+| AADSTS7000218 | The request body must contain the following parameter: 'client_assertion' or 'client_secret'. |

+In addition to simple sign-in, a web server app might need to access another web service, such as a [Representational State Transfer (REST) API](/rest/api/azure/). In this case, the web server app engages in a combined OpenID Connect and OAuth 2.0 flow, by using the [OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md). For more information about this scenario, refer to our code [sample](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/2-WebApp-graph-user/2-1-Call-MSGraph/README.md).

+&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read

+>This information last updated on September 21st, 2022.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).

+There are specific scenarios when delegating administration within a single tenant boundary won't meet your needs. In this section, we'll discuss requirements that may drive you to create a multi-tenant architecture. Multi-tenant organizations might span two or more Azure AD tenants. This can result in unique cross-tenant collaboration and management requirements. Multi-tenant architectures increase management overhead and complexity and should be used with caution. We recommend using a single tenant if your needs can be met with that architecture. For more detailed information, see [Multi-tenant user management](multi-tenant-user-management-introduction.md).

+* [Best practices](secure-with-azure-ad-best-practices.md)

+|User state changed from Guest to Member|Medium|Azure AD Audit logs|Activity: Update user<br>Category: UserManagement<br>UserType changed from Guest to Member|Monitor and alert on change of user type from Guest to Member. Was this expected?<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserStatechangedfromGuesttoMember.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)

+|Guest users invited to tenant by non-approved inviters|Medium|Azure AD Audit logs|Activity: Invite external user<br>Category: UserManagement<br>Initiated by (actor): User Principal Name|Monitor and alert on non-approved actors inviting external users.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|

+|employeeLeaveDateTime|DateTimeOffset|Yes|Not currently|Not currently|

+> To take advantaged of leaver scenarios, you can set the employeeLeaveDateTime manually for cloud-only users. For more information, see: [Set employeeLeaveDateTime](set-employee-leave-date-time.md)

+ Title: Set employeeLeaveDateTime

+description: Explains how to manually set employeeLeaveDateTime.

+# Set employeeLeaveDateTime

+This article describes how to manually set the employeeLeaveDateTime attribute for a user. This attribute can be set as a trigger for leaver workflows created using Lifecycle Workflows.

+## Required permission and roles

+To set the employeeLeaveDateTime attribute, you must make sure the correct delegated roles and application permissions are set. They are as follows:

+### Delegated

+In delegated scenarios, the signed-in user needs the Global Administrator role to update the employeeLeaveDateTime attribute. One of the following delegated permissions is also required:

+- User-LifeCycleInfo.ReadWrite.All

+- Directory.AccessAsUser.All

+### Application

+Updating the employeeLeaveDateTime requires the User-LifeCycleInfo.ReadWrite.All application permission.

+>[!NOTE]

+> The User-LifeCycleInfo.ReadWrite.All permissions is currently hidden and cannot be configured in Graph Explorer or the API permission blade of app registrations.

+## Set employeeLeaveDateTime via PowerShell

+To set the employeeLeaveDateTime for a user using PowerShell enter the following information:

+ ```powershell

+ Connect-MgGraph -Scopes "User-LifeCycleInfo.ReadWrite.All"

+ Select-MgProfile -Name "beta"

+ $UserId = "<Object ID of the user>"

+ $employeeLeaveDateTime = "<Leave date>"

+

+ $Body = '{"employeeLeaveDateTime": "' + $employeeLeaveDateTime + '"}'

+ Update-MgUser -UserId $UserId -BodyParameter $Body

+ $User = Get-MgUser -UserId $UserId -Property employeeLeaveDateTime

+ $User.AdditionalProperties

