-$replicaSet = New-AzADDomainServiceReplicaSet @replicaSetParams

- * SharePoint administrator

-## Step 2: Configure authentication binding policy

-## Step 3: Configure username binding policy

-## Step 4: Enable CBA on the tenant

-To enable the certificate-based authentication in the Azure MyApps portal, complete the following steps:

-1. Sign in to the [MyApps portal](https://myapps.microsoft.com/) as an Authentication Policy Administrator.

-1. Select **Azure Active Directory**, then choose **Security** from the menu on the left-hand side.

-1. Under **Manage**, select **Authentication methods** > **Certificate-based Authentication**.

-1. Under **Basics**, select **Yes** to enable CBA.

-1. CBA can be enabled for a targeted set of users.

- 1. Click **All users** to enable all users.

- 1. Click **Select users** to enable selected users or groups.

- 1. Click **+ Add users**, select specific users and groups.

- 1. Click **Select** to add them.

- :::image type="content" border="true" source="./media/how-to-certificate-based-authentication/enable.png" alt-text="Screenshot of how to enable CBA.":::

-

-Once certificate-based authentication is enabled on the tenant, all users in the tenant will see the option to sign in with a certificate. Only users who are enabled for certificate-based authentication will be able to authenticate using the X.509 certificate.

->[!NOTE]

->The network administrator should allow access to certauth endpoint for the customerΓÇÖs cloud environment in addition to login.microsoftonline.com. Disable TLS inspection on the certauth endpoint to make sure the client certificate request succeeds as part of the TLS handshake.

-Federated deployments that use AD FS 2016 and AF FS 2019 can enable similar benefits using [AD FS Extranet Lockout and Extranet Smart Lockout](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection).

-* An account with *Global Administrator* privileges.

-1. Sign in to the [Azure portal](https://portal.azure.com) using an account with *global administrator* permissions.

- - `https://login.microsoftonline.de`

-The web app gets the user's access token from the incoming requests header, which is then passed down to Microsoft Graph client to make an authenticated request to the `/me` endpoint.

-> [App service accesses Microsoft Graph as the app](multi-service-web-app-access-microsoft-graph-as-app.md)

-As of November 2020, new application registrations show up as unverified in the user consent prompt unless [the application's publisher domain is verified](../develop/howto-configure-publisher-domain.md) ***and*** the companyΓÇÖs identity has been verified with the Microsoft Partner Network and associated with the application. ([Learn more](../develop/publisher-verification-overview.md) about this change.) Note that for Azure AD user flows, the publisherΓÇÖs domain appears only when using a [Microsoft account](microsoft-account.md) or other Azure AD tenant as the identity provider. To meet these new requirements, do the following:

-| Existing AD users and groups| AD| Azure AD| [Synchronize identities between Azure AD and Active Directory](automate-provisioning-to-applications-solutions.md) |

-To create a full user profile for an employee identity, organizations often merge information from multiple HR systems, databases, and other user data stores. MIM provides a rich set of [connectors](https://learn.microsoft.com/microsoft-identity-manager/supported-management-agents) and integration solutions interoperating with heterogeneous platforms.

-**Synchronize identities from AD into Azure AD**

-**Synchronize identities from Azure AD into AD**

-3. When an external user from a partner organization is created in Azure AD using B2B, MIM can automatically provision them [into AD](/microsoft-identity-manager/microsoft-identity-manager-2016-graph-b2b-scenario) and give those guests access to on-premises Windows-Integrated Authentication or Kerberos-based applications.

-| 4 |Guest accounts| Azure AD| AD DS| [MIM](/microsoft-identity-manager/microsoft-identity-manager-2016-graph-b2b-scenario) |

-Organizations often need a complete audit trail of what users have access to applications containing data subject to regulation. To provide an audit trail, any access provided to a user directly must be traceable through the system of record. MIM provides the [reconciliation capabilities](/microsoft-identity-manager/mim-how-provision-users-adds) to detect changes made directly in a target system and roll back the changes. In addition to detecting changes in target applications, MIM can import identities from third party applications to Azure AD. These applications often augment the set of user records that originated in the HR system.

-| Dangling URI| High| Azure AD Logs and Application Registration| Service-Core Directory, Category-ApplicationManagement<br>Activity: Update Application<br>Success ΓÇô Property Name AppAddress| For example, look for dangling URIs that point to a domain name that no longer exists or one that you donΓÇÖt explicitly own.<br>[Microsoft Sentinel template](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/URLAddedtoApplicationfromUnknownDomain.yaml)<br><br>[Link to Sigma repo](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure) |

-Lifecycle Workflows currently support the following tasks:

-|Task |taskDefinitionID |

-|||

-|[Send welcome email to new hire](lifecycle-workflow-tasks.md#send-welcome-email-to-new-hire) | 70b29d51-b59a-4773-9280-8841dfd3f2ea |

-|[Generate Temporary Access Pass and send via email to user's manager](lifecycle-workflow-tasks.md#generate-temporary-access-pass-and-send-via-email-to-users-manager) | 1b555e50-7f65-41d5-b514-5894a026d10d |

-|[Add user to groups](lifecycle-workflow-tasks.md#add-user-to-groups) | 22085229-5809-45e8-97fd-270d28d66910 |

-|[Add user to teams](lifecycle-workflow-tasks.md#add-user-to-teams) | e440ed8d-25a1-4618-84ce-091ed5be5594 |

-|[Enable user account](lifecycle-workflow-tasks.md#enable-user-account) | 6fc52c9d-398b-4305-9763-15f42c1676fc |

-|[Run a custom task extension](lifecycle-workflow-tasks.md#run-a-custom-task-extension) | 4262b724-8dba-4fad-afc3-43fcbb497a0e |

-|[Disable user account](lifecycle-workflow-tasks.md#disable-user-account) | 1dfdfcc7-52fa-4c2e-bf3a-e3919cc12950 |

-|[Remove user from selected group](lifecycle-workflow-tasks.md#remove-user-from-selected-groups) | 1953a66c-751c-45e5-8bfe-01462c70da3c |

-|[Remove users from all groups](lifecycle-workflow-tasks.md#remove-users-from-all-groups) | b3a31406-2a15-4c9a-b25b-a658fa5f07fc |

-|[Remove user from teams](lifecycle-workflow-tasks.md#remove-user-from-teams) | 06aa7acb-01af-4824-8899-b14e5ed788d6 |

-|[Remove user from all teams](lifecycle-workflow-tasks.md#remove-users-from-all-teams) | 81f7b200-2816-4b3b-8c5d-dc556f07b024 |

-|[Remove all license assignments from user](lifecycle-workflow-tasks.md#remove-all-license-assignments-from-user) | 8fa97d28-3e52-4985-b3a9-a1126f9b8b4e |

-|[Delete user](lifecycle-workflow-tasks.md#delete-user) | 8d18588d-9ad3-4c0f-99d0-ec215f0e3dff |

-|[Send email to manager before user last day](lifecycle-workflow-tasks.md#send-email-to-manager-before-user-last-day) | 52853a3e-f4e5-4eb8-bb24-1ac09a1da935 |

-|[Send email on users last day](lifecycle-workflow-tasks.md#send-email-on-users-last-day) | 9c0a1eaf-5bda-4392-9d9e-6e155bb57411 |

-|[Send offboarding email to users manager after their last day](lifecycle-workflow-tasks.md#send-offboarding-email-to-users-manager-after-their-last-day) | 6f22ddd4-b3a5-47a4-a846-0d7c201a49ce |

->[!NOTE]

-> The User-LifeCycleInfo.ReadWrite.All permissions is currently hidden and cannot be configured in Graph Explorer or the API permission blade of app registrations.

-|LifecycleWorkflows.Read.All | Read all Lifecycle workflows, tasks, user states| Allows the app to list and read all workflows, tasks, user states related to lifecycle workflows on behalf of the signed-in user.| Yes

-|LifecycleWorkflows.ReadWrite.All | Read and write all lifecycle workflows, tasks, user states.| Allows the app to create, update, list, read and delete all workflows, tasks, user states related to lifecycle workflows on behalf of the signed-in user.| Yes

-# Quickstart: Enable single sign-on for an enterprise application

-In this quickstart, you use the Azure Active Directory Admin Center to enable single sign-on (SSO) for an enterprise application that you added to your Azure Active Directory (Azure AD) tenant. After you configure SSO, your users can sign in by using their Azure AD credentials.

-Azure AD has a gallery that contains thousands of pre-integrated applications that use SSO. This quickstart uses an enterprise application named **Azure AD SAML Toolkit** as an example, but the concepts apply for most pre-configured enterprise applications in the gallery.

-It is recommended that you use a non-production environment to test the steps in this quickstart.

-1. The process of configuring an application to use Azure AD for SAML-based SSO varies depending on the application. For any of the enterprise applications in the gallery, use the link to find information about the steps needed to configure the application. The steps for the **Azure AD SAML Toolkit** are listed in this quickstart.

-1. In the **SAML Signing Certificate** section, select **Download** for **Certificate (Raw)** to download the SAML signing certificate and save it to be used later.

-1. For **Email**, enter the email address of the user that will access the application. For example, in a previous quickstart, the user account was created that uses the address of `contosouser1@contoso.com`. Be sure to change `contoso.com` to the domain of your tenant.

-To configure SAML setting for the application:

-1. Signed in with the credentials of the user account that you created, select **SAML Configuration** at the upper-left corner of the page.

-1. In the **Test single sign-on with Azure AD SAML Toolkit 1** section, on the **Set up single sign-on** pane, select **Test**.

-## Clean up resources

-If you are planning to complete the next quickstart, keep the enterprise application that you created. Otherwise, you can consider deleting it to clean up your tenant.

-Learn how to configure the properties of an enterprise application.

-> [!div class="nextstepaction"]

-> [Configure an application](add-application-portal-configure.md)

-Users often are unable to consent to the permissions an application is requesting. Configure the admin consent workflow to allow users to provide a justification and request an administrator's review and approval of an application. For training on how to configure admin consent workflow in your Azure AD tenant, see [Configure admin consent workflow](/training/modules/configure-admin-consent-workflow).

-Consider implementing SSO in your application. You can manually configure most applications for SSO. The most popular options in Azure AD are [SAML-based SSO and OpenID Connect-based SSO](../develop/active-directory-v2-protocols.md). Before you start, make sure that you understand the requirements for SSO and how to [plan for deployment](plan-sso-deployment.md). For training related to configuring SAML-based SSO for an enterprise application in your Azure AD tenant, see [Enable single sign-on for an application by using Azure Active Directory](/training/modules/enable-single-sign-on).

-az ad sp credential list --id "$SP_ID" --query "[].endDate" -o tsv

-The `proxy` policy allows you to route requests forwarded to backends via an HTTP proxy. Only HTTP (not HTTPS) is supported between the gateway and the proxy. Basic and NTLM authentication only.

-To access APIs, you'll need a subscription and a subscription key. A *subscription* is a named container for a pair of subscription keys.

-> [!NOTE]

-> Regularly regenerating keys is a common security precaution. Like most Azure services requiring a subscription key, API Management generates keys in pairs. Each application using the service can switch from *key A* to *key B* and regenerate key A with minimal disruption, and vice versa.

-* Developers can get subscriptions without approval from API publishers.

- error: "/error", // enter the relative path to error handling route

-> Currently, PowerShell support for the new API version (2021-06-22) or the flag ΓÇô `DisableLocalAuth` is not available. However, you can use the Rest-API with this API version to update the flag.

-## Limitations

-Update Management patching will not work when local authentication is disabled.

- 1. From line 9, remove `(Connect-AzAccount -Identity)`,

- 1. Replace it with `(Connect-AzAccount -Identity -AccountId <ClientId>)`, and

-For Azure machines, select the **troubleshoot** link under the **Update Agent Readiness** column in the portal to open the Troubleshoot Update Agent page. For non-Azure machines, the link brings you to this article. To troubleshoot a non-Azure machine, see the instructions in the "Troubleshoot offline" section.

-

-

-

-### Log Analytics agent

-This check ensures that the Log Analytics agent for Linux is installed. For instructions on how to install it, see [Install the agent for Linux](../../azure-monitor/vm/monitor-virtual-machine.md#agents).

-### Log Analytics agent status

-This check ensures that the Log Analytics agent for Linux is running. If the agent isn't running, you can run the following command to attempt to restart it. For more information on troubleshooting the agent, see [Linux - Troubleshoot Hybrid Runbook Worker issues](hybrid-runbook-worker.md#linux).

-```bash

-sudo /opt/microsoft/omsagent/bin/service_control restart

-### Multihoming

-This check verifies if the Log Analytics agent for Linux has the Hybrid Runbook Worker package. This package is required for Update Management to work. To learn more, see [Log Analytics agent for Linux isn't running](hybrid-runbook-worker.md#oms-agent-not-running).

-Update Management downloads Hybrid Runbook Worker packages from the operations endpoint. Therefore, if the Hybrid Runbook Worker is not running and the [operations endpoint](#operations-endpoint) check fails, the update can fail.

-```bash

-This check makes sure that the machine has access to the internet.

-Proxy and firewall configurations must allow the Hybrid Runbook Worker agent to communicate with the registration endpoint. For a list of addresses and ports to open, see [Network planning](../automation-hybrid-runbook-worker.md#network-planning).

-### Log Analytics endpoint 3

-This check verifies that your machine has access to the endpoints needed by the Log Analytics agent.

-> [!NOTE]

-> The current version of the troubleshooter script does not support Ubuntu 20.04.

->

-> The troubleshooter script now includes checks for Windows Server Update Services (WSUS) and for the autodownload and install keys.

-

-

-

-The operating system check verifies whether the Hybrid Runbook Worker is running [one of the supported operating systems.](../update-management/operating-system-requirements.md)

-one of the supported operating systems

-The WMF check verifies that the system has the required version of the Windows Management Framework (WMF), which is [Windows Management Framework 5.1](https://www.microsoft.com/download/details.aspx?id=54616).

-> [!NOTE]

-> The troubleshooter currently doesn't route traffic through a proxy server if one is configured.

-### Crypto folder access

-The Crypto folder access check determines whether the local system account has access to C:\ProgramData\Microsoft\Crypto\RSA.

-You can use the troubleshooter on a Hybrid Runbook Worker offline by running the script locally. Get the following script from GitHub: [UM_Windows_Troubleshooter_Offline.ps1](https://github.com/Azure/updatemanagement/blob/main/UM_Windows_Troubleshooter_Offline.ps1). To run the script, you must have WMF 4.0 or later installed. To download the latest version of PowerShell, see [Installing various versions of PowerShell](/powershell/scripting/install/installing-powershell).

