-The following network security group Inbound rules are required for the managed domain to provide authentication and management services. Don't edit or delete these network security group rules for the virtual network subnet your managed domain is deployed into.

-An Azure standard load balancer is created that requires these rules to be place. This network security group secures Azure AD DS and is required for the managed domain to work correctly. Don't delete this network security group. The load balancer won't work correctly without it.

-By default, the Azure AD SuccessFactors connector uses the `activeEmploymentsCount` field of the `PersonEmpTerminationInfo` object to set account status. There is a known SAP SuccessFactors issue documented in [knowledge base article 3047486](https://userapps.support.sap.com/sap/support/knowledge/en/3047486) that at times this may disable the account of a terminated worker one day prior to the termination on the last day of work.

-## Next Steps

-For more information about Permissions Management, see:

-

-**Microsoft Docs**: [Visit Docs](../cloud-infrastructure-entitlement-management/index.yml).

-description: In this quickstart, you learn how you can require that your terms of use are accepted before access to selected cloud apps is granted by Azure Active Directory Conditional Access.

-#Customer intent: As an IT admin, I want to ensure that users have accepted my terms of use before accessing selected cloud apps, so that I have a consent from them.

-Before accessing certain cloud apps in your environment, you might want to get consent from users in form of accepting your terms of use (ToU). Azure Active Directory (Azure AD) Conditional Access provides you with:

-This quickstart shows how to configure an [Azure AD Conditional Access policy](./overview.md) that requires a ToU to be accepted for a selected cloud app in your environment.

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

-## Test your sign-in

-**To test your sign-in:**

-1. Sign in to your [Azure portal](https://portal.azure.com/) as Isabella Simonsen.

-**To create your terms of use:**

-1. Sign in to your [Azure portal](https://portal.azure.com) as Global Administrator, Security Administrator, or a Conditional Access Administrator.

-1. Search for and select **Azure Active Directory**. From the menu on the left-hand side select **Security**.

- 

-1. Select **Conditional Access**.

- 

-1. In the **Manage** section, click **Terms of use**.

- :::image type="content" source="./media/require-tou/04.png" alt-text="Screenshot of the Manage section of the Azure Active Directory page. The Terms of use item is highlighted." border="false":::

-1. In the menu on the top, click **New terms**.

- :::image type="content" source="./media/require-tou/05.png" alt-text="Screenshot of a menu in the Azure Active Directory page. The New terms item is highlighted." border="false":::

-1. On the **New terms of use** page:

- :::image type="content" source="./media/require-tou/112.png" alt-text="Screenshot of the New terms of use page, with the name, display name, document, language, conditional access, and expanding terms toggle highlighted." border="false":::

- 1. In the **Name** textbox, type **My TOU**.

- 1. In the **Display name** textbox, type **My TOU**.

- 1. Upload your terms of use PDF file.

- 1. As **Language**, select **English**.

- 1. As **Require users to expand the terms of use**, select **On**.

- 1. As **Enforce with Conditional Access policy templates**, select **Custom policy**.

- 1. Click **Create**.

-## Create your Conditional Access policy

-This section shows how to create the required Conditional Access policy. The scenario in this quickstart uses:

-In your policy, set:

-| Setting | Value |

-| | |

-| Users and groups | Isabella Simonsen |

-| Cloud apps | Microsoft Azure Management |

-| Grant access | My TOU |

-1. On the **New** page, in the **Name** textbox, type **Require TOU for Isabella**.

- 

-1. In the **Assignment** section, click **Users and groups**.

- :::image type="content" source="./media/require-tou/06.png" alt-text="Screenshot of the Assignments section of an Azure portal pane that defines a policy. The Users and groups item is visible, with none selected." border="false":::

-1. On the **Users and groups** page:

- :::image type="content" source="./media/require-tou/24.png" alt-text="Screenshot of the Include tab of the Users and groups page. Select users and groups is selected, as is Users and groups. Select is highlighted." border="false":::

- 1. Click **Select users and groups**, and then select **Users and groups**.

- 1. Click **Select**.

- 1. On the **Select** page, select **Isabella Simonsen**, and then click **Select**.

- 1. On the **Users and groups** page, click **Done**.

-1. Click **Cloud apps**.

- :::image type="content" source="./media/require-tou/08.png" alt-text="Screenshot of the Assignments section of an Azure portal pane that defines a policy. The Cloud apps item is visible, with none selected." border="false":::

-1. On the **Cloud apps** page:

- 

- 1. Click **Select apps**.

- 1. Click **Select**.

- 1. On the **Select** page, select **Microsoft Azure Management**, and then click **Select**.

- 1. On the **Cloud apps** page, click **Done**.

-1. In the **Access controls** section, click **Grant**.

- 

-1. On the **Grant** page:

- 

- 1. Select **My TOU**.

- 1. Click **Select**.

-1. In the **Enable policy** section, click **On**.

- 

-1. Click **Create**.

-## Evaluate a simulated sign-in

-Now that you have configured your Conditional Access policy, you probably want to know whether it works as expected. As a first step, use the Conditional Access what if policy tool to simulate a sign-in of your test user. The simulation estimates the impact this sign-in has on your policies and generates a simulation report.

-To initialize the **What If** policy evaluation tool, set:

-Clicking **What If** creates a simulation report that shows:

-

-**To evaluate your Conditional Access policy:**

-1. On the [Conditional Access - Policies](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies) page, in the menu on the top, click **What If**.

- 

-1. Click **Users**, select **Isabella Simonsen**, and then click **Select**.

- 

-1. To select a cloud app:

- :::image type="content" source="./media/require-tou/16.png" alt-text="Screenshot of the Cloud apps section. Text indicates that one app is selected." border="false":::

- 1. Click **Cloud apps**.

- 1. On the **Cloud apps page**, click **Select apps**.

- 1. Click **Select**.

- 1. On the **Select** page, select **Microsoft Azure Management**, and then click **Select**.

- 1. On the cloud apps page, click **Done**.

-1. Click **What If**.

-In the previous section, you have learned how to evaluate a simulated sign-in. In addition to a simulation, you should also test your Conditional Access policy to ensure that it works as expected.

-To test your policy, try to sign-in to your [Azure portal](https://portal.azure.com) using your **Isabella Simonsen** test account. You should see a dialog that requires you to accept your terms of use.

- :::image type="content" source="./media/require-tou/33.png" alt-text="Screenshot showing a policy named Require M F A for Azure portal users. The shortcut menu is visible, with Delete highlighted." border="false":::

-const claimsChallenge = authenticateHeader

- .split(' ')

- .find((entry) => entry.includes('claims='))

- .split('claims="')[1]

- .split('",')[0];

- claims: window.atob(claimsChallenge), // decode the base64 string

- scopes: scopes, // e.g ['User.Read', 'Contacts.Read']

- account: account, // current active account

- });

- claims: window.atob(claimsChallenge), // decode the base64 string

- scopes: scopes, // e.g ['User.Read', 'Contacts.Read']

- account: account, // current active account

- });

-The Microsoft Authentication Library (MSAL) enables developers to acquire [tokens](developer-glossary.md#security-token) from the Microsoft identity platform in order to authenticate users and access secured web APIs. It can be used to provide secure access to Microsoft Graph, other Microsoft APIs, third-party web APIs, or your own web API. MSAL supports many different application architectures and platforms including .NET, JavaScript, Java, Python, Android, and iOS.

-MSAL gives you many ways to get tokens, with a consistent API for a number of platforms. Using MSAL provides the following benefits:

-* Acquires tokens on behalf of a user or on behalf of an application (when applicable to the platform).

-* Maintains a token cache and refreshes tokens for you when they are close to expire. You don't need to handle token expiration on your own.

-* Helps you specify which audience you want your application to sign in (your org, several orgs, work, and school and Microsoft personal accounts, social identities with Azure AD B2C, users in sovereign, and national clouds).

-Using MSAL, a token can be acquired for a number of application types: web applications, web APIs, single-page apps (JavaScript), mobile and native applications, and daemons and server-side applications.

-Before this new method was available, you could invite guest users without requiring the invitation email by adding an inviter (from your organization or from a partner organization) to the **Guest inviter** directory role, and then having the inviter add guest users to the directory, groups, or applications through the UI or through PowerShell. (If using PowerShell, you can suppress the invitation email altogether). For example:

-description: Instructions about how to get help and open a support ticket for Azure Active Directory.

-# Find help and open a support ticket for Azure Active Directory

-Microsoft provides global technical, pre-sales, billing, and subscription support for Azure Active Directory (Azure AD). Support is available both online and by phone for Microsoft Azure paid and trial subscriptions. Phone support and online billing support are available in additional languages.

-## Find help without opening a support ticket

-Before creating a support ticket, check out the following resources for answers and information.

-* For content such as how-to information or code samples for IT professionals and developers, see the [technical documentation for Azure Active Directory](../index.yml).

-* The [Microsoft Technical Community](https://techcommunity.microsoft.com/) is the place for our IT pro partners and customers to collaborate, share, and learn. The [Microsoft Technical Community Info Center](https://techcommunity.microsoft.com/t5/Community-Info-Center/ct-p/Community-Info-Center) is used for announcements, blog posts, ask-me-anything (AMA) interactions with experts, and more. You can also [join the community to submit your ideas](https://techcommunity.microsoft.com/t5/Communities/ct-p/communities).

-## Open a support ticket

-If you are unable to find answers by using self-help resources, you can open an online support ticket. You should open each support ticket for only a single problem, so that we can connect you to the support engineers who are subject matter experts for your problem. Also, Azure Active Directory engineering teams prioritize their work based on incidents that are generated, so you're often contributing to service improvements.

-### How to open a support ticket for Azure AD in the Azure portal

-> [!NOTE]

-> If you're using Azure AD B2C, open a support ticket by first switching to an Azure AD tenant that has an Azure subscription associated with it. Typically, this is your employee tenant or the default tenant created for you when you signed up for an Azure subscription. To learn more, see [how an Azure subscription is related to Azure AD](active-directory-how-subscriptions-associated-directory.md).

-1. Sign in to [the Azure portal](https://portal.azure.com) and open **Azure Active Directory**.

-

-1. Scroll down to **Troubleshooting + Support** and select **New support request**.

-

-1. On the **Basics** blade, for **Issue type**, select **Technical**.

-1. Select your **Subscription**.

-1. For **Service**, select **Azure Active Directory**.

-1. Create a **Summary** for the request. The summary must be under 140 characters.

-

-1. Select a **Problem type**, and then select a category for that type. At this point, you are also offered self-help information for your problem category.

-

-1. Add the rest of your problem information and click **Next**.

-1. At this point, you are offered self-help solutions and documentation in the **Solutions** blade. If none of the solutions there resolve your problem, click **Next**.

-1. On the **Details** blade, fill out the required details and select a [Severity](https://azure.microsoft.com/support/plans/response/).

-

- 

-

-1. Provide your contact information and select **Next**.

-1. Provide your contact information and select **Create**.

- 

-### How to open a support ticket for Azure AD in the Microsoft 365 admin center

-> [!NOTE]

-> Support for Azure AD in the [Microsoft 365 admin center](https://admin.microsoft.com) is offered for administrators only.

-1. Sign in to the [Microsoft 365 admin center](https://admin.microsoft.com) with an account that has an Enterprise Mobility + Security (EMS) license.

-1. On the **Support** tile, select **New service request**:

-1. On the **Support Overview** page, select **Identity management** or **User and domain management**:

-1. For **Feature**, select the Azure AD feature for which you want support.

-1. For **Symptom**, select an appropriate symptom, summarize your issue and provide relevant details, and then select **Next**.

-1. Select one of the offered self-help resources, or select **Yes, continue** or **No, cancel request**.

-1. If you continue, you are asked for more details. You can attach any files you have that represent the problem, and then select **Next**.

-1. Provide your contact information and select **Submit request**.

-## Get phone support

-See the [Contact Microsoft for support](https://portal.office.com/Support/ContactUs.aspx) page to obtain support phone numbers.

-## Next steps

-* [Microsoft Tech Community](https://techcommunity.microsoft.com/)

-* [Technical documentation for Azure Active Directory](../index.yml)

-description: Learn where to get help and find answers to your questions as you build and configure identity and access management (IAM) solutions that integrate with Azure Active Directory (Azure AD).

-# Support and help options for Azure Active Directory

-If you need an answer to a question or help in solving a problem not covered in our documentation, it might be time to reach out to experts for help. Here are several suggestions for getting answers to your questions as you use Azure Active Directory (Azure AD).

-## Create an Azure support request

-<div class='icon is-large'>

- <img alt='Azure support' src='/media/logos/logo_azure.svg'>

-</div>

-Explore the range of [Azure support options and choose the plan](https://azure.microsoft.com/support/plans) that best fits, whether you're an IT admin managing your organization's tenant, a developer just starting your cloud journey, or a large organization deploying business-critical, strategic applications. Azure customers can create and manage support requests in the Azure portal.

-## Post a question to Microsoft Q&A

-<div class='icon is-large'>

- <img alt='Microsoft Q&A' src='../develop/media/common/question-mark-icon.png'>

-</div>

-Get answers to your identity and access management questions directly from Microsoft engineers, Azure Most Valuable Professionals (MVPs), and members of our expert community.

-[Microsoft Q&A](/answers/products/) is Azure's recommended source of community support.

-If you can't find an answer to your problem by searching Microsoft Q&A, submit a new question. Use one of following tags when you ask your [high-quality question](/answers/articles/24951/how-to-write-a-quality-question.html):

-| Component/area| Tags |

-|||

-| Active Directory Authentication Library (ADAL) | [[adal]](/answers/topics/azure-ad-adal-deprecation.html) |

-| Microsoft Authentication Library (MSAL) | [[msal]](/answers/topics/azure-ad-msal.html) |

-| Open Web Interface for .NET (OWIN) middleware | [[azure-active-directory]](/answers/topics/azure-active-directory.html) |

-| [Azure AD B2B / External Identities](../external-identities/what-is-b2b.md) | [[azure-ad-b2b]](/answers/topics/azure-ad-b2b.html) |

-| [Azure AD B2C](https://azure.microsoft.com/services/active-directory-b2c/) | [[azure-ad-b2c]](/answers/topics/azure-ad-b2c.html) |

-| [Microsoft Graph API](https://developer.microsoft.com/graph/) | [[azure-ad-graph]](/answers/topics/azure-ad-graph.html) |

-| All other authentication and authorization areas | [[azure-active-directory]](/answers/topics/azure-active-directory.html) |

-## Stay informed of updates and new releases

-<div class='icon is-large'>

- <img alt='Stay informed' src='/media/common/i_blog.svg'>

-</div>

-description: This article describes how to disable Group Writeback in Azure AD Connect.

-# Disabling group writeback

-The following document will walk you thorough disabling group writeback. To disable group writeback for your organization, use the following steps:

-1. Launch the Azure Active Directory Connect wizard and navigate to the Additional Tasks page. Select the Customize synchronization options task and click next.

-2. On the Optional Features page, uncheck group writeback. You'll receive a warning letting you know that groups will be deleted. Click Yes.

- >[!Important]

- >Disabling Group Writeback will cause any groups that were previously created by this feature to be deleted from your local Active Directory on the next synchronization cycle.

-3. Uncheck the box

-4. Click Next.

-5. Click Configure.

->[!Note]

->Disabling Group Writeback will set the Full Import and Full Synchronization flags to 'true' on the Azure Active Directory Connector, causing the rule changes to propagate through on the next synchronization cycle, deleting the groups that were previously written back to your Active Directory.

-

-## Rolling back group writeback

-To disable or roll back group writeback via PowerShell, do the following:

-1. Open a PowerShell prompt as administrator.

-2. Disable the sync scheduler after verifying that no synchronization operations are running:

-``` PowerShell

- Set-ADSyncScheduler -SyncCycleEnabled $false

- ```

- ``` PowerShell

- Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1'

- ```

- ``` PowerShell

- Set-ADSyncAADCompanyFeature -GroupWritebackV2 $false

- ```

-5. Re-enable the Sync Scheduler

- ``` PowerShell

- Set-ADSyncScheduler -SyncCycleEnabled $true

- ```

-## Next Steps:

-description: This article describes how to enable Group Writeback in Azure AD Connect.

-Group writeback is the feature that allows you to write cloud groups back to your on-premises Active Directory using Azure AD Connect Sync.

-The following document will walk you through enabling group writeback.

-## Deployment Steps

-Group writeback requires enabling both the original and new versions of the feature. If the original version was previously enabled in your environment, you will only need to follow the first set of steps, as the second set of steps has already been completed.

->[!Note]

->It is recommended that you follow the [swing migration](how-to-upgrade-previous-version.md#swing-migration) method for rolling out the new group writeback feature in your environment. This method will provide a clear contingency plan in the event that a major rollback is necessary.

-

-### Step 1 - Enable group writeback using PowerShell

-1. On your Azure AD Connect server, open a PowerShell prompt as administrator.

-2. Disable the sync scheduler after verifying that no synchronization operations are running.

- ``` PowerShell

- Set-ADSyncScheduler -SyncCycleEnabled $false

- ```

-3. Import the ADSync module.

- ``` PowerShell

- Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1'

- ```

-4. Enable the group writeback feature for the tenant.

- ``` PowerShell

- Set-ADSyncAADCompanyFeature -GroupWritebackV2 $true

- ```

-5. Re-enable the Sync Scheduler.

- ``` PowerShell

- Set-ADSyncScheduler -SyncCycleEnabled $true

- ```

-### Step 2 ΓÇô Enable group writeback using Azure AD Connect wizard

-If the original version of group writeback was not previously enabled, continue with the following steps.

-1. On your Azure AD Connect server, open the Azure AD Connect wizard, select **Configure** and then click **Next**.

-2. Select **Customize synchronization options** and then click **Next**.

-3. On the **Connect to Azure AD page**, enter your credentials. Click **Next**.

-4. On the **Optional features** page, verify that the options you previously configured are still selected.

-5. Select **Group Writeback** and then click **Next**.

-6. On the **Writeback page**, select an Active Directory organizational unit (OU) to store objects that are synchronized from Microsoft 365 to your on-premises organization, and then click **Next**.

-7. On the **Ready to configure page**, click **Configure**.

-8. When the wizard is complete, click **Exit** on the Configuration complete page. Group Writeback will be automatically configured.

- >[!Note]

- >The following is performed automatically after the last step above. However, if you experience permission issues while exporting the object to AD then do the following:

- >

- >Open the Windows PowerShell as an Administrator on the Azure Active Directory Connect server, and run the following commands. This step is optional

- >

- >``` PowerShell

- >$AzureADConnectSWritebackAccountDN = <MSOL_ account DN>

- >Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

- >

- ># To grant the <MSOL_account> permission to all domains in the forest:

- >Set-ADSyncUnifiedGroupWritebackPermissions -ADConnectorAccountDN $AzureADConnectSWritebackAccountDN

- >

- ># To grant the <MSOL_account> permission to specific OU (eg. the OU chosen to writeback Office 365 Groups to):

- >$GroupWritebackOU = <DN of OU where groups are to be written back to>

- >Set-ADSyncUnifiedGroupWritebackPermissions ΓÇôADConnectorAccountDN $AzureADConnectSWritebackAccountDN -ADObjectDN $GroupWritebackOU

- >```

-To make it easier to find groups being written back from Azure AD to Active Directory, there's an option to write back the group distinguished name with the cloud display name.

-CN=Group_3a5c3221-c465-48c0-95b8-e9305786a271, OU=WritebackContainer, DC=domain, DC=comΓÇ»

-CN=Administrators_e9305786a271, OU=WritebackContainer, DC=domain, DC=comΓÇ»

-When configuring group writeback, there will be a checkbox at the bottom of the Group Writeback configuration window. Select the box to enable this feature.

->[!NOTE]

->Groups being written back from Azure AD to AD will have a source of authority of the cloud. This means any changes made on-premises to groups that are written back from Azure AD will be overwritten on the next sync cycle.

-## Next steps:

-

-

-

-

-

-

-

-

-description: This article describes Group Writeback in Azure AD Connect.

-Group writeback allows you to write cloud groups back to your on-premises Active Directory using Azure AD Connect Sync. This feature enables you to manage groups in the cloud, while controlling access to on-premises applications and resources.

-There are two versions of group writeback. The original version is in general availability and is limited to writing back Microsoft 365 groups to your on-premises Active Directory as distribution groups. The new, expanded version of group writeback is in public preview and enables the following capabilities:

-The new version is only available in the [Azure AD Connect version 2.0.89.0 or later](https://www.microsoft.com/download/details.aspx?id=47594). or later and must be enabled in addition to the original version.

-The following document will walk you through what you need to know before you enable group writeback for your tenant.

-

-## Plan your implementation

-There are a few activities that you'll want to complete before enabling the latest public preview of group writeback. These activities include discovering your current configuration, verifying the prerequisites, and choosing the deployment approach.

-## Discovery

-The following sections describe various methods of discovery and how you can discover if group writeback in enabled.

-### Discover if group writeback is enabled in your environment

-To discover if Azure AD Connect group writeback is already enabled in your environment, use the `Get-ADSyncAADCompanyFeature` PowerShell cmdlet.

-The cmdlet is part of the [ADSync PowerShell](reference-connect-adsync.md) module that is installed with Azure AD Connect.

- [](media/how-to-connect-group-writeback/powershell-1.png#lightbox)

-The `UnifiedGroupWriteback` refers to the original version, while `GroupWritebackV2` refers to the new version.

-A value of **False** indicates that the feature is not enabled.

-### Discover the current writeback settings for existing Microsoft 365 groups

-You can view the existing writeback settings on Microsoft 365 groups in the portal. Navigate to the group and select its properties. You can see the Group write-back state on the group.

- [](media/how-to-connect-group-writeback/group-2.png#lightbox)

-You can also view the writeback state via MS Graph: [Get group](/graph/api/group-get?tabs=http&view=graph-rest-beta)

- Example: `GET https://graph.microsoft.com/beta/groups?$filter=groupTypes/any(c:c eq 'Unified')&$select=id,displayName,writebackConfiguration`

- - If isEnabled is null or true, the group will be written back.

- - If isEnabled is false, the group won't be written back.

-Finally, you can also view the writeback state via PowerShell using the [Microsoft Identity Tools PowerShell Module](https://www.powershellgallery.com/packages/MSIdentityTools/2.0.16)

- Example: `Get-mggroup -filter "groupTypes/any(c:c eq 'Unified')" | Get-MsIdGroupWritebackConfiguration`

-### Discover the default writeback setting for newly created Microsoft 365 groups

-For groups that haven't been created yet, you can view whether or not they're going to be automatically written back.

-To see the default behavior in your environment for newly created groups use MS Graph: [directorySetting](/graph/api/resources/directorysetting?view=graph-rest-beta)

- Example: `GET https://graph.microsoft.com/beta/Settings`

- If a `directorySetting` named **Group.Unified** doesn't exist, the default directory setting is applied and newly created Microsoft 365 groups **will automatically** be written back.

- If a `directorySetting` named **Group.Unified** exists with a `NewUnifiedGroupWritebackDefault` value of **false**, Microsoft 365 groups **won't automatically** be enabled for write-back when they're created. If the value is not specified or it is set to true, newly created Microsoft 365 groups **will automatically** be written back.

-You can also use the PowerShell cmdlet [AzureADDirectorySetting](../enterprise-users/groups-settings-cmdlets.md)

- Example: `(Get-AzureADDirectorySetting | ? { $_.DisplayName -eq "Group.Unified"} | FL *).values`

- If nothing is returned, you are using the default directory settings, and newly created Microsoft 365 groups **will automatically** be written back.

- If a `directorySetting` is returned with a `NewUnifiedGroupWritebackDefault` value of **false**, Microsoft 365 groups **won't automatically** be enabled for write-back when they're created. If the value is not specified or it is set to **true**, newly created Microsoft 365 groups **will automatically** be written back.

-### Discover if AD has been prepared for Exchange

-To verify if Active Directory has been prepared for Exchange, see [Prepare Active Directory and domains for Exchange Server, Active Directory Exchange Server, Exchange Server Active Directory, Exchange 2019 Active Directory](/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019#how-do-you-know-this-worked)

-## Public preview prerequisites

-The following are prerequisites for group writeback.

- - An Azure AD Premium 1 license

- - Azure AD Connect version 2.0.89.0 or later

- - **Optional**: Exchange Server 2016 CU15 or later

- - Only needed for configuring cloud groups with Exchange Hybrid.

- - See [Configure Microsoft 365 Groups with on-premises Exchange hybrid](/exchange/hybrid-deployment/set-up-microsoft-365-groups#prerequisites) for more information.

- - If you haven't [prepared AD for Exchange](/Exchange/plan-and-deploy/prepare-ad-and-domains?view=exchserver-2019), mail related attributes of groups won't be written back.

-## Choosing the right approach

-Choosing the right deployment approach for your organization will depend on the current state of group writeback in your environment and the desired writeback behavior.

-When enabling group writeback, the following default behavior will be experienced:

-To keep the default behavior, continue to the [enable group writeback](how-to-connect-group-writeback-enable.md) article.

-The default behavior can be modified as follows:

-If you plan to make changes to the default behavior, we recommend that you do so prior to enabling group writeback. However, you can still modify the default behavior, if group writeback is already enabled. To modify the default behavior, see [Modifying group writeback](how-to-connect-modify-group-writeback.md).

-

- ## Public preview limitationsΓÇ»

-While this release has undergone extensive testing, you may still encounter issues. One of the goals of this public preview release is to find and fix any such issues before moving to General Availability.ΓÇ» While support is provided for this public preview release, Microsoft may not always be able to fix all issues you may encounter immediately. For this reason, it's recommended that you use your best judgment before deploying this release in your production environment.ΓÇ» Limitations and known issues specific to Group writeback:

-

-

-## Next steps:

-Group writeback is the feature that allows you to write cloud groups back to your on-premises Active Directory using Azure AD Connect Sync. You can change the default behavior in the following ways:

- - Only groups that are configured for write-back will be written back, including newly created Microsoft 365 groups.

- - Groups that are written back will be deleted in AD when they're either disabled for group writeback, soft deleted, or hard deleted in Azure AD.

- - Microsoft 365 groups with up to 250,000 members can be written back to on-premises.

-The following document will walk you through deploying the options for modifying the default behaviors of Azure AD Connect group writeback.

-If the original version of group writeback is already enabled and in use in your environment, then all your Microsoft 365 groups have already been written back to AD. Instead of disabling all Microsoft 365 groups, you'll want to review any use of the previously written back groups, and disable only those that are no longer needed in on-premises AD.

- 1. To configure directory settings to disable automatic writeback of newly created Microsoft 365 groups, update the `NewUnifiedGroupWritebackDefault` setting to false.

- 2. To do this via PowerShell, use the: [New-AzureADDirectorySetting](../enterprise-users/groups-settings-cmdlets.md) cmdlet.

- Example:

- ```PowerShell

- $TemplateId = (Get-AzureADDirectorySettingTemplate | where {$_.DisplayName -eq "Group.Unified" }).Id

- $Template = Get-AzureADDirectorySettingTemplate | where -Property Id -Value $TemplateId -EQ

- $Setting = $Template.CreateDirectorySetting()

- $Setting["NewUnifiedGroupWritebackDefault"] = "False"

- New-AzureADDirectorySetting -DirectorySetting $Setting

- ```

- 3. Via MS Graph: [directorySetting](/graph/api/resources/directorysetting?view=graph-rest-beta)

-### Disable writeback for each existing Microsoft 365 group.

- Example: `Get-mggroup -filter "groupTypes/any(c:c eq 'Unified')" | Update-MsIdGroupWritebackConfiguration -WriteBackEnabled $false`

-

-## Delete groups when disabled for writeback or soft deleted

->[!Note]

->After deletion in AD, written back groups are not automatically restored from the AD recycle bin, if they're re-enabled for writeback or restored from soft delete state. New groups will be created. Deleted groups restored from the AD recycle bin, prior to being re-enabled for writeback or restored from soft delete state in Azure AD, will be joined to their respective Azure AD group.

- 1. On your Azure AD Connect server, open a PowerShell prompt as administrator.

- 2. Disable [Azure AD Connect sync scheduler](./how-to-connect-sync-feature-scheduler.md)

- ``` PowerShell

- Set-ADSyncScheduler -SyncCycleEnabled $false

- ```

-3. Create a custom synchronization rule in Azure AD Connect to delete written back groups when they're disabled for writeback or soft deleted

- ```PowerShell

- import-module ADSync

- $precedenceValue = Read-Host -Prompt "Enter a unique sync rule precedence value [0-99]"

- New-ADSyncRule `

- -Name 'In from AAD - Group SOAinAAD Delete WriteBackOutOfScope and SoftDelete' `

- -Identifier 'cb871f2d-0f01-4c32-a333-ff809145b947' `

- -Description 'Delete AD groups that fall out of scope of Group Writeback or get Soft Deleted in Azure AD' `

- -Direction 'Inbound' `

- -Precedence $precedenceValue `

- -PrecedenceAfter '00000000-0000-0000-0000-000000000000' `

- -PrecedenceBefore '00000000-0000-0000-0000-000000000000' `

- -SourceObjectType 'group' `

- -TargetObjectType 'group' `

- -Connector 'b891884f-051e-4a83-95af-2544101c9083' `

- -LinkType 'Join' `

- -SoftDeleteExpiryInterval 0 `

- -ImmutableTag '' `

- -OutVariable syncRule

- Add-ADSyncAttributeFlowMapping `

- -SynchronizationRule $syncRule[0] `

- -Destination 'reasonFiltered' `

- -FlowType 'Expression' `

- -ValueMergeType 'Update' `

- -Expression 'IIF((IsPresent([reasonFiltered]) = True) && (InStr([reasonFiltered], "WriteBackOutOfScope") > 0 || InStr([reasonFiltered], "SoftDelete") > 0), "DeleteThisGroupInAD", [reasonFiltered])' `

- -OutVariable syncRule

- New-Object `

- -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `

- -ArgumentList 'cloudMastered','true','EQUAL' `

- -OutVariable condition0

- Add-ADSyncScopeConditionGroup `

- -SynchronizationRule $syncRule[0] `

- -ScopeConditions @($condition0[0]) `

- -OutVariable syncRule

- New-Object `

- -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.JoinCondition' `

- -ArgumentList 'cloudAnchor','cloudAnchor',$false `

- -OutVariable condition0

- Add-ADSyncJoinConditionGroup `

- -SynchronizationRule $syncRule[0] `

- -JoinConditions @($condition0[0]) `

- -OutVariable syncRule

- Add-ADSyncRule `

- -SynchronizationRule $syncRule[0]

- Get-ADSyncRule `

- -Identifier 'cb871f2d-0f01-4c32-a333-ff809145b947'

- ```

-4. [Enable group writeback](how-to-connect-group-writeback-enable.md)

-5. Enable Azure AD Connect sync scheduler

- ``` PowerShell

- Set-ADSyncScheduler -SyncCycleEnabled $true

- ```

->[!Note]

->Creating the synchronization rule will set the Full Synchronization flag to 'true' on the Azure Active Directory Connector, causing the rule changes to propagate through on the next synchronization cycle.

-## Writeback Microsoft 365 groups with up to 250,000 members

-Since the default sync rule, that limits the group size, is created when group writeback is enabled, the following steps must be completed after group writeback is enabled.

-1. On your Azure AD Connect server, open a PowerShell prompt as administrator.

-2. Disable [Azure AD Connect sync scheduler](./how-to-connect-sync-feature-scheduler.md)