+ ```

+ This script is an example of a user who will leave on September 30, 2022 at 23:59.

+ ```powershell

+ Connect-MgGraph -Scopes "User-LifeCycleInfo.ReadWrite.All"

+ Select-MgProfile -Name "beta"

+ $UserId = "528492ea-779a-4b59-b9a3-b3773ef6da6d"

+ $employeeLeaveDateTime = "2022-09-30T23:59:59Z"

+

+ $Body = '{"employeeLeaveDateTime": "' + $employeeLeaveDateTime + '"}'

+ Update-MgUser -UserId $UserId -BodyParameter $Body

+ $User = Get-MgUser -UserId $UserId -Property employeeLeaveDateTime

+ $User.AdditionalProperties

+```

+## Next steps

+- [How to synchronize attributes for Lifecycle workflows](how-to-lifecycle-workflow-sync-attributes.md)

+- [Lifecycle Workflows templates](lifecycle-workflow-templates.md)

+> [!NOTE]

+> The Set-AzureADUser PowerShell command will not work on federated domains.

+>To learn more about Cloud Sync please read [this article](/azure/active-directory/cloud-sync/what-is-cloud-sync), or watch this [short video](https://www.microsoft.com/videoplayer/embed/RWJ8l5).

+* Although there is no enforcement of uniqueness on the Azure AD onPremisesUserPrincipalName attribute, it is not supported to sync the same UserPrincipalName value to the Azure AD onPremisesUserPrincipalName attribute for multiple different Azure AD users.

+ Title: View applied Conditional Access policies in Azure AD sign-in logs

+description: Learn how to view Conditional Access policies in Azure AD sign-in logs so that you can assess the impact of those policies.

+# View applied Conditional Access policies in Azure AD sign-in logs

+With Conditional Access policies, you can control how your users get access to the resources of your Azure tenant. As a tenant admin, you need to be able to determine what impact your Conditional Access policies have on sign-ins to your tenant, so that you can take action if necessary.

+The sign-in logs in Azure Active Directory (Azure AD) give you the information that you need to assess the impact of your policies. This article explains how to view applied Conditional Access policies in those logs.

+- Troubleshoot sign-in problems.

+- Check on feature performance.

+- Evaluate the security of a tenant.

+Some scenarios require you to get an understanding of how your Conditional Access policies were applied to a sign-in event. Common examples include:

+- *Helpdesk administrators* who need to look at applied Conditional Access policies to understand if a policy is the root cause of a ticket that a user opened.

+- *Tenant administrators* who need to verify that Conditional Access policies have the intended impact on the users of a tenant.

+You can access the sign-in logs by using the Azure portal, Microsoft Graph, and PowerShell.

+To see applied Conditional Access policies in the sign-in logs, administrators must have permissions to view both the logs and the policies.

+The least privileged built-in role that grants both permissions is *Security Reader*. As a best practice, your global administrator should add the Security Reader role to the related administrator accounts.

+The following built-in roles grant permissions to read Conditional Access policies:

+The following built-in roles grant permission to view sign-in logs:

+If you use a client app to pull sign-in logs from Microsoft Graph, your app needs permissions to receive the `appliedConditionalAccessPolicy` resource from Microsoft Graph. As a best practice, assign `Policy.Read.ConditionalAccess` because it's the least privileged permission.

+Any of the following permissions is sufficient for a client app to access applied certificate authority (CA) policies in sign-in logs through Microsoft Graph:

+- `Policy.Read.ConditionalAccess`

+- `Policy.ReadWrite.ConditionalAccess`

+- `Policy.Read.All`

+Like any other client app, the Microsoft Graph PowerShell module needs client permissions to access applied Conditional Access policies in the sign-in logs. To successfully pull applied Conditional Access policies in the sign-in logs, you must consent to the necessary permissions with your administrator account for Microsoft Graph PowerShell. As a best practice, consent to:

+- `Policy.Read.ConditionalAccess`

+- `AuditLog.Read.All`

+- `Directory.Read.All`

+`Connect-MgGraph -Scopes Policy.Read.ConditionalAccess, AuditLog.Read.All, Directory.Read.All`

+`Get-MgAuditLogSignIn`

+The Azure AD Graph PowerShell module doesn't support viewing applied Conditional Access policies. Only the Microsoft Graph PowerShell module returns applied Conditional Access policies.

+On the **Conditional Access** tab, you see a list of Conditional Access policies applied to that sign-in event.

+To confirm that you have admin access to view applied Conditional Access policies in the sign-in logs:

+1. Go to the Azure portal.

+2. In the upper-right corner, select your directory, and then select **Azure Active Directory** on the left pane.

+4. Select an item in the sign-in table to open the **Activity Details: Sign-ins context** pane.

+5. Select the **Conditional Access** tab on the context pane. If your screen is small, you might need to select the ellipsis (**...**) to see all tabs on the context pane.

+* [Sign-in error code reference](./concept-sign-ins.md)

+* [Sign-in report overview](concept-sign-ins.md)

+2. Navigate to **Manage** -> **Extensions** -> **Single Sign-On**.

+ a. Enable the Single Sign-On.

+

+ b. In **Identity URL** textbox, paste the value of **Identifier(Entity ID)**, which you have copied from Azure portal.

+ c. In **Certificate fingerprint** textbox, paste the **Thumbprint** value of certificate, which you have copied from Azure portal.

+5. Click **Save Changes**.

+1. In the Users section, type the email address of a valid Azure Active Directory user you want to provision into the **Email** textbox and give a valid **Name**.

+5. Click **Create user**.

+* Click on **Test this application** in Azure portal. This will redirect to Panorama9 Sign on URL where you can initiate the login flow.

+* Go to Panorama9 Sign on URL directly and initiate the login flow from there.

+* You can use Microsoft My Apps. When you click the Panorama9 tile in the My Apps, this will redirect to Panorama9 Sign on URL. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

+### 429 Throttling Detected on this resource

+We observed that there have been 1,000 or more 429 throttling errors on this resource in a one day timeframe. Consider enabling autoscale to better handle higher call volumes and reduce the number of 429 errors.

+Learn more about [Cognitive Service - AzureAdvisor429LimitHit (429 Throttling Detected on this resource)](/azure/cognitive-services/autoscale?tabs=portal).

+### Update Automanage to the latest API Version

+We have identified sdk calls from outdated API for resources under this subscription. We recommend switching to the latest sdk versions. This ensures you receive the latest features and performance improvements.

+Learn more about [Virtual machine - UpdateToLatestApi (Update Automanage to the latest API Version)](/azure/automanage/reference-sdk).

+### Improve user experience and connectivity by deploying VMs closer to userΓÇÖs location.

+We have determined that your VMs are located in a region different or far from where your users are connecting from, using Azure Virtual Desktop. This may lead to prolonged connection response times and will impact overall user experience on Azure Virtual Desktop.

+Learn more about [Virtual machine - RegionProximitySessionHosts (Improve user experience and connectivity by deploying VMs closer to userΓÇÖs location.)](../virtual-desktop/connection-latency.md).

+## DataFactory

+### Scale the storage limit for PostgreSQL server

+Our internal telemetry shows that the server may be constrained because it is approaching limits for the currently provisioned storage values. This may result in degraded performance or in the server being moved to read-only mode. To ensure continued performance, we recommend increasing the provisioned storage amount or turning ON the "Auto-Growth" feature for automatic storage increases

+Learn more about [PostgreSQL server - OrcasPostgreSqlStorageLimit (Scale the storage limit for PostgreSQL server)](https://aka.ms/postgresqlstoragelimits).

+## DesktopVirtualization

+### Configure your Azure Cosmos DB applications to use Direct connectivity in the SDK

+We noticed that your Azure Cosmos DB applications are using Gateway mode via the Cosmos DB .NET or Java SDKs. We recommend switching to Direct connectivity for lower latency and higher scalability.

+Learn more about [Cosmos DB account - CosmosDBGatewayMode (Configure your Azure Cosmos DB applications to use Direct connectivity in the SDK)](/azure/cosmos-db/performance-tips#networking).

+### Unsupported Kubernetes version is detected

+Unsupported Kubernetes version is detected. Ensure Kubernetes cluster runs with a supported version.

+Learn more about [HDInsight Cluster Pool - UnsupportedHiloAKSVersionIsDetected (Unsupported Kubernetes version is detected)](https://aka.ms/aks-supported-versions).

+To read more on this feature, please visit link:

+Learn more about [HDInsight cluster - CompactionQueueCandidate (Consider increasing your compaction threads for compactions to complete faster)](/azure/hdinsight/hbase/apache-hbase-advisor).

+## Automanage

+### Update Automanage to the latest API Version

+We have identified sdk calls from outdated API for resources under this subscription. We recommend switching to the latest sdk versions. This ensures you receive the latest features and performance improvements.

+Learn more about [Machine - Azure Arc - UpdateToLatestApiHci (Update Automanage to the latest API Version)](/azure/automanage/reference-sdk).

+## KeyVault

+### Configure DNS Time to Live to 60 seconds

+Time to Live (TTL) affects how recent of a response a client will get when it makes a request to Azure Traffic Manager. Reducing the TTL value means that the client will be routed to a functioning endpoint faster in the case of a failover. Configure your TTL to 60 seconds to route traffic to a health endpoint as quickly as possible.

+Learn more about [Traffic Manager profile - ProfileTTL (Configure DNS Time to Live to 60 seconds)](https://aka.ms/Um3xr5).

+## SAP on Azure Workloads

+### For improved file system performance in HANA DB with ANF, optimize tcp_wmem OS parameter

+The parameter net.ipv4.tcp_wmem specifies minimum, default, and maximum send buffer sizes that are used for a TCP socket. Set the parameter as per SAP note: 302436 to certify HANA DB to run with ANF and improve file system performance. The maximum value should not exceed net.core.wmem_max parameter

+Learn more about [Database Instance - WriteBuffersAllocated (For improved file system performance in HANA DB with ANF, optimize tcp_wmem OS parameter)](https://launchpad.support.sap.com/#/notes/3024346).

+### For improved file system performance in HANA DB with ANF, optimize wmem_max OS parameter

+In HANA DB with ANF storage type, the maximum write socket buffer, defined by the parameter, net.core.wmem_max must be set large enough to handle outgoing network packets. This configuration certifies HANA DB to run with ANF and improves file system performance. See SAP note: 3024346

+Learn more about [Database Instance - MaxWriteBuffer (For improved file system performance in HANA DB with ANF, optimize wmem_max OS parameter)](https://launchpad.support.sap.com/#/notes/3024346).

+### For improved file system performance in HANA DB with ANF, optimize tcp_rmem OS parameter

+The parameter net.ipv4.tcp_rmem specifies minimum, default, and maximum receive buffer sizes used for a TCP socket. Set the parameter as per SAP note 3024346 to certify HANA DB to run with ANF and improve file system performance. The maximum value should not exceed net.core.rmem_max parameter

+Learn more about [Database Instance - OptimizeReadTcp (For improved file system performance in HANA DB with ANF, optimize tcp_rmem OS parameter)](https://launchpad.support.sap.com/#/notes/3024346).

+### For improved file system performance in HANA DB with ANF, optimize rmem_max OS parameter

+In HANA DB with ANF storage type, the maximum read socket buffer, defined by the parameter, net.core.rmem_max must be set large enough to handle incoming network packets. This configuration certifies HANA DB to run with ANF and improves file system performance. See SAP note: 3024346.

+Learn more about [Database Instance - MaxReadBuffer (For improved file system performance in HANA DB with ANF, optimize rmem_max OS parameter)](https://launchpad.support.sap.com/#/notes/3024346).

+### For improved file system performance in HANA DB with ANF, set receiver backlog queue size to 300000

+The parameter net.core.netdev_max_backlog specifies the size of the receiver backlog queue, used if a Network interface receives packets faster than the kernel can process. Set the parameter as per SAP note: 3024346. This configuration certifies HANA DB to run with ANF and improves file system performance.

+Learn more about [Database Instance - BacklogQueueSize (For improved file system performance in HANA DB with ANF, set receiver backlog queue size to 300000)](https://launchpad.support.sap.com/#/notes/3024346).

+### To improve file system performance in HANA DB with ANF, enable the TCP window scaling OS parameter

+Enable the TCP window scaling parameter as per SAP note: 302436. This configuration certifies HANA DB to run with ANF and improves file system performance in HANA DB with ANF in SAP workloads

+Learn more about [Database Instance - EnableTCPWindowScaling (To improve file system performance in HANA DB with ANF, enable the TCP window scaling OS parameter )](https://launchpad.support.sap.com/#/notes/3024346).

+### For improved file system performance in HANA DB with ANF, disable IPv6 protocol in OS

+Disable IPv6 as per recommendation for SAP on Azure for HANA DB with ANF to improve file system performance

+Learn more about [Database Instance - DisableIPv6Protocol (For improved file system performance in HANA DB with ANF, disable IPv6 protocol in OS)](/azure/virtual-machines/workloads/sap/sap-hana-scale-out-standby-netapp-files-suse#:~:text=Create%20configuration%20file%20/etc/sysctl.d/ms%2Daz.conf%20with%20Microsoft%20for%20Azure%20configuration%20settings).

+### To improve file system performance in HANA DB with ANF, disable parameter for slow start after idle

+The parameter net.ipv4.tcp_slow_start_after_idle disables the need to scale-up incrementally the TCP window size for TCP connections which were idle for some time. By setting this parameter to zero as per SAP note: 302436, the maximum speed is used from beginning for previously idle TCP connections

+Learn more about [Database Instance - ParamterSlowStart (To improve file system performance in HANA DB with ANF, disable parameter for slow start after idle)](https://launchpad.support.sap.com/#/notes/3024346).

+### For improved file system performance in HANA DB with ANF optimize tcp_max_syn_backlog OS parameter

+To prevent the kernel from using SYN cookies in a situation where lots of connection requests are sent in a short timeframe and to prevent a warning about a potential SYN flooding attack in the system log, the size of the SYN backlog should be set to a reasonably high value. See SAP note 2382421

+Learn more about [Database Instance - TCPMaxSynBacklog (For improved file system performance in HANA DB with ANF optimize tcp_max_syn_backlog OS parameter)](/azure/virtual-machines/workloads/sap/sap-hana-scale-out-standby-netapp-files-suse#:~:text=Create%20configuration%20file%20/etc/sysctl.d/ms%2Daz.conf%20with%20Microsoft%20for%20Azure%20configuration%20settings).

+### For improved file system performance in HANA DB with ANF, enable the tcp_sack OS parameter

+Enable the tcp_sack parameter as per SAP note: 302436. This configuration certifies HANA DB to run with ANF and improves file system performance in HANA DB with ANF in SAP workloads

+Learn more about [Database Instance - TCPSackParameter (For improved file system performance in HANA DB with ANF, enable the tcp_sack OS parameter)](https://launchpad.support.sap.com/#/notes/3024346).

+### In high-availaility scenario for HANA DB with ANF, disable the tcp_timestamps OS parameter

+Disable the tcp_timestamps parameter as per SAP note: 302436. This configuration certifies HANA DB to run with ANF and improves file system performance in high-availability scenarios for HANA DB with ANF in SAP workloads

+Learn more about [Database Instance - DisableTCPTimestamps (In high-availaility scenario for HANA DB with ANF, disable the tcp_timestamps OS parameter)](https://launchpad.support.sap.com/#/notes/3024346).

+### For improved file system performance in HANA DB with ANF, enable the tcp_timestamps OS parameter

+Enable the tcp_timestamps parameter as per SAP note: 302436. This configuration certifies HANA DB to run with ANF and improves file system performance in HANA DB with ANF in SAP workloads

+Learn more about [Database Instance - EnableTCPTimestamps (For improved file system performance in HANA DB with ANF, enable the tcp_timestamps OS parameter)](https://launchpad.support.sap.com/#/notes/3024346).

+### To improve file system performance in HANA DB with ANF, enable auto-tuning TCP receive buffer size

+The parameter net.ipv4.tcp_moderate_rcvbuf enables TCP to perform receive buffer auto-tuning, to automatically size the buffer (no greater than tcp_rmem to match the size required by the path for full throughput. Enable this parameter as per SAP note: 302436 for improved file system performance

+Learn more about [Database Instance - EnableAutoTuning (To improve file system performance in HANA DB with ANF, enable auto-tuning TCP receive buffer size)](https://launchpad.support.sap.com/#/notes/3024346).

+### For improved file system performance in HANA DB with ANF, optimize net.ipv4.ip_local_port_range

+As HANA uses a considerable number of connections for the internal communication, it makes sense to have as many client ports available as possible for this purpose. Set the OS parameter, net.ipv4.ip_local_port_range parameter as per SAP note 2382421 to ensure optimal internal HANA communication.

+Learn more about [Database Instance - IPV4LocalPortRange (For improved file system performance in HANA DB with ANF, optimize net.ipv4.ip_local_port_range)](https://launchpad.support.sap.com/#/notes/2382421).

+### To improve file system performance in HANA DB with ANF, optimize sunrpc.tcp_slot_table_entries

+Set the parameter sunrpc.tcp_slot_table_entries to 128 as per recommendation for improved file system performance in HANA DB with ANF in SAP workloads

+Learn more about [Database Instance - TCPSlotTableEntries (To improve file system performance in HANA DB with ANF, optimize sunrpc.tcp_slot_table_entries)](/azure/virtual-machines/workloads/sap/sap-hana-scale-out-standby-netapp-files-suse#:~:text=Create%20configuration%20file%20/etc/sysctl.d/ms%2Daz.conf%20with%20Microsoft%20for%20Azure%20configuration%20settings).

+### All disks in LVM for /hana/data volume should be of the same type to ensure high performance in HANA DB

+If multiple disk types are selected in the /hana/data volume, performance of HANA DB in SAP workloads might get restricted. Ensure all HANA Data volume disks are of the same type and are configured as per recommendation for SAP on Azure

+Learn more about [Database Instance - HanaDataDiskTypeSame (All disks in LVM for /hana/data volume should be of the same type to ensure high performance in HANA DB)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#:~:text=Configuration%20for%20SAP%20/hana/data%20volume).

+### Stripe size for /hana/data should be 256 kb for improved performance of HANA DB in SAP workloads

+If you are using LVM or mdadm to build stripe sets across several Azure premium disks, you need to define stripe sizes. Based on experience with recentLinux versions, Azure recommends using stripe size of 256 kb for /hana/data filesystem for better performance of HANA DB

+Learn more about [Database Instance - HanaDataStripeSize (Stripe size for /hana/data should be 256 kb for improved performance of HANA DB in SAP workloads)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#:~:text=As%20stripe%20sizes%20the%20recommendation%20is%20to%20use).

+### To improve file system performance in HANA DB with ANF, optimize the parameter vm.swappiness

+Set the OS parameter vm.swappiness to 10 as per recommendation for improved file system performance in HANA DB with ANF in SAP workloads

+Learn more about [Database Instance - VmSwappiness (To improve file system performance in HANA DB with ANF, optimize the parameter vm.swappiness)](/azure/virtual-machines/workloads/sap/sap-hana-scale-out-standby-netapp-files-suse#:~:text=Create%20configuration%20file%20/etc/sysctl.d/ms%2Daz.conf%20with%20Microsoft%20for%20Azure%20configuration%20settings).

+### To improve file system performance in HANA DB with ANF, disable net.ipv4.conf.all.rp_filter

+Disable the reverse path filter linux OS parameter, net.ipv4.conf.all.rp_filter as per recommendation for improved file system performance in HANA DB with ANF in SAP workloads

+Learn more about [Database Instance - DisableIPV4Conf (To improve file system performance in HANA DB with ANF, disable net.ipv4.conf.all.rp_filter)](/azure/virtual-machines/workloads/sap/sap-hana-scale-out-standby-netapp-files-suse#:~:text=Create%20configuration%20file%20/etc/sysctl.d/ms%2Daz.conf%20with%20Microsoft%20for%20Azure%20configuration%20settings).

+### If using Ultradisk, the IOPS for /hana/data volume should be >=7000 for better HANA DB performance

+IOPS of at least 7000 in /hana/data volume is recommended for SAP workloads when using Ultradisk. Select the disk type for /hana/data volume as per this requirement to ensure high performance of the DB

+Learn more about [Database Instance - HanaDataIOPS (If using Ultradisk, the IOPS for /hana/data volume should be >=7000 for better HANA DB performance)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#azure-ultra-disk-storage-configuration-for-sap-hana:~:text=1%20x%20P6-,Azure%20Ultra%20disk%20storage%20configuration%20for%20SAP%20HANA,-Another%20Azure%20storage).

+### To improve file system performance in HANA DB with ANF, change parameter tcp_max_slot_table_entries

+Set the OS parameter tcp_max_slot_table_entries to 128 as per SAP note: 302436 for improved file transfer performance in HANA DB with ANF in SAP workloads

+Learn more about [Database Instance - OptimizeTCPMaxSlotTableEntries (To improve file system performance in HANA DB with ANF, change parameter tcp_max_slot_table_entries)](/azure/virtual-machines/workloads/sap/sap-hana-scale-out-standby-netapp-files-suse#:~:text=Create%20configuration%20file%20/etc/sysctl.d/ms%2Daz.conf%20with%20Microsoft%20for%20Azure%20configuration%20settings).

+### Ensure the read performance of /hana/data volume is >=400 MB/sec for better performance in HANA DB

+Read activity of at least 400 MB/sec for /hana/data for 16 MB and 64 MB I/O sizes is recommended for SAP workloads on Azure. Select the disk type for /hana/data as per this requirement to ensure high performance of the DB and to meet minimum storage requirements for SAP HANA

+Learn more about [Database Instance - HanaDataVolumePerformance (Ensure the read performance of /hana/data volume is >=400 MB/sec for better performance in HANA DB)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#:~:text=Read%20activity%20of%20at%20least%20400%20MB/sec%20for%20/hana/data).

+### Read/write performance of /hana/log volume should be >=250 MB/sec for better performance in HANA DB

+Read/Write activity of at least 250 MB/sec for /hana/log for 1 MB I/O size is recommended for SAP workloads on Azure. Select the disk type for /hana/log volume as per this requirement to ensure high performance of the DB and to meet minimum storage requirements for SAP HANA

+Learn more about [Database Instance - HanaLogReadWriteVolume (Read/write performance of /hana/log volume should be >=250 MB/sec for better performance in HANA DB)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#:~:text=Read/write%20on%20/hana/log%20of%20250%20MB/sec%20with%201%20MB%20I/O%20sizes).

+### If using Ultradisk, the IOPS for /hana/log volume should be >=2000 for better performance in HANA DB

+IOPS of at least 2000 in /hana/log volume is recommended for SAP workloads when using Ultradisk. Select the disk type for /hana/log volume as per this requirement to ensure high performance of the DB

+Learn more about [Database Instance - HanaLogIOPS (If using Ultradisk, the IOPS for /hana/log volume should be >=2000 for better performance in HANA DB)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#azure-ultra-disk-storage-configuration-for-sap-hana:~:text=1%20x%20P6-,Azure%20Ultra%20disk%20storage%20configuration%20for%20SAP%20HANA,-Another%20Azure%20storage).

+### All disks in LVM for /hana/log volume should be of the same type to ensure high performance in HANA DB

+If multiple disk types are selected in the /hana/log volume, performance of HANA DB in SAP workloads might get restricted. Ensure all HANA Data volume disks are of the same type and are configured as per recommendation for SAP on Azure

+Learn more about [Database Instance - HanaDiskLogVolumeSameType (All disks in LVM for /hana/log volume should be of the same type to ensure high performance in HANA DB)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#:~:text=For%20the%20/hana/log%20volume.%20the%20configuration%20would%20look%20like).

+### Enable Write Accelerator on /hana/log volume with Premium disk for improved write latency in HANA DB

+Azure Write Accelerator is a functionality for Azure M-Series VMs. It improves I/O latency of writes against the Azure premium storage. For SAP HANA, Write Accelerator is to be used against the /hana/log volume only.

+Learn more about [Database Instance - WriteAcceleratorEnabled (Enable Write Accelerator on /hana/log volume with Premium disk for improved write latency in HANA DB)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#:~:text=different%20SAP%20applications.-,Solutions%20with%20premium%20storage%20and%20Azure%20Write%20Accelerator%20for%20Azure%20M%2DSeries%20virtual%20machines,-Azure%20Write%20Accelerator).

+### Stripe size for /hana/log should be 64 kb for improved performance of HANA DB in SAP workloads

+If you are using LVM or mdadm to build stripe sets across several Azure premium disks, you need to define stripe sizes. To get enough throughput with larger I/O sizes, Azure recommends using stripe size of 64 kb for /hana/log filesystem for better performance of HANA DB

+Learn more about [Database Instance - HanaLogStripeSize (Stripe size for /hana/log should be 64 kb for improved performance of HANA DB in SAP workloads)](/azure/virtual-machines/workloads/sap/hana-vm-operations-storage#:~:text=As%20stripe%20sizes%20the%20recommendation%20is%20to%20use).

+[kured]: https://github.com/kubereboot/kured

+helm repo add kubereboot https://kubereboot.github.io/charts/

+- Maximum requests per minute per service: 250

+1. Type `F5` to run the app. The app is displayed in your default browser.

+ > [!NOTE]

+ > If you only installed Visual Studio and the prerequisites, you may have to [install missing packages via NuGet](/nuget/consume-packages/install-use-packages-visual-studio).

+> [Start analyzing costs with Cost Management](../cost-management-billing/costs/quick-acm-cost-analysis.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn)

+- [Python](configure-language-python.md#access-app-settings-as-environment-variables)

+When your app runs, the App Service app settings are injected into the process as environment variables automatically. You can verify container environment variables with the URL `https://<app-name>.scm.azurewebsites.net/Env`.

+By default, persistent storage is *disabled* on Windows custom containers. To enable it, set the `WEBSITES_ENABLE_APP_SERVICE_STORAGE` app setting value to `true` via the [Cloud Shell](https://shell.azure.com). In Bash:

+```azurecli-interactive

+az webapp config appsettings set --resource-group <group-name> --name <app-name> --settings WEBSITES_ENABLE_APP_SERVICE_STORAGE=true

+```

+In PowerShell:

+```azurepowershell-interactive

+Set-AzWebApp -ResourceGroupName <group-name> -Name <app-name> -AppSettings @{"WEBSITES_ENABLE_APP_SERVICE_STORAGE"=true}

+```

+By default, persistent storage is *enabled* on Linux custom containers. To disable it, set the `WEBSITES_ENABLE_APP_SERVICE_STORAGE` app setting value to `false` via the [Cloud Shell](https://shell.azure.com). In Bash:

+> [!NOTE]

+> OpenSSL v3 creates certificate serials with 20 octets (40 chars) as the X.509 specification allows. Currently only 10 octets (20 chars) is supported when uploading certificate PFX files.

+> OpenSSL v3 also changed default cipher from 3DES to AES256, but this can be overridden on the command line.

+> OpenSSL v1 uses 3DES as default and only uses 8 octets (16 chars) in the serial, so the PFX files generated are supported without any special modifications.

+ az role assignment create --role contributor --subscription $subscriptionId --assignee-object-id $assigneeObjectId --scope /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/ --assignee-principal-type ServicePrincipal

+- [Starter Workflows](https://github.com/actions/starter-workflows)

+ You can also change the `DEPLOYMENT_BRANCH` app setting in the Azure Portal, by selecting **Configuration** under **Settings** and adding a new Application Setting with a name of `DEPLOYMENT_BRANCH` and value of `main`.

+ > Currently, a Private Endpoint isn't cloned across slots.

+After a client is automatically routed to a specific slot, it's "pinned" to that slot for one hour or until the cookies are deleted. On the client browser, you can see which slot your session is pinned to by looking at the `x-ms-routing-name` cookie in your HTTP headers. A request that's routed to the "staging" slot has the cookie `x-ms-routing-name=staging`. A request that's routed to the production slot has the cookie `x-ms-routing-name=self`.

+App Service is a Platform-as-a-Service, which means that the OS and application stack are managed for you by Azure; you only manage your application and its data. More control over the OS and application stack is available for you in [Azure Virtual Machines](../virtual-machines/index.yml). With that in mind, it is nevertheless helpful for you as an App Service user to know more information, such as:

+2. Save your changes, then redeploy the app using the [az webapp up](/cli/azure/webapp#az-webapp-up) command again with no arguments for Linux. Add `--os-type Windows` for Windows:

+- The `--runtime "PHP:8.0"` argument creates the web app with PHP version 8.0.

+In this quickstart, you'll learn how to create and deploy your first [WordPress](https://www.wordpress.org/) site to [Azure App Service on Linux](overview.md#app-service-on-linux) with [Azure Database for MySQL - Flexible Server](/azure/mysql/flexible-server/) using the [WordPress Azure Marketplace item by App Service](https://azuremarketplace.microsoft.com/marketplace/apps/WordPress.WordPress?tab=Overview). This quickstart uses the **Basic** tier for your app and a **Burstable, B1ms** tier for your database, and incurs a cost for your Azure Subscription. For pricing, visit [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/linux/) and [Azure Database for MySQL pricing](https://azure.microsoft.com/pricing/details/mysql/flexible-server/).

+> After November 28, 2022, [PHP will only be supported on App Service on Linux.](https://github.com/Azure/app-service-linux-docs/blob/master/Runtime_Support/php_support.md#end-of-life-for-php-74).

+> Additional documentation, including [Migrating to App Service](https://github.com/Azure/wordpress-linux-appservice/blob/main/WordPress/wordpress_migration_linux_appservices.md), can be found at [WordPress - App Service on Linux](https://github.com/Azure/wordpress-linux-appservice/tree/main/WordPress).

+1. Under **Hosting details**, type a globally unique name for your web app and choose **Linux** for **Operating System**. Select **Basic** for **Hosting plan**. Select **Compare plans** to view features and price comparisons. See the table below for app and database SKUs for given hosting plans. You can view [hosting plans details in the announcement](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/announcing-the-general-availability-of-wordpress-on-azure-app/ba-p/3593481). For pricing, visit [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/linux/) and [Azure Database for MySQL pricing](https://azure.microsoft.com/pricing/details/mysql/flexible-server/).

+

+> [!NOTE]

+> If you have feedback to improve this WordPress offering on App Service, submit your ideas at [Web Apps Community](https://feedback.azure.com/d365community/forum/b09330d1-c625-ec11-b6e6-000d3a4f0f1c).

+>

+

+## Manage the MySQL flexible server, username, or password

+- The MySQL Flexible Server is created behind a private [Virtual Network](/azure/virtual-network/virtual-networks-overview.md) and can't be accessed directly. To access or manage the database, use phpMyAdmin that's deployed with the WordPress site. You can access phpMyAdmin by following these steps:

+ - Navigate to the URL: https://`<sitename>`.azurewebsites.net/phpmyadmin

+ - Login with the flexible server's username and password

+- Database username and password of the MySQL Flexible Server are generated automatically. To retrieve these values after the deployment go to Application Settings section of the Configuration page in Azure App Service. The WordPress configuration is modified to use these [Application Settings](reference-app-settings.md#wordpress) to connect to the MySQL database.

+- To change the MySQL database password, see [Reset admin password](/azure/mysql/flexible-server/how-to-manage-server-portal#reset-admin-password). Whenever the MySQL database credentials are changed, the [Application Settings](reference-app-settings.md#wordpress) need to be updated. The [Application Settings for MySQL database](reference-app-settings.md#wordpress) begin with the **`DATABASE_`** prefix. For more information on updating MySQL passwords, see [WordPress on App Service](https://github.com/Azure/wordpress-linux-appservice/blob/main/WordPress/changing_mysql_database_password.md).

+ CREATE ROLE <postgresql-user-name> WITH LOGIN PASSWORD '<application-id-of-user-assigned-identity>' IN ROLE azure_ad_user;

+ azureaduser=$(az ad user list --filter "userPrincipalName eq '<user-principal-name>'" --query '[].id' --output tsv)

+ > To see the list of all user principal names in Azure AD, run `az ad user list --query '[].userPrincipalName'`.

+HTTP 504 errors are presented if a request is sent to application gateways using v2 sku, and the backend response time exceeds the time-out value associated to the listener's rule. This value is defined in the HTTP setting.

+If the information in this article doesn't help to resolve the issue, [submit a support ticket](https://azure.microsoft.com/support/options/).

+A private endpoint is a network interface that uses a private IP address from the virtual network containing clients wishing to connect to your Application Gateway. Each of the clients will use the private IP address of the Private Endpoint to tunnel traffic to the Application Gateway. To create a private endpoint, complete the following steps:

+ -Priority 100 `

+* JavaScript | CustomFormModelInfo interface

+* [**Java**](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/src/samples/java/com/azure/ai/formrecognizer/administration/ComposeDocumentModel.java).

+|Business card (v3.0 API)| <ul><li>English (United States)ΓÇöen-US</li><li> English (Australia)ΓÇöen-AU</li><li>English (Canada)ΓÇöen-CA</li><li>English (United Kingdom)ΓÇöen-GB</li><li>English (India)ΓÇöen-IN</li><li>English (Japan)ΓÇöen-JP</li><li>Japanese (Japan)ΓÇöja-JP</li></ul> | Autodetected (en-US or ja-JP) |

+|Business card (v2.1 API)| <ul><li>English (United States)ΓÇöen-US</li><li> English (Australia)ΓÇöen-AU</li><li>English (Canada)ΓÇöen-CA</li><li>English (United Kingdom)ΓÇöen-GB</li><li>English (India)ΓÇöen-IN</li> | Autodetected |

+| _**Composed model**_ |<ul><li>[Form Recognizer labeling tool](https://fott-2-1.azurewebsites.net/)</li><li>[REST API](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-v2-1/operations/Compose)</li><li>[C# SDK](/dotnet/api/azure.ai.formrecognizer.training.createcomposedmodeloperation?view=azure-dotnet&preserve-view=true)</li><li>[Java SDK](/java/api/com.azure.ai.formrecognizer.models.createcomposedmodeloptions?view=azure-java-stable&preserve-view=true)</li><li>JavaScript SDK</li><li>[Python SDK](/python/api/azure-ai-formrecognizer/azure.ai.formrecognizer.formtrainingclient?view=azure-python#azure-ai-formrecognizer-formtrainingclient-begin-create-composed-model&preserve-view=true)</li></ul>|

+|Java| DocumentBuildMode Class | [BuildModel.java](https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/formrecognizer/azure-ai-formrecognizer/src/samples/java/com/azure/ai/formrecognizer/administration/BuildDocumentModel.java)|

+| Feature | Resources | Model ID

+|-|-||

+| **General document model**|<ul ><li>[**Form Recognizer Studio**](https://formrecognizer.appliedai.azure.com)</li><li>[**REST API**](https://westus.dev.cognitive.microsoft.com/docs/services/form-recognizer-api-2022-08-31/operations/AnalyzeDocument)</li><li>[**C# SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Python SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**Java SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li><li>[**JavaScript SDK**](quickstarts/get-started-v3-sdk-rest-api.md)</li></ul>|**prebuilt-document**|

+> [Try the Form Recognizer Studio](https://formrecognizer.appliedai.azure.com/studio)

+The Form Recognizer W-2 model, combines Optical Character Recognition (OCR) with deep learning models to analyze and extract information reported on [US Internal Revenue Service (IRS) tax forms](https://www.irs.gov/forms-pubs/about-form-w-2). A W-2 tax form is a multipart form divided into state and federal sections consisting of more than 14 boxes detailing an employee's income from the previous year. The W-2 tax form is a key document used in employees' federal and state tax filings, as well as other processes like mortgage loans and Social Security Administration (SSA) benefits. The Form Recognizer W-2 model supports both single and multiple standard and customized forms from 2018 to the present.

+To use the v3.0-supported languages, refer to the [v3.0 REST API migration guide](v3-migration-guide.md) to understand the differences from the v2.1 GA API and explore the [v3.0 SDK and REST API quickstarts](quickstarts/get-started-v3-sdk-rest-api.md).

+| [Reference documentation](/javascript/api/@azure/cognitiveservices-formrecognizer/formrecognizerclient?view=azure-node-latest&preserve-view=true)| [npm package dependency form-recognizer 3.1.0](https://www.npmjs.com/package/@azure/ai-form-recognizer) |

+| [Reference documentation](/javascript/api/@azure/cognitiveservices-formrecognizer/formrecognizerclient?view=azure-node-latest&preserve-view=true)| [npm package dependency form-recognizer 3.1.0](https://www.npmjs.com/package/@azure/ai-form-recognizer) |

+ **azure-ai-form-recognizer-formrecognizerclient-beginrecognizeidentitydocumentsfromurl**

+ **beginRecognizeIdDocuments**

+* Split **FormField** type into several different interfaces. This update shouldn't cause any API compatibility issues except in certain edge cases (undefined valueType).

+This guide describes how to migrate or convert Azure Storage accounts to add availability zone support.

+By default, data in a storage account is replicated in a single data center in the primary region. If your application must be highly available, you can convert the data in the primary region to zone-redundant storage (ZRS). ZRS takes advantage of Azure availability zones to replicate data in the primary region across three separate data centers.

+This article describes two basic options for adding availability zone support to a storage account:

+- [Conversion](#option-1-conversion): If your application must be highly available, you can convert the data in the primary region to zone-redundant storage (ZRS). ZRS takes advantage of Azure availability zones to replicate data in the primary region across three separate data centers.

+- [Manual migration](#option-2-manual-migration): Manual migration gives you complete control over the migration process by allowing you to use tools such as AzCopy move to a new storage account with the desired replication settings at the time of your choosing.

+> [!NOTE]

+> For complete details on how to change how your storage account is replicated, see [Change how a storage account is replicated](../storage/common/redundancy-migration.md).

+Before making any changes, review the [limitations for changing replication types](../storage/common/redundancy-migration.md#limitations-for-changing-replication-types) to make sure your storage account is eligible for migration or conversion, and to understand the options available to you. Many storage accounts can be converted directly to ZRS, while others either require a multi-step process or a manual migration. After reviewing the limitations, choose the right option in this article to convert your storage account based on:

+- [Storage account type](../storage/common/redundancy-migration.md#storage-account-type)

+- [Region](../storage/common/redundancy-migration.md#region)

+- [Access tier](../storage/common/redundancy-migration.md#access-tier)

+- [Protocols enabled](../storage/common/redundancy-migration.md#protocol-support)

+- [Failover status](../storage/common/redundancy-migration.md#failover-and-failback)

+During a conversion to ZRS, you can access data in your storage account with no loss of durability or availability. [The Azure Storage SLA](https://azure.microsoft.com/support/legal/sla/storage/) is maintained during the conversion process and there is no data loss. Service endpoints, access keys, shared access signatures, and other account options remain unchanged after the conversion.

+If you choose manual migration, some downtime is required, but you have more control over when the process starts and completes.

+## Option 1: Conversion

+During a conversion, you can access data in your storage account with no loss of durability or availability. [The Azure Storage SLA](https://azure.microsoft.com/support/legal/sla/storage/) is maintained during the migration process and there is no data loss associated with a conversion. Service endpoints, access keys, shared access signatures, and other account options remain unchanged after the migration.

+### When to perform a conversion

+Perform a conversion if:

+- You want to convert your storage account from LRS to ZRS in the primary region with no application downtime.

+- You don't need the change to be completed by a certain date. While Microsoft handles your request for conversion promptly, there's no guarantee as to when it will complete. Generally, the more data you have in your account, the longer it takes to replicate that data.

+- You want to minimize the amount of manual effort required to complete the change.

+### Conversion considerations

+Conversion can be used in most situations to add availability zone support, but in some cases you will need to use multiple steps or perform a manual migration. For example, if you also want to add or remove geo-redundancy (GRS) or read access (RA) to the secondary region, you will need to perform a two-step process. Perform the conversion to ZRS as one step and the GRS and/or RA change as a separate step. These steps can be performed in any order.

+A full list of things to consider can be found in [Limitations](../storage/common/redundancy-migration.md#limitations-for-changing-replication-types).

+### How to perform a conversion

+A conversion can be accomplished in one of two ways:

+- [A Customer-initiated conversion (preview)](#customer-initiated-conversion-preview)

+- [Request a conversion by creating a support request](#request-a-conversion-by-creating-a-support-request)

+#### Customer-initiated conversion (preview)

+> [!IMPORTANT]

+> Customer-initiated conversion is currently in preview, but is not available in the following regions:

+>

+> - (Europe) West Europe

+> - (Europe) UK South

+> - (North America) Canada Central

+> - (North America) East US

+> - (North America) East US 2

+>

+> This preview version is provided without a service level agreement, and might not be suitable for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+Customer-initiated conversion adds a new option for customers to start a conversion. Now, instead of needing to open a support request, customers can request the conversion directly from within the Azure portal. Once initiated, the conversion could still take up to 72 hours to actually begin, but potential delays related to opening and managing a support request are eliminated.

+Customer-initiated conversion is only available from the Azure portal, not from PowerShell or the Azure CLI. To initiate the conversion, follow these steps:

+1. Navigate to your storage account in the Azure portal.

+1. Under **Data management** select **Redundancy**.

+1. Update the **Redundancy** setting.

+1. Select **Save**.

+ :::image type="content" source="../storage/common/media/redundancy-migration/change-replication-option.png" alt-text="Screenshot showing how to change replication option in portal." lightbox="../storage/common/media/redundancy-migration/change-replication-option.png":::

+#### Request a conversion by creating a support request

+Customers can still request a conversion by opening a support request with Microsoft.

+> [!IMPORTANT]

+> If you need to convert more than one storage account, create a single support ticket and specify the names of the accounts to convert on the **Additional details** tab.

+Follow these steps to request a conversion from Microsoft:

+1. In the Azure portal, navigate to a storage account that you want to convert.

+1. Under **Support + troubleshooting**, select **New Support Request**.

+1. Complete the **Problem description** tab based on your account information:

+ - **Summary**: (some descriptive text).

+ - **Issue type**: Select **Technical**.

+ - **Subscription**: Select your subscription from the drop-down.

+ - **Service**: Select **My Services**, then **Storage Account Management** for the **Service type**.

+ - **Resource**: Select a storage account to convert. If you need to specify multiple storage accounts, you can do so on the **Additional details** tab.

+ - **Problem type**: Choose **Data Migration**.

+ - **Problem subtype**: Choose **Migrate to ZRS, GZRS, or RA-GZRS**.

+ :::image type="content" source="../storage/common/media/redundancy-migration/request-live-migration-problem-desc-portal.png" alt-text="Screenshot showing how to request a conversion - Problem description tab.":::

+1. Select **Next**. The **Recommended solution** tab might be displayed briefly before it switches to the **Solutions** page. On the **Solutions** page, you can check the eligibility of your storage account(s) for conversion:

+ - **Target replication type**: (choose the desired option from the drop-down)

+ - **Storage accounts from**: (enter a single storage account name or a list of accounts separated by semicolons)

+ - Select **Submit**.

+ :::image type="content" source="../storage/common/media/redundancy-migration/request-live-migration-solutions-portal.png" alt-text="Screenshot showing how to check the eligibility of your storage account(s) for conversion - Solutions page.":::

+1. Take the appropriate action if the results indicate your storage account is not eligible for conversion. If it is eligible, select **Return to support request**.

+1. Select **Next**. If you have more than one storage account to migrate, then on the **Details** tab, specify the name for each account, separated by a semicolon.

+ :::image type="content" source="../storage/common/media/redundancy-migration/request-live-migration-details-portal.png" alt-text="Screenshot showing how to request a conversion - Additional details tab.":::

+1. Fill out the additional required information on the **Additional details** tab, then select **Review + create** to review and submit your support ticket. A support person will contact you to provide any assistance you may need.

+## Option 2: Manual migration

+A manual migration provides more flexibility and control than a conversion. You can use this option if you need the migration to complete by a certain date, or if conversion is [not supported for your scenario](../storage/common/redundancy-migration.md#limitations-for-changing-replication-types). Manual migration is also useful when moving a storage account to another region. See [Move an Azure Storage account to another region](../storage/common/storage-account-move.md) for more details.

+### When to use a manual migration

+Use a manual migration if:

+- You need the migration to be completed by a certain date.

+- You want to migrate your data to a ZRS storage account that's in a different region than the source account.

+- You want to add or remove zone-redundancy and you don't want to use the customer-initiated migration feature in preview.

+- Your storage account is a premium page blob or block blob account.

+- Your storage account includes data that's in the archive tier.

+### How to manually migrate Azure Storage accounts

+To manually migration your Azure Storage accounts:

+1. Create a new storage account in the primary region with zone redundant storage (ZRS) as the redundancy setting.

+1. Copy the data from your existing storage account to the new storage account. To perform a copy operation, use one of the following options:

+ - **Option 1:** Copy data by using an existing tool such as [AzCopy](../storage/common/storage-use-azcopy-v10.md), [Azure Data factory](../data-factory/connector-azure-blob-storage.md?tabs=data-factory), one of the Azure Storage client libraries, or a reliable third-party tool.

+ - **Option 2:** If you're familiar with Hadoop or HDInsight, you can attach both the source storage account and destination storage account to your cluster. Then, parallelize the data copy process with a tool like [DistCp](https://hadoop.apache.org/docs/r1.2.1/distcp.html).

+1. Determine which type of replication you need and follow the directions in [Change how a storage account is replicated](../storage/common/redundancy-migration.md).

+For detailed guidance on changing the replication configuration for an Azure Storage account from any type to any other type, see:

+> [!div class="nextstepaction"]

+> [Change how a storage account is replicated](../storage/common/redundancy-migration.md)

+> [Move an Azure Storage account to another region](../storage/common/storage-account-move.md)

+App Configuration is designed to store any configuration data that you would normally save in configuration files or environment variables. However, some types of data may be better suited to reside in other sources. For example, store secrets in Key Vault, files in Azure Storage, membership information in Azure AD groups, or customer lists in a database.

+ Title: Private connectivity for Azure Arc-enabled Kubernetes clusters using private link (preview)

+# Private connectivity for Arc-enabled Kubernetes clusters using private link (preview)

+> The Azure Arc Private Link feature is currently in PREVIEW in all regions where Azure Arc-enabled Kubernetes is present, except South East Asia.

+1. Optionally, deploy private endpoints for other Azure services your Azure Arc-enabled Kubernetes cluster is managed by, such as Azure Monitor.

+ | Setting | Azure AD rule | Azure Resource Manager rule | AzureFrontDoorFirstParty rule | Microsoft Container Registry rule |

+ | Name | AllowAADOutboundAccess | AllowAzOutboundAccess | AllowAzureFrontDoorFirstPartyAccess | AllowMCROutboundAccess

+> Configuring private links for Azure Arc-enabled Kubernetes clusters is supported starting from version 1.3.0 of the `connectedk8s` CLI extension, but requires Azure CLI version greater than 2.3.0. If you use a version greater than 1.3.0 for the `connectedk8s` CLI extension, we have introduced validations to check and successfully connect the cluster to Azure Arc only if you're running Azure CLI version greater than 2.3.0.

+If the deletion process hangs, use the following command to force deletion (adding `-y` if you want to bypass the confirmation prompt):

+```azurecli

+az connectedk8s delete -g AzureArcTest1 -n AzureArcTest --force

+```

+This command can also be used if you experience issues when creating a new cluster deployment (due to previously created resources not being completely removed).

+* Read and write permissions on these resource types:

+ * `Microsoft.KubernetesConfiguration/extensions`

+ * `Microsoft.KubernetesConfiguration/fluxConfigurations`

+[`getContainerVersions(ID, options)`](https://fluidframework.com/docs/apis/azure-client/azureclient-class#getcontainerversions-method)

+[`copyContainer(ID, containerSchema)`](https://fluidframework.com/docs/apis/azure-client/azureclient-class#copycontainer-method)

+You can run tests using the local [@fluidframework/azure-local-service](https://www.npmjs.com/package/@fluidframework/azure-local-service) or using a test tenant in Azure Fluid Relay service. [AzureClient](https://fluidframework.com/docs/apis/azure-client/azureclient-class) can be configured to connect to both a remote service and a local service, which enables you to use a single client type between tests against live and local service instances. The only difference is the configuration used to create the client.

+When you create a document in Azure Fluid Relay, the JWT provided by the [ITokenProvider](https://fluidframework.com/docs/apis/azure-client/itokenprovider-interface) for the creation request can only be used once. After creating a document, the client must generate a new JWT that contains the document ID provided by the service at creation time. If an application has an authorization service that manages document access control, it will need to know who created a document with a given ID in order to authorize the generation of a new JWT for access to that document.

+An application can tie into the document creation lifecycle by implementing a public [documentPostCreateCallback()](https://fluidframework.com/docs/apis/azure-client/itokenprovider-interface#documentpostcreatecallback-methodsignature) method in its `TokenProvider`. This callback will be triggered directly after creating the document, before a client requests the new JWT it needs to gain read/write permissions to the document that was created.

+This example implementation below extends the [AzureFunctionTokenProvider](https://fluidframework.com/docs/apis/azure-client/azurefunctiontokenprovider-class) and uses the [axios](https://www.npmjs.com/package/axios) library to make a HTTP request to the Azure Function used for generating tokens.

+ var emailObject = JsonSerializer.Deserialize<OutgoingEmail>(Encoding.UTF8.GetString(email.Body));

+ message = new SendGridMessage();

+ message.AddTo(emailObject.To);

+ message.AddContent("text/html", emailObject.Body);

+ message.SetFrom(new EmailAddress(emailObject.From));

+ message.SetSubject(emailObject.Subject);

+ var emailObject = JsonSerializer.Deserialize<OutgoingEmail>(Encoding.UTF8.GetString(email.Body));

+ var message = new SendGridMessage();

+ message.AddTo(emailObject.To);

+ message.AddContent("text/html", emailObject.Body);

+ message.SetFrom(new EmailAddress(emailObject.From));

+ message.SetSubject(emailObject.Subject);

+ await messageCollector.AddAsync(message);

+ public string To { get; set; }

+ public string From { get; set; }

+ public string Subject { get; set; }

+ public string Body { get; set; }

+[Update your extensions]: ./functions-bindings-register.md

+The `maxAutoRenewDuration` is configurable in *host.json*, which maps to [OnMessageOptions.MaxAutoRenewDuration](/dotnet/api/microsoft.azure.servicebus.messagehandleroptions.maxautorenewduration). The default value of this setting is 5 minutes.

+public void warmup( @WarmupTrigger Object warmupContext, ExecutionContext context) {

+ context.getLogger().info("Function App instance is warm 🌞🌞🌞");

+|[Visual Studio Code](functions-develop-vs-code.md)| [C# (in-process)](functions-dotnet-class-library.md)<br/>[C# (isolated process)](dotnet-isolated-process-guide.md)<br/>[JavaScript](functions-reference-node.md)<br/>[PowerShell](./create-first-function-vs-code-powershell.md)<br/>[Python](functions-reference-python.md) | The [Azure Functions extension for VS Code](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions) adds Functions support to VS Code. Requires the Core Tools. Supports development on Linux, macOS, and Windows, when using version 2.x of the Core Tools. To learn more, see [Create your first function using Visual Studio Code](./create-first-function-vs-code-csharp.md). |

+| [Command prompt or terminal](functions-run-local.md) | [C# (in-process)](functions-dotnet-class-library.md)<br/>[C# (isolated process)](dotnet-isolated-process-guide.md)<br/>[JavaScript](functions-reference-node.md)<br/>[PowerShell](functions-reference-powershell.md)<br/>[Python](functions-reference-python.md) | [Azure Functions Core Tools] provides the core runtime and templates for creating functions, which enable local development. Version 2.x supports development on Linux, macOS, and Windows. All environments rely on Core Tools for the local Functions runtime. |