-RuleId : OperatingSystemCheck

-RuleGroupId : prerequisites

-RuleName : Operating System

-RuleGroupName : Prerequisite Checks

-RuleDescription : The Windows Operating system must be version 6.2.9200 (Windows Server 2012) or higher

-CheckResult : Passed

-CheckResultMessage : Operating System version is supported

-CheckResultMessageId : OperatingSystemCheck.Passed

-CheckResultMessageArguments : {}

-RuleId : DotNetFrameworkInstalledCheck

-RuleGroupId : prerequisites

-RuleName : .NET Framework 4.5+

-RuleGroupName : Prerequisite Checks

-RuleDescription : .NET Framework version 4.5 or higher is required

-CheckResult : Passed

-CheckResultMessage : .NET Framework version 4.5+ is found

-CheckResultMessageId : DotNetFrameworkInstalledCheck.Passed

-CheckResultMessageArguments : {}

-RuleId : WindowsManagementFrameworkInstalledCheck

-RuleGroupId : prerequisites

-RuleName : WMF 5.1

-RuleGroupName : Prerequisite Checks

-RuleDescription : Windows Management Framework version 4.0 or higher is required (version 5.1 or higher is preferable)

-CheckResult : Passed

-CheckResultMessage : Detected Windows Management Framework version: 5.1.17763.1

-CheckResultMessageId : WindowsManagementFrameworkInstalledCheck.Passed

-CheckResultMessageArguments : {5.1.17763.1}

-RuleId : AutomationAgentServiceConnectivityCheck1

-RuleGroupId : connectivity

-RuleName : Registration endpoint

-RuleGroupName : connectivity

-RuleDescription :

-CheckResult : Failed

-CheckResultMessage : Unable to find Workspace registration information in registry

-CheckResultMessageId : AutomationAgentServiceConnectivityCheck1.Failed.NoRegistrationFound

-CheckResultMessageArguments : {}

-RuleId : AutomationJobRuntimeDataServiceConnectivityCheck

-RuleGroupId : connectivity

-RuleName : Operations endpoint

-RuleGroupName : connectivity

-RuleDescription : Proxy and firewall configuration must allow Automation Hybrid Worker agent to communicate with eus2-jobruntimedata-prod-su1.azure-automation.net

-CheckResult : Passed

-CheckResultMessage : TCP Test for eus2-jobruntimedata-prod-su1.azure-automation.net (port 443) succeeded

-CheckResultMessageId : AutomationJobRuntimeDataServiceConnectivityCheck.Passed

-CheckResultMessageArguments : {eus2-jobruntimedata-prod-su1.azure-automation.net}

-RuleId : MonitoringAgentServiceRunningCheck

-RuleGroupId : servicehealth

-RuleName : Monitoring Agent service status

-RuleGroupName : VM Service Health Checks

-RuleDescription : HealthService must be running on the machine

-CheckResult : Failed

-CheckResultMessage : Log Analytics for Windows service (HealthService) is not running

-CheckResultMessageId : MonitoringAgentServiceRunningCheck.Failed

-CheckResultMessageArguments : {Log Analytics agent for Windows, HealthService}

-RuleId : MonitoringAgentServiceEventsCheck

-RuleGroupId : servicehealth

-RuleName : Monitoring Agent service events

-RuleGroupName : VM Service Health Checks

-RuleDescription : Event Log must not have event 4502 logged in the past 24 hours

-CheckResult : Failed

-CheckResultMessage : Log Analytics agent for Windows service Event Log (Operations Manager) does not exist on the machine

-CheckResultMessageId : MonitoringAgentServiceEventsCheck.Failed.NoLog

-CheckResultMessageArguments : {Log Analytics agent for Windows, Operations Manager, 4502}

-RuleId : CryptoRsaMachineKeysFolderAccessCheck

-RuleGroupId : permissions

-RuleName : Crypto RSA MachineKeys Folder Access

-RuleGroupName : Access Permission Checks

-RuleDescription : SYSTEM account must have WRITE and MODIFY access to 'C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys'

-CheckResult : Passed

-CheckResultMessage : Have permissions to access C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys

-CheckResultMessageId : CryptoRsaMachineKeysFolderAccessCheck.Passed

-CheckResultMessageArguments : {C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys}

-RuleId : TlsVersionCheck

-RuleGroupId : prerequisites

-RuleName : TLS 1.2

-RuleGroupName : Prerequisite Checks

-RuleDescription : Client and Server connections must support TLS 1.2

-CheckResult : Passed

-CheckResultMessage : TLS 1.2 is enabled by default on the Operating System.

-CheckResultMessageId : TlsVersionCheck.Passed.EnabledByDefault

-CheckResultMessageArguments : {}

-```

-For more information, see [here](cache-how-to-import-export-data.md) for details on how to export.

-We expect that most Azure Cache for Redis customers won't be affected. However, your application might be affected if you explicitly specify a list of acceptable certificate authorities (CAs), known as *certificate pinning*.

-Active geo-replication is a powerful tool that enables Azure Cache for Redis clusters to be linked together for seamless active-active replication of data. Your applications can write to one Redis cluster and your data is automatically copied to the other linked clusters, and vice versa. For more information, see this [post](https://aka.ms/ActiveGeoGA) in the *Azure Developer Community Blog*.

-* Java - [azul.com](https://www.azul.com/products/azul-support-roadmap/)

-Integrated Auto-instrumentation is available for [Azure App Service .NET](azure-web-apps-net.md), [Azure App Service .NET Core](azure-web-apps-net-core.md), [Azure Functions](../../azure-functions/functions-monitoring.md#monitor-executions-in-azure-functions), and [Azure Virtual Machines](azure-vm-vmss-apps.md).

-Auto-instrumentation is available for any environment using [Azure Monitor OpenTelemetry-based auto-instrumentation for Java applications](java-in-process-agent.md).

-Integrated Auto-Instrumentation is available for Java Apps hosted on [Azure App Service](azure-web-apps-java.md) and [Azure Functions](monitor-functions.md#distributed-tracing-for-java-applications-public-preview).

-description: Retention and privacy policy statement

-When you install [Azure Application Insights][start] SDK in your app, it sends telemetry about your app to the Cloud. Naturally, responsible developers want to know exactly what data is sent, what happens to the data, and how they can keep control of it. In particular, could sensitive data be sent, where is it stored, and how secure is it?

-* The standard telemetry modules that run "out of the box" are unlikely to send sensitive data to the service. The telemetry is concerned with load, performance and usage metrics, exception reports, and other diagnostic data. The main user data visible in the diagnostic reports are URLs; but your app shouldn't in any case put sensitive data in plain text in a URL.

-* While developing and testing your app, it's easy to inspect what's being sent by the SDK. The data appears in the debugging output windows of the IDE and browser.

-* You can select the location when you create a new Application Insights resource. Know more about Application Insights availability per region [here](https://azure.microsoft.com/global-infrastructure/services/?products=all).

-* Review the collected data, as this collection may include data that is allowed in some circumstances but not others. A good example of this circumstance is Device Name. The device name from a server does not affect privacy and is useful, but a device name from a phone or laptop may have privacy implications and be less useful. An SDK developed primarily to target servers, would collect device name by default, and this may need to be overwritten in both normal events and exceptions.

-The rest of this article elaborates more fully on these answers. It's designed to be self-contained, so that you can show it to colleagues who aren't part of your immediate team.

-[Azure Application Insights][start] is a service provided by Microsoft that helps you improve the performance and usability of your live application. It monitors your application all the time it's running, both during testing and after you've published or deployed it. Application Insights creates charts and tables that show you, for example, what times of day you get most users, how responsive the app is, and how well it's served by any external services that it depends on. If there are crashes, failures or performance issues, you can search through the telemetry data in detail to diagnose the cause. And the service will send you emails if there are any changes in the availability and performance of your app.

-In order to get this functionality, you install an Application Insights SDK in your application, which becomes part of its code. When your app is running, the SDK monitors its operation and sends telemetry to the Application Insights service. This is a cloud service hosted by [Microsoft Azure](https://azure.com). (But Application Insights works for any applications, not just applications that are hosted in Azure.)

-The Application Insights service stores and analyzes the telemetry. To see the analysis or search through the stored telemetry, you sign in to your Azure account and open the Application Insights resource for your application. You can also share access to the data with other members of your team, or with specified Azure subscribers.

-You can have data exported from the Application Insights service, for example to a database or to external tools. You provide each tool with a special key that you obtain from the service. The key can be revoked if necessary.

-Application Insights SDKs are available for a range of application types: web services hosted in your own Java EE or ASP.NET servers, or in Azure; web clients - that is, the code running in a web page; desktop apps and services; device apps such as Windows Phone, iOS, and Android. They all send telemetry to the same service.

-* The SDK, which you integrate with your app either [in development](./asp-net.md) or [at run time](./status-monitor-v2-overview.md). There are different SDKs for different application types. There's also an [SDK for web pages](./javascript.md), which loads into the end user's browser along with the page.

-* [Availability tests](./monitor-web-app-availability.md) are processes run by Microsoft that send requests to your web app at regular intervals. The results are sent to the Application Insights service.

-### What kinds of data are collected?

-* [Web server telemetry](./asp-net.md) - HTTP requests. Uri, time taken to process the request, response code, client IP address. `Session id`.

-* [Web pages](./javascript.md) - Page, user and session counts. Page load times. Exceptions. Ajax calls.

-* Performance counters - Memory, CPU, IO, Network occupancy.

-* Client and server context - OS, locale, device type, browser, screen resolution.

-* [Exceptions](./asp-net-exceptions.md) and crashes - **stack dumps**, `build id`, CPU type.

-* [Dependencies](./asp-net-dependencies.md) - calls to external services such as REST, SQL, AJAX. URI or connection string, duration, success, command.

-* [Availability tests](./monitor-web-app-availability.md) - duration of test and steps, responses.

-* [Trace logs](./asp-net-trace-logs.md) and [custom telemetry](./api-custom-events-metrics.md) - **anything you code into your logs or telemetry**.

-[More detail](#data-sent-by-application-insights).

-If you're developing the app using Visual Studio, run the app in debug mode (F5). The telemetry appears in the Output window. From there, you can copy it and format it as JSON for easy inspection.

-There's also a more readable view in the Diagnostics window.

-For web pages, open your browser's debugging window.

-

-### Can I write code to filter the telemetry before it is sent?

-This would be possible by writing a [telemetry processor plugin](./api-filtering-sampling.md).

-Raw data points (that is, items that you can query in Analytics and inspect in Search) are kept for up to 730 days. You can [select a retention duration](../logs/data-retention-archive.md#set-retention-and-archive-policy-by-table) of 30, 60, 90, 120, 180, 270, 365, 550 or 730 days. If you need to keep data longer than 730 days, you can use [Continuous Export](./export-telemetry.md) to copy it to a storage account during data ingestion.

-Data kept longer than 90 days will incur addition charges. Learn more about Application Insights pricing on the [Azure Monitor pricing page](https://azure.microsoft.com/pricing/details/monitor/).

-Aggregated data (that is, counts, averages and other statistical data that you see in Metric Explorer) are retained at a grain of 1 minute for 90 days.

-The data is visible to you and, if you have an organization account, your team members.

-Microsoft uses the data only in order to provide the service to you.

-* You can select the location when you create a new Application Insights resource. Know more about Application Insights availability per region [here](https://azure.microsoft.com/global-infrastructure/services/?products=all).

-Application Insights is an Azure Service. Security policies are described in the [Azure Security, Privacy, and Compliance white paper](https://go.microsoft.com/fwlink/?linkid=392408).

-Access to your data by Microsoft personnel is restricted. We access your data only with your permission and if it is necessary to support your use of Application Insights.

-Data in aggregate across all our customers' applications (such as data rates and average size of traces) is used to improve Application Insights.

-They could send additional telemetry to your account by using the instrumentation key, which can be found in the code of your web pages. With enough additional data, your metrics would not correctly represent your app's performance and usage.

-All data is encrypted at rest and as it moves between data centers.

-#### Is the data encrypted in transit from my application to Application Insights servers?

-Yes, we use https to send data to the portal from nearly all SDKs, including web servers, devices, and HTTPS web pages.

-## Does the SDK create temporary local storage?

-Yes, certain Telemetry Channels will persist data locally if an endpoint cannot be reached. Please review below to see which frameworks and telemetry channels are affected.

-Telemetry channels that utilize local storage create temp files in the TEMP or APPDATA directories, which are restricted to the specific account running your application. This may happen when an endpoint was temporarily unavailable or you hit the throttling limit. Once this issue is resolved, the telemetry channel will resume sending all the new and persisted data.

-This persisted data is not encrypted locally. If this is a concern, review the data and restrict the collection of private data. (For more information, see [How to export and delete private data](../logs/personal-data-mgmt.md#exporting-and-deleting-personal-data).)

-If a customer needs to configure this directory with specific security requirements, it can be configured per framework. Please make sure that the process running your application has write access to this directory, but also make sure this directory is protected to avoid telemetry being read by unintended users.

-`C:\Users\username\AppData\Local\Temp` is used for persisting data. This location isn't configurable from the config directory and the permissions to access this folder are restricted to the specific user with required credentials. (For more information, see [implementation](https://github.com/Microsoft/ApplicationInsights-Java/blob/40809cb6857231e572309a5901e1227305c27c1a/core/src/main/java/com/microsoft/applicationinsights/internal/util/LocalFileSystemUtils.java#L48-L72).)

-### .NET

-By default `ServerTelemetryChannel` uses the current userΓÇÖs local app data folder `%localAppData%\Microsoft\ApplicationInsights` or temp folder `%TMP%`. (See [implementation](https://github.com/Microsoft/ApplicationInsights-dotnet/blob/91e9c91fcea979b1eec4e31ba8e0fc683bf86802/src/ServerTelemetryChannel/Implementation/ApplicationFolderProvider.cs#L54-L84) here.)

-By default `ServerTelemetryChannel` uses the current userΓÇÖs local app data folder `%localAppData%\Microsoft\ApplicationInsights` or temp folder `%TMP%`. (See [implementation](https://github.com/Microsoft/ApplicationInsights-dotnet/blob/91e9c91fcea979b1eec4e31ba8e0fc683bf86802/src/ServerTelemetryChannel/Implementation/ApplicationFolderProvider.cs#L54-L84) here.)

-> With the release 2.15.0-beta3 and greater local storage is now automatically created for Linux, Mac, and Windows. For non Windows systems the SDK will automatically create a local storage folder based on the following logic:

-> - `${TMPDIR}` - if `${TMPDIR}` environment variable is set this location is used.

-> - `/var/tmp` - if the previous location does not exist we try `/var/tmp`.

-> - `/tmp` - if both the previous locations do not exist we try `tmp`.

-> - If none of those locations exist local storage is not created and manual configuration is still required. [For full implementation details](https://github.com/microsoft/ApplicationInsights-dotnet/pull/1860).

-(For more information, see [AspNetCore Custom Configuration](https://github.com/Microsoft/ApplicationInsights-aspnetcore/wiki/Custom-Configuration).)

-By default `%TEMP%/appInsights-node{INSTRUMENTATION KEY}` is used for persisting data. Permissions to access this folder are restricted to the current user and Administrators. (See [implementation](https://github.com/Microsoft/ApplicationInsights-node.js/blob/develop/Library/Sender.ts) here.)

-[HTML5 Session Storage](https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage) is used to persist data. Two separate buffers are used: `AI_buffer` and `AI_sent_buffer`. Telemetry that is batched and waiting to be sent is stored in `AI_buffer`. Telemetry that was just sent is placed in `AI_sent_buffer` until the ingestion server responds that it was successfully received. When telemetry is successfully received, it's removed from all buffers. On transient failures (for example, a user loses network connectivity), telemetry remains in `AI_buffer` until it is successfully received or the ingestion server responds that the telemetry is invalid (bad schema or too old, for example).

-By default OpenCensus Python SDK uses the current user folder `%username%/.opencensus/.azure/`. Permissions to access this folder are restricted to the current user and Administrators. (See [implementation](https://github.com/census-instrumentation/opencensus-python/blob/master/contrib/opencensus-ext-azure/opencensus/ext/azure/common/storage.py) here.) The folder with your persisted data will be named after the Python file that generated the telemetry.

-You may change the location of your storage file by passing in the `storage_path` parameter in the constructor of the exporter you are using.

-To ensure the security of data in transit to the Application Insights endpoints, we strongly encourage customers to configure their application to use at least Transport Layer Security (TLS) 1.2. Older versions of TLS/Secure Sockets Layer (SSL) have been found to be vulnerable and while they still currently work to allow backwards compatibility, they are **not recommended**, and the industry is quickly moving to abandon support for these older protocols.

-The [PCI Security Standards Council](https://www.pcisecuritystandards.org/) has set a [deadline of June 30, 2018](https://www.pcisecuritystandards.org/pdfs/PCI_SSC_Migrating_from_SSL_and_Early_TLS_Resource_Guide.pdf) to disable older versions of TLS/SSL and upgrade to more secure protocols. Once Azure drops legacy support, if your application/clients cannot communicate over at least TLS 1.2 you would not be able to send data to Application Insights. The approach you take to test and validate your application's TLS support will vary depending on the operating system/platform as well as the language/framework your application uses.

-We do not recommend explicitly setting your application to only use TLS 1.2 unless necessary as this can break platform level security features that allow you to automatically detect and take advantage of newer more secure protocols as they become available such as TLS 1.3. We recommend performing a thorough audit of your application's code to check for hardcoding of specific TLS/SSL versions.