- ``` PowerShell

- Set-ADSyncScheduler -SyncCycleEnabled $false

- ```

-3. Open the [synchronization rule editor](./how-to-connect-create-custom-sync-rule.md)

-4. Set the Direction to Outbound

-5. Locate and disable the ΓÇÿOut to AD ΓÇô Group Writeback Member LimitΓÇÖ synchronization rule

-6. Enable Azure AD Connect sync scheduler

-``` PowerShell

- Set-ADSyncScheduler -SyncCycleEnabled $true

-```

->[!Note]

->Disabling the synchronization rule will set the Full Synchronization flag to 'true' on the Active Directory Connector, causing the rule changes to propagate through on the next synchronization cycle.

-## Restoring from AD Recycle Bin

-If you're updating the default behavior to delete groups when disabled for writeback or soft deleted, we recommend that you enable the [Active Directory Recycle Bin](./how-to-connect-sync-recycle-bin.md) feature for your on-premises instances of Active Directory. This feature will allow you to manually restore previously deleted AD groups, so that they can be rejoined to their respective Azure AD groups, if they were accidentally disabled for writeback or soft deleted.

-Prior to re-enabling for writeback, or restoring from soft delete in Azure AD, the group will first need to be restored in AD.

-## Next steps:

-This topic describes the different methods that you can use to upgrade your Azure Active Directory (Azure AD) Connect installation to the latest release. You also use the steps in the [Swing migration](#swing-migration) section when you make a substantial configuration change.

-> It is important that you keep your servers current with the latest releases of Azure AD Connect. We are constantly making upgrades to AADConnect, and these upgrades include fixes to security issues and bugs, as well as serviceability, performance and scalability improvements.

->[!NOTE]

-> It is currently supported to upgrade from any version of Azure AD Connect to the current version. In-place upgrades of DirSync or ADSync are not supported and a swing migration is required. If you want to upgrade from DirSync, see [Upgrade from Azure AD sync tool (DirSync)](how-to-dirsync-upgrade-get-started.md) or the [Swing migration](#swing-migration) section. </br>In practice, customers on extremely old versions may encounter problems not directly related to Azure AD Connect. Servers that have been in production for several years, typically have had several patches applied to them and not all of these can be accounted for. Generally, customers who have not upgraded in 12-18 months should consider a swing upgrade instead as this is the most conservative and least risky option.

-If you want to upgrade from DirSync, see [Upgrade from Azure AD sync tool (DirSync)](how-to-dirsync-upgrade-get-started.md) instead.

-| Method | Description |

-| | |

-| [Automatic upgrade](how-to-connect-install-automatic-upgrade.md) |This is the easiest method for customers with an express installation. |

-| [In-place upgrade](#in-place-upgrade) |If you have a single server, you can upgrade the installation in-place on the same server. |

-| [Swing migration](#swing-migration) |With two servers, you can prepare one of the servers with the new release or configuration, and change the active server when you're ready. |

-> After you've enabled your new Azure AD Connect server to start synchronizing changes to Azure AD, you must not roll back to using DirSync or Azure AD Sync. Downgrading from Azure AD Connect to legacy clients, including DirSync and Azure AD Sync, isn't supported and can lead to issues such as data loss in Azure AD.

-An in-place upgrade works for moving from Azure AD Sync or Azure AD Connect. It doesn't work for moving from DirSync or for a solution with Forefront Identity Manager (FIM) + Azure AD Connector.

-This method is preferred when you have a single server and less than about 100,000 objects. If there are any changes to the out-of-box sync rules, a full import and full synchronization occur after the upgrade. This method ensures that the new configuration is applied to all existing objects in the system. This run might take a few hours, depending on the number of objects that are in scope of the sync engine. The normal delta synchronization scheduler (which synchronizes every 30 minutes by default) is suspended, but password synchronization continues. You might consider doing the in-place upgrade during a weekend. If there are no changes to the out-of-box configuration with the new Azure AD Connect release, then a normal delta import/sync starts instead.

-If you've made changes to the out-of-box synchronization rules, then these rules are set back to the default configuration on upgrade. To make sure that your configuration is kept between upgrades, make sure that you make changes as they're described in [Best practices for changing the default configuration](how-to-connect-sync-best-practices-changing-default-configuration.md).

-If you are using Azure AD Connect with non-standard connector (for example, Generic LDAP Connector and Generic SQL Connector), you must refresh the corresponding connector configuration in the [Synchronization Service Manager](./how-to-connect-sync-service-manager-ui-connectors.md) after in-place upgrade. For details on how to refresh the connector configuration, refer to article section [Connector Version Release History - Troubleshooting](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-version-history#troubleshooting). If you do not refresh the configuration, import and export run steps will not work correctly for the connector. You will receive the following error in the application event log with message *"Assembly version in AAD Connector configuration ("X.X.XXX.X") is earlier than the actual version ("X.X.XXX.X") of "C:\Program Files\Microsoft Azure AD Sync\Extensions\Microsoft.IAM.Connector.GenericLdap.dll".*

-If you have a complex deployment or many objects, or if you need to upgrade the Windows Server operating system, it might be impractical to do an in-place upgrade on the live system. For some customers, this process might take multiple days--and during this time, no delta changes are processed. You can also use this method when you plan to make substantial changes to your configuration and you want to try them out before they're pushed to the cloud.

-The recommended method for these scenarios is to use a swing migration. You need (at least) two servers--one active server and one staging server. The active server (shown with solid blue lines in the following picture) is responsible for the active production load. The staging server (shown with dashed purple lines) is prepared with the new release or configuration. When it's fully ready, this server is made active. The previous active server, which now has the old version or configuration installed, is made into the staging server and is upgraded.

-The two servers can use different versions. For example, the active server that you plan to decommission can use Azure AD Sync, and the new staging server can use Azure AD Connect. If you use swing migration to develop a new configuration, it's a good idea to have the same versions on the two servers.

-

-> Some customers prefer to have three or four servers for this scenario. When the staging server is upgraded, you don't have a backup server for [disaster recovery](how-to-connect-sync-staging-server.md#disaster-recovery). With three or four servers, you can prepare one set of primary/standby servers with the new version, which ensures that there is always a staging server that's ready to take over.

-1. If you use Azure AD Connect on both servers and plan to only make a configuration change, make sure that your active server and staging server are both using the same version. That makes it easier to compare differences later. If you're upgrading from Azure AD Sync, then these servers have different versions. If you're upgrading from an older version of Azure AD Connect, it's a good idea to start with the two servers that are using the same version, but it's not required.

-2. If you've made a custom configuration and your staging server doesn't have it, follow the steps under [Move a custom configuration from the active server to the staging server](#move-a-custom-configuration-from-the-active-server-to-the-staging-server).

-3. If you're upgrading from an earlier release of Azure AD Connect, upgrade the staging server to the latest version. If you're moving from Azure AD Sync, then install Azure AD Connect on your staging server.

-4. Let the sync engine run full import and full synchronization on your staging server.

-5. Verify that the new configuration didn't cause any unexpected changes by using the steps under "Verify" in [Verify the configuration of a server](how-to-connect-sync-staging-server.md#verify-the-configuration-of-a-server). If something isn't as expected, correct it, run the import and sync, and verify the data until it looks good, by following the steps.

-6. Switch the staging server to be the active server. This is the final step "Switch active server" in [Verify the configuration of a server](how-to-connect-sync-staging-server.md#verify-the-configuration-of-a-server).

-7. If you're upgrading Azure AD Connect, upgrade the server that's now in staging mode to the latest release. Follow the same steps as before to get the data and configuration upgraded. If you upgraded from Azure AD Sync, you can now turn off and decommission your old server.

-### Move a custom configuration from the active server to the staging server

-If you've made configuration changes to the active server, you need to make sure that the same changes are applied to the staging server. To help with this move, you can use the [Azure AD Connect configuration documenter](https://github.com/Microsoft/AADConnectConfigDocumenter).

-You can move the custom sync rules that you've created by using PowerShell. You must apply other changes the same way on both systems, and you can't migrate the changes. The [configuration documenter](https://github.com/Microsoft/AADConnectConfigDocumenter) can help you comparing the two systems to make sure they are identical. The tool can also help in automating the steps found in this section.

-You need to configure the following things the same way on both servers:

-**Move custom synchronization rules**

-To move custom synchronization rules, do the following:

-2. Select a custom rule. Click **Export**. This brings up a Notepad window. Save the temporary file with a PS1 extension. This makes it a PowerShell script. Copy the PS1 file to the staging server.

- 

-3. The Connector GUID is different on the staging server, and you must change it. To get the GUID, start **Synchronization Rules Editor**, select one of the out-of-box rules that represent the same connected system, and click **Export**. Replace the GUID in your PS1 file with the GUID from the staging server.

-There may be situations where you do not want these overrides to take place immediately after upgrade. For example, you have numerous synchronized objects and you would like these synchronization steps to occur after business hours. To remove these overrides:

- > The overrides are connector-specific. In the following example, Full Import step and Full Synchronization step have been added to both the on-premises AD Connector and Azure AD Connector.

-If you need to upgrade the operating system of your Azure AD Connect server, do not use an in place upgrade of the OS. Instead, prepare a new server with the desired operating system and perform [a swing migration](#swing-migration).

-When you upgrade Azure AD Connect from a previous version, you might hit following error at the beginning of the upgrade

-The reason that this occurs is because the current Azure AD Connect configuration is not supported for upgrade.

-> [!IMPORTANT]

-> Administrative units support for devices is currently in PREVIEW.

-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

-Use the [Add-AzureADMSAdministrativeUnitMember](/powershell/module/azuread/add-azureadmsadministrativeunitmember) command to add users or groups to an administrative unit.

-Use the [Add-AzureADMSAdministrativeUnitMember (Preview)](/powershell/module/azuread/add-azureadmsadministrativeunitmember?view=azureadps-2.0-preview&preserve-view=true) command to add devices to an administrative unit.

-Use the [New-AzureADMSAdministrativeUnitMember (Preview)](/powershell/module/azuread/new-azureadmsadministrativeunitmember) to create a new group in an administrative unit. Currently, only group creation is supported with this command.

-$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"

-$userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@example.com'"

-Add-AzureADMSAdministrativeUnitMember -Id $adminUnitObj.Id -RefObjectId $userObj.ObjectId

-$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"

-$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"

-Add-AzureADMSAdministrativeUnitMember -Id $adminUnitObj.Id -RefObjectId $groupObj.ObjectId

-$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"

-$deviceObj = Get-AzureADDevice -Filter "displayname eq 'TestDevice'"

-Add-AzureADMSAdministrativeUnitMember -Id $adminUnitObj.Id -RefObjectId $deviceObj.ObjectId

-$exampleGroup = New-AzureADMSAdministrativeUnitMember -Id "<admin unit object id>" -OdataType "Microsoft.Graph.Group" -DisplayName "<Example group name>" -Description "<Example group description>" -MailEnabled $True -MailNickname "<examplegroup>" -SecurityEnabled $False -GroupTypes @("Unified")

-Use the [Add a member](/graph/api/administrativeunit-post-members) API to add users or groups to an administrative unit.

-Use the [Add a member (Beta)](/graph/api/administrativeunit-post-members?view=graph-rest-beta&preserve-view=true) API to add devices to an administrative unit or create a new group in an administrative unit.

-POST https://graph.microsoft.com/beta/administrativeUnits/{admin-unit-id}/members/$ref

- "@odata.id":"https://graph.microsoft.com/beta/devices/{device-id}"

-POST https://graph.microsoft.com/beta/administrativeUnits/{admin-unit-id}/members/

-Before you can migrate to self-hosted gateway v2, you need to ensure your infrastructure [meets the requirements](self-hosted-gateway-overview.md#gateway-v2-requirements).

-| v2 | `{name}.configuration.azure-api.net` | Yes | [Link](self-hosted-gateway-overview.md#gateway-v2-requirements) |

-| v1 | `{name}.management.azure-api.net/subscriptions/{sub-id}/resourceGroups/{rg-name}/providers/Microsoft.ApiManagement/service/{name}?api-version=2021-01-01-preview` | No | [Link](self-hosted-gateway-overview.md#gateway-v1-requirements) |

-If integrated with your API Management instance, also enable outbound connectivity to the associated public IP addresses, ports, and hostnames for:

-* [Event Hubs](api-management-howto-log-event-hubs.md)

-* [Application Insights](api-management-howto-app-insights.md)

-* [External cache](api-management-howto-cache-external.md)

-#### Gateway v2 requirements

-The self-hosted gateway v2 requires the following:

-* The public IP address of the API Management instance in its primary location

-* The hostname of the instance's configuration endpoint: `<apim-service-name>.configuration.azure-api.net`

-Additionally, customers that use API inspector or quotas in their policies have to ensure that the following dependencies are accessible:

-* The hostname of the instance's associated blob storage account: `<blob-storage-account-name>.blob.core.windows.net`

-* The hostname of the instance's associated table storage account: `<table-storage-account-name>.table.core.windows.net`

-* Public IP addresses from the Storage [service tag](../virtual-network/service-tags-overview.md) corresponding to the primary location of the API Management instance

-#### Gateway v1 requirements

-The self-hosted gateway v1 requires the following:

-* The public IP address of the API Management instance in its primary location

-* The hostname of the instance's management endpoint: `<apim-service-name>.management.azure-api.net`

-* The hostname of the instance's associated blob storage account: `<blob-storage-account-name>.blob.core.windows.net`

-* The hostname of the instance's associated table storage account: `<table-storage-account-name>.table.core.windows.net`

-* Public IP addresses from the Storage [service tag](../virtual-network/service-tags-overview.md) corresponding to the primary location of the API Management instance

-1. Under **Hosting details**, type a globally unique name for your web app and choose **Linux** for **Operating System**. Select **Basic** for **Hosting plan**. Select **Compare plans** to view features and price comparisons. See the table below for app and database SKUs for given hosting plans. You can view [hosting plans details in the announcement](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/announcing-the-general-availability-of-wordpress-on-azure-app/ba-p/3593481). For pricing, visit [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/linux/) and [Azure Database for MySQL pricing](https://azure.microsoft.com/pricing/details/mysql/flexible-server/).

-If the deletion process hangs, use the following command to force deletion (adding `-y` if you want to bypass the confirmation prompt):

-Advance to the next tutorial to learn how to implement CI/CD with GitOps.

-> [Implement CI/CD with GitOps](./tutorial-gitops-flux2-ci-cd.md)

-import logging

-import json

-[Auto-Instrumentation](codeless-overview.md) is the preferred instrumentation method. It requires no developer investment and eliminates future overhead related to [updating the SDK](sdk-support-guidance.md). It's the only way to instrument an application in which you don't have access to the source code.

-Refer to the decision tree below to see what is available to instrument your app.

-Links:

-Links:

-Links:

-Links:

-You can expand the datastore capacity by connecting Azure disk pools or [Azure NetApp Files datastores](attach-azure-netapp-files-to-azure-vmware-solution-hosts.md). Azure NetApp Files is available in Ultra, [Premium and Standard performance tiers](/azure/azure-netapp-files/azure-netapp-files-service-levels) to allow adjusting the performance and cost to the requirements of the workloads.

- - Your Active Directory Domain Controller(s) must have LDAPS enabled with a valid certificate. The certificate could be issued by an [Active Directory Certificate Services Certificate Authority (CA)](https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx) or a [third-party CA](https://docs.microsoft.com/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority).

-When the request support details are received, quota will be reserved for a stretched cluster environment in the region requested. The subscription gets enabled to deploy a stretched cluster SDDC through the Azure portal. A confirmation email will be sent to the designated point of contact within two business days upon which you should be able to [self-deploy a stretched cluster private cloud via the Azure portal](https://docs.microsoft.com/azure/azure-vmware/tutorial-create-private-cloud?tabs=azure-portal#create-a-private-cloud). Be sure to select **Hosts in two availability zones** to ensure that a stretched cluster gets deployed in the region of your choice.

-Once the private cloud is created, you can peer both availability zones (AZs) to your on-premises ExpressRoute circuit with Global Reach that helps connect your on-premises data center to the private cloud. Peering both the AZs will ensure that an AZ failure doesn't result in a loss of connectivity to your private cloud. Since an ExpressRoute Auth Key is valid for only one connection, repeat the [Create an ExpressRoute auth key in the on-premises ExpressRoute circuit](https://docs.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud#create-an-expressroute-auth-key-in-the-on-premises-expressroute-circuit) process to generate another authorization.

-Next, repeat the process to [peer ExpressRoute Global Reach](https://docs.microsoft.com/azure/azure-vmware/tutorial-expressroute-global-reach-private-cloud#peer-private-cloud-to-on-premises) two availability zones to the on-premises ExpressRoute circuit.

- 1. Under **Data science**, select **Dsvm Windows** as the operating system.

- "threshold": 13.00,

-| `threshold` | float| Events are egressed when the person is greater than this number of pixels inside the zone. |

- "threshold": 13.00,

-| `threshold` | float| Events are egressed when the person is greater than this number of pixels inside the zone. The default value is 13. This is the recommended value to achieve maximum accuracy. |

- "threshold": 38.00,

- "threshold": 13.00,

-| `threshold` | float| Events are egressed when the person is greater than this number of pixels inside the zone. The default value is 38 when the type is `zonecrossing` and 13 when time is `DwellTime`. These are the recommended values to achieve maximum accuracy. |

- "aggregation_method": "average"

- "threshold": 13.00,

-| `threshold` | float| Events are egressed when the person is greater than this number of pixels inside the zone. |

- "threshold": 13.00,

- "threshold": 13.00,

- "threshold": 13.00,

- "threshold": 38.00,

- "threshold": 13.00,

-description: Batch transcription is ideal if you want to transcribe a large quantity of audio in storage, such as Azure blobs. By using the dedicated REST API, you can point to audio files with a shared access signature (SAS) URI, and asynchronously receive transcriptions.

-# How to use batch transcription

-Batch transcription is a set of REST API operations that enables you to transcribe a large amount of audio in storage. You can point to audio files by using a typical URI or a [shared access signature (SAS)](../../storage/common/storage-sas-overview.md) URI, and asynchronously receive transcription results. With the v3.0 API, you can transcribe one or more audio files, or process a whole storage container.

-You can use batch transcription REST APIs to call the following methods:

-| Batch transcription operation | Method | REST API call |

-||--|-|

-| Creates a new transcription. | POST | speechtotext/v3.0/transcriptions |

-| Retrieves a list of transcriptions for the authenticated subscription. | GET | speechtotext/v3.0/transcriptions |

-| Gets a list of supported locales for offline transcriptions. | GET | speechtotext/v3.0/transcriptions/locales |

-| Updates the mutable details of the transcription identified by its ID. | PATCH | speechtotext/v3.0/transcriptions/{id} |

-| Deletes the specified transcription task. | DELETE | speechtotext/v3.0/transcriptions/{id} |

-| Gets the transcription identified by the specified ID. | GET | speechtotext/v3.0/transcriptions/{id} |

-| Gets the result files of the transcription identified by the specified ID. | GET | speechtotext/v3.0/transcriptions/{id}/files |

-For more information, see the [Speech-to-text REST API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0) reference documentation.

-Batch transcription jobs are scheduled on a best-effort basis. You can't estimate when a job will change into the running state, but it should happen within minutes under normal system load. When the job is in the running state, the transcription occurs faster than the audio runtime playback speed.

-## Prerequisites

-As with all features of the Speech service, you create a Speech resource from the [Azure portal](https://portal.azure.com).

-If you plan to customize models, follow the steps in [Acoustic customization](./how-to-custom-speech-train-model.md) and [Language customization](./how-to-custom-speech-train-model.md). To use the created models in batch transcription, you need their model location. You can retrieve the model location when you inspect the details of the model (the `self` property). A deployed custom endpoint isn't needed for the batch transcription service.

->[!NOTE]

-> As a part of the REST API, batch transcription has a set of [quotas and limits](speech-services-quotas-and-limits.md#batch-transcription). It's a good idea to review these. To take full advantage of the ability to efficiently transcribe a large number of audio files, send multiple files per request or point to an Azure Blob Storage container with the audio files to transcribe. The service transcribes the files concurrently, which reduces the turnaround time. For more information, see the [Configuration](#configuration) section of this article.

-## Batch transcription API

-The batch transcription API supports the following formats:

-| Format | Codec | Bits per sample | Sample rate |

-|--|-|||

-| WAV | PCM | 16-bit | 8 kHz or 16 kHz, mono or stereo |

-| MP3 | PCM | 16-bit | 8 kHz or 16 kHz, mono or stereo |

-| OGG | OPUS | 16-bit | 8 kHz or 16 kHz, mono or stereo |

-For stereo audio streams, the left and right channels are split during the transcription. A JSON result file is created for each channel. To create an ordered final transcript, use the timestamps that are generated per utterance.

-### Configuration

-Configuration parameters are provided as JSON. You can transcribe one or more individual files, process a whole storage container, and use a custom trained model in a batch transcription.

-If you have more than one file to transcribe, it's a good idea to send multiple files in one request. The following example uses three files:

-```json

-{

- "contentUrls": [

- "<URL to an audio file 1 to transcribe>",

- "<URL to an audio file 2 to transcribe>",

- "<URL to an audio file 3 to transcribe>"

- ],

- "properties": {

- "wordLevelTimestampsEnabled": true

- },

- "locale": "en-US",

- "displayName": "Transcription of file using default model for en-US"

-}

-```

-To process a whole storage container, you can make the following configurations. Container [SAS](../../storage/common/storage-sas-overview.md) should contain `r` (read) and `l` (list) permissions:

-```json

-{

- "contentContainerUrl": "<SAS URL to the Azure blob container to transcribe>",

- "properties": {

- "wordLevelTimestampsEnabled": true

- },

- "locale": "en-US",

- "displayName": "Transcription of container using default model for en-US"

-}

-```

-Here's an example of using a custom trained model in a batch transcription. This example uses three files:

-```json

-{

- "contentUrls": [

- "<URL to an audio file 1 to transcribe>",

- "<URL to an audio file 2 to transcribe>",

- "<URL to an audio file 3 to transcribe>"

- ],

- "properties": {

- "wordLevelTimestampsEnabled": true

- },

- "locale": "en-US",

- "model": {

- "self": "https://westus.api.cognitive.microsoft.com/speechtotext/v3.0/models/{id}"

- },

- "displayName": "Transcription of file using default model for en-US"

-}

-```

-### Configuration properties

-Use these optional properties to configure transcription:

- :::column span="1":::

- **Parameter**

- :::column-end:::

- :::column span="2":::

- **Description**

- :::column span="1":::

- `profanityFilterMode`

- :::column-end:::

- :::column span="2":::

- Optional, defaults to `Masked`. Specifies how to handle profanity in recognition results. Accepted values are `None` to disable profanity filtering, `Masked` to replace profanity with asterisks, `Removed` to remove all profanity from the result, or `Tags` to add profanity tags.

- :::column span="1":::

- `punctuationMode`

- :::column-end:::

- :::column span="2":::

- Optional, defaults to `DictatedAndAutomatic`. Specifies how to handle punctuation in recognition results. Accepted values are `None` to disable punctuation, `Dictated` to imply explicit (spoken) punctuation, `Automatic` to let the decoder deal with punctuation, or `DictatedAndAutomatic` to use dictated and automatic punctuation.

- :::column span="1":::

- `wordLevelTimestampsEnabled`

- :::column-end:::

- :::column span="2":::

- Optional, `false` by default. Specifies if word level timestamps should be added to the output.

- :::column span="1":::

- `diarizationEnabled`

- :::column-end:::

- :::column span="2":::

- Optional, `false` by default. Specifies that diarization analysis should be carried out on the input, which is expected to be a mono channel that contains two voices. Requires `wordLevelTimestampsEnabled` to be set to `true`.

- :::column span="1":::

- `channels`

- :::column-end:::

- :::column span="2":::

- Optional, `0` and `1` transcribed by default. An array of channel numbers to process. Here, a subset of the available channels in the audio file can be specified to be processed (for example `0` only).

- :::column span="1":::

- `timeToLive`

- :::column-end:::

- :::column span="2":::

- Optional, no deletion by default. A duration to automatically delete transcriptions after completing the transcription. The `timeToLive` is useful in mass processing transcriptions to ensure they will be eventually deleted (for example, `PT12H` for 12 hours).

- :::column span="1":::

- `destinationContainerUrl`

- :::column-end:::

- :::column span="2":::

- Optional URL with [ad hoc SAS](../../storage/common/storage-sas-overview.md) to a writeable container in Azure. The result is stored in this container. SAS with stored access policies isn't supported. If you don't specify a container, Microsoft stores the results in a storage container managed by Microsoft. When the transcription is deleted by calling [Delete transcription](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/DeleteTranscription), the result data is also deleted.

-### Storage

-Batch transcription can read audio from a public-visible internet URI,

-and can read audio or write transcriptions by using a SAS URI with [Blob Storage](../../storage/blobs/storage-blobs-overview.md).

-## Batch transcription result

-For each audio input, one transcription result file is created. The [Get transcriptions files](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetTranscriptionFiles) operation returns a list of result files for this transcription. The only way to confirm the audio input for a transcription, is to check the `source` field in the transcription result file.

-Each transcription result file has this format:

-```json

-{

- "source": "...", // sas url of a given contentUrl or the path relative to the root of a given container

- "timestamp": "2020-06-16T09:30:21Z", // creation time of the transcription, ISO 8601 encoded timestamp, combined date and time

- "durationInTicks": 41200000, // total audio duration in ticks (1 tick is 100 nanoseconds)

- "duration": "PT4.12S", // total audio duration, ISO 8601 encoded duration

- "combinedRecognizedPhrases": [ // concatenated results for simple access in single string for each channel

- {

- "channel": 0, // channel number of the concatenated results

- "lexical": "hello world",

- "itn": "hello world",

- "maskedITN": "hello world",

- "display": "Hello world."

- }

- ],

- "recognizedPhrases": [ // results for each phrase and each channel individually

- {

- "recognitionStatus": "Success", // recognition state, e.g. "Success", "Failure"

- "speaker": 1, // if `diarizationEnabled` is `true`, this is the identified speaker (1 or 2), otherwise this property is not present

- "channel": 0, // channel number of the result

- "offset": "PT0.07S", // offset in audio of this phrase, ISO 8601 encoded duration

- "duration": "PT1.59S", // audio duration of this phrase, ISO 8601 encoded duration

- "offsetInTicks": 700000.0, // offset in audio of this phrase in ticks (1 tick is 100 nanoseconds)

- "durationInTicks": 15900000.0, // audio duration of this phrase in ticks (1 tick is 100 nanoseconds)

- // possible transcriptions of the current phrase with confidences

- "nBest": [

- {

- "confidence": 0.898652852, // confidence value for the recognition of the whole phrase

- "lexical": "hello world",

- "itn": "hello world",

- "maskedITN": "hello world",

- "display": "Hello world.",

- // if wordLevelTimestampsEnabled is `true`, there will be a result for each word of the phrase, otherwise this property is not present

- "words": [

- {

- "word": "hello",

- "offset": "PT0.09S",

- "duration": "PT0.48S",

- "offsetInTicks": 900000.0,

- "durationInTicks": 4800000.0,

- "confidence": 0.987572

- },

- {

- "word": "world",

- "offset": "PT0.59S",

- "duration": "PT0.16S",

- "offsetInTicks": 5900000.0,

- "durationInTicks": 1600000.0,

- "confidence": 0.906032

- }

- ]

- }

- ]

- }

- ]

-}

-```

-The result contains the following fields:

- :::column span="1":::

- **Field**

- :::column-end:::

- :::column span="2":::

- **Content**

- :::column span="1":::

- `lexical`

- :::column-end:::

- :::column span="2":::

- The actual words recognized.

- :::column span="1":::

- `itn`

- :::column-end:::

- :::column span="2":::

- The inverse-text-normalized (ITN) form of the recognized text. Abbreviations (for example, "doctor smith" to "dr smith"), phone numbers, and other transformations are applied.

- :::column span="1":::

- `maskedITN`

- :::column-end:::

- :::column span="2":::

- The ITN form with profanity masking applied.

- :::column span="1":::

- `display`

- :::column-end:::

- :::column span="2":::

- The display form of the recognized text. Added punctuation and capitalization are included.

-## Speaker separation (diarization)

-*Diarization* is the process of separating speakers in a piece of audio. The batch pipeline supports diarization and is capable of recognizing two speakers on mono channel recordings. The feature isn't available on stereo recordings.

-The output of transcription with diarization enabled contains a `Speaker` entry for each transcribed phrase. If diarization isn't used, the `Speaker` property isn't present in the JSON output. For diarization, the speakers are identified as `1` or `2`.

-To request diarization, set the `diarizationEnabled` property to `true`. Here's an example:

-```json

-{

- "contentUrls": [

- "<URL to an audio file to transcribe>",

- ],

- "properties": {

- "diarizationEnabled": true,

- "wordLevelTimestampsEnabled": true,

- "punctuationMode": "DictatedAndAutomatic",

- "profanityFilterMode": "Masked"

- },

- "locale": "en-US",

- "displayName": "Transcription of file using default model for en-US"

-}

-```

-Word-level timestamps must be enabled, as the parameters in this request indicate.

-## Best practices

-The batch transcription service can handle a large number of submitted transcriptions. You can query the status of your transcriptions with [Get transcriptions](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetTranscriptions). Call [Delete transcription](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/DeleteTranscription)

-regularly from the service, after you retrieve the results. Alternatively, set the `timeToLive` property to ensure the eventual deletion of the results.

-> [!TIP]

-> You can use the [Ingestion Client](ingestion-client.md) tool and resulting solution to process a high volume of audio.

-## Sample code

-Complete samples are available in the [GitHub sample repository](https://aka.ms/csspeech/samples), inside the `samples/batch` subdirectory.

-Update the sample code with your subscription information, service region, URI pointing to the audio file to transcribe, and model location if you're using a custom model.

-[!code-csharp[Configuration variables for batch transcription](~/samples-cognitive-services-speech-sdk/samples/batch/csharp/batchclient/program.cs#transcriptiondefinition)]

-The sample code sets up the client and submits the transcription request. It then polls for the status information and prints details about the transcription progress.

-```csharp

-// get the status of our transcriptions periodically and log results

-int completed = 0, running = 0, notStarted = 0;

-while (completed < 1)

-{

- completed = 0; running = 0; notStarted = 0;

- // get all transcriptions for the user

- paginatedTranscriptions = null;

- do

- {

- // <transcriptionstatus>

- if (paginatedTranscriptions == null)

- {

- paginatedTranscriptions = await client.GetTranscriptionsAsync().ConfigureAwait(false);

- }

- else

- {

- paginatedTranscriptions = await client.GetTranscriptionsAsync(paginatedTranscriptions.NextLink).ConfigureAwait(false);

- }

- // delete all pre-existing completed transcriptions. If transcriptions are still running or not started, they will not be deleted

- foreach (var transcription in paginatedTranscriptions.Values)

- {

- switch (transcription.Status)

- {

- case "Failed":

- case "Succeeded":

- // we check to see if it was one of the transcriptions we created from this client.

- if (!createdTranscriptions.Contains(transcription.Self))

- {

- // not created form here, continue

- continue;

- }

- completed++;

- // if the transcription was successful, check the results

- if (transcription.Status == "Succeeded")

- {

- var paginatedfiles = await client.GetTranscriptionFilesAsync(transcription.Links.Files).ConfigureAwait(false);

- var resultFile = paginatedfiles.Values.FirstOrDefault(f => f.Kind == ArtifactKind.Transcription);

- var result = await client.GetTranscriptionResultAsync(new Uri(resultFile.Links.ContentUrl)).ConfigureAwait(false);

- Console.WriteLine("Transcription succeeded. Results: ");

- Console.WriteLine(JsonConvert.SerializeObject(result, SpeechJsonContractResolver.WriterSettings));

- }

- else

- {

- Console.WriteLine("Transcription failed. Status: {0}", transcription.Properties.Error.Message);

- }

- break;

- case "Running":

- running++;

- break;

- case "NotStarted":

- notStarted++;

- break;

- }

- }

- // for each transcription in the list we check the status

- Console.WriteLine(string.Format("Transcriptions status: {0} completed, {1} running, {2} not started yet", completed, running, notStarted));

- }

- while (paginatedTranscriptions.NextLink != null);

- // </transcriptionstatus>

- // check again after 1 minute

- await Task.Delay(TimeSpan.FromMinutes(1)).ConfigureAwait(false);

-}

-```

-For full details about the preceding calls, see the [Speech-to-text REST API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0) reference documentation. For the full sample shown here, go to [GitHub](https://aka.ms/csspeech/samples) in the `samples/batch` subdirectory.

-This sample uses an asynchronous setup to post audio and receive transcription status. The `PostTranscriptions` method sends the audio file details, and the `GetTranscriptions` method receives the states. `PostTranscriptions` returns a handle, and `GetTranscriptions` uses it to create a handle to get the transcription status.

-This sample code doesn't specify a custom model. The service uses the base model for transcribing the file or files. To specify the model, you can pass on the same method the model reference for the custom model.

-> [!NOTE]

-> For baseline transcriptions, you don't need to declare the ID for the base model.

-> [!div class="nextstepaction"]

-> [Speech to text v3.0 API reference](https://centralus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CopyModelToSubscription)

-* [Explore the Language service features](/azure/cognitive-services/language-service/overview#available-features)

-* [Explore the Speech service features](/azure/cognitive-services/speech-service/overview)

-To create a project, use the [CreateProject](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CreateProject) operation of the [Speech-to-text REST API v3.0](rest-speech-to-text.md). Construct the request body according to the following instructions:

-To create an endpoint and deploy a model, use the [CreateEndpoint](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CreateEndpoint) operation of the [Speech-to-text REST API v3.0](rest-speech-to-text.md). Construct the request body according to the following instructions:

-To redeploy the custom endpoint with a new model, use the [UpdateEndpoint](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/UpdateEndpoint) operation of the [Speech-to-text REST API v3.0](rest-speech-to-text.md). Construct the request body according to the following instructions:

-To get logs for an endpoint, start by using the [GetEndpoint](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetEndpoint) operation of the [Speech-to-text REST API v3.0](rest-speech-to-text.md).

-To create a test, use the [CreateEvaluation](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CreateEvaluation) operation of the [Speech-to-text REST API v3.0](rest-speech-to-text.md). Construct the request body according to the following instructions:

-To get test results, start by using the [GetEvaluation](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetEvaluation) operation of the [Speech-to-text REST API v3.0](rest-speech-to-text.md).

-To create a test, use the [CreateEvaluation](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CreateEvaluation) operation of the [Speech-to-text REST API v3.0](rest-speech-to-text.md). Construct the request body according to the following instructions:

-To get test results, start by using the [GetEvaluation](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetEvaluation) operation of the [Speech-to-text REST API v3.0](rest-speech-to-text.md).

-|Batch transcription |[Batch transcription](batch-transcription.md) requests for expired models will fail with a 4xx error. |In each [CreateTranscription](https://westus2.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CreateTranscription) REST API request body, set the `model` property to a base model or custom model that hasn't yet expired. Otherwise don't include the `model` property to always use the latest base model. |

-To get the training and transcription expiration dates for a base model, use the [GetBaseModel](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetBaseModel) operation of the [Speech-to-text REST API v3.0](rest-speech-to-text.md). You can make a [GetBaseModels](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetBaseModels) request to get available base models for all locales.

-To get the transcription expiration date for your custom model, use the [GetModel](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetModel) operation of the [Speech-to-text REST API v3.0](rest-speech-to-text.md).

-If you will train a custom model with audio data, choose a Speech resource region with dedicated hardware for training audio data. See footnotes in the [regions](regions.md#speech-service) table for more information. In regions with dedicated hardware for Custom Speech training, the Speech service will use up to 20 hours of your audio training data, and can process about 10 hours of data per day. In other regions, the Speech service uses up to 8 hours of your audio data, and can process about 1 hour of data per day. After the model is trained, you can copy the model to another region as needed with the [CopyModelToSubscription](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CopyModelToSubscription) REST API.

-To create a model with datasets for training, use the [CreateModel](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CreateModel) operation of the [Speech-to-text REST API v3.0](rest-speech-to-text.md). Construct the request body according to the following instructions:

-Copying a model directly to a project in another region is not supported with the Speech CLI. You can copy a model to a project in another region using the [Speech Studio](https://aka.ms/speechstudio/customspeech) or [Speech-to-text REST API v3.0](rest-speech-to-text.md).

-To copy a model to another Speech resource, use the [CopyModelToSubscription](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CopyModelToSubscription) operation of the [Speech-to-text REST API v3.0](rest-speech-to-text.md). Construct the request body according to the following instructions:

- "self": "https://westus2.api.cognitive.microsoft.com/speechtotext/v3.0/models/9df35ddb-edf9-4e91-8d1a-576d09aabdae",

- "self": "https://westus2.api.cognitive.microsoft.com/speechtotext/v3.0/models/base/eb5450a7-3ca2-461a-b2d7-ddbb3ad96540"

- "manifest": "https://westus2.api.cognitive.microsoft.com/speechtotext/v3.0/models/9df35ddb-edf9-4e91-8d1a-576d09aabdae/manifest",

- "copyTo": "https://westus2.api.cognitive.microsoft.com/speechtotext/v3.0/models/9df35ddb-edf9-4e91-8d1a-576d09aabdae/copyto"

- "self": "https://westus2.api.cognitive.microsoft.com/speechtotext/v3.0/projects/e6ffdefd-9517-45a9-a89c-7b5028ed0e56"

-To connect a new model to a project of the Speech resource where the model was copied, use the [UpdateModel](https://westus2.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/UpdateModel) operation of the [Speech-to-text REST API v3.0](rest-speech-to-text.md). Construct the request body according to the following instructions:

-Make an HTTP PATCH request using the URI as shown in the following example. Use the URI of the new model. You can get the new model ID from the `self` property of the [CopyModelToSubscription](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CopyModelToSubscription) response body. Replace `YourSubscriptionKey` with your Speech resource key, replace `YourServiceRegion` with your Speech resource region, and set the request body properties as previously described.

- "self": "https://westus2.api.cognitive.microsoft.com/speechtotext/v3.0/projects/e6ffdefd-9517-45a9-a89c-7b5028ed0e56"

- "self": "https://westus2.api.cognitive.microsoft.com/speechtotext/v3.0/projects/e6ffdefd-9517-45a9-a89c-7b5028ed0e56"

-To create a dataset and connect it to an existing project, use the [CreateDataset](https://eastus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CreateDataset) operation of the [Speech-to-text REST API v3.0](rest-speech-to-text.md). Construct the request body according to the following instructions:

-## Getting Transcription ID for Batch transcription. (REST API v3.0).

-[Batch transcription](batch-transcription.md) uses [Speech-to-text REST API v3.0](rest-speech-to-text.md).

-The required Transcription ID is the GUID value contained in the main `self` element of the Response body returned by requests, like [Create Transcription](https://centralus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CreateTranscription).

-> Use the same technique to determine different IDs required for debugging issues related to [Custom Speech](custom-speech-overview.md), like uploading a dataset using [Create Dataset](https://centralus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CreateDataset) request.

-> You can also see all existing transcriptions and their Transcription IDs for a given Speech resource by using [Get Transcriptions](https://centralus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/GetTranscriptions) request.

-description: This document helps developers migrate code from v2 to v3 of in the Speech services speech-to-text REST API.

-> The Speech-to-text REST API v2.0 is deprecated and will be retired by February 29, 2024. Please migrate your applications to the [Speech-to-text REST API v3.0](rest-speech-to-text.md).

-Endpoint host names have changed from `{region}.cris.ai` to `{region}.api.cognitive.microsoft.com`. Paths to the new endpoints no longer contain `api/` because it's part of the hostname. The [Speech-to-text REST API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0) reference documentation lists valid regions and paths.

- "self": "https://westus.api.cognitive.microsoft.com/speechtotext/v3.0/transcriptions/9891c965-bb32-4880-b14b-6d44efb158f3",

- "files": "https://westus.api.cognitive.microsoft.com/speechtotext/v3.0/transcriptions/9891c965-bb32-4880-b14b-6d44efb158f3/files"

->When the response of a GET to `speechtotext/v3.0/{collection}` contains a value in `$.@nextLink`, continue issuing `GETs` on `$.@nextLink` until `$.@nextLink` is not set to retrieve all elements of that collection.

- "self": "https://westus.api.cognitive.microsoft.com/speechtotext/v3.0/transcriptions/9891c965-bb32-4880-b14b-6d44efb158f3",

- "files": "https://westus.api.cognitive.microsoft.com/speechtotext/v3.0/transcriptions/9891c965-bb32-4880-b14b-6d44efb158f3/files"

- "self": "https://westus.api.cognitive.microsoft.com/speechtotext/v3.0/transcriptions/9891c965-bb32-4880-b14b-6d44efb158f3/files/f23e54f5-ed74-4c31-9730-2f1a3ef83ce8",

- "self": "https://westus.api.cognitive.microsoft.com/speechtotext/v3.0/transcriptions/9891c965-bb32-4880-b14b-6d44efb158f3/files/28bc946b-c251-4a86-84f6-ea0f0a2373ef",

- "@nextLink": "https://westus.api.cognitive.microsoft.com/speechtotext/v3.0/transcriptions/9891c965-bb32-4880-b14b-6d44efb158f3/files?skip=2&top=2"

->To get the results of operations, use a `GET` on `/speechtotext/v3.0/{collection}/{id}/files`, they are no longer contained in the responses of `GET` on `/speechtotext/v3.0/{collection}/{id}` or `/speechtotext/v3.0/{collection}`.

->To customize both the acoustic and language model part, pass all of the required language and acoustic datasets in `datasets[]` of the POST to `/speechtotext/v3.0/models`. This will create a single model with both parts customized.

-`GET /speechtotext/v3.0/models/base` and `GET /speechtotext/v3.0/models/`.

->To get a list of provided base models for customization, use `GET` on `/speechtotext/v3.0/models/base`. You can find your own customized models with a `GET` on `/speechtotext/v3.0/models`.

- "self": "https://westus.api.cognitive.microsoft.com/speechtotext/v3.0/transcriptions/9891c965-bb32-4880-b14b-6d44efb158f3",

- "self": "https://westus.api.cognitive.microsoft.com/speechtotext/v3.0/models/021a72d0-54c4-43d3-8254-27336ead9037"

- "self": "https://westus.api.cognitive.microsoft.com/speechtotext/v3.0/endpoints/afa0669c-a01e-4693-ae3a-93baf40f26d6",

- "logs": "https://westus.api.cognitive.microsoft.com/speechtotext/v3.0/endpoints/afa0669c-a01e-4693-ae3a-93baf40f26d6/files/logs"

- "self": "https://westus.api.cognitive.microsoft.com/speechtotext/v3.0/endpoints/6d72ad7e-f286-4a6f-b81b-a0532ca6bcaa/files/logs/2019-09-20_080000_3b5f4628-e225-439d-bd27-8804f9eed13f.wav",

- "@nextLink": "https://westus.api.cognitive.microsoft.com/speechtotext/v3.0/endpoints/afa0669c-a01e-4693-ae3a-93baf40f26d6/files/logs?top=2&SkipToken=2!188!MDAwMDk1ITZhMjhiMDllLTg0MDYtNDViMi1hMGRkLWFlNzRlOGRhZWJkNi8yMDIwLTA0LTAxLzEyNDY0M182MzI5NGRkMi1mZGYzLTRhZmEtOTA0NC1mODU5ZTcxOWJiYzYud2F2ITAwMDAyOCE5OTk5LTEyLTMxVDIzOjU5OjU5Ljk5OTk5OTlaIQ--"

-* [Speech-to-text REST API v3.0](rest-speech-to-text.md)

-* [Speech-to-text REST API v3.0 reference](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0)

-2. Run the [Model Copy API](https://eastus2.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CopyModelToSubscription) to replicate the custom model to all prepared regions (Secondary).

-Use cases for the speech-to-text REST API for short audio are limited. Use it only in cases where you can't use the [Speech SDK](speech-sdk.md). For [Batch transcription](batch-transcription.md) and [Custom Speech](custom-speech-overview.md), you should always use [Speech to Text API v3.0](rest-speech-to-text.md).

-description: Get reference documentation for Speech-to-text REST API v3.1 (Public Preview).

-# Speech-to-text REST API v3.1 (preview)

-The Speech-to-text REST API v3.1 is used for [Batch transcription](batch-transcription.md) and [Custom Speech](custom-speech-overview.md). It is currently in Public Preview.

-> [!TIP]

-> See the [Speech to Text API v3.1 preview1](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-1-preview1/) reference documentation for details. This is an updated version of the [Speech to Text API v3.0](./rest-speech-to-text.md)

-Use the REST API v3.1 to:

-## Changes to the v3.0 API

-### Batch transcription changes:

- - **displayFormWordLevelTimestampsEnabled** can be used to enable the reporting of word-level timestamps on the display form of the transcription results.

- - **diarization** can be used to specify hints for the minimum and maximum number of speaker labels to generate when performing optional diarization (speaker separation). With this feature, the service is now able to generate speaker labels for more than two speakers.

- - **languageIdentification** can be used specify settings for optional language identification on the input prior to transcription. Up to 10 candidate locales are supported for language identification. For the preview API, transcription can only be performed with base models for the respective locales. The ability to use custom models for transcription will be added for the GA version.

- - **filter** can be used to provide a filtering expression for selecting a subset of the available resources. You can filter by displayName, description, createdDateTime, lastActionDateTime, status and locale. Example: filter=createdDateTime gt 2022-02-01T11:00:00Z

-### Custom Speech changes

- It also now supports uploading data in multiple blocks for which the following new operations were added:

- - **Upload Data Block** - Upload a block of data for the dataset. The maximum size of the block is 8MiB.

- - **Get Uploaded Blocks** - Get the list of uploaded blocks for this dataset.

- - **Commit Block List** - Commit block list to complete the upload of the dataset.