+| [Visual Studio](functions-develop-vs.md) | [C# (in-process)](functions-dotnet-class-library.md)<br/>[C# (isolated process)](dotnet-isolated-process-guide.md) | The Azure Functions tools are included in the **Azure development** workload of [Visual Studio](https://www.visualstudio.com/vs/), starting with Visual Studio 2019. Lets you compile functions in a class library and publish the .dll to Azure. Includes the Core Tools for local testing. To learn more, see [Develop Azure Functions using Visual Studio](functions-develop-vs.md). |

+The local.settings.json file stores app settings and settings used by local development tools. Settings in the local.settings.json file are used only when you're running your project locally. When you publish your project to Azure, be sure to also add any required settings to the app settings for the function app.

+## Synchronize settings

+When you develop your functions locally, any local settings required by your app must also be present in app settings of the function app to which your code is deployed. You may also need to download current settings from the function app to your local project. While you can [manually configure app settings in the Azure portal](functions-how-to-use-azure-function-app-settings.md?tabs=portal#settings), the following tools also let you synchronize app settings with local settings in your project:

+ + [C# (in-process)](create-first-function-vs-code-csharp.md)

+ + [C# )isolated process)](create-first-function-vs-code-csharp.md?tabs=isolated-process)

+|Node 12|30 Apr 2022|13 December 2022|

+ "AutoStop_Description": "Alert to stop the VM if the CPU % falls below the threshold",

+ "AutoStop_Description": "Alert to stop the VM if the CPU % falls below the threshold",

+ "AutoStop_Description": "Alert to stop the VM if the CPU % falls below the threshold",

+Heat maps, also known as density maps, are a type of overlay on a map used to represent the density of data using different colors. Heat maps are often used to show the data "hot spots" on a map. Heat maps are a great way to render datasets with large number of points. Displaying a large number of data points on a map will result in a degradation in performance and can cover it with overlapping symbols, making it unusable. Rendering the data as a heat map results not only in better performance, it helps you make better sense of the data by making it easy to see the relative density of each data point.

+| Units | The distance units of the radius. Possible values are:<br /><br />**pixels**. When set to pixels the size of each data point will always be the same, regardless of zoom level.<br />**meters**. When set to meters, the size of the data points will scale based on zoom level based on the equivalent pixel distance at the equator, providing better relativity between neighboring points. However, due to the Mercator projection, the actual radius of coverage in meters at a given latitude will be smaller than this specified radius.<br /><br /> Default: **pixels** |

+description: Learn about the schema of the JSON that's posted to a webhook URL when an activity log alert activates.

+> You can also use the [common alert schema](./alerts-common-schema.md) for your webhook integrations. It provides the advantage of having a single extensible and unified alert payload across all the alert services in Azure Monitor. [Learn about the common alert schema definitions](./alerts-common-schema-definitions.md)ΓÇï.

+The JSON payload contained in the POST operation differs based on the payload's `data.context.activityLog.eventSource` field.

+> Currently, the description that's part of the activity log event is copied to the fired `Alert Description` property.

+> To align the activity log payload with other alert types, as of April 1, 2021, the fired alert property `Description` contains the alert rule description instead.

+> In preparation for that change, we created a new property, `Activity Log Event Description`, to the activity log fired alert. This new property is filled with the `Description` property that's already available for use. So, the new field `Activity Log Event Description` contains the description that's part of the activity log event.

+> Review your alert rules, action rules, webhooks, logic app, or any other configurations where you might be using the `Description` property from the fired alert. Replace the `Description` property with the `Activity Log Event Description` property.

+> If your condition in your action rules, webhooks, logic app, or any other configurations is currently based on the `Description` property for activity log alerts, you might need to modify it to be based on the `Activity Log Event Description` property instead.

+> To fill the new `Description` property, you can add a description in the alert rule definition.

+> 

+For specific schema details on service health notification activity log alerts, see [Service health notifications](../../service-health/service-notifications.md). You can also learn how to [configure service health webhook notifications with your existing problem management solutions](../../service-health/service-health-alert-webhook-guide.md).

+| status |Used for metric alerts. Always set to `activated` for activity log alerts. |

+| resourceProviderName |The resource provider of the affected resource. |

+| conditionType |Always `Event`. |

+| resourceId |Resource ID of the affected resource. |

+| resourceGroupName |Name of the resource group for the affected resource. |

+| category |Category of the event. Supported values include `Administrative`, `Alert`, `Security`, `ServiceHealth`, and `Recommendation`. |

+| correlationId |Usually a GUID in string format. Events with `correlationId` belong to the same larger action and usually share a `correlationId`. |

+| httpRequest |The request usually includes the `clientRequestId`, `clientIpAddress`, and HTTP method (for example, PUT). |

+| level |One of the following values: `Critical`, `Error`, `Warning`, and `Informational`. |

+| operationId |Usually a GUID shared among the events corresponding to a single operation. |

+| status |String. Status of the operation. Common values include `Started`, `In Progress`, `Succeeded`, `Failed`, `Active`, and `Resolved`. |

+| subStatus |Usually includes the HTTP status code of the corresponding REST call. It might also include other strings that describe a substatus. Common substatus values include `OK` (HTTP Status Code: 200), `Created` (HTTP Status Code: 201), `Accepted` (HTTP Status Code: 202), `No Content` (HTTP Status Code: 204), `Bad Request` (HTTP Status Code: 400), `Not Found` (HTTP Status Code: 404), `Conflict` (HTTP Status Code: 409), `Internal Server Error` (HTTP Status Code: 500), `Service Unavailable` (HTTP Status Code: 503), and `Gateway Timeout` (HTTP Status Code: 504). |

+* [Execute Azure Automation scripts (Runbooks) on Azure alerts](https://go.microsoft.com/fwlink/?LinkId=627081).

+description: This article explains the common alert schema definitions for Azure Monitor.

+This article describes the [common alert schema definitions](./alerts-common-schema.md) for Azure Monitor. It includes the definitions for webhooks, Azure Logic Apps, Azure Functions, and Azure Automation runbooks.

+* **Essentials**: A set of standardized fields that are common across all alert types. Fields describe what resource the alert is on, along with other common alert metadata. Examples are severity or description.

+* **Alert context**: A set of fields that describe the cause of the alert. Fields vary based on the alert type. For example, a metric alert includes fields like the metric name and metric value in the alert context. An activity log alert has information about the event that generated the alert.

+| alertId | The unique resource ID that identifies the alert instance. |

+| Severity | The severity of the alert. Possible values are Sev0, Sev1, Sev2, Sev3, or Sev4. |

+| signalType | Identifies the signal on which the alert rule was defined. Possible values are Metric, Log, or Activity Log. |

+| configurationItems |The list of affected resources of an alert.<br>In some cases, the configuration items can be different from the alert targets. For example, in metric-for-log or log alerts defined on a Log Analytics workspace, the configuration items are the actual resources sending the telemetry and not the workspace.<br><ul><li>In the log alerts API (Scheduled Query Rules) v2021-08-01, the `configurationItem` values are taken from explicitly defined dimensions in this priority: `Computer`, `_ResourceId`, `ResourceId`, `Resource`.</li><li>In earlier versions of the log alerts API, the `configurationItem` values are taken implicitly from the results in this priority: `Computer`, `_ResourceId`, `ResourceId`, `Resource`.</li></ul>In ITSM systems, the `configurationItems` field is used to correlate alerts to resources in a configuration management database. |

+The following fields describe the cause of an alert.

+> For log alerts that have a custom email subject and/or JSON payload defined, enabling the common schema reverts email subject and/or payload schema to the one described as follows. This means that if you want to have a custom JSON payload defined, the webhook can't use the common alert schema. Alerts with the common schema enabled have an upper size limit of 256 KB per alert. Search results aren't embedded in the log alerts payload if they cause the alert size to cross this threshold. You can determine this by checking the flag `IncludedSearchResults`. When the search results aren't included, use `LinkToFilteredSearchResultsAPI` or `LinkToSearchResultsAPI` to access query results with the [Log Analytics API](/rest/api/loganalytics/dataaccess/query/get).

+> Log alerts rules from API version 2020-05-01 use this payload type, which only supports common schema. Search results aren't embedded in the log alerts payload when you use this version. Use [dimensions](./alerts-unified-log.md#split-by-alert-dimensions) to provide context to fired alerts. You can also use `LinkToFilteredSearchResultsAPI` or `LinkToSearchResultsAPI` to access query results with the [Log Analytics API](/rest/api/loganalytics/dataaccess/query/get). If you must embed the results, use a logic app with the provided links to generate a custom payload.

+ - We recommend using [Dimensions](alerts-types.md#narrow-the-target-by-using-dimensions). Dimensions provide the column value that fired the alert, giving you context for why the alert fired and how to fix the issue.

+ Title: Types of Azure Monitor alerts

+This article describes the kinds of Azure Monitor alerts you can create and helps you understand when to use each type of alert.

+Azure Monitor has four types of alerts:

+## Choose the right alert type

+This table can help you decide when to use each type of alert. For more information about pricing, see the [pricing page](https://azure.microsoft.com/pricing/details/monitor/).

+|Alert type |When to use |Pricing information|

+|Metric alert|Metric alerts are useful when you want to be alerted about data that requires little or no manipulation. Metric data is stored in the system already pre-computed, so metric alerts are less expensive than log alerts. If the data you want to monitor is available in metric data, we recommend that you use metric alerts.|Each metric alert rule is charged based on the number of time series that are monitored. |

+|Log alert|Log alerts allow you to perform advanced logic operations on your data. If the data you want to monitor is available in logs, or requires advanced logic, you can use the robust features of KQL for data manipulation by using log alerts. Log alerts are more expensive than metric alerts.|Each log alert rule is billed based on the interval at which the log query is evaluated. More frequent query evaluation results in a higher cost. For log alerts configured for [at-scale monitoring](#splitting-by-dimensions-in-log-alert-rules), the cost also depends on the number of time series created by the dimensions resulting from your query. |

+|Activity log alert|Activity logs provide auditing of all actions that occurred on resources. Use activity log alerts to receive an alert when a resource experiences a specific event. Examples are a restart, a shutdown, or the creation or deletion of a resource.|For more information, see the [pricing page](https://azure.microsoft.com/pricing/details/monitor/).|

+You can create rules by using these metrics:

+- You can add granularity by [monitoring multiple metric dimensions](#narrow-the-target-by-using-dimensions).

+- You can use [dynamic thresholds](#dynamic-thresholds) driven by machine learning.

+- A single resource, such as a VM. For supported resource types, see [Supported resources for metric alerts in Azure Monitor](alerts-metric-near-real-time.md).

+When you create an alert rule for a single resource, you can apply multiple conditions. For example, you could create an alert rule to monitor an Azure virtual machine and alert when both "Percentage CPU is higher than 90%" and "Queue length is over 300 items." When an alert rule has multiple conditions, the alert fires when all the conditions in the alert rule are true. The alert resolves when at least one of the conditions is no longer true for three consecutive checks.

+### Narrow the target by using dimensions

+Dimensions are name-value pairs that contain more data about the metric value. Using dimensions allows you to filter the metrics and monitor specific time-series, instead of monitoring the aggregate of all the dimensional values.

+For example, the transactions metric of a storage account can have an API name dimension that contains the name of the API called by each transaction. Examples are GetBlob, DeleteBlob, and PutPage. You can choose to have an alert fired when there's a high number of transactions in any API name, which is the aggregated data. Or you can use dimensions to further break it down to alert only when the number of transactions is high for specific API names.

+If you use more than one dimension, the metric alert rule can monitor multiple dimension values from different dimensions of a metric. The alert rule separately monitors all the dimension value combinations.

+For instructions on how to use dimensions in metric alert rules, see [Monitor multiple time series in a single metric alert rule](alerts-metric-multiple-time-series-single-rule.md).

+### Create resource-centric alerts by splitting by dimensions

+To monitor for the same condition on multiple Azure resources, you can use the technique of splitting by dimensions. Splitting by dimensions allows you to create resource-centric alerts at scale for a subscription or resource group. Alerts are split into separate alerts by grouping combinations. Splitting on the Azure resource ID column makes the specified resource into the alert target.

+You might also decide not to split when you want a condition applied to multiple resources in the scope. For example, you might want to fire an alert if at least five machines in the resource group scope have CPU usage over 80%.

+Platform metrics are supported in the Azure cloud for the following

+| Azure Virtual Machines | Yes |Yes | Yes |

+| SQL Server databases | Yes | Yes | Yes |

+| SQL Server elastic pools | Yes | Yes | Yes |

+| Azure NetApp Files capacity pools | Yes | Yes | Yes |

+| Azure NetApp Files volumes | Yes | Yes | Yes |

+| Azure Key Vault | Yes | Yes | Yes |

+| Azure Database for PostgreSQL - Flexible servers | Yes | Yes | Yes |

+ > Multi-resource metric alerts aren't supported for the following scenarios:

+ >

+ > - Alerting on virtual machines' guest metrics.

+ > - Alerting on virtual machines' network metrics. These metrics include Network In Total, Network Out Total, Inbound Flows, Outbound Flows, Inbound Flows Maximum Creation Rate, and Outbound Flows Maximum Creation Rate.

+You can specify the scope of monitoring with a single metric alert rule in one of three ways. For example, with virtual machines you can specify the scope as:

+- A list of virtual machines in one Azure region within a subscription.

+- All virtual machines in one Azure region in one or more resource groups in a subscription.

+- All virtual machines in one Azure region in a subscription.

+Dynamic thresholds use advanced machine learning to:

+- Learn the historical behavior of metrics.

+- Identify patterns and adapt to metric changes over time, such as hourly, daily, or weekly patterns.

+- Recognize anomalies that indicate possible service issues.

+- Calculate the most appropriate threshold for the metric.

+Machine learning continuously uses new data to learn more and make the threshold more accurate. The system adapts to the metrics' behavior over time and alerts based on deviations from its pattern. For this reason, you don't have to know the "right" threshold for each metric.

+- Create rules without having to know what threshold to configure.

+- Configure metric alerts by using high-level concepts without extensive domain knowledge about the metric.

+- Prevent noisy (low precision) or wide (low recall) thresholds that donΓÇÖt have an expected pattern.

+For instructions on how to use dynamic thresholds in metric alert rules, see [Dynamic thresholds in metric alerts](alerts-dynamic-thresholds.md).

+- A single resource, such as a VM.

+- Multiple resources of the same type in the same Azure region, such as a resource group. This capability is currently available for selected resource types.

+- Multiple resources using [cross-resource query](../logs/cross-workspace-query.md#querying-across-log-analytics-workspaces-and-from-application-insights).

+- **Table rows**: The number of rows returned can be used to work with events such as Windows event logs, Syslog, and application exceptions.

+- **Calculation of a numeric column**: Calculations based on any numeric column can be used to include any number of resources. An example is CPU percentage.

+> Log alerts work best when you're trying to detect specific data in the logs, as opposed to when you're trying to detect a lack of data in the logs. Because logs are semi-structured data, they're inherently more latent than metric data on information like a VM heartbeat. To avoid misfires when you're trying to detect a lack of data in the logs, consider using [metric alerts](#metric-alerts). You can send data to the metric store from logs by using [metric alerts for logs](alerts-metric-logs.md).

+You can use dimensions when you create log alert rules to monitor the values of multiple instances of a resource with one rule. For example, you can monitor CPU usage on multiple instances running your website or app. Each instance is monitored individually and notifications are sent for each instance.

+To monitor for the same condition on multiple Azure resources, you can use the technique of splitting by dimensions. Splitting by dimensions allows you to create resource-centric alerts at scale for a subscription or resource group. Alerts are split into separate alerts by grouping combinations using numerical or string columns. Splitting on the Azure resource ID column makes the specified resource into the alert target.

+You might also decide not to split when you want a condition applied to multiple resources in the scope. For example, you might want to fire an alert if at least five machines in the resource group scope have CPU usage over 80%.

+### Use the API

+Manage new rules in your workspaces by using the [ScheduledQueryRules](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules) API.

+> Log alerts for Log Analytics was previously managed by using the legacy [Log Analytics Alert API](api-alerts.md). Learn more about [switching to the current scheduledQueryRules API](alerts-log-api-switch.md).

+Log alerts are listed under the resource provider `microsoft.insights/scheduledqueryrules` with:

+- Log alerts on Application Insights shown with the exact resource name along with resource group and alert properties.

+- Log alerts on Log Analytics shown with the exact resource name along with resource group and alert properties when they're created by using the scheduledQueryRules API.

+- Log alerts created from the [legacy Log Analytics API](./api-alerts.md) aren't tracked in [Azure Resources](../../azure-resource-manager/management/overview.md) and don't have enforced unique resource names. These alerts are still created on `microsoft.insights/scheduledqueryrules` as hidden resources. They have the resource naming structure `<WorkspaceName>|<savedSearchId>|<scheduleId>|<ActionId>`. Log alerts on the legacy API are shown with the preceding hidden resource name along with resource group and alert properties.

+> [!NOTE]

+>

+> Unsupported resource characters such as <, >, %, &, \, ?, and / are replaced with an underscore character (_) in the hidden resource names. This change also appears in the billing information.

+An activity log alert monitors a resource by checking the activity logs for a new activity log event that matches the defined conditions.

+You might want to use activity log alerts for these types of scenarios:

+- When a specific operation occurs on resources in a specific resource group or subscription. For example, you might want to be notified when:

+ - Any virtual machine in a production resource group is deleted.

+- When a service health event occurs. Service health events include notifications of incidents and maintenance events that apply to resources in your subscription.

+- Any of the activity log [event categories](../essentials/activity-log-schema.md), other than on alert events.

+- Any activity log event in a top-level property in the JSON object.

+Activity log alert rules are Azure resources, so you can use an Azure Resource Manager template to create them. You can also create, update, or delete activity log alert rules in the Azure portal.

+## Smart detection alerts

+After you set up Application Insights for your project, your app begins to generate data. Based on this data, Smart Detection takes 24 hours to learn the normal behavior of your app. Your app's performance has a typical pattern of behavior. Some requests or dependency calls will be more prone to failure than others. The overall failure rate might go up as load increases.

+Smart Detection uses machine learning to find these anomalies. Smart Detection monitors the data received from your app, and especially the failure rates. Application Insights automatically alerts you in near real time if your web app experiences an abnormal rise in the rate of failed requests.

+As data comes into Application Insights from your web app, Smart Detection compares the current behavior with the patterns seen over the past few days. If there's an abnormal rise in failure rate compared to previous performance, an analysis is triggered. To help you triage and diagnose the problem, an analysis of the characteristics of the failures and related application data is provided in the alert details. There are also links to the Application Insights portal for further diagnosis. The feature doesn't need setup or configuration because it uses machine learning algorithms to predict the normal failure rate.

+Metric alerts tell you there might be a problem, but Smart Detection starts the diagnostic work for you. It performs much of the analysis you would otherwise have to do yourself. You get the results neatly packaged, which helps you get to the root of the problem quickly.

+Smart Detection works for web apps hosted in the cloud or on your own servers that generate application requests or dependency data.

+ Title: Use the Log Analytics Alert REST API

+description: The Log Analytics Alert REST API allows you to create and manage alerts in Log Analytics. This article provides details about the API and examples for performing different operations.

+# Create and manage alert rules in Log Analytics with REST API

+> As [announced](https://azure.microsoft.com/updates/switch-api-preference-log-alerts/), Log Analytics workspaces created after *June 1, 2019* manage alert rules by using the current [scheduledQueryRules API](/rest/api/monitor/scheduledqueryrule-2021-08-01/scheduled-query-rules). Customers are encouraged to [switch to the current API](./alerts-log-api-switch.md) in older workspaces to take advantage of Azure Monitor scheduledQueryRules [benefits](./alerts-log-api-switch.md#benefits). This article describes management of alert rules by using the legacy API.

+The Log Analytics Alert REST API allows you to create and manage alerts in Log Analytics. This article provides details about the API and several examples for performing different operations.

+The Log Analytics Search REST API is RESTful and can be accessed via the Azure Resource Manager REST API. In this article, you'll find examples where the API is accessed from a PowerShell command line by using [ARMClient](https://github.com/projectkudu/ARMClient). This open-source command-line tool simplifies invoking the Azure Resource Manager API.

+The use of ARMClient and PowerShell is one of many options you can use to access the Log Analytics Search API. With these tools, you can utilize the RESTful Azure Resource Manager API to make calls to Log Analytics workspaces and perform search commands within them. The API outputs search results in JSON format so that you can use the search results in many different ways programmatically.

+Currently, alerts can only be created with a saved search in Log Analytics. For more information, see the [Log Search REST API](../logs/log-query-overview.md).

+A saved search can have one or more schedules. The schedule defines how often the search is run and the time interval over which the criteria are identified. Schedules have the properties described in the following table:

+| `Interval` |How often the search is run. Measured in minutes. |

+| `QueryTimeSpan` |The time interval over which the criteria are evaluated. Must be equal to or greater than `Interval`. Measured in minutes. |

+| `Version` |The API version being used. Currently, this setting should always be `1`. |

+For example, consider an event query with an `Interval` of 15 minutes and a `Timespan` of 30 minutes. In this case, the query would be run every 15 minutes. An alert would be triggered if the criteria continued to resolve to `true` over a 30-minute span.

+### Retrieve schedules

+The following sample response is for a schedule:

+### Create a schedule

+Use the Put method with a unique schedule ID to create a new schedule. Two schedules can't have the same ID even if they're associated with different saved searches. When you create a schedule in the Log Analytics console, a GUID is created for the schedule ID.

+### Edit a schedule

+Use the Put method with an existing schedule ID for the same saved search to modify that schedule. In the following example, the schedule is disabled. The body of the request must include the *etag* of the schedule.

+### Delete schedules

+A schedule can have multiple actions. An action might define one or more processes to perform, such as sending an email or starting a runbook. An action also might define a threshold that determines when the results of a search match some criteria. Some actions will define both so that the processes are performed when the threshold is met.

+All actions have the properties described in the following table. Different types of alerts have other different properties, which are described in the following table:

+| `Type` |Type of the action. Currently, the possible values are `Alert` and `Webhook`. |

+| `Version` |The API version being used. Currently, this setting should always be `1`. |

+### Retrieve actions

+### Create or edit actions

+Use the Put method with an action ID that's unique to the schedule to create a new action. When you create an action in the Log Analytics console, a GUID is for the action ID.

+Use the Put method with an existing action ID for the same saved search to modify that schedule. The body of the request must include the etag of the schedule.

+The request format for creating a new action varies by action type, so these examples are provided in the following sections.

+### Delete actions

+### Alert actions

+A schedule should have one and only one Alert action. Alert actions have one or more of the sections described in the following table:

+| Threshold |Criteria for when the action is run.| Required for every alert, before or after they're extended to Azure. |

+| Severity |Label used to classify the alert when triggered.| Required for every alert, before or after they're extended to Azure. |

+| Suppress |Option to stop notifications from alerts. | Optional for every alert, before or after they're extended to Azure. |

+| Action groups |IDs of Azure `ActionGroup` where actions required are specified, like emails, SMSs, voice calls, webhooks, automation runbooks, and ITSM Connectors.| Required after alerts are extended to Azure.|

+| Customize actions|Modify the standard output for select actions from `ActionGroup`.| Optional for every alert and can be used after alerts are extended to Azure. |

+An Alert action should have one and only one threshold. When the results of a saved search match the threshold in an action associated with that search, any other processes in that action are run. An action can also contain only a threshold so that it can be used with actions of other types that don't contain thresholds.

+Thresholds have the properties described in the following table:

+| `Operator` |Operator for the threshold comparison. <br> gt = Greater than <br> lt = Less than |

+For example, consider an event query with an `Interval` of 15 minutes, a `Timespan` of 30 minutes, and a `Threshold` of greater than 10. In this case, the query would be run every 15 minutes. An alert would be triggered if it returned 10 events that were created over a 30-minute span.

+The following sample response is for an action with only a `Threshold`:

+Use the Put method with a unique action ID to create a new threshold action for a schedule.

+Use the Put method with an existing action ID to modify a threshold action for a schedule. The body of the request must include the etag of the action.

+Log Analytics allows you to classify your alerts into categories for easier management and triage. The Alerts severity levels are `informational`, `warning`, and `critical`. These categories are mapped to the normalized severity scale of Azure Alerts as shown in the following table:

+|Log Analytics severity level |Azure Alerts severity level |

+The following sample response is for an action with only `Threshold` and `Severity`:

+Use the Put method with a unique action ID to create a new action for a schedule with `Severity`.

+Use the Put method with an existing action ID to modify a severity action for a schedule. The body of the request must include the etag of the action.

+Log Analytics-based query alerts fire every time the threshold is met or exceeded. Based on the logic implied in the query, an alert might get fired for a series of intervals. The result is that notifications are sent constantly. To prevent such a scenario, you can set the `Suppress` option that instructs Log Analytics to wait for a stipulated amount of time before notification is fired the second time for the alert rule.

+For example, if `Suppress` is set for 30 minutes, the alert will fire the first time and send notifications configured. It will then wait for 30 minutes before notification for the alert rule is again used. In the interim period, the alert rule will continue to run. Only notification is suppressed by Log Analytics for a specified time regardless of how many times the alert rule fired in this period.

+The `Suppress` property of a Log Analytics alert rule is specified by using the `Throttling` value. The suppression period is specified by using the `DurationInMinutes` value.

+The following sample response is for an action with only `Threshold`, `Severity`, and `Suppress` properties.

+Use the Put method with a unique action ID to create a new action for a schedule with `Severity`.

+Use the Put method with an existing action ID to modify a severity action for a schedule. The body of the request must include the etag of the action.

+#### Action groups

+All alerts in Azure use action group as the default mechanism for handling actions. With an action group, you can specify your actions once and then associate the action group to multiple alerts across Azure without the need to declare the same actions repeatedly. Action groups support multiple actions like email, SMS, voice call, ITSM connection, automation runbook, and webhook URI.

+For users who have extended their alerts into Azure, a schedule should now have action group details passed along with `Threshold` to be able to create an alert. E-mail details, webhook URLs, runbook automation details, and other actions need to be defined inside an action group first before you create an alert. You can create an [action group from Azure Monitor](./action-groups.md) in the Azure portal or use the [Action Group API](/rest/api/monitor/actiongroups).

+To associate an action group to an alert, specify the unique Azure Resource Manager ID of the action group in the alert definition. The following sample illustrates the use:

+Use the Put method with a unique action ID to associate an already existing action group for a schedule. The following sample illustrates the use:

+Use the Put method with an existing action ID to modify an action group associated for a schedule. The body of the request must include the etag of the action.

+#### Customize actions

+By default, actions follow standard templates and format for notifications. But you can customize some actions, even if they're controlled by action groups. Currently, customization is possible for `EmailSubject` and `WebhookPayload`.

+##### Customize EmailSubject for an action group

+By default, the email subject for alerts is Alert Notification `<AlertName>` for `<WorkspaceName>`. But the subject can be customized so that you can specify words or tags to allow you to easily employ filter rules in your Inbox. The customized email header details need to be sent along with `ActionGroup` details, as in the following sample:

+Use the Put method with a unique action ID to associate an existing action group with customization for a schedule. The following sample illustrates the use:

+Use the Put method with an existing action ID to modify an action group associated for a schedule. The body of the request must include the etag of the action.

+##### Customize WebhookPayload for an action group

+By default, the webhook sent via an action group for Log Analytics has a fixed structure. But you can customize the JSON payload by using specific variables supported to meet requirements of the webhook endpoint. For more information, see [Webhook action for log alert rules](./alerts-log-webhook.md).

+The customized webhook details must be sent along with `ActionGroup` details. They'll be applied to all webhook URIs specified inside the action group. The following sample illustrates the use:

+Use the Put method with a unique action ID to associate an existing action group with customization for a schedule. The following sample illustrates the use:

+Use the Put method with an existing action ID to modify an action group associated for a schedule. The body of the request must include the etag of the action.

+* Learn about [log alerts in Azure Monitor](./alerts-unified-log.md).

+* Learn how to [create, edit, or manage log alert rules in Azure Monitor](./alerts-log.md).

+ Title: Convert ITSM actions that send events to ServiceNow to secure webhook actions

+description: Learn how to convert ITSM actions that send events to ServiceNow to secure webhook actions.

+# Convert ITSM actions that send events to ServiceNow to secure webhook actions

+> [!NOTE]

+> As of September 2022, we are starting the 3-year process of deprecating support of using ITSM actions to send events to ServiceNow.

+To migrate your ITSM connector to the new secure webhook integration, follow the [secure webhook configuration instructions](itsmc-secure-webhook-connections-servicenow.md).

+If you're syncing work items between ServiceNow and an Azure Log Analytics workspace (bi-directional), follow the steps below to pull data from ServiceNow into your Log Analytics workspace.

+## Pull data from your ServiceNow instance into a Log Analytics workspace

+1. [Create a logic app](../../logic-apps/quickstart-create-first-logic-app-workflow.md) in the Azure portal.

+1. Create an HTTP GET request that uses the [ServiceNow **Table** API](https://developer.servicenow.com/dev.do#!/reference/api/sandiego/rest/c_TableAPI) to retrieve data from the ServiceNow instance. [See an example](https://docs.servicenow.com/bundle/sandiego-application-development/page/integrate/inbound-rest/concept/use-REST-API-Explorer.html#t_GetStartedRetrieveExisting) of how to use the Table call to retrieve incidents.

+1. To see a list of tables in your ServiceNow instance, in ServiceNow, go to **System definitions**, then **Tables**. Example table names include: `change_request`, `em_alert`, `incident`, `em_event`.

+ :::image type="content" source="media/itsmc-convert-servicenow-to-webhook/alerts-itsmc-service-now-tables.png" alt-text="Screenshot of the Service Now tables.":::

+1. In Logic Apps, add a `Parse JSON` action on the results of the GET request you created in step 2.

+1. Add a schema for the retrieved payload. You can use the **Use sample payload to generate schema** feature. See a sample schema for a `change_request` table.

+ :::image type="content" source="media/itsmc-convert-servicenow-to-webhook/alerts-itsmc-service-now-parse-json.png" alt-text="Screenshot of a sample schema. ":::

+1. Create a [Log Analytics workspace](../logs/quick-create-workspace.md#create-a-workspace).

+1. Create a `for each` loop to insert each row of the data returned from the API into the data in the Log Analytics workspace.

+ - In the **Select an output from previous steps** section, enter the data set returned by the JSON parse action you created in step 4.

+ - Construct each row from the set that enters the loop.

+ - In the last step of the loop, use `Send data` to send the data to the Log Analytics workspace with these values.

+ - **Custom log name**: the name of the custom log you're using to save the data to the Log Analytics workspace.

+ - A connection to the LA workspace that you created in step 6.

+ :::image type="content" source="media/itsmc-convert-servicenow-to-webhook/alerts-itsmc-service-now-for-loop.png" alt-text="Screenshot showing loop that imports data into a Log Analytics workspace.":::

+The data is visible in the **Custom logs** section of your Log Analytics workspace.

+## Sample JSON schema for a change_request table

+```json

+{

+ "properties": {

+ "content": {

+ "properties": {

+ "result": {

+ "items": {

+ "properties": {

+ "active": {

+ "type": "string"

+ },

+ "activity_due": {

+ "type": "string"

+ },

+ "additional_assignee_list": {

+ "type": "string"

+ },

+ "approval": {

+ "type": "string"

+ },

+ "approval_history": {

+ "type": "string"

+ },

+ "approval_set": {

+ "type": "string"

+ },

+ "assigned_to": {

+ "properties": {

+ "link": {

+ "type": "string"

+ },

+ "value": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "assignment_group": {

+ "type": "string"

+ },

+ "backout_plan": {

+ "type": "string"

+ },

+ "business_duration": {

+ "type": "string"

+ },

+ "business_service": {

+ "type": "string"

+ },

+ "cab_date": {

+ "type": "string"

+ },

+ "cab_delegate": {

+ "type": "string"

+ },

+ "cab_recommendation": {

+ "type": "string"

+ },

+ "cab_required": {

+ "type": "string"

+ },

+ "calendar_duration": {

+ "type": "string"

+ },

+ "category": {

+ "type": "string"

+ },

+ "change_plan": {

+ "type": "string"

+ },

+ "chg_model": {

+ "type": "string"

+ },

+ "close_code": {

+ "type": "string"

+ },

+ "close_notes": {

+ "type": "string"

+ },

+ "closed_at": {

+ "type": "string"

+ },

+ "closed_by": {

+ "properties": {

+ "link": {

+ "type": "string"

+ },

+ "value": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "cmdb_ci": {

+ "properties": {

+ "link": {

+ "type": "string"

+ },

+ "value": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "comments": {

+ "type": "string"

+ },

+ "comments_and_work_notes": {

+ "type": "string"

+ },

+ "company": {

+ "type": "string"

+ },

+ "conflict_last_run": {

+ "type": "string"

+ },

+ "conflict_status": {

+ "type": "string"

+ },

+ "contact_type": {

+ "type": "string"

+ },

+ "correlation_display": {

+ "type": "string"

+ },

+ "correlation_id": {

+ "type": "string"

+ },

+ "delivery_plan": {

+ "type": "string"

+ },

+ "delivery_task": {

+ "type": "string"

+ },

+ "description": {

+ "type": "string"

+ },

+ "due_date": {

+ "type": "string"

+ },

+ "end_date": {

+ "type": "string"

+ },

+ "escalation": {

+ "type": "string"

+ },

+ "expected_start": {

+ "type": "string"

+ },

+ "follow_up": {

+ "type": "string"

+ },

+ "group_list": {

+ "type": "string"

+ },

+ "impact": {

+ "type": "string"

+ },

+ "implementation_plan": {

+ "type": "string"

+ },

+ "justification": {

+ "type": "string"

+ },

+ "knowledge": {

+ "type": "string"

+ },

+ "location": {

+ "type": "string"

+ },

+ "made_sla": {

+ "type": "string"

+ },

+ "number": {

+ "type": "string"

+ },

+ "on_hold": {

+ "type": "string"

+ },

+ "on_hold_reason": {

+ "type": "string"

+ },

+ "on_hold_task": {

+ "type": "string"

+ },

+ "opened_at": {

+ "type": "string"

+ },

+ "opened_by": {

+ "properties": {

+ "link": {

+ "type": "string"

+ },

+ "value": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "order": {

+ "type": "string"

+ },

+ "outside_maintenance_schedule": {

+ "type": "string"

+ },

+ "parent": {

+ "type": "string"

+ },

+ "phase": {

+ "type": "string"

+ },

+ "phase_state": {

+ "type": "string"

+ },

+ "priority": {

+ "type": "string"

+ },

+ "production_system": {

+ "type": "string"

+ },

+ "reason": {

+ "type": "string"

+ },

+ "reassignment_count": {

+ "type": "string"

+ },

+ "requested_by": {

+ "properties": {

+ "link": {

+ "type": "string"

+ },

+ "value": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "requested_by_date": {

+ "type": "string"

+ },

+ "review_comments": {

+ "type": "string"

+ },

+ "review_date": {

+ "type": "string"

+ },

+ "review_status": {

+ "type": "string"

+ },

+ "risk": {

+ "type": "string"

+ },

+ "risk_impact_analysis": {

+ "type": "string"

+ },

+ "route_reason": {

+ "type": "string"

+ },

+ "scope": {

+ "type": "string"

+ },

+ "service_offering": {

+ "type": "string"

+ },

+ "short_description": {

+ "type": "string"

+ },

+ "sla_due": {

+ "type": "string"

+ },

+ "start_date": {

+ "type": "string"

+ },

+ "state": {

+ "type": "string"

+ },

+ "std_change_producer_version": {

+ "type": "string"

+ },

+ "sys_class_name": {

+ "type": "string"

+ },

+ "sys_created_by": {

+ "type": "string"

+ },

+ "sys_created_on": {

+ "type": "string"

+ },

+ "sys_domain": {

+ "properties": {

+ "link": {

+ "type": "string"

+ },

+ "value": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "sys_domain_path": {

+ "type": "string"

+ },

+ "sys_id": {

+ "type": "string"

+ },

+ "sys_mod_count": {

+ "type": "string"

+ },

+ "sys_tags": {

+ "type": "string"

+ },

+ "sys_updated_by": {

+ "type": "string"

+ },

+ "sys_updated_on": {

+ "type": "string"

+ },

+ "task_effective_number": {

+ "type": "string"

+ },

+ "test_plan": {

+ "type": "string"

+ },

+ "time_worked": {

+ "type": "string"

+ },

+ "type": {

+ "type": "string"

+ },

+ "unauthorized": {

+ "type": "string"

+ },

+ "universal_request": {

+ "type": "string"

+ },

+ "upon_approval": {

+ "type": "string"

+ },

+ "upon_reject": {

+ "type": "string"

+ },

+ "urgency": {

+ "type": "string"

+ },

+ "user_input": {

+ "type": "string"

+ },

+ "watch_list": {

+ "type": "string"

+ },

+ "work_end": {

+ "type": "string"

+ },

+ "work_notes": {

+ "type": "string"

+ },

+ "work_notes_list": {

+ "type": "string"

+ },

+ "work_start": {

+ "type": "string"

+ }

+ },

+ "required": [

+ "parent",

+ "reason",

+ "watch_list",

+ "upon_reject",

+ "sys_updated_on",

+ "type",

+ "approval_history",

+ "number",

+ "test_plan",

+ "cab_delegate",

+ "requested_by_date",

+ "state",

+ "sys_created_by",

+ "knowledge",

+ "order",

+ "phase",

+ "cmdb_ci",

+ "delivery_plan",

+ "impact",

+ "active",

+ "work_notes_list",

+ "priority",

+ "sys_domain_path",

+ "cab_recommendation",

+ "production_system",

+ "review_date",

+ "business_duration",

+ "group_list",

+ "requested_by",

+ "change_plan",

+ "approval_set",

+ "implementation_plan",

+ "universal_request",

+ "end_date",

+ "short_description",

+ "correlation_display",

+ "delivery_task",

+ "work_start",

+ "additional_assignee_list",

+ "outside_maintenance_schedule",

+ "std_change_producer_version",

+ "service_offering",

+ "sys_class_name",

+ "closed_by",

+ "follow_up",

+ "reassignment_count",

+ "review_status",

+ "assigned_to",

+ "start_date",

+ "sla_due",

+ "comments_and_work_notes",

+ "escalation",

+ "upon_approval",

+ "correlation_id",

+ "made_sla",

+ "backout_plan",

+ "conflict_status",

+ "task_effective_number",

+ "sys_updated_by",

+ "opened_by",

+ "user_input",

+ "sys_created_on",

+ "on_hold_task",

+ "sys_domain",

+ "route_reason",

+ "closed_at",

+ "review_comments",

+ "business_service",

+ "time_worked",

+ "chg_model",

+ "expected_start",

+ "opened_at",

+ "work_end",

+ "phase_state",

+ "cab_date",

+ "work_notes",

+ "close_code",

+ "assignment_group",

+ "description",

+ "on_hold_reason",

+ "calendar_duration",

+ "close_notes",

+ "sys_id",

+ "contact_type",

+ "cab_required",

+ "urgency",

+ "scope",

+ "company",

+ "justification",

+ "activity_due",

+ "comments",

+ "approval",

+ "due_date",

+ "sys_mod_count",

+ "on_hold",

+ "sys_tags",

+ "conflict_last_run",

+ "unauthorized",

+ "location",

+ "risk",

+ "category",

+ "risk_impact_analysis"

+ ],

+ "type": "object"

+ },

+ "type": "array"

+ }

+ },

+ "type": "object"

+ },

+ "schema": {

+ "properties": {

+ "properties": {

+ "properties": {

+ "result": {

+ "properties": {

+ "items": {

+ "properties": {

+ "properties": {

+ "properties": {

+ "active": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "activity_due": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "additional_assignee_list": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "approval": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "approval_history": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "approval_set": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "assigned_to": {

+ "properties": {

+ "properties": {

+ "properties": {

+ "link": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "value": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ }

+ },

+ "type": "object"

+ },

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "assignment_group": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "backout_plan": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "business_duration": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "business_service": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "cab_date": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "cab_delegate": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "cab_recommendation": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "cab_required": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "calendar_duration": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "category": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "change_plan": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "chg_model": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "close_code": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "close_notes": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "closed_at": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "closed_by": {

+ "properties": {

+ "properties": {

+ "properties": {

+ "link": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "value": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ }

+ },

+ "type": "object"

+ },

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "cmdb_ci": {

+ "properties": {

+ "properties": {

+ "properties": {

+ "link": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "value": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ }

+ },

+ "type": "object"

+ },

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "comments": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "comments_and_work_notes": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "company": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "conflict_last_run": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "conflict_status": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "contact_type": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "correlation_display": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "correlation_id": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "delivery_plan": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "delivery_task": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "description": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "due_date": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "end_date": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "escalation": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "expected_start": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "follow_up": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "group_list": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "impact": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "implementation_plan": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "justification": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "knowledge": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "location": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "made_sla": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "number": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "on_hold": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "on_hold_reason": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "on_hold_task": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "opened_at": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "opened_by": {

+ "properties": {

+ "properties": {

+ "properties": {

+ "link": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "value": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ }

+ },

+ "type": "object"

+ },

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "order": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "outside_maintenance_schedule": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "parent": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "phase": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "phase_state": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "priority": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "production_system": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "reason": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "reassignment_count": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "requested_by": {

+ "properties": {

+ "properties": {

+ "properties": {

+ "link": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "value": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ }

+ },

+ "type": "object"

+ },

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "requested_by_date": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "review_comments": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "review_date": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "review_status": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "risk": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "risk_impact_analysis": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "route_reason": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "scope": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "service_offering": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "short_description": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "sla_due": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "start_date": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "state": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "std_change_producer_version": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "sys_class_name": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "sys_created_by": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "sys_created_on": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "sys_domain": {

+ "properties": {

+ "properties": {

+ "properties": {

+ "link": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "value": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ }

+ },

+ "type": "object"

+ },

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "sys_domain_path": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "sys_id": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "sys_mod_count": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "sys_tags": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "sys_updated_by": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "sys_updated_on": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "task_effective_number": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "test_plan": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "time_worked": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "type": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "unauthorized": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "universal_request": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "upon_approval": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "upon_reject": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "urgency": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "user_input": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "watch_list": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "work_end": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "work_notes": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "work_notes_list": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "work_start": {

+ "properties": {

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ }

+ },

+ "type": "object"

+ },

+ "required": {

+ "items": {

+ "type": "string"

+ },

+ "type": "array"

+ },

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ },

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ }

+ },

+ "type": "object"

+ },

+ "type": {

+ "type": "string"

+ }

+ },

+ "type": "object"

+ }

+ },

+ "type": "object"

+}

+```

+## Next steps

+* [ITSM Connector overview](itsmc-overview.md)

+* [Create ITSM work items from Azure alerts](./itsmc-definition.md#create-itsm-work-items-from-azure-alerts)

+* [Troubleshooting problems in the ITSM Connector](./itsmc-resync-servicenow.md)

+# Connect Azure to ITSM tools by using IT Service Management solution

+Before you can create a connection, install ITSMC.

+1. In the Azure portal, select **Create a resource**.

+ 

+1. Search for **IT Service Management Connector** in Azure Marketplace. Then select **Create**.

+1. In the **Azure Log Analytics Workspace** section, select the Log Analytics workspace where you want to install ITSMC.

+1. In the **Azure Log Analytics Workspace** section, select the resource group where you want to create the ITSMC resource.

+ 

+ > As part of the ongoing transition from Microsoft Operations Management Suite to Azure Monitor, Operations Management workspaces are now called *Log Analytics workspaces*.

+1. Select **OK**.

+When the ITSMC resource is deployed, a notification appears in the upper-right corner of the screen.

+After you've installed ITSMC, create an ITSM connection.

+After you've prepped your ITSM tool, follow these steps to create a connection.

+1. In **All resources**, look for **ServiceDesk(*your workspace name*)**.

+1. Under **Workspace Data Sources** on the left pane, select **ITSM Connections**.

+ > By default, ITSMC refreshes the connection's configuration data once every 24 hours. To refresh your connection's data instantly to reflect any edits or template updates that you make, select the **Sync** button on your connection's pane.

+After you create your ITSM connection, you can use ITSMC to create work items in your ITSM tool based on Azure alerts. To create the work items, you'll use the ITSM action in action groups.

+> After you create the ITSM connection, you must wait 30 minutes for the sync process to finish.

+Certain work item types can use templates that you define in ServiceNow. When you use templates, you can define fields that will be automatically populated by using constant values defined in ServiceNow (not values from the payload). The templates are synced with Azure. You can define which template you want to use as a part of the definition of an action group. For information about how to create templates, see the [ServiceNow documentation](https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/form-administration/task/t_CreateATemplateUsingTheTmplForm.html).