-### Platform/Language specific guidance

-|Platform/Language | Support | More Information |

-| Azure App Services | Supported, configuration may be required. | Support was announced in April 2018. Read the announcement for [configuration details](https://azure.github.io/AppService/2018/04/17/App-Service-and-Functions-hosted-apps-can-now-update-TLS-versions!). |

-| Azure Function Apps | Supported, configuration may be required. | Support was announced in April 2018. Read the announcement for [configuration details](https://azure.github.io/AppService/2018/04/17/App-Service-and-Functions-hosted-apps-can-now-update-TLS-versions!). |

-|.NET | Supported, Long Term Support (LTS) | For detailed configuration information, refer to [these instructions](/dotnet/framework/network-programming/tls). |

-|Status Monitor | Supported, configuration required | Status Monitor relies on [OS Configuration](/windows-server/security/tls/tls-registry-settings) + [.NET Configuration](/dotnet/framework/network-programming/tls#support-for-tls-12) to support TLS 1.2.

-|Node.js | Supported, in v10.5.0, configuration may be required. | Use the [official Node.js TLS/SSL documentation](https://nodejs.org/api/tls.html) for any application-specific configuration. |

-| Windows 8.0 - 10 | Supported, and enabled by default. | To confirm that you are still using the [default settings](/windows-server/security/tls/tls-registry-settings). |

-| Windows Server 2012 - 2016 | Supported, and enabled by default. | To confirm that you are still using the [default settings](/windows-server/security/tls/tls-registry-settings) |

-|Windows Vista | Not Supported. | N/A

-To run a preliminary test to see if your Linux system can communicate over TLS 1.2., open the terminal and run:

-Our [Application Insights personal data article](../logs/personal-data-mgmt.md) discusses this issue in-depth.

-However, you can implement such a feature in your application. All the SDKs include an API setting that turns off telemetry collection.

-The SDKs vary between platforms, and there are several components that you can install. (Refer to [Application Insights - overview][start].) Each component sends different data.

-| [Add JavaScript SDK to web page][client] |ClientContext <br/>Inferred<br/>Page<br/>ClientPerf<br/>Ajax |

-| SDK can't collect data. For example: <br/> - can't access perf counters<br/> - exception in telemetry initializer |SDK diagnostics |

-| Inferred |geo location from IP address, timestamp, OS, browser |

-| Ajax |HTTP calls from web page to server |

-| Dependencies |Type(SQL, HTTP, ...), connection string, or URI, sync/async, duration, success, SQL statement (with Status Monitor) |

-| **Exceptions** |Type, **message**, call stacks, source file, line number, `thread id` |

-| Crashes |`Process id`, `parent process id`, `crash thread id`; application patch, `id`, build; exception type, address, reason; obfuscated symbols and registers, binary start and end addresses, binary name and path, cpu type |

-| Trace |**Message** and severity level |

-| SDK diagnostics |Trace message or Exception |

-You can [switch off some of the data by editing ApplicationInsights.config][config]

-> Client IP is used to infer geographic location, but by default IP data is no longer stored and all zeroes are written to the associated field. To understand more about personal data handling we recommend this [article](../logs/personal-data-mgmt.md#application-data). If you need to store IP address data our [IP address collection article](./ip-collection.md) will walk you through your options.

-No, data is read-only, and can only be deleted via the purge functionality. To learn more visit [Guidance for personal data stored in Log Analytics and Application Insights](../logs/personal-data-mgmt.md#delete).

-This product includes GeoLite2 data created by MaxMind, available from [https://www.maxmind.com](https://www.maxmind.com).

-description: Learn the steps required to upgrade from Azure Monitor Application Insights instrumentation keys to connection strings

-This guide walks through migrating from [instrumentation keys](separate-resources.md#about-resources-and-instrumentation-keys) to [connection strings](sdk-connection-string.md#overview).

-1. Go to the Overview blade of your Application Insights resource.

-1. Find your connection string displayed on the right.

-1. Hover over the connection string and select the ΓÇ£Copy to clipboardΓÇ¥ icon.

-To set a connection string via environment variable, place the value of the connection string into an environment variable named ΓÇ£APPLICATIONINSIGHTS_CONNECTION_STRINGΓÇ¥.

-This process can be [automated in your Azure deployments](../../azure-resource-manager/templates/deploy-portal.md#deploy-resources-with-arm-templates-and-azure-portal). For example, the following ARM template shows how you can automatically include the correct connection string with an App Services deployment (be sure to include any other App Settings your app requires):

-## New capabilities

-Connection strings provide a single configuration setting and eliminate the need for multiple proxy settings.

-## Supported SDK Versions

- If you hardcode an instrumentation key in your application code, that programming may take precedence before environment variables.

-The connection string is also included in the ARM resource properties for your Application Insights resource, under the field name ΓÇ£ConnectionStringΓÇ¥.

-### How does this affect auto instrumentation?

-Auto instrumentation scenarios aren't impacted.

-### Can I use Azure AD authentication with auto instrumentation?

-You can't enable [Azure AD authentication](azure-ad-authentication.md) for [auto instrumentation](codeless-overview.md) scenarios. We have plans to address this limitation in the future.

-### What is the difference between global and regional ingestion?

-Global ingestion sends all telemetry data to a single endpoint, no matter where this data will be stored. Regional ingestion allows you to define specific endpoints per region for data ingestion, ensuring data stays within a specific region during processing and storage.

-### How do connection strings impact the billing?

-Billing isn't impacted.

-To receive, store, and explore your monitoring data, include the SDK in your code, and then set up a corresponding Application Insights resource in Azure. The SDK sends data to that resource for further analysis and exploration.

-2. [Create an Application Insights resource](create-new-resource.md)

-Include the SDK in your app, so it can gather data.

- :::image type="content" source="media/migrate-from-instrumentation-keys-to-connection-strings/migrate-from-instrumentation-keys-to-connection-strings.png" alt-text="Screenshot displaying Application Insights overview and connection string." lightbox="media/migrate-from-instrumentation-keys-to-connection-strings/migrate-from-instrumentation-keys-to-connection-strings.png":::

-2. Add the Node.js client library to your app's dependencies via package.json. From the root folder of your app, run:

- > If you are using TypeScript, do not install separate "typings" packages. This NPM package contains built-in typings.

-3. Explicitly load the library in your code. Because the SDK injects instrumentation into many other libraries, load the library as early as possible, even before other `require` statements.

-4. You also can provide a connection string via the environment variable, `APPLICATIONINSIGHTS_CONNECTION_STRING`, instead of passing it manually to `setup()` or `new appInsights.TelemetryClient()`. This practice lets you keep connection strings out of committed source code, and you can specify different connection strings for different environments. To manually configure, call `appInsights.setup('[your connection string]');`.

-5. Start automatically collecting and sending data by calling `appInsights.start();`.

-> As part of using Application Insights instrumentation, we collect and send diagnostic data to Microsoft. This data helps us run and improve Application Insights. You have the option to disable non-essential data collection. [Learn More](./statsbeat.md).

-To view the topology that is discovered for your app, you can use [Application map](app-map.md).

-Because the SDK batches data for submission, there might be a delay before items are displayed in the portal. If you don't see data in your resource, try some of the following fixes:

-## Basic Usage

-Load the Application Insights library, `require("applicationinsights")`, as early as possible in your scripts before loading other packages. This step is needed so that the Application Insights library can prepare later packages for tracking. If you encounter conflicts with other libraries doing similar preparation, try loading the Application Insights library afterwards.

-Because of the way JavaScript handles callbacks, more work is necessary to track a request across external dependencies and later callbacks. By default this extra tracking is enabled; disable it by calling `setAutoDependencyCorrelation(false)` as described in the [configuration](#sdk-configuration) section below.

-## Migrating from versions prior to 0.22

-In general, you can migrate with the following:

-If you access SDK configuration functions without chaining them to `appInsights.setup()`, you can now find these functions at `appInsights.Configurations` (for example, `appInsights.Configuration.setAutoCollectDependencies(true)`). Review the changes to the default configuration in the next section.

-Review their descriptions in your IDE's built-in type hinting, or [applicationinsights.ts](https://github.com/microsoft/ApplicationInsights-node.js/blob/develop/applicationinsights.ts) for detailed information and optional secondary arguments.

-> By default `setAutoCollectConsole` is configured to *exclude* calls to `console.log` (and other console methods). Only calls to supported third-party loggers (for example, winston and bunyan) will be collected. You can change this behavior to include calls to `console` methods by using `setAutoCollectConsole(true, true)`.

-By default, the SDK will send all collected data to the Application Insights service. If you want to enable sampling to reduce the amount of data, set the `samplingPercentage` field on the `config` object of a client. Setting `samplingPercentage` to 100(the default) means all data will be sent and 0 means nothing will be sent.

-### Multiple roles for multi-components applications

-If your application consists of multiple components that you wish to instrument all with the same connection string and still see these components as separate units in the portal, as if they were using separate connection strings (for example, as separate nodes on the Application Map), you may need to manually configure the RoleName field to distinguish one component's telemetry from other components sending data to your Application Insights resource.

-Use the following to set the RoleName field:

-### Automatic web snippet injection (Preview)

-Automatic web snippet injection allows you to enable [Application Insights Usage Experiences](usage-overview.md) and Browser Diagnostic Experiences with a simple configuration. It provides an easier alternative to manually adding the JavaScript snippet or NPM package to your JavaScript web code. For node server with configuration, set `enableAutoWebSnippetInjection` to `true` or alternatively set environment variable `APPLICATIONINSIGHTS_WEB_SNIPPET_ENABLED = true`. Automatic web snippet injection is available in Application Insights Node.js SDK version 2.3.0 or greater. See [Application Insights Node.js GitHub Readme](https://github.com/microsoft/ApplicationInsights-node.js#automatic-web-snippet-injectionpreview) for more information.

-In order to track context across asynchronous calls, some changes are required in third party libraries such as MongoDB and Redis. By default, Application Insights will use [`diagnostic-channel-publishers`](https://github.com/Microsoft/node-diagnostic-channel/tree/master/src/diagnostic-channel-publishers) to monkey-patch some of these libraries. This feature can be disabled by setting the `APPLICATION_INSIGHTS_NO_DIAGNOSTIC_CHANNEL` environment variable.

-> By setting that environment variable, events may no longer be correctly associated with the right operation.

- Individual monkey-patches can be disabled by setting the `APPLICATION_INSIGHTS_NO_PATCH_MODULES` environment variable to a comma separated list of packages to disable (for example, `APPLICATION_INSIGHTS_NO_PATCH_MODULES=console,redis`) to avoid patching the `console` and `redis` packages.

-Currently there are nine packages that are instrumented: `bunyan`,`console`,`mongodb`,`mongodb-core`,`mysql`,`redis`,`winston`,`pg`, and `pg-pool`. Visit the [diagnostic-channel-publishers' README](https://github.com/Microsoft/node-diagnostic-channel/blob/master/src/diagnostic-channel-publishers/README.md) for information about exactly which version of these packages are patched.

-The `bunyan`, `winston`, and `console` patches will generate Application Insights trace events based on whether `setAutoCollectConsole` is enabled. The rest will generate Application Insights Dependency events based on whether `setAutoCollectDependencies` is enabled.

-### Live Metrics

-To enable sending Live Metrics from your app to Azure, use `setSendLiveMetrics(true)`. Filtering of live metrics in the portal is currently not supported.

-> The ability to send extended native metrics was added in version 1.4.0

-### Distributed Tracing modes

-By default, the SDK will send headers understood by other applications/services instrumented with an Application Insights SDK. You can enable sending/receiving of [W3C Trace Context](https://github.com/w3c/trace-context) headers in addition to the existing AI headers, so you won't break correlation with any of your existing legacy services. Enabling W3C headers will allow your app to correlate with other services not instrumented with Application Insights, but do adopt this W3C standard.

-> All requests are tracked by default. To disable automatic collection, call .setAutoCollectRequests(false) before calling start().

-Alternatively you can track requests using `trackNodeHttpRequest` method:

-By default, telemetry is buffered for 15 seconds before it's sent to the ingestion server. If your application has a short lifespan, such as a CLI tool, it might be necessary to manually flush your buffered telemetry when application terminates, `appInsights.defaultClient.flush()`.

-If the SDK detects that your application is crashing, it will call flush for you, `appInsights.defaultClient.flush({ isAppCrashing: true })`. With the flush option `isAppCrashing`, your application is assumed to be in an abnormal state, not suitable for sending telemetry. Instead, the SDK will save all buffered telemetry to [persistent storage](./data-retention-privacy.md#nodejs) and let your application terminate. When your application starts again, it will try to send any telemetry that was saved to persistent storage.

-You can process and filter collected data before it's sent for retention using *Telemetry Processors*. Telemetry processors are called one by one in the order they were added before the telemetry item is sent to the cloud.

-If a telemetry processor returns false, that telemetry item won't be sent.

-All telemetry processors receive the telemetry data and its envelope to inspect and modify. They also receive a context object. The contents of this object is defined by the `contextObjects` parameter when calling a track method for manually tracked telemetry. For automatically collected telemetry, this object is filled with available request information and the persistent request content as provided by `appInsights.getCorrelationContext()` (if automatic dependency correlation is enabled).

-The client object contains a `config` property with many optional settings for advanced scenarios. These can be set as follows:

-| proxyHttpUrl | A proxy server for SDK HTTP traffic (Optional, Default pulled from `http_proxy` environment variable). |

-| proxyHttpsUrl | A proxy server for SDK HTTPS traffic (Optional, Default pulled from `https_proxy` environment variable). |

-| httpAgent | An http.Agent to use for SDK HTTP traffic (Optional, Default undefined). |

-| httpsAgent | An https.Agent to use for SDK HTTPS traffic (Optional, Default undefined). |

-| maxBatchSize | The maximum number of telemetry items to include in a payload to the ingestion endpoint (Default `250`). |

-| maxBatchIntervalMs | The maximum amount of time to wait to for a payload to reach maxBatchSize (Default `15000`). |

-| disableAppInsights | A flag indicating if telemetry transmission is disabled (Default `false`). |

-| samplingPercentage | The percentage of telemetry items tracked that should be transmitted (Default `100`). |

-| correlationIdRetryIntervalMs | The time to wait before retrying to retrieve the ID for cross-component correlation (Default `30000`). |

-| correlationHeaderExcludedDomains| A list of domains to exclude from cross-component correlation header injection (Default See [Config.ts](https://github.com/Microsoft/ApplicationInsights-node.js/blob/develop/Library/Config.ts)).|

-description: Application Insights end-to-end transaction diagnostics

-## What is a Component?

-Components are independently deployable parts of your distributed/microservices application. Developers and operations teams have code-level visibility or access to telemetry generated by these application components.

-* Components are different from "observed" external dependencies such as SQL, Event Hubs etc. which your team/organization may not have access to (code or telemetry).

-* Components run on any number of server/role/container instances.

-* Components can be separate Application Insights instrumentation keys (even if subscriptions are different) or different roles reporting to a single Application Insights instrumentation key. The new experience shows details across all components, regardless of how they have been set up.

-> * **Missing the related item links?** All of the related telemetry are in the [top](#cross-component-transaction-chart) and [bottom](#all-telemetry-with-this-operation-id) sections of the left side.

-This view has four key parts: results list, a cross-component transaction chart, a time-sequence list of all telemetry related to this operation, and the details pane for any selected telemetry item on the left.

-

-* The top row on this chart represents the entry point, the incoming request to the first component called in this transaction. The duration is the total time taken for the transaction to complete.

-* Any calls to external dependencies are simple non-collapsible rows, with icons representing the dependency type.

-* By default, the request, dependency, or exception that you selected is displayed on the right side.

-* Select any row to see its [details on the right](#details-of-the-selected-telemetry).

-> Calls to other components have two rows: one row represents the outbound call (dependency) from the caller component, and the other row corresponds to the inbound request at the called component. The leading icon and distinct styling of the duration bars help differentiate between them.

-This section shows flat list view in a time sequence of all the telemetry related to this transaction. It also shows the custom events, and traces that aren't displayed in the transaction chart. You can filter this list to telemetry generated by a specific component/call. You can select any telemetry item in this list to see corresponding [details on the right](#details-of-the-selected-telemetry).