- ```json

- "features": {

- …

- "supportsAdaptationsWith": [

- "Acoustic",

- "Language",

- "LanguageMarkdown",

- "Pronunciation"

- ]

- }

-```

-|Adaptation Type |DescriptionText |

-|||

-|Acoustic |Supports adapting the model with the audio provided to adapt to the audio condition or specific speaker characteristics. |

-|Language |Supports adapting with Plain Text. |

-|LanguageMarkdown |Supports adapting with Structured Text. |

-|Pronunciation |Supports adapting with a Pronunciation File. |

- - **filter** can be used to provide a filtering expression for selecting a subset of the available resources. You can filter by displayName, description, createdDateTime, lastActionDateTime, status, locale and kind. Example: filter=locale eq 'en-US'

-## Next steps

-description: Get reference documentation for Speech-to-text REST API v3.0.

-# Speech-to-text REST API v3.0

-Speech-to-text REST API v3.0 is used for [Batch transcription](batch-transcription.md) and [Custom Speech](custom-speech-overview.md).

-> See the [Speech to Text API v3.0](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/) reference documentation for details.

-Use REST API v3.0 to:

-## Features

-REST API v3.0 includes such features as:

-For examples of using REST API v3.0 with batch transcription, see [How to use batch transcription](batch-transcription.md).

-For information about migrating to the latest version of the speech-to-text REST API, see [Migrate code from v2.0 to v3.0 of the REST API](./migrate-v2-to-v3.md).

-|Speech resource |In order to use these containers, you must have:<br><br>A _Speech_ Azure resource to get the associated billing key and billing endpoint URI. Both values are available on the Azure portal's **Speech** Overview and Keys pages and are required to start the container.<br><br>**{API_KEY}**: resource key<br><br>**{ENDPOINT_URI}**: endpoint URI example is: `https://westus.api.cognitive.microsoft.com/sts/v1.0`|

-* `https://westus2.api.cognitive.microsoft.com/text/analytics/v3.0/sentiment`

-* `https://westus2.api.cognitive.microsoft.com/text/analytics/v3.0-preview.1/sentiment`

-In some cases, you can't or shouldn't use the [Speech SDK](speech-sdk.md). In those cases, you can use REST APIs to access the Speech service. For example, use the [Speech-to-text REST API v3.0](rest-speech-to-text.md) for [batch transcription](batch-transcription.md) and [custom speech](custom-speech-overview.md).

-Speech-to-text REST API v3.0 uses a different set of endpoints, so it requires a different approach for the private-endpoint-enabled scenario.

-#### Speech-to-text REST API v3.0

-Usually, Speech resources use [Cognitive Services regional endpoints](../cognitive-services-custom-subdomains.md#is-there-a-list-of-regional-endpoints) for communicating with the [Speech-to-text REST API v3.0](rest-speech-to-text.md). These resources have the following naming format: <p/>`{region}.api.cognitive.microsoft.com`.

-#### Speech-to-text REST API v3.0

-Speech-to-text REST API v3.0 usage is fully equivalent to the case of [private-endpoint-enabled Speech resources](#speech-to-text-rest-api-v30).

-| [Speech-to-text REST API V2.0 and v3.0](rest-speech-to-text.md) limit | Not available for F0 | 300 requests per minute |

-| Max text size when you're using the `text` parameter in the [Create Model](https://westcentralus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0/operations/CreateModel/) API request | 200 KB | 500 KB |

-Batch transcription is a set of [Speech-to-text REST API v3.0](rest-speech-to-text.md) operations that enable you to transcribe a large amount of audio in storage. You can point to audio files with a shared access signature (SAS) URI and asynchronously receive transcription results. For more information on how to use the batch transcription API, see [How to use batch transcription](batch-transcription.md) and [Batch transcription samples (REST)](https://github.com/Azure-Samples/cognitive-services-speech-sdk/tree/master/samples/batch).

-The base model may not be sufficient if the audio contains ambient noise or includes a lot of industry and domain-specific jargon. In these cases, building a custom speech model makes sense by training with additional data associated with that specific domain. You can create and train custom acoustic, language, and pronunciation models. For more information, see [Custom Speech](./custom-speech-overview.md) and [Speech-to-text REST API v3.0](rest-speech-to-text.md).

-# Generate a REST API client library for the Speech-to-text REST API v3.0

-> However only [Speech-to-text REST API v3.0](rest-speech-to-text.md) is documented in the Swagger specification. See the documents referenced in the previous paragraph for the information on all other Speech Services REST APIs.

-The [Swagger specification](https://westus.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0) has options that allow you to quickly test for various paths. However, sometimes it's desirable to generate code for all paths, creating a single library of calls that you can base future solutions on. Let's take a look at the process to generate a Python library.

- `https://<your-region>.dev.cognitive.microsoft.com/docs/services/speech-to-text-api-v3-0`

-* [Speech-to-text REST API v3.0](rest-speech-to-text.md)

- > Create a Cognitive Services resource if you plan to access multiple cognitive services under a single endpoint/key. For Form Recognizer access only, create a Form Recognizer resource. Please note that you'll need a single-service resource if you intend to use [Azure Active Directory authentication](../../active-directory/authentication/overview-authentication.md).

-Personalizer will correlate the information of a Rank call with the rewards sent in Reward calls to train the model. These may come at different times. Personalizer waits for a limited time, starting when the Rank call happened, even if the Rank call was made as an inactive event, and activated later.

-If the **Reward Wait Time** expires, and there has been no reward information, a default reward is applied to that event for training. The maximum wait duration is 2 days. If your scenario requires longer reward wait times (e.g. for marketing email campaigns) we are offering a private preview of longer wait times. Open a support ticket in the Azure portal to get in contact with team and see if you qualify and it can be offered to you.

-Feature scores empower you to better understand the relationship between features and the decisions made by Personalizer. They can be used to provide insight to your end-users into why a particular recommendation was made, or to analyze whether your model is exhibiting bias toward or against certain contextual settings, users, and actions.

- "probability": 0.15

- "probability": 0.05

-* **Increased latency.** Enabling _Inference Explainability_ will significantly increase the latency of Rank API calls due to processing of the feature information. Run experiments and measure the latency in your scenario to see if it satisfies your applicationΓÇÖs latency requirements. Future versions of Inference Explainability will mitigate this issue.

-* **Default exploration only.** Currently, Inference Explainability supports only the default exploration algorithm. Future releases will enable the use of this capability with additional exploration algorithms.

-| [Authentication options](./authentication.md)| Authentication is the act of verifying a user's identity. Authorization, by contrast, is the specification of access rights and privileges to resources for a given identity. An identity is a collection of information about a <a href="https://en.wikipedia.org/wiki/Principal_(computer_security)" target="_blank">principal</a>, and a principal can be either an individual user or a service.</br></br>By default, you authenticate your own calls to Cognitive Services using the subscription keys provided; this is the simplest method but not the most secure. The most secure authentication method is to use manged roles in Azure Active Directory. To learn about this and other authentication options, see [Authenticate requests to Cognitive Services](/azure/cognitive-services/authentication). |

-* Explore [Cognitive Services](./what-are-cognitive-services.md) and choose a service to get started.

-| | [Include participant in Teams meeting attendance report](/office/view-and-download-meeting-attendance-reports-in-teams-ae7cf170-530c-47d3-84c1-3aedac74d310) | ❌

-| [Choose co-organizers](/office/add-co-organizers-to-a-meeting-in-teams-0de2c31c-8207-47ff-ae2a-fc1792d466e2)| Teams user can be selected as co-organizer. It affects the availability of actions in Teams meetings. | ✔️ |

-|[Manage what attendees see](/office/spotlight-someone-s-video-in-a-teams-meeting-58be74a4-efac-4e89-a212-8d198182081e)|Teams organizer, co-organizer and presenter can spotlight videos for everyone. Azure Communication Services does not receive the spotlight signals. |❌|

-|[Allow mic for attendees](/office/manage-attendee-audio-and-video-permissions-in-teams-meetings-f9db15e1-f46f-46da-95c6-34f9f39e671a)|If Teams user is attendee, then this option controls whether Teams user can send local audio |✔️|

-|[Allow camera for attendees](/office/manage-attendee-audio-and-video-permissions-in-teams-meetings-f9db15e1-f46f-46da-95c6-34f9f39e671a)|If Teams user is attendee, then this option controls whether Teams user can send local video |✔️|

-|[Provide CART Captions](/office/use-cart-captions-in-a-microsoft-teams-meeting-human-generated-captions-2dd889e8-32a8-4582-98b8-6c96cf14eb47)|Communication access real-time translation (CART) is a service in which a trained CART captioner listens to the speech and instantaneously translates all speech to text. As a meeting organizer, you can set up and offer CART captioning to your audience instead of the Microsoft Teams built-in live captions that are automatically generated.|❌|

-| **Authentication type** | Yes | - **Access Key** <br><br>- **Azure AD Integrated** <br><br>- **Logic Apps Managed Identity (Preview)** | The authentication type to use for your connection. For more information, review [Authentication types for triggers and actions that support authentication - Secure access and data](../logic-apps/logic-apps-securing-a-logic-app.md#authentication-types-for-triggers-and-actions-that-support-authentication). |

-* If your logic app resource uses a managed identity to authenticate access to your Service Bus namespace and messaging entity, make sure that you've assigned role permissions at the corresponding levels. For example, to access a queue, the managed identity requires a role that has the necessary permissions for that queue.

- Each managed identity that accesses a *different* messaging entity should have a separate connection to that entity. If you use different Service Bus actions to send and receive messages, and those actions require different permissions, make sure to use different connections.

- | **Logic Apps Managed Identity** | - Supported with the SQL Server managed connector and ISE-versioned connector. <br><br>- Requires the following items: <br><br> A valid managed identity that's [enabled on your logic app resource](../logic-apps/create-managed-service-identity.md) and has access to your database. <br><br> **SQL DB Contributor** role access to the SQL Server resource <br><br> **Contributor** access to the resource group that includes the SQL Server resource. <br><br>For more information, see [SQL - Server-Level Roles](/sql/relational-databases/security/authentication-access/server-level-roles). |

- | [**SQL Server Authentication**](/sql/relational-databases/security/choose-an-authentication-mode#connecting-through-sql-server-authentication) | - Supported with the SQL Server managed connector, SQL Server built-in connector, and ISE-versioned connector. <br><br>- Requires the following items: <br><br> A data gateway resource that's previously created in Azure for your connection, regardless whether your logic app is in multi-tenant Azure Logic Apps or an ISE. <br><br> A valid user name and strong password that are created and stored in your SQL Server database. For more information, see the following topics: <br><br>- [Azure SQL Security Overview - Authentication](/azure/azure-sql/database/security-overview#authentication) <br>- [Authorize database access to Azure SQL - Authentication and authorization](/azure/azure-sql/database/logins-create-manage#authentication-and-authorization) |

-description: Learn about the customer-managed keys, an overview on its key features and considerations before you encrypt your Premium registry with a customer-managed key stored in Azure Key Vault.

-# Tutorial: An overview of a customer-managed key encryption for your Azure Container Registry

-Azure Container Registry, automatically encrypts the images and other artifacts you store. By default, Azure automatically encrypts the registry content at rest with [service-managed keys](../security/fundamentals/encryption-models.md). You can supplement default encryption with an additional encryption layer using a customer-managed key.

-In this tutorial, part one in a four-part series:

-> * customer-managed key - Overview

-> * Enable a customer-managed key - CLI, Portal, and Resource Manager Template

-## About customer-managed key

-A customer-managed key gives you the ownership to bring your own key in the [Azure Key Vault](../key-vault/general/overview.md). The customer-managed key also allows you to manage key rotations, controls the access and permissions to use the key, and audit the usage of the key.

-The key features include:

->* **Regulatory compliance standards**: By default, Azure automatically encrypts the registry content at rest with [service-managed keys,](../security/fundamentals/encryption-models.md) but customer-managed keys encryption meets the guidelines of standard regulatory compliance.

->* **Integration with Azure key vault**: Customer-managed keys support server-side encryption through integration with [Azure Key Vault.](../key-vault/general/overview.md). With customer-managed keys, you can create your own encryption keys and store them in an Azure Key Vault, or you can use Azure Key Vault APIs to generate keys.

->* **Key life cycle management**: Integrating customer-managed keys with [Azure Key Vault](../key-vault/general/overview.md), will give you full control and responsibility for the key lifecycle, including rotation and management.

-Configure Azure Container Registry (ACR) with a customer-managed key consider knowing:

->* This feature is available in the **Premium** container registry service tier. For more information, see [ACR service tiers.](container-registry-skus.md)

->* You can currently enable a customer-managed key only while creating a registry.

->* You can't disable the encryption after enabling a customer-managed key on a registry.

->* You have to configure a *user-assigned* managed identity to access the key vault. Later, if required you can enable the registry's *system-assigned* managed identity for key vault access.

->* Azure Container Registry supports only RSA or RSA-HSM keys. Elliptic curve keys aren't currently supported.