+1. In the Azure portal, select **Monitor** > **Alerts**.

+1. On the menu at the top of the screen, select **Manage actions**.

+ 

+1. On the **Action groups** screen, select **+Create**.

+ The **Create action group** screen appears.

+1. Select the **Subscription** and **Resource group** where you want to create your action group. Enter values in **Action group name** and **Display name** for your action group. Then select **Next: Notifications**.

+ 

+1. On the **Notifications** tab, select **Next: Actions**.

+1. On the **Actions** tab, select **ITSM** in the **Action type** list. For **Name**, provide a name for the action. Then select the pen button that represents **Edit details**.

+1. In the **Subscription** list, select the subscription that contains your Log Analytics workspace. In the **Connection** list, select your ITSM Connector name. It will be followed by your workspace name. An example is *MyITSMConnector(MyWorkspace)*.

+ * **Incident** or **Alert**: If you select one of these options from the **Work Item** dropdown list, you can create individual work items for each configuration item.

+ * **Create individual work items for each Configuration Item**: If you select this checkbox, every configuration item in every alert will create a new work item. Because several alerts will occur for the same affected configuration items, there will be more than one work item for each configuration item.

+ * **Create individual work items for each Configuration Item**: If you clear this checkbox, ITSMC will create a single work item for each alert rule and append to it all affected configuration items. A new work item will be created if the previous one is closed.

+ * **Event**: If you select this option in the **Work Item** dropdown list, you can create individual work items for each log entry or for each configuration item.

+ * **Create individual work items for each Log Entry (Configuration item field is not filled. Can result in large number of work items.)**: If you select this option, a work item will be created for each row in the search results of the log search alert query. The description property in the payload of the work item will contain the row from the search results.

+ * **Create individual work items for each Configuration Item**: If you select this option, every configuration item in every alert will create a new work item. Each configuration item can have more than one work item in the ITSM system. This option is the same as selecting the checkbox that appears after you select **Incident** as the work item type.

+1. As a part of the action definition, you can define predefined fields that will contain constant values as a part of the payload. According to the work item type, three options can be used as a part of the payload:

+ * **Use default fields**: Use a set of fields and values that will be sent automatically as a part of the payload to ServiceNow. Those fields aren't flexible, and the values are defined in ServiceNow lists.

+ * **Use saved templates from ServiceNow**: Use a predefined set of fields and values that were defined as a part of a template definition in ServiceNow. If you already defined the template in ServiceNow, you can use it from the **Template** list. Otherwise, you can define it in ServiceNow. For more information, see the preceding section, [Define a template](#define-a-template).

+[Troubleshoot problems in ITSMC](./itsmc-resync-servicenow.md)

+Application Insights is an extension of [Azure Monitor](../overview.md) and provides Application Performance Monitoring (also known as ΓÇ£APMΓÇ¥) features. APM tools are useful to monitor applications from development, through test, and into production in the following ways:

+1. *Proactively* understand how an application is performing.

+1. *Reactively* review application execution data to determine the cause of an incident.

+In addition to collecting [Metrics](standard-metrics.md) and application [Telemetry](data-model.md) data, which describe application activities and health, Application Insights can also be used to collect and store application [trace logging data](asp-net-trace-logs.md).

+The [log trace](asp-net-trace-logs.md) is associated with other telemetry to give a detailed view of the activity. Adding trace logging to existing apps only requires providing a destination for the logs; the logging framework rarely needs to be changed.

+Application Insights provides other features including, but not limited to:

+- [Live Metrics](live-stream.md) ΓÇô observe activity from your deployed application in real time with no effect on the host environment

+- [Availability](availability-overview.md) ΓÇô also known as ΓÇ£Synthetic Transaction MonitoringΓÇ¥, probe your applications external endpoint(s) to test the overall availability and responsiveness over time

+- [GitHub or Azure DevOps integration](work-item-integration.md) ΓÇô create GitHub or Azure DevOps work items in context of Application Insights data

+- [Usage](usage-overview.md) ΓÇô understand which features are popular with users and how users interact and use your application

+- [Smart Detection](proactive-diagnostics.md) ΓÇô automatic failure and anomaly detection through proactive telemetry analysis

+In addition, Application Insights supports [Distributed Tracing](distributed-tracing.md), also known as ΓÇ£distributed component correlationΓÇ¥. This feature allows [searching for](diagnostic-search.md) and [visualizing](transaction-diagnostics.md) an end-to-end flow of a given execution or transaction. The ability to trace activity end-to-end is increasingly important for applications that have been built as distributed components or [microservices](https://learn.microsoft.com/azure/architecture/guide/architecture-styles/microservices).

+The [Application Map](app-map.md) allows a high level top-down view of the application architecture and at-a-glance visual references to component health and responsiveness.

+To understand the number of Application Insights resources required to cover your Application or components across environments, see the [Application Insights deployment planning guide](separate-resources.md).

+## How do I use Application Insights?

+Application Insights is enabled through either [Auto-Instrumentation](codeless-overview.md) (agent) or by adding the [Application Insights SDK](sdk-support-guidance.md) to your application code. [Many languages](platforms.md) are supported and the applications could be on Azure, on-premises, or hosted by another cloud. To figure out which type of instrumentation is best for you, reference [How do I instrument an application?](#how-do-i-instrument-an-application).

+The Application Insights agent or SDK pre-processes telemetry and metrics before sending the data to Azure where it's ingested and processed further before being stored in Azure Monitor Logs (Log Analytics). For this reason, an Azure account is required to use Application Insights.

+The easiest way to get started consuming Application insights is through the Azure portal and the built-in visual experiences. Advanced users can [query the underlying data](../logs/log-query-overview.md) directly to [build custom visualizations](tutorial-app-dashboards.md) through Azure Monitor [Dashboards](overview-dashboard.md) and [Workbooks](../visualize/workbooks-overview.md).

+Consider starting with the [Application Map](app-map.md) for a high level view. Use the [Search](diagnostic-search.md) experience to quickly narrow down telemetry and data by type and date-time, or search within data (for example Log Traces) and filter to a given correlated operation of interest.

+Jump into analytics with [Performance view](tutorial-performance.md) ΓÇô get deep insights into how your Application or API and downstream dependencies are performing and find for a representative sample to [explore end to end](transaction-diagnostics.md). And, be proactive with the [Failure view](tutorial-runtime-exceptions.md) ΓÇô understand which components or actions are generating failures and triage errors and exceptions. The built-in views are helpful to track application health proactively and for reactive root-cause-analysis.

+[Create Azure Monitor Alerts](tutorial-alert.md) to signal potential issues should your Application or components parts deviate from the established baseline.

+Application Insights pricing is consumption-based; you pay for only what you use. For more information on pricing, see the [Azure Monitor Pricing page](https://azure.microsoft.com/pricing/details/monitor/) and [how to optimize costs](../best-practices-cost.md).

+## How do I instrument an application?

+[Auto-Instrumentation](codeless-overview.md) is the preferred instrumentation method. It requires no developer investment and eliminates future overhead related to [updating the SDK](sdk-support-guidance.md). It's the only way to instrument an application in which you don't have access to the source code.

+You only need to install the Application Insights SDK in the following circumstances:

+- You require [custom events and metrics](api-custom-events-metrics.md)

+- You require control over the flow of telemetry

+- [Auto-Instrumentation](codeless-overview.md) isn't available (typically due to language or platform limitations)

+To use the SDK, you install a small instrumentation package in your app and then instrument the web app, any background components, and JavaScript within the web pages. The app and its components don't have to be hosted in Azure. The instrumentation monitors your app and directs the telemetry data to an Application Insights resource by using a unique token. The effect on your app's performance is small; tracking calls are non-blocking and batched to be sent in a separate thread.

+Refer to the decision tree below to see what is available to instrument your app.

+### [.NET](#tab/net)

+- [Auto-Instrumentation](codeless-overview.md)

+- [Azure Application Insights libraries for .NET](https://docs.microsoft.com/dotnet/api/overview/azure/insights)

+- [Deploy the Azure Monitor Application Insights Agent on Azure virtual machines and Azure virtual machine scale sets](azure-vm-vmss-apps.md)

+- [Deploy Azure Monitor Application Insights Agent for on-premises servers](status-monitor-v2-overview.md)

+### [Java](#tab/java)

+Links:

+- [Azure Monitor OpenTelemetry-based auto-instrumentation for Java applications](java-in-process-agent.md)

+### [Node.js](#tab/nodejs)

+Links:

+- [Enable Azure Monitor OpenTelemetry Exporter for .NET, Node.js, and Python applications](opentelemetry-enable.md)

+- [Monitor your Node.js services and apps with Application Insights](nodejs.md)

+### [JavaScript](#tab/javascript)

+Links:

+- [Application Insights for webpages](javascript.md)

+### [Python](#tab/python)

+Links:

+- [Enable Azure Monitor OpenTelemetry Exporter for .NET, Node.js, and Python applications](opentelemetry-enable.md)

+- [Set up Azure Monitor for your Python application](opencensus-python.md)

+- [Create a resource](create-workspace-resource.md)

+- [Application Map](app-map.md)

+- [Transaction search](diagnostic-search.md)

+If you're viewing Change history after its first integration with Azure Monitor's Change Analysis, you'll see it automatically registering the **Microsoft.ChangeAnalysis** resource provider. The resource may fail and incur the following error messages:

+You're receiving this error message because your role in the current subscription isn't associated with the **Microsoft.Support/register/action** scope. For example, you aren't the owner of your subscription and instead received shared access permissions through a coworker (like view access to a resource group).

+## Only partial data loaded.

+This error message may occur in the Azure portal when loading change data via the Change Analysis home page. Typically, the Change Analysis service calculates and returns all change data. However, in a network failure or a temporary outage of service, you may receive an error message indicating only partial data was loaded.

+To load all change data, try waiting a few minutes and refreshing the page. If you are still only receiving partial data, contact the [Change Analysis help team](mailto:changeanalysishelp@microsoft.com).

+This general unauthorized error message occurs when the current user doesn't have sufficient permissions to view the change. At minimum,

+See the [Botmetric introduction for Azure](https://nutanix.medium.com/announcing-botmetric-cost-governance-beta-in-microsoft-azure-ee6b361c303e).

+The `reference` function can only be used in the outputs section of a template or deployment and properties object of a resource definition. It cannot be used for resource properties such as `type`, `name`, `location` and other top level properties of the resource definition. When used with [property iteration](copy-properties.md), you can use the `reference` function for `input` because the expression is assigned to the resource property.

+We expanded the list of the languages to be supported in LID (language identification) and MLID (multi language Identification) using APIs.

+You can use Azure storage services in workloads running in your private cloud. The Azure storage services include Storage Accounts, Table Storage, and Blob Storage. The connection of workloads to Azure storage services doesn't traverse the internet. This connectivity provides more security and enables you to use SLA-based Azure storage services in your private cloud workloads.

+You can expand the datastore capacity by connecting Azure disk pools or [Azure NetApp Files datastores](attach-azure-netapp-files-to-azure-vmware-solution-hosts.md). Azure NetApp Files is available in Ultra, [Premium and Standard performance tiers](/azure/azure-netapp-files/azure-netapp-files-service-levels) to allow adjusting the performance and cost to the requirements of the workloads.

+> - This preview version will be retired on **31 March 2023**, and will be replaced by [Simplified node communication pool without public IP addresses](simplified-node-communication-pool-no-public-ip.md). For more details, please refer to [Retirement Migration Guide](batch-pools-without-public-ip-addresses-classic-retirement-migration-guide.md).

+- Customers using .NET Framework for their client code should upgrade to .NET > 4.7, that which enforces TLS 1.2 by default.

+- For customers using .NET Framework who are unable to upgrade to > 4.7, please follow this [guide](/dotnet/framework/network-programming/tls) to enforce TLS 1.2.

+For TLS best practices, refer to [TLS best practices for .NET Framework](/dotnet/framework/network-programming/tls).

+For more information, see [How to enable TLS 1.2 on clients](/mem/configmgr/core/plan-design/security/enable-tls-1-2-client).

+recommendations: false

+## September 2022

+### Computer Vision 3.0/3.1 Read previews deprecation

+The preview versions of the Computer Vision 3.0 and 3.1 Read API are scheduled to be retired on January 31, 2023. Customers are encouraged to refer to the [How-To](./how-to/call-read-api.md) and [QuickStarts](./quickstarts-sdk/client-library.md?tabs=visual-studio&pivots=programming-language-csharp) to get started with the generally available (GA) version of the Read API instead. The latest GA versions provide the following benefits:

+* 2022 latest generally available OCR model

+* Significant expansion of OCR language coverage including support for handwritten text

+* Significantly improved OCR quality

+* [Sample code: C#](https://github.com/Azure-Samples/Cognitive-Speech-TTS/tree/master/LongAudioAPI/CSharp/LongAudioAPISample)

+| Speech-to-text | Analyzes sentiment and transcribes continuous real-time speech or batch audio recordings with intermediate results. | 3.6.0 | Generally available |

+| Custom speech-to-text | Using a custom model from the [Custom Speech portal](https://speech.microsoft.com/customspeech), transcribes continuous real-time speech or batch audio recordings into text with intermediate results. | 3.6.0 | Generally available |

+| Neural text-to-speech | Converts text to natural-sounding speech by using deep neural network technology, which allows for more natural synthesized speech. | 2.5.0 | Generally available |

+Source input: `The word <mstrans:dictionary translation=\"wordomatic\">wordomatic</mstrans:dictionary> is a dictionary entry.`

+Use the feature sparingly. A better way to customize translation is by using Custom Translator. Custom Translator makes full use of context and statistical probabilities. If you have or can create training data that shows your work or phrase in context, you get much better results. You can find more information about Custom Translator at [https://aka.ms/CustomTranslator](https://aka.ms/CustomTranslator).

+curl -X POST "https://api.cognitive.microsofttranslator.com/translate?api-version=3.0&from=en&to=de" -H "Ocp-Apim-Subscription-Key: <client-secret>" -H "Content-Type: application/json; charset=UTF-8" -d "[{'Text':'The word <mstrans:dictionary translation=\"wordomatic\">wordomatic</mstrans:dictionary> is a dictionary entry.'}]"

+- [Face API](/legal/cognitive-services/computer-vision/limited-access-identity?context=/azure/cognitive-services/computer-vision/context/context): Identify and Verify features, face ID property

+Release note for `3.6.0-amd64`:

+| `latest` | | `sha256:9a1ef0bcb5616ff9d1c70551d4634acae50ff4f7ed04b0ad514a75f2e6fa1241`|

+| `3.6.0-amd64` | | `sha256:9a1ef0bcb5616ff9d1c70551d4634acae50ff4f7ed04b0ad514a75f2e6fa1241`|

+Release note for `3.5.0-amd64`:

+**Features**

+* Security upgrade.

+Release note for `3.6.0-amd64-<locale>`:

+**Features**

+* Security upgrade.

+* Support for latest model versions.

+* Support for the following new locales:

+ * az-az

+ * bn-in

+ * bs-ba

+ * cy-gb

+ * eu-es

+ * fa-ir

+ * gl-es

+ * he-il

+ * hy-am

+ * it-ch

+ * ka-ge

+ * kk-kz

+ * mk-mk

+ * mn-mn

+ * ne-np

+ * ps-af

+ * so-so

+ * sq-al

+ * wuu-cn

+ * yue-cn

+ * zh-cn-sichuan

+| Image Tags | Notes |

+|-|:--|

+| `latest` | Container image with the `en-US` locale. |

+| `3.6.0-amd64-<locale>` | Replace `<locale>` with one of the available locales, listed below. For example `3.6.0-amd64-en-us`. |

+This container has the following locales available.

+| Locale for v3.6.0 | Notes | Digest |

+|--|:--|:--|

+| `ar-ae`| Container image with the `ar-AE` locale. | `sha256:0ac3cdd0e8e5f6658e350a8ce3b530b3b6b2159b6fd53fff16a383d086b02597` |

+| `ar-bh`| Container image with the `ar-BH` locale. | `sha256:9f4764e76c5773099c44b0e23269272450c3b63036f65be77d2040cee00e9eee` |

+| `ar-eg`| Container image with the `ar-EG` locale. | `sha256:ade7c6c4ba490b176688deb598460b87abd68075808d63ca32fbdd905fad6ca5` |

+| `ar-iq`| Container image with the `ar-IQ` locale. | `sha256:29cf1e678c634b90dfb835e1162871aa94232769aed209c162f58a81c8af0b1f` |

+| `ar-jo`| Container image with the `ar-JO` locale. | `sha256:0325b8cf7cd211e298b05afd9ed63cd5da09953b8ca248901314c8611d8035c3` |

+| `ar-kw`| Container image with the `ar-KW` locale. | `sha256:76de8d6d422c98320271b8fd0fe09c7bdc10f89cab3af166f7e8016d663ff727` |

+| `ar-lb`| Container image with the `ar-LB` locale. | `sha256:036f653152301c7ea623b71c993fc9bc7dadda91116fbaf143eda408c4c9b144` |

+| `ar-om`| Container image with the `ar-OM` locale. | `sha256:d8e78d68b0ce0164c2858595059a05a0175d4c1f8cdb0029ca11eb441f886ecd` |

+| `ar-qa`| Container image with the `ar-QA` locale. | `sha256:3ff3a0ad3fc3f6eb53c511add3b0cb6bea725c32f7aaca130200c0e9e1150d0e` |

+| `ar-sa`| Container image with the `ar-SA` locale. | `sha256:f2f98cbd28fc109f2e94c7f7b777279b350730a8a5704a3411ae14791806a8c3` |

+| `ar-sy`| Container image with the `ar-SY` locale. | `sha256:0875d6f781e3d68f380325fc42b9d57ea13d4ad28c9cd7b3b65ab25ea86a9a0d` |

+| `az-az`| Container image with the `az-AZ` locale. | `sha256:f6edd0c3c967ebee3abd69f92e5d0999b0ea217add8998afaef4e075e40ff4c1` |

+| `bg-bg`| Container image with the `bg-BG` locale. | `sha256:1e92ebeccc7297beb7396cd20ee61152dc5ab9b3d3d55b54f1a9b56e7b244fe4` |

+| `bn-in`| Container image with the `bn-IN` locale. | `sha256:f38ed3ac2e483ce03a7e0f48ad6b4d0075f1218e4378ec983009a60bd789f266` |

+| `bs-ba`| Container image with the `bs-BA` locale. | `sha256:a7f8fba6eff9116892500edbe8e834e793964b735da5e4681a174c9294301fc7` |

+| `ca-es`| Container image with the `ca-ES` locale. | `sha256:60f70e429126ffe1528dbd50118d7c69b2df8dbc7983e62d1c8619418f21e7bb` |

+| `cs-cz`| Container image with the `cs-CZ` locale. | `sha256:1c6fa33844322229a91422c0156db6e5d47abfff83d156b6f3551a1a9b5f0f6b` |

+| `cy-gb`| Container image with the `cy-GB` locale. | `sha256:928511854d3606296bcb6988a2d2946af33677c85fb1013193f8bd45eb0ecf1c` |

+| `da-dk`| Container image with the `da-DK` locale. | `sha256:b09ce63cfaa06a0421bfa371d6609618b408f7bcc19ac19856bb8e03cbff0c4f` |

+| `de-at`| Container image with the `de-AT` locale. | `sha256:d9c48ec5990b8f34cc567246a1a829e9ea8ec21ad7a5b7568add7fd16a2e40ec` |

+| `de-ch`| Container image with the `de-CH` locale. | `sha256:5a606d180e2a3268f2bf465666c5458b00fdef5ceedc02bffd1093170adfb795` |

+| `de-de`| Container image with the `de-DE` locale. | `sha256:7049be561512dc39d54eeb16403fe21e4db1bd63d6f54b025084faa4695790bd` |

+| `el-gr`| Container image with the `el-GR` locale. | `sha256:adc2e74f77ec91b5aa88a5df3850122da832a89ef0468034f1372bc41da57f9e` |

+| `en-au`| Container image with the `en-AU` locale. | `sha256:5b186c1a72d570c9af4db8bb1469dd0efc32a027ee9e9e1695a2c6c73947bcf7` |

+| `en-ca`| Container image with the `en-CA` locale. | `sha256:200f0fe8f8dc86d245af88d4f353d1d1fbe174ad37249b96fba0da0678bbea59` |

+| `en-gb`| Container image with the `en-GB` locale. | `sha256:f7d0168bb31e03f807aa37d88e5d4d4271386850d0087d602e64323d37c16da9` |

+| `en-gh`| Container image with the `en-GH` locale. | `sha256:5df19e03d2370feed607d621a863989bcdbb09870613b6d52f8e260f1d914025` |

+| `en-hk`| Container image with the `en-HK` locale. | `sha256:ff546494dd3dd77b4848e1fd4e64693f9ad324999e42d4c935991163f639d95b` |

+| `en-ie`| Container image with the `en-IE` locale. | `sha256:3efedf83e8ee94582bd3fc8d627e627f05868c34eb1eab5639da8eb4680a6fab` |

+| `en-in`| Container image with the `en-IN` locale. | `sha256:390e00fcf00a68f92930caed9f4e26ffbe8161e8c9c48e6cc987227ea79d8d14` |

+| `en-ke`| Container image with the `en-KE` locale. | `sha256:d79eb726839572782d4f7cd038bc4f0480dd61a1b1f7bad7770e8994c8a357fe` |

+| `en-nz`| Container image with the `en-NZ` locale. | `sha256:c1ae4664dc6c0d8897d5a3c5eddc873c9df272f07840da7ed2fb6578cce72e8d` |

+| `en-ph`| Container image with the `en-PH` locale. | `sha256:90d51d1eeb6abadebef08ef75b4d3744d0ba168b7d66972ef0a0fdc925628d29` |

+| `en-sg`| Container image with the `en-SG` locale. | `sha256:b9969b7c9b5bf950f349e6d9ef343a3f2733fc9ffb47c624426aa993c2b13dc2` |

+| `en-tz`| Container image with the `en-TZ` locale. | `sha256:a745795f69c510819be586ac99772c513ade3d746f15fa6dd1109da456d1b2c8` |

+| `en-us`| Container image with the `en-US` locale. | `sha256:c738a20eb5316f198a0f6878d811f64ae510bf695d2a2e2290f3bb9c9ae72a14` |

+| `en-za`| Container image with the `en-ZA` locale. | `sha256:a6e6a8dc17d0dea22d15b9b93a96337446fce25c7b736cb836d29c146d17240b` |

+| `es-ar`| Container image with the `es-AR` locale. | `sha256:496959cd040b29ffdde582f7b89528a1bd5fadaf430cf9bbbfb19a8651d2b175` |

+| `es-bo`| Container image with the `es-BO` locale. | `sha256:3a60cacf3b6a992e83fc972ff7a89fb944410a1d58657850f50d0582fb3e7abb` |

+| `es-cl`| Container image with the `es-CL` locale. | `sha256:93be7ea20dafd4e135b494f09bc16fe3dec64b9fa248e89443a713e68c7b0a0e` |

+| `es-co`| Container image with the `es-CO` locale. | `sha256:829df4976d7cbc6eb8bbfc19889adaac822081a9000619711fff1022653672b7` |

+| `es-cr`| Container image with the `es-CR` locale. | `sha256:0996232b7aa110072902a78d078eba790bfb7ff9d5d3a7028a37627bc4521f35` |

+| `es-cu`| Container image with the `es-CU` locale. | `sha256:2b195d500dbaf407ca4b7b2796191cf3de695f24e7433d82b0835a8c25974a34` |

+| `es-do`| Container image with the `es-DO` locale. | `sha256:dd9e879e1b30fdd2a9b19e9764c75453a7a09d24070ab72b2c83ec0dafc98306` |

+| `es-ec`| Container image with the `es-EC` locale. | `sha256:4afed9f72fb52d9ab40302acc0b43ec2b85541a7366d612490f2c40a5d7255fc` |

+| `es-es`| Container image with the `es-ES` locale. | `sha256:035a82d74df784bc3e74284e19fe1fa3cfe78e90af595ff476740dd7020e36a4` |

+| `es-gt`| Container image with the `es-GT` locale. | `sha256:a6d01b7bce9ad5de8ecbbef72ded5bea7cf53d322db31bacea46c4104aeeba98` |

+| `es-hn`| Container image with the `es-HN` locale. | `sha256:ca8488abde8af4a0755b24019df5c65170b4a2a9eb12d4ff079d9244ab910564` |

+| `es-mx`| Container image with the `es-MX` locale. | `sha256:447bb1f2ad0daef9339f1822d70d203a667d4e20c28165e17169110d6e197e20` |

+| `es-ni`| Container image with the `es-NI` locale. | `sha256:388f5597583ce4433041667c2d0c13aec3236c933b9d562ec9fbe5d694a51112` |

+| `es-pa`| Container image with the `es-PA` locale. | `sha256:f52fe174e4b355cd904194dc9052a18d5556d7b1e84d3107ecf3af6c3aeced65` |

+| `es-pe`| Container image with the `es-PE` locale. | `sha256:469c56fe5acbe7e3f86e8cb3ffbcd6cc55af1e9ab6ac947090d84b13067dd79a` |

+| `es-pr`| Container image with the `es-PR` locale. | `sha256:f675406550e1e5fb364c8cb2da8b130aad87f7a631d39f08e85e04daf5990791` |

+| `es-py`| Container image with the `es-PY` locale. | `sha256:b326051aaf0f806b31a6af2214a087dbb019cad4b8c519e32c13217401d53550` |

+| `es-sv`| Container image with the `es-SV` locale. | `sha256:5cca0df8fc9e391e1434c0263a1d72d71baf6d8acb6b5b1402c165dbf7ee4b4a` |

+| `es-us`| Container image with the `es-US` locale. | `sha256:e1310293e2ccb46096c8dbdce0120e47fdacaad26061682323bc5f3950103434` |

+| `es-uy`| Container image with the `es-UY` locale. | `sha256:fc10377355dd5aa853060b17fbad3537c1908ca98467d7c3bbfe5f6c30cf0998` |

+| `es-ve`| Container image with the `es-VE` locale. | `sha256:fae45ff835672a3a8ad8306448421e8d5d07e337ced7e040b35c10a97ae114b7` |

+| `et-ee`| Container image with the `et-EE` locale. | `sha256:8dddc254b4a5869ddd0180043dda858e35cf78e7fe8426c6be7802514970964f` |

+| `eu-es`| Container image with the `eu-ES` locale. | `sha256:8e0eb2e1cd3288e127149cd92d7f64343aef58d1ff030f1676c3f538eb1c7363` |

+| `fa-ir`| Container image with the `fa-IR` locale. | `sha256:3dfc28549f9035ac3ef3a8cad4d7560e0ee774627ff1a3d625f33a26f5f77efe` |

+| `fi-fi`| Container image with the `fi-FI` locale. | `sha256:5ec66af3a5259c55023d62fad82cb7d6267a2ef90fe40a9ce3458bb30f8a1d75` |

+| `fil-ph`| Container image with the `fil-PH` locale. | `sha256:647575b5c131537dd010a8442f35f64707320f2a70c8aaee764db9a4b5da52be` |

+| `fr-ca`| Container image with the `fr-CA` locale. | `sha256:4b8b8078112b869fe16c7bc4da5e4814d5a4c122ff029f472d8abdeb90bcfc7f` |

+| `fr-ch`| Container image with the `fr-CH` locale. | `sha256:cf28529f299505269709a0d515b16420243eaacf388a9832c7676777a4b50780` |

+| `fr-fr`| Container image with the `fr-FR` locale. | `sha256:758546a5287ef6df8261784f7e1c5567b9ceb3b9625692469d4c07685aa5bd4e` |

+| `ga-ie`| Container image with the `ga-IE` locale. | `sha256:04b109c4c9fa97a5177d4340035c63f12e27e5909414e84495a1007b8d7ca58c` |

+| `gl-es`| Container image with the `gl-ES` locale. | `sha256:7e9e414df651824399cdb9344c0b9ea92c290804ebce0f33599dff163a12baef` |

+| `gu-in`| Container image with the `gu-IN` locale. | `sha256:1c1c1aceeaf4647b2fc87615a171790b8a5a90ceb93778a0f286fbaf5ff79f81` |

+| `he-il`| Container image with the `he-IL` locale. | `sha256:ece7d40a5d3afed7565607cfaef0d6023e77b87e3b00fb1d954f705b74c71bd5` |

+| `hi-in`| Container image with the `hi-IN` locale. | `sha256:e5584a4119771fd0a8c6787666f3c83a1d02f0908c2bb42152c60f27cc17a41c` |

+| `hr-hr`| Container image with the `hr-HR` locale. | `sha256:012e138bb4ddc27804ecd5f1388ff98835087945c131f91ad41d50c7891b2a5b` |

+| `hu-hu`| Container image with the `hu-HU` locale. | `sha256:92ef3f57fb20500579a402e95743cd48defb0abd2e65f8267d5e8024fa7da907` |

+| `hy-am`| Container image with the `hy-AM` locale. | `sha256:11b136d61bfb0e26cf589f0ad3e4ffedbb58eeeb29e98779926c4d956150ebe4` |

+| `id-id`| Container image with the `id-ID` locale. | `sha256:b6876e71c9780282184139866c17f7199dcbf224ff8ef27e1bfdf135dd5f4145` |

+| `it-ch`| Container image with the `it-CH` locale. | `sha256:84c194b5d362b16b7cef0fa3fe50ea6d3581bca5d8610231b16d9e15691d8df1` |

+| `it-it`| Container image with the `it-IT` locale. | `sha256:7466c7cc5fe67064bedae3a38d8fb130b46f5d1e59fb1c4f61d8d82f81a0885e` |

+| `ja-jp`| Container image with the `ja-JP` locale. | `sha256:cf0d088b51f75aaaa517758fef083119f9818e83764f1fe465e6fca487cda00f` |

+| `ka-ge`| Container image with the `ka-GE` locale. | `sha256:4d7d73c8478757b9f30196253f3f9d3af4f1d39d4bb6e3dd1672a70e48ea7b80` |

+| `kk-kz`| Container image with the `kk-KZ` locale. | `sha256:1aa1cd8eed78b447d7d70b8dfadbe52e71090652bf89c6bfffbfc3c357df5b4f` |

+| `ko-kr`| Container image with the `ko-KR` locale. | `sha256:02c59457471cd14286f48d659515074d451609c7869099ecb128b06e444c72f4` |

+| `lt-lt`| Container image with the `lt-LT` locale. | `sha256:78fbaa5f52d440b40da1f63f82de27d18ae4d8e7d44bf327945c4e095a769ee0` |

+| `lv-lv`| Container image with the `lv-LV` locale. | `sha256:3e81453e1191ba30b944102de3b1a5d382c90c7031a6dea08fffc5d876e6d6d3` |

+| `mk-mk`| Container image with the `mk-MK` locale. | `sha256:35a45b35660ff3304cc5a8cfc0c4f813238e900f6fd05d7560c5199d4b89acd9` |

+| `mn-mn`| Container image with the `mn-MN` locale. | `sha256:2833f2e6d5de15d25e30f0e60dbff01aae74aba62c4783e9831851cc07dc07c2` |

+| `mr-in`| Container image with the `mr-IN` locale. | `sha256:358506bba4abdaf5fd8d0f02f6088cc196cb8c6c2926f9a2feb4674d177c77cf` |

+| `ms-my`| Container image with the `ms-MY` locale. | `sha256:d51552edd37a9373f6ac97d69a460a84e6b74a8a9d96f6ad8639aba9921bc515` |

+| `mt-mt`| Container image with the `mt-MT` locale. | `sha256:09dc4e22015e63934b2863169cdd6135d4594632b631373a7a88720d46200a51` |

+| `nb-no`| Container image with the `nb-NO` locale. | `sha256:d51d1dcfa4eca08312fd34f108a92508f37f6174b4080980f571567c29cc72da` |

+| `ne-np`| Container image with the `ne-NP` locale. | `sha256:2d43914d6dda8316f528a1592d9d92f7b64cdab9a91155d52e14c0914c21a32f` |

+| `nl-nl`| Container image with the `nl-NL` locale. | `sha256:4777d0bd9ec06e07b1e85cc789de0dafd1875c802258eea5e571b1a6025f394b` |

+| `pl-pl`| Container image with the `pl-PL` locale. | `sha256:5c29ceb4f38ac691047af387e2fb554a150c5d9f0b99d7c8814bc52458c1ce26` |

+| `ps-af`| Container image with the `ps-AF` locale. | `sha256:1b7a114348c1ddda5ab2fa5b8741cc3b13d79e15d89ac35f064bca284f47ab30` |

+| `pt-br`| Container image with the `pt-BR` locale. | `sha256:25374a351401f530c6614044387c37cd7bee8f6760f4205784a426aa2722142a` |

+| `pt-pt`| Container image with the `pt-PT` locale. | `sha256:8535549150e2ae742bd2ba0624953ffd61546b5768c31ac29251093f65430276` |

+| `ro-ro`| Container image with the `ro-RO` locale. | `sha256:197581fa179fd751f037e3fd00c1a9f32e49138f176d8cd97541bb34c6984731` |

+| `ru-ru`| Container image with the `ru-RU` locale. | `sha256:31cab611d45fc9fb634b8cdbf52a8aabd7ec964a7dbc22997da36d51bbc827fb` |

+| `sk-sk`| Container image with the `sk-SK` locale. | `sha256:f2ee4ce886b7d6a18c0077cddbe965f926c05e3d808029d5c1517254272263a5` |

+| `sl-si`| Container image with the `sl-SI` locale. | `sha256:18d36de8592663782c59b5b5a9db93dedcd9b33cc70988dee3e42e50f6ef7d95` |

+| `so-so`| Container image with the `so-SO` locale. | `sha256:0d6f4c458725dc2ffa716179c5682da22780793379ab88f2cde7b609cc1f599d` |

+| `sq-al`| Container image with the `sq-AL` locale. | `sha256:e5c548e65e677a6bb472c6c4defdbdb6db0eac5b9049410d47d0eb59d104a298` |

+| `sv-se`| Container image with the `sv-SE` locale. | `sha256:088368e644a4c8d749b61a40360a7ae20e7f61c259cc39063a9ec8b637994f5d` |

+| `ta-in`| Container image with the `ta-IN` locale. | `sha256:82f2114b53cd98516ec0bef65c6c1dc24d721222535ffe1cb6dd567c851c2680` |

+| `te-in`| Container image with the `te-IN` locale. | `sha256:1e990ec464201ca88fc5204f923f76286b2a1259214cb943184969c7218a470b` |

+| `th-th`| Container image with the `th-TH` locale. | `sha256:8f37ed7f5386f37512e2f9423222f4780d946eb1549b729ffd17a1b26172ed86` |

+| `tr-tr`| Container image with the `tr-TR` locale. | `sha256:81578af72978c035ffea9007be87572af03730e9814e7a61fdab0073103b64ac` |

+| `uk-ua`| Container image with the `uk-UA` locale. | `sha256:380c8b8e3c842a189fa657c65402c72bdf9990badf3a79652ea067efd108c467` |

+| `vi-vn`| Container image with the `vi-VN` locale. | `sha256:8070d738a7dee389fa4d378e4edcd52b29e9902cc49a1f001eed682824c6c59c` |

+| `wuu-cn`| Container image with the `wuu-CN` locale. | `sha256:62ed0704ddd3b62ceab50dcd1f699159bbaa1e559f77b0eaa88bd37c10f8dc5f` |

+| `yue-cn`| Container image with the `yue-CN` locale. | `sha256:1c60aa9cc39b10206e0c56c808a6a95ada9aff8acc7eeb1a97095f3abe39671f` |

+| `zh-cn`| Container image with the `zh-CN` locale. | `sha256:b3258ef54b0bf4be7e178594d14dda7558489f43632898df674a0b2f94dbbad8` |

+| `zh-cn-sichuan`| Container image with the `zh-CN-sichuan` locale. | `sha256:c9537c454b24e8d70e44705498193fddaf262cb988efcdac526740cf8cb2249e` |

+| `zh-hk`| Container image with the `zh-HK` locale. | `sha256:5d21febbb1e8710b01ad1a5727c33080e6853d3a4bfbf5365b059630b76a9901` |

+| `zh-tw`| Container image with the `zh-TW` locale. | `sha256:15dbadcd92e335705e07a8ecefbe621e3c97b723bdf1c5b0c322a5b9965ea47d` |

+# [Previous version](#tab/previous)

+Release notes for `v2.5.0`:

+**Features**

+* Security upgrade.

+* Added support for

+ * `az-az-babekneural`

+ * `az-az-banuneural`

+ * `fa-ir-dilaraneural`

+ * `fa-ir-faridneural`

+ * `fil-ph-angeloneural`

+ * `fil-ph-blessicaneural`

+ * `he-il-avrineural`

+ * `he-il-hilaneural`

+ * `id-id-ardineural`

+ * `id-id-gadisneural`

+ * `ka-ge-ekaneural`

+ * `ka-ge-giorgineural`

+| Image Tags | Notes |

+||:|

+| `latest` | Container image with the `en-US` locale and `en-US-AriaNeural` voice. |

+| `2.5.0-amd64-<locale-and-voice>` | Replace `<locale>` with one of the available locales, listed below. For example `2.5.0-amd64-en-us-arianeural`. |

+| v2.5.0 Locales and voices | Notes |

+|-|:|

+| `am-et-amehaneural`| Container image with the `am-ET` locale and `am-ET-amehaneural` voice.|

+| `am-et-mekdesneural`| Container image with the `am-ET` locale and `am-ET-mekdesneural` voice.|

+| `ar-bh-lailaneural`| Container image with the `ar-BH` locale and `ar-BH-lailaneural` voice.|

+| `ar-eg-salmaneural`| Container image with the `ar-EG` locale and `ar-EG-salmaneural` voice.|

+| `ar-eg-shakirneural`| Container image with the `ar-EG` locale and `ar-EG-shakirneural` voice.|

+| `ar-sa-hamedneural`| Container image with the `ar-SA` locale and `ar-SA-hamedneural` voice.|

+| `ar-sa-zariyahneural`| Container image with the `ar-SA` locale and `ar-SA-zariyahneural` voice.|

+| `az-az-babekneural`| Container image with the `az-AZ` locale and `az-AZ-babekneural` voice.|

+| `az-az-banuneural`| Container image with the `az-AZ` locale and `az-AZ-banuneural` voice.|

+| `cs-cz-antoninneural`| Container image with the `cs-CZ` locale and `cs-CZ-antoninneural` voice.|

+| `cs-cz-vlastaneural`| Container image with the `cs-CZ` locale and `cs-CZ-vlastaneural` voice.|

+| `de-ch-janneural`| Container image with the `de-CH` locale and `de-CH-janneural` voice.|

+| `de-ch-lenineural`| Container image with the `de-CH` locale and `de-CH-lenineural` voice.|

+| `de-de-conradneural`| Container image with the `de-DE` locale and `de-DE-conradneural` voice.|

+| `de-de-katjaneural`| Container image with the `de-DE` locale and `de-DE-katjaneural` voice.|

+| `en-au-natashaneural`| Container image with the `en-AU` locale and `en-AU-natashaneural` voice.|

+| `en-au-williamneural`| Container image with the `en-AU` locale and `en-AU-williamneural` voice.|

+| `en-ca-claraneural`| Container image with the `en-CA` locale and `en-CA-claraneural` voice.|

+| `en-ca-liamneural`| Container image with the `en-CA` locale and `en-CA-liamneural` voice.|

+| `en-gb-libbyneural`| Container image with the `en-GB` locale and `en-GB-libbyneural` voice.|

+| `en-gb-ryanneural`| Container image with the `en-GB` locale and `en-GB-ryanneural` voice.|

+| `en-gb-sonianeural`| Container image with the `en-GB` locale and `en-GB-sonianeural` voice.|

+| `en-us-arianeural`| Container image with the `en-US` locale and `en-US-arianeural` voice.|

+| `en-us-guyneural`| Container image with the `en-US` locale and `en-US-guyneural` voice.|

+| `en-us-jennyneural`| Container image with the `en-US` locale and `en-US-jennyneural` voice.|

+| `es-es-alvaroneural`| Container image with the `es-ES` locale and `es-ES-alvaroneural` voice.|

+| `es-es-elviraneural`| Container image with the `es-ES` locale and `es-ES-elviraneural` voice.|

+| `es-mx-dalianeural`| Container image with the `es-MX` locale and `es-MX-dalianeural` voice.|

+| `es-mx-jorgeneural`| Container image with the `es-MX` locale and `es-MX-jorgeneural` voice.|

+| `fa-ir-dilaraneural`| Container image with the `fa-IR` locale and `fa-IR-dilaraneural` voice.|

+| `fa-ir-faridneural`| Container image with the `fa-IR` locale and `fa-IR-faridneural` voice.|

+| `fil-ph-angeloneural`| Container image with the `fil-PH` locale and `fil-PH-angeloneural` voice.|

+| `fil-ph-blessicaneural`| Container image with the `fil-PH` locale and `fil-PH-blessicaneural` voice.|

+| `fr-ca-antoineneural`| Container image with the `fr-CA` locale and `fr-CA-antoineneural` voice.|

+| `fr-ca-jeanneural`| Container image with the `fr-CA` locale and `fr-CA-jeanneural` voice.|

+| `fr-ca-sylvieneural`| Container image with the `fr-CA` locale and `fr-CA-sylvieneural` voice.|

+| `fr-fr-deniseneural`| Container image with the `fr-FR` locale and `fr-FR-deniseneural` voice.|

+| `fr-fr-henrineural`| Container image with the `fr-FR` locale and `fr-FR-henrineural` voice.|

+| `he-il-avrineural`| Container image with the `he-IL` locale and `he-IL-avrineural` voice.|

+| `he-il-hilaneural`| Container image with the `he-IL` locale and `he-IL-hilaneural` voice.|

+| `hi-in-madhurneural`| Container image with the `hi-IN` locale and `hi-IN-madhurneural` voice.|

+| `hi-in-swaraneural`| Container image with the `hi-IN` locale and `hi-IN-swaraneural` voice.|

+| `id-id-ardineural`| Container image with the `id-ID` locale and `id-ID-ardineural` voice.|

+| `id-id-gadisneural`| Container image with the `id-ID` locale and `id-ID-gadisneural` voice.|

+| `it-it-diegoneural`| Container image with the `it-IT` locale and `it-IT-diegoneural` voice.|

+| `it-it-elsaneural`| Container image with the `it-IT` locale and `it-IT-elsaneural` voice.|

+| `it-it-isabellaneural`| Container image with the `it-IT` locale and `it-IT-isabellaneural` voice.|

+| `ja-jp-keitaneural`| Container image with the `ja-JP` locale and `ja-JP-keitaneural` voice.|

+| `ja-jp-nanamineural`| Container image with the `ja-JP` locale and `ja-JP-nanamineural` voice.|

+| `ka-ge-ekaneural`| Container image with the `ka-GE` locale and `ka-GE-ekaneural` voice.|

+| `ka-ge-giorgineural`| Container image with the `ka-GE` locale and `ka-GE-giorgineural` voice.|

+| `ko-kr-injoonneural`| Container image with the `ko-KR` locale and `ko-KR-injoonneural` voice.|

+| `ko-kr-sunhineural`| Container image with the `ko-KR` locale and `ko-KR-sunhineural` voice.|

+| `pt-br-antonioneural`| Container image with the `pt-BR` locale and `pt-BR-antonioneural` voice.|

+| `pt-br-franciscaneural`| Container image with the `pt-BR` locale and `pt-BR-franciscaneural` voice.|

+| `so-so-muuseneural`| Container image with the `so-SO` locale and `so-SO-muuseneural` voice.|

+| `so-so-ubaxneural`| Container image with the `so-SO` locale and `so-SO-ubaxneural` voice.|

+| `sv-se-hillevineural`| Container image with the `sv-SE` locale and `sv-SE-hillevineural` voice.|

+| `sv-se-mattiasneural`| Container image with the `sv-SE` locale and `sv-SE-mattiasneural` voice.|

+| `sv-se-sofieneural`| Container image with the `sv-SE` locale and `sv-SE-sofieneural` voice.|

+| `tr-tr-ahmetneural`| Container image with the `tr-TR` locale and `tr-TR-ahmetneural` voice.|

+| `tr-tr-emelneural`| Container image with the `tr-TR` locale and `tr-TR-emelneural` voice.|

+| `zh-cn-xiaochenneural-preview`| Container image with the `zh-CN` locale and `zh-CN-xiaochenneural` voice.|

+| `zh-cn-xiaohanneural`| Container image with the `zh-CN` locale and `zh-CN-xiaohanneural` voice.|

+| `zh-cn-xiaomoneural`| Container image with the `zh-CN` locale and `zh-CN-xiaomoneural` voice.|

+| `zh-cn-xiaoqiuneural-preview`| Container image with the `zh-CN` locale and `zh-CN-xiaoqiuneural` voice.|

+| `zh-cn-xiaoruineural`| Container image with the `zh-CN` locale and `zh-CN-xiaoruineural` voice.|

+| `zh-cn-xiaoshuangneural-preview`| Container image with the `zh-CN` locale and `zh-CN-xiaoshuangneural` voice.|

+| `zh-cn-xiaoxiaoneural`| Container image with the `zh-CN` locale and `zh-CN-xiaoxiaoneural` voice.|

+| `zh-cn-xiaoxuanneural`| Container image with the `zh-CN` locale and `zh-CN-xiaoxuanneural` voice.|

+| `zh-cn-xiaoyanneural-preview`| Container image with the `zh-CN` locale and `zh-CN-xiaoyanneural` voice.|

+| `zh-cn-xiaoyouneural`| Container image with the `zh-CN` locale and `zh-CN-xiaoyouneural` voice.|

+| `zh-cn-yunxineural`| Container image with the `zh-CN` locale and `zh-CN-yunxineural` voice.|

+| `zh-cn-yunyangneural`| Container image with the `zh-CN` locale and `zh-CN-yunyangneural` voice.|

+| `zh-cn-yunyeneural`| Container image with the `zh-CN` locale and `zh-CN-yunyeneural` voice.|

+# [Previous version](#tab/previous)

+Setting the service configuration flag IsInferenceExplainabilityEnabled in your service configuration enables Personalizer to include feature values and weights in the Rank API response. To update your current service configuration, use the [Service Configuration ΓÇô Update API](/rest/api/personalizer/1.1preview1/service-configuration/update?tabs=HTTP). In the JSON request body, include your current service configuration and add the additional entry: ΓÇ£IsInferenceExplainabilityEnabledΓÇ¥: true. If you donΓÇÖt know your current service configuration, you can obtain it from the [Service Configuration ΓÇô Get API](/rest/api/personalizer/1.1preview1/service-configuration/get?tabs=HTTP)

+Recall that Personalizer will either return the _best action_ as determined by the model or an _exploratory action_ chosen by the exploration policy. The best action is the one that the model has determined has the highest probability of maximizing the average reward, whereas exploratory actions are chosen among the set of all possible actions provided in the Rank API call. Actions taken during exploration do not leverage the feature scores in determining which action to take, therefore **feature scores for exploratory actions should not be used to gain an understanding of why the action was taken.** [You can learn more about exploration here](/azure/cognitive-services/personalizer/concepts-exploration).

+### What is toll free verification?

+The toll-free verification process ensures that your services running on toll-free numbers (TFNs) comply with carrier policies and [industry best practices](./messaging-policy.md). This also provides relevant service information to the downstream carriers, reduces the likelihood of false positive filtering and wrongful spam blocks.

+This verification is **required** for TFNs sending messages to **Canada recipients** and is **not required** for TFNs sending [low throughput messages](#sms-to-us-phone-numbers) to **US recipients**. Verifying TFNs is free of cost.

+### What happens if I don't verify my toll-free numbers?

+What happens to the unverified toll-free number depends on the destination of SMS traffic.

+#### SMS to US phone numbers

+Effective **October 1, 2022**, unverified toll-free numbers sending messages to US phone numbers will be subjected to stricter filtering and the following thresholds for messaging:

+- **Daily Limit:** 2,000 messages

+- **Weekly limit:** 12,000 messages

+- **Monthly limit:** 25,000 messages

+This does not apply to TFNs in a pending or verified status.

+#### SMS to Canadian phone numbers

+Effective **October 1, 2022**, unverified toll-free numbers sending messages to Canadian destinations will have its traffic **blocked**. To be unblocked, TFNs have to be in pending or verified status.

+### What is a pending status? What can I do in a pending status?

+After submission of the toll-free verification application, we will process your application and send it to the toll-free messaging aggregator. This process usually takes in 4-6 business days. Once the application reaches the toll-free messaging aggregator the application status changes to pending until verified or rejected.

+Once in pending state, you can start sending SMS to US numbers without the thresholds mentioned above and be unblocked from sending SMS to Canadian destinations. TFNs in pending state are subject to reduced likelihood of filtering.

+### What happens after I submit the toll-free verification form?

+Updates for changes and the status of your applications will be communicated via the email you provide in the application. Results from the application can be: approved, denied or further clarification needed. For more questions about your submitted application, please email acstnrequest@microsoft.com.

+The whole toll-free verification process takes about **5-6 weeks** but is subject to change depending on the volume of applications to the toll-free messaging aggregator and how detailed the application is.

+To submit a toll-free verification application, navigate to Azure Communication Service resource that your toll-free number is associated with in Azure portal and navigate to the Phone numbers blade. Click on the Toll-Free verification application link displayed as "Submit Application" in the infobox at the top of the phone numbers blade. Complete the form.

+### What are common reasons for toll-free verification delays?

+Your application wait time increases when your application has missing or unclear information.

+- **Missing required information like Opt-in Image URL** - If there is no Opt-in option, proved a good justification.

+- **Opt-in Image URL is not accessible to the public** - When you host your image on image hosting services (i.e. OneDrive, GoogleDrive, iCloud, Dropbox, etc.) make sure the public can view it. Test the URL by seeing if the URL can be viewed by a personal account.

+- **Incorrect toll-free numbers** - Phone numbers have to be toll-free numbers, not local numbers, 10DLC, or short codes.

+Azure Communication Services does not support text-to-911 functionality in the United States, but itΓÇÖs possible that you may have an obligation to do so under the rules of the Federal Communications Commission (FCC). You should assess whether the FCCΓÇÖs text-to-911 rules apply to your service or application. To the extent you're covered by these rules, you'll be responsible for routing 911 text messages to emergency call centers that request them. You're free to determine your own text-to-911 delivery model, but one approach accepted by the FCC involves automatically launching the native dialer on the userΓÇÖs mobile device to deliver 911 texts through the underlying mobile carrier.

+| | Recognize user input through DTMF | ✔️ | ✔️ |

+**Play** - When your application answers a call or places an outbound call, you can play an audio prompt for the caller. This audio can be looped if needed in scenarios like playing hold music. To learn more, view our [concepts](./play-action.md) and [quickstart](../../quickstarts/voice-video-calling/play-action.md).

+**Recognize input** - After your application has played an audio prompt, you can request user input to drive business logic and navigation in your application. To learn more, view our [concepts](./recognize-action.md) and [quickstart](../../quickstarts/voice-video-calling/Recognize-Action.md).

+| RecognizeCompleted | Recognition of user input was successfully completed |

+| RecognizeFailed | Recognition of user input was unsuccessful <br/><br/>*to learn more about recognize action events view our [quickstart](../../quickstarts/voice-video-calling/Recognize-Action.md)*|

+ Title: Recognize action

+description: Conceptual information about using Recognize action with Call Automation.

+# Recognize action overview

+> [!IMPORTANT]

+> Functionality described on this document is currently in private preview. Private preview includes access to SDKs and documentation for testing purposes that are not yet available publicly.

+> Apply to become an early adopter by filling out the form for [preview access to Azure Communication Services](https://aka.ms/ACS-EarlyAdopter).

+With the Recognize action developers will be able to enhance their IVR or contact center applications to recognize user input. One of the most common scenarios of recognition is to play a message and request user input. This input is received in the form of DTMF (input via the digits on their calling device) which then allows the application to navigate the user to the next action.

+**DTMF**

+Dual-tone multifrequency (DTMF) recognition is the process of understanding tones/sounds generated by a telephone when a number is pressed. Equipment at the receiving end listening for the specific tone then converts them into commands. These commands generally signal user intent when navigating a menu in an IVR scenario or in some cases can be used to capture important information that the user needs to provide via their phones keypad.

+**DTMF events and their associated tones**

+|Event|Tone|

+| |--|

+|0|Zero|

+|1|One|

+|2|Two|

+|3|Three|

+|4|Four|

+|5|Five|

+|6|Six|

+|7|Seven|

+|8|Eight|

+|9|Nine|

+|A|A|

+|B|B|

+|C|C|

+|D|D|

+|*|Asterisk|

+|#|Pound|

+## Common use cases

+The recognize action can be used for many reasons, below are a few examples of how developers can use the recognize action in their application.

+### Improve user journey with self-service prompts

+- **Users can control the call** - By enabling input recognition you allow the caller to navigate your IVR menu and provide information that can be used to resolve their query.

+- **Gather user information** - By enabling input recognition your application can gather input from the callers. This can be information such as account numbers, credit card information, etc.

+### Interrupt audio prompts

+**User can exit from an IVR menu and speak to a human agent** - With DTMF interruption your application can allow users to exit interrupt the flow of the IVR menu and be able to chat to a human agent.

+## How the Recognize action workflow looks

+

+## What's coming up next for Recognize action

+As we invest more into this functionality, we recommend developers sign up to our TAP program that allows you to get early access to the newest feature releases. Over the coming months the recognize action will add in new capabilities that use our integration with Azure Cognitive Services to provide AI capabilities such as Speech-To-Text. With these, you can improve customer interactions and recognize voice inputs from participants on the call.

+## Next steps

+- Check out the [Recognize action quickstart](../../quickstarts/voice-video-calling/recognize-action.md) to learn more.

+> * Submit toll-free verification application [(see if required)](../../concepts/sms/sms-faq.md#toll-free-verification)

+- Learn how to [manage inbound telephony calls](../telephony/manage-inbound-calls.md) with Call Automation.

+- Learn more about [Play action](../../concepts/voice-video-calling/play-action.md).

+- Learn more about [Recognize action](../../concepts/voice-video-calling/recognize-action.md).

+- Learn more about [Call Automation](../../concepts/voice-video-calling/call-automation.md)

+- Learn more about [Recognize action](../../concepts/voice-video-calling/recognize-action.md)

+ Title: Recognize Action

+description: Provides a quick start for recognizing user input from participants on a call.

+zone_pivot_groups: acs-csharp-java

+# Quickstart: Recognize action

+> [!IMPORTANT]

+> Functionality described on this document is currently in private preview. Private preview includes access to SDKs and documentation for testing purposes that are not yet available publicly.

+> Apply to become an early adopter by filling out the form for [preview access to Azure Communication Services](https://aka.ms/ACS-EarlyAdopter).

+This quickstart will help you get started with recognizing DTMF input provided by participants through Azure Communication Services Call Automation SDK.

+## Event codes

+|Status|Code|Subcode|Message|

+|-|--|--|--|

+|RecognizeCompleted|200|8531|Action completed, max digits received.|

+|RecognizeCompleted|200|8514|Action completed as stop tone was detected.|

+|RecognizeCompleted|400|8508|Action failed, the operation was canceled.|

+|RecognizeFailed|400|8510|Action failed, initial silence timeout reached|

+|RecognizeFailed|400|8532|Action failed, inter-digit silence timeout reached.|

+|RecognizeFailed|500|8511|Action failed, encountered failure while trying to play the prompt.|

+|RecognizeFailed|500|8512|Unknown internal server error.|

+## Clean up resources

+If you want to clean up and remove a Communication Services subscription, you can delete the resource or resource group. Deleting the resource group also deletes any other resources associated with it. Learn more about [cleaning up resources](../create-communication-resource.md#clean-up-resources).

+## Next Steps

+- Learn more about [Recognize action](../../concepts/voice-video-calling/recognize-action.md)

+- Learn more about [Play action](../../concepts/voice-video-calling/play-action.md)

+- Learn more about [Call Automation](../../concepts/voice-video-calling/call-automation.md)

+zone_pivot_groups: acs-programming-languages-csharp-python

+>[!NOTE]

+>We strongly encourage to use [Azure SDKs](https://github.com/Azure/azure-sdk). Approach described here is a fallback option for cases when Azure SDKs can't be used for any reason.

+> [!NOTE]

+> Moving VNETs among different resource groups or subscriptions is not supported if the VNET is in use by a Container Apps environment.

+> The subnet associated with a Container App Environment requires a CIDR prefix of /23 or larger (/23, /22 etc.).

+## DNS

+- **Custom DNS**: If your VNET uses a custom DNS server instead of the default Azure-provided DNS server, configure your DNS server to forward unresolved DNS queries to `168.63.129.16`. [Azure recursive resolvers](../virtual-network/virtual-networks-name-resolution-for-vms-and-role-instances.md#name-resolution-that-uses-your-own-dns-server) uses this IP address to resolve requests. If you do not use the Azure recursive resolvers, the Container Apps environment will not function.

+- **VNET-scope ingress**: If you plan to use VNET-scope [ingress](./ingress.md#configuration) in an internal Container Apps environment, configure your domains in one of the following ways:

+ 1. **Non-custom domains**: If you do not plan to use custom domains, create a private DNS zone that resolves the Container Apps environment's default domain to the static IP address of the Container Apps environment. You can use [Azure Private DNS](../dns/private-dns-overview.md) or your own DNS server. If you use Azure Private DNS, create a Private DNS Zone named as the Container App EnvironmentΓÇÖs default domain (`<UNIQUE_IDENTIFIER>.<REGION_NAME>.azurecontainerapps.io`), with an `A` record that points to the static IP address of the Container Apps environment.

+ 1. **Custom domains**: If you plan to use custom domains, use a publicly resolvable domain to [add a custom domain and certificate](./custom-domains-certificates.md#add-a-custom-domain-and-certificate) to the container app. Additionally, create a private DNS zone that resolves the apex domain to the static IP address of the Container Apps environment. You can use [Azure Private DNS](../dns/private-dns-overview.md) or your own DNS server. If you use Azure Private DNS, create a Private DNS Zone named as the apex domain, with an `A` record that points to the static IP address of the Container Apps environment.

+| Partial | No |

+| Partial | No |

+| Partial | No |

+Get started with the Azure Cosmos DB client library for JavaScript to create databases, containers, and items within your account. Without a credit card or an Azure subscription, you can set up a free [Try Azure Cosmos DB account](https://aka.ms/trycosmosdb). Follow these steps to install the package and try out example code for basic tasks.

+> [!NOTE]

+> The [example code snippets](https://github.com/Azure-Samples/cosmos-db-sql-api-javascript-samples) are available on GitHub as a Node.js project.

+* In a terminal or command window, run ``node --version`` to check that the Node.js version is one of the current long term support (LTS) versions.

+* Run ``az --version`` (Azure CLI) or ``Get-Module -ListAvailable AzureRM`` (Azure PowerShell) to check that you have the appropriate Azure command-line tools installed.

+## Setting up

+This section walks you through creating an Azure Cosmos account and setting up a project that uses Azure Cosmos DB SQL API client library for JavaScript to manage resources.

+### Create an Azure Cosmos DB account

+### Configure environment variables

+### Create a new JavaScript project

+1. Create a new Node.js application in an empty folder using your preferred terminal.