-

-This collapsible pane shows the detail of any selected item from the transaction chart, or the list. "Show all" lists all of the standard attributes that are collected. Any custom attributes are separately listed below the standard set. Select the "..." below the stack trace window to get an option to copy the trace. "Open profiler traces" or "Open debug snapshot" shows code level diagnostics in corresponding detail panes.

-

-This collapsible pane shows the other results that meet the filter criteria. Select any result to update the respective details the three sections listed above. We try to find samples that are most likely to have the details available from all components even if sampling is in effect in any of them. These are shown as "suggested" samples.

-

-## Profiler and snapshot debugger

-[Application Insights profiler](./profiler.md) or [snapshot debugger](snapshot-debugger.md) help with code-level diagnostics of performance and failure issues. With this experience, you can see profiler traces or snapshots from any component with a single selection.

-If you couldn't get Profiler working, contact **serviceprofilerhelp\@microsoft.com**

-If you couldn't get Snapshot Debugger working, contact **snapshothelp\@microsoft.com**

-

-*I see a single component on the chart, and the others are only showing as external dependencies without any detail of what happened within those components.*

-* If these components are separate Application Insights resources, do you have required [access](resources-roles-access-control.md)

-If you do have access and the components are instrumented with the latest Application Insights SDKs, let us know via the top right feedback channel.

-*I see duplicate rows for the dependencies. Is this expected?*

-At this time, we're showing the outbound dependency call separate from the inbound request. Typically, the two calls look identical with only the duration value being different due to the network round trip. The leading icon and distinct styling of the duration bars help differentiate between them. Is this presentation of the data confusing? Give us your feedback!

-*What about clock skews across different component instances?*

-Timelines are adjusted for clock skews in the transaction chart. You can see the exact timestamps in the details pane or by using Analytics.

-*Why is the new experience missing most of the related items queries?*

-This is by design. All of the related items, across all components, are already available on the left side (top and bottom sections). The new experience has two related items that the left side doesn't cover: all telemetry from five minutes before and after this event and the user timeline.

-*I see more events than expected in the transaction diagnostics experience when using the Application Insights JavaScript SDK. Is there a way to see fewer events per transaction?*

-The transaction diagnostics experience shows all telemetry in a [single operation](correlation.md#data-model-for-telemetry-correlation) that share an [Operation ID](data-model-context.md#operation-id). By default, the Application Insights SDK for JavaScript creates a new operation for each unique page view. In a Single Page Application (SPA), only one page view event will be generated and a single Operation ID will be used for all telemetry generated, this can result in many events being correlated to the same operation. In these scenarios, you can use Automatic Route Tracking to automatically create new operations for navigation in your single page app. You must turn on [enableAutoRouteTracking](javascript.md#single-page-applications) so a page view is generated every time the URL route is updated (logical page view occurs). If you want to manually refresh the Operation ID, you can do so by calling `appInsights.properties.context.telemetryTrace.traceID = Microsoft.ApplicationInsights.Telemetry.Util.generateW3CId()`. Manually triggering a PageView event will also reset the Operation ID.

-*Why do transaction detail durations not add up to the top-request duration?*

-Time not explained in the gantt chart, is time that isn't covered by a tracked dependency.

-This can be due to either external calls that weren't instrumented (automatically or manually), or that the time taken was in process rather than because of an external call.

-description: Tutorial to create custom KPI dashboards using Azure Application Insights.

-# Create custom KPI dashboards using Azure Application Insights

-You can create multiple dashboards in the Azure portal that each include tiles visualizing data from multiple Azure resources across different resource groups and subscriptions. You can pin different charts and views from Azure Application Insights to create custom dashboards that provide you with complete picture of the health and performance of your application. This tutorial walks you through the creation of a custom dashboard that includes multiple types of data and visualizations from Azure Application Insights.

-> * Create a custom dashboard in Azure

-> * Add a tile from the Tile Gallery

-> * Add standard metrics in Application Insights to the dashboard

-> * Add a custom metric chart Application Insights to the dashboard

-> * Add the results of a Logs (Analytics) query to the dashboard

-Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).

-> If you move your Application Insights resource over to a different resource group or subscription, you will need to manually update the dashboard by removing the old tiles and pinning new tiles from the same Application Insights resource at new location.

-A single dashboard can contain resources from multiple applications, resource groups, and subscriptions. Start the tutorial by creating a new dashboard for your application.

-1. In the menu dropdown on the left in Azure portal, select **Dashboard**.

- 

-2. On the dashboard pane, select **New dashboard** then **Blank dashboard**.

- 

-3. Type a name for the dashboard.

-4. Have a look at the **Tile Gallery** for a variety of tiles that you can add to your dashboard. In addition to adding tiles from the gallery, you can pin charts and other views directly from Application Insights to the dashboard.

-5. Locate the **Markdown** tile and drag it on to your dashboard. This tile allows you to add text formatted in markdown, which is ideal for adding descriptive text to your dashboard. To learn more, see [Use a markdown tile on Azure dashboards to show custom content](../../azure-portal/azure-portal-markdown-tile.md).

-6. Add text to the tile's properties and resize it on the dashboard canvas.

- [](media/tutorial-app-dashboards/markdown.png#lightbox)

-7. Select **Done customizing** at the top of the screen to exit tile customization mode.

-A dashboard with static text isn't very interesting, so now add a tile from Application Insights to show information about your application. You can add Application Insights tiles from the Tile Gallery, or you can pin them directly from Application Insights screens. This allows you to configure charts and views that you're already familiar with before pinning them to your dashboard. Start by adding the standard health overview for your application. This requires no configuration and allows minimal customization in the dashboard.

-2. In the **Overview** pane, select the pin icon  to add the tile to a dashboard.

-3. In the "Pin to dashboard" tab, select which dashboard to add the tile to or create a new one.

-

-3. In the top right, a notification will appear that your tile was pinned to your dashboard. Select **Pinned to dashboard** in the notification to return to your dashboard or use the dashboard pane.

-4. That tile is now added to your dashboard. Select **Edit** to change the positioning of the tile. Select and drag it into position and then select **Done customizing**. Your dashboard now has a tile with some useful information.

- [](media/tutorial-app-dashboards/dashboard-edit-mode.png#lightbox)

-The **Metrics** panel allows you to graph a metric collected by Application Insights over time with optional filters and grouping. Like everything else in Application Insights, you can add this chart to the dashboard. This does require you to do a little customization first.

-1. Select your **Application Insights** resource in the home screen.

-1. Select **Metrics**.

-2. An empty chart has already been created, and you're prompted to add a metric. Add a metric to the chart and optionally add a filter and a grouping. The example below shows the number of server requests grouped by success. This gives a running view of successful and unsuccessful requests.

- [](media/tutorial-app-dashboards/metrics.png#lightbox)

-4. Select **Pin to dashboard** on the right.

-3. In the top right, a notification will appear that your tile was pinned to your dashboard. Select **Pinned to dashboard** in the notification to return to your dashboard or use the dashboard tab.

-4. That tile is now added to your dashboard. Select **Edit** to change the positioning of the tile. Select and drag the tile into position and then select **Done customizing**.

-## Add Logs query

-Azure Application Insights Logs provides a rich query language that allows you to analyze all of the data collected Application Insights. Just like charts and other views, you can add the output of a logs query to your dashboard.

-2. Select **Logs** on the left under "monitoring" to open the Logs tab.

-3. Type the following query, which returns the top 10 most requested pages and their request count:

-4. Select **Run** to validate the results of the query.

-5. Select the pin icon  and select the name of your dashboard.

-5. Before you go back to the dashboard, add another query, but render it as a chart so you see the different ways to visualize a logs query in a dashboard. Start with the following query that summarizes the top 10 operations with the most exceptions.

-6. Select **Chart** and then change to a **Doughnut** to visualize the output.

- [](media/tutorial-app-dashboards/logs-doughnut.png#lightbox)

-6. Select the pin icon  on the top right to pin the chart to your dashboard and then return to your dashboard.

-7. The results of the queries are now added to your dashboard in the format that you selected. Select and drag each into position and then select **Done customizing**.

-8. Select the pencil icon  on each title to give them a descriptive title.

-2. You can optionally define specific users who should have access to the dashboard. For more information, see [Share Azure dashboards by using Azure role-based access control](../../azure-portal/azure-portal-dashboard-share-access.md).

-3. Select **Publish**.

-Now that you've learned how to create custom dashboards, have a look at the rest of the Application Insights documentation including a case study.

-* [Advanced Autoscale configuration using Resource Manager templates for virtual machine scale sets](autoscale-virtual-machine-scale-sets.md)

-* [Autoscale REST API](/rest/api/monitor/autoscalesettings)

-* [Scale virtual machine scale sets](../../virtual-machine-scale-sets/tutorial-autoscale-powershell.md?toc=%2fazure%2fazure-monitor%2ftoc.json)

-* [Autoscale using Resource Manager templates for virtual machine scale sets](../../virtual-machine-scale-sets/tutorial-autoscale-powershell.md?toc=%2fazure%2fazure-monitor%2ftoc.json)

-* [Best practices for Azure Monitor autoscale](autoscale-best-practices.md)

-* [Autoscale REST API](/rest/api/monitor/autoscalesettings)

-* [Troubleshooting virtual machine scale sets and autoscale](../../virtual-machine-scale-sets/virtual-machine-scale-sets-troubleshoot.md)

-* [Troubleshooting Azure Monitor autoscale](./autoscale-troubleshoot.md)

-description: Uses Resource Manager and VM scale sets with multiple rules and profiles, which send email and call webhook URLs with scale actions.

-# Advanced autoscale configuration using Resource Manager templates for VM Scale Sets

-You can scale-in and scale-out in Virtual Machine Scale Sets based on performance metric thresholds, by a recurring schedule, or by a particular date. You can also configure email and webhook notifications for scale actions. This walkthrough shows an example of configuring all these objects using a Resource Manager template on a VM Scale Set.

-> [!NOTE]

-> While this walkthrough explains the steps for VM Scale Sets, the same information applies to autoscaling [Cloud Services](https://azure.microsoft.com/services/cloud-services/), [App Service - Web Apps](https://azure.microsoft.com/services/app-service/web/), and [API Management services](../../api-management/api-management-key-concepts.md)

-> For a simple scale in/out setting on a VM Scale Set based on a simple performance metric such as CPU, refer to the [Linux](../../virtual-machine-scale-sets/tutorial-autoscale-cli.md) and [Windows](../../virtual-machine-scale-sets/tutorial-autoscale-powershell.md) documents

->

->

-## Walkthrough

-In this walkthrough, we use [Azure Resource Explorer](https://resources.azure.com/) to configure and update the autoscale setting for a scale set. Azure Resource Explorer is an easy way to manage Azure resources via Resource Manager templates. If you are new to Azure Resource Explorer tool, read [this introduction](https://azure.microsoft.com/blog/azure-resource-explorer-a-new-tool-to-discover-the-azure-api/).

-1. Deploy a new scale set with a basic autoscale setting. This article uses the one from the Azure QuickStart Gallery, which has a Windows scale set with a basic autoscale template. Linux scale sets work the same way.

-2. After the scale set is created, navigate to the scale set resource from Azure Resource Explorer. You see the following under Microsoft.Insights node.

- 

- The template execution has created a default autoscale setting with the name **'autoscalewad'**. On the right-hand side, you can view the full definition of this autoscale setting. In this case, the default autoscale setting comes with a CPU% based scale-out and scale-in rule.

-3. You can now add more profiles and rules based on the schedule or specific requirements. We create an autoscale setting with three profiles. To understand profiles and rules in autoscale, review [Autoscale Best Practices](autoscale-best-practices.md).

- | Profiles & Rules | Description |

- | | |

- | **Profile** |**Performance/metric based** |

- | Rule |Service Bus Queue Message Count > x |

- | Rule |Service Bus Queue Message Count < y |

- | Rule |CPU% > n |

- | Rule |CPU% < p |

- | **Profile** |**Weekday morning hours (no rules)** |

- | **Profile** |**Product Launch day (no rules)** |

-4. Here is a hypothetical scaling scenario that we use for this walk-through.

- * **Load based** - I'd like to scale out or in based on the load on my application hosted on my scale set.*

- * **Message Queue size** - I use a Service Bus Queue for the incoming messages to my application. I use the queue's message count and CPU% and configure a default profile to trigger a scale action if either of message count or CPU hits the threshold.\*

- * **Time of week and day** - I want a weekly recurring 'time of the day' based profile called 'Weekday Morning Hours'. Based on historical data, I know it is better to have certain number of VM instances to handle my application's load during this time.\*

- * **Special Dates** - I added a 'Product Launch Day' profile. I plan ahead for specific dates so my application is ready to handle the load due marketing announcements and when we put a new product in the application.\*

- * *The last two profiles can also have other performance metric based rules within them. In this case, I decided not to have one and instead to rely on the default performance metric based rules. Rules are optional for the recurring and date-based profiles.*

- Autoscale engine's prioritization of the profiles and rules is also captured in the [autoscaling best practices](autoscale-best-practices.md) article.

- For a list of common metrics for autoscale, refer [Common metrics for Autoscale](autoscale-common-metrics.md)

-5. Make sure you are on the **Read/Write** mode in Resource Explorer

- 

-6. Click Edit. **Replace** the 'profiles' element in autoscale setting with the following configuration:

- 

- ```

- {

- "name": "Perf_Based_Scale",

- "capacity": {

- "minimum": "2",

- "maximum": "12",

- "default": "2"

- },

- "rules": [

- {

- "metricTrigger": {

- "metricName": "MessageCount",

- "metricNamespace": "",

- "metricResourceUri": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.ServiceBus/namespaces/mySB/queues/myqueue",

- "timeGrain": "PT5M",

- "statistic": "Average",

- "timeWindow": "PT5M",

- "timeAggregation": "Average",

- "operator": "GreaterThan",

- "threshold": 10

- },

- "scaleAction": {

- "direction": "Increase",

- "type": "ChangeCount",

- "value": "1",

- "cooldown": "PT5M"

- }

- },

- {

- "metricTrigger": {

- "metricName": "MessageCount",

- "metricNamespace": "",

- "metricResourceUri": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.ServiceBus/namespaces/mySB/queues/myqueue",

- "timeGrain": "PT5M",

- "statistic": "Average",

- "timeWindow": "PT5M",

- "timeAggregation": "Average",

- "operator": "LessThan",

- "threshold": 3

- },

- "scaleAction": {

- "direction": "Decrease",

- "type": "ChangeCount",

- "value": "1",

- "cooldown": "PT5M"

- }

- },

- {

- "metricTrigger": {

- "metricName": "Percentage CPU",

- "metricNamespace": "",

- "metricResourceUri": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachineScaleSets/<this_vmss_name>",

- "timeGrain": "PT5M",

- "statistic": "Average",

- "timeWindow": "PT30M",

- "timeAggregation": "Average",

- "operator": "GreaterThan",

- "threshold": 85

- },

- "scaleAction": {

- "direction": "Increase",

- "type": "ChangeCount",

- "value": "1",

- "cooldown": "PT5M"

- }

- },

- {

- "metricTrigger": {

- "metricName": "Percentage CPU",

- "metricNamespace": "",

- "metricResourceUri": "/subscriptions/s1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachineScaleSets/<this_vmss_name>",

- "timeGrain": "PT5M",

- "statistic": "Average",

- "timeWindow": "PT30M",

- "timeAggregation": "Average",

- "operator": "LessThan",

- "threshold": 60

- },

- "scaleAction": {

- "direction": "Decrease",

- "type": "ChangeCount",

- "value": "1",

- "cooldown": "PT5M"

- }

- }

- ]

- },

- {

- "name": "Weekday_Morning_Hours_Scale",

- "capacity": {

- "minimum": "4",

- "maximum": "12",

- "default": "4"

- },

- "rules": [],

- "recurrence": {

- "frequency": "Week",

- "schedule": {

- "timeZone": "Pacific Standard Time",

- "days": [

- "Monday",

- "Tuesday",

- "Wednesday",

- "Thursday",

- "Friday"

- ],

- "hours": [

- 6

- ],

- "minutes": [

- 0

- ]

- }

- }

- },

- {

- "name": "Product_Launch_Day",

- "capacity": {

- "minimum": "6",

- "maximum": "20",

- "default": "6"

- },

- "rules": [],

- "fixedDate": {

- "timeZone": "Pacific Standard Time",

- "start": "2016-06-20T00:06:00Z",

- "end": "2016-06-21T23:59:00Z"

- }

- }

- ```

- For supported fields and their values, see [Autoscale REST API documentation](/rest/api/monitor/autoscalesettings). Now your autoscale setting contains the three profiles explained previously.