->* In a registry encrypted with a customer-managed key, you can retain logs for [ACR Tasks](container-registry-tasks-overview.md) only for 24 hours. To retain logs for a longer period, see guidance to [export and store task run logs.](container-registry-tasks-logs.md#alternative-log-storage)

->* [Content trust](container-registry-content-trust.md) is currently not supported in a registry encrypted with a customer-managed key.

-Azure Container Registry supports both automatic and manual rotation of registry encryption keys when a new key version is available in Azure Key Vault.

->It is an important security consideration for a registry with customer-managed key encryption to frequently update (rotate) the key versions. Follow your organization's compliance policies to regularly update [key versions,](../key-vault/general/about-keys-secrets-certificates.md#objects-identifiers-and-versioning) while storing a customer-managed key in Azure Key Vault.

-* **Automatically update the key version** - With a registry encrypted with a non-versioned key, Azure Container Registry regularly checks the Azure key vault for a new key version and updates the customer-managed key within 1 hour. So, we suggest omitting the key version when you enable registry encryption with a customer-managed key. So, that ACR automatically uses and updates to the latest key version.

-* **Manually update the key version** - With a registry encrypted with a specific key version, Azure Container Registry uses that version for encryption until you manually rotate the customer-managed key. So, we suggest specifying the key version when you enable registry encryption with a customer-managed key. So, that ACR will use a specific version of a key for registry encryption.

-For details, see [Choose key ID with version](tutorial-enable-customer-managed-keys.md#option-1-manual-key-rotationkey-id-with-version) , or [Choose key ID without key version](tutorial-enable-customer-managed-keys.md#option-2-automatic-key-rotationkey-id-omitting-version), and [Update key version](tutorial-rotate-revoke-customer-managed-keys.md#create-or-update-key-versioncli) later in this tutorial.

-In this tutorial, you have an overview on a customer-managed keys, their key features, and a brief of the considerations to enable a customer-managed key to your registry and types of updating key versions.

-Advance to the next [tutorial](tutorial-enable-customer-managed-keys.md) to enable your container registry with a customer-managed keys using Azure CLI, Azure portal, and Azure Resource Manager template.

-description: In this tutorial, learn to encrypt your Premium registry with a customer-managed key stored in Azure Key Vault using Azure CLI.

-# Tutorial: Encrypt Azure Container Registry with a customer-managed key

-This article is part two in a four-part tutorial series. In [part one](tutorial-customer-managed-keys.md), you have an overview about a customer-managed key, key features, and the considerations before you enable a customer-managed key on your registry. This article walks you through the steps using the Azure CLI, Azure portal, or a Resource Manager template.

-In this article

->* Enable a customer-managed key - Azure CLI

->* Enable a customer-managed key - Azure portal

->* Enable a customer-managed key - Azure Resource Manager template

->* See [Install Azure CLI][azure-cli] or run in [Azure Cloud Shell.](../cloud-shell/quickstart.md).

->* Sign into [Azure Portal](https://ms.portal.azure.com/)

-## Enable a customer-managed key - Azure CLI

-Create a resource group for creating the key vault, container registry, and other required resources.

-1. Run the [az group create][az-group-create](/cli/azure/group#az-group-create) command to create a resource group.

-By configuring the *user-assigned managed identity* to the registry, you can access the Azure Key Vault.

-1. Run the [az identity create][az-identity-create](/cli/azure/identity#az-identity-create) command to create a user-assigned [managed identity for Azure resources.](../active-directory/managed-identities-azure-resources/overview.md).

-```azurecli

-az identity create \

- --resource-group <resource-group-name> \

- --name <managed-identity-name>

-```

-2. In the command output, take a note of the following values: `id` and `principalId` to configure registry access with the Azure Key Vault.

-```JSON

-{

- "clientId": "xxxx2bac-xxxx-xxxx-xxxx-192cxxxx6273",

- "clientSecretUrl": "https://control-eastus.identity.azure.net/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myresourcegroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myidentityname/credentials?tid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&oid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&aid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/myresourcegroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myresourcegroup",

- "location": "eastus",

- "name": "myidentityname",

- "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "resourceGroup": "myresourcegroup",

- "tags": {},

- "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "type": "Microsoft.ManagedIdentity/userAssignedIdentities"

-}

-```

-3. For convenience, store the values of `id` and `principalId` in environment variables:

-```azurecli

-identityID=$(az identity show --resource-group <resource-group-name> --name <managed-identity-name> --query 'id' --output tsv)

-identityPrincipalID=$(az identity show --resource-group <resource-group-name> --name <managed-identity-name> --query 'principalId' --output tsv)

-```

-1. Run the [az keyvault create][az-keyvault-create](/cli/azure/keyvault#az-keyvault-create) to create a key vault and store a customer-managed key for registry encryption.

-2. By default, new key vault automatically enables the **soft delete** setting. To prevent data loss by accidental key or key vault deletions, we recommend enabling the **purge protection** setting.

-```azurecli

-az keyvault create --name <key-vault-name> \

- --resource-group <resource-group-name> \

- --enable-purge-protection

-```

-3. For convenience, take a note of the key vault resource ID and store the value in environment variables:

-```azurecli

-keyvaultID=$(az keyvault show --resource-group <resource-group-name> --name <key-vault-name> --query 'id' --output tsv)

-```

-#### Enable key vault access by trusted services

-If the key vault is in protection with a firewall or virtual network (private endpoint), you must enable the network settings to allow access by [trusted Azure services.](../key-vault/general/overview-vnet-service-endpoints.md#trusted-services)

-For more information, see [Configure Azure Key Vault networking settings](../key-vault/general/how-to-azure-key-vault-network-security.md?tabs=azure-cli).

-#### Enable key vault access by managed identity

-There are two ways to enable key vault access.

-#### Option 1: Enable key vault access policy

-Configure the access policy for the key vault and set key permissions to access with a *user-assigned* managed identity:

-1. Run the [az keyvault set policy][az-keyvault-set-policy](/cli/azure/keyvault#az-keyvault-set-policy) command, and pass the previously created and stored environment variable value of the `principal ID`.

-2. Set key permissions to **get**, **unwrapKey**, and **wrapKey**.

-```azurecli

-az keyvault set-policy \

- --resource-group <resource-group-name> \

- --name <key-vault-name> \

- --object-id $identityPrincipalID \

- --key-permissions get unwrapKey wrapKey

-```

-#### Option 2: Assign RBAC role

-Alternatively, use [Azure RBAC for Key Vault](../key-vault/general/rbac-guide.md) to assign permissions to the *user-assigned* managed identity and access the key vault.

-1. Run the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command and assign the `Key Vault Crypto Service Encryption role` to a *user-assigned* managed identity.

-#### Create key and get key ID

-1. Run the [az keyvault key create][az-keyvault-key-create](/cli/azure/keyvault/key#az-keyvault-key-create) command to create a key in the key vault.

-```azurecli

-az keyvault key create \

- --name <key-name> \

- --vault-name <key-vault-name>

-```

-2. In the command output, take note of the key's ID `kid`.

-```output

-[...]

- "key": {

- "crv": null,

- "d": null,

- "dp": null,

- "dq": null,

- "e": "AQAB",

- "k": null,

- "keyOps": [

- "encrypt",

- "decrypt",

- "sign",

- "verify",

- "wrapKey",

- "unwrapKey"

- ],

- "kid": "https://mykeyvault.vault.azure.net/keys/mykey/<version>",

- "kty": "RSA",

-[...]

-```

-3. For convenience, store the format you choose for the key ID in the $keyID environment variable.

-4. You can use a key ID with a version or a key without a version.

-#### Option 1: Manual key rotation - key ID with version

-Encrypting a registry with a customer-managed key with a key version will only allow manual key rotation in Azure Container Registry.

-1. This example stores the key's `kid` property:

-#### Option 2: Automatic key rotation - key ID omitting version

-Encrypting a registry with a customer-managed key by omitting a key version will enable automatic key rotation to detect a new key version in Azure Key Vault.

-1. This example removes the version from the key's `kid` property:

-1. Run the [az acr create][az-acr-create](/cli/azure/acr#az-acr-create) command to create a registry in the *Premium* service tier and enable the customer-managed key.

-2. Pass the managed identity ID `id`and the key ID `kid` values stored in the environment variables in previous steps.

-```azurecli

-az acr create \

- --resource-group <resource-group-name> \

- --name <container-registry-name> \

- --identity $identityID \

- --key-encryption-key $keyID \

- --sku Premium

-```

-1. Run the [az acr encryption show][az-acr-encryption-show](/cli/azure/acr/encryption#az-acr-encryption-show) command, to show the status of the registry encryption with a customer-managed key is enabled.

-2. Depending on the key used to, encrypt the registry and the output is similar to:

-## Enable a customer-managed key - Azure Portal

-Create a *user-assigned* [managed identity](../active-directory/managed-identities-azure-resources/overview.md) for Azure resources in the Azure portal.

-1. Follow the steps to [create a user-assigned identity.](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md#create-a-user-assigned-managed-identity).

-2. Save the `identity's name` to use it in later steps.

-1. Follow the steps in the [Quickstart: Create a key vault using the Azure portal.](../key-vault/general/quick-create-portal.md).

-2. When creating a key vault for a customer-managed key, in the **Basics** tab, enable the **Purge protection** setting. This setting helps prevent data loss by accidental key or key vault deletions.

-#### Enable key vault access by trusted services

-If the key vault is in protection with a firewall or virtual network (private endpoint), enable the network setting to allow access by [trusted Azure services.](../key-vault/general/overview-vnet-service-endpoints.md#trusted-services)

-For more information, see [Configure Azure Key Vault networking settings.](../key-vault/general/how-to-azure-key-vault-network-security.md?tabs=azure-portal)

-#### Enable key vault access by managed identity

-There are two ways to enable key vault access by managed identity.

-#### Option 1: Enable key vault access policy

-Configure the access policy for the key vault and set key permissions to access with a *user-assigned* managed identity:

-1. Navigate to your key vault.

-3. Select **Key permissions**, and select **Get**, **Unwrap Key**, and **Wrap Key**.

-5. Select **Add**, then select **Save**.

-#### Option 2: Assign RBAC role

-Alternatively, assign the `Key Vault Crypto Service Encryption User` role to the *user-assigned* managed identity at the key vault scope.

-For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

-### Create key

-Create a key in the key vault and use it to encrypt the registry. Follow these steps if you want to select a specific key version as a customer-managed key. You may also need to create a key before creating the registry if key vault access is restricted to a private endpoint or selected networks.

-1. Navigate to your key vault.

-1. Accept the remaining default values and select **Create**.

-### Create Azure Container Registry

-1. In the **Basics** tab, select or create a resource group, and enter a registry name. In **SKU**, select **Premium**.

-1. In the **Encryption** tab, in **Customer-managed key**, select **Enabled**.

-1. In **Identity**, select the managed identity you created.

-1. In **Encryption**, choose either of the following:

- * Select **Select from Key Vault**, and select an existing key vault and key, or **Create new**. The key you select is non-versioned and enables automatic key rotation.

- * Select **Enter key URI**, and provide the identifier of an existing key. You can provide either a versioned key URI (for a key that must be rotated manually) or a non-versioned key URI (which enables automatic key rotation). See the previous section for steps to create a key.

-1. In the **Encryption** tab, select **Review + create**.

-### Show encryption status

-To see the encryption status of your registry in the portal, navigate to your registry. Under **Settings**, select **Encryption**.

-## Enable a customer-managed key - Azure Resource Manager template

-You can use a Resource Manager template to create a registry and enable encryption with a customer-managed key.

-The following Resource Manager template creates a new container registry and a *user-assigned* managed identity.

-1. Copy the following content of a Resource Manager template to a new file and save it using a filename `CMKtemplate.json`.

-```json

-{

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "vault_name": {

- "defaultValue": "",

- "type": "String"

- },

- "registry_name": {

- "defaultValue": "",

- "type": "String"

- },

- "identity_name": {

- "defaultValue": "",

- "type": "String"

- },

- "kek_id": {

- "type": "String"

- }

- },

- "variables": {},

- "resources": [

- {

- "type": "Microsoft.ContainerRegistry/registries",

- "apiVersion": "2019-12-01-preview",

- "name": "[parameters('registry_name')]",

- "location": "[resourceGroup().location]",

- "sku": {

- "name": "Premium",

- "tier": "Premium"

- },

- "identity": {

- "type": "UserAssigned",

- "userAssignedIdentities": {

- "[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identity_name'))]": {}

- }

- },

- "dependsOn": [

- "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identity_name'))]"

- ],

- "properties": {

- "adminUserEnabled": false,

- "encryption": {

- "status": "enabled",

- "keyVaultProperties": {

- "identity": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identity_name')), '2018-11-30').clientId]",

- "KeyIdentifier": "[parameters('kek_id')]"

- }

- },

- "networkRuleSet": {

- "defaultAction": "Allow",

- "virtualNetworkRules": [],

- "ipRules": []

- },

- "policies": {

- "quarantinePolicy": {

- "status": "disabled"

- },

- "trustPolicy": {

- "type": "Notary",

- "status": "disabled"

- },

- "retentionPolicy": {

- "days": 7,

- "status": "disabled"

- }

- }

- }

- },

- {

- "type": "Microsoft.KeyVault/vaults/accessPolicies",

- "apiVersion": "2018-02-14",

- "name": "[concat(parameters('vault_name'), '/add')]",

- "dependsOn": [

- "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identity_name'))]"

- ],

- "properties": {

- "accessPolicies": [

- {

- "tenantId": "[subscription().tenantId]",

- "objectId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identity_name')), '2018-11-30').principalId]",

- "permissions": {

- "keys": [

- "get",

- "unwrapKey",

- "wrapKey"

- ]

- }

- }

- ]

- }

- },

- {

- "type": "Microsoft.ManagedIdentity/userAssignedIdentities",

- "apiVersion": "2018-11-30",

- "name": "[parameters('identity_name')]",

- "location": "[resourceGroup().location]"

- }

- ]

-}

-```

-* Key vault, identified by name

-* Key vault key, identified by key ID

-3. Run the [az deployment group create][az-deployment-group-create] command to create the registry using the preceding template file. When indicated, provide a new registry name and a *user-assigned* managed identity name, as well as the key vault name and key ID you created.

-```azurecli

-az deployment group create \

- --resource-group <resource-group-name> \

- --template-file CMKtemplate.json \

- --parameters \

- registry_name=<registry-name> \

- identity_name=<managed-identity> \

- vault_name=<key-vault-name> \

- key_id=<key-vault-key-id>

-```

-4. Run the [az acr encryption show][az-acr-encryption-show] command, to show the status of registry encryption

-```azurecli

-az acr encryption show --name <registry-name>

-```

-In this tutorial, you've learned to enable a customer-managed key on your Azure Container Registry using Azure CLI, portal, and Resource Manager template. This article also explains how to create resources for the encryption and verify the encryption status of your registry.

-Advance to the next [tutorial](tutorial-rotate-revoke-customer-managed-keys.md), to have a walk-through of performing the customer-managed key rotation, update key versions, and revoke a customer-managed key.

-description: Learn how to rotate, update, revoke a customer-managed key.

-# Rotate and Revoke a customer-managed key

-This article is part three in a four-part tutorial series. In [part one](tutorial-customer-managed-keys.md), you have an overview of the customer-managed key, their key features, and the considerations before you enable a customer-managed key on your registry. In [part two](tutorial-enable-customer-managed-keys.md), you've learned to enable a customer-managed key using the Azure CLI, Azure portal, or a Resource Manager template. In this article walks you to rotate a customer-managed key, update key version and revoke the key.

->* To rotate a key, you can either update the key version in Azure Key Vault or create a new key.

->* While rotating the key, you can specify the same identity you have used to create the registry.

->* Optionally, you can also configure a new user-assigned identity to access the key, or enable and specify the registry's system-assigned identity.

-> * To enable the registry's system-assigned identity in the portal, select **Settings** > **Identity** and set the system-assigned identity's status to **On**.

-> * Ensure that the required [key vault access](tutorial-enable-customer-managed-keys.md#enable-key-vault-access-by-managed-identity) is set for the identity you configure for key access.

-### Create or update key version - CLI

-1. To create a new key version, run the [az keyvault key create][az-keyvault-key-create](/cli/azure/keyvault/key#az-keyvault-key-create) command:

- ΓÇô-name <key-name> \

-2. If you configure the registry to detect key version updates, the customer-managed key automatically updates within 1 hour.

-3. If you configure the registry for manual updating for a new key version, run the [az-acr-encryption-rotate-key](/cli/azure/acr/#az-acr-encryption-rotate-key) command, passing the new key ID and the identity you want to configure.

-> When you run `az-acr-encryption-rotate-key`, you can pass either a versioned key ID or a non-versioned key ID. If you use a non-versioned key ID, the registry is then configured to automatically detect later key version updates.

-Update a customer-managed key version manually:

- 1. Rotate key and use user-assigned identity

-If you're using the key from a different key vault, verify the `principal-id-user-assigned-identity` has the `get`, `wrap`, and `unwrap` permissions on that key vault.

-```azurecli

-az acr encryption rotate-key \

- --name <registry-name> \

- --key-encryption-key <new-key-id> \

- --identity <principal-id-user-assigned-identity>

-```

- 2. Rotate key and use system-assigned identity

-Before you use the system-assigned identity, verify for the `get`, `wrap`, and `unwrap` permissions assigned to it.

-```azurecli

-az acr encryption rotate-key \

- --name <registry-name> \

- --key-encryption-key <new-key-id> \

- --identity [system]

-```

-### Create or update key version - Portal

-Use the registry's **Encryption** settings to update the key vault, key, or identity settings used for a customer-managed key.

-1. In the portal, navigate to your registry.

-1. Under **Settings**, select **Encryption** > **Change key**.

- :::image type="content" source="media/container-registry-customer-managed-keys/rotate-key.png" alt-text="Rotate key in the Azure portal":::

-1. In **Encryption**, choose one of the following:

- * Select **Select from Key Vault**, and select an existing key vault and key, or **Create new**. The key you select is non-versioned and enables automatic key rotation.

- * Select **Enter key URI**, and provide a key identifier directly. You can provide either a versioned key URI (for a key that must be rotated manually) or a non-versioned key URI (which enables automatic key rotation).

-1. Complete the key selection and select **Save**.

->* You can revoke a customer-managed encryption key by changing the access policy, or changing the permissions on the key vault, or by deleting the key.

-1. Run the [az-keyvault-delete-policy](/cli/azure/keyvault#az-keyvault-delete-policy) command to change the access policy of the managed identity used by your registry:

-2. Run the [az-keyvault-key-delete](/cli/azure/keyvault/key#az-keyvault-key-delete) command to delete the individual versions of a key. This operation requires the keys/delete permission.

->* Revoking a customer-managed key will block access to all registry data.

->* If you enable access to the key or restore a deleted key, the registry will pick the key, and you can gain back control on access to the encrypted registry data.

-In this tutorial, you've learned to perform key rotations, update key versions using CLI and Portal, and revoking a customer-managed key on your Azure Container Registry.

-Advance to the next tutorial to [troubleshoot](tutorial-troubleshoot-customer-managed-keys.md) most common issues like removing a managed identity, 403 errors, and restoring accidental key deletes.

-description: Tutorial to troubleshoot the most common issues from a registry enabled with a customer-managed key.

-This article is part four in a four-part tutorial series. In [part one](tutorial-customer-managed-keys.md), you have an overview of the customer-managed keys, their key features, and the considerations before you enable a customer-managed key on your registry. In [part two](tutorial-enable-customer-managed-keys.md), you've learned to enable customer-managed keys using the Azure CLI, Azure portal, or a Resource Manager template. In [part three](tutorial-rotate-revoke-customer-managed-keys.md), you'll learn to rotate, update, revoke a customer-managed key. In this article, learn to troubleshoot any issues with customer-managed keys.

-## Troubleshoot a customer-managed key

-This article helps you to troubleshoot and resolve most common issues such as authentication issues, accidental deletions of keys, etc.

-## Removing managed identity

-If you try to remove a user-assigned or a system-assigned managed identity that you've used to configure encryption for your registry, you may see an error:

-You'll also not be able to change (rotate) the encryption key. The resolution steps depend on the type of identity you've used for encryption.

-### Removing a **user-assigned identity**:

-If this issue occurs while removing a user-assigned identity, follow the steps:

-1. Reassign the user-assigned identity using the [az acr identity assign](/cli/azure/acr/identity/#az-acr-identity-assign) command.

-2. Pass the user-assigned identity's resource ID, or use the identity's name when it is in the same resource group as the registry.

-For example:

-```azurecli

-az acr identity assign -n myRegistry \

- --identities "/subscriptions/mysubscription/resourcegroups/myresourcegroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myidentity"

-```

-### Removing a **System-assigned identity**

-If issue occurs while you try to remove a system-assigned identity, please [create an Azure support ticket](https://azure.microsoft.com/support/create-ticket/) for assistance to restore the identity.

-## Enabling the key vault firewall

-If you enable a key vault firewall or virtual network after creating an encrypted registry, you might see HTTP 403 or other errors with image import or automated key rotation. To correct this problem, reconfigure the managed identity and key you used initially for encryption. See steps in [Rotate a customer-managed key.](tutorial-rotate-revoke-customer-managed-keys.md#rotate-a-customer-managed-key)

-If the problem persists, please contact Azure Support.

-## Accidental deletion of key vault or key

-Deletion of the key vault, or the key, used to encrypt a registry with a customer-managed key will make the registry's content inaccessible. If [soft delete](../key-vault/general/soft-delete-overview.md) is enabled in the key vault (the default option), you can recover a deleted vault, or key vault object and resume registry operations.

-For key vault deletion and recovery scenarios, see [Azure Key Vault recovery management with soft delete and purge protection](../key-vault/general/key-vault-recovery.md).

-1. Sign into the [Azure portal](https://portal.azure.com/learn.learn.microsoft.com) and navigate to your Azure Cosmos DB account.

-The client-side architecture employed in Direct mode enables predictable network utilization and multiplexed access to Azure Cosmos DB replicas. The diagram above shows how Direct mode routes client requests to replicas in the Cosmos DB backend. The Direct mode architecture allocates up to 10 **Channels** on the client side per DB replica. A Channel is a TCP connection preceded by a request buffer, which is 30 requests deep. The Channels belonging to a replica are dynamically allocated as needed by the replica's **Service Endpoint**. When the user issues a request in Direct mode, the **TransportClient** routes the request to the proper service endpoint based on the partition key. The **Request Queue** buffers requests before the Service Endpoint.

-If you have any existing reservations, they stop applying 90 days after you transfer a subscription. Be sure to [cancel any reservations and refund them](../reservations/exchange-and-refund-azure-reservations.md) before you transfer a subscription to avoid charges after the 90 day grace period.