+ ```bash

+ npm init -y

+ ```

+2. Edit the `package.json` file to use ES6 modules by adding the `"type": "module",` entry. This allows your code to use modern async/await syntax.

+ :::code language="javascript" source="~/cosmos-db-sql-api-javascript-samples/001-quickstart/package.json" highlight="6":::

+### Install the package

+1. Add the [@azure/cosmos](https://www.npmjs.com/package/@azure/cosmos) npm package to the Node.js project.

+ ```bash

+ npm install @azure/cosmos

+ ```

+

+1. Add the [dotenv](https://www.npmjs.com/package/dotenv) npm package to read environment variables from a `.env` file.

+

+ ```bash

+ npm install dotenv

+ ```

+### Create local development environment files

+1. Create a `.gitignore` file and add the following value to ignore your environment file and your node_modules. This ensures that only the secure and relevant information can be checked into source code.

+ ```text

+ .env

+ node_modules

+ ```

+1. Create a `.env` file with the following variables:

+ ```text

+ COSMOS_ENDPOINT=

+ COSMOS_KEY=

+ ```

+### Create a code file

+Create an `index.js` and add the following boilerplate code to the file to read environment variables:

+### Add dependency to client library

+Add the following code at the end of the `index.js` file to include the required dependency to programmatically access Cosmos DB.

+### Add environment variables to code file

+Add the following code at the end of the `index.js` file to include the required environment variables. The endpoint and key were found at the end of the [account creation steps](#create-an-azure-cosmos-db-account).

+### Add variables for names

+Add the following variables to manage unique database and container names as well as the [partition key (pk)](/azure/cosmos-db/partitioning-overview).

+In this example, we chose to add a timeStamp to the database and container in case you run this sample code more than once.

+## Object model

+You'll use the following JavaScript classes to interact with these resources:

+* [``CosmosClient``](/javascript/api/@azure/cosmos/cosmosclient) - This class provides a client-side logical representation for the Azure Cosmos DB service. The client object is used to configure and execute requests against the service.

+* [``Database``](/javascript/api/@azure/cosmos/database) - This class is a reference to a database that may, or may not, exist in the service yet. The database is validated server-side when you attempt to access it or perform an operation against it.

+* [``Container``](/javascript/api/@azure/cosmos/container) - This class is a reference to a container that also may not exist in the service yet. The container is validated server-side when you attempt to work with it.

+* [``SqlQuerySpec``](/javascript/api/@azure/cosmos/sqlqueryspec) - This interface represents a SQL query and any query parameters.

+* [``QueryIterator<>``](/javascript/api/@azure/cosmos/queryiterator) - This class represents an iterator that can track the current page of results and get a new page of results.

+* [``FeedResponse<>``](/javascript/api/@azure/cosmos/feedresponse) - This class represents a single page of responses from the iterator.

+## Code examples

+* [Authenticate the client](#authenticate-the-client)

+* [Create a database](#create-a-database)

+* [Create a container](#create-a-container)

+* [Create an item](#create-an-item)

+* [Get an item](#get-an-item)

+* [Query items](#query-items)

+The sample code described in this article creates a database named ``adventureworks`` with a container named ``products``. The ``products`` table is designed to contain product details such as name, category, quantity, and a sale indicator. Each product also contains a unique identifier.

+For this sample code, the container will use the category as a logical partition key.

+### Authenticate the client

+In the `index.js`, add the following code to use the resource **endpoint** and **key** to authenticate to Cosmos DB. Define a new instance of the [``CosmosClient``](/javascript/api/@azure/cosmos/cosmosclient) class.

+### Create a database

+Add the following code to use the [``CosmosClient.Databases.createDatabaseIfNotExists``](/javascript/api/@azure/cosmos/databases#@azure-cosmos-databases-createifnotexists) method to create a new database if it doesn't already exist. This method will return a reference to the existing or newly created database.

+### Create a container

+Add the following code to create a container with the [``Database.Containers.createContainerIfNotExistsAsync``](/javascript/api/@azure/cosmos/containers#@azure-cosmos-containers-createifnotexists) method. The method returns a reference to the container.

+### Create an item

+Add the following code to provide your data set. Each _product_ has a unique ID, name, category name (used as partition key) and other fields.

+Create a few items in the container by calling [``Container.Items.create``](/javascript/api/@azure/cosmos/items#@azure-cosmos-items-create) in a loop.

+### Get an item

+In Azure Cosmos DB, you can perform a point read operation by using both the unique identifier (``id``) and partition key fields. In the SDK, call [``Container.item().read``](/javascript/api/@azure/cosmos/item#@azure-cosmos-item-read) passing in both values to return an item.

+The partition key is specific to a container. In this Contoso Products container, the category name, `categoryName`, is used as the partition key.

+### Query items

+Add the following code to query for all items that match a specific filter. Create a [parameterized query expression](/javascript/api/@azure/cosmos/sqlqueryspec) then call the [``Container.Items.query``](/javascript/api/@azure/cosmos/items#@azure-cosmos-items-query) method. This method returns a [``QueryIterator``](/javascript/api/@azure/cosmos/queryiterator) that will manage the pages of results. Then, use a combination of ``while`` and ``for`` loops to [``fetchNext``](/javascript/api/@azure/cosmos/queryiterator#@azure-cosmos-queryiterator-fetchnext) page of results as a [``FeedResponse``](/javascript/api/@azure/cosmos/feedresponse) and then iterate over the individual data objects.

+The query is programmatically composed to `SELECT * FROM todo t WHERE t.partitionKey = 'Bikes, Touring Bikes'`.

+If you want to use this data returned from the FeedResponse as an _item_, you need to create an [``Item``](/javascript/api/@azure/cosmos/item), using the [``Container.Items.read``](#get-an-item) method.

+### Delete an item

+Add the following code to delete an item you need to use the ID and partition key to get the item, then delete it. This example uses the [``Container.Item.delete``](/javascript/api/@azure/cosmos/item#@azure-cosmos-item-delete) method to delete the item.

+## Run the code

+This app creates an Azure Cosmos DB SQL API database and container. The example then creates items and then reads one item back. Finally, the example issues a query that should only return items matching a specific category. With each step, the example outputs metadata to the console about the steps it has performed.

+To run the app, use a terminal to navigate to the application directory and run the application.

+```bash

+node index.js

+```

+The output of the app should be similar to this example:

+```output

+contoso_1663276732626 database ready

+products_1663276732626 container ready

+'Touring-1000 Blue, 50' inserted

+'Touring-1000 Blue, 46' inserted

+'Mountain-200 Black, 42' inserted

+Touring-1000 Blue, 50 read

+08225A9E-F2B3-4FA3-AB08-8C70ADD6C3C2: Touring-1000 Blue, 50, BK-T79U-50

+2C981511-AC73-4A65-9DA3-A0577E386394: Touring-1000 Blue, 46, BK-T79U-46

+0F124781-C991-48A9-ACF2-249771D44029 Item deleted

+```

+## Clean up resources

+## Next steps

+In this quickstart, you learned how to create an Azure Cosmos DB SQL API account, create a database, and create a container using the JavaScript SDK. You can now dive deeper into the SDK to import more data, perform complex queries, and manage your Azure Cosmos DB SQL API resources.

+> [Tutorial: Build a Node.js console app](sql-api-nodejs-get-started.md)

+Bold property names are unchanged.

+| **AccountOwnerId** | AccountOwnerId |

+| **AvailabilityZone** | AvailabilityZone |

+| **InvoiceSectionId** | InvoiceSectionId |

+| **MeterRegion** | MeterRegion |

+| **PayGPrice** | PayGPrice |

+| **PlanName** | PlanName |

+| **PricingModel** | PricingModel |

+| **ProductOrderId** | ProductOrderId |

+| **ProductOrderName** | ProductOrderName |

+| **PublisherName** | PublisherName |

+| **PublisherType** | PublisherType |

+| **ReservationId** | ReservationId |

+| **ReservationName** | ReservationName |

+| **ServiceInfo1** | ServiceInfo1 |

+| **ServiceInfo2** | ServiceInfo2 |

+| **Tags** | Tags |

+| **Term** | Term |

+| **CostAllocationRuleName** | CostAllocationRuleName |

+Organizations with an existing EA account should review this article when they set up an MCA account. Previously, renewing an EA account required some minimal work to move from an old enrollment to a new one. However, migrating to an MCA account requires extra effort. Extra effort is because of changes in the underlying billing subsystem, which affect all cost-related APIs and service offerings.

+- Review other integration offerings like Power BI for other needed action.

+| Usage (JSON) | [/usagedetails](/rest/api/billing/enterprise/billing-enterprise-api-usage-detail#json-format)[/usagedetailsbycustomdate](/rest/api/billing/enterprise/billing-enterprise-api-usage-detail#json-format) | [Choose a cost details solution](../automate/usage-details-best-practices.md) |

+| Usage (CSV) | [/usagedetails/download](/rest/api/billing/enterprise/billing-enterprise-api-usage-detail#csv-format)[/usagedetails/submit](/rest/api/billing/enterprise/billing-enterprise-api-usage-detail#csv-format) | [Choose a cost details solution](../automate/usage-details-best-practices.md) |

+| Marketplace Usage (CSV) | [/marketplacecharges](/rest/api/billing/enterprise/billing-enterprise-api-marketplace-storecharge)[/marketplacechargesbycustomdate](/rest/api/billing/enterprise/billing-enterprise-api-marketplace-storecharge) | [Choose a cost details solution](../automate/usage-details-best-practices.md) |

+Get a daily breakdown of costs from Azure service usage, third-party Marketplace usage, and other Marketplace purchases with the following APIs. The following separate APIs were merged for Azure services and third-party Marketplace usage. The old APIs are replaced by either [Exports](ingest-azure-usage-at-scale.md) or the [Cost Details API](/rest/api/cost-management/generate-cost-details-report/create-operation). To choose the solution that's right for you, see [Choose a cost details solution](../automate/usage-details-best-practices.md). Both solutions provide the same Cost Details file and have marketplace purchases in the data, which were previously only shown in the balance summary to date.

+Exports and the Cost Details API, as with all Cost Management APIs, are available at multiple scopes. For invoiced costs, as you would traditionally receive at an enrollment level, use the billing profile scope. For more information about Cost Management scopes, see [Understand and work with scopes](understand-work-scopes.md).

+| **Type** | **ID format** |

+| Billing account | /Microsoft.Billing/billingAccounts/{billingAccountId} |

+| Billing profile | /Microsoft.Billing/billingAccounts/{billingAccountId}/billingProfiles/{billingProfileId} |

+| Subscription | /subscriptions/{subscriptionId} |

+| Resource group | /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName} |

+Some property names have changed in the new Cost Details dataset available through Exports and Cost Details API. The following table shows corresponding properties.

+| ChargesBilledSeparately | isAzureCreditEligible | The properties are opposites. If isAzureCreditEnabled is true, ChargesBilledSeparately would be false. |

+| Tags | tags | The tags property applies to the root object, not to the properties nested property. |

+Make another GET call to the location. The response to the GET call is the same until the operation reaches a completion or failure state. When completed, the response to the GET call location returns the download URL as if the operation was executed at the same time. Here's an example:

+This API is for Microsoft Customer Agreements and it provides extra attributes.

+| partNumber | Not applicable because part number isn't listed in MCA invoices. Instead of part number, use the meterId and productOrderName combination to uniquely identify prices. |

+This article applies to customers with a Microsoft Customer Agreement (MCA) and to customers who signed up for Azure through the Azure website (for a Microsoft Online Services Program account also called pay-as-you-go account).

+On 1 October 2021, automatic payments in India may block some credit card transactions, especially transactions exceeding 5,000 INR. Because of this situation, you may need to make payments manually in the Azure portal. This directive won't affect the total amount you'll be charged for your Azure usage.

+On 30 September 2022, Microsoft and other online merchants will no longer be storing credit card information. To comply with this regulation Microsoft will be removing all stored card details from Microsoft Azure. To avoid service interruption, you'll need to add and verify your payment method to make a payment in the Azure portal for all invoices.

+### UPI and NetBanking payment options

+Azure supports two alternate payment options for customers in India:

+- UPI (Unified Payments Interface) payment is a real-time payment method.

+- NetBanking (Internet Banking) facilitates customers with access to banking services on an online platform.

+#### How do I make a payment with UPI or NetBanking?

+UPI and NetBanking are only supported for one-time transactions.

+To make a payment with UPI or NetBanking:

+1. Select Add a new payment method when youΓÇÖre making a payment.

+2. Select UPI / NetBanking.

+3. You're redirected to a payment partner, like Billdesk, where you can choose your payment method.

+4. YouΓÇÖre redirected to your bank's website where you can process the payment.

+After you submit the payment, allow time for the payment to appear in the Azure portal.

+#### How am I refunded if I made a payment with UPI or NetBanking?

+Refunds are treated as a regular charge. TheyΓÇÖre refunded to your bank account.

+If you have a Microsoft Online Services Program (pay-as-you-go) account and you have a bill due, you'll see the **Pay now** banner on your subscription property page.

+If you have a Microsoft Online Services Program account (pay-as-you-go account), the **Pay now** option might be unavailable. Instead, you might see a **Settle balance** banner. If so, see [Resolve past due balance](../manage/resolve-past-due-balance.md#resolve-past-due-balance-in-the-azure-portal).

+- **Recommendation**: Make sure the execution output size does not exceed 4 MB. For more information, see [How to scale out the size of data moving using Azure Data Factory](/answers/questions/700102/how-to-scale-out-the-size-of-data-moving-using-azu.html).

+| [Google Sheets (Preview)](connector-google-sheets.md#mapping-data-flow-properties) | | -/Γ£ô |

+ |Authentication |System Assigned Managed Identity |

+|[VoyagerESR 2.0](https://www.klasgroup.com/products-gov/voyager-tdc/) |Cisco ESS3300 Switch component |

+1. Select **Next: Select plans**.<a name="cloudtrail-implications-note"></a>

+| 22.2.6 | 09/2022 | 04/2023 |

+## September 2022

+|Service area |Updates |

+|||

+|**OT networks** |**Sensor software version 22.2.6**: <br> - Bug fixes and stability improvements <br>- Enhancements to the device type classification algorithm |

+| Microsoft.Communication.IncomingCall | Published when there is an incoming call |

+### Microsoft.Communication.IncomingCall

+```json

+[

+ {

+ "id": "d5546be8-227a-4db8-b2c3-4f06fd675fd6",

+ "topic": "/subscriptions/{subscription-id}/resourcegroups/{group-name}/providers/microsoft.communication/communicationservices/{communication-services-resource-name}",

+ "subject": "/caller/4:+16041234567/recipient/8:acs:ff4181e1-324c-4cd1-9c4f-bda3e5d348f5_00000000-0000-0000-0000-000000000000",

+ "data": {

+ "to": {

+ "kind": "PhoneNumber",

+ "rawId": "4:+18331234567",

+ "phoneNumber": {

+ "value": "+18331234567"

+ }

+ },

+ "from": {

+ "kind": "PhoneNumber",

+ "rawId": "4:+16041234567",

+ "phoneNumber": {

+ "value": "+16041234567"

+ }

+ },

+ "callerDisplayName": "",

+ "incomingCallContext": "eyJhbGciOiJub25lIiwidHliSldUIn0.eyJjYyI6Ikg0c0lBQi9iT0JiOUs0SVhtQS9UMGhJbFVaUUlHQVBIc1J1M1RlbzgyNW4xcmtHJNa2hCNVVTQkNUbjFKTVo1NCt3ZDk1WFY0ZnNENUg0VDV2dk5VQ001NWxpRkpJb0pDUWlXS0F3OTJRSEVwUWo4aFFleDl4ZmxjRi9lMTlaODNEUmN6QUpvMVRWVXoxK1dWYm1lNW5zNmF5cFRyVGJ1KzMxU3FMY3E1SFhHWHZpc3FWd2kwcUJWSEhta0xjVFJEQ0hlSjNhdzA5MHE2T0pOaFNqS0pFdXpCcVdidzRoSmJGMGtxUkNaOFA4T3VUMTF0MzVHN0kvS0w3aVQyc09aS2F0NHQ2cFV5d0UwSUlEYm4wQStjcGtiVjlUK0E4SUhLZ2JKUjc1Vm8vZ0hFZGtRT3RCYXl1akc4cUt2U1dITFFCR3JFYjJNY3RuRVF0TEZQV1JEUzJHMDk3TGU5VnhhTktob2JIV0wzOHdab3dWcGVWZmsrL2QxYVZnQ2U1bVVLQTh1T056YmpvdXdnQjNzZTlnTEhjNFlYem5BVU9nRGY5dUFQMndsMXA0WU5nK1cySVRxSEtZUzJDV25IcEUySkhVZzd2UnVHOTBsZ081cU81MngvekR0OElYWHBFSi9peUxtNkdibmR1eEdZREozRXNWWXh4ZzZPd1hqc0pCUjZvR1U3NDIrYTR4M1RpQXFaV245UVIrMHNaVDg3YXpRQzbDNUR3BuZFhST1FTMVRTRzVVTkRGeU5UVjNORTFHU2kxck1UTk9VMUF0TWtWNVNreFRUVVI0YlMxRk1VdEVabnBRTjFsQ1EwWkVlVTQxZURCc1IyaHljVTVYTFROeWVTMVJNVjgyVFhrdGRFNUJZV3hrZW5SSVUwMTFVVE5GWkRKUkluMTlmUS5hMTZ0eXdzTDhuVHNPY1RWa2JnV3FPbTRncktHZmVMaC1KNjZUZXoza0JWQVJmYWYwOTRDWDFJSE5tUXRJeDN1TWk2aXZ3QXFFQWV1UlNGTjhlS3gzWV8yZXppZUN5WDlaSHp6Q1ZKemdZUVprc0RjYnprMGJoR09laWkydkpEMnlBMFdyUW1SeGFxOGZUM25EOUQ1Z1ZSUVczMGRheGQ5V001X1ZuNFNENmxtLVR5TUSVEifQ.",

+ "correlationId": "d732db64-4803-462d-be9c-518943ea2b7a"

+ },

+ "eventType": "Microsoft.Communication.IncomingCall",

+ "dataVersion": "1.0",

+ "metadataVersion": "1",

+ "eventTime": "2022-08-25T19:27:24.2415391Z"

+ }

+]

+```

+## Default action and public network access

+> [!NOTE]

+> For the extra robustness gained by **availability-zone** support, the minimal deployment scale for the dedicated tier is **8 capacity units (CU)**, but you'll have availability zone support in the premium tier from the first PU in all availability zone regions.

+To connect your Azure virtual network and your on-premises network using ExpressRoute, you must first create a virtual network gateway. A virtual network gateway serves two purposes: exchange IP routes between the networks and route network traffic. This article explains different gateway types, gateway SKUs, and estimated performance by SKU. This article also explains ExpressRoute [FastPath](#fastpath), a feature that enables the network traffic from your on-premises network to bypass the virtual network gateway to improve performance.

+* **Vpn** - To send encrypted traffic across the public Internet, you use the gateway type 'Vpn'. This type of gateway is also referred to as a VPN gateway. Site-to-Site, Point-to-Site, and VNet-to-VNet connections all use a VPN gateway.

+* **ExpressRoute** - To send network traffic on a private connection, you use the gateway type 'ExpressRoute'. This type of gateway is also referred to as an ExpressRoute gateway and is used when configuring ExpressRoute.

+If you want to upgrade your gateway to a higher capacity gateway SKU, you can use the `Resize-AzVirtualNetworkGateway` PowerShell cmdlet or perform the upgrade directly in the ExpressRoute virtual network gateway configuration page in the Azure portal. The following upgrades are supported:

+For all other downgrade scenarios, you'll need to delete and recreate the gateway. Recreating a gateway incurs downtime.

+> * Application performance depends on multiple factors, such as the end-to-end latency, and the number of traffic flows the application opens. The numbers in the table represent the upper limit that the application can theoretically achieve in an ideal environment. Additionally, Microsoft performs routine host and OS maintenance on the ExpressRoute Virtual Network Gateway, to maintain reliability of the service. During a maintenance period, control plane and data path capacity of the gateway is reduced.

+> * During a maintenance period, you may experience intermittent connectivity issues to private endpoint resources.

+Before you create an ExpressRoute gateway, you must create a gateway subnet. The gateway subnet contains the IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required ExpressRoute gateway settings. Never deploy anything else into the gateway subnet. The gateway subnet must be named 'GatewaySubnet' to work properly. Naming the gateway subnet 'GatewaySubnet' lets Azure know to deploy the virtual network gateway VMs and services into this subnet.

+When you're planning your gateway subnet size, refer to the documentation for the configuration that you're planning to create. For example, the ExpressRoute/VPN Gateway coexist configuration requires a larger gateway subnet than most other configurations. Further more, you may want to make sure your gateway subnet contains enough IP addresses to accommodate possible future configurations. While you can create a gateway subnet as small as /29, we recommend that you create a gateway subnet of /27 or larger (/27, /26 etc.). If you plan on connecting 16 ExpressRoute circuits to your gateway, you **must** create a gateway subnet of /26 or larger. If you're creating a dual stack gateway subnet, we recommend that you also use an IPv6 range of /64 or larger. This set up will accommodate most configurations.

+You can also deploy ExpressRoute gateways in Azure Availability Zones. This configuration physically and logically separates them into different Availability Zones, protecting your on-premises network connectivity to Azure from zone-level failures.

+The new gateway SKUs also support other deployment options to best match your needs. When creating a virtual network gateway using the new gateway SKUs, you can deploy the gateway in a specific zone. This type of gateway is referred to as a zonal gateway. When you deploy a zonal gateway, all the instances of the gateway are deployed in the same Availability Zone.

+## Route Server

+When you create or delete an Azure Route Server from a virtual network that contains a Virtual Network Gateway (ExpressRoute or VPN), expect downtime until the operation gets completed.

+For more technical resources and specific syntax requirements when using REST APIs and PowerShell cmdlets for virtual network gateway configurations, see the following pages:

+By default, connectivity between virtual networks are enabled when you link multiple virtual networks to the same ExpressRoute circuit. However, Microsoft advises against using your ExpressRoute circuit for communication between virtual networks and instead uses [VNet peering](../virtual-network/virtual-network-peering-overview.md). For more information about why VNet-to-VNet connectivity isn't recommended over ExpressRoute, see [connectivity between virtual networks over ExpressRoute](virtual-network-connectivity-guidance.md).

+### Virtual network peering

+A virtual network with an ExpressRoute gateway can have virtual network peering with up to 500 other virtual networks. Virtual network peering without an ExpressRoute gateway may have a higher peering limitation.

+ | Setting | Value |

+ | | |

+ | Resource group | Select **Create new**. Enter **ExpressRouteResourceGroup** </br> Select **OK**. |

+ | Region | West US 2 |

+ | Name | TestERCircuit |

+ :::image type="content" source="./media/expressroute-howto-circuit-portal-resource-manager/expressroute-create-basic.png" alt-text=" Screenshot of how to configure the resource group and region.":::

+ Title: Long running TCP sessions with Azure Firewall

+description: There are few scenarios where Azure Firewall can potentially drop long running TCP sessions.

+# Long running TCP sessions with Azure Firewall

+Azure Firewall is designed to be available and redundant. Every effort is made to avoid service disruptions. However, there are few scenarios where Azure Firewall can potentially drop long running TCP sessions.

+## Scenarios impacting long running connections

+The following scenarios can potentially drop long running TCP sessions:

+- Scale down

+- Firewall maintenance

+- Idle timeout

+- Auto-recovery

+### Scale down

+Azure Firewall scales up\down based on throughput and CPU usage. Scale down is performed by putting the VM instance in drain mode for 90 seconds before recycling the VM instance. Any long running connections remaining on the VM instance after 90 seconds will be disconnected.

+### Firewall maintenance

+The Azure Firewall engineering team updates the firewall on an as-needed basis (usually every month), generally during night time hours in the local time-zone for that region. Updates include security patches, bug fixes, and new feature roll outs that are applied by configuring the firewall in a [rolling update mode](https://azure.microsoft.com/blog/deployment-strategies-defined/). The firewall instances are put in a drain mode before reimaging them to give short-lived sessions time to drain. Long running sessions remaining on an instance after the drain period are dropped during the restart.

+### Idle timeout

+An idle timer is in place to recycle idle sessions. The default value is four minutes. Applications that maintain keepalives don't idle out. If the application needs more than 4 minutes (typical of IOT devices), you can contact support to extend the time to 30 minutes in the backend.

+### Auto-recovery

+Azure Firewall constantly monitors VM instances and recovers them automatically in case any instance goes unresponsive. In general, there's a 1 in 100 chance for a firewall instance to be auto-recovered over a 30 day period.

+## Applications sensitive to TCP session resets

+Session disconnection isnΓÇÖt an issue for resilient applications that can handle session reset gracefully. However, there are few applications (like traditional SAP GUI and SAP RFC based apps) which are sensitive to sessions resets. Secure such sensitive applications with Network Security Groups (NSGs).

+## Network security groups

+You can deploy [network security groups](../virtual-network/virtual-network-vnet-plan-design-arm.md#security) (NSGs) to protect against unsolicited traffic into Azure subnets. Network security groups are simple, stateful packet inspection devices that use the 5-tuple approach (source IP, source port, destination IP, destination port, and layer 4 protocol) to create allow/deny rules for network traffic. You allow or deny traffic to and from a single IP address, to and from multiple IP addresses, or to and from entire subnets. NSG flow logs help with auditing by logging information about IP traffic flowing through an NSG. To learn more about NSG flow logging, see [Introduction to flow logging for network security groups](../network-watcher/network-watcher-nsg-flow-logging-overview.md).

+## Next steps

+To learn more about Azure Firewall performance, see [Azure Firewall performance](firewall-performance.md).

+> Session affinity will be established in the following circumstances beyond the standard non-cacheable scenarios:

+| Operator | Description | ARM template support |

+|-|--|--|

+| Any | Matches when there's any value, regardless of what it is. | `operator`: `Any` |

+| Equal | Matches when the value exactly matches the specified string. | `operator`: `Equal` |

+| Contains | Matches when the value contains the specified string. | `operator`: `Contains` |

+| Less Than | Matches when the length of the value is less than the specified integer. | `operator`: `LessThan` |

+| Greater Than | Matches when the length of the value is greater than the specified integer. | `operator`: `GreaterThan` |

+| Less Than or Equal | Matches when the length of the value is less than or equal to the specified integer. | `operator`: `LessThanOrEqual` |

+| Greater Than or Equal | Matches when the length of the value is greater than or equal to the specified integer. | `operator`: `GreaterThanOrEqual` |

+| Begins With | Matches when the value begins with the specified string. | `operator`: `BeginsWith` |

+| Ends With | Matches when the value ends with the specified string. | `operator`: `EndsWith` |

+| Not Any | Matches when there's no value. | `operator`: `Any` and `negateCondition` : `true` |

+| Not Equal | Matches when the value doesn't match the specified string. | `operator`: `Equal` and `negateCondition` : `true` |

+| Not Contains | Matches when the value doesn't contain the specified string. | `operator`: `Contains` and `negateCondition` : `true` |

+| Not Less Than | Matches when the length of the value isn't less than the specified integer. | `operator`: `LessThan` and `negateCondition` : `true` |

+| Not Greater Than | Matches when the length of the value isn't greater than the specified integer. | `operator`: `GreaterThan` and `negateCondition` : `true` |

+| Not Less Than or Equal | Matches when the length of the value isn't less than or equal to the specified integer. | `operator`: `LessThanOrEqual` and `negateCondition` : `true` |

+| Not Greater Than or Equals | Matches when the length of the value isn't greater than or equal to the specified integer. | `operator`: `GreaterThanOrEqual` and `negateCondition` : `true` |

+| Not Begins With | Matches when the value doesn't begin with the specified string. | `operator`: `BeginsWith` and `negateCondition` : `true` |

+| Not Ends With | Matches when the value doesn't end with the specified string. | `operator`: `EndsWith` and `negateCondition` : `true` |

+ Title: 'Cache purging - Azure Front Door - Azure CLI'

+description: This article helps you understand how to purge cache on an Azure Front Door Standard and Premium profile using Azure CLI.

+# Cache purging in Azure Front Door with Azure CLI

+Azure Front Door caches assets until the asset's time-to-live (TTL) expires. Whenever a client requests an asset with expired TTL, the Azure Front Door environment retrieves a new updated copy of the asset to serve the request and then stores the refreshed cache.

+Best practice is to make sure your users always obtain the latest copy of your assets. The way to do that is to version your assets for each update and publish them as new URLs. Azure Front Door Standard/Premium will immediately retrieve the new assets for the next client requests. Sometimes you may wish to purge cached contents from all edge nodes and force them all to retrieve new updated assets. The reason you want to purge cached contents is because you've made new updates to your application, or you want to update assets that contain incorrect information.

+* Review [Caching with Azure Front Door](../front-door-caching.md) to understand how caching works.

+* Have a functioning Azure Front Door profile. Refer [Create a Front Door - CLI](../create-front-door-cli.md)to learn how to create one.

+## Configure cache purge

+Run [az afd endpoint purge](/cli/azure/afd/endpoint#az-afd-endpoint-purge) to purge cache after inputting the necessary parameters like:

+ * Name of resource group

+ * Name of the Azure Front Door profile within the resource group with assets you want to purge

+ * Endpoints with assets you want to purge

+ * Domains/Subdomains with assets you want to purge

+ > [!IMPORTANT]

+ > Cache purge for wildcard domains is not supported, you have to specify a subdomain for cache purge for a wildcard domain. You can add as many single-level subdomains of the wildcard domain. For example, for the wildcard domain `*.afdxgatest.azfdtest.xyz`, you can add subdomains in the form of `contoso.afdxgatest.azfdtest.xyz` or `cart.afdxgatest.azfdtest.xyz` and so on. For more information, see [Wildcard domains in Azure Front Door](../front-door-wildcard-domain.md).

+ * The path to the content to be purged.

+ * These formats are supported in the lists of paths to purge:

+ * **Single path purge**: Purge individual assets by specifying the full path of the asset (without the protocol and domain), with the file extension, for example, /pictures/strasbourg.png.

+ * **Root domain purge**: Purge the root of the endpoint with "/*" in the path.

+```azurecli-interactive

+az afd endpoint purge \

+ --resource-group myRGFD \

+ --profile-name contosoafd \

+ --endpoint-name myendpoint \

+ --domains www.contoso.com \

+ --content-paths '/scripts/*'

+```

+Cache purges on the Azure Front Door profile are case-insensitive. Additionally, they're query string agnostic, which means to purge a URL will purge all query-string variations of it.

+## Next steps

+Learn how to [create an Azure Front Door profile](../create-front-door-portal.md).

+ Title: 'Cache purging - Azure Front Door - Azure PowerShell'

+description: This article helps you understand how to purge cache on an Azure Front Door Standard and Premium profile using Azure PowerShell.

+# Cache purging in Azure Front Door with Azure PowerShell

+Azure Front Door caches assets until the asset's time-to-live (TTL) expires. Whenever a client requests an asset with expired TTL, the Azure Front Door environment retrieves a new updated copy of the asset to serve the request and then stores the refreshed cache.

+Best practice is to make sure your users always obtain the latest copy of your assets. The way to do that is to version your assets for each update and publish them as new URLs. Azure Front Door Standard/Premium will immediately retrieve the new assets for the next client requests. Sometimes you may wish to purge cached contents from all edge nodes and force them all to retrieve new updated assets. The reason you want to purge cached contents is because you've made new updates to your application, or you want to update assets that contain incorrect information.

+## Prerequisites

+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).

+- Azure PowerShell installed locally or Azure Cloud Shell

+* Review [Caching with Azure Front Door](../front-door-caching.md) to understand how caching works.

+* Have a functioning Azure Front Door profile. Refer [Create a Front Door - PowerShell](../create-front-door-powershell.md)to learn how to create one.

+## Configure cache purge

+Run [Clear-AzFrontDoorCdnEndpointContent](/powershell/module/az.cdn/clear-azfrontdoorcdnendpointcontent) to purge cache after inputting the necessary parameters like:

+ * Name of resource group

+ * Name of the Azure Front Door profile within the resource group with assets you want to purge

+ * Endpoints with assets you want to purge

+ * Domains/Subdomains with assets you want to purge

+ > [!IMPORTANT]

+ > Cache purge for wildcard domains is not supported, you have to specify a subdomain for cache purge for a wildcard domain. You can add as many single-level subdomains of the wildcard domain. For example, for the wildcard domain `*.afdxgatest.azfdtest.xyz`, you can add subdomains in the form of `contoso.afdxgatest.azfdtest.xyz` or `cart.afdxgatest.azfdtest.xyz` and so on. For more information, see [Wildcard domains in Azure Front Door](../front-door-wildcard-domain.md).

+ * The path to the content to be purged.

+ * These formats are supported in the lists of paths to purge:

+ * **Single path purge**: Purge individual assets by specifying the full path of the asset (without the protocol and domain), with the file extension, for example, /pictures/strasbourg.png.

+ * **Root domain purge**: Purge the root of the endpoint with "/*" in the path.

+```azurepowershell-interactive

+Clear-AzFrontDoorCdnEndpointContent `

+ -ResourceGroupName myRGFD `

+ -ProfileName contosoafd `

+ -EndpointName myendpoint `

+ -Domain www.contoso.com `

+ -ContentPath /scripts/*

+```

+Cache purges on the Azure Front Door profile are case-insensitive. Additionally, they're query string agnostic, which means to purge a URL will purge all query-string variations of it.

+## Next steps

+Learn how to [create an Azure Front Door profile](../create-front-door-portal.md).

+implementations:

+- **\[Preview\]: Linux machines should meet requirements for the Azure compute security baseline**

+ Azure Policy guest configuration definition

+- **Vulnerabilities in security configuration on your machines should be remediated** in Azure

+ Security Center

+For more information, see [Azure Policy guest configuration](../concepts/guest-configuration.md) and

+[Overview of the Azure Security Benchmark (V2)](../../../security/benchmarks/overview.md).

+|Ensure nosuid option set on /tmp partition.<br />_(1.1.7) |Description: Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users can't create setuid files in /var/tmp. |Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /tmp partition. For more information, see the fstab(5) manual pages. |

+|Ensure nosuid option set on /var/tmp partition.<br />_(1.1.8) |Description: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users can't create setuid files in /var/tmp. |Edit the /etc/fstab file and add nosuid to the fourth field (mounting options) for the /var/tmp partition. For more information, see the fstab(5) manual pages. |

+|Ensure noexec option set on /var/tmp partition.<br />_(1.1.9) |Description: Since the `/var/tmp` filesystem is only intended for temporary file storage, set this option to ensure that users can't run executable binaries from `/var/tmp` . |Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /var/tmp partition. For more information, see the fstab(5) manual pages. |

+|Ensure noexec option set on /dev/shm partition.<br />_(1.1.16) |Description: Setting this option on a file system prevents users from executing programs from shared memory. This control deters users from introducing potentially malicious software on the system. |Edit the /etc/fstab file and add noexec to the fourth field (mounting options) for the /dev/shm partition. For more information, see the fstab(5) manual pages. |

+|Ensure permissions on /etc/motd are configured.<br />_(1.7.1.4) |Description: If the `/etc/motd` file doesn't have the correct ownership, it could be modified by unauthorized users with incorrect or misleading information. |Set the owner and group of /etc/motd to root and set permissions to 0644 or run '/opt/microsoft/omsagent/plugin/omsremediate -r file-permissions' |

+|Ensure permissions on /etc/issue are configured.<br />_(1.7.1.5) |Description: If the `/etc/issue` file doesn't have the correct ownership, it could be modified by unauthorized users with incorrect or misleading information. |Set the owner and group of /etc/issue to root and set permissions to 0644 or run '/opt/microsoft/omsagent/plugin/omsremediate -r file-permissions' |

+|Ensure permissions on /etc/issue.net are configured.<br />_(1.7.1.6) |Description: If the `/etc/issue.net` file doesn't have the correct ownership, it could be modified by unauthorized users with incorrect or misleading information. |Set the owner and group of /etc/issue.net to root and set permissions to 0644 or run '/opt/microsoft/omsagent/plugin/omsremediate -r file-permissions' |

+|Ensure permissions on /etc/hosts.allow are configured.<br />_(3.4.4) |Description: It's critical to ensure that the `/etc/hosts.allow` file is protected from unauthorized write access. Although it's protected by default, the file permissions could be changed either inadvertently or through malicious actions. |Set the owner and group of /etc/hosts.allow to root and the permissions to 0644 or run '/opt/microsoft/omsagent/plugin/omsremediate -r file-permissions' |

+|Ensure permissions on /etc/hosts.deny are configured.<br />_(3.4.5) |Description: It's critical to ensure that the `/etc/hosts.deny` file is protected from unauthorized write access. Although it's protected by default, the file permissions could be changed either inadvertently or through malicious actions. |Set the owner and group of /etc/hosts.deny to root and the permissions to 0644 or run '/opt/microsoft/omsagent/plugin/omsremediate -r file-permissions' |

+|Ensure default deny firewall policy<br />_(3.6.2) |Description: With a default accept policy, the firewall will accept any packet that is not explicitly denied. It is easier to maintain a secure firewall with a default DROP policy than it is with a default Allow policy. |Set the default policy for incoming, outgoing, and routed traffic to `deny` or `reject` as appropriate using your firewall software |

+|Disable the installation and use of file systems that aren't required (cramfs)<br />_(6.1) |Description: An attacker could use a vulnerability in cramfs to elevate privileges |Add a file to the /etc/modprob.d directory that disables cramfs or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |

+|Disable the installation and use of file systems that aren't required (freevxfs)<br />_(6.2) |Description: An attacker could use a vulnerability in freevxfs to elevate privileges |Add a file to the /etc/modprob.d directory that disables freevxfs or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |

+|Ensure all users' home directories exist<br />_(6.2.7) |Description: If the user's home directory does not exist or is unassigned, the user will be placed in the volume root. Moreover, the user will be unable either to write any files or set environment variables. |If any users' home directories don't exist, create them and make sure the respective user owns the directory. Users without an assigned home directory should be removed or assigned a home directory as appropriate. |

+|Ensure users own their home directories<br />_(6.2.9) |Description: Since the user is accountable for files stored in the user home directory, the user must be the owner of the directory. |Change the ownership of any home directories that aren't owned by the defined user to the correct user. |

+|Ensure users' dot files aren't group or world writable.<br />_(6.2.10) |Description: Group or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system privileges. |Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, we recommended you establish a monitoring policy to report user dot file permissions and determine site policy remediation actions. |

+|Ensure no users have .forward files<br />_(6.2.11) |Description: Use of the `.forward` file poses a security risk in that sensitive data may be inadvertently transferred outside the organization. The `.forward` file also poses a risk as it can be used to execute commands that may perform unintended actions. |Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it's recommended that a monitoring policy be established to report user `.forward` files and determine the action to be taken in accordance with site policy. |

+|Ensure no users have .netrc files<br />_(6.2.12) |Description: The `.netrc` file presents a significant security risk since it stores passwords in unencrypted form. Even if FTP is disabled, user accounts may have brought over `.netrc` files from other systems that could pose a risk to those systems |Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it's recommended that a monitoring policy be established to report user `.netrc` files and determine the action to be taken in accordance with site policy. |

+|Ensure no users have .rhosts files<br />_(6.2.14) |Description: This action is only meaningful if `.rhosts` support is permitted in the file `/etc/pam.conf` . Even though the `.rhosts` files are ineffective if support is disabled in `/etc/pam.conf` , they may have been brought over from other systems and could contain information useful to an attacker for those other systems. |Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it's recommended that a monitoring policy be established to report user `.rhosts` files and determine the action to be taken in accordance with site policy. |

+|Ensure all groups in /etc/passwd exist in /etc/group<br />_(6.2.15) |Description: Groups which are defined in the /etc/passwd file but not in the /etc/group file poses a threat to system security since group permissions aren't properly managed. |For each group defined in /etc/passwd, ensure there is a corresponding group in /etc/group |

+|Ensure shadow group is empty<br />_(6.2.20) |Description: Any users assigned to the shadow group would be granted read access to the /etc/shadow file. If attackers can gain read access to the `/etc/shadow` file, they can easily run a password cracking program against the hashed passwords to break them. Other security information that is stored in the `/etc/shadow` file (such as expiration) could also be useful to subvert other user accounts. |Remove all users form the shadow group |

+|Disable the installation and use of file systems that aren't required (hfs)<br />_(6.3) |Description: An attacker could use a vulnerability in hfs to elevate privileges |Add a file to the /etc/modprob.d directory that disables hfs or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |

+|Disable the installation and use of file systems that aren't required (hfsplus)<br />_(6.4) |Description: An attacker could use a vulnerability in hfsplus to elevate privileges |Add a file to the /etc/modprob.d directory that disables hfsplus or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |

+|Disable the installation and use of file systems that aren't required (jffs2)<br />_(6.5) |Description: An attacker could use a vulnerability in jffs2 to elevate privileges |Add a file to the /etc/modprob.d directory that disables jffs2 or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |

+|/etc/shadow file permissions should be set to 0400<br />_(11.1) |Description: An attacker can retrieve or manipulate hashed passwords from /etc/shadow if it's not correctly secured. |Set the permissions and ownership of /etc/shadow* or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-shadow-perms' |

+|/etc/shadow- file permissions should be set to 0400<br />_(11.2) |Description: An attacker can retrieve or manipulate hashed passwords from /etc/shadow- if it's not correctly secured. |Set the permissions and ownership of /etc/shadow* or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-shadow-perms' |

+|/etc/gshadow file permissions should be set to 0400<br />_(11.3) |Description: An attacker could join security groups if this file isn't properly secured |Set the permissions and ownership of /etc/gshadow- or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-gshadow-perms' |

+|/etc/gshadow- file permissions should be set to 0400<br />_(11.4) |Description: An attacker could join security groups if this file isn't properly secured |Set the permissions and ownership of /etc/gshadow or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-gshadow-perms' |

+|/etc/passwd- file permissions should be set to 0600<br />_(12.3) |Description: An attacker could join security groups if this file isn't properly secured |Set the permissions and ownership of /etc/passwd- or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-etc-passwd-perms |

+|Access to the root account via su should be restricted to the 'root' group<br />₍₂₁₎ |Description: An attacker could escalate permissions by password guessing if su is not restricted to users in the root group. |Run the command '/opt/microsoft/omsagent/plugin/omsremediate -r fix-su-permissions'. This control adds the line 'auth required pam_wheel.so use_uid' to the file '/etc/pam.d/su' |

+|The '.' shouldn't appear in root's $PATH<br />_(27.1) |Description: An attacker could elevate privileges by placing a malicious file in root's $PATH |Modify the 'export PATH=' line in /root/.profile |

+|The system shouldn't act as a network sniffer.<br />₍₄₈₎ |Description: An attacker may use promiscuous interfaces to sniff network traffic |Promiscuous mode is enabled via a 'promisc' entry in '/etc/network/interfaces' or '/etc/rc.local.' Check both files and remove this entry. |

+|The IPv6 protocol should be enabled.<br />₍₅₀₎ |Description: This is necessary for communication on modern networks. |Open /etc/sysctl.conf and confirm that 'net.ipv6.conf.all.disable_ipv6' and 'net.ipv6.conf.default.disable_ipv6' are set to 0 |

+|Ensure DCCP is disabled<br />₍₅₄₎ |Description: If the protocol is not required, it's recommended that the drivers not be installed to reduce the potential attack surface. |Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install dccp /bin/true` then unload the dccp module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |

+|Ensure SCTP is disabled<br />₍₅₅₎ |Description: If the protocol is not required, it's recommended that the drivers not be installed to reduce the potential attack surface. |Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install sctp /bin/true` then unload the sctp module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |

+|Ensure TIPC is disabled<br />₍₅₇₎ |Description: If the protocol is not required, it's recommended that the drivers not be installed to reduce the potential attack surface. |Edit or create a file in the `/etc/modprobe.d/` directory ending in .conf and add `install tipc /bin/true` then unload the tipc module or run '/opt/microsoft/omsagent/plugin/omsremediate -r disable-unnecessary-kernel-mods' |

+|Ensure a logging service is enabled<br />₍₆₂₎ |Description: It's imperative to have the ability to log events on a node. |Enable the rsyslog package or run '/opt/microsoft/omsagent/plugin/omsremediate -r enable-rsyslog' |

+|Ensure logger configuration files are restricted.<br />_(63.1) |Description: It's important to ensure that log files exist and have the correct permissions to ensure that sensitive syslog data is archived and protected. |Set your logger's configuration files to 0640 or run '/opt/microsoft/omsagent/plugin/omsremediate -r logger-config-file-permissions' |

+|Rsyslog shouldn't accept remote messages.<br />₍₆₇₎ |Description: An attacker could inject messages into syslog, causing a DoS or a distraction from other activity |Remove the lines '$ModLoad imudp' and '$ModLoad imtcp' from the file '/etc/rsyslog.conf' |

+|Ensure at/cron is restricted to authorized users<br />₍₉₈₎ |Description: On many systems, only the system administrator is authorized to schedule `cron` jobs. Using the `cron.allow` file to control who can run `cron` jobs enforces this policy. It's easier to manage an allowlist than a denylist. In a denylist, you could potentially add a user ID to the system and forget to add it to the deny files. |Replace /etc/cron.deny and /etc/at.deny with their respective `allow` files or run '/opt/microsoft/omsagent/plugin/omsremediate -r fix-cron-job-allow' |

+|Ensure SSH LogLevel is set to INFO<br />_(106.5) |Description: SSH provides several logging levels with varying amounts of verbosity. `DEBUG `is specifically _not_ recommended other than strictly for debugging SSH communications since it provides so much data that it's difficult to identify important security information. `INFO `level is the basic level that only records login activity of SSH users. In many situations, such as Incident Response, it's important to determine when a particular user was active on a system. The logout record can eliminate those users who disconnected, which helps narrow the field. |Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: ``` LogLevel INFO ``` |

+|Ensure SSH LoginGraceTime is set to one minute or less.<br />_(110.2) |Description: Setting the `LoginGraceTime` parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. It will also limit the number of concurrent unauthenticated connections While the recommended setting is 60 seconds (1 Minute), set the number based on site policy. |Edit the /etc/ssh/sshd_config file to set the parameters according to the policy or run '/opt/microsoft/omsagent/plugin/omsremediate -r configure-login-grace-time' |

+|Ensure remote login warning banner is configured properly.<br />₍₁₁₁₎ |Description: Warning messages inform users who are attempting to login to the system of their legal status regarding the system and must include the name of the organization that owns the system and any monitoring policies that are in place. Displaying OS and patch level information in login banners also has the side effect of providing detailed system information to attackers attempting to target specific exploits of a system. Authorized users can easily get this information by running the `uname -a`command once they have logged in. |Remove any instances of \m \r \s and \v from the /etc/issue.net file |

+|Users aren't allowed to set environment options for SSH.<br />₍₁₁₂₎ |Description: An attacker may be able to bypass some access restrictions over SSH |Remove the line 'PermitUserEnvironment yes' from the file '/etc/ssh/sshd_config' |

+|Ensure password reuse is limited.<br />_(157.5) |Description: Forcing users not to reuse their past five passwords makes it less likely that an attacker will be able to guess the password. |Ensure the 'remember' option is set to at least 5 in either /etc/pam.d/common-password or both /etc/pam.d/password_auth and /etc/pam.d/system_auth or run '/opt/microsoft/omsagent/plugin/omsremediate -r configure-password-policy-history' |

+|Ensure system accounts are non-login<br />_(157.15) |Description: It's important to make sure that accounts that aren't being used by regular users are prevented from being used to provide an interactive shell. By default, Ubuntu sets the password field for these accounts to an invalid string, but it's also recommended that the shell field in the password file be set to `/usr/sbin/nologin`. This prevents the account from potentially being used to run any commands. |Set the shell for any accounts returned by the audit script to `/sbin/nologin` |

+|Ensure SNMP Server is not enabled<br />₍₁₇₉₎ |Description: The SNMP server can communicate using SNMP v1, which transmits data in the clear and does not require authentication to execute commands. Unless absolutely necessary, it's recommended that the SNMP service not be used. If SNMP is required the server should be configured to disallow SNMP v1. |Run one of the following commands to disable `snmpd`: ``` # chkconfig snmpd off ``` ``` # systemctl disable snmpd ``` ``` # update-rc.d snmpd disable ``` |

+|Ensure NIS server is not enabled<br />₍₁₈₂₎ |Description: The NIS service is an inherently insecure system that has been vulnerable to DOS attacks, buffer overflows and has poor authentication for querying NIS maps. NIS is generally replaced by protocols like Lightweight Directory Access Protocol (LDAP). It's recommended that the service be disabled and more secure services be used |Run one of the following commands to disable `ypserv` : ``` # chkconfig ypserv off ``` ``` # systemctl disable ypserv ``` ``` # update-rc.d ypserv disable ``` |

+|Ensure rsh client is not installed<br />₍₁₈₃₎ |Description: These legacy clients contain numerous security exposures and have been replaced with the more secure SSH package. Even if the server is removed, it's best to ensure the clients are also removed to prevent users from inadvertently attempting to use these commands and therefore exposing their credentials. Note that removing the `rsh `package removes the clients for `rsh`, `rcp `and `rlogin`. |Uninstall `rsh` using the appropriate package manager or manual installation: ``` yum remove rsh ``` ``` apt-get remove rsh ``` ``` zypper remove rsh ``` |

+|Disable SMB V1 with Samba<br />₍₁₈₅₎ |Description: SMB v1 has well-known, serious vulnerabilities and does not encrypt data in transit. If it must be used for business reasons, it's strongly recommended that additional steps be taken to mitigate the risks inherent to this protocol. |If Samba is not running, remove package, otherwise there should be a line in the [global] section of /etc/samba/smb.conf: min protocol = SMB2 or run '/opt/microsoft/omsagent/plugin/omsremediate -r set-smb-min-version |

+- [Azure Policy guest configuration](../concepts/guest-configuration.md).

+* **Spark** and **HBase** cluster types can also run Hive queries, and might be appropriate if you're running those workloads.

+* **Avoid data skew** - Choose your partitioning key wisely so that all partitions are even size. For example, partitioning on *State* column may skew the distribution of data. Since the state of California has a population almost 30x that of Vermont, the partition size is potentially skewed, and performance may vary tremendously.

+You can create or register a client application from the [Azure portal](dicom-register-application.md), or using PowerShell and Azure CLI scripts. This client application can be used for one or more DICOM service instances. It can also be used for other services in Azure Health Data Services.

+The FHIR service in Azure Health Data Services enables rapid exchange of health data using the Fast Healthcare Interoperability Resources (FHIR®) data standard. As part of a managed Platform-as-a-Service (PaaS), the FHIR service makes it easy for anyone working with health data to securely store and exchange Protected Health Information ([PHI](https://www.hhs.gov/answers/hipaa/what-is-phi/https://docsupdatetracker.net/index.html)) in the cloud.

+- Controlled access to FHIR data at scale with Azure Active Directory Role-Based Access Control (RBAC)

+- Audit log tracking for access, creation, and modification events within the FHIR service data store

+The FHIR service allows you to quickly create and deploy a FHIR server to leverage the elastic scale of the cloud for ingesting, persisting, and querying FHIR data. The Azure services that power the FHIR service are designed for high performance no matter how much data you're working with.

+Gathering your industrial and business data onto an IoT Hub lets you store your data securely, perform business and efficiency analyses on it, and generate reports from it. You can process your combined data with Microsoft Azure services and tools, for example [Azure Stream Analytics](https://docs.microsoft.com/azure/stream-analytics), or visualize in your Business Intelligence platform of choice such as [Power BI](https://powerbi.microsoft.com).

+Alternatively, there are several options to register a device using different kinds of authorization. To explore the options, see [Examples](/cli/azure/iot/hub/device-identity#az-iot-hub-device-identity-create-examples) on the **az iot hub device-identity** reference page.

+ 1. On the **Overview** pane, select **Trigger history**. Under **Callback url [POST]**, copy the URL:

+ 

+| North Central US | 168.62.249.81, 157.56.12.202, 65.52.211.164, 65.52.9.64, 52.162.177.104, 23.101.174.98 |

+| North Central US | 168.62.248.37, 157.55.210.61, 157.55.212.238, 52.162.208.216, 52.162.213.231, 65.52.10.183, 65.52.9.96, 65.52.8.225, 52.162.177.90, 52.162.177.30, 23.101.160.111, 23.101.167.207 |

+1. In the **ApplicationInsights.config** file, add your [Application Insights instrumentation key](../azure-monitor/app/sdk-connection-string.md) by uncommenting the line with the `<InstrumentationKey></Instrumentation>` element. Replace the placeholder, *your-Application-Insights-instrumentation-key*, with your key, for example:

+ * [Visual Studio 2019, 2017, or 2015 - Community edition](https://aka.ms/download-visual-studio), which is free. The Azure Logic Apps extension is currently unavailable for Visual Studio 2022. This quickstart uses Visual Studio Community 2017.

+> [!NOTE]

+> [!WARNING]

+> If you have set rules in firewall and/or Network Security Group over your workspace, verify that required permissions are given to inbound and outbound network traffic as defined in [Configure inbound and outbound network traffic](how-to-access-azureml-behind-firewall.md).

+> [!div class="op_single_selector" title1="Select the Azure Machine Learning SDK or CLI version you are using:"]

+> * [v1](v1/how-to-create-manage-compute-instance.md)

+> * [v2 (current version)](how-to-create-manage-compute-instance.md)

+* The [Azure CLI extension for Machine Learning service (v2)](https://aka.ms/sdk-v2-install), [Azure Machine Learning Python SDK (v2)](https://aka.ms/sdk-v2-install), or the [Azure Machine Learning Visual Studio Code extension](how-to-setup-vs-code.md).

+* If using the Python SDK, [set up your development environment with a workspace](how-to-configure-environment.md). Once your environment is set up, attach to the workspace in your Python script:

+ [!INCLUDE [connect ws v2](../../includes/machine-learning-connect-ws-v2.md)]

+[!notebook-python[](~/azureml-examples-main/sdk/resources/compute/compute.ipynb?name=ci_basic)]

+For more information on the classes, methods, and parameters used in this example, see the following reference documents:

+* [`AmlCompute` class](/python/api/azure-ai-ml/azure.ai.ml.entities.amlcompute)

+* [`ComputeInstance` class](/python/api/azure-ai-ml/azure.ai.ml.entities.computeinstance)

+ * Enable auto-stop (preview). Configure a compute instance to automatically shut down if it's inactive. For more information, see [configure auto-stop](#configure-auto-stop-preview).

+* No active Jupyter Kernel sessions (which translates to no Notebooks usage via Jupyter, JupyterLab or Interactive notebooks)

+Activity on custom applications installed on the compute instance isn't considered. There are also some basic bounds around inactivity time periods; CI must be inactive for a minimum of 15 mins and a maximum of three days.

+* CLIv2 (YAML): only configurable during new CI creation

+* Python SDKv2: only configurable during new CI creation

+* ARM Templates: only configurable during new CI creation

+Administrators can use a built-in [Azure Policy](./../governance/policy/overview.md) definition to enforce auto-stop on all compute instances in a given subscription/resource-group.

+ :::image type="content" source="media/how-to-create-attach-studio/idle-shutdown-policy.png" alt-text="Screenshot for the idle shutdown policy in Azure portal.":::

+You can also create your own custom Azure policy. For example, if the below policy is assigned, all new compute instances will have auto-stop configured with a 60-minute inactivity period.

+In the examples below, the name of the compute instance is stored in the variable `ci_basic_name`.

+ [!notebook-python[](~/azureml-examples-main/sdk/resources/compute/compute.ipynb?name=ci_basic_state)]

+ [!notebook-python[](~/azureml-examples-main/sdk/resources/compute/compute.ipynb?name=stop_compute)]

+ [!notebook-python[](~/azureml-examples-main/sdk/resources/compute/compute.ipynb?name=start_compute)]

+ [!notebook-python[](~/azureml-examples-main/sdk/resources/compute/compute.ipynb?name=restart_compute)]

+ [!notebook-python[](~/azureml-examples-main/sdk/resources/compute/compute.ipynb?name=delete_compute)]

+[Azure RBAC](../role-based-access-control/overview.md) allows you to control which users in the workspace can create, delete, start, stop, restart a compute instance. All users in the workspace contributor and owner role can create, delete, start, stop, and restart compute instances across the workspace. However, only the creator of a specific compute instance, or the user assigned if it was created on their behalf, is allowed to access Jupyter, JupyterLab, and RStudio on that compute instance. A compute instance is dedicated to a single user who has root access. That user has access to Jupyter/JupyterLab/RStudio running on the instance. Compute instance will have single-user sign-in and all actions will use that userΓÇÖs identity for Azure RBAC and attribution of experiment jobs. SSH access is controlled through public/private key mechanism.

+ + Azure Machine Learning compute

+ + Azure Machine Learning managed online endpoints

+ + Azure Machine Learning pipelines

+[Azure Machine Learning Compute](concept-compute-target.md#azure-machine-learning-compute-managed) has a default quota limit on both the number of cores (split by each VM Family and cumulative total cores) and the number of unique compute resources allowed per region in a subscription. This quota is separate from the VM core quota listed in the previous section as it applies only to the managed compute resources of Azure Machine Learning.

+The following table shows more limits in the platform. Reach out to the AzureML product team through a **technical** support ticket to request an exception.

+| Nodes in a single Azure Machine Learning Compute (AmlCompute) **cluster** set up as a non communication-enabled pool (that is, can't run MPI jobs) | 100 nodes but configurable up to 65,000 nodes |

+| Nodes in a single Parallel Run Step **run** on an Azure Machine Learning Compute (AmlCompute) cluster | 100 nodes but configurable up to 65,000 nodes if your cluster is set up to scale per above |

+¹ Maximum lifetime is the duration between when a job starts and when it finishes. Completed jobs persist indefinitely. Data for jobs not completed within the maximum lifetime isn't accessible.

+| Max request time-out at endpoint level | 90 seconds |

+² We reserve 20% extra compute resources for performing upgrades. For example, if you request 10 instances in a deployment, you must have a quota for 12. Otherwise, you'll receive an error.

+To request an exception from the Azure Machine Learning product team, use the steps in the [Request quota increases](#request-quota-increases).

+For example, consider a subscription with a US East total VM core limit of 30, an A series core limit of 30, and a D series core limit of 30. This subscription would be allowed to deploy 30 A1 VMs, or 30 D1 VMs, or a combination of the two that doesn't exceed a total of 30 cores.

+1. Scroll down until you see the list of VM sizes you don't have quota for.

+### Endpoint quota increases

+When requesting the quota increase, provide the following information:

+1. When opening the support request, select __Machine Learning Service: Endpoint Limits__ as the __Quota type__.

+1. On the __Additional details__ tab, select __Enter details__ and then provide the quota you'd like to increase and the new value, the reason for the quota increase request, and __location(s)__ where you need the quota increase. Finally, select __Save and continue__ to continue.

+ :::image type="content" source="./media/how-to-manage-quotas/quota-details.png" lightbox="./media/how-to-manage-quotas/quota-details.png" alt-text="Screenshot of the quota details form.":::

+ # [Portal](#tab/portal)

+ # [Portal](#tab/portal)

+ "python=3.8"

+*V1*

+- A Python version can be added by adding Python as a conda package, specifying the version (this is specific to SDK V1):

+ Title: Authentication secrets

+description: Learn how to pass secrets to training jobs in secure fashion using Azure Key Vault.

+# Use authentication credential secrets in Azure Machine Learning jobs

+> [!div class="op_single_selector" title1="Select the version of the Azure Machine Learning Python SDK you are using:"]

+> * [v1](v1/how-to-use-secrets-in-runs.md)

+> * [v2 (current version)](how-to-use-secrets-in-runs.md)

+Authentication information such as your user name and password are secrets. For example, if you connect to an external database in order to query training data, you would need to pass your username and password to the remote job context. Coding such values into training scripts in clear text is insecure as it would potentially expose the secret.

+The Azure Key Vault allows you to securely store and retrieve secrets. In this article, learn how you can retrieve secrets stored in a key vault from a training job running on a compute cluster.

+> [!IMPORTANT]

+> The Azure Machine Learning Python SDK v2 and Azure CLI extension v2 for machine learning do not provide the capability to set or get secrets. Instead, the information in this article uses the [Azure Key Vault Secrets client library for Python](/python/api/overview/azure/keyvault-secrets-readme).

+## Prerequisites

+Before following the steps in this article, make sure you have the following prerequisites:

+> [!TIP]

+> Many of the prerequisites in this section require __Contributor__, __Owner__, or equivalent access to your Azure subscription, or the Azure Resource Group that contains the resources. You may need to contact your Azure administrator and have them perform these actions.

+* An Azure subscription. If you don't have an Azure subscription, create a free account before you begin. Try the [free or paid version of Azure Machine Learning](https://azure.microsoft.com/free/).

+

+* An Azure Machine Learning workspace. If you don't have one, use the steps in the [Quickstart: Create workspace resources](quickstart-create-resources.md) article to create one.

+* An Azure Key Vault. If you used the [Quickstart: Create workspace resources](quickstart-create-resources.md) article to create your workspace, a key vault was created for you. You can also create a separate key vault instance using the information in the [Quickstart: Create a key vault](/azure/key-vault/general/quick-create-portal) article.

+ > [!TIP]

+ > You do not have to use same key vault as the workspace.

+* An Azure Machine Learning compute cluster configured to use a [managed identity](how-to-create-attach-compute-cluster.md?tabs=azure-studio#set-up-managed-identity). The cluster can be configured for either a system-assigned or user-assigned managed identity.

+* Grant the managed identity for the compute cluster access to the secrets stored in key vault. The method used to grant access depends on how your key vault is configured:

+ * [Azure role-based access control (Azure RBAC)](/azure/key-vault/general/rbac-guide): When configured for Azure RBAC, add the managed identity to the __Key Vault Secrets User__ role on your key vault.

+ * [Azure Key Vault access policy](/azure/key-vault/general/assign-access-policy): When configured to use access policies, add a new policy that grants the __get__ operation for secrets and assign it to the managed identity.

+* A stored secret value in the key vault. This value can then be retrieved using a key. For more information, see [Quickstart: Set and retrieve a secret from Azure Key Vault](/azure/key-vault/secrets/quick-create-python).

+ > [!TIP]

+ > The quickstart link is to the steps for using the Azure Key Vault Python SDK. In the table of contents in the left navigation area are links to other ways to set a key.

+## Getting secrets

+1. Add the `azure-keyvault-secrets` and `azure-identity` packages to the [Azure Machine Learning environment](concept-environments.md) used when training the model. For example, by adding them to the conda file used to build the environment.

+ The environment is used to build the Docker image that the training job runs in on the compute cluster.

+1. From your training code, use the [Azure Identity SDK](/python/api/overview/azure/identity-readme) and [Key Vault client library](/python/api/overview/azure/keyvault-secrets-readme) to get the managed identity credentials and authenticate to key vault:

+ ```python

+ from azure.identity import DefaultAzureCredential

+ from azure.keyvault.secret import SecretClient

+ credential = DefaultAzureCredential()

+ secret_client = SecretClient(vault_url="https://my-key-vault.vault.azure.net/", credential=credential)

+ ```

+1. After authenticating, use the Key Vault client library to retrieve a secret by providing the associated key:

+ ```python

+ secret = secret_client.get_secret("secret-name")

+ print(secret.value)

+ ```

+For an example of submitting a training job using the Azure Machine Learning Python SDK v2 (preview), see [Train models with the Python SDK v2](how-to-train-sdk.md).

+> [!div class="op_single_selector" title1="Select the Azure Machine Learning SDK or CLI version you are using:"]

+> * [v1](how-to-create-manage-compute-instance.md)

+> * [v2 (current version)](../how-to-create-manage-compute-instance.md)

+* The [Azure CLI extension for Machine Learning service (v1)](reference-azure-machine-learning-cli.md) or [Azure Machine Learning Python SDK (v1)](/python/api/overview/azure/ml/intro).

+# [Python SDK](#tab/python)

+```python

+import datetime

+import time

+from azureml.core.compute import ComputeTarget, ComputeInstance

+from azureml.core.compute_target import ComputeTargetException

+# Choose a name for your instance

+# Compute instance name should be unique across the azure region

+compute_name = "ci{}".format(ws._workspace_id)[:10]

+# Verify that instance does not exist already

+try:

+ instance = ComputeInstance(workspace=ws, name=compute_name)

+ print('Found existing instance, use it.')

+except ComputeTargetException:

+ compute_config = ComputeInstance.provisioning_configuration(

+ vm_size='STANDARD_D3_V2',

+ ssh_public_access=False,

+ # vnet_resourcegroup_name='<my-resource-group>',

+ # vnet_name='<my-vnet-name>',

+ # subnet_name='default',

+ # admin_user_ssh_public_key='<my-sshkey>'

+ )

+ instance = ComputeInstance.create(ws, compute_name, compute_config)

+ instance.wait_for_completion(show_output=True)

+```

+For more information on the classes, methods, and parameters used in this example, see the following reference documents:

+* [ComputeInstance class](/python/api/azureml-core/azureml.core.compute.computeinstance.computeinstance)

+* [ComputeTarget.create](/python/api/azureml-core/azureml.core.compute.computetarget#create-workspace--name--provisioning-configuration-)

+* [ComputeInstance.wait_for_completion](/python/api/azureml-core/azureml.core.compute.computeinstance(class)#wait-for-completion-show-output-false--is-delete-operation-false-)

+# [Azure CLI](#tab/azure-cli)

+# [Python SDK](#tab/python)

+In the examples below, the name of the compute instance is **instance**.

+* Get status

+ ```python

+ # get_status() gets the latest status of the ComputeInstance target

+ instance.get_status()

+ ```

+* Stop

+ ```python

+ # stop() is used to stop the ComputeInstance

+ # Stopping ComputeInstance will stop the billing meter and persist the state on the disk.

+ # Available Quota will not be changed with this operation.

+ instance.stop(wait_for_completion=True, show_output=True)

+ ```

+* Start

+ ```python

+ # start() is used to start the ComputeInstance if it is in stopped state

+ instance.start(wait_for_completion=True, show_output=True)

+ ```

+* Restart

+ ```python

+ # restart() is used to restart the ComputeInstance

+ instance.restart(wait_for_completion=True, show_output=True)

+ ```

+* Delete

+ ```python

+ # delete() is used to delete the ComputeInstance target. Useful if you want to re-use the compute name

+ instance.delete(wait_for_completion=True, show_output=True)

+ ```

+# [Azure CLI](#tab/azure-cli)

+[Azure RBAC](../../role-based-access-control/overview.md) allows you to control which users in the workspace can create, delete, start, stop, restart a compute instance. All users in the workspace contributor and owner role can create, delete, start, stop, and restart compute instances across the workspace. However, only the creator of a specific compute instance, or the user assigned if it was created on their behalf, is allowed to access Jupyter, JupyterLab, and RStudio on that compute instance. A compute instance is dedicated to a single user who has root access. That user has access to Jupyter/JupyterLab/RStudio running on the instance. Compute instance will have single-user sign in and all actions will use that userΓÇÖs identity for Azure RBAC and attribution of experiment runs. SSH access is controlled through public/private key mechanism.

+ Title: Authentication secrets in training

+description: Learn how to pass secrets to training jobs in secure fashion using the Azure Key Vault for your workspace.

+# Use authentication credential secrets in Azure Machine Learning training jobs

+> [!div class="op_single_selector" title1="Select the version of the Azure Machine Learning Python SDK you are using:"]

+> * [v1](how-to-use-secrets-in-runs.md)

+> * [v2 (current version)](../how-to-use-secrets-in-runs.md)

+In this article, you learn how to use secrets in training jobs securely. Authentication information such as your user name and password are secrets. For example, if you connect to an external database in order to query training data, you would need to pass your username and password to the remote job context. Coding such values into training scripts in cleartext is insecure as it would expose the secret.

+Instead, your Azure Machine Learning workspace has an associated resource called a [Azure Key Vault](/azure/key-vault/general/overview). Use this Key Vault to pass secrets to remote jobs securely through a set of APIs in the Azure Machine Learning Python SDK.

+The standard flow for using secrets is:

+ 1. On local computer, log in to Azure and connect to your workspace.

+ 2. On local computer, set a secret in Workspace Key Vault.

+ 3. Submit a remote job.

+ 4. Within the remote job, get the secret from Key Vault and use it.

+## Set secrets

+In the Azure Machine Learning, the [Keyvault](/python/api/azureml-core/azureml.core.keyvault.keyvault) class contains methods for setting secrets. In your local Python session, first obtain a reference to your workspace Key Vault, and then use the [`set_secret()`](/python/api/azureml-core/azureml.core.keyvault.keyvault#set-secret-name--value-) method to set a secret by name and value. The __set_secret__ method updates the secret value if the name already exists.

+```python

+from azureml.core import Workspace

+from azureml.core import Keyvault

+import os

+ws = Workspace.from_config()

+my_secret = os.environ.get("MY_SECRET")

+keyvault = ws.get_default_keyvault()

+keyvault.set_secret(name="mysecret", value = my_secret)

+```

+Do not put the secret value in your Python code as it is insecure to store it in file as cleartext. Instead, obtain the secret value from an environment variable, for example Azure DevOps build secret, or from interactive user input.

+You can list secret names using the [`list_secrets()`](/python/api/azureml-core/azureml.core.keyvault.keyvault#list-secrets--) method and there is also a batch version,[set_secrets()](/python/api/azureml-core/azureml.core.keyvault.keyvault#set-secrets-secrets-batch-) that allows you to set multiple secrets at a time.

+> [!IMPORTANT]

+> Using `list_secrets()` will only list secrets created through `set_secret()` or `set_secrets()` using the Azure ML SDK. It will not list secrets created by something other than the SDK. For example, a secret created using the Azure portal or Azure PowerShell will not be listed.

+>

+> You can use [`get_secret()`](#get-secrets) to get a secret value from the key vault, regardless of how it was created. So you can retrieve secrets that are not listed by `list_secrets()`.

+## Get secrets

+In your local code, you can use the [`get_secret()`](/python/api/azureml-core/azureml.core.keyvault.keyvault#get-secret-name-) method to get the secret value by name.

+For jobs submitted the [`Experiment.submit`](/python/api/azureml-core/azureml.core.experiment.experiment#submit-config--tags-none-kwargs-) , use the [`get_secret()`](/python/api/azureml-core/azureml.core.run.run#get-secret-name-) method with the [`Run`](/python/api/azureml-core/azureml.core.run%28class%29) class. Because a submitted run is aware of its workspace, this method shortcuts the Workspace instantiation and returns the secret value directly.

+```python

+# Code in submitted job

+from azureml.core import Experiment, Run

+run = Run.get_context()

+secret_value = run.get_secret(name="mysecret")

+```

+Be careful not to expose the secret value by writing or printing it out.

+There is also a batch version, [get_secrets()](/python/api/azureml-core/azureml.core.run.run#get-secrets-secrets-) for accessing multiple secrets at once.

+## Next steps

+ * [View example notebook](https://github.com/Azure/MachineLearningNotebooks/blob/master/how-to-use-azureml/manage-azureml-service/authentication-in-azureml/authentication-in-azureml.ipynb)

+ * [Learn about enterprise security with Azure Machine Learning](../concept-enterprise-security.md)

+# Discover and assess servers for migration using Private Link (Preview)

+# Support requirements and considerations for Private endpoint connectivity (Preview)

+# Migrate servers to Azure using Private Link (Preview)

+ Title: Active Directory authentication - Azure Database for MySQL - Flexible Server Preview

+description: Learn about the concepts of Azure Active Directory for authentication with Azure Database for MySQL flexible server

+# Active Directory authentication - Azure Database for MySQL - Flexible Server Preview

+Microsoft Azure Active Directory (Azure AD) authentication is a mechanism of connecting to Azure Database for MySQL Flexible server using identities defined in Azure AD. With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.

+## Benefits

+- Authentication of users across Azure Services in a uniform way

+- Management of password policies and password rotation in a single place

+- Multiple forms of authentication supported by Azure Active Directory, which can eliminate the need to store passwords

+- Customers can manage database permissions using external (Azure AD) groups.

+- Azure AD authentication uses MySQL database users to authenticate identities at the database level

+- Support of token-based authentication for applications connecting to Azure Database for MySQL Flexible server

+## Use the steps below to configure and use Azure AD authentication

+1. Select your preferred authentication method for accessing the MySQL flexible server. By default, the authentication selected will be MySQL authentication only. Select Azure Active Directory authentication only or MySQL and Azure Active Directory authentication to enabled Azure AD authentication.

+2. Select the user managed identity (UMI) with the following privileges: _User.Read.All, GroupMember.Read.All_ and _Application.Read.ALL_, which can be used to configure Azure AD authentication.

+3. Add Azure AD Admin. It can be Azure AD Users, Groups or security principles, which will have access to Azure Database for MySQL flexible server.

+4. Create database users in your database mapped to Azure AD identities.

+5. Connect to your database by retrieving a token for an Azure AD identity and logging in.

+> [!Note]

+> For detailed, step-by-step instructions about how to configure Azure AD authentication with Azure Database for MySQL flexible server, see [Learn how to set up Azure Active Directory authentication for Azure Database for MySQL flexible Server](how-to-azure-ad.md)

+## Architecture

+User-managed identities are required for Azure Active Directory authentication. When a User-Assigned Identity is linked to the flexible server, the Managed Identity Resource Provider (MSRP) issues a certificate internally to that identity, and when the managed identity is deleted, the corresponding service principal is automatically removed. The service then uses the managed identity to request access tokens for services that support Azure AD authentication. Only a User-assigned Managed Identity (UMI) is currently supported by Azure Database for MySQL-Flexible Server. For more information, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) in Azure. Azure takes care of rolling the credentials that are used by the service instance.

+The following high-level diagram summarizes how authentication works using Azure AD authentication with Azure Database for MySQL. The arrows indicate communication pathways.

+1. Your application can request a token from the Azure Instance Metadata Service identity endpoint.

+2. Using the client ID and certificate, a call is made to Azure AD to request an access token.

+3. A JSON Web Token (JWT) access token is returned by Azure AD.

+4. Your application sends the access token on a call to Azure Database for MySQL flexible server.

+## Administrator structure

+

+When using Azure AD authentication, there are two Administrator accounts for the MySQL server; the original MySQL administrator and the Azure AD administrator. Only the administrator based on an Azure AD account can create the first Azure AD contained database user in a user database. The Azure AD administrator login can be an Azure AD user or an Azure AD group. When the administrator is a group account, it can be used by any group member, enabling multiple Azure AD administrators for the MySQL Flexible server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in the MySQL Flexible server. Only one Azure AD administrator (a user or group) can be configured at a time.

+Methods of authentication for accessing the MySQL flexible server include:

+- MySQL Authentication only - Create a MySQL admin login and password to access your MySQL server with MySQL authentication.

+- Only Azure AD authentication - Authenticate as an Azure AD admin using an existing Azure AD user or group; the server parameter **aad_auth_only** will be _enabled_.

+- Authentication with MySQL and Azure AD - Authenticate using MySQL admin credentials or as an Azure AD admin using an existing Azure AD user or group; the server parameter **aad_auth_only** will be _disabled_.

+## Permissions

+To allow the UMI to read from Microsoft Graph as the server identity, the following permissions are required. Alternatively, give the UMI the [Directory Readers](../../active-directory/roles/permissions-reference.md#directory-readers) role.

+These permissions should be granted before you provision a logical server or managed instance. After you grant the permissions to the UMI, they're enabled for all servers or instances that are created with the UMI assigned as a server identity.

+> [!IMPORTANT]

+> Only a [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) or [Privileged Role Administrator](/azure/active-directory/roles/permissions-reference#privileged-role-administrator) can grant these permissions.

+- [User.Read.All](/graph/permissions-reference#user-permissions): Allows access to Azure AD user information.

+- [GroupMember.Read.All](/graph/permissions-reference#group-permissions): Allows access to Azure AD group information.

+- [Application.Read.ALL](/graph/permissions-reference#application-resource-permissions): Allows access to Azure AD service principal (application) information.

+To create a new Azure AD database user, you must connect as the Azure AD administrator. This is demonstrated in Configure and Login with Azure AD for Azure Database for MySQL.

+

+Any Azure AD authentication is only possible if the Azure AD admin was created for Azure Database for MySQL Flexible server. If the Azure Active Directory admin was removed from the server, existing Azure Active Directory users created previously can no longer connect to the database using their Azure Active Directory credentials.

+## Token Validation

+Azure AD authentication in Azure Database for MySQL flexible server ensures that the user exists in the MySQL server, and it checks the validity of the token by validating the contents of the token. The following token validation steps are performed:

+- Token is signed by Azure AD and has not been tampered with.

+- Token was issued by Azure AD for the tenant associated with the server.

+- Token has not expired.

+- Token is for the Azure Database for MySQL flexible server resource (and not another Azure resource).

+## Connecting using Azure AD identities

+Azure Active Directory authentication supports the following methods of connecting to a database using Azure AD identities:

+- Azure Active Directory Password

+- Azure Active Directory Integrated

+- Azure Active Directory Universal with MFA

+- Using Active Directory Application certificates or client secrets

+- Managed Identity

+Once you have authenticated against the Active Directory, you then retrieve a token. This token is your password for logging in.

+Please note that management operations, such as adding new users, are only supported for Azure AD user roles at this point.

+> [!NOTE]

+> For more details on how to connect with an Active Directory token, see [Configure and sign in with Azure AD for Azure Database for MySQL flexible server](how-to-azure-ad.md).

+## Additional considerations

+- Only one Azure AD administrator can be configured for an Azure Database for MySQL Flexible server at any time.

+- Only an Azure AD administrator for MySQL can initially connect to the Azure Database for MySQL Flexible server using an Azure Active Directory account. The Active Directory administrator can configure subsequent Azure AD database users or an Azure AD group. When the administrator is a group account, it can be used by any group member, enabling multiple Azure AD administrators for the MySQL Flexible server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in the MySQL Flexible server.

+- If a user is deleted from Azure AD, that user will no longer be able to authenticate with Azure AD, and therefore it will no longer be possible to acquire an access token for that user. In this case, although the matching user will still be in the database, it will not be possible to connect to the server with that user.

+> [!NOTE]

+> Login with the deleted Azure AD user can still be done till the token expires (up to 60 minutes from token issuing). If you also remove the user from Azure Database for MySQL this access will be revoked immediately.

+- If the Azure AD admin is removed from the server, the server will no longer be associated with an Azure AD tenant, and therefore all Azure AD logins will be disabled for the server. Adding a new Azure AD admin from the same tenant will re-enable Azure AD logins.

+- Azure Database for MySQL Flexible server matches access tokens to the Azure Database for MySQL user using the userΓÇÖs unique Azure AD user ID, as opposed to using the username. This means that if an Azure AD user is deleted in Azure AD and a new user created with the same name, Azure Database for MySQL considers that a different user. Therefore, if a user is deleted from Azure AD and then a new user with the same name added, the new user will not be able to connect with the existing user.

+## Next steps

+- To learn how to create and populate Azure AD, and then configure Azure AD with Azure Database for MySQL, see [Set up Azure Active Directory authentication for Azure Database for MySQL flexible server](how-to-azure-ad.md)

+ Title: Set up Azure Active Directory authentication for Azure Database for MySQL flexible server Preview

+description: Learn how to set up Azure Active Directory authentication for Azure Database for MySQL flexible Server

+# Set up Azure Active Directory authentication for Azure Database for MySQL - Flexible Server Preview

+This tutorial shows you how to set up Azure Active Directory authentication for Azure Database for MySQL flexible server.

+In this tutorial, you learn how to:

+- Configure the Azure AD Admin

+- Connect to Azure Database for MySQL flexible server using Azure AD

+## Configure the Azure AD Admin

+

+Only an Azure AD Admin user can create/enable users for Azure AD-based authentication. To create an Azure AD Admin user, please follow the following steps.

+- In the Azure portal, select the instance of Azure Database for MySQL Flexible server that you want to enable for Azure AD.

+

+- Under Security pane, select Authentication:

+- There are three types of authentication available:

+ - MySQL authentication only ΓÇô By default, MySQL uses the built-in mysql_native_password authentication plugin, which performs authentication using the native password hashing method

+ - Azure Active Directory authentication only ΓÇô Only allows authentication with an Azure AD account. Disables mysql_native_password authentication and turns _ON_ the server parameter **aad_auth_only**

+ - MySQL and Azure Active Directory authentication ΓÇô Allows authentication using a native MySQL password or an Azure AD account. Turns _OFF_ the server parameter **aad_auth_only**

+- Select Identity ΓÇô Select/Add User assigned managed identity. To allow the UMI to read from Microsoft Graph as the server identity, the following permissions are required. Alternatively, give the UMI the [Directory Readers](../../active-directory/roles/permissions-reference.md#directory-readers) role.

+ - [User.Read.All](/graph/permissions-reference#user-permissions): Allows access to Azure AD user information.

+ - [GroupMember.Read.All](/graph/permissions-reference#group-permissions): Allows access to Azure AD group information.

+ - [Application.Read.ALL](/graph/permissions-reference#application-resource-permissions): Allows access to Azure AD service principal (application) information.

+These permissions should be granted before you provision a logical server or managed instance. After you grant the permissions to the UMI, they're enabled for all servers or instances that are created with the UMI assigned as a server identity.

+> [!IMPORTANT]

+> Only a [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) or [Privileged Role Administrator](/azure/active-directory/roles/permissions-reference#privileged-role-administrator) can grant these permissions.

+- Select a valid Azure AD user or an Azure AD group in the customer tenant to be Azure AD administrator. Once Azure AD authentication support has been enabled, Azure AD Admins can be added as security principals with permissions to add Azure AD Users to the MySQL server.

+ > [!NOTE]

+ > Only one Azure AD admin can be created per MySQL server and selection of another one will overwrite the existing Azure AD admin configured for the server.

+## Connect to Azure Database for MySQL flexible server using Azure AD

+#### Prerequisites

+- An Azure account with an active subscription.

+- If you don't have an Azure subscription, create an [Azure free account](https://azure.microsoft.com/free) before you begin.

+

+ > [!Note]

+ > With an Azure free account, you can now try Azure Database for MySQL - Flexible Server for free for 12 months. For more information, see [Try Flexible Server for free](how-to-deploy-on-azure-free-account.md).

+- Install or upgrade Azure CLI to the latest version. See [Install Azure CLI](/cli/azure/install-azure-cli).

+**Step 1: Authenticate with Azure AD**

+Start by authenticating with Azure AD using the Azure CLI tool.

+_(This step is not required in Azure Cloud Shell.)_

+- Log in to Azure account using [az login](/cli/azure/reference-index#az-login) command. Note the ID property, which refers to Subscription ID for your Azure account:

+ ```azurecli-interactive

+ az login

+ ```

+The command will launch a browser window to the Azure AD authentication page. It requires you to give your Azure AD user ID and the password.

+- If you have multiple subscriptions, choose the appropriate subscription using the az account set command:

+ ```azurecli-interactive

+ az account set --subscription \<subscription id\>

+ ```

+**Step 2: Retrieve Azure AD access token**

+Invoke the Azure CLI tool to acquire an access token for the Azure AD authenticated user from step 1 to access Azure Database for MySQL flexible server.

+- Example (for Public Cloud):

+

+ ```azurecli-interactive

+ az account get-access-token --resource https://ossrdbms-aad.database.windows.net

+ ```

+- The above resource value must be specified exactly as shown. For other clouds, the resource value can be looked up using:

+ ```azurecli-interactive

+ az cloud show

+ ```

+- For Azure CLI version 2.0.71 and later, the command can be specified in the following more convenient version for all clouds:

+ ```azurecli-interactive

+ az account get-access-token --resource-type oss-rdbms

+ ```

+

+- Using PowerShell, you can use the following command to acquire access token:

+ ```powershell

+ $accessToken = Get-AzAccessToken -ResourceUrl https://ossrdbms-aad.database.windows.net

+ $accessToken.Token | out-file C:\temp\MySQLAccessToken.txt

+ ```

+

+After authentication is successful, Azure AD will return an access token:

+```json

+{

+ "accessToken": "TOKEN",

+ "expiresOn": "...",

+ "subscription": "...",

+ "tenant": "...",

+ "tokenType": "Bearer"

+}

+```

+The token is a Base 64 string that encodes all the information about the authenticated user, and which is targeted to the Azure Database for MySQL service.

+The access token validity is anywhere between 5 minutes to 60 minutes. We recommend you get the access token just before initiating the login to Azure Database for MySQL Flexible server.

+- You can use the following PowerShell command to see the token validity.