-7. Finally, look at the Autoscale **notification** section. Autoscale notifications allow you to do three things when a scale-out or in action is successfully triggered.

- - Notify the admin and co-admins of your subscription

- - Email a set of users

- - Trigger a webhook call. When fired, this webhook sends metadata about the autoscaling condition and the scale set resource. To learn more about the payload of autoscale webhook, see [Configure Webhook & Email Notifications for Autoscale](autoscale-webhook-email.md).

- Add the following to the Autoscale setting replacing your **notification** element whose value is null

- ```

- "notifications": [

- {

- "operation": "Scale",

- "email": {

- "sendToSubscriptionAdministrator": true,

- "sendToSubscriptionCoAdministrators": false,

- "customEmails": [

- "user1@mycompany.com",

- "user2@mycompany.com"

- ]

- },

- "webhooks": [

- {

- "serviceUri": "https://foo.webhook.example.com?token=abcd1234",

- "properties": {

- "optional_key1": "optional_value1",

- "optional_key2": "optional_value2"

- }

- }

- ]

- }

- ]

- ```

- Hit **Put** button in Resource Explorer to update the autoscale setting.

-You have updated an autoscale setting on a VM Scale set to include multiple scale profiles and scale notifications.

-## Next Steps

-Use these links to learn more about autoscaling.

-[TroubleShoot Autoscale with Virtual Machine Scale Sets](../../virtual-machine-scale-sets/virtual-machine-scale-sets-troubleshoot.md)

-[Common Metrics for Autoscale](autoscale-common-metrics.md)

-[Best Practices for Azure Autoscale](autoscale-best-practices.md)

-[Manage Autoscale using PowerShell](../powershell-samples.md#create-and-manage-autoscale-settings)

-[Manage Autoscale using CLI](../cli-samples.md#autoscale)

-[Configure Webhook & Email Notifications for Autoscale](autoscale-webhook-email.md)

-[Microsoft.Insights/autoscalesettings](/azure/templates/microsoft.insights/autoscalesettings) template reference

-### Identifier quoting

-Use [Identifier quoting](/azure/data-explorer/kusto/query/schema-entities/entity-names?q=identifier#identifier-quoting) as required.

-| Storage account | Don't use an existing storage account that has other, non-monitoring data stored in it so that you can better control access to the data. If you're archiving the activity log and resource logs together, you might choose to use the same storage account to keep all monitoring data in a central location.<br><br>To send the data to immutable storage, set the immutable policy for the storage account as described in [Set and manage immutability policies for Azure Blob Storage](../../storage/blobs/immutable-policy-configure-version-scope.md). You must follow all steps in this linked article including enabling protected append blobs writes.<br><br>The storage account needs to be in the same region as the resource being monitored if the resource is regional.|

- name:storageAccountName

- name:storageAccountName

- name:storageAccountName

- name:storageAccountName

-* For more information, refer to the [Set-ADUser documentation](/powershell/module/activedirectory/set-aduser).

->There may be a discrepancy in the size of snapshots between source and destination. This discrepancy is expected. To learn more about snapshots, refer to [How Azure NetApp Files snapshots work](snapshots-introduction.md).

- `SUBSYSTEM=="bdi", ACTION=="add", PROGRAM="/bin/awk -v bdi=$kernel 'BEGIN{ret=1} {if ($4 == bdi) {ret=0}} END{exit ret}' /proc/fs/nfsfs/volumes", ATTR{read_ahead_kb}="15380"`

-You can find the resource ID from the Azure portal, or by using:

-# [CLI](#tab/CLI)

-```azurecli

-az resource list

-```

-# [PowerShell](#tab/PowerShell)

-```azurepowershell

-Get-AzResource

-```

-When you run the Azure CLI command to create the container, you might see a warning message about credentials, but the command will be successful. The reason is because although you own the storage account you assign roles like _Storage Blob Data Contributor_ to the storage account scope. For more information, see [Assign an Azure role for access to blob data](../../storage/blobs/assign-azure-role-data-access.md). After you add a role, it takes a few minutes to become active in Azure. You can then append the command with `--auth-mode login` and resolve the warning message.

-The next step is to select a user group, user, or application for managing the resources for the customer. This identity has permissions on the managed resource group according to the role that is assigned. The role can be any Azure built-in role like Owner or Contributor. To create a new Active Directory user group, see [Create a group and add members in Azure Active Directory](../../active-directory/fundamentals/active-directory-groups-create-azure-portal.md).

-You need the object ID of the user group to use for managing the resources.

-Azure Video Indexer currently does not support any monitoring on metrics.

-Azure Video Indexer currently does not support any monitoring on metrics.

-| IndexingLogs | Indexing Logs | Azure Video Indexer indexing logs to monitor all files uploads, indexing jobs and Re-indexing when needed. |

-| [VIAudit](/azure/azure-monitor/reference/tables/tables-resourcetype#azure-video-indexer)<!-- (S/azure/azure-monitor/reference/tables/viaudit)--> | <!-- description copied from previous link --> Events produced using Azure Video Indexer [portal](https://aka.ms/VIportal) or [REST API](https://aka.ms/vi-dev-portal). | |

-|VIIndexing| Events produced using Azure Video Indexer [upload](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Upload-Video) and [Re-indexing](https://api-portal.videoindexer.ai/api-details#api=Operations&operation=Re-Index-Video) APIs. |

-1. Navigate to Backup center and click **+Backup** from the **Overview** tab.

- * You can retain snapshots for instant restore for between one to five days. Two days is the default setting.

- > Azure Backup doesn't support automatic clock adjustment for daylight-saving changes for Azure VM backups. As time changes occur, modify backup policies manually as required.

-1. Navigate to Backup center and select the **Backup Instances** menu item.

->[!NOTE]

->The September Guest OS is currently being rolled out to Cloud Service VMs that are configured for automatic updates. When the rollout is complete, this version will be made available for manual updates through the Azure portal and configuration files. The following patches are included in the September Guest OS. This list is subject to change.

-| Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |

-| | | | | |

-| Rel 22-09 | [5017315] | Latest Cumulative Update(LCU) | 6.48 | Sep 13, 2022 |

-| Rel 22-09 | [5016618] | IE Cumulative Updates | 2.128, 3.115, 4.108 | Aug 9, 2022 |

-| Rel 22-09 | [5017316] | Latest Cumulative Update(LCU) | 7.16 | Sep 13, 2022 |

-| Rel 22-09 | [5017305] | Latest Cumulative Update(LCU) | 5.72 | Sep 13, 2022 |

-| Rel 22-09 | [5013641] | .NET Framework 3.5 and 4.7.2 Cumulative Update | 6.48 | May 10, 2022 |

-| Rel 22-09 | [5017397] | Servicing Stack Update | 2.128 | Sep 13, 2022 |

-| Rel 22-09 | [5017361] | September '22 Rollup | 2.128 | Sep 13, 2022 |

-| Rel 22-09 | [5013637] | .NET Framework 3.5 Security and Quality Rollup LKG | 2.128 | Sep 13, 2022 |

-| Rel 22-09 | [5013644] | .NET Framework 4.6.2 Security and Quality Rollup LKG | 2.128 | May 10, 2022 |

-| Rel 22-09 | [5016263] | Servicing Stack Update | 3.115 | July 12, 2022 |

-| Rel 22-09 | [5017370] | September '22 Rollup | 3.115 | Sep 13, 2022 |

-| Rel 22-09 | [5013635] | .NET Framework 3.5 Security and Quality Rollup LKG | 3.115 | Sep 13, 2022 |

-| Rel 22-09 | [5013642] | .NET Framework 4.6.2 Security and Quality Rollup LKG | 3.115 | May 10, 2022 |

-| Rel 22-09 | [5017398] | Servicing Stack Update | 4.108 | Sep 13, 2022 |

-| Rel 22-09 | [5017367] | Monthly Rollup | 4.108 | Sep 13, 2022 |

-| Rel 22-09 | [5013638] | .NET Framework 3.5 Security and Quality Rollup LKG | 4.108 | Jun 14, 2022 |

-| Rel 22-09 | [5013643] | .NET Framework 4.6.2 Security and Quality Rollup LKG | 4.108 | May 10, 2022 |

-| Rel 22-09 | [4578013] | OOB Standalone Security Update | 4.108 | Aug 19, 2020 |

-| Rel 22-09 | [5017396] | Servicing Stack Update | 5.72 | Sep 13, 2022 |

-| Rel 22-09 | [4494175] | Microcode | 5.72 | Sep 1, 2020 |

-| Rel 22-09 | 5015896 | Servicing Stack Update | 6.48 | Sep 1, 2020 |

-| Rel 22-09 | [5013626] | .NET Framework 4.8 Security and Quality Rollup LKG | 6.48 | May 10, 2022 |

-| WA-GUEST-OS-7.14_202207-01 | August 3, 2022 | Post 7.16 |

-|~~WA-GUEST-OS-7.13_202206-01~| July 11, 2022 | September 2, 2022 |

-| WA-GUEST-OS-6.46_202207-01 | August 3, 2022 | Post 6.48 |

-|~~WA-GUEST-OS-6.45_202206-01~| July 11, 2022 | September 2, 2022 |

-| WA-GUEST-OS-5.70_202207-01 | August 3, 2022 | Post 5.72 |

-| WA-GUEST-OS-4.106_202207-02 | August 3, 2022 | Post 4.108 |

-| WA-GUEST-OS-3.113_202207-02 | August 3, 2022 | Post 3.115 |

-| WA-GUEST-OS-2.126_202207-02 | August 3, 2022 | Post 2.128 |

-1. Enter a name and a description for the project. Then select a Resource Group. If your signed-in account is associated with an Azure account, the Resource Group dropdown will display all of your Azure Resource Groups that include a Custom Vision Service Resource.

- > If no resource group is available, please confirm that you have logged into [customvision.ai](https://customvision.ai) with the same account as you used to log into the [Azure portal](https://portal.azure.com/). Also, please confirm you have selected the same "Directory" in the Custom Vision website as the directory in the Azure portal where your Custom Vision resources are located. In both sites, you may select your directory from the drop down account menu at the top right corner of the screen.

-1. Enter a name and a description for the project. Then select a Resource Group. If your signed-in account is associated with an Azure account, the Resource Group dropdown will display all of your Azure Resource Groups that include a Custom Vision Service Resource.

- > If no resource group is available, please confirm that you have logged into [customvision.ai](https://customvision.ai) with the same account as you used to log into the [Azure portal](https://portal.azure.com/). Also, please confirm you have selected the same "Directory" in the Custom Vision web portal as the directory in the Azure portal where your Custom Vision resources are located. In both sites, you may select your directory from the drop down account menu at the top right corner of the screen.

-Prebuilt neural voices are created from samples that use a 24-khz sample rate. All voices can upsample or downsample to other sample rates when synthesizing.

-* TTS Service July 2022, new voices in Public Preview and new viseme feature blend shapes were released. See details below.

-The supported streaming and non-streaming audio formats are sent in each request as the `X-Microsoft-OutputFormat` header. Each format incorporates a bit rate and encoding type. The Speech service supports 48-kHz, 24-kHz, 16-kHz, and 8-kHz audio outputs. Prebuilt neural voices are created from samples that use a 24-khz sample rate. All voices can upsample or downsample to other sample rates when synthesizing.

-> en-US-AriaNeural, en-US-JennyNeural and zh-CN-XiaoxiaoNeural are available in public preview in 48Khz output. Other voices support 24khz upsampled to 48khz output.

-> [!NOTE]

-* **Prebuilt neural voices**: Microsoft neural text-to-speech capability uses deep neural networks to overcome the limits of traditional speech synthesis with regard to stress and intonation in spoken language. Prosody prediction and voice synthesis happen simultaneously, which results in more fluid and natural-sounding outputs. You can use neural voices to:

-If you're using Language Understanding (LUIS), you can [import your LUIS JSON file](../conversational-language-understanding/concepts/backwards-compatibility.md) to the new Conversational language understanding feature.

-description: Learn about backwards compatibility between LUIS and Conversational Language Understanding

-# Backwards compatibility with LUIS applications

-You can reuse some of the content of your existing [LUIS](../../../LUIS/what-is-luis.md) applications in [conversational language understanding](../overview.md). When working with conversational language understanding projects, you can:

-* Create conversational language understanding conversation projects from LUIS application JSON files.

-* Create LUIS applications that can be connected to [orchestration workflow](../../orchestration-workflow/overview.md) projects.

-

-> [!NOTE]

-> This guide assumes you have created a Language resource. If you're getting started with the service, see the [quickstart article](../quickstart.md).

-## Import a LUIS application JSON file into Conversational Language Understanding

-### [Language Studio](#tab/studio)

-To import a LUIS application JSON file, click on the icon next to **Create a new project** and select **Import**. Then select the LUIS file. When you import a new project into Conversational Language Understanding, you can select an exported LUIS application JSON file, and the service will automatically create a project with the currently available features.

-### [REST API](#tab/rest-api)

-## Supported features

-When you import the LUIS JSON application into conversational language understanding, it will create a **Conversations** project with the following features will be selected:

-|**Feature**|**Notes**|

-|: - |: - |

-|Intents|All of your intents will be transferred as conversational language understanding intents with the same names.|

-|ML entities|All of your ML entities will be transferred as conversational language understanding entities with the same names. The labels will be persisted and used to train the Learned component of the entity. Structured ML entities will transfer over the lowest level subentities of the structure as different entities and apply their labels accordingly.|

-|Utterances|All of your LUIS utterances will be transferred as conversational language understanding utterances with their intent and entity labels. Structured ML entity labels will only consider the lowest level subentity labels, and all the top level entity labels will be ignored.|

-|Culture|The primary language of the Conversation project will be the LUIS app culture. If the culture is not supported, the importing will fail. |

-|List entities|All of your list entities will be transferred as conversational language understanding entities with the same names. The normalized values and synonyms of each list will be transferred as keys and synonyms in the list component for the conversational language understanding entity.|

-|Prebuilt entities|All of your prebuilt entities will be transferred as conversational language understanding entities with the same names. The conversational language understanding entity will have the relevant [prebuilt entities](entity-components.md#prebuilt-component) enabled if they are supported. |

-|Required entity features in ML entities|If you had a prebuilt entity or a list entity as a required feature to another ML entity, then the ML entity will be transferred as a conversational language understanding entity with the same name and its labels will apply. The conversational language understanding entity will include the required feature entity as a component. The [overlap method](entity-components.md#entity-options) will be set as ΓÇ£Exact OverlapΓÇ¥ for the conversational language understanding entity.|

-|Non-required entity features in ML entities|If you had a prebuilt entity or a list entity as a non-required feature to another ML entity, then the ML entity will be transferred as a conversational language understanding entity with the same name and its ML labels will apply. If an ML entity was used as a feature to another ML entity, it will not be transferred over.|

-|Roles|All of your roles will be transferred as conversational language understanding entities with the same names. Each role will be its own conversational language understanding entity. The roleΓÇÖs entity type will determine which component is populated for the role. Roles on prebuilt entities will transfer as conversational language understanding entities with the prebuilt entity component enabled and the role labels transferred over to train the Learned component. Roles on list entities will transfer as conversational language understanding entities with the list entity component populated and the role labels transferred over to train the Learned component. Roles on ML entities will be transferred as conversational language understanding entities with their labels applied to train the Learned component of the entity. |

-## Unsupported features

-When you import the LUIS JSON application into conversational language understanding, certain features will be ignored, but they will not block you from importing the application. The following features will be ignored:

-|**Feature**|**Notes**|

-|: - |: - |

-|Application Settings|The settings such as Normalize Punctuation, Normalize Diacritics, and Use All Training Data were meant to improve predictions for intents and entities. The new models in conversational language understanding are not sensitive to small changes such as punctuation and are therefore not available as settings.|

-|Features|Phrase list features and features to intents will all be ignored. Features were meant to introduce semantic understanding for LUIS that conversational language understanding can provide out of the box with its new models.|

-|Patterns|Patterns were used to cover for lack of quality in intent classification. The new models in conversational language understanding are expected to perform better without needing patterns.|

-|`Pattern.Any` Entities|`Pattern.Any` entities were used to cover for lack of quality in ML entity extraction. The new models in conversational language understanding are expected to perform better without needing `Pattern.Any` entities.|

-|Regex Entities| Not currently supported |

-|Structured ML Entities| Not currently supported |

-## Use a published LUIS application in orchestration workflow projects

-You can only connect to published LUIS applications that are owned by the same Language resource that you use for Conversational Language Understanding. You can change the authoring resource to a Language **S** resource in **West Europe** applications. See the [LUIS documentation](../../../luis/luis-how-to-azure-subscription.md#assign-luis-resources) for steps on assigning a different resource to your LUIS application. You can also export then import the LUIS applications into your Language resource. You must train and publish LUIS applications for them to appear in Conversational Language Understanding when you want to connect them to orchestration projects.