-1. Go to the **Bulk Copy from Files to Database** template. Create a **New** connection to the source Gen2 store. Be aware that "GetMetadataDataset" and "SourceDataset" are references to the same connection of your source file store.

- :::image type="content" source="media/solution-template-bulk-copy-from-files-to-database/source-connection.png" alt-text="Create a new connection to the source data store":::

-2. Create a **New** connection to the sink data store that you're copying data to.

- :::image type="content" source="media/solution-template-bulk-copy-from-files-to-database/destination-connection.png" alt-text="Create a new connection to the sink data store":::

-

-3. Select **Use this template**.

- :::image type="content" source="media/solution-template-bulk-copy-from-files-to-database/use-template.png" alt-text="Use this template":::

-

-4. You would see a pipeline created as shown in the following example:

- > [!NOTE]

- > If you chose **Azure Synapse Analytics** as the data destination in **step 2** mentioned above, you must enter a connection to Azure Blob storage for staging, as required by Azure Synapse Analytics Polybase. As the following screenshot shows, the template will automatically generate a *Storage Path* for your Blob storage. Check if the container has been created after the pipeline run.

-

- :::image type="content" source="media/solution-template-bulk-copy-from-files-to-database/staging-account.png" alt-text="Polybase setting":::

-5. Select **Debug**, enter the **Parameters**, and then select **Finish**.

-6. When the pipeline run completes successfully, you would see results similar to the following example:

- :::image type="content" source="mediB_with_ControlTable2.png" alt-text="Create a new connection to the control table":::

- :::image type="content" source="mediB_with_ControlTable3.png" alt-text="Create a new connection to the source database":::

- :::image type="content" source="mediB_with_ControlTable4.png" alt-text="Create a new connection to the destination store":::

- :::image type="content" source="mediB_with_ControlTable6.png" alt-text="Review the pipeline":::

- :::image type="content" source="mediB_with_ControlTable7.png" alt-text="Click **Debug**":::

- :::image type="content" source="mediB_with_ControlTable8.png" alt-text="Review the result":::

- :::image type="content" source="mediB_with_ControlTable9.png" alt-text="Polybase setting":::

- :::image type="content" source="mediB_with_ControlTable4.png" alt-text="Create a new connection to the source table":::

- :::image type="content" source="mediB_with_ControlTable5.png" alt-text="Create a new connection to the destination table":::

- :::image type="content" source="mediB_with_ControlTable6.png" alt-text="Create a new connection to the control table data store":::

- :::image type="content" source="mediB_with_ControlTable8.png" alt-text="Review the pipeline":::

- :::image type="content" source="mediB_with_ControlTable9.png" alt-text="Set the stored procedure activity":::

- :::image type="content" source="mediB_with_ControlTable10.png" alt-text="Write the content for the parameters of the stored procedure":::

- :::image type="content" source="mediB_with_ControlTable11.png" alt-text="Select **Debug**":::

- :::image type="content" source="mediB_with_ControlTable12.png" alt-text="Review the result":::

- :::image type="content" source="mediB_with_ControlTable15.png" alt-text="Configure Polybase":::

- :::image type="content" source="media/solution-template-move-files/move-files-1-small.png" alt-text="Create a new connection to the source" lightbox="media/solution-template-move-files/move-files-1.png":::

- :::image type="content" source="media/solution-template-move-files/move-files-2-small.png" alt-text="Create a new connection to the destination" lightbox="media/solution-template-move-files/move-files-2.png":::

- :::image type="content" source="media/solution-template-move-files/move-files4.png" alt-text="Show the pipeline":::

- :::image type="content" source="media/solution-template-move-files/move-files5.png" alt-text="Run the pipeline":::

- :::image type="content" source="media/solution-template-move-files/move-files6.png" alt-text="Review the result":::

-New-AzVirtualNetwork -Name MyVnet -ResourceGroupName MyResourceGroup -Location "East US" -AddressPrefix 10.0.0.0/16 -DdosProtectionPlan $ddosProtectionPlanID -EnableDdosProtection

-The capability to exempt some accounts that donΓÇÖt use MFA isn't currently supported. There are plans to add this capability, and the information can be viewed in our [Important upcoming changes](/azure/defender-for-cloud/upcoming-changes#multiple-changes-to-identity-recommendations) page.

-Defender for Cloud now includes preview support for the [Azure Monitor Agent](../azure-monitor/agents/agents-overview.md) (AMA). AMA is intended to replace the legacy Log Analytics agent (also referred to as the Microsoft Monitoring Agent (MMA)), which is on a path to deprecation. AMA [provides a number of benefits](../azure-monitor/agents/azure-monitor-agent-migration.md#benefits) over legacy agents.

-In Defender for Cloud, when you [enable auto provisioning for AMA](auto-deploy-azure-monitoring-agent.md), the agent is deployed on **existing and new** VMs and Azure Arc-enabled machines that are detected in your subscriptions. If Defender for Cloud plans are enabled, AMA collects configuration information and event logs from Azure VMs and Azure Arc machines. Note that the AMA integration is in preview, so we recommend using it in test environments, rather than in production environments.

-Then, you can access 3D Scenes Studio at this link: [3D Scenes Studio](https://dev.explorer.azuredigitaltwins-test.net/3dscenes).

-* Share the **URL of your Azure Digital Twins instance** and the **URL of your Azure storage container** that you used when [initializing your 3D Scenes Studio environment](#initialize-your-3d-scenes-studio-environment). The recipient can access [3D Scenes Studio](https://dev.explorer.azuredigitaltwins-test.net/3dscenes) and initialize it with these same URL values to connect to your same environment.

-### List of events for Blob REST APIs

- |**Microsoft.Storage.BlobCreated** |Triggered when a blob is created or replaced. <br>Specifically, this event is triggered when clients use the `PutBlob`, `PutBlockList`, or `CopyBlob` operations that are available in the Blob REST API **and** when the Block Blob is completely committed. <br>If clients use the `CopyBlob` operation on accounts that have the **hierarchical namespace** feature enabled on them, the `CopyBlob` operation works a little differently. In that case, the **Microsoft.Storage.BlobCreated** event is triggered when the `CopyBlob` operation is **initiated** and not when the Block Blob is completely committed. |

- |**Microsoft.Storage.BlobDeleted** |Triggered when a blob is deleted. <br>Specifically, this event is triggered when clients call the `DeleteBlob` operation that is available in the Blob REST API. |

- |**Microsoft.Storage.BlobTierChanged** |Triggered when the blob access tier is changed. Specifically, when clients call the `Set Blob Tier` operation that is available in the Blob REST API, this event is triggered after the tier change completes. |

-|**Microsoft.Storage.AsyncOperationInitiated** |Triggered when an operation involving moving or copying of data from the archive to hot or cool tiers is initiated. Specifically, this event is triggered either when clients call the `Set Blob Tier` API to move a blob from archive tier to hot or cool tier, or when clients call the `Copy Blob` API to copy data from a blob in the archive tier to a blob in the hot or cool tier.|

-### List of the events for Azure Data Lake Storage Gen 2 REST APIs

-These events are triggered if you enable a hierarchical namespace on the storage account, and clients use Azure Data Lake Storage Gen2 REST APIs. For more information bout Azure Data Lake Storage Gen2, see [Introduction to Azure Data Lake Storage Gen2](../storage/blobs/data-lake-storage-introduction.md).

-|Event name|Description|

-|-|--|

-|**Microsoft.Storage.BlobCreated** | Triggered when a blob is created or replaced. <br>Specifically, this event is triggered when clients use the `CreateFile` and `FlushWithClose` operations that are available in the Azure Data Lake Storage Gen2 REST API. |

-|**Microsoft.Storage.BlobDeleted** |Triggered when a blob is deleted. <br>Specifically, This event is also triggered when clients call the `DeleteFile` operation that is available in the Azure Data Lake Storage Gen2 REST API. |

-|**Microsoft.Storage.BlobRenamed**|Triggered when a blob is renamed. <br>Specifically, this event is triggered when clients use the `RenameFile` operation that is available in the Azure Data Lake Storage Gen2 REST API.|

-|**Microsoft.Storage.DirectoryCreated**|Triggered when a directory is created. <br>Specifically, this event is triggered when clients use the `CreateDirectory` operation that is available in the Azure Data Lake Storage Gen2 REST API.|

-|**Microsoft.Storage.DirectoryRenamed**|Triggered when a directory is renamed. <br>Specifically, this event is triggered when clients use the `RenameDirectory` operation that is available in the Azure Data Lake Storage Gen2 REST API.|

-|**Microsoft.Storage.DirectoryDeleted**|Triggered when a directory is deleted. <br>Specifically, this event is triggered when clients use the `DeleteDirectory` operation that is available in the Azure Data Lake Storage Gen2 REST API.|

-> [!NOTE]

-> For **Azure Data Lake Storage Gen2**, if you want to ensure that the **Microsoft.Storage.BlobCreated** event is triggered only when a Block Blob is completely committed, filter the event for the `FlushWithClose` REST API call. This API call triggers the **Microsoft.Storage.BlobCreated** event only after data is fully committed to a Block Blob. To learn how to create a filter, see [Filter events for Event Grid](./how-to-filter-events.md).

-### List of the events for SFTP APIs

-These events are triggered if you enable a hierarchical namespace on the storage account, and clients use SFTP APIs. For more information about SFTP support for Azure Blob Storage, see [SSH File Transfer Protocol (SFTP) in Azure Blob Storage](../storage/blobs/secure-file-transfer-protocol-support.md).

-|Event name|Description|

-|-|--|

-|**Microsoft.Storage.BlobCreated** |Triggered when a blob is created or overwritten. <br>Specifically, this event is triggered when clients use the `put` operation, which corresponds to the `SftpCreate` and `SftpCommit` APIs. An empty blob is created when the file is opened and the uploaded contents are committed when the file is closed.|

-|**Microsoft.Storage.BlobDeleted** |Triggered when a blob is deleted. <br>Specifically, this event is also triggered when clients call the `rm` operation, which corresponds to the `SftpRemove` API.|

-|**Microsoft.Storage.BlobRenamed**|Triggered when a blob is renamed. <br>Specifically, this event is triggered when clients use the `rename` operation on files, which corresponds to the `SftpRename` API.|

-|**Microsoft.Storage.DirectoryCreated**|Triggered when a directory is created. <br>Specifically, this event is triggered when clients use the `mkdir` operation, which corresponds to the `SftpMakeDir` API.|

-|**Microsoft.Storage.DirectoryRenamed**|Triggered when a directory is renamed. <br>Specifically, this event is triggered when clients use the `rename` operation on a directory, which corresponds to the `SftpRename` API.|

-|**Microsoft.Storage.DirectoryDeleted**|Triggered when a directory is deleted. <br>Specifically, this event is triggered when clients use the `rmdir` operation, which corresponds to the `SftpRemoveDir` API.|

-### List of policy-related events

-These events are triggered when the actions defined by a policy are performed.

- |Event name |Description|

- |-|--|

- |**Microsoft.Storage.BlobInventoryPolicyCompleted** |Triggered when the inventory run completes for a rule that is defined an inventory policy . This event also occurs if the inventory run fails with a user error before it starts to run. For example, an invalid policy, or an error that occurs when a destination container is not present will trigger the event. |

- |**Microsoft.Storage.LifecyclePolicyCompleted** |Triggered when the actions defined by a lifecycle management policy are performed. |

-## Example events

-When an event is triggered, the Event Grid service sends data about that event to subscribing endpoint. This section contains an example of what that data would look like for each blob storage event.

-### Microsoft.Storage.BlobCreated event (Data Lake Storage Gen2)

-If the blob storage account has a hierarchical namespace, the data looks similar to the previous example with an exception of these changes:

-* The `dataVersion` key is set to a value of `2`.

-* The `data.api` key is set to the string `CreateFile` or `FlushWithClose`.

-* The `contentOffset` key is included in the data set.

-> [!NOTE]

-> If applications use the `PutBlockList` operation to upload a new blob to the account, the data won't contain these changes.

- "subject": "/blobServices/default/containers/my-file-system/blobs/new-file.txt",

- "eventType": "Microsoft.Storage.BlobCreated",

- "eventTime": "2017-06-26T18:41:00.9584103Z",

- "id": "831e1650-001e-001b-66ab-eeb76e069631",

- "api": "CreateFile",

- "clientRequestId": "6d79dbfb-0e37-4fc4-981f-442c9ca65760",

- "requestId": "831e1650-001e-001b-66ab-eeb76e000000",

- "eTag": "\"0x8D4BCC2E4835CD0\"",

- "contentLength": 0,

- "contentOffset": 0,

- "url": "https://my-storage-account.dfs.core.windows.net/my-file-system/new-file.txt",

- "sequencer": "00000000000004420000000000028963",

- "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0"

- "dataVersion": "2",

-### Microsoft.Storage.BlobCreated event (SFTP)

-If the blob storage account uses SFTP to create or overwrite a blob, then the data looks similar to the previous example with an exception of these changes:

-* The `dataVersion` key is set to a value of `3`.

-* The `data.api` key is set to the string `SftpCreate` or `SftpCommit`.

-* The `clientRequestId` key is not included.

-* The `contentType` key is set to `application/octet-stream`.

-* The `contentOffset` key is included in the data set.

-* The `identity` key is included in the data set. This corresponds to the local user used for SFTP authentication.

-> [!NOTE]

-> SFTP uploads will generate 2 events. One `SftpCreate` for an initial empty blob created when opening the file and one `SftpCommit` when the file contents are written.

- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",

- "subject": "/blobServices/default/containers/testcontainer/blobs/new-file.txt",

- "eventType": "Microsoft.Storage.BlobCreated",

- "eventTime": "2022-04-25T19:13:00.1522383Z",

- "api": "SftpCommit",

- "contentType": "application/octet-stream",

- "contentLength": 0,

- "contentOffset": 0,

- "identity":"localuser",

- "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0"

- "dataVersion": "3",

- "metadataVersion": "1"

- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",

- "eventType": "Microsoft.Storage.BlobDeleted",

- "eventTime": "2017-11-07T20:09:22.5674003Z",

- "dataVersion": "",

- "metadataVersion": "1"

-### Microsoft.Storage.BlobDeleted event (Data Lake Storage Gen2)

-If the blob storage account has a hierarchical namespace, the data looks similar to the previous example with an exception of these changes:

-* The `data.api` key is set to the string `DeleteFile`.

-* The `url` key contains the path `dfs.core.windows.net`.

-> If applications use the `DeleteBlob` operation to delete a blob from the account, the data won't contain these changes.

- "subject": "/blobServices/default/containers/my-file-system/blobs/file-to-delete.txt",

- "eventType": "Microsoft.Storage.BlobDeleted",

- "data": {

- "api": "DeleteFile",

- "url": "https://my-storage-account.dfs.core.windows.net/my-file-system/file-to-delete.txt",

-### Microsoft.Storage.BlobDeleted event (SFTP)

-If the blob storage account uses SFTP to delete a blob, then the data looks similar to the previous example with an exception of these changes:

-* The `data.api` key is set to the string `SftpRemove`.

-* The `clientRequestId` key is not included.

-* The `contentType` key is set to `application/octet-stream`.

-* The `identity` key is included in the data set. This corresponds to the local user used for SFTP authentication.

- "subject": "/blobServices/default/containers/testcontainer/blobs/new-file.txt",

- "eventTime": "2022-04-25T19:13:00.1522383Z",

- "data": {

- "api": "SftpRemove",

- "url": "https://my-storage-account.blob.core.windows.net/testcontainer/new-file.txt",

- "identity":"localuser",

-### Microsoft.Storage.BlobTierChanged event

-```json

-{

- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",

- "subject": "/blobServices/default/containers/testcontainer/blobs/Auto.jpg",

- "eventType": "Microsoft.Storage.BlobTierChanged",

- "id": "0fdefc06-b01e-0034-39f6-4016610696f6",

- "data": {

- "api": "SetBlobTier",

- "clientRequestId": "68be434c-1a0d-432f-9cd7-1db90bff83d7",

- "requestId": "0fdefc06-b01e-0034-39f6-401661000000",

- "contentType": "image/jpeg",

- "contentLength": 105891,

- "blobType": "BlockBlob",

- "url": "https://my-storage-account.blob.core.windows.net/testcontainer/Auto.jpg",

- "sequencer": "000000000000000000000000000089A4000000000018d6ea",

- "storageDiagnostics": {

- "batchId": "3418f7a9-7006-0014-00f6-406dc6000000"

- }

- },

- "dataVersion": "",

- "metadataVersion": "1",

- "eventTime": "2021-05-04T15:00:00.8350154Z"

-}

-```

-### Microsoft.Storage.AsyncOperationInitiated event

-```json

-{

- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",

- "subject": "/blobServices/default/containers/testcontainer/blobs/00000.avro",

- "eventType": "Microsoft.Storage.AsyncOperationInitiated",

- "id": "8ea4e3f2-101e-003d-5ff4-4053b2061016",

- "data": {

- "api": "SetBlobTier",

- "clientRequestId": "777fb4cd-f890-4c5b-b024-fb47300bae62",

- "requestId": "8ea4e3f2-101e-003d-5ff4-4053b2000000",

- "contentType": "application/octet-stream",

- "contentLength": 3660,

- "blobType": "BlockBlob",

- "url": "https://my-storage-account.blob.core.windows.net/testcontainer/00000.avro",

- "sequencer": "000000000000000000000000000089A4000000000018c6d7",

- "storageDiagnostics": {

- "batchId": "34128c8a-7006-0014-00f4-406dc6000000"

- }

- },

- "dataVersion": "",

- "metadataVersion": "1",

- "eventTime": "2021-05-04T14:44:59.3204652Z"

-}

-```

-### Microsoft.Storage.BlobRenamed event

-### Microsoft.Storage.BlobRenamed event (SFTP)

-If the blob storage account uses SFTP to rename a blob, then the data looks similar to the previous example with an exception of these changes:

-* The `data.api` key is set to the string `SftpRename`.

-* The `clientRequestId` key is not included.

-* The `identity` key is included in the data set. This corresponds to the local user used for SFTP authentication.

- "subject": "/blobServices/default/containers/testcontainer/blobs/my-renamed-file.txt",

- "eventType": "Microsoft.Storage.BlobRenamed",

- "eventTime": "2022-04-25T19:13:00.1522383Z",

- "api": "SftpRename",

- "destinationUrl": "https://my-storage-account.blob.core.windows.net/testcontainer/my-renamed-file.txt",

- "sourceUrl": "https://my-storage-account.blob.core.windows.net/testcontainer/my-original-file.txt",

- "identity":"localuser",

-### Microsoft.Storage.DirectoryCreated event

- "subject": "/blobServices/default/containers/my-file-system/blobs/my-new-directory",

- "eventType": "Microsoft.Storage.DirectoryCreated",

- "api": "CreateDirectory",

- "url": "https://my-storage-account.dfs.core.windows.net/my-file-system/my-new-directory",

-### Microsoft.Storage.DirectoryCreated event (SFTP)

-If the blob storage account uses SFTP to create a directory, then the data looks similar to the previous example with an exception of these changes:

-* The `dataVersion` key is set to a value of `2`.

-* The `data.api` key is set to the string `SftpMakeDir`.

-* The `clientRequestId` key is not included.

-* The `identity` key is included in the data set. This corresponds to the local user used for SFTP authentication.

- "subject": "/blobServices/default/containers/testcontainer/blobs/my-new-directory",

- "eventType": "Microsoft.Storage.DirectoryCreated",

- "eventTime": "2022-04-25T19:13:00.1522383Z",

- "api": "SftpMakeDir",

- "url": "https://my-storage-account.blob.core.windows.net/testcontainer/my-new-directory",

- "identity":"localuser",

- "dataVersion": "2",

-### Microsoft.Storage.DirectoryRenamed event

- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",

- "subject": "/blobServices/default/containers/my-file-system/blobs/my-renamed-directory",

- "eventType": "Microsoft.Storage.DirectoryRenamed",

- "eventTime": "2017-06-26T18:41:00.9584103Z",

- "api": "RenameDirectory",

- "destinationUrl": "https://my-storage-account.dfs.core.windows.net/my-file-system/my-renamed-directory",

- "sourceUrl": "https://my-storage-account.dfs.core.windows.net/my-file-system/my-original-directory",

- "dataVersion": "1",

- "metadataVersion": "1"

-### Microsoft.Storage.DirectoryRenamed event (SFTP)

-If the blob storage account uses SFTP to rename a directory, then the data looks similar to the previous example with an exception of these changes:

-* The `data.api` key is set to the string `SftpRename`.

-* The `clientRequestId` key is not included.

-* The `identity` key is included in the data set. This corresponds to the local user used for SFTP authentication.

- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",

- "subject": "/blobServices/default/containers/testcontainer/blobs/my-renamed-directory",

- "eventType": "Microsoft.Storage.DirectoryRenamed",

- "eventTime": "2022-04-25T19:13:00.1522383Z",

- "data": {

- "api": "SftpRename",

- "destinationUrl": "https://my-storage-account.blob.core.windows.net/testcontainer/my-renamed-directory",

- "sourceUrl": "https://my-storage-account.blob.core.windows.net/testcontainer/my-original-directory",

- "identity":"localuser",

- "dataVersion": "1",

- "metadataVersion": "1"

-### Microsoft.Storage.DirectoryDeleted event

- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",

- "subject": "/blobServices/default/containers/my-file-system/blobs/directory-to-delete",

- "eventType": "Microsoft.Storage.DirectoryDeleted",

- "eventTime": "2017-06-26T18:41:00.9584103Z",

- "api": "DeleteDirectory",

- "url": "https://my-storage-account.dfs.core.windows.net/my-file-system/directory-to-delete",

- "recursive": "true",

- "dataVersion": "1",

- "metadataVersion": "1"

-### Microsoft.Storage.DirectoryDeleted event (SFTP)

-If the blob storage account uses SFTP to delete a directory, then the data looks similar to the previous example with an exception of these changes:

-* The `data.api` key is set to the string `SftpRemoveDir`.

-* The `clientRequestId` key is not included.

-* The `identity` key is included in the data set. This corresponds to the local user used for SFTP authentication.