+ ```powershell

+ $accessToken.ExpiresOn.DateTime

+ ```

+**Step 3: Use token as password for logging in with MySQL**

+When connecting you need to use the access token as the MySQL user password. When using GUI clients such as MySQLWorkbench, you can use the method described above to retrieve the token.

+#### Using MySQL CLI

+When using the CLI, you can use this short-hand to connect:

+**Example (Linux/macOS):**

+```

+mysql -h mydb.mysql.database.azure.com \

+ --user user@tenant.onmicrosoft.com \

+ --enable-cleartext-plugin \

+ --password=`az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken`

+```

+#### Using MySQL Workbench

+* Launch MySQL Workbench and Click the Database option, then click "Connect to database"

+* In the hostname field, enter the MySQL FQDN eg. mysql.database.azure.com

+* In the username field, enter the MySQL Azure Active Directory administrator name and append this with MySQL server name, not the FQDN e.g. user@tenant.onmicrosoft.com@

+* In the password field, click "Store in Vault" and paste in the access token from file e.g. C:\temp\MySQLAccessToken.txt

+* Click the advanced tab and ensure that you check "Enable Cleartext Authentication Plugin"

+* Click OK to connect to the database

+#### Important considerations when connecting:

+* `user@tenant.onmicrosoft.com` is the name of the Azure AD user or group you are trying to connect as

+* Make sure to use the exact way the Azure AD user or group name is spelled

+* Azure AD user and group names are case sensitive

+* When connecting as a group, use only the group name (e.g. `GroupName`)

+* If the name contains spaces, use `\` before each space to escape it

+> [!Note]

+> The ΓÇ£enable-cleartext-pluginΓÇ¥ setting ΓÇô you need to use a similar configuration with other clients to make sure the token gets sent to the server without being hashed.

+You are now authenticated to your MySQL flexible server using Azure AD authentication.

+## Additional Azure AD Admin commands

+- Manage server Active Directory administrator

+ ```azurecli-interactive

+ az mysql flexible-server ad-admin

+ ```

+- Create an Active Directory administrator

+ ```azurecli-interactive

+ az mysql flexible-server ad-admin create

+ ```

+ _Example: Create Active Directory administrator with user 'john@contoso.com', administrator ID '00000000-0000-0000-0000-000000000000' and identity 'test-identity'_

+ ```azurecli-interactive

+ az mysql flexible-server ad-admin create -g testgroup -s testsvr -u john@contoso.com -i 00000000-0000-0000-0000-000000000000 --identity test-identity

+ ```

+- Delete an Active Directory administrator

+ ```azurecli-interactive

+ az mysql flexible-server ad-admin delete

+ ```

+ _Example: Delete Active Directory administrator_

+ ```azurecli-interactive

+ az mysql flexible-server ad-admin delete -g testgroup -s testsvr

+ ```

+- List all Active Directory administrators

+ ```azurecli-interactive

+ az mysql flexible-server ad-admin list

+ ```

+ _Example: List Active Directory administrators_

+ ```azurecli-interactive

+ az mysql flexible-server ad-admin list -g testgroup -s testsvr

+ ```

+- Get an Active Directory administrator

+ ```azurecli-interactive

+ az mysql flexible-server ad-admin show

+ ```

+ _Example: Get Active Directory administrator_

+ ```azurecli-interactive

+ az mysql flexible-server ad-admin show -g testgroup -s testsvr

+ ```

+- Wait for the Active Directory administrator to satisfy certain conditions

+ ```azurecli-interactive

+ az mysql flexible-server ad-admin wait

+ ```

+ _Examples:_

+ - _Wait until the Active Directory administrator exists_

+ ```azurecli-interactive

+ az mysql flexible-server ad-admin wait -g testgroup -s testsvr --exists

+ ```

+ - _Wait for the Active Directory administrator to be deleted_

+ ```azurecli-interactive

+ az mysql flexible-server ad-admin wait -g testgroup -s testsvr ΓÇôdeleted

+ ```

+## Creating Azure AD users in Azure Database for MySQL

+To add an Azure AD user to your Azure Database for MySQL database, perform the following steps after connecting:

+1. First ensure that the Azure AD user `<user>@yourtenant.onmicrosoft.com` is a valid user in Azure AD tenant.

+2. Sign in to your Azure Database for MySQL instance as the Azure AD Admin user.

+3. Create user `<user>@yourtenant.onmicrosoft.com` in Azure Database for MySQL.

+_Example:_

+```sql

+CREATE AADUSER 'user1@yourtenant.onmicrosoft.com';

+```

+For user names that exceed 32 characters, it is recommended you use an alias instead, to be used when connecting:

+_Example:_

+```sql

+CREATE AADUSER 'userWithLongName@yourtenant.onmicrosoft.com' as 'userDefinedShortName';

+```

+> [!NOTE]

+> 1. MySQL ignores leading and trailing spaces so user name should not have any leading or trailing spaces.

+> 2. Authenticating a user through Azure AD does not give the user any permissions to access objects within the Azure Database for MySQL database. You must grant the user the required permissions manually.

+## Creating Azure AD groups in Azure Database for MySQL

+To enable an Azure AD group for access to your database, use the same mechanism as for users, but instead specify the group name:

+_Example:_

+```sql

+CREATE AADUSER 'Prod_DB_Readonly';

+```

+When logging in, members of the group will use their personal access tokens, but sign with the group name specified as the username.

+## Compatibility with application drivers

+Most drivers are supported, however make sure to use the settings for sending the password in clear-text, so the token gets sent without modification.

+- C/C++

+ - libmysqlclient: Supported

+ - mysql-connector-c++: Supported

+- Java

+ - Connector/J (mysql-connector-java): Supported, must utilize `useSSL` setting

+- Python

+ - Connector/Python: Supported

+- Ruby

+ - mysql2: Supported

+- .NET

+ - mysql-connector-net: Supported, need to add plugin for mysql_clear_password

+ - mysql-net/MySqlConnector: Supported

+- Node.js

+ - mysqljs: Not supported (does not send token in cleartext without patch)

+ - node-mysql2: Supported

+- Perl

+ - DBD::mysql: Supported

+ - Net::MySQL: Not supported

+- Go

+ - go-sql-driver: Supported, add `?tls=true&allowCleartextPasswords=true` to connection string

+## Next steps

+- Review the concepts for [Azure Active Directory authentication with Azure Database for MySQL flexible server](concepts-azure-ad-authentication.md)

+1. In MySQL Workbench, on the **Navigator** pane, select **Data Import/Restore**.

+> [!NOTE]

+> Virtual Network (VNet) rules can only be used on General Purpose or Memory Optimized tiers.

+# Quickstart: Create a notification hub using a Resource Manager template

+This quickstart uses an Azure Resource Manager template to create an Azure Notification Hubs namespace, and a notification hub named **MyHub** within that namespace.

+Navigate to **Token configuration** and click on **Add optional claim**. Select **ID** then check the **email** and **upn** claims.

+Fill in the name as **AAD**, the **Client ID** as the **Application ID** and the **Client Secret**. The **Issuer URL** is formatted as such: `https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/v2.0`. Replace the placeholder with the Tenant ID you retrieved earlier.

+## Release: September 2022

+* Support for [Fast Restore](./concepts-backup-restore.md)

+* General availability of [Geo-Redundant Backups](./concepts-backup-restore.md)

+

+Please see the [regions](overview.md#azure-regions) where Geo-redundant backup is currently available.

+Databases & storage solutions such as Oracle, Teradata, and SAP have query engines to transform data using scripting language. Data lineage information from views/stored procedures/etc is collected into Microsoft Purview and stitched with lineage from other systems. Lineage is supported for the following data sources via Microsoft Purview data scan. Learn more about the supported lineage scenarios from the respective article.

+ :::image type="content" source="./media/catalog-lineage-user-guide/view-columns-from-lineage-inline.png" alt-text="Screenshot showing how to select View columns in the lineage page" lightbox="./media/catalog-lineage-user-guide/view-columns-from-lineage.png"border="true":::

+ :::image type="content" source="./media/catalog-lineage-user-guide/select-columns-to-show-in-lineage-inline.png" alt-text="Screenshot showing how to select columns to display in the lineage page." lightbox="./media/catalog-lineage-user-guide/select-columns-to-show-in-lineage.png":::

+1. Hover over a selected column on the left pane or in the dataset of the lineage canvas to see the column mapping. All the column instances are highlighted.

+ :::image type="content" source="./media/catalog-lineage-user-guide/show-column-flow-in-lineage-inline.png" alt-text="Screenshot showing how to hover over a column name to highlight the column flow in a data lineage path." lightbox="./media/catalog-lineage-user-guide/show-column-flow-in-lineage.png":::

+1. If the number of columns is larger than what can be displayed in the left pane, use the filter option to select a specific column by name. Alternatively, you can use your mouse to scroll through the list.

+1. If the lineage canvas contains more nodes and edges, use the filter to select data asset or process nodes by name. Alternatively, you can use your mouse to pan around the lineage window.

+1. Use the toggle in the left pane to highlight the list of datasets in the lineage canvas. If you turn off the toggle, any asset that contains at least one of the selected columns is displayed. If you turn on the toggle, only datasets that contain all of the columns are displayed.

+You can also view data processes, like copy activities, in the data catalog. For example, in this lineage flow, select the copy activity:

+The copy activity will expand, and then you can select the **Switch to asset** button, which will give you more details about the process itself.

+Data process can take one or more input datasets to produce one or more outputs. In Microsoft Purview, column level lineage is available for process nodes.

+1. Switch between input and output datasets from a drop-down in the columns panel.

+1. Select columns from one or more tables to see the lineage flowing from input dataset to corresponding output dataset.

+ :::image type="content" source="./media/catalog-lineage-user-guide/process-column-lineage-inline.png" alt-text="Screenshot showing columns lineage of a process node." lightbox="./media/catalog-lineage-user-guide/process-column-lineage.png":::

+ :::image type="content" source="./media/catalog-lineage-user-guide/select-switch-to-asset-inline.png" alt-text="Screenshot how to select Switch to asset in a lineage data asset." lightbox="./media/catalog-lineage-user-guide/select-switch-to-asset.png":::

+1. The lineage canvas could become complex for popular datasets. To avoid clutter, the default view will only show five levels of lineage for the asset in focus. The rest of the lineage can be expanded by selecting the bubbles in the lineage canvas. Data consumers can also hide the assets in the canvas that are of no interest. To further reduce the clutter, turn off the toggle **More Lineage** at the top of lineage canvas. This action will hide all the bubbles in lineage canvas.

+ :::image type="content" source="./media/catalog-lineage-user-guide/use-toggle-to-hide-bubbles-inline.png" alt-text="Screenshot showing how to toggle More lineage." lightbox="./media/catalog-lineage-user-guide/use-toggle-to-hide-bubbles.png":::

+1. Use the smart buttons in the lineage canvas to get an optimal view of the lineage:

+ 1. Full screen

+ 1. Zoom to fit

+ 1. Zoom in/out

+ 1. Auto align

+ 1. Zoom preview

+ 1. And more options:

+ 1. Center the current asset

+ 1. Reset to default view

+ :::image type="content" source="./media/catalog-lineage-user-guide/use-lineage-smart-buttons-inline.png" alt-text="Screenshot showing how to select the lineage smart buttons." lightbox="./media/catalog-lineage-user-guide/use-lineage-smart-buttons.png":::

+- Raw data staged from various platforms

+## Use cases

+Data lineage is broadly understood as the lifecycle that spans the dataΓÇÖs origin, and where it moves over time across the data estate. It's used for different kinds of backwards-looking scenarios such as troubleshooting, tracing root cause in data pipelines and debugging. Lineage is also used for data quality analysis, compliance and ΓÇ£what ifΓÇ¥ scenarios often referred to as impact analysis. Lineage is represented visually to show data moving from source to destination including how the data was transformed. Given the complexity of most enterprise data environments, these views can be hard to understand without doing some consolidation or masking of peripheral data points.

+- High fidelity lineage with other metadata like ownership is captured to show the lineage in a human readable format for source & target entities. for example: lineage at a hive table level instead of partitions or file level.

+>We support adding 10 Data Factory at once. If you want to add more than 10 Data Factory, please do so in multiple batches of 10 Data Factory.

+[Link to Azure Data Share for lineage](how-to-link-azure-data-share.md)

+|Public access with self-hosted integration runtime |Allowed |Allowed |Self-hosted runtime |Delegated authentication / service principal | [Deployment checklist](#deployment-checklist) |

+- For the cross-tenant scenario, delegated authentication and service principal are the only supported authentication options for scanning.

+ 1. There are no typos in the password or secret.

+ 2. For **delegated auth**, username includes the user principal name, such as `johndoe@contoso.com`.

+1. In Power BI tenant, In Azure Active Directory create a security group.

+1. In Power BI tenant, from Azure Active Directory tenant, make sure [Service Principal is member of the new security group](#authenticate-to-power-bi-tenant).

+1. On the Power BI Tenant Admin portal, validate if [Allow service principals to use read-only Power BI admin APIs](#associate-the-security-group-with-power-bi-tenant) is enabled for the new security group.

+1. If delegated authentication is used, in the Power BI Azure AD tenant validate the following Power BI admin user settings:

+ 1. The user is assigned to the Power BI administrator role.

+ 2. At least one [Power BI license](/power-bi/admin/service-admin-licensing-organization#subscription-license-types) is assigned to the user.

+ 3. If the user is recently created, sign in with the user at least once, to make sure that the password is reset successfully, and the user can successfully initiate the session.

+ 4. There are no multifactor authentication or conditional access policies enforced on the user.

+1. In Power BI tenant, In Azure Active Directory create a security group.

+1. In Power BI tenant, from Azure Active Directory tenant, make sure [Service Principal is member of the new security group](#authenticate-to-power-bi-tenant).

+1. On the Power BI Tenant Admin portal, validate if [Allow service principals to use read-only Power BI admin APIs](#associate-the-security-group-with-power-bi-tenant) is enabled for the new security group.

+### Authenticate to Power BI tenant

+In Azure Active Directory Tenant, where Power BI tenant is located:

+1. In the [Azure portal](https://portal.azure.com), search for **Azure Active Directory**.

+

+2. Create a new security group in your Azure Active Directory, by following [Create a basic group and add members using Azure Active Directory](../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).

+ > [!Tip]

+ > You can skip this step if you already have a security group you want to use.

+3. Select **Security** as the **Group Type**.

+ :::image type="content" source="./media/setup-power-bi-scan-PowerShell/security-group.png" alt-text="Screenshot of security group type.":::

+4. Add your **service principal** to this security group. Select **Members**, then select **+ Add members**.

+5. Search for your Microsoft Purview managed identity or service principal and select it.

+ :::image type="content" source="./media/setup-power-bi-scan-PowerShell/add-catalog-to-group-by-search.png" alt-text="Screenshot showing how to add catalog by searching for its name.":::

+ You should see a success notification showing you that it was added.

+ :::image type="content" source="./media/setup-power-bi-scan-PowerShell/success-add-catalog-msi.png" alt-text="Screenshot showing successful addition of catalog managed identity.":::

+### Associate the security group with Power BI tenant

+1. Log into the [Power BI admin portal](https://app.powerbi.com/admin-portal/tenantSettings).

+

+2. Select the **Tenant settings** page.

+ > [!Important]

+ > You need to be a Power BI Admin to see the tenant settings page.

+3. Select **Admin API settings** > **Allow service principals to use read-only Power BI admin APIs (Preview)**.

+

+4. Select **Specific security groups**.

+ :::image type="content" source="./media/setup-power-bi-scan-PowerShell/allow-service-principals-power-bi-admin.png" alt-text="Image showing how to allow service principals to get read-only Power BI admin API permissions.":::

+5. Select **Admin API settings** > **Enhance admin APIs responses with detailed metadata** > Enable the toggle to allow Microsoft Purview Data Map automatically discover the detailed metadata of Power BI datasets as part of its scans.

+ > [!IMPORTANT]

+ > After you update the Admin API settings on your power bi tenant, wait around 15 minutes before registering a scan and test connection.

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-sub-artifacts.png" alt-text="Image showing the Power BI admin portal config to enable subartifact scan.":::

+ > [!Caution]

+ > When you allow the security group you created (that has your Microsoft Purview managed identity as a member) to use read-only Power BI admin APIs, you also allow it to access the metadata (e.g. dashboard and report names, owners, descriptions, etc.) for all of your Power BI artifacts in this tenant. Once the metadata has been pulled into the Microsoft Purview, Microsoft Purview's permissions, not Power BI permissions, determine who can see that metadata.

+

+ > [!Note]

+ > You can remove the security group from your developer settings, but the metadata previously extracted won't be removed from the Microsoft Purview account. You can delete it separately, if you wish.

+### Create scan for cross-tenant using Azure IR with delegated authentication

+### Create scan for cross-tenant using self-hosted IR with service principal

+To create and run a new scan by using the self-hosted integration runtime, perform the following steps:

+1. Create an app registration in your Azure AD tenant where Power BI is located. Provide a web URL in the **Redirect URI**. Take note of the client ID (app ID).

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-create-service-principle.png" alt-text="Screenshot that shows how to create a service principle.":::

+

+1. From the Azure AD dashboard, select the newly created application, and then select **App permissions**. Assign the application the following delegated permissions, and grant admin consent for the tenant:

+ - Power BI Service Tenant.Read.All

+ - Microsoft Graph openid

+ - Microsoft Graph User.Read

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-delegated-permissions.png" alt-text="Screenshot of delegated permissions for Power BI and Microsoft Graph.":::

+1. From the Azure AD dashboard, select the newly created application, and then select **Authentication**. Under **Supported account types**, select **Accounts in any organizational directory (Any Azure AD directory - Multitenant)**.

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-multitenant.png" alt-text="Screenshot of account type support multitenant.":::

+1. Under **Implicit grant and hybrid flows**, select **ID tokens (used for implicit and hybrid flows)**.

+

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-id-token-hybrid-flows.png" alt-text="Screenshot of ID token hybrid flows.":::

+1. Under **Advanced settings**, enable **Allow Public client flows**.

+1. In the tenant where Microsoft Purview is created go to the instance of Azure Key Vault.

+1. Select **Settings** > **Secrets**, and then select **+ Generate/Import**.

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-key-vault.png" alt-text="Screenshot of the instance of Azure Key Vault.":::

+1. Enter a name for the secret. For **Value**, type the newly created password for the Azure AD user. Select **Create** to complete.

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-key-vault-secret.png" alt-text="Screenshot that shows how to generate a secret in Azure Key Vault.":::

+1. If your key vault isn't connected to Microsoft Purview yet, you need to [create a new key vault connection](manage-credentials.md#create-azure-key-vaults-connections-in-your-microsoft-purview-account).

+

+1. In the Microsoft Purview Studio, go to the **Data map** in the left menu. Go to **Sources**.

+1. Select the registered Power BI source from cross-tenant.

+1. Select **+ New scan**.

+1. Give your scan a name. Then select the option to include or exclude the personal workspaces.

+

+ > [!Note]

+ > If you switch the configuration of a scan to include or exclude a personal workspace, you trigger a full scan of the Power BI source.

+1. Select your self-hosted integration runtime from the drop-down list.

+1. For the **Credential**, select **Service Principal**, and then select **+ New** to create a new credential.

+

+1. Create a new credential and provide the following required parameters:

+

+ - **Name**: Provide a unique name for credential

+ - **Authentication method**: Service principal

+ - **Tenant ID**: Your Power BI tenant ID

+ - **Client ID**: Use Service Principal Client ID (App ID) you created earlier

+1. Select **Test connection** before continuing to the next steps.

+ If the test fails, select **View Report** to see the detailed status and troubleshoot the problem:

+ 1. *Access - Failed* status means that the user authentication failed. Validate if the App ID and secret are correct. Review if the credential contains the correct client (app) ID from the app registration.

+ 2. *Assets (+ lineage) - Failed* status means that the authorization between Microsoft Purview and Power BI has failed. Make sure that the user is added to the Power BI administrator role, and has the proper Power BI license assigned.

+ 3. *Detailed metadata (Enhanced) - Failed* status means that the Power BI admin portal is disabled for the following setting: **Enhance admin APIs responses with detailed metadata**.

+1. Set up a scan trigger. Your options are **Recurring** or **Once**.

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/scan-trigger.png" alt-text="Screenshot of the Microsoft Purview scan scheduler.":::

+1. On **Review new scan**, select **Save and run** to launch your scan.

+|Public access with Azure IR |Allowed |Allowed |Azure Runtime | Microsoft Purview Managed Identity | [Review deployment checklist](#deployment-checklist) |

+|Public access with Self-hosted IR |Allowed |Allowed |Self-hosted runtime |Delegated authentication / Service principal| [Review deployment checklist](#deployment-checklist) |

+|Private access |Allowed |Denied |Self-hosted runtime |Delegated authentication / Service principal| [Review deployment checklist](#deployment-checklist) |

+|Private access |Denied |Allowed |Self-hosted runtime |Delegated authentication / Service principal| [Review deployment checklist](#deployment-checklist) |

+|Private access |Denied |Denied |Self-hosted runtime |Delegated authentication / Service principal| [Review deployment checklist](#deployment-checklist) |

+- Delegated authentication and service principal are the only supported authentication options when self-hosted integration runtime is used during the scan.

+- Service Principal

+1. From Azure Active Directory tenant, make sure [Microsoft Purview account MSI is member of the new security group](#authenticate-to-power-bi-tenant).

+### Scan same-tenant Power BI using self-hosted IR with Delegated Authentication or Service Principal in public network

+ 1. There are no typos in the password or secret.

+2. If delegated authentication is used, validate Power BI admin user settings to make sure:

+ 1. User is assigned to Power BI Administrator role.

+ 2. At least one [Power BI license](/power-bi/admin/service-admin-licensing-organization#subscription-license-types) is assigned to the user.

+ 3. If user is recently created, sign in with the user at least once to make sure password is reset successfully and user can successfully initiate the session.

+ 4. There's no MFA or Conditional Access Policies are enforced on the user.

+3. Validate Self-hosted runtime settings:

+1. In Azure Active Directory tenant, create a security group.

+1. From Azure Active Directory tenant, make sure [Service Principal is member of the new security group](#authenticate-to-power-bi-tenant).

+1. On the Power BI Tenant Admin portal, validate if [Allow service principals to use read-only Power BI admin APIs](#associate-the-security-group-with-power-bi-tenant) is enabled for the new security group.

+### Scan same-tenant Power BI using self-hosted IR with Delegated Authentication or Service Principal in a private network

+1. If Delegated Authentication is used, validate Power BI admin user settings to make sure:

+ 1. User is assigned to Power BI Administrator role.

+ 2. At least one [Power BI license](/power-bi/admin/service-admin-licensing-organization#subscription-license-types) is assigned to the user.

+ 3. If user is recently created, sign in with the user at least once to make sure password is reset successfully and user can successfully initiate the session.

+ 4. There's no MFA or Conditional Access Policies are enforced on the user.

+1. In Azure Active Directory tenant, create a security group.

+1. From Azure Active Directory tenant, make sure [Service Principal is member of the new security group](#authenticate-to-power-bi-tenant).

+1. On the Power BI Tenant Admin portal, validate if [Allow service principals to use read-only Power BI admin APIs](#associate-the-security-group-with-power-bi-tenant) is enabled for the new security group.

+### Authenticate to Power BI tenant

+4. Add relevant user to the security group:

+ - If you are using **Managed Identity** as authentication method, add your Microsoft Purview managed identity to this security group. Select **Members**, then select **+ Add members**.

+ :::image type="content" source="./media/setup-power-bi-scan-PowerShell/add-group-member.png" alt-text="Screenshot of how to add the catalog's managed instance to group.":::

+ - If you are using **delegated authentication** or **service principal** as authentication method, add your **service princial** to this security group. Select **Members**, then select **+ Add members**.

+5. Search for your Microsoft Purview managed identity or service principal and select it.

+ :::image type="content" source="./media/setup-power-bi-scan-PowerShell/add-catalog-to-group-by-search.png" alt-text="Screenshot showing how to add catalog by searching for its name.":::

+### Associate the security group with Power BI tenant

+### Create scan for same-tenant Power BI using Azure IR and Managed Identity

+This is a suitable scenario, if both Microsoft Purview and Power BI tenant are configured to allow public access in the network settings.

+### Create scan for same-tenant using self-hosted IR with service principal

+This scenario can be used when Microsoft Purview and Power BI tenant or both, are configured to use private endpoint and deny public access. Additionally, this option is also applicable if Microsoft Purview and Power BI tenant are configured to allow public access.

+For more information related to Power BI network, see [How to configure private endpoints for accessing Power BI](/power-bi/enterprise/service-security-private-links).

+For more information about Microsoft Purview network settings, see [Use private endpoints for your Microsoft Purview account](catalog-private-link.md).

+To create and run a new scan, do the following:

+1. Create an App Registration in your Azure Active Directory tenant. Provide a web URL in the **Redirect URI**. Take note of Client ID(App ID).

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-create-service-principle.png" alt-text="Screenshot how to create a Service principle.":::

+

+1. From Azure Active Directory dashboard, select newly created application and then select **App registration**. From **API Permissions**, assign the application the following delegated permissions and grant admin consent for the tenant:

+ - Power BI Service Tenant.Read.All

+ - Microsoft Graph openid

+ - Microsoft Graph User.Read

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-delegated-permissions.png" alt-text="Screenshot of delegated permissions for Power BI Service and Microsoft Graph.":::

+

+1. Under **Advanced settings**, enable **Allow Public client flows**.

+2. In the Microsoft Purview Studio, navigate to the **Data map** in the left menu.

+1. Navigate to **Sources**.

+1. Select the registered Power BI source.

+1. Select **+ New scan**.

+1. Give your scan a name. Then select the option to include or exclude the personal workspaces.

+

+ >[!Note]

+ > Switching the configuration of a scan to include or exclude a personal workspace will trigger a full scan of Power BI source.

+1. Select your self-hosted integration runtime from the drop-down list.

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-scan-shir.png" alt-text="Image showing Power BI scan setup using SHIR for same tenant.":::

+1. For the **Credential**, select **service principal** and select **+ New** to create a new credential.

+1. Create a new credential and provide required parameters:

+

+ - **Name**: Provide a unique name for credential

+ - **Authentication method**: Service principal

+ - **Tenant ID**: Your Power BI tenant ID

+ - **Client ID**: Use Service Principal Client ID (App ID) you created earlier

+

+1. Select **Test Connection** before continuing to next steps. If **Test Connection** failed, select **View Report** to see the detailed status and troubleshoot the problem

+ 1. Access - Failed status means the user authentication failed. Scans using managed identity will always pass because no user authentication required.

+ 2. Assets (+ lineage) - Failed status means the Microsoft Purview - Power BI authorization has failed. Make sure the Microsoft Purview managed identity is added to the security group associated in Power BI admin portal.

+ 3. Detailed metadata (Enhanced) - Failed status means the Power BI admin portal is disabled for the following setting - **Enhance admin APIs responses with detailed metadata**

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/power-bi-test-connection-status-report.png" alt-text="Screenshot of test connection status report page.":::

+1. Set up a scan trigger. Your options are **Recurring**, and **Once**.

+ :::image type="content" source="media/setup-power-bi-scan-catalog-portal/scan-trigger.png" alt-text="Screenshot of the Microsoft Purview scan scheduler.":::

+1. On **Review new scan**, select **Save and run** to launch your scan.

+### Create scan for same-tenant using self-hosted IR with delegated authentication

+ - **Authentication method**: Delegated auth

+- [Search Data Catalog](how-to-search-catalog.md)

+If you don't have an account yet, go to [https://azure.microsoft.com/get-started/](https://azure.microsoft.com/get-started/), select the free account option, and follow the instructions.

+1. To create one, select "Create a resource":

+2. From the new screen, choose **Storage** on the left side and then **Storage account - blob, file, table, queue** from the next column:

+3. Clicking this button will bring up the following screen with storage properties to fill out:

+4. Fill out the form in the following manner:

+* Select a **Region** close to you. Ideally use the same [region](../reference/regions.md) as used for setting up the rendering in the other quickstart.

+* **Premium account type** set to 'Block blobs'

+* **Redundancy** set to 'Zone-redundant storage (ZRS)'

+5. None of the properties in other tabs have to be changed, so you can proceed with **"Review + create"** and then follow the steps to complete the setup.

+6. The website now informs you about the progress of your deployment and reports "Your deployment is complete" eventually. Select **"Go to resource"** for the next steps:

+1. From the **"Go to resource"** button above, you get to a page with a panel on the left that contains a list menu. In that list under the **"Blob service"** category, select **"Containers"**:

+2. Press the **"+ Container"** button to create the **input** blob storage container.

+3. After the container has been created, select **+ Container** again and repeat with these settings for the **output** container:

+There's a [UI-based tool called ARRT](./../samples/azure-remote-rendering-asset-tool.md) to start conversions and interact with the rendered result.

+To make it easier to call the asset conversion service, we provide a utility script. It's located in the *Scripts* folder and is called **Conversion.ps1**.

+* uploads all files in a given directory from local disk to the input storage container,

+* calls the [the asset conversion REST API](../how-tos/conversion/conversion-rest-api.md), which will retrieve the data from the input storage container and start a conversion, which will return a conversion ID,

+* polls the conversion status API with the retrieved conversion ID until the conversion process terminates with success or failure,

+* retrieves a link to the converted asset in the output storage.

+The value for **arrtutorialstorage** needs to be replaced with the unique name you picked during storage account creation.

+The SAS URI created by the conversion script will only be valid for 24 hours. However, after it expired you don't need to convert your model again. Instead, you can create a new SAS in the portal as described in the next steps:

+2. Select your **Storage account** resource:

+3. In the following screen, Select **Storage explorer** in the left panel and find your output model (*.arrAsset* file) in the *arroutput* blob storage container. Right-click on the file and select **Get Shared Access Signature** from the context menu:

+|[Azure Blob storage](../../storage/blobs/storage-blobs-introduction.md)|*.blob.core.windows.net|

+|[Azure Cosmos DB](/azure/cosmos-db/)|*.cosmos.azure.com|

+|[Azure Cosmos DB](/azure/cosmos-db/)|*.documents.azure.com|

+|[Azure Key Vault](../../key-vault/general/overview.md)| *.vault.azure.net|

+| [Virtual network rules](/azure/azure-sql/database/vnet-service-endpoint-rule-overview)|A firewall security feature that controls whether the server for your databases and elastic pools in Azure SQL Database or for your dedicated SQL pool (formerly SQL DW) databases in Azure Synapse Analytics accepts communications that are sent from particular subnets in virtual networks. |

+2) Initiate conversion of the underlying storage account created for managed cluster from LRS to ZRS using [customer-initiated conversion](../storage/common/redundancy-migration.md#customer-initiated-conversion-preview). The resource group of storage account that needs to be migrated would be of the form "SFC_ClusterId"(ex SFC_9240df2f-71ab-4733-a641-53a8464d992d) under the same subscription as the managed cluster resource.

+ Title: Scale up an Azure Service Fabric non-primary node type

+description: Vertically scale your Service Fabric cluster by adding a new non-primary node type and removing the previous one.

+# Scale up a Service Fabric cluster non-primary node type

+This article describes how to scale up a Service Fabric cluster non-primary node type with minimal downtime. In-place SKU upgrades aren't supported on Service Fabric cluster nodes, as such operations potentially involve data and availability loss. The safest, most reliable, and recommended method for scaling up a Service Fabric node type is to:

+1. Add a new node type to your Service Fabric cluster, backed by your upgraded (or modified) virtual machine scale set SKU and configuration. This step also involves setting up a new load balancer, subnet, and public IP for the scale set.

+1. Once both the original and upgraded scale sets are running side by side, migrate the workload by setting placement constraints for applications to the new node type.

+1. Verify the cluster is healthy, then remove the original scale set (and related resources) and node state for the deleted nodes.

+The following will walk you through the process for updating the VM size and operating system of non-primary node type VMs of a sample cluster with [Silver durability](service-fabric-cluster-capacity.md#durability-characteristics-of-the-cluster), backed by a single scale set with five nodes used as a secondary node type. The primary node type with Service Fabric system services will remain untouched. We'll be upgrading the non-primary node type:

+- From VM size *Standard_D2_V2* to *Standard D4_V2*, and

+- From VM operating system *Windows Server 2019 Datacenter* to *Windows Server 2022 Datacenter*.

+> [!WARNING]

+> Before attempting this procedure on a production cluster, we recommend that you study the sample templates and verify the process against a test cluster.

+>

+> Do not attempt a non-primary node type scale up procedure if the cluster status is unhealthy, as this will only destabilize the cluster further.

+We'll make use of the step-by-step Azure deployment templates used in the [Scale up a Service Fabric cluster primary node type](service-fabric-scale-up-primary-node-type.md) guide. However, we'll modify them so they aren't specific to primary node types. The templates are [available on GitHub](https://github.com/microsoft/service-fabric-scripts-and-templates/tree/master/templates/nodetype-upgrade-nonprimary).

+## Set up the test cluster

+Let's set up the initial Service Fabric test cluster. First, [download](https://github.com/microsoft/service-fabric-scripts-and-templates/tree/master/templates/nodetype-upgrade-nonprimary) the Azure Resource Manager sample templates that we'll use to complete this scenario.

+Next, sign in to your Azure account.

+```powershell

+# Sign in to your Azure account

+Login-AzAccount -SubscriptionId "<subscription ID>"

+```

+Next open the [*parameters.json*](https://github.com/microsoft/service-fabric-scripts-and-templates/tree/master/templates/nodetype-upgrade-nonprimary/parameters.json) file and update the value for `clusterName` to something unique (within Azure).

+The following commands will guide you through generating a new self-signed certificate and deploying the test cluster. If you already have a certificate you'd like to use, skip to [Use an existing certificate to deploy the cluster](#use-an-existing-certificate-to-deploy-the-cluster).

+### Generate a self-signed certificate and deploy the cluster

+First, assign the variables you'll need for Service Fabric cluster deployment. Adjust the values for `resourceGroupName`, `certSubjectName`, `parameterFilePath`, and `templateFilePath` for your specific account and environment:

+```powershell

+# Assign deployment variables

+$resourceGroupName = "sftestupgradegroup"

+$certOutputFolder = "c:\certificates"

+$certPassword = "Password!1" | ConvertTo-SecureString -AsPlainText -Force

+$certSubjectName = "sftestupgrade.southcentralus.cloudapp.azure.com"

+$parameterFilePath = "C:\parameters.json"

+$templateFilePath = "C:\Initial-TestClusterSetup.json"

+```

+> [!NOTE]

+> Ensure that the `certOutputFolder` location exists on your local machine before running the command to deploy a new Service Fabric cluster.

+Then deploy the Service Fabric test cluster:

+```powershell

+# Deploy the initial test cluster

+New-AzServiceFabricCluster `

+ -ResourceGroupName $resourceGroupName `

+ -CertificateOutputFolder $certOutputFolder `

+ -CertificatePassword $certPassword `

+ -CertificateSubjectName $certSubjectName `

+ -TemplateFile $templateFilePath `

+ -ParameterFile $parameterFilePath

+```

+Once the deployment is complete, locate the *.pfx* file (`$certPfx`) on your local machine and import it to your certificate store:

+```powershell

+cd c:\certificates

+$certPfx = ".\sftestupgradegroup20200312121003.pfx"

+Import-PfxCertificate `

+ -FilePath $certPfx `

+ -CertStoreLocation Cert:\CurrentUser\My `

+ -Password (ConvertTo-SecureString Password!1 -AsPlainText -Force)

+```

+The operation will return the certificate thumbprint, which you can now use to [connect to the new cluster](#connect-to-the-new-cluster-and-check-health-status) and check its health status. (Skip the following section, which is an alternate approach to cluster deployment.)

+### Use an existing certificate to deploy the cluster

+Alternately, you can use an existing Azure Key Vault certificate to deploy the test cluster. To do this, you'll need to [obtain references to your Key Vault](#obtain-your-key-vault-references) and certificate thumbprint.

+```powershell

+# Key Vault variables

+$certUrlValue = "https://sftestupgradegroup.vault.azure.net/secrets/sftestupgradegroup20200309235308/dac0e7b7f9d4414984ccaa72bfb2ea39"

+$sourceVaultValue = "/subscriptions/########-####-####-####-############/resourceGroups/sftestupgradegroup/providers/Microsoft.KeyVault/vaults/sftestupgradegroup"

+$thumb = "BB796AA33BD9767E7DA27FE5182CF8FDEE714A70"

+```

+Next, designate a resource group name for the cluster and set the `templateFilePath` and `parameterFilePath` locations:

+> [!NOTE]

+> The designated resource group must already exist and be located in the same region as your Key Vault.

+```powershell

+$resourceGroupName = "sftestupgradegroup"

+$templateFilePath = "C:\Initial-TestClusterSetup.json"

+$parameterFilePath = "C:\parameters.json"

+```

+Finally, run the following command to deploy the initial test cluster:

+```powershell

+# Deploy the initial test cluster

+New-AzResourceGroupDeployment `

+ -ResourceGroupName $resourceGroupName `

+ -TemplateFile $templateFilePath `

+ -TemplateParameterFile $parameterFilePath `

+ -CertificateThumbprint $thumb `

+ -CertificateUrlValue $certUrlValue `

+ -SourceVaultValue $sourceVaultValue `

+ -Verbose

+```

+### Connect to the new cluster and check health status

+Connect to the cluster and ensure that all five of its nodes are healthy (substitute the `clusterName` and `thumb` variables with your own values):

+```powershell

+# Connect to the cluster

+$clusterName = "sftestupgrade.southcentralus.cloudapp.azure.com:19000"

+$thumb = "BB796AA33BD9767E7DA27FE5182CF8FDEE714A70"

+Connect-ServiceFabricCluster `

+ -ConnectionEndpoint $clusterName `

+ -KeepAliveIntervalInSec 10 `

+ -X509Credential `

+ -ServerCertThumbprint $thumb `

+ -FindType FindByThumbprint `

+ -FindValue $thumb `

+ -StoreLocation CurrentUser `

+ -StoreName My

+# Check cluster health

+Get-ServiceFabricClusterHealth

+```

+With that, we're ready to begin the upgrade procedure.

+## Deploy a new non-primary node type with an upgraded scale set

+In order to upgrade (vertically scale) a node type, we'll first need to deploy a new node type backed by a new scale set and supporting resources. The new scale set will be marked as non-primary (`isPrimary: false`), just like the original scale set. If you want to scale up a primary node type, see [Scale up a Service Fabric cluster primary node type](service-fabric-scale-up-primary-node-type.md). The resources created in the following section will ultimately become the new node type in your cluster, and the original node type resources will be deleted.

+### Update the cluster template with the upgraded scale set

+Here are the section-by-section modifications of the original cluster deployment template for adding a new node type and supporting resources.

+Most of the required changes for this step have already been made for you in the [*Step1-AddPrimaryNodeType.json*](https://github.com/microsoft/service-fabric-scripts-and-templates/tree/master/templates/nodetype-upgrade-nonprimary/Step1-AddPrimaryNodeType.json) template file. However, an additional change must be made so the template file works for non-primary node types. The following sections will explain these changes in detail, and call outs will be made when you must make a change.

+> [!Note]

+> Ensure that you use names that are unique from the original node type, scale set, load balancer, public IP, and subnet of the original non-primary node type, as these resources will be deleted at a later step in the process.

+#### Create a new subnet in the existing virtual network

+```json

+{

+ "name": "[variables('subnet1Name')]",

+ "properties": {

+ "addressPrefix": "[variables('subnet1Prefix')]"

+ }

+}

+```

+#### Create a new public IP with a unique domainNameLabel

+```json

+{

+ "apiVersion": "[variables('publicIPApiVersion')]",

+ "type": "Microsoft.Network/publicIPAddresses",

+ "name": "[concat(variables('lbIPName'),'-',variables('vmNodeType1Name'))]",

+ "location": "[variables('computeLocation')]",

+ "properties": {

+ "dnsSettings": {

+ "domainNameLabel": "[concat(variables('dnsName'),'-','nt1')]"

+ },

+ "publicIPAllocationMethod": "Dynamic"

+ },

+ "tags": {

+ "resourceType": "Service Fabric",

+ "clusterName": "[parameters('clusterName')]"

+ }

+}

+```

+#### Create a new load balancer for the public IP

+```json

+"dependsOn": [

+ "[concat('Microsoft.Network/publicIPAddresses/',concat(variables('lbIPName'),'-',variables('vmNodeType1Name')))]"

+]

+```

+#### Create a new virtual machine scale set (with upgraded VM and OS SKUs)

+Node Type Ref

+```json

+"nodeTypeRef": "[variables('vmNodeType1Name')]"

+```

+VM SKU

+```json

+"sku": {

+ "name": "[parameters('vmNodeType1Size')]",

+ "capacity": "[parameters('nt1InstanceCount')]",

+ "tier": "Standard"

+}

+```

+OS SKU

+```json

+"imageReference": {

+ "publisher": "[parameters('vmImagePublisher1')]",

+ "offer": "[parameters('vmImageOffer1')]",

+ "sku": "[parameters('vmImageSku1')]",

+ "version": "[parameters('vmImageVersion1')]"

+}

+```

+Also, ensure you include any additional extensions that are required for your workload.

+#### Add a new non-primary node type to the cluster

+Now that the new node type (vmNodeType1Name) has its own name, subnet, IP, load balancer, and scale set, it can reuse all other variables from the original node type (such as `nt0applicationEndPort`, `nt0applicationStartPort`, and `nt0fabricTcpGatewayPort`).

+In the existing template file, the `isPrimary` parameter is set to `true` for the [Scale up a Service Fabric cluster primary node type](service-fabric-scale-up-primary-node-type.md) guide. Change `isPrimary` to `false` for your non-primary node type:

+```json

+"name": "[variables('vmNodeType1Name')]",

+"applicationPorts": {

+ "endPort": "[variables('nt0applicationEndPort')]",

+ "startPort": "[variables('nt0applicationStartPort')]"

+},

+"clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]",

+"durabilityLevel": "Bronze",

+"ephemeralPorts": {

+ "endPort": "[variables('nt0ephemeralEndPort')]",

+ "startPort": "[variables('nt0ephemeralStartPort')]"

+},

+"httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]",

+"isPrimary": false,

+"reverseProxyEndpointPort": "[variables('nt0reverseProxyEndpointPort')]",

+"vmInstanceCount": "[parameters('nt1InstanceCount')]"

+```

+Once you've implemented all the changes in your template and parameters files, proceed to the next section to acquire your Key Vault references and deploy the updates to your cluster.

+### Obtain your Key Vault references

+To deploy the updated configuration, you'll need several references to the cluster certificate stored in your Key Vault. The easiest way to find these values is through Azure portal. You'll need:

+* **The Key Vault URL of your cluster certificate.** From your Key Vault in Azure portal, select **Certificates** > *Your desired certificate* > **Secret Identifier**:

+ ```powershell

+ $certUrlValue="https://sftestupgradegroup.vault.azure.net/secrets/sftestupgradegroup20200309235308/dac0e7b7f9d4414984ccaa72bfb2ea39"

+ ```

+* **The thumbprint of your cluster certificate.** (You probably already have this if you [connected to the initial cluster](#connect-to-the-new-cluster-and-check-health-status) to check its health status.) From the same certificate blade (**Certificates** > *Your desired certificate*) in Azure portal, copy **X.509 SHA-1 Thumbprint (in hex)**:

+ ```powershell

+ $thumb = "BB796AA33BD9767E7DA27FE5182CF8FDEE714A70"

+ ```

+* **The Resource ID of your Key Vault.** From your Key Vault in Azure portal, select **Properties** > **Resource ID**:

+ ```powershell

+ $sourceVaultValue = "/subscriptions/########-####-####-####-############/resourceGroups/sftestupgradegroup/providers/Microsoft.KeyVault/vaults/sftestupgradegroup"

+ ```

+### Deploy the updated template

+Adjust the `templateFilePath` as needed and run the following command:

+```powershell

+# Deploy the new node type and its resources

+$templateFilePath = "C:\Step1-AddPrimaryNodeType.json"

+New-AzResourceGroupDeployment `

+ -ResourceGroupName $resourceGroupName `

+ -TemplateFile $templateFilePath `

+ -TemplateParameterFile $parameterFilePath `

+ -CertificateThumbprint $thumb `

+ -CertificateUrlValue $certUrlValue `

+ -SourceVaultValue $sourceVaultValue `

+ -Verbose

+```

+When the deployment completes, check the cluster health again and ensure all nodes on both node types are healthy.

+```powershell

+Get-ServiceFabricClusterHealth

+```

+### Migrate workloads to the new node type

+Wait till all applications moved to the new node type and are healthy.

+### Disable the nodes in the original node type scale set

+Once all seed nodes have migrated to the new scale set, you can disable the nodes of the original scale set.

+```powershell

+# Disable the nodes in the original scale set.

+$nodeType = "nt0vm"

+$nodes = Get-ServiceFabricNode

+Write-Host "Disabling nodes..."

+foreach($node in $nodes)

+{

+ if ($node.NodeType -eq $nodeType)

+ {

+ $node.NodeName

+ Disable-ServiceFabricNode -Intent RemoveNode -NodeName $node.NodeName -Force

+ }

+}

+```

+Use Service Fabric Explorer to monitor the progression of nodes in the original scale set from *Disabling* to *Disabled* status.

+Wait for all nodes to reach *Disabled* state.

+### Stop data on the disabled nodes

+Now you can stop data on the disabled nodes.

+```powershell

+# Stop data on the disabled nodes.

+foreach($node in $nodes)

+{

+ if ($node.NodeType -eq $nodeType)

+ {

+ $node.NodeName

+ Start-ServiceFabricNodeTransition -Stop -OperationId (New-Guid) -NodeInstanceId $node.NodeInstanceId -NodeName $node.NodeName -StopDurationInSeconds 10000

+ }

+}

+```

+## Remove the original node type and clean up its resources

+We're ready to remove the original node type and its associated resources to conclude the vertical scaling procedure.

+### Remove the original scale set

+First remove the node type's backing scale set.

+```powershell

+$scaleSetName = "nt0vm"

+$scaleSetResourceType = "Microsoft.Compute/virtualMachineScaleSets"

+Remove-AzResource -ResourceName $scaleSetName -ResourceType $scaleSetResourceType -ResourceGroupName $resourceGroupName -Force

+```

+### Delete the original IP and load balancer resources

+You can now delete the original IP, and load balancer resources. In this step, you'll also update the DNS name.

+> [!Note]

+> This step is optional if you're already using a *Standard* SKU public IP and load balancer. In this case you could have multiple scale sets / node types under the same load balancer.

+Run the following commands, modifying the `$lbname` value as needed.

+```powershell

+# Delete the original IP and load balancer resources

+$lbName = "LB-sftestupgrade-nt0vm"

+$lbResourceType = "Microsoft.Network/loadBalancers"

+$ipResourceType = "Microsoft.Network/publicIPAddresses"

+$oldPublicIpName = "PublicIP-LB-FE-nt0vm"

+$newPublicIpName = "PublicIP-LB-FE-nt1vm"

+$oldPublicIP = Get-AzPublicIpAddress -Name $oldPublicIpName -ResourceGroupName $resourceGroupName

+$nonPrimaryDNSName = $oldNonPrimaryPublicIP.DnsSettings.DomainNameLabel

+$nonPrimaryDNSFqdn = $oldNonPrimaryPublicIP.DnsSettings.Fqdn

+Remove-AzResource -ResourceName $lbName -ResourceType $lbResourceType -ResourceGroupName $resourceGroupName -Force

+Remove-AzResource -ResourceName $oldPublicIpName -ResourceType $ipResourceType -ResourceGroupName $resourceGroupName -Force

+$PublicIP = Get-AzPublicIpAddress -Name $newPublicIpName -ResourceGroupName $resourceGroupName

+$PublicIP.DnsSettings.DomainNameLabel = $nonPrimaryDNSName

+$PublicIP.DnsSettings.Fqdn = $nonPrimaryDNSFqdn

+Set-AzPublicIpAddress -PublicIpAddress $PublicIP

+```

+### Remove node state from the original node type

+The original node type nodes will now show *Error* for their **Health State**. Remove their node state from the cluster.

+```powershell

+# Remove state of the obsolete nodes from the cluster

+$nodeType = "nt0vm"

+$nodes = Get-ServiceFabricNode

+Write-Host "Removing node state..."

+foreach($node in $nodes)

+{

+ if ($node.NodeType -eq $nodeType)

+ {

+ $node.NodeName

+ Remove-ServiceFabricNodeState -NodeName $node.NodeName -Force

+ }

+}

+```

+Service Fabric Explorer should now reflect only the five nodes of the new node type (nt1vm), all with Health State values of *OK*. We'll remediate that next by updating the template to reflect the latest changes and redeploying.

+### Update the deployment template to reflect the newly scaled-up non-primary node type

+Most of the required changes for this step have already been made for you in the [*Step3-CleanupOriginalPrimaryNodeType.json*](https://github.com/microsoft/service-fabric-scripts-and-templates/tree/master/templates/nodetype-upgrade-nonprimary/Step3-CleanupOriginalPrimaryNodeType.json) template file. However, an additional change must be made so the template file works for non-primary node types. The following sections will explain these changes in detail, and call outs will be made when you must make a change.

+#### Update the cluster management endpoint

+Update the cluster `managementEndpoint` on the deployment template to reference the new IP (by updating *vmNodeType0Name* with *vmNodeType1Name*).

+```json

+ "managementEndpoint": "[concat('https://',reference(concat(variables('lbIPName'),'-',variables('vmNodeType1Name'))).dnsSettings.fqdn,':',variables('nt0fabricHttpGatewayPort'))]",

+```

+#### Remove the original node type reference

+Remove the original node type reference from the Service Fabric resource in the deployment template.

+In the existing template file, the `isPrimary` parameter is set to `true` for the [Scale up a Service Fabric cluster primary node type](service-fabric-scale-up-primary-node-type.md) guide. Change `isPrimary` to `false` for your non-primary node type:

+```json

+"name": "[variables('vmNodeType0Name')]",

+"applicationPorts": {

+ "endPort": "[variables('nt0applicationEndPort')]",

+ "startPort": "[variables('nt0applicationStartPort')]"

+},

+"clientConnectionEndpointPort": "[variables('nt0fabricTcpGatewayPort')]",

+"durabilityLevel": "Bronze",

+"ephemeralPorts": {

+ "endPort": "[variables('nt0ephemeralEndPort')]",

+ "startPort": "[variables('nt0ephemeralStartPort')]"

+},

+"httpGatewayEndpointPort": "[variables('nt0fabricHttpGatewayPort')]",

+"isPrimary": false,

+"reverseProxyEndpointPort": "[variables('nt0reverseProxyEndpointPort')]",

+"vmInstanceCount": "[parameters('nt0InstanceCount')]"

+```

+#### Configure health policies to ignore existing errors

+Only for Silver and higher durability clusters, update the cluster resource in the template and configure health policies to ignore `fabric:/System` application health by adding *applicationDeltaHealthPolicies* under cluster resource properties as given below. The below policy will ignore existing errors but not allow new health errors.

+```json

+"upgradeDescription":

+{

+ "forceRestart": false,

+ "upgradeReplicaSetCheckTimeout": "10675199.02:48:05.4775807",

+ "healthCheckWaitDuration": "00:05:00",

+ "healthCheckStableDuration": "00:05:00",

+ "healthCheckRetryTimeout": "00:45:00",

+ "upgradeTimeout": "12:00:00",

+ "upgradeDomainTimeout": "02:00:00",

+ "healthPolicy": {

+ "maxPercentUnhealthyNodes": 100,

+ "maxPercentUnhealthyApplications": 100

+ },

+ "deltaHealthPolicy":

+ {

+ "maxPercentDeltaUnhealthyNodes": 0,

+ "maxPercentUpgradeDomainDeltaUnhealthyNodes": 0,

+ "maxPercentDeltaUnhealthyApplications": 0,

+ "applicationDeltaHealthPolicies":

+ {

+ "fabric:/System":

+ {

+ "defaultServiceTypeDeltaHealthPolicy":

+ {

+ "maxPercentDeltaUnhealthyServices": 0

+ }

+ }

+ }

+ }

+}

+```

+#### Remove supporting resources for the original node type

+Remove all other resources related to the original node type from the ARM template and the parameters file. Delete the following:

+```json

+ "vmImagePublisher": {

+ "value": "MicrosoftWindowsServer"

+ },

+ "vmImageOffer": {

+ "value": "WindowsServer"

+ },

+ "vmImageSku": {

+ "value": "2019-Datacenter"

+ },

+ "vmImageVersion": {

+ "value": "latest"

+ },

+```

+#### Deploy the finalized template

+Finally, deploy the modified Azure Resource Manager template.

+```powershell

+# Deploy the updated template file

+$templateFilePath = "C:\Step3-CleanupOriginalPrimaryNodeType"

+New-AzResourceGroupDeployment `

+ -ResourceGroupName $resourceGroupName `

+ -TemplateFile $templateFilePath `

+ -TemplateParameterFile $parameterFilePath `

+ -CertificateThumbprint $thumb `

+ -CertificateUrlValue $certUrlValue `

+ -SourceVaultValue $sourceVaultValue `

+ -Verbose

+```

+> [!NOTE]

+> This step will take a while, usually up to two hours.

+The upgrade will change settings to the *InfrastructureService*; therefore, a node restart is needed. In this case, *forceRestart* is ignored. The parameter `upgradeReplicaSetCheckTimeout` specifies the maximum time that Service Fabric waits for a partition to be in a safe state, if not already in a safe state. Once safety checks pass for all partitions on a node, Service Fabric proceeds with the upgrade on that node. The value for the parameter `upgradeTimeout` can be reduced to 6 hours, but for maximal safety 12 hours should be used.

+Once the deployment has completed, verify in Azure portal that the Service Fabric resource Status is *Ready*. Verify you can reach the new Service Fabric Explorer endpoint, the **Cluster Health State** is *OK*, and any deployed applications function properly.

+With that, you've vertically scaled a cluster non-primary node type!

+## Next steps

+* Learn how to [add a node type to a cluster](virtual-machine-scale-set-scale-node-type-scale-out.md)

+* Learn about [application scalability](service-fabric-concepts-scalability.md).

+* [Scale an Azure cluster in or out](service-fabric-tutorial-scale-cluster.md).

+* [Scale an Azure cluster programmatically](service-fabric-cluster-programmatic-scaling.md) using the fluent Azure compute SDK.

+* [Scale a standalone cluster in or out](service-fabric-cluster-windows-server-add-remove-nodes.md).

+- From VM operating system *Windows Server 2019 Datacenter* to *Windows Server 2022 Datacenter*.

+The step-by-step Azure deployment templates that we'll use to complete this sample upgrade scenario are [available on GitHub](https://github.com/microsoft/service-fabric-scripts-and-templates/tree/master/templates/nodetype-upgrade).

+In order to upgrade (vertically scale) a node type, we'll first need to deploy a new node type backed by a new scale set and supporting resources. The new scale set will be marked as primary (`isPrimary: true`), just like the original scale set. If you want to scale up a non-primary node type, see [Scale up a Service Fabric cluster non-primary node type](service-fabric-scale-up-non-primary-node-type.md). The resources created in the following section will ultimately become the new primary node type in your cluster, and the original primary node type resources will be deleted.

+ "dnsSettings": {

+ "domainNameLabel": "[concat(variables('dnsName'),'-','nt1')]"

+ },

+ "publicIPAllocationMethod": "Dynamic"

+ "resourceType": "Service Fabric",

+ "clusterName": "[parameters('clusterName')]"

+ "value": "2019-Datacenter"

+| [NextJs](https://nextjs.org/) | `/` | n/a |

+| [RedwoodJS](https://redwoodjs.com/) | `web/dist` | `yarn rw build web` |

+> For more detail on Application Insights usage, refer to [Application Insights overview](../azure-monitor/app/app-insights-overview.md).

+- [Azure Storage client library for Ruby](https://github.com/azure/azure-storage-ruby), using the [RubyGem package](https://rubygems.org/gems/azure-storage-blob):

+A combination of three factors determine how your storage account is replicated and accessible:

+- **Zone redundancy** - whether data is replicated between different zones within the primary region (LRS vs. ZRS)

+- **Geo-redundancy** - replication within a single "local" region or between different regions (LRS vs. GRS)

+- **Read access (RA)** - read access to the secondary region in the event of a failover when geo-redundancy is used (GRS vs. RA-GRS)

+For an overview of all of the redundancy options, see [Azure Storage redundancy](storage-redundancy.md).

+In this article, you will learn how to change the replication setting(s) for an existing storage account.

+## Options for changing the replication type

+You can change how your storage account is replicated from any type to any other. There are four basic ways to change the settings:

+- [Use the Azure portal, Azure PowerShell, or the Azure CLI](#change-the-replication-setting-using-the-portal-powershell-or-the-cli)

+- [Initiate a conversion from within the Azure portal (preview)](#customer-initiated-conversion-preview)

+- [Request a conversion by creating a support request with Microsoft](#support-requested-conversion)

+- [Perform a manual migration](#manual-migration)

+To add or remove geo-replication or read access to the secondary region, you can simply [change the replication setting using the portal, PowerShell, or the CLI](#change-the-replication-setting-using-the-portal-powershell-or-the-cli).

+To add or remove zone-redundancy requires using either [customer-initiated conversion (preview)](#customer-initiated-conversion-preview), [support-requested conversion](#support-requested-conversion), or [a manual migration](#manual-migration).

+During a conversion, you can access data in your storage account with no loss of durability or availability. [The Azure Storage SLA](https://azure.microsoft.com/support/legal/sla/storage/) is maintained during the conversion process and there is no data loss. Service endpoints, access keys, shared access signatures, and other account options remain unchanged after the conversion.

+Performing a manual migration involves downtime and requires the most manual effort, but you have more control over the timing of the process.

+If you want to change how data is replicated in the primary region and also configure geo-replication or read-access, a two-step process is required. Geo-redundancy and read-access can be changed at the same time, but zone-redundancy must be changed separately. It doesn't matter which is done first.

+> [!NOTE]

+> While Microsoft handles your request for a conversion promptly, there's no guarantee as to when it will complete. If you need your data converted by a certain date, Microsoft recommends that you perform a manual migration instead.

+>

+> Generally, the more data you have in your account, the longer it takes to replicate that data to other zones in the region.

+### Replication change table

+The following table provides an overview of how to switch from each type of replication to another.

+> [!NOTE]

+> Manual migration is an option for any scenario in which you want to change the replication setting within the [limitations for changing replication types](#limitations-for-changing-replication-types), so that option has been omitted from the table below to simplify it.

+>

+> Also, some changes noted in the table involve a two-step process such as switching from LRS to GRS/RA-GRS first, then converting to GZRS/RA-GZRS. The order of the steps doesn't matter. You could also convert from LRS to ZRS first, then switch to GZRS/RA-GZRS. The switch is listed first in the table because it appears to occur almost instantaneously, while the conversion typically takes much longer. Performing the faster change first allows you to initiate both required changes around the same time and not have to wait for the longer change to complete before proceeding with the other one.

+| Switching | ΓǪto LRS | ΓǪto GRS/RA-GRS ⁶ | ΓǪto ZRS | ΓǪto GZRS/RA-GZRS ⁶ |

+| **…from LRS** | **N/A** | [Use Azure portal, PowerShell, or CLI](#change-the-replication-setting-using-the-portal-powershell-or-the-cli)^1,2 | [Customer-initiated conversion](#customer-initiated-conversion-preview)^3,5<br>**- or -**</br>[Support-requested conversion](#support-requested-conversion)^3,5 | [Switch to GRS/RA-GRS first](#change-the-replication-setting-using-the-portal-powershell-or-the-cli)^1,2, then perform a conversion to GZRS/RA-GZRS using:<br><br>[Customer-initiated conversion](#customer-initiated-conversion-preview)^3,5<br>**- or -**</br>[Support-requested conversion](#support-requested-conversion)^3,5 |

+| **…from GRS/RA-GRS** | [Use Azure portal, PowerShell, or CLI](#change-the-replication-setting-using-the-portal-powershell-or-the-cli) | **N/A** | [Switch to LRS first](#change-the-replication-setting-using-the-portal-powershell-or-the-cli), then perform a conversion to ZRS using:<br><br>[Customer-initiated conversion](#customer-initiated-conversion-preview)^3,5<br>**- or -**</br>[Support-requested conversion](#support-requested-conversion)^3,5 | [Customer-initiated conversion](#customer-initiated-conversion-preview)^3,5<br>**- or -**</br>[Support-requested conversion](#support-requested-conversion)^3,5 |

+| **ΓǪfrom ZRS** | [Customer-initiated conversion](#customer-initiated-conversion-preview)³ | [Switch to GZRS/RA-GZRS first](#change-the-replication-setting-using-the-portal-powershell-or-the-cli)^1,2, then perform a conversion to GRS/RA-GRS using:<br><br>[Customer-initiated conversion](#customer-initiated-conversion-preview)³ | **N/A** | [Use Azure portal, PowerShell, or CLI](#change-the-replication-setting-using-the-portal-powershell-or-the-cli)² |

+| **ΓǪfrom GZRS/RA-GZRS** | [Switch to ZRS first](#change-the-replication-setting-using-the-portal-powershell-or-the-cli), then perform a conversion to LRS using:<br><br>[Customer-initiated conversion](#customer-initiated-conversion-preview)³ | [Customer-initiated conversion](#customer-initiated-conversion-preview)³ | [Use Azure portal, PowerShell, or CLI](#change-the-replication-setting-using-the-portal-powershell-or-the-cli)| **N/A** |

+² Switching to geo-redundancy is not supported if the storage account contains blobs in the archive tier.<br />

+³ Conversion is supported for standard general-purpose v2 and premium file share storage accounts. It is not supported for premium block blob or page blob storage accounts.<br />

+⁵ Converting from LRS to ZRS is not supported if the NFSv3 protocol support is enabled for Azure Blob Storage or if the storage account contains Azure Files NFSv4.1 shares. <br />

+⁶ Even though enabling geo-redundancy appears to occur instantaneously, failover to the secondary region cannot be initiated until data synchronization between the two regions has completed.

+## Change the replication setting

+Depending on your scenario from the table above, use one of the methods below to change your replication settings.

+### Change the replication setting using the portal, PowerShell, or the CLI

+In most cases you can use the Azure portal, PowerShell, or the Azure CLI to change the geo-redundant or read access (RA) replication setting for a storage account. If you are initiating a zone redundancy conversion, you can change the setting from within the Azure portal, but not from PowerShell or the Azure CLI.

+Changing how your storage account is replicated in the portal does not result in down time for your applications. This includes changes that require a conversion.

+1. Under **Data management** select **Redundancy**.

+1. Update the **Redundancy** setting.

+1. Select **Save**.

+### Perform a conversion

+Converting your storage account to add or remove zone-redundancy makes the change without incurring any down time.

+During a conversion, you can access data in your storage account with no loss of durability or availability. [The Azure Storage SLA](https://azure.microsoft.com/support/legal/sla/storage/) is maintained during the process and there is no data loss associated with a conversion. Service endpoints, access keys, shared access signatures, and other account options remain unchanged after the conversion.

+There are two ways to initiate a conversion:

+- [Customer-initiated](#customer-initiated-conversion-preview)

+- [Support-requested](#support-requested-conversion)

+#### Customer-initiated conversion (preview)

+> [!IMPORTANT]

+> Customer initiated conversion is currently in preview and available in all public ZRS regions except for the following:

+>

+> - (Europe) West Europe

+> - (Europe) UK South

+> - (North America) Canada Central

+> - (North America) East US

+> - (North America) East US 2

+>

+> This preview version is provided without a service level agreement, and might not be suitable for production workloads. Certain features might not be supported or might have constrained capabilities.

+> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

+Customer-initiated conversion adds a new option for customers to start a conversion. Now, instead of needing to open a support request, customers can start the conversion directly from within the Azure portal. Once initiated, the conversion could still take up to 72 hours to actually begin, but potential delays related to opening and managing a support request are eliminated.

+Customer-initiated conversion is only available from the Azure portal, not from PowerShell or the Azure CLI. To initiate the conversion, perform the same steps used for changing other replication settings in the Azure portal as described in [Change the replication setting using the portal, PowerShell, or the CLI](#change-the-replication-setting-using-the-portal-powershell-or-the-cli).

+#### Support-requested conversion

+Customers can still request a conversion by opening a support request with Microsoft.

+> [!IMPORTANT]

+> If you need to convert more than one storage account, create a single support ticket and specify the names of the accounts to convert on the **Additional details** tab.

+Follow these steps to request a conversion from Microsoft:

+1. In the Azure portal, navigate to a storage account that you want to convert.

+1. Under **Support + troubleshooting**, select **New Support Request**.

+1. Complete the **Problem description** tab based on your account information:

+ - **Summary**: (some descriptive text).

+ - **Issue type**: Select **Technical**.

+ - **Subscription**: Select your subscription from the drop-down.

+ - **Service**: Select **My Services**, then **Storage Account Management** for the **Service type**.

+ - **Resource**: Select a storage account to convert. If you need to specify multiple storage accounts, you can do so on the **Additional details** tab.

+ - **Problem type**: Choose **Data Migration**.

+ - **Problem subtype**: Choose **Migrate to ZRS, GZRS, or RA-GZRS**.

+ :::image type="content" source="media/redundancy-migration/request-live-migration-problem-desc-portal.png" alt-text="Screenshot showing how to request a conversion - Problem description tab.":::

+1. Select **Next**. The **Recommended solution** tab might be displayed briefly before it switches to the **Solutions** page. On the **Solutions** page, you can check the eligibility of your storage account(s) for conversion:

+ - **Target replication type**: (choose the desired option from the drop-down)

+ - **Storage accounts from**: (enter a single storage account name or a list of accounts separated by semicolons)

+ - Select **Submit**.

+ :::image type="content" source="media/redundancy-migration/request-live-migration-solutions-portal.png" alt-text="Screenshot showing how to check the eligibility of your storage account(s) for conversion - Solutions page.":::

+1. Take the appropriate action if the results indicate your storage account is not eligible for conversion. If it is eligible, select **Return to support request**.

+1. Select **Next**. If you have more than one storage account to migrate, then on the **Details** tab, specify the name for each account, separated by a semicolon.

+ :::image type="content" source="media/redundancy-migration/request-live-migration-details-portal.png" alt-text="Screenshot showing how to request a conversion - Additional details tab.":::

+1. Fill out the additional required information on the **Additional details** tab, then select **Review + create** to review and submit your support ticket. A support person will contact you to provide any assistance you may need.

+### Manual migration

+A manual migration provides more flexibility and control than a conversion. You can use this option if you need the migration to complete by a certain date, or if conversion is [not supported for your scenario](#limitations-for-changing-replication-types). Manual migration is also useful when moving a storage account to another region. See [Move an Azure Storage account to another region](storage-account-move.md) for more details.

+You must perform a manual migration if:

+- You want to migrate your storage account to a different region.

+- Your storage account is a block blob account.

+- Your storage account includes data in the archive tier and rehydrating the data is not desired.

+> A manual migration can result in application downtime. If your application requires high availability, Microsoft also provides a [conversion](#perform-a-conversion) option. A conversion is an in-place migration with no downtime.

+With a manual migration, you copy the data from your existing storage account to a new storage account. To perform a manual migration, you can use one of the following options:

+- Copy data by using an existing tool such as AzCopy, one of the Azure Storage client libraries, or a reliable third-party tool.

+- If you're familiar with Hadoop or HDInsight, you can attach both the source storage account and destination storage account to your cluster. Then, parallelize the data copy process with a tool like DistCp.

+For more detailed guidance on how to perform a manual migration, see [Move an Azure Storage account to another region](storage-account-move.md).

+## Limitations for changing replication types

+Limitations apply to some replication change scenarios depending on:

+- [Storage account type](#storage-account-type)

+- [Region](#region)

+- [Access tier](#access-tier)

+- [Protocol support](#protocol-support)

+- [Failover and failback](#failover-and-failback)

+### Storage account type

+When planning to change your replication settings, consider the following limitations related to the storage account type.

+Some storage account types only support certain redundancy configurations, which affects whether they can be converted or migrated and, if so, how. For more details on Azure storage account types and the supported redundancy options, see [the storage account overview](storage-account-overview.md#types-of-storage-accounts).

+The following table provides an overview of redundancy options available for storage account types and whether conversion and manual migration are supported:

+| Storage account type | Supports LRS | Supports ZRS | Supports conversion<br>(from the portal) | Supports conversion<br>(by support request) | Supports manual migration |

+|:-|::|::|:--:|:-:|:-:|

+| Standard general purpose v2 | &#x2705; | &#x2705; | &#x2705; | &#x2705; | &#x2705; |

+| Premium file shares | &#x2705; | &#x2705; | | &#x2705; ¹ | &#x2705; |

+| Premium block blob | &#x2705; | &#x2705; | | | &#x2705; |

+| Premium page blob | &#x2705; | | | | |

+| Managed disks² | &#x2705; | | | | |

+| Standard general purpose v1 | &#x2705; | | ³ | | &#x2705; |

+| ZRS Classic⁴<br />_{(available in standard general purpose v1 accounts)} | &#x2705; | | | |

+¹ Conversion for premium file shares is only available by [opening a support request](#support-requested-conversion); [Customer-initiated conversion (preview)](#customer-initiated-conversion-preview) is not currently supported.<br />

+² Managed disks are only available for LRS and cannot be migrated to ZRS. You can store snapshots and images for standard SSD managed disks on standard HDD storage and [choose between LRS and ZRS options](https://azure.microsoft.com/pricing/details/managed-disks/). For information about integration with availability sets, see [Introduction to Azure managed disks](../../virtual-machines/managed-disks-overview.md#integration-with-availability-sets).<br />

+³ If your storage account is v1, you'll need to upgrade it to v2 before performing a conversion. To learn how to upgrade your v1 account, see [Upgrade to a general-purpose v2 storage account](storage-account-upgrade.md).<br />

+⁴ ZRS Classic storage accounts have been deprecated. For information about converting ZRS Classic accounts, see [Converting ZRS Classic accounts](#converting-zrs-classic-accounts).<br />

+#### Converting ZRS Classic accounts

+> ZRS Classic accounts were deprecated on March 31, 2021. Customers can no longer create ZRS Classic accounts. If you still have some, you should upgrade them to general purpose v2 accounts.

+ZRS Classic was available only for **block blobs** in general-purpose V1 (GPv1) storage accounts. For more information about storage accounts, see [Azure storage account overview](storage-account-overview.md).

+ZRS Classic accounts asynchronously replicated data across data centers within one to two regions. Replicated data was not available unless Microsoft initiated a failover to the secondary. A ZRS Classic account can't be converted to or from LRS, GRS, or RA-GRS. ZRS Classic accounts also don't support metrics or logging.

+To change ZRS Classic to another replication type, use one of the following methods:

+- Upgrade it to ZRS first

+- [Manually migrate the data directly to another replication type](#manual-migration)

+To upgrade your ZRS Classic storage account to ZRS, use the Azure portal, PowerShell, or Azure CLI in regions where ZRS is available:

+To manually migrate your ZRS Classic account data to another type of replication, follow the steps to [perform a manual migration](#manual-migration).

+### Region

+Make sure the region where your storage account is located supports all of the desired replication settings. For example, if you are converting your account to zone-redundant (ZRS, GZRS, or RA-GZRS), make sure your storage account is in a region that supports it. See the lists of supported regions for [Zone-redundant storage](storage-redundancy.md#zone-redundant-storage) and [Geo-zone-redundant storage](storage-redundancy.md#geo-zone-redundant-storage).

+The [customer-initiated conversion (preview)](#customer-initiated-conversion-preview) to ZRS is available in all public ZRS regions except for the following:

+- (Europe) West Europe

+- (Europe) UK South

+- (North America) Canada Central

+- (North America) East US

+- (North America) East US 2

+If you want to migrate your data into a zone-redundant storage account located in a region different from the source account, you must perform a manual migration. For more details, see [Move an Azure Storage account to another region](storage-account-move.md).

+### Access tier

+Ensure the desired replication option supports the access tier currently used in the storage account. For example, GZRS storage accounts do not currently support the archive tier. See [Hot, Cool, and Archive access tiers for blob data](../blobs/access-tiers-overview.md) for more details.

+To change the redundancy configuration for a storage account that contains blobs in the Archive tier, you must first rehydrate all archived blobs to the Hot or Cool tier. Microsoft recommends that you avoid changing the redundancy configuration for a storage account that contains archived blobs if at all possible, because rehydration operations can be costly and time-consuming. An option that avoids the rehydration time and expense is a [manual migration](#manual-migration).

+### Protocol support

+Converting your storage account to zone-redundancy (ZRS, GZRS or RA-GZRS) is not supported if the NFSv3 protocol support is enabled for Azure Blob Storage, or if the storage account contains Azure Files NFSv4.1 shares.

+### Failover and failback

+After an account failover to the secondary region, it's possible to initiate a failback from the new primary back to the new secondary with PowerShell or Azure CLI (version 2.30.0 or later). For more information, see [use caution when failing back to the original primary](storage-disaster-recovery-guidance.md#use-caution-when-failing-back-to-the-original-primary).

+If you performed an [account failover](storage-disaster-recovery-guidance.md) for your (RA-)GRS or (RA-)GZRS account, the account is locally redundant (LRS) in the new primary region after the failover. Live migration to ZRS or GZRS for an LRS account resulting from a failover is not supported. This is true even in the case of so-called failback operations. For example, if you perform an account failover from RA-GZRS to the LRS in the secondary region, and then configure it again to RA-GRS and perform another account failover to the original primary region, you can't perform a conversion to RA-GZRS in the primary region. Instead, you'll need to perform a manual migration to ZRS or GZRS.

+## Downtime requirements

+During a conversion, you can access data in your storage account with no loss of durability or availability. [The Azure Storage SLA](https://azure.microsoft.com/support/legal/sla/storage/) is maintained during the migration process and there is no data loss associated with a conversion. Service endpoints, access keys, shared access signatures, and other account options remain unchanged after the migration.

+If you initiate a conversion from the Azure portal, the migration process could take up to 72 hours to begin, and possibly longer if requested by opening a support request.

+If you choose to perform a manual migration, downtime is required but you have more control over the timing of the migration process.

+For example, going *from* LRS to any other type of replication will incur additional charges because you are moving to a more sophisticated redundancy level. Migrating *to* GRS or RA-GRS will incur an egress bandwidth charge at the time of the conversion or migration because your entire storage account is being replicated to the secondary region. All subsequent writes to the primary region also incur egress bandwidth charges to replicate the write to the secondary region. For details on bandwidth charges, see [Azure Storage Pricing page](https://azure.microsoft.com/pricing/details/storage/blobs/).

+- [Move an Azure Storage account to another region](storage-account-move.md)

+- [Check the Last Sync Time property for a storage account](last-sync-time-get.md)

+| [LRS to ZRS conversion](../common/redundancy-migration.md?tabs=portal#limitations-for-changing-replication-types)| Γ¢ö |

+ Title: What's new in Azure Files and Azure File Sync

+description: Learn about new features and enhancements in Azure Files and Azure File Sync.

+Azure Files is updated regularly to offer new features and enhancements. This article provides detailed information about what's new in Azure Files and Azure File Sync.

+## What's new in 2022

+### 2022 quarter 3 (July, August, September)

+#### Azure Active Directory (Azure AD) Kerberos authentication for hybrid identities on Azure Files (public preview)

+This [preview release](storage-files-identity-auth-azure-active-directory-enable.md) builds on top of [FSLogix profile container support](../../virtual-desktop/create-profile-container-azure-ad.md) released in December 2022 and expands it to support more use cases with an easy, two-step portal experience (SMB only). Azure AD Kerberos allows Kerberos authentication for hybrid identities in Azure AD, reducing the need for customers to configure another domain service and allowing customers to authenticate with Azure Files without the need for line-of-sight to domain controllers. While the initial support is limited to hybrid user identities, which are identities created in AD DS and synced to Azure AD, itΓÇÖs a significant milestone as we simplify identity-based authentication for Azure Files customers. [Read the blog post](https://techcommunity.microsoft.com/t5/azure-storage-blog/public-preview-leverage-azure-active-directory-kerberos-with/ba-p/3612111).

+### 2022 quarter 2 (April, May, June)

+#### SUSE Linux support for SAP HANA System Replication (HSR) and Pacemaker

+Azure customers can now [deploy a highly available SAP HANA system in a scale-out configuration](../../virtual-machines/workloads/sap/sap-hana-high-availability-scale-out-hsr-suse.md) with HSR and Pacemaker on Azure SUSE Linux Enterprise Server virtual machines (VMs), using NFS Azure file shares for a shared file system.

+### 2022 quarter 1 (January, February, March)

+#### Azure File Sync TCO improvements

+To offer sync and tiering, Azure File Sync performs two types of transactions on behalf of the customer:

+- Transactions from churn, including changed files (sync) and recalled files (tiering).

+- Transactions from cloud change enumeration, done to discover changes made directly on the Azure file share. Historically, this was a major component of an Azure File Sync customerΓÇÖs Azure Files bill.

+To improve TCO, we markedly decreased the number of transactions needed to fully scan an Azure file share. Prior to this change, most customers were best off in the hot tier. Now most customers are best off in the cool tier.

+## What's new in 2021

+### 2021 quarter 4 (October, November, December)

+#### Increased IOPS for premium file shares

+#### NFS 4.1 protocol support is generally available

+#### Symmetric throughput for premium file shares

+### 2021 quarter 3 (July, August, September)

+#### SMB Multichannel is generally available

+#### SMB 3.1.1 and SMB security settings

+### 2021 quarter 2 (April, May, June)

+#### Premium, hot, and cool storage capacity reservations

+#### Improved portal experience for domain joining to Active Directory

+### 2021 quarter 1 (January, February, March)

+#### Azure Files management now available through the control plane

+ ```csharp

+ ```json

+- [PolyBase with T-SQL](../sql-data-warehouse/sql-data-warehouse-load-from-azure-blob-storage-with-polybase.md?bc=%2fazure%2fsynapse-analytics%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fsynapse-analytics%2ftoc.json) works well when your data is in Azure Blob storage or Azure Data Lake Store. It gives you the most control over the loading process, but also requires you to define external data objects. The other methods define these objects behind the scenes as you map source tables to destination tables. To orchestrate T-SQL loads, you can use Azure Data Factory, SSIS, or Azure functions.

+- Serverless SQL pools in Synapse Analytics don't support the datasets with the [BLOOM filter](/azure/databricks/optimizations/bloom-filters). The serverless SQL pool ignores the BLOOM filters.

+Try to setup a data source in some SQL Database that references your Azure Data Lake storage using Managed Identity credential, and try to [create external table on top of data source with Managed Identity](develop-storage-files-storage-access-control.md?tabs=managed-identity#access-a-data-source-using-credentials) to confirm that a table with the Managed Identity can access your storage.

+ Check out the newest [KQL Learn module](/training/modules/gain-insights-data-kusto-query-language/) and see for yourself how easy it is to become a KQL master.

+ - Sync patch cycles in relation to patch TuesdayΓÇöthe unofficial term for Microsoft's scheduled security fix release on every second Tuesday of each month.

+Update management center (preview) supports Azure VMs created using Azure Marketplace images, where the virtual machine agent is already included in the Azure Marketplace image.

+[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Supported <br>

+[Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization): Supported <br>

+In the bash Cloud Shell opened before type:

+```bash

+vim ~/clouddrive/azurepolicy.parameters.json

+For more information, see [Azure Policy](../../governance/policy/overview.md).

+Most nonzero-impact maintenance pauses the VM for less than 10 seconds. In certain cases, Azure uses memory-preserving maintenance mechanisms. These mechanisms pause the VM, typically for about 30 seconds, and preserve the memory in RAM. The VM is then resumed, and its clock is automatically synchronized.

+ export ADO_PROJECT=SAP-Deployment-Automation

+ $Env:ControlPlaneSubscriptionName="<YourControlPlaneSubscriptionName>"

+ $Env:DevSubscriptionName="<YourDevSubscriptionName>"

+- Using 3rd-party software [SIOS DataKeeper Cluster Edition](https://us.sios.com/products/sios-datakeeper/) to create a mirrored storage that simulates cluster shared storage.

+Get more information about [SIOS DataKeeper](https://us.sios.com/products/sios-datakeeper/).

+Get more information about [SIOS DataKeeper](https://us.sios.com/products/sios-datakeeper/).

+- Using [SIOS DataKeeper Cluster Edition](https://us.sios.com/products/sios-datakeeper/) to create mirrored storage, that will simulate clustered shared disk

+- Add Microsoft .NET Framework, if needed. See the [SIOS documentation](https://us.sios.com/products/sios-datakeeper/) for the most up-to-date .NET framework requirements

+- Using [SIOS DataKeeper Cluster Edition](https://us.sios.com/products/sios-datakeeper/) to create mirrored storage, that will simulate clustered shared disk

+- Learn how to [configure a cross-tenant connection with Azure Virtual Network Manager using the Azure portal](how-to-configure-cross-tenant-portal.md)

+- Check out the [Azure Virtual Network Manager FAQ](faq.md)

+ :::image type="content" source="./media/tutorial-create-secured-hub-and-spoke/network-group-basics.png" alt-text="Screenshot of the Basics tab on Create a network group page.":::

+ :::image type="content" source="./media/tutorial-create-secured-hub-and-spoke/define-dynamic-membership.png" alt-text="Screenshot of the defined dynamic membership button.":::

+ | Condition | Enter **-EastUS** to dynamically add the two East US virtual networks into this network group. |

+1. Select **Next: Topology >**. Select **Hub and Spoke** under the **Topology** setting. This will reveal other settings.

+1. Select **Select a hub** under **Hub** setting. Then, select **VNet-A-WestUS** to serve as your network hub and select **Select**.

+1. Under **Spoke network groups**, select **+ add**. Then, select **myNetworkGroupB** for the network group and select **Select**.

+ | Global Mesh | Leave **Enable mesh connectivity across regions** option **unchecked**. This setting isn't required as both spokes are in the same region |

+1. Select **Configuration** under *Settings* again, then select **+ Create**, and select **SecurityAdmin** from the menu to begin creating a SecurityAdmin configuration.

+1. Select **Next** and then **Deploy**. You should now see the deployment show up in the list for the selected region. The deployment of the configuration can take about 15-20 minutes to complete.

+* It's possible to deploy Site-to-Site VPN connections over ExpressRoute private peering at the same time as Site-to-Site VPN connections via the Internet on the same VPN gateway.

+This feature is available for the following SKUs:

+* VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5 with standard public IP with no zones

+* VpnGw1AZ, VpnGw2AZ, VpnGw3AZ, VpnGw4AZ, VpnGw5AZ with standard public IP with one or more zones

+ >[!NOTE]

+ >This feature is supported on gateways with a standard public IP only.

+ >

+## Prerequisites

+ You should see a public and a private IP address. Write down the IP address under the ΓÇ£TunnelIpAddressesΓÇ¥ section of the output. You'll use this information in a later step.

+You can create exclusions for WAF in Application Gateway at different scope levels. For more information, see [Web Application Firewall exclusion lists](application-gateway-waf-configuration.md#exclusion-scopes).