-## Next steps

-[Conversational Language Understanding overview](../overview.md)

-Yes, you can [import any LUIS application](./concepts/backwards-compatibility.md) JSON file from the latest version in the service.

-If you have an existing LUIS application, you can _import_ the LUIS application JSON to Conversational Language Understanding directly, and it will create a Conversation project with all the pieces that are currently available: Intents, ML entities, and utterances. See [backwards compatibility with LUIS](../concepts/backwards-compatibility.md) for more information.

-To get started, open Power BI Desktop and load the comma-separated value (CSV) file `FabrikamComments.csv` that you downloaded in [Prerequisites](#prerequisites). This file represents a day's worth of hypothetical activity in a fictional small company's support forum.

-The Open dialog appears. Navigate to your Downloads folder, or to the folder where you downloaded the `FabrikamComments.csv` file. Click `FabrikamComments.csv`, then the **Open** button. The CSV import dialog appears.

- Supported in General Availability, to set up inbound calling for Dynamics 365 OC with direct routing or Voice Calling (PSTN) follow [these instructions](/dynamics365/customer-service/voice-channel-inbound-calling)

- **Inbound calling with Power Virtual Agents**

- *Coming soon*

-**Inbound calling with ACS Client Calling SDK**

-*Coming soon*

-description: Create workflows that manage blobs in Azure storage accounts using Azure Logic Apps.

-# Create and manage blobs in Azure Blob Storage by using Azure Logic Apps

-From your workflow in Azure Logic Apps, you can access and manage files stored as blobs in your Azure storage account by using the [Azure Blob Storage connector](/connectors/azureblobconnector/). This connector provides triggers and actions that your workflow can use for blob operations. You can then automate tasks to manage files in your storage account. For example, [connector actions](/connectors/azureblobconnector/#actions) include checking, deleting, reading, and uploading blobs. The [available trigger](/connectors/azureblobconnector/#triggers) fires when a blob is added or modified.

-You can connect to Blob Storage from both **Logic App (Consumption)** and **Logic App (Standard)** resource types. You can use the connector with logic app workflows in multi-tenant Azure Logic Apps, single-tenant Azure Logic Apps, and the integration service environment (ISE). With **Logic App (Standard)**, you can use either the *built-in* **Azure Blob** operations or the **Azure Blob Storage** managed connector operations.

-## Prerequisites

-## Limits

- - Use a Blob trigger that returns file properties, such as [**When a blob is added or modified (properties only)**](/connectors/azureblobconnector/#when-a-blob-is-added-or-modified-(properties-only)).

- - Follow the trigger with the Blob action named [**Get blob content**](/connectors/azureblobconnector/#get-blob-content), which reads the complete file and implicitly uses chunking.

-## Connector reference

-For more technical details about this connector, such as triggers, actions, and limits, review the [connector's reference page](/connectors/azureblobconnector/).

-In Azure Logic Apps, every workflow must start with a [trigger](../logic-apps/logic-apps-overview.md#logic-app-concepts), which fires when a specific event happens or when a specific condition is met.

-Only one Blob trigger exists and has either of the following names, based on whether you're working with a Consumption or Standard logic app workflow:

-| Logic app type | Trigger name | Description |

-|-|--|-|

-| Consumption | Managed connector only: **When a blob is added or modified (properties only)** | The trigger fires when a blob's properties are added or updated in your storage container's root folder. |

-| Standard | - Built-in: **When a blob is Added or Modified in Azure Storage** <br><br>- Managed connector: **When a blob is added or modified (properties only)** | - Built-in: The trigger fires when a blob is added or updated in your storage container. The trigger also fires for any nested folders in your storage container, not just the root folder. <br><br>- Managed connector: The trigger fires when a blob's properties are added or updated in your storage container's root folder. |

-||||

-> [!IMPORTANT]

-> When you set up the Blob trigger, the built-in version processes all existing blobs in the container, while the managed version ignores existing blobs in the container.

-When the trigger fires each time, Azure Logic Apps creates a logic app instance and starts running the workflow.

-To add a Blob trigger to a logic app workflow in multi-tenant Azure Logic Apps, follow these steps:

-1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer.

-1. Under the designer search box, make sure that **All** is selected. In the search box, enter **Azure blob**. From the **Triggers** list, select the trigger named **When a blob is added or modified (properties only)**.

- :::image type="content" source="./media/connectors-create-api-azureblobstorage/consumption-trigger-add.png" alt-text="Screenshot showing Azure portal and workflow designer with a Consumption logic app and the trigger named 'When a blob is added or modified (properties only)' selected.":::

-1. If you're prompted for connection details, [create a connection to your Azure Blob Storage account](#connect-blob-storage-account).

-1. Provide the necessary information for the trigger.

- 1. For the **Container** property value, select the folder icon to browse for your blob storage container. Or, enter the path manually using the syntax **/<*container-name*>**, for example:

- :::image type="content" source="./media/connectors-create-api-azureblobstorage/consumption-trigger-configure.png" alt-text="Screenshot showing Azure Blob trigger with parameters configuration.":::

- 1. Configure other trigger settings as needed.

-1. Add one or more actions to your workflow.

-1. On the designer toolbar, select **Save** to save your changes.

-To add a Blob trigger to a logic app workflow in single-tenant Azure Logic Apps, follow these steps:

-1. In the [Azure portal](https://portal.azure.com), open your logic app workflow in the designer.

-1. On the designer, select **Choose an operation**.

-1. In the **Add a trigger** pane that opens, under the **Choose an operation** search box, you can select either **Built-in** to find the **Azure Blob** *built-in* trigger, or select **Azure** to find the **Azure Blob Storage** *managed connector* trigger.

- This example uses the built-in **Azure Blob** trigger.

-1. Under the search box, select **Built-in**. In the search box, enter **Azure blob**.

-1. From the **Triggers** list, select the built-in trigger named **When a blob is Added or Modified in Azure Storage**.

- :::image type="content" source="./media/connectors-create-api-azureblobstorage/standard-trigger-add.png" alt-text="Screenshot showing Azure portal, workflow designer, Standard logic app workflow and Azure Blob trigger selected.":::

-1. If you're prompted for connection details, [create a connection to your Azure Storage account](#connect-blob-storage-account).

-1. Provide the necessary information for the trigger. On the **Parameters** tab, in the **Blob Path** property, enter the name of the folder that you want to monitor.

- 1. Return to the workflow designer. In the trigger's **Blob Path** property, enter the path for the container, folder, or blob, based on whether you're checking for new blobs or changes to an existing blob. The syntax varies based on the check that you want to run and any filtering that you want to use:

- |||

- :::image type="content" source="./media/connectors-create-api-azureblobstorage/standard-trigger-root-folder.png" alt-text="Screenshot showing the workflow designer for a Standard logic app workflow with an Azure Blob trigger set up for the root folder.":::

- :::image type="content" source="./media/connectors-create-api-azureblobstorage/standard-trigger-sub-folder-existing-blob.png" alt-text="Screenshot showing the workflow designer for a Standard logic app workflow with an Azure Blob trigger set up for a subfolder and specific blob.":::

-1. Continue creating your workflow by adding one or more actions.

-1. On the designer toolbar, select **Save** to save your changes.

-In Azure Logic Apps, an [action](../logic-apps/logic-apps-overview.md#logic-app-concepts) is a step in your workflow that follows a trigger or another action.

-To add a Blob action to a logic app workflow in multi-tenant Azure Logic Apps, follow these steps:

-1. In the [Azure portal](https://portal.azure.com), open your workflow in the designer.

-1. If your workflow is blank, add any trigger that you want.

- This example starts with the [**Recurrence** trigger](connectors-native-recurrence.md).

-1. Under the trigger or action where you want to add the Blob action, select **New step** or **Add an action**, if between steps. This example uses the built-in Azure Blob action.

-1. Under the designer search box, make sure that **All** is selected. In the search box, enter **Azure blob**. Select the Blob action that you want to use.

- This example uses the action named **Get blob content**.

- :::image type="content" source="./media/connectors-create-api-azureblobstorage/consumption-action-add.png" alt-text="Screenshot showing Consumption logic app in designer with available Blob actions.":::

-1. If you're prompted for connection details, [create a connection to your Azure Storage account](#connect-blob-storage-account).

-1. Provide the necessary information for the action.

- :::image type="content" source="./media/connectors-create-api-azureblobstorage/consumption-action-root-folder.png" alt-text="Screenshot showing Consumption logic app in designer with Blob action setup for root folder.":::

- :::image type="content" source="./media/connectors-create-api-azureblobstorage/consumption-action-sub-folder.png" alt-text="Screenshot showing Consumption logic app in designer with Blob action setup for subfolder.":::

-1. Set up other action settings as needed.

-To add an Azure Blob action to a logic app workflow in single-tenant Azure Logic Apps, follow these steps:

-1. In the [Azure portal](https://portal.azure.com), open your workflow in the designer.

-1. If your workflow is blank, add any trigger that you want.

- This example starts with the [**Recurrence** trigger](connectors-native-recurrence.md).

-1. Under the trigger or action where you want to add the Blob action, select **Insert a new step** (**+**) > **Add an action**.

-1. On the designer, make sure that **Add an operation** is selected. In the **Add an action** pane that opens, under the **Choose an operation** search box, select either **Built-in** to find the **Azure Blob** *built-in* actions, or select **Azure** to find the **Azure Blob Storage** *managed connector* actions.

-1. In the search box, enter **Azure blob**. Select the Azure Blob action that you want to use.

- This example uses the action named **Reads Blob Content from Azure Storage**, which only reads the blob content. To later view the content, add a different action that creates a file with the blob content using another connector. For example, you can add a OneDrive action that creates a file based on the blob content.

- :::image type="content" source="./media/connectors-create-api-azureblobstorage/standard-action-add.png" alt-text="Screenshot showing the Azure portal and workflow designer with a Standard logic app workflow and the available Azure Blob Storage actions.":::

-1. If you're prompted for connection details, [create a connection to your Azure Storage account](#connect-blob-storage-account).

-1. For the action, provide the necessary information, which includes the following values for the **Read Blob Content from Azure Storage** action:

- | **Container Name** | Yes | The name for the storage container that you want to use |

- ||||

- :::image type="content" source="./media/connectors-create-api-azureblobstorage/standard-action-root-folder.png" alt-text="Screenshot showing Standard logic app in designer with Blob action setup for root folder.":::

- :::image type="content" source="./media/connectors-create-api-azureblobstorage/standard-action-subfolder.png" alt-text="Screenshot showing Standard logic app in designer with Blob action setup for subfolder.":::

-1. Configure any other action settings as needed.

-1. On the designer toolbar, select **Save**.

-1. Test your logic app to make sure your selected container contains a blob.

-<a name="connect-blob-storage-account"></a>

-## Connect to Azure Storage account

-### [Consumption](#tab/consumption)

-Before you can configure your [Azure Blob Storage trigger](#add-trigger) or [Azure Blob Storage action](#add-action), you need to connect to your Azure Storage account.

-Based on the [authentication type that your storage account requires](../storage/common/authorize-data-access.md), you have to provide a connection name and select the authentication type at a minimum.

-For example, if your storage account requires *access key* authorization, you have to provide the following information:

-| Property | Required | Value | Description |

-|-|-|-|-|

-| **Connection name** | Yes | <*connection-name*> | The name to use for your connection. |

-| **Authentication type** | Yes | - **Access Key** <br><br>- **Azure AD Integrated** <br><br>- **Logic Apps Managed Identity** | The authentication type to use for your connection. For more information, review [Authentication types for triggers and actions that support authentication - Secure access and data](../logic-apps/logic-apps-securing-a-logic-app.md#authentication-types-supported-triggers-actions). |

-| **Azure Storage Account name** | Yes, <br>but only for access key authentication | <*storage-account-name*> | The name for the Azure storage account where your blob container exists. <br><br><br><br>**Note**: To find the storage account name, open your storage account resource in the Azure portal. In the resource menu, under **Security + networking**, select **Access keys**. Under **Storage account name**, copy and save the name. |

-| **Azure Storage Account Access Key** | Yes, <br>but only for access key authentication | <*storage-account-access-key*> | The access key for your Azure storage account. <br><br><br><br>**Note**: To find the access key, open your storage account resource in the Azure portal. In the resource menu, under **Security + networking**, select **Access keys** > **Show keys**. Copy and save one of the key values. |

-|||||

-The following example shows how a connection using access key authentication might appear:

-> [!NOTE]

-> After you create your connection, if you have a different existing Azure Blob storage connection

-> that you want to use instead, select **Change connection** in the trigger or action details editor.

-If you have problems connecting to your storage account, review [how to access storage accounts behind firewalls](#access-storage-accounts-behind-firewalls).

-### [Standard](#tab/standard)

-Before you can configure your [Azure Blob trigger](#add-trigger) or [Azure Blob action](#add-action), you need to connect to your Azure Storage account. A connection requires the following properties:

-| Property | Required | Value | Description |

-|-|-|-|-|

-| **Connection name** | Yes | <*connection-name*> | The name to use for your connection. |

-| **Azure Blob Storage Connection String** | Yes | <*storage-account*> | Select your storage account from the list, or provide a string. <br><br><br><br>**Note**: To find the connection string, go to the storage account's page. In the navigation menu, under **Security + networking**, select **Access keys** > **Show keys**. Copy one of the available connection string values. |

-|||||

-To create an Azure Blob Storage connection from a logic app workflow in single-tenant Azure Logic Apps, follow these steps:

-1. For **Connection name**, enter a name for your connection.

-1. For **Azure Blob Storage Connection String**, enter the connection string for the storage account that you want to use.

-1. Select **Create** to finish creating your connection.

- :::image type="content" source="./media/connectors-create-api-azureblobstorage/standard-connection-create.png" alt-text="Screenshot that shows the workflow designer with a Standard logic app workflow and a prompt to add a new connection for the Azure Blob Storage step.":::

-> [!NOTE]

-> After you create your connection, if you have a different existing Azure Blob storage connection

-> that you want to use instead, select **Change connection** in the trigger or action details editor.

-If you have problems connecting to your storage account, review [how to access storage accounts behind firewalls](#access-storage-accounts-behind-firewalls).

- You don't have to create a private endpoint. You can just permit traffic through the ISE outbound IPs on the storage account.

-### Access storage accounts through VNet integration

- You can put the storage account in an Azure virtual network by creating a private endpoint, and then add that virtual network to the trusted virtual networks list. To give your logic app access to the storage account, you have to [Set up outbound traffic using VNet integration](../logic-apps/secure-single-tenant-workflow-virtual-network-private-endpoint.md#set-up-outbound) to enable connecting to resources in a virtual network. You can then add the VNet to the storage account's trusted virtual networks list.