- "topic": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",

- "subject": "/blobServices/default/containers/testcontainer/blobs/directory-to-delete",

- "eventType": "Microsoft.Storage.DirectoryDeleted",

- "eventTime": "2022-04-25T19:13:00.1522383Z",

- "api": "SftpRemoveDir",

- "url": "https://my-storage-account.blob.core.windows.net/testcontainer/directory-to-delete",

- "recursive": "false",

- "identity":"localuser",

- "dataVersion": "1",

- "metadataVersion": "1"

-### Microsoft.Storage.BlobInventoryPolicyCompleted event

-{

- "topic": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/BlobInventory/providers/Microsoft.EventGrid/topics/BlobInventoryTopic",

- "subject": "BlobDataManagement/BlobInventory",

- "eventType": "Microsoft.Storage.BlobInventoryPolicyCompleted",

- "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "scheduleDateTime": "2021-05-28T03:50:27Z",

- "accountName": "testaccount",

- "ruleName": "Rule_1",

- "policyRunStatus": "Succeeded",

- "policyRunStatusMessage": "Inventory run succeeded, refer manifest file for inventory details.",

- "policyRunId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "manifestBlobUrl": "https://testaccount.blob.core.windows.net/inventory-destination-container/2021/05/26/13-25-36/Rule_1/Rule_1.csv"

- "dataVersion": "1.0",

- "metadataVersion": "1",

- "eventTime": "2021-05-28T15:03:18Z"

-}

-### Microsoft.Storage.LifecyclePolicyCompleted event

-```json

-{

- "topic": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/contosoresourcegroup/providers/Microsoft.Storage/storageAccounts/contosostorageaccount",

- "subject": "BlobDataManagement/LifeCycleManagement/SummaryReport",

- "eventType": "Microsoft.Storage.LifecyclePolicyCompleted",

- "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",

- "data": {

- "scheduleTime": "2022/05/24 22:57:29.3260160",

- "deleteSummary": {

- "totalObjectsCount": 16,

- "successCount": 14,

- "errorList": ""

- },

- "tierToCoolSummary": {

- "totalObjectsCount": 0,

- "successCount": 0,

- "errorList": ""

- },

- "tierToArchiveSummary": {

- "totalObjectsCount": 0,

- "successCount": 0,

- "errorList": ""

- }

- },

- "dataVersion": "1",

- "metadataVersion": "1",

- "eventTime": "2022-05-26T00:00:40.1880331"

-}

-```

-# [Cloud event schema](#tab/cloud-event-schema)

-### Microsoft.Storage.BlobCreated event

- "subject": "/blobServices/default/containers/test-container/blobs/new-file.txt",

- "type": "Microsoft.Storage.BlobCreated",

- "api": "PutBlockList",

- "eTag": "\"0x8D4BCC2E4835CD0\"",

- "contentType": "text/plain",

- "contentLength": 524288,

- "blobType": "BlockBlob",

- "url": "https://my-storage-account.blob.core.windows.net/testcontainer/new-file.txt",

- "sequencer": "00000000000004420000000000028963",

- "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0"

-### Microsoft.Storage.BlobCreated event (Data Lake Storage Gen2)

-If the blob storage account has a hierarchical namespace, the data looks similar to the previous example with an exception of these changes:

-* The `data.api` key is set to the string `CreateFile` or `FlushWithClose`.

-> If applications use the `PutBlockList` operation to upload a new blob to the account, the data won't contain these changes.

- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",

- "subject": "/blobServices/default/containers/my-file-system/blobs/new-file.txt",

- "type": "Microsoft.Storage.BlobCreated",

- "time": "2017-06-26T18:41:00.9584103Z",

- "api": "CreateFile",

- "clientRequestId": "6d79dbfb-0e37-4fc4-981f-442c9ca65760",

- "contentType": "text/plain",

- "url": "https://my-storage-account.dfs.core.windows.net/my-file-system/new-file.txt",

- "sequencer": "00000000000004420000000000028963",

- "specversion": "1.0"

-### Microsoft.Storage.BlobDeleted event

- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",

- "subject": "/blobServices/default/containers/testcontainer/blobs/file-to-delete.txt",

- "type": "Microsoft.Storage.BlobDeleted",

- "time": "2017-11-07T20:09:22.5674003Z",

- "id": "4c2359fe-001e-00ba-0e04-58586806d298",

- "api": "DeleteBlob",

- "requestId": "4c2359fe-001e-00ba-0e04-585868000000",

- "url": "https://my-storage-account.blob.core.windows.net/testcontainer/file-to-delete.txt",

- "sequencer": "0000000000000281000000000002F5CA",

- "batchId": "b68529f3-68cd-4744-baa4-3c0498ec19f0"

- "specversion": "1.0"

-### Microsoft.Storage.BlobDeleted event (Data Lake Storage Gen2)

-If the blob storage account has a hierarchical namespace, the data looks similar to the previous example with an exception of these changes:

-* The `data.api` key is set to the string `DeleteFile`.

-* The `url` key contains the path `dfs.core.windows.net`.

-> [!NOTE]

-> If applications use the `DeleteBlob` operation to delete a blob from the account, the data won't contain these changes.

- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",

- "subject": "/blobServices/default/containers/my-file-system/blobs/file-to-delete.txt",

- "type": "Microsoft.Storage.BlobDeleted",

- "time": "2017-06-26T18:41:00.9584103Z",

- "data": {

- "api": "DeleteFile",

- "clientRequestId": "6d79dbfb-0e37-4fc4-981f-442c9ca65760",

- "contentType": "text/plain",

- "blobType": "BlockBlob",

- "url": "https://my-storage-account.dfs.core.windows.net/my-file-system/file-to-delete.txt",

- "specversion": "1.0"

-### Microsoft.Storage.BlobRenamed event

- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",

- "subject": "/blobServices/default/containers/my-file-system/blobs/my-renamed-file.txt",

- "type": "Microsoft.Storage.BlobRenamed",

- "time": "2017-06-26T18:41:00.9584103Z",

- "api": "RenameFile",

- "clientRequestId": "6d79dbfb-0e37-4fc4-981f-442c9ca65760",

- "destinationUrl": "https://my-storage-account.dfs.core.windows.net/my-file-system/my-renamed-file.txt",

- "sourceUrl": "https://my-storage-account.dfs.core.windows.net/my-file-system/my-original-file.txt",

- "specversion": "1.0"

-### Microsoft.Storage.DirectoryCreated event

- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",

- "subject": "/blobServices/default/containers/my-file-system/blobs/my-new-directory",

- "type": "Microsoft.Storage.DirectoryCreated",

- "time": "2017-06-26T18:41:00.9584103Z",

- "api": "CreateDirectory",

- "clientRequestId": "6d79dbfb-0e37-4fc4-981f-442c9ca65760",

- "url": "https://my-storage-account.dfs.core.windows.net/my-file-system/my-new-directory",

- "specversion": "1.0"

-### Microsoft.Storage.DirectoryRenamed event

- "source": "/subscriptions/{subscription-id}/resourceGroups/Storage/providers/Microsoft.Storage/storageAccounts/my-storage-account",

- "subject": "/blobServices/default/containers/my-file-system/blobs/my-renamed-directory",

- "type": "Microsoft.Storage.DirectoryRenamed",

- "time": "2017-06-26T18:41:00.9584103Z",

- "api": "RenameDirectory",

- "clientRequestId": "6d79dbfb-0e37-4fc4-981f-442c9ca65760",

- "destinationUrl": "https://my-storage-account.dfs.core.windows.net/my-file-system/my-renamed-directory",

- "sourceUrl": "https://my-storage-account.dfs.core.windows.net/my-file-system/my-original-directory",

- "specversion": "1.0"

-### Microsoft.Storage.DirectoryDeleted event

-```json

-[{

- "subject": "/blobServices/default/containers/my-file-system/blobs/directory-to-delete",

- "time": "2017-06-26T18:41:00.9584103Z",

- "api": "DeleteDirectory",

- "clientRequestId": "6d79dbfb-0e37-4fc4-981f-442c9ca65760",

- "url": "https://my-storage-account.dfs.core.windows.net/my-file-system/directory-to-delete",

- "recursive": "true",

- that sets the compliance states for targeted resources in a manual policy. You can only have one

- attestation on one resource for an individual policy. In preview, Attestations are available

-only through the Azure Resource Manager (ARM) API.

-Below is an example of creating a new attestation resource:

-```http

-PUT http://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.PolicyInsights/attestations/{name}?api-version=2019-10-01

-```

-#### Request body

-Below is a sample attestation resource JSON object:

-```json

-"properties": {

- "policyAssignmentId": "/subscriptions/{subscriptionID}/providers/microsoft.authorization/policyassignments/{assignmentID}",

- "policyDefinitionReferenceId": "{definitionReferenceID}",

- "complianceState": "Compliant",

- "expiresOn": "2023-07-14T00:00:00Z",

- "owner": "{AADObjectID}",

- "comments": "This subscription has passed a security audit. See attached details for evidence",

- "evidence": [

- {

- "description": "The results of the security audit.",

- "sourceUri": "https://gist.github.com/contoso/9573e238762c60166c090ae16b814011"

- },

- {

- "description": "Description of the attached evidence document.",

- "sourceUri": "https://storagesamples.blob.core.windows.net/sample-container/contingency_evidence_adendum.docx"

- },

- ],

-}

-```

-|Property |Description |

-|||

-|policyAssignmentId |Required assignment ID for which the state is being set. |

-|policyDefinitionReferenceId |Optional definition reference ID, if within a policy initiative. |

-|complianceState |Desired state of the resources. Allowed values are `Compliant`, `NonCompliant`, and `Unknown`. |

-|owner |Optional Azure AD object ID of responsible party. |

-|comments |Optional description of why state is being set. |

-|evidence |Optional link array for attestation evidence. |

-Because attestations are a separate resource from policy assignments, they have their own lifecycle. You can PUT, GET and DELETE attestations by using the ARM API. See the [Policy REST API Reference](/rest/api/policy) for more details.

-[Learn how to use SQLLine with Apache HBase](apache-hbase-query-with-phoenix.md)

-clientsecret=$(az ad app credential reset --id $clientid --append --credential-description $clientsecretname --years $clientsecretduration --query password --output tsv)

-Gathering your industrial and business data onto an IoT Hub lets you store your data securely, perform business and efficiency analyses on it, and generate reports from it. You can process your combined data with Microsoft Azure services and tools, for example [Azure Stream Analytics](https://docs.microsoft.com/azure/stream-analytics), or visualize in your Business Intelligence platform of choice such as [Power BI](https://powerbi.microsoft.com).

-| Key Vault Secrets User | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e6 |

-### Locate and copy lab plan or lab account resource ID

-To add extra capacity to an existing lab, you must specify the lab's resource ID when you make the request.

-Use the following steps to locate and copy the resource ID so that you can paste it into your support request.

-1. In the [Azure portal](https://portal.azure.com), navigate to the lab plan or lab account you want to add cores to.

-1. Paste the Resource ID into a document for safekeeping; you'll need it to complete the support request.

-The information required for the lab accounts used in original version of Lab Services (May 2019) and the lab plans used in the updated version of Lab Services (August 2022) is different. Use the appropriate tab below to guide you as you complete the **Quota details**.

-#### [Lab Accounts](#tab/LabAccounts/)

- |**Is this for an existing lab or to create a new lab?**|Select **Existing lab** or **New lab**. </br> If you're adding cores to an existing lab, enter the lab's resource ID.|

- |**What's the month-by-month usage plan for the requested cores?**|Enter the rate at which you want to add the extra cores.|

-#### [Lab Plans](#tab/Labplans/)

- |**What is the month-by-month usage plan for the requested cores?**|Enter the rate at which you want to add the extra cores.|

- "name": "Basic",

- "publicIPAllocationMethod": "Dynamic",

- * **Sku** - You can change the sku of the public IP in the configuration from standard to basic or basic to standard by altering the **sku** > **name** property in the **\<resource-group-name>.json** file:

- "name": "Basic",

- * **Public IP allocation method** and **Idle timeout** - You can change both of these options in the template by altering the **publicIPAllocationMethod** property from **Dynamic** to **Static** or **Static** to **Dynamic**. The idle timeout can be changed by altering the **idleTimeoutInMinutes** property to your desired amount. The default is **4**:

- "name": "Basic",

- "publicIPAllocationMethod": "Dynamic",

-In logic app workflows, some triggers and actions support using a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) to authenticate access to resources protected by Azure Active Directory (Azure AD). This identity was previously known as a *Managed Service Identity (MSI)*. When you enable your logic app resource to use a managed identity for authentication, you don't have to provide credentials, secrets, or Azure AD tokens. Azure manages this identity and helps keep authentication information secure because you don't have to manage this sensitive information.

-Azure Logic Apps supports the [*system-assigned* managed identity](../active-directory/managed-identities-azure-resources/overview.md) and the [*user-assigned* managed identity](../active-directory/managed-identities-azure-resources/overview.md), but the following differences exist between these identity types:

-* Based on your logic app resource type, you can enable either the system-assigned identity, user-assigned identity, or both at the same time:

- | Logic app resource type | Environment | Managed identity support |

- |-|-|--|

- | Consumption | - Multi-tenant Azure Logic Apps <p><p>- Integration service environment (ISE) | - You can enable *either* the system-assigned identity type *or* the user-assigned identity type on your logic app resource. <p>- If enabled with the user-assigned identity type, your logic app resource can have *only a single user-assigned identity* at any one time. <p>- You can use the identity at the logic app resource level and at the connection level. |

- | Standard | - Single-tenant Azure Logic Apps <p><p>- App Service Environment v3 (ASEv3) <p><p>- Azure Arc enabled Logic Apps | - You can enable *both* the system-assigned identity type, which is enabled by default, *and* the user-assigned identity type at the same time. <p>- Your logic app resource can have *multiple* user-assigned identities at the same time. <p>- You can use the identity at the logic app resource level and at the connection level. |

- ||||

-To learn more about managed identity limits in Azure Logic Apps, review [Limits on managed identities for logic apps](logic-apps-limits-and-config.md#managed-identity). For more information about the Consumption and Standard logic app resource types and environments, review the following documentation:

-The following table lists the operations where you can use either the system-assigned managed identity or user-assigned managed identity in the **Logic App (Consumption)** resource type:

-| Operation type | Supported operations |

-| Managed connector | - Azure AD <br>- Azure AD Identity Protection <br>- Azure App Service <br>- Azure Automation <br>- Azure Blob Storage <br>- Azure Container Instance <br>- Azure Cosmos DB <br>- Azure Data Explorer <br>- Azure Data Factory <br>- Azure Data Lake <br>- Azure Event Grid <br>- Azure Event Hubs <br>- Azure IoT Central V2 <br>- Azure IoT Central V3 <br>- Azure Key Vault <br>- Azure Log Analytics <br>- Azure Queues <br>- Azure Resource Manager <br>- Azure Service Bus <br>- Azure Sentinel <br>- Azure VM <br>- HTTP with Azure AD <br>- SQL Server |

-|||

-The following table lists the operations where you can use both the system-assigned managed identity and multiple user-assigned managed identities in the **Logic App (Standard)** resource type:

-| Operation type | Supported operations |

-| Built-in | - HTTP <br>- HTTP + Webhook <p>**Note**: HTTP operations can authenticate connections to Azure Storage accounts behind Azure firewalls with the system-assigned identity. |

-|||

-This article shows how to enable and set up the system-assigned identity or user-assigned identity, based on whether you're using the **Logic App (Consumption)** or **Logic App (Standard)** resource type. Unlike the system-assigned identity, which you don't have to manually create, you *do* have to manually create the user-assigned identity. This article includes the steps to create the user-assigned identity using the Azure portal and Azure Resource Manager template (ARM template). For Azure PowerShell, Azure CLI, and Azure REST API, review the following documentation:

-| Tool | Documentation |

-|||

-| Azure PowerShell | [Create user-assigned identity](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-powershell.md) |

-| Azure CLI | [Create user-assigned identity](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli.md) |

-| Azure REST API | [Create user-assigned identity](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-rest.md) |

-|||

-* To give a managed identity access to an Azure resource, you need to add a role to the target resource for that identity. To add roles, you need [Azure AD administrator permissions](../active-directory/roles/permissions-reference.md) that can assign roles to identities in the corresponding Azure AD tenant.

-* The target Azure resource that you want to access. On this resource, you'll add a role for the managed identity, which helps the logic app resource or connection authenticate access to the target resource.

-* The logic app resource where you want to use the [trigger or actions that support managed identities](logic-apps-securing-a-logic-app.md#authentication-types-supported-triggers-actions).

-1. In the [Azure portal](https://portal.azure.com), open your logic app resource.

- ||||

-To automate creating and deploying logic app resources, you can use an [ARM template](logic-apps-azure-resource-manager-templates-overview.md). To enable the system-assigned managed identity for your logic app resource in the template, add the `identity` object and the `type` child property to the logic app's resource definition in the template, for example:

-1. In the Azure portal, open your logic app resource.

-|||

-|||

- |||||

-||||

-|||||

-

- 

-

-

-

-|||

-|||

-## Authentication types for triggers and actions that support authentication

-The following table identifies the authentication types that are available on the triggers and actions where you can select an authentication type:

-| Authentication type | Supported triggers and actions |

-||--|

-| [Active Directory OAuth](#azure-active-directory-oauth-authentication) | Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP + Swagger, HTTP Webhook |

-| [Managed identity](#managed-identity-authentication) | **Consumption logic app**: <br><br>- **Built-in**: Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP Webhook <p><p>- **Managed connector**: Azure AD, Azure AD Identity Protection, Azure App Service, Azure Automation, Azure Blob Storage, Azure Container Instance, Azure Cosmos DB, Azure Data Explorer, Azure Data Factory, Azure Data Lake, Azure Event Grid, Azure Event Hubs, Azure IoT Central V2, Azure IoT Central V3, Azure Key Vault, Azure Log Analytics, Azure Queues, Azure Resource Manager, Azure Service Bus, Azure Sentinel, Azure VM, HTTP with Azure AD, SQL Server <p><p>___________________________________________________________________________________________<p><p>**Standard logic app**: <p><p>- **Built-in**: HTTP, HTTP Webhook <p><p>- **Managed connector**: Azure AD, Azure AD Identity Protection, Azure App Service, Azure Automation, Azure Blob Storage, Azure Container Instance, Azure Cosmos DB, Azure Data Explorer, Azure Data Factory, Azure Data Lake, Azure Event Grid, Azure Event Hubs, Azure IoT Central V2, Azure IoT Central V3, Azure Key Vault, Azure Log Analytics, Azure Queues, Azure Resource Manager, Azure Service Bus, Azure Sentinel, Azure VM, HTTP with Azure AD, SQL Server |

-|||

-See examples of classification and automated machine learning in these Python notebooks: [Fraud Detection](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/classification-credit-card-fraud/auto-ml-classification-credit-card-fraud.ipynb), [Marketing Prediction](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/classification-bank-marketing-all-features/auto-ml-classification-bank-marketing-all-features.ipynb), and [Newsgroup Data Classification](https://github.com/Azure/azureml-examples/tree/main/python-sdk/tutorials/automl-with-azureml/classification-text-dnn)

-See examples of regression and automated machine learning for predictions in these Python notebooks: [CPU Performance Prediction](https://github.com/Azure/azureml-examples/tree/main/python-sdk/tutorials/automl-with-azureml/regression-explanation-featurization),

-See examples of regression and automated machine learning for predictions in these Python notebooks: [Sales Forecasting](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-orange-juice-sales/auto-ml-forecasting-orange-juice-sales.ipynb), [Demand Forecasting](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-energy-demand/auto-ml-forecasting-energy-demand.ipynb), and [Forecasting GitHub's Daily Active Users](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-github-dau/auto-ml-forecasting-github-dau.ipynb).

-See how to convert to ONNX format [in this Jupyter notebook example](https://github.com/Azure/azureml-examples/tree/main/python-sdk/tutorials/automl-with-azureml/classification-bank-marketing-all-features). Learn which [algorithms are supported in ONNX](how-to-configure-auto-train.md#supported-algorithms).

-Review detailed code examples and use cases in the [GitHub notebook repository for automated machine learning samples](https://github.com/Azure/azureml-examples/tree/main/python-sdk/tutorials/automl-with-azureml).

-This [Jupyter notebook](https://github.com/Azure/azureml-examples/blob/sdk-preview/sdk/resources/workspace/workspace.ipynb) shows more ways to create an Azure ML workspace using SDK v2.

-This [Jupyter notebook](https://github.com/Azure/azureml-examples/blob/sdk-preview/sdk/resources/compute/compute.ipynb) shows more ways to create compute using SDK v2.

-This [Jupyter notebook](https://github.com/Azure/azureml-examples/blob/sdk-preview/sdk/resources/datastores/datastore.ipynb) shows more ways to create datastores using SDK v2.

-This [Jupyter notebook](https://github.com/Azure/azureml-examples/blob/sdk-preview/sdk/assets/environment/environment.ipynb) shows more ways to create custom environments using SDK v2.

-You can provision the workspace to use user-assigned managed identity, and grant the managed identity additional roles, for example to access your own Azure Container Registry for base Docker images. For more information, see [Use managed identities for access control](how-to-use-managed-identities.md).

-* [Use Azure AD managed identity with Azure Machine Learning](how-to-use-managed-identities.md)

-+ Try out [Python SDK v2 pipeline example](https://github.com/Azure/azureml-examples/tree/sdk-preview/sdk/jobs/pipelines)

-If you're getting started with MLflow in Azure Machine Learning, we recommend that you explore the [notebook examples about how to use MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/readme.md):

-* [Training and tracking an XGBoost classifier with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/train-with-mlflow/xgboost_classification_mlflow.ipynb): Demonstrates how to track experiments by using MLflow, log models, and combine multiple flavors into pipelines.

-* [Training and tracking an XGBoost classifier with MLflow using service principal authentication](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/train-with-mlflow/xgboost_service_principal.ipynb): Demonstrates how to track experiments by using MLflow from compute that's running outside Azure Machine Learning. It shows how to authenticate against Azure Machine Learning services by using a service principal.

-* [Hyper-parameter optimization using Hyperopt and nested runs in MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/train-with-mlflow/xgboost_nested_runs.ipynb): Demonstrates how to use child runs in MLflow to do hyper-parameter optimization for models by using the popular library Hyperopt. It shows how to transfer metrics, parameters, and artifacts from child runs to parent runs.

-* [Logging models with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/logging-models/logging_model_with_mlflow.ipynb): Demonstrates how to use the concept of models instead of artifacts with MLflow, including how to construct custom models.

-* [Manage runs and experiments with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/run-history/run_history.ipynb): Demonstrates how to query experiments, runs, metrics, parameters, and artifacts from Azure Machine Learning by using MLflow.

-* [Manage model registries with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/model-management/model_management.ipynb): Demonstrates how to manage models in registries by using MLflow.

-* [Deploying models with MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/no-code-deployment/deploying_with_mlflow.ipynb): Demonstrates how to deploy no-code models in MLflow format to a deployment target in Azure Machine Learning.

-* [Training models in Azure Databricks and deploying them on Azure Machine Learning](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/no-code-deployment/track_with_databricks_deploy_aml.ipynb): Demonstrates how to train models in Azure Databricks and deploy them in Azure Machine Learning. It also includes how to handle cases where you also want to track the experiments with the MLflow instance in Azure Databricks.