- You don't have to create a private endpoint. You can just permit traffic through the ISE outbound IPs on the storage account.

-> Limitations for this solution:

-> - To authenticate your storage account connection, you have to set up a system-assigned managed identity.

->

-[Connectors overview for Azure Logic Apps](apis-list.md)

-This article reviews two flows for encrypting data with a customer-managed key:

-* Encrypt data with a customer-managed key stored in a standard Azure Key Vault

-* Encrypt data with a customer-managed key stored in a network-protected Azure Key Vault with [Trusted Services](../key-vault/general/network-security.md) enabled.

-## Encrypt data with a customer-managed key stored in a standard Azure Key Vault

-## Encrypt data with a customer-managed key in a network protected Azure Key Vault with Trusted Services enabled

-### Create a Key Vault resource

-Create an Azure Key Vault using [Azure portal](../key-vault/general/quick-create-portal.md), [Azure CLI](../key-vault/general/quick-create-cli.md), or [Azure PowerShell](../key-vault/general/quick-create-powershell.md). To start, do not apply any network-limitations so we can add necessary keys to the vault. In subsequent steps, we will add network-limitations and enable trusted services.

-For the properties of your key vault, use the following guidelines:

-* Name: A unique name is required.

-* Subscription: Choose a subscription.

-* Under Resource Group, either choose an existing resource group, or create new and enter a resource group name.

-* In the Location pull-down menu, choose a location.

-* You can leave the other options to their defaults or pick based on additional requirements.

-> [!IMPORTANT]

-> When using customer-managed keys to encrypt an ACI deployment template, it is recommended that the following two properties be set on the key vault, Soft Delete and Do Not Purge. These properties are not enabled by default, but can be enabled using either PowerShell or Azure CLI on a new or existing key vault.

-### Generate a new key

-Once your key vault is created, navigate to the resource in Azure portal. On the left navigation menu of the resource blade, under Settings, click **Keys**. On the view for "Keys," click "Generate/Import" to generate a new key. Use any unique Name for this key, and any other preferences based on your requirements. Make sure to capture key name and version for subsequent steps.

-

-### Create a user-assigned managed identity for your container group

-Create an identity in your subscription using the [az identity create](/cli/azure/identity#az-identity-create) command. You can use the same resource group used to create the key vault, or use a different one.

-```azurecli-interactive

-az identity create \

- --resource-group myResourceGroup \

- --name myACIId

-```

-To use the identity in the following steps, use the [az identity show](/cli/azure/identity#az-identity-show) command to store the identity's service principal ID and resource ID in variables.

-```azurecli-interactive

-# Get service principal ID of the user-assigned identity

-spID=$(az identity show \

- --resource-group myResourceGroup \

- --name myACIId \

- --query principalId --output tsv)

-```

-### Set access policy

-Create a new access policy for allowing the user-assigned identity to access and unwrap your key for encryption purposes.

-```azurecli-interactive

-az keyvault set-policy \

- --name mykeyvault \

- --resource-group myResourceGroup \

- --object-id $spID \

- --key-permissions get unwrapKey

- ```

-### Modify Azure Key Vault's network permissions

-The following commands set up an Azure Firewall for your Azure Key Vault and allow Azure Trusted Services such as ACI access.

-```azurecli-interactive

-az keyvault update \

- --name mykeyvault \

- --resource-group myResourceGroup \

- --default-action Deny