-* [Migrating models with a scoring script to MLflow](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/migrating-scoring-to-mlflow/scoring_to_mlmodel.ipynb): Demonstrates how to migrate models with scoring scripts to no-code deployment with MLflow.

-* [Using MLflow REST with Azure Machine Learning](https://github.com/Azure/azureml-examples/blob/main/notebooks/using-mlflow/using-rest-api/using_mlflow_rest_api.ipynb): Demonstrates how to work with the MLflow REST API when you're connected to Azure Machine Learning.

-For more information, [Work with models in Azure Machine Learning](how-to-manage-models.md).

->

-> Associating a dataset with a registered model is an optional step. For information on how to reference a dataset when you register a model, see the [Model](/python/api/azureml-core/azureml.core.model%28class%29) class reference.

-## Monitor for operational and machine learning issues

-Monitoring enables you to understand what data is being sent to your model, and the predictions that it returns.

-This information helps you understand how your model is being used. The collected input data might also be useful in training future versions of the model.

-For more information, see [Enable model data collection](v1/how-to-enable-data-collection.md).

-## Retrain your model on new data

-Often, you'll want to validate your model, update it, or even retrain it from scratch, as you receive new information. Sometimes, receiving new data is an expected part of the domain. Other times, as discussed in [Detect data drift (preview) on datasets](v1/how-to-monitor-datasets.md), model performance can degrade because of:

-There's no universal answer to "How do I know if I should retrain?" The Machine Learning event and monitoring tools previously discussed are good starting points for automation. After you've decided to retrain, you should:

-A theme of the preceding steps is that your retraining should be automated, not improvised. [Machine Learning pipelines](concept-ml-pipelines.md) are a good answer for creating workflows that relate to data preparation, training, validation, and deployment. Read [Retrain models with Machine Learning designer](how-to-retrain-designer.md) to see how pipelines and the Machine Learning designer fit into a retraining scenario.

-* [Machine Learning MLOps](https://aka.ms/mlops) repository

-* [Machine Learning MLOpsPython](https://github.com/Microsoft/MLOpspython) repository

-You can also use Azure Data Factory to create a data ingestion pipeline that prepares data for use with training. For more information, see [Data ingestion pipeline](v1/how-to-cicd-data-ingestion.md).

-[Kubernetes Cluster](./how-to-attach-kubernetes-anywhere.md) running behind an outbound proxy server or firewall needs extra network configuration. Configure the [Azure Arc network requirements](../azure-arc/kubernetes/quickstart-connect-cluster.md?tabs=azure-cli#meet-network-requirements) needed by Azure Arc agents. The following outbound URLs are also required for Azure Machine Learning,

-| __\*.azurecr.io__ | https:443 | Azure container registry, required to pull docker images used for machine learning workloads.|**&check;**|**&check;**|

-| __\*.blob.core.windows.net__ | https:443 | Azure blob storage, required to fetch machine learning project scripts,data or models, and upload job logs/outputs.|**&check;**|**&check;**|

-| __\*.workspace.\<region\>.api.azureml.ms__<br>__\<region\>.experiments.azureml.net__<br>__\<region\>.api.azureml.ms__ | https:443 | Azure Machine Learning service API.|**&check;**|**&check;**|

- az configure --defaults workspace=<Azure Machine Learning workspace name> group=<resource group>

-## Limitations

-* The identity for an endpoint is immutable. During endpoint creation, you can associate it with a system-assigned identity (default) or a user-assigned identity. You can't change the identity after the endpoint has been created.

-## Define configuration YAML file for deployment

-To deploy an online endpoint with the CLI, you need to define the configuration in a YAML file. For more information on the YAML schema, see [online endpoint YAML reference](reference-yaml-endpoint-online.md) document.

-The YAML files in the following examples are used to create online endpoints.

-# [System-assigned managed identity](#tab/system-identity)

-The following YAML example is located at `endpoints/online/managed/managed-identities/1-sai-create-endpoint`. The file,

-* Defines the name by which you want to refer to the endpoint, `my-sai-endpoint`.

-* Specifies the type of authorization to use to access the endpoint, `auth-mode: key`.

-This YAML example, `2-sai-deployment.yml`,

-* Specifies that the type of endpoint you want to create is an `online` endpoint.

-* Indicates that the endpoint has an associated deployment called `blue`.

-* Configures the details of the deployment such as, which model to deploy and which environment and scoring script to use.

-# [User-assigned managed identity](#tab/user-identity)

-The following YAML example is located at `endpoints/online/managed/managed-identities/1-uai-create-endpoint`. The file,

-* Defines the name by which you want to refer to the endpoint, `my-uai-endpoint`.

-* Specifies the type of authorization to use to access the endpoint, `auth-mode: key`.

-* Indicates the identity type to use, `type: user_assigned`

-This YAML example, `2-sai-deployment.yml`,

-* Specifies that the type of endpoint you want to create is an `online` endpoint.

-* Indicates that the endpoint has an associated deployment called `blue`.

-* Configures the details of the deployment such as, which model to deploy and which environment and scoring script to use.

-# [System-assigned managed identity](#tab/system-identity)

-# [User-assigned managed identity](#tab/user-identity)

-# [System-assigned managed identity](#tab/system-identity)

-# [User-assigned managed identity](#tab/user-identity)

-# [System-assigned managed identity](#tab/system-identity)

-# [User-assigned managed identity](#tab/user-identity)

-# [System-assigned managed identity](#tab/system-identity)

-# [User-assigned managed identity](#tab/user-identity)

-# [System-assigned managed identity](#tab/system-identity)

-# [User-assigned managed identity](#tab/user-identity)

-# [System-assigned managed identity](#tab/system-identity)

-> The init method in the scoring script reads the file from your storage account using the system assigned managed identity token.

-# [User-assigned managed identity](#tab/user-identity)

-> The init method in the scoring script reads the file from your storage account using the system assigned managed identity token.

-## Confirm your endpoint deployed successfully

-Once your online endpoint is deployed, confirm its operation. Details of inferencing vary from model to model. For this guide, the JSON query parameters look like:

-# [System-assigned managed identity](#tab/system-identity)

-# [User-assigned managed identity](#tab/user-identity)

-# [System-assigned managed identity](#tab/system-identity)

-# [User-assigned managed identity](#tab/user-identity)

-* Explore training job samples with SDK v2 -[https://github.com/Azure/azureml-examples/tree/main/sdk/jobs](https://github.com/Azure/azureml-examples/tree/main/sdk/jobs)

-* Explore model deployment with online endpoint samples with SDK v2 -[https://github.com/Azure/azureml-examples/tree/main/sdk/endpoints/online/kubernetes](https://github.com/Azure/azureml-examples/tree/main/sdk/endpoints/online/kubernetes)

-View a Python code example applying the [target rolling window aggregate feature](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-energy-demand/auto-ml-forecasting-energy-demand.ipynb).

-The [forecast_quantiles()](/python/api/azureml-train-automl-client/azureml.train.automl.model_proxy.modelproxy#forecast-quantiles-x-values--typing-any--y-values--typing-union-typing-any--nonetype-none--forecast-destination--typing-union-typing-any--nonetype-none--ignore-data-errors--boolfalse--azureml-data-abstract-dataset-abstractdataset) function allows specifications of when predictions should start, unlike the `predict()` method, which is typically used for classification and regression tasks. The forecast_quantiles() method by default generates a point forecast or a mean/median forecast which doesn't have a cone of uncertainty around it. Learn more in the [Forecasting away from training data notebook](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-forecast-function/auto-ml-forecasting-function.ipynb).

-You can calculate model metrics like, root mean squared error (RMSE) or mean absolute percentage error (MAPE) to help you estimate the models performance. See the Evaluate section of the [Bike share demand notebook](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-bike-share/auto-ml-forecasting-bike-share.ipynb) for an example.

-The following code demonstrates the key parameters users need to set up their many models run. See the [Many Models- Automated ML notebook](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-many-models/auto-ml-forecasting-many-models.ipynb) for a many models forecasting example

-The following code demonstrates the key parameters to set up your hierarchical time series forecasting runs. See the [Hierarchical time series- Automated ML notebook](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-hierarchical-timeseries/auto-ml-forecasting-hierarchical-timeseries.ipynb), for an end to end example.

-See the [forecasting sample notebooks](https://github.com/Azure/azureml-examples/tree/main/python-sdk/tutorials/automl-with-azureml) for detailed code examples of advanced forecasting configuration including:

-* [holiday detection and featurization](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-bike-share/auto-ml-forecasting-bike-share.ipynb)

-* [rolling-origin cross validation](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-energy-demand/auto-ml-forecasting-energy-demand.ipynb)

-* [configurable lags](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-bike-share/auto-ml-forecasting-bike-share.ipynb)

-* [rolling window aggregate features](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/forecasting-energy-demand/auto-ml-forecasting-energy-demand.ipynb)

-Training data is a required parameter and is passed in using the `training` key of the data section. You can optionally specify another MLtable as a validation data with the `validation` key. If no validation data is specified, 20% of your training data will be used for validation by default, unless you pass `validation_data_size` argument with a different value.

-Target column name is a required parameter and used as target for supervised ML task. It's passed in using the `target_column_name` key in the data section. For example,

-[!Notebook-python[] (~/azureml-examples-main/sdk/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=data-load)]

-If you wish to use the default hyperparameter values for a given algorithm (say yolov5), you can specify it using model_name key in image_model section. For example,

-image_model:

- model_name: "yolov5"

-If you wish to use the default hyperparameter values for a given algorithm (say yolov5), you can specify it using model_name parameter in set_image_model method of the task specific `automl` job. For example,

-image_object_detection_job.set_image_model(model_name="yolov5")

-Once you've built a baseline model, you might want to optimize model performance in order to sweep over the model algorithm and hyperparameter space. You can use the following sample config to sweep over the hyperparameters for each algorithm, choosing from a range of values for learning_rate, optimizer, lr_scheduler, etc., to generate a model with the optimal primary metric. If hyperparameter values aren't specified, then default values are used for the specified algorithm.

-### Experiment budget

-You can optionally specify the maximum time budget for your AutoML Vision training job using the `timeout` parameter in the `limits` - the amount of time in minutes before the experiment terminates. If none specified, default experiment timeout is seven days (maximum 60 days). For example,

- timeout: 60

-[!Notebook-python[] (~/azureml-examples-main/sdk/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=limit-settings)]

-> Currently only random sampling supports conditional hyperparameter spaces.

-### Resources for the sweep

-You can control the resources spent on your hyperparameter sweep by specifying the `max_trials` and the `max_concurrent_trials` for the sweep.

-Parameter | Detail

-`max_trials` | Required parameter for maximum number of configurations to sweep. Must be an integer between 1 and 1000. When exploring just the default hyperparameters for a given model algorithm, set this parameter to 1.

-`max_concurrent_trials`| Maximum number of runs that can run concurrently. If not specified, all runs launch in parallel. If specified, must be an integer between 1 and 100. <br><br> **NOTE:** The number of concurrent runs is gated on the resources available in the specified compute target. Ensure that the compute target has the available resources for the desired concurrency.

- limits:

- max_trials: 10

- max_concurrent_trials: 2

-[!Notebook-python[] (~/azureml-examples-main/sdk/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=sweep-settings)]

-image_model:

-[!Notebook-python[] (~/azureml-examples-main/sdk/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=pass-arguments)]

-image_model:

-To pass a checkpoint via the run ID, you need to use the `checkpoint_run_id` parameter in `set_image_model` function.

-image_object_detection_job.set_image_model(checkpoint_run_id=target_checkpoint_run_id)

-[!Notebook-python[] (~/azureml-examples-main/sdk/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=submit-run)]

-[!Notebook-python[] (~/azureml-examples-main/sdk/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=best_run)]

-[!Notebook-python[] (~/azureml-examples-main/sdk/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=create_local_dir)]

-[!Notebook-python[] (~/azureml-examples-main/sdk/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=download_model)]

-[!Notebook-python[] (~/azureml-examples-main/sdk/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=register_model)]

-[!Notebook-python[] (~/azureml-examples-main/sdk/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=endpoint)]

-[!Notebook-python[] (~/azureml-examples-main/sdk/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=create_endpoint)]

-[!Notebook-python[] (~/azureml-examples-main/sdk/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=deploy)]

-[!Notebook-python[] (~/azureml-examples-main/sdk/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=create_deploy)]

-[!Notebook-python[] (~/azureml-examples-main/sdk/jobs/automl-standalone-jobs/automl-image-object-detection-task-fridge-items/automl-image-object-detection-task-fridge-items.ipynb?name=update_traffic)]

-In the previous step, we downloaded a file `mlflow-model/artifacts/settings.json` from the best model. which can be used to update the inference settings before registering the model. Although its's recommended to use the same parameters as training for best performance.

-Review detailed code examples and use cases in the [GitHub notebook repository for automated machine learning samples](https://github.com/Azure/azureml-examples/tree/main/sdk/jobs/automl-standalone-jobs). Please check the folders with 'automl-image-' prefix for samples specific to building computer vision models.

-Review detailed code examples and use cases in the [GitHub notebook repository for automated machine learning samples](https://github.com/Azure/azureml-examples/tree/sdk-preview/sdk/jobs/automl-standalone-jobs).

- * [Install the `automl` package yourself](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/README.md#setup-using-a-local-conda-environment), which includes the [default installation](/python/api/overview/azure/ml/install#default-install) of the SDK.

-* [Multi-class text classification](https://github.com/Azure/azureml-examples/blob/main/sdk/jobs/automl-standalone-jobs/automl-nlp-text-classification-multiclass-task-sentiment-analysis/automl-nlp-text-classification-multiclass-task-sentiment.ipynb)

-https://github.com/Azure/azureml-examples/blob/main/sdk/jobs/automl-standalone-jobs/automl-nlp-text-classification-multilabel-task-paper-categorization/automl-nlp-text-classification-multilabel-task-paper-cat.ipynb)

-* [Named entity recognition](https://github.com/Azure/azureml-examples/blob/main/sdk/jobs/automl-standalone-jobs/automl-nlp-text-named-entity-recognition-task/automl-nlp-text-ner-task.ipynb)

-1. **Preprocessing and tokenization of all text columns**. For example, the "StringCast" transformer can be found in the final model's featurization summary. An example of how to produce the model's featurization summary can be found in [this notebook](https://github.com/Azure/azureml-examples/blob/main/python-sdk/tutorials/automl-with-azureml/classification-text-dnn/auto-ml-classification-text-dnn.ipynb).

-Follow [this link](https://github.com/Azure/azureml-examples/tree/sdk-preview/sdk/jobs/automl-standalone-jobs) for example notebooks of each task type.

-Below is a [sample pipeline](https://github.com/Azure/azureml-examples/tree/sdk-preview/sdk/jobs/pipelines/1h_automl_in_pipeline/automl-classification-bankmarketing-in-pipeline) with an AutoML classification component and a command component that shows the resulting AutoML output. Note how the inputs (training & validation data) and the outputs (best model) are referenced in different steps.

-# Note that the above is only a snippet from the bankmarketing example you can find in our examples repo -> https://github.com/Azure/azureml-examples/tree/sdk-preview/sdk/jobs/pipelines/1h_automl_in_pipeline/automl-classification-bankmarketing-in-pipeline

-For more examples on how to do include AutoML in your pipelines, please check out our [examples repo](https://github.com/Azure/azureml-examples/tree/sdk-preview/sdk/jobs/pipelines/1h_automl_in_pipeline/).

-+ While many sample notebooks are available, **only [these sample notebooks](https://github.com/Azure/azureml-examples/tree/main/python-sdk/tutorials/automl-with-databricks) work with Azure Databricks.**

-[!notebook-python[](~/azureml-examples-main/sdk/resources/compute/compute.ipynb?name=cluster_basic)]

-[!notebook-python[](~/azureml-examples-main/sdk/resources/compute/compute.ipynb?name=cluster_low_pri)]

-# [Python SDK](#tab/python)

-# [Azure CLI](#tab/azure-cli)

-### Create a new managed compute cluster with managed identity

-Use this command:

-```azurecli

-az ml compute create -f create-cluster.yml

-```

-Where the contents of *create-cluster.yml* are as follows:

-* User-assigned managed identity

- :::code language="yaml" source="~/azureml-examples-main/cli/resources/compute/cluster-user-identity.yml":::

-* System-assigned managed identity

- :::code language="yaml" source="~/azureml-examples-main/cli/resources/compute/cluster-system-identity.yml":::

-### Add a managed identity to an existing cluster

-To update an existing cluster:

-* User-assigned managed identity

- :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-mlcompute-update-to-user-identity.sh":::

-* System-assigned managed identity

- :::code language="azurecli" source="~/azureml-examples-main/cli/deploy-mlcompute-update-to-system-identity.sh":::

-# [Studio](#tab/azure-studio)

-During cluster creation or when editing compute cluster details, in the **Advanced settings**, toggle **Assign a managed identity** and specify a system-assigned identity or user-assigned identity.

-### Managed identity usage

-This article is based on the [image_classification_keras_minist_convnet.ipynb](https://github.com/Azure/azureml-examples/blob/sdk-preview/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet/image_classification_keras_minist_convnet.ipynb) notebook found in the `sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet` directory of the [AzureML Examples](https://github.com/azure/azureml-examples) repository.

-[!notebook-python[] (~/azureml-examples-main/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet/image_classification_keras_minist_convnet.ipynb?name=required-library)]

-[!notebook-python[] (~/azureml-examples-main/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet/image_classification_keras_minist_convnet.ipynb?name=define-input)]

-If you're following along with the example in the [AzureML Examples repo](https://github.com/Azure/azureml-examples/tree/sdk-preview/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet), the source files are already available in `prep/` folder. This folder contains two files to construct the component: `prep_component.py`, which defines the component and `conda.yaml`, which defines the run-time environment of the component.

-The source files of this component are under `train/` folder in the [AzureML Examples repo](https://github.com/Azure/azureml-examples/tree/sdk-preview/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet). This folder contains three files to construct the component:

-The `train.py` file contains a normal python function, which performs the training model logic to train a Keras neural network for image classification. You can find the code [here](https://github.com/Azure/azureml-examples/tree/sdk-preview/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet/train/train.py).

-If you're following along with the example in the [AzureML Examples repo](https://github.com/Azure/azureml-examples/tree/sdk-preview/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet), the source files are already available in `score/` folder. This folder contains three files to construct the component:

-The score component uses the same image and conda.yaml file as the train component. The source file is in the [sample repository](https://github.com/Azure/azureml-examples/blob/sdk-preview/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet/train/conda.yaml).

-[!notebook-python[] (~/azureml-examples-main/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet/image_classification_keras_minist_convnet.ipynb?name=load-from-dsl-component)]

-[!notebook-python[] (~/azureml-examples-main/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet/image_classification_keras_minist_convnet.ipynb?name=load-from-yaml)]

-[!notebook-python[] (~/azureml-examples-main/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet/image_classification_keras_minist_convnet.ipynb?name=build-pipeline)]

-[!notebook-python[] (~/azureml-examples-main/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet/image_classification_keras_minist_convnet.ipynb?name=credential)]

-[!notebook-python[] (~/azureml-examples-main/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet/image_classification_keras_minist_convnet.ipynb?name=workspace)]

-[!notebook-python[] (~/azureml-examples-main/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet/image_classification_keras_minist_convnet.ipynb?name=submit-pipeline)]

-[!notebook-python[] (~/azureml-examples-main/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet/image_classification_keras_minist_convnet.ipynb?name=stream-pipeline)]

-[!notebook-python[] (~/azureml-examples-main/sdk/jobs/pipelines/2e_image_classification_keras_minist_convnet/image_classification_keras_minist_convnet.ipynb?name=register-component)]

-* For more examples of how to build pipelines by using the machine learning SDK, see the [example repository](https://github.com/Azure/azureml-examples/tree/sdk-preview/sdk/jobs/pipelines).

-[!notebook-python[](~/azureml-examples-main/sdk/resources/compute/compute.ipynb?name=ci_basic)]

- [!notebook-python[](~/azureml-examples-main/sdk/resources/compute/compute.ipynb?name=ci_basic_state)]

- [!notebook-python[](~/azureml-examples-main/sdk/resources/compute/compute.ipynb?name=stop_compute)]

- [!notebook-python[](~/azureml-examples-main/sdk/resources/compute/compute.ipynb?name=start_compute)]

- [!notebook-python[](~/azureml-examples-main/sdk/resources/compute/compute.ipynb?name=restart_compute)]

- [!notebook-python[](~/azureml-examples-main/sdk/resources/compute/compute.ipynb?name=delete_compute)]

-> You can also reference an existing container registry or storage account in the Azure Resource Manager template, instead of creating a new one. When doing so, you must either [use a managed identity](how-to-use-managed-identities.md) (preview), or [enable the admin account](../container-registry/container-registry-authentication.md#admin-account) for the container registry.

-For other example scripts, see [azureml-examples](https://github.com/Azure/azureml-examples/tree/main/setup-ci).

-The examples in this article can be found in the [Debug online endpoints locally in Visual Studio Code](https://github.com/Azure/azureml-examples/blob/main/sdk/endpoints/online/managed/debug-online-endpoints-locally-in-visual-studio-code.ipynb) notebook within the[azureml-examples](https://github.com/azure/azureml-examples) repository. To run the code locally, clone the repo and then change directories to the notebook's parent directory `sdk/endpoints/online/managed`.

-We will send a sample request using a json file. The sample json is in the [example repository](https://github.com/Azure/azureml-examples/tree/main/sdk/endpoints/online/custom-container).

-We'll send a sample request using a [json](https://github.com/Azure/azureml-examples/blob/main/sdk/endpoints/online/model-1/sample-request.json) file.

-* Explore online endpoint samples - [https://github.com/Azure/azureml-examples/tree/main/sdk/endpoints](https://github.com/Azure/azureml-examples/tree/main/sdk/endpoints)

- * Alternatively, you can create a new local Conda environment on your local machine and then install the latest Azure ML SDK. [How to install AutoML client SDK in Conda environment with the `automl` package](https://github.com/Azure/azureml-examples/tree/main/python-sdk/tutorials/automl-with-azureml#setup-using-a-local-conda-environment).

-Certain machine learning scenarios involve training models with private data. In such cases, data scientists need to run training workflows without being exposed to the confidential input data. In this scenario, a [managed identity](how-to-use-managed-identities.md) of the training compute is used for data access authentication. This approach allows storage admins to grant Storage Blob Data Reader access to the managed identity that the training compute uses to run the training job. The individual data scientists don't need to be granted access. For more information, see [Set up managed identity on a compute cluster](how-to-create-attach-compute-cluster.md#set-up-managed-identity).