- ```

-

-```azurecli-interactive

-az keyvault update \

- --name mykeyvault \

- --resource-group myResourceGroup \

- --bypass AzureServices

- ```

-### Modify your JSON deployment template

-> [!IMPORTANT]

-> Encrypting deployment data with a customer-managed key is available in the 2022-09-01 API version or newer. The 2022-09-01 API version is only available via ARM or REST. If you have any issues with this, please reach out to Azure Support.

-Once the key vault key and access policy are set up, add the following properties to your ACI deployment template. Learn more about deploying ACI resources with a template in the [Tutorial: Deploy a multi-container group using a Resource Manager template](./container-instances-multi-container-group.md).

-* Under `resources`, set `apiVersion` to `2022-09-01`.

-* Under the container group properties section of the deployment template, add an `encryptionProperties`, which contains the following values:

- * `vaultBaseUrl`: the DNS Name of your key vault. This can be found on the overview blade of the key vault resource in Portal

- * `keyName`: the name of the key generated earlier

- * `keyVersion`: the current version of the key. This can be found by clicking into the key itself (under "Keys" in the Settings section of your key vault resource)

- * `identity`: this is the resource URI of the Managed Identity instance created earlier

-* Under the container group properties, add a `sku` property with value `Standard`. The `sku` property is required in API version 2022-09-01.

-* Under resources, add the `identity` object required to use Managed Identity with ACI, which contains the following values:

- * `type`: the type of the identity being used (either user-assigned or system-assigned). This case will be set to "UserAssigned"

- * `userAssignedIdentities`: the resourceURI of the same user-assigned identity used above in the `encryptionProperties` object.

-The following template snippet shows these additional properties to encrypt deployment data:

-```json

-[...]

-"resources": [

- {

- "name": "[parameters('containerGroupName')]",

- "type": "Microsoft.ContainerInstance/containerGroups",

- "apiVersion": "2019-12-01",

- "location": "[resourceGroup().location]",

- "identity": {

- "type": "UserAssigned",

- "userAssignedIdentities": {

- "/subscriptions/XXXXXXXXXXXXXXXXXXXXXX/resourcegroups/XXXXXXXXXXXXXXXXXXXXXX/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACIId": {}

- }

- },

- "properties": {

- "encryptionProperties": {

- "vaultBaseUrl": "https://example.vault.azure.net",

- "keyName": "acikey",

- "keyVersion": "xxxxxxxxxxxxxxxx",

- "identity": "/subscriptions/XXXXXXXXXXXXXXXXXXXXXX/resourcegroups/XXXXXXXXXXXXXXXXXXXXXX/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACIId"

- },

- "sku": "Standard",

- "containers": {

- [...]

- }

- }

- }

-]

-```

-Following is a complete template, adapted from the template in [Tutorial: Deploy a multi-container group using a Resource Manager template](./container-instances-multi-container-group.md).

-```json

-{

- "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",

- "contentVersion": "1.0.0.0",

- "parameters": {

- "containerGroupName": {

- "type": "string",

- "defaultValue": "myContainerGroup",

- "metadata": {

- "description": "Container Group name."

- }

- }

- },

- "variables": {

- "container1name": "aci-tutorial-app",

- "container1image": "mcr.microsoft.com/azuredocs/aci-helloworld:latest",

- "container2name": "aci-tutorial-sidecar",

- "container2image": "mcr.microsoft.com/azuredocs/aci-tutorial-sidecar"

- },

- "resources": [

- {

- "name": "[parameters('containerGroupName')]",

- "type": "Microsoft.ContainerInstance/containerGroups",

- "apiVersion": "2022-09-01",

- "location": "[resourceGroup().location]",

- "identity": {

- "type": "UserAssigned",

- "userAssignedIdentities": {

- "/subscriptions/XXXXXXXXXXXXXXXXXXXXXX/resourcegroups/XXXXXXXXXXXXXXXXXXXXXX/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACIId": {}

- }

- },

- "properties": {

- "encryptionProperties": {

- "vaultBaseUrl": "https://example.vault.azure.net",

- "keyName": "acikey",

- "keyVersion": "xxxxxxxxxxxxxxxx",

- "identity": "/subscriptions/XXXXXXXXXXXXXXXXXXXXXX/resourcegroups/XXXXXXXXXXXXXXXXXXXXXX/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myACIId"

- },

- "sku": "Standard",

- "containers": [

- {

- "name": "[variables('container1name')]",

- "properties": {

- "image": "[variables('container1image')]",

- "resources": {

- "requests": {

- "cpu": 1,

- "memoryInGb": 1.5

- }

- },

- "ports": [

- {

- "port": 80

- },

- {

- "port": 8080

- }

- ]

- }

- },

- {

- "name": "[variables('container2name')]",

- "properties": {

- "image": "[variables('container2image')]",

- "resources": {

- "requests": {

- "cpu": 1,

- "memoryInGb": 1.5

- }

- }

- }

- }

- ],

- "osType": "Linux",

- "ipAddress": {

- "type": "Public",

- "ports": [

- {

- "protocol": "tcp",

- "port": "80"

- },

- {

- "protocol": "tcp",

- "port": "8080"

- }

- ]

- }

- }

- }

- ],

- "outputs": {

- "containerIPv4Address": {

- "type": "string",

- "value": "[reference(resourceId('Microsoft.ContainerInstance/containerGroups/', parameters('containerGroupName'))).ipAddress.ip]"

- }

- }

-}

-```

-### Deploy your resources

-If you created and edited the template file on your desktop, you can upload it to your Cloud Shell directory by dragging the file into it.

-Create a resource group with the [az group create][az-group-create] command.

-```azurecli-interactive

-az group create --name myResourceGroup --location eastus

-```

-Deploy the template with the [az deployment group create][az-deployment-group-create] command.

-```azurecli-interactive

-az deployment group create --resource-group myResourceGroup --template-file deployment-template.json

-```

-Within a few seconds, you should receive an initial response from Azure. Once the deployment completes, all data related to it persisted by the ACI service will be encrypted with the key you provided.

-### Limitations

-* Currently you can't use a managed identity in a container group deployed to a virtual network.

-Azure Container Instances does not expose direct access to the underlying infrastructure that hosts container groups. This includes access to the Docker API running on the container's host and running privileged containers. If you require Docker interaction, check the [REST reference documentation](/rest/api/container-instances/) to see what the ACI API supports. If there is something missing, submit a request on the [ACI feedback forums](https://aka.ms/aci/feedback).

-* You can't use a [managed identity](container-instances-managed-identity.md) in a container group deployed to a virtual network.

-[az-network-profile-list]: /cli/azure/network/profile#az_network_profile_list

-* Container groups running in Azure Virtual Networks don't support managed identity authentication image pulls with ACR.

-> The prices used in these examples below are hypothetical and are not intended to imply actual pricing.

-* Expression: ```(car as (model as string, year as integer), color as string, transmission as string)```

-* Expression: ```(cars as (car as ({@model} as string, year as integer)))```

-> The prices used in these examples below are hypothetical and are not intended to imply actual pricing.

-You can also [export your cost data](../cost-management-billing/costs/tutorial-export-acm-data.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) to a storage account. This is helpful when you need or others to do additional data analysis for costs. For example, a finance teams can analyze the data using Excel or Power BI. You can export your costs on a daily, weekly, or monthly schedule and set a custom date range. Exporting cost data is the recommended way to retrieve cost datasets.

-> [!NOTE]

-> The prices used in these examples below are hypothetical and are not intended to imply actual pricing.

-## Copy data from AWS S3 to Azure Blob storage hourly

-In this scenario, you want to copy data from AWS S3 to Azure Blob storage on an hourly schedule.

-To accomplish the scenario, you need to create a pipeline with the following items:

-1. A copy activity with an input dataset for the data to be copied from AWS S3.

-2. An output dataset for the data on Azure Storage.

-3. A schedule trigger to execute the pipeline every hour.

- :::image type="content" source="media/pricing-concepts/scenario1.png" alt-text="Diagram shows a pipeline with a schedule trigger. In the pipeline, copy activity flows to an input dataset, which flows to an A W S S3 linked service and copy activity also flows to an output dataset, which flows to an Azure Storage linked service.":::

-| **Operations** | **Types and Units** |

-| | |

-| Create Linked Service | 2 Read/Write entity |

-| Create Datasets | 4 Read/Write entities (2 for dataset creation, 2 for linked service references) |

-| Create Pipeline | 3 Read/Write entities (1 for pipeline creation, 2 for dataset references) |

-| Get Pipeline | 1 Read/Write entity |

-| Run Pipeline | 2 Activity runs (1 for trigger run, 1 for activity runs) |

-| Copy Data Assumption: execution time = 10 min | 10 \* 4 Azure Integration Runtime (default DIU setting = 4) For more information on data integration units and optimizing copy performance, see [this article](copy-activity-performance.md) |

-| Monitor Pipeline Assumption: Only 1 run occurred | 2 Monitoring run records retrieved (1 for pipeline run, 1 for activity run) |

-**Total Scenario pricing: $0.16811**

- - Read/Write = 10\*0.00001 = $0.0001 [1 R/W = $0.50/50000 = 0.00001]

- - Monitoring = 2\*0.000005 = $0.00001 [1 Monitoring = $0.25/50000 = 0.000005]

- - Activity Runs = 0.001\*2 = $0.002 [1 run = $1/1000 = 0.001]

- - Data Movement Activities = $0.166 (Prorated for 10 minutes of execution time. $0.25/hour on Azure Integration Runtime)

-## Copy data and transform with Azure Databricks hourly

-In this scenario, you want to copy data from AWS S3 to Azure Blob storage and transform the data with Azure Databricks on an hourly schedule.

-To accomplish the scenario, you need to create a pipeline with the following items:

-1. One copy activity with an input dataset for the data to be copied from AWS S3, and an output dataset for the data on Azure storage.

-2. One Azure Databricks activity for the data transformation.

-3. One schedule trigger to execute the pipeline every hour.

-| **Operations** | **Types and Units** |

-| | |

-| Create Linked Service | 3 Read/Write entity |

-| Create Datasets | 4 Read/Write entities (2 for dataset creation, 2 for linked service references) |

-| Create Pipeline | 3 Read/Write entities (1 for pipeline creation, 2 for dataset references) |

-| Get Pipeline | 1 Read/Write entity |

-| Run Pipeline | 3 Activity runs (1 for trigger run, 2 for activity runs) |

-| Copy Data Assumption: execution time = 10 min | 10 \* 4 Azure Integration Runtime (default DIU setting = 4) For more information on data integration units and optimizing copy performance, see [this article](copy-activity-performance.md) |

-| Monitor Pipeline Assumption: Only 1 run occurred | 3 Monitoring run records retrieved (1 for pipeline run, 2 for activity run) |

-| Execute Databricks activity Assumption: execution time = 10 min | 10 min External Pipeline Activity Execution |

-**Total Scenario pricing: $0.16916**

- - Read/Write = 11\*0.00001 = $0.00011 [1 R/W = $0.50/50000 = 0.00001]

- - Monitoring = 3\*0.000005 = $0.00001 [1 Monitoring = $0.25/50000 = 0.000005]

- - Activity Runs = 0.001\*3 = $0.003 [1 run = $1/1000 = 0.001]

- - Data Movement Activities = $0.166 (Prorated for 10 minutes of execution time. $0.25/hour on Azure Integration Runtime)

- - External Pipeline Activity = $0.000041 (Prorated for 10 minutes of execution time. $0.00025/hour on Azure Integration Runtime)

-## Copy data and transform with dynamic parameters hourly

-In this scenario, you want to copy data from AWS S3 to Azure Blob storage and transform with Azure Databricks (with dynamic parameters in the script) on an hourly schedule.

-To accomplish the scenario, you need to create a pipeline with the following items:

-1. One copy activity with an input dataset for the data to be copied from AWS S3, an output dataset for the data on Azure storage.

-2. One Lookup activity for passing parameters dynamically to the transformation script.

-3. One Azure Databricks activity for the data transformation.

-4. One schedule trigger to execute the pipeline every hour.

-| **Operations** | **Types and Units** |

-| | |

-| Create Linked Service | 3 Read/Write entity |

-| Create Datasets | 4 Read/Write entities (2 for dataset creation, 2 for linked service references) |

-| Create Pipeline | 3 Read/Write entities (1 for pipeline creation, 2 for dataset references) |

-| Get Pipeline | 1 Read/Write entity |

-| Run Pipeline | 4 Activity runs (1 for trigger run, 3 for activity runs) |

-| Copy Data Assumption: execution time = 10 min | 10 \* 4 Azure Integration Runtime (default DIU setting = 4) For more information on data integration units and optimizing copy performance, see [this article](copy-activity-performance.md) |

-| Monitor Pipeline Assumption: Only 1 run occurred | 4 Monitoring run records retrieved (1 for pipeline run, 3 for activity run) |

-| Execute Lookup activity Assumption: execution time = 1 min | 1 min Pipeline Activity execution |

-| Execute Databricks activity Assumption: execution time = 10 min | 10 min External Pipeline Activity execution |

-**Total Scenario pricing: $0.17020**

- - Read/Write = 11\*0.00001 = $0.00011 [1 R/W = $0.50/50000 = 0.00001]

- - Monitoring = 4\*0.000005 = $0.00002 [1 Monitoring = $0.25/50000 = 0.000005]

- - Activity Runs = 0.001\*4 = $0.004 [1 run = $1/1000 = 0.001]

- - Data Movement Activities = $0.166 (Prorated for 10 minutes of execution time. $0.25/hour on Azure Integration Runtime)

- - Pipeline Activity = $0.00003 (Prorated for 1 minute of execution time. $0.005/hour on Azure Integration Runtime)

- - External Pipeline Activity = $0.000041 (Prorated for 10 minutes of execution time. $0.00025/hour on Azure Integration Runtime)

-## Run SSIS packages on Azure-SSIS integration runtime

-Azure-SSIS integration runtime (IR) is a specialized cluster of Azure virtual machines (VMs) for SSIS package executions in Azure Data Factory (ADF). When you provision it, it will be dedicated to you, hence it will be charged just like any other dedicated Azure VMs as long as you keep it running, regardless whether you use it to execute SSIS packages or not. With respect to its running cost, youΓÇÖll see the hourly estimate on its setup pane in ADF portal, for example:

-In the above example, if you keep your Azure-SSIS IR running for 2 hours, you'll be charged: **2 (hours) x US$1.158/hour = US$2.316**.

-To manage your Azure-SSIS IR running cost, you can scale down your VM size, scale in your cluster size, bring your own SQL Server license via Azure Hybrid Benefit (AHB) option that offers significant savings, see [Azure-SSIS IR pricing](https://azure.microsoft.com/pricing/details/data-factory/ssis/), and or start & stop your Azure-SSIS IR whenever convenient/on demand/just in time to process your SSIS workloads, see [Reconfigure Azure-SSIS IR](manage-azure-ssis-integration-runtime.md#to-reconfigure-an-azure-ssis-ir) and [Schedule Azure-SSIS IR](how-to-schedule-azure-ssis-integration-runtime.md).

-## Using mapping data flow debug for a normal workday

-As a Data Engineer, Sam is responsible for designing, building, and testing mapping data flows every day. Sam logs into the ADF UI in the morning and enables the Debug mode for Data Flows. The default TTL for Debug sessions is 60 minutes. Sam works throughout the day for 8 hours, so the Debug session never expires. Therefore, Sam's charges for the day will be:

-**8 (hours) x 8 (compute-optimized cores) x $0.193 = $12.35**

-At the same time, Chris, another Data Engineer, also logs into the ADF browser UI for data profiling and ETL design work. Chris does not work in ADF all day like Sam. Chris only needs to use the data flow debugger for 1 hour during the same period and same day as Sam above. These are the charges Chris incurs for debug usage:

-**1 (hour) x 8 (general purpose cores) x $0.274 = $2.19**

-## Transform data in blob store with mapping data flows

-In this scenario, you want to transform data in Blob Store visually in ADF mapping data flows on an hourly schedule.

-To accomplish the scenario, you need to create a pipeline with the following items:

-1. A Data Flow activity with the transformation logic.

-2. An input dataset for the data on Azure Storage.

-3. An output dataset for the data on Azure Storage.

-4. A schedule trigger to execute the pipeline every hour.

-| **Operations** | **Types and Units** |

-| | |

-| Create Linked Service | 2 Read/Write entity |

-| Create Datasets | 4 Read/Write entities (2 for dataset creation, 2 for linked service references) |

-| Create Pipeline | 3 Read/Write entities (1 for pipeline creation, 2 for dataset references) |

-| Get Pipeline | 1 Read/Write entity |

-| Run Pipeline | 2 Activity runs (1 for trigger run, 1 for activity runs) |

-| Data Flow Assumptions: execution time = 10 min + 10 min TTL | 10 \* 16 cores of General Compute with TTL of 10 |

-| Monitor Pipeline Assumption: Only 1 run occurred | 2 Monitoring run records retrieved (1 for pipeline run, 1 for activity run) |

-**Total Scenario pricing: $1.4631**

- - Read/Write = 10\*0.00001 = $0.0001 [1 R/W = $0.50/50000 = 0.00001]

- - Monitoring = 2\*0.000005 = $0.00001 [1 Monitoring = $0.25/50000 = 0.000005]

- - Activity Runs = 0.001\*2 = $0.002 [1 run = $1/1000 = 0.001]

- - Data Flow Activities = $1.461 prorated for 20 minutes (10 mins execution time + 10 mins TTL). $0.274/hour on Azure Integration Runtime with 16 cores general compute

-## Data integration in Azure Data Factory Managed VNET

-In this scenario, you want to delete original files on Azure Blob Storage and copy data from Azure SQL Database to Azure Blob Storage. You will do this execution twice on different pipelines. The execution time of these two pipelines is overlapping.

-To accomplish the scenario, you need to create two pipelines with the following items:

- - A pipeline activity ΓÇô Delete Activity.

- - A copy activity with an input dataset for the data to be copied from Azure Blob storage.

- - An output dataset for the data on Azure SQL Database.

- - A schedule triggers to execute the pipeline.

-| **Operations** | **Types and Units** |

-| | |

-| Create Linked Service | 4 Read/Write entity |

-| Create Datasets | 8 Read/Write entities (4 for dataset creation, 4 for linked service references) |

-| Create Pipeline | 6 Read/Write entities (2 for pipeline creation, 4 for dataset references) |

-| Get Pipeline | 2 Read/Write entity |

-| Run Pipeline | 6 Activity runs (2 for trigger run, 4 for activity runs) |

-| Execute Delete Activity: each execution time = 5 min. The Delete Activity execution in first pipeline is from 10:00 AM UTC to 10:05 AM UTC. The Delete Activity execution in second pipeline is from 10:02 AM UTC to 10:07 AM UTC.|Total 7 min pipeline activity execution in Managed VNET. Pipeline activity supports up to 50 concurrency in Managed VNET. There is a 60 minutes Time To Live (TTL) for pipeline activity|

-| Copy Data Assumption: each execution time = 10 min. The Copy execution in first pipeline is from 10:06 AM UTC to 10:15 AM UTC. The Copy Activity execution in second pipeline is from 10:08 AM UTC to 10:17 AM UTC. | 10 * 4 Azure Integration Runtime (default DIU setting = 4) For more information on data integration units and optimizing copy performance, see [this article](copy-activity-performance.md) |

-| Monitor Pipeline Assumption: Only 2 runs occurred | 6 Monitoring run records retrieved (2 for pipeline run, 4 for activity run) |

-**Total Scenario pricing: $1.45523**

- - Read/Write = 20*0.00001 = $0.0002 [1 R/W = $0.50/50000 = 0.00001]

- - Monitoring = 6*0.000005 = $0.00003 [1 Monitoring = $0.25/50000 = 0.000005]

- - Activity Runs = 0.001*6 = $0.006 [1 run = $1/1000 = 0.001]

- - Data Movement Activities = $0.333 (Prorated for 10 minutes of execution time. $0.25/hour on Azure Integration Runtime)

- - Pipeline Activity = $1.116 (Prorated for 7 minutes of execution time plus 60 minutes TTL. $1/hour on Azure Integration Runtime)

-> [!NOTE]

-> These prices are for example purposes only.

-**FAQ**

-Q: If I would like to run more than 50 pipeline activities, can these activities be executed simultaneously?

-A: Max 50 concurrent pipeline activities will be allowed. The 51th pipeline activity will be queued until a ΓÇ£free slotΓÇ¥ is opened up.

-Same for external activity. Max 800 concurrent external activities will be allowed.

-All supported cloud connection methods provide:

-## Multi-cloud connections

-For more information, see [Connect via multi-cloud vendors](connect-sensors.md#connect-via-multi-cloud-vendors).

-This article describes how to connect your sensors to the Defender for IoT portal in Azure.

-|- You have sensors hosted in multiple public clouds | **[Connect via multi-cloud vendors](#connect-via-multi-cloud-vendors)** |

- - **IoT Hub**: `*.azure-devices.net`

- - **Blob storage**: `*.blob.core.windows.net`

- - **EventHub**: `*.servicebus.windows.net`

- - **Microsoft Download Center**: `download.microsoft.com`

-1. Connect your proxy to Defender for IoT. Enable outbound HTTP traffic on port 443 from the sensor to the following Azure hostnames:

- - **IoT Hub**: `*.azure-devices.net`

- - **Threat Intelligence**: `*.blob.core.windows.net`

- - **Eventhub**: `*.servicebus.windows.net`

- - **Microsoft download site**: `download.microsoft.com`

-1. Ensure that your sensor can access the cloud using HTTP on port 443 to the following Microsoft domains:

- - **IoT Hub**: `*.azure-devices.net`

- - **Threat Intelligence**: `*.blob.core.windows.net`

- - **Eventhub**: `*.servicebus.windows.net`

- - **Microsoft Download Center**: `download.microsoft.com`

-## Connect via multi-cloud vendors

-This section describes how to connect your sensor to Defender for IoT in Azure from sensors deployed in one or more public clouds. For more information, see [Multi-cloud connections](architecture-connections.md#multi-cloud-connections).

- :::image type="content" source="media/architecture-connections/multi-cloud-flow-chart.png" alt-text="Flow chart to determine which connectivity method to use.":::

- - If you're running a hybrid environment with multiple sensor versions, make sure any sensors with software version 22.1.x can connect to Azure. Use firewall rules that allow outbound HTTPS traffic on port 443 to the following hostnames:

- - **IoT Hub**: `*.azure-devices.net`

- - **Threat Intelligence**: `*.blob.core.windows.net`

- - **EventHub**: `*.servicebus.windows.net`

- - **Microsoft Download Center**: `download.microsoft.com`

-For more information, see [Device inventory column reference](#device-inventory-column-reference).

-

-| :::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/icon-diagnostics.png" border="false"::: **Send diagnostic files to support** | Individual, locally managed OT sensors only. <br><br>Available from the **...** options menu. <br><br>For more information, see [Upload a diagnostics log for support (Public preview)](#upload-a-diagnostics-log-for-support-public-preview).|

-| HTTPS | TCP | Out | 443 | Access to Azure | Sensor | `*.azure-devices.net`<br> `*.blob.core.windows.net`<br> `*.servicebus.windows.net`|

-| HTTPS | TCP | Out | 443 | Remote sensor upgrades from the Azure portal | Sensor| `download.microsoft.com`|

-|**Defender for IoT data connector** | Displays Defender for IoT data in Microsoft Sentinel, supporting end-to-end SOC investigations for Defender for IoT alerts. | - OT and Enterprise IoT networks <br>- Cloud-connected sensors | Microsoft | [Integrate Microsoft Sentinel and Microsoft Defender for IoT](/azure/sentinel/iot-solution?tabs=use-out-of-the-box-analytics-rules-recommended) |

- | Trusted domains | To add a trusted domain, add the domain name and the connection type of a trusted domain. <br />You can configure trusted domains only for users who were defined under users. |

-|**E500** | [Dell Edge 5200](appliance-catalog/dell-edge-5200.md) <br> (Rugged MIL-STD-810G) | **Max bandwidth**: 1 Gbp/s<br>**Max devices**: 10,000 <br> 8 Cores/32G RAM/512GB | **Mounting**: Wall Mount<br>**Ports**: 3x RJ45 |

-|**OT networks** |**Sensor software version 22.2.6**: <br> - Bug fixes and stability improvements <br>- Enhancements to the device type classification algorithm<br><br>- **Microsoft Sentinel integration**: <br>- [Investigation enhancements with IOT device entities](#investigation-enhancements-with-iot-device-entities-in-microsoft-sentinel)<br>- [Updates to the Microsoft Defender for IoT solution](#updates-to-the-microsoft-defender-for-iot-solution-in-microsoft-sentinels-content-hub) |

-### Investigation enhancements with IOT device entities in Microsoft Sentinel

-1. Make sure that your physical appliance or VM can access the cloud using HTTP on port 443 to the following Microsoft domains:

- > You can also download and add the [Azure public IP ranges](https://www.microsoft.com/download/details.aspx?id=56519) so your firewall will allow the Azure domains that are specified above, along with their region.

-This tutorial describes how to set up your network for OT system security monitoring, using a virtual, cloud-connected sensor, on a virtual machine (VM), using a trial subscription of Microsoft Defender for IoT.

-## Verify cloud connections

-This tutorial describes how to create a cloud-connected sensor, connecting directly to the Defender for IoT on the cloud.

-Before continuing, make sure that your sensor can access the cloud using HTTP on port 443 to the following Microsoft domains:

-> [!TIP]

-> Defender for IoT supports other cloud-connection methods, including proxies or multi-cloud vendors. For more information, see [OT sensor cloud connection methods](architecture-connections.md), [Connect your OT sensors to the cloud](connect-sensors.md), [Cloud-connected vs local sensors](architecture.md#cloud-connected-vs-local-sensors).

->

-Updates from legacy versions may require a series of software updates. For example, if you still have a sensor version 3.1.1 installed, you'll need to first upgrade to version 10.5.5, and then to a 22.x version.

-1. On the **Software Update** pane on the right, select **Upload file**, and then navigate to and select your downloaded `legacy-sensor-secured-patcher-<Version number>.tar` file.

- Sign in when prompted, and then return to the **System Settings** > **Sensor management** > **Software Update** pane to confirm that the new version is listed.

-1. On the Azure portal, go to **Defender for IoT** > **Updates**. Under **Sensors**, select **Download** and save the file.

- Save your changes when you're finished selecting sensors to update.

-1. Expand the row for your sensor, select the options **...** menu on the right of the row, and then select **Prepare to update to 22.x**.

- :::image type="content" source="media/release-notes/workbooks.png" alt-text="Screenshot of the new Workbooks page." lightbox="media/release-notes/workbooks.png":::

-### Use modeling tools

-There are several sample projects available that you can use to simplify dealing with models and ontologies. They're located in this repository: [Tools for Digital Twins Definition Language (DTDL)](https://github.com/Azure/opendigitaltwins-tools).

-Here are some of the tools included in the sample repository:

-| Link to tool | Description |

-| | |

-| [Model uploader](https://github.com/Azure/opendigitaltwins-tools/tree/master/ADTTools#uploadmodels) | Once you're finished creating, extending, or selecting your models, you need to upload them to your Azure Digital Twins instance to make them available for use in your solution. However, if you have many models to uploadΓÇöor if they have many interdependencies that would make ordering individual uploads complicatedΓÇöyou can use this model uploader sample to upload many models at once. |

-| [Model visualizer](https://github.com/Azure/opendigitaltwins-tools/tree/master/AdtModelVisualizer) | Once you have uploaded models into your Azure Digital Twins instance, you can view the models in your Azure Digital Twins instance, including any inheritance and model relationships, using the model visualizer sample. This sample is currently in a draft state. We encourage the digital twins development community to extend and contribute to the sample. |

-> You can visualize the models in your ontology using the [Azure Digital Twins Explorer](concepts-azure-digital-twins-explorer.md) or [Azure Digital Twins Model Visualizer](https://github.com/Azure/opendigitaltwins-tools/tree/master/AdtModelVisualizer).

-> With online migrations of SQL Server to Azure SQL Database, migration of SQL_variant data types is not supported.

->[!NOTE]

-Azure Monitor has alerting that you can configure for each available metric value. See [Azure Monitor alerts](../azure-monitor/alerts/alerts-metric.md) for more information.

-> If you intend to use an alias record for the A or AAAA record types to point to an [Azure Traffic Manager profile](../traffic-manager/quickstart-create-traffic-manager-profile.md) you must make sure that the Traffic Manager profile has only [external endpoints](../traffic-manager/traffic-manager-endpoint-types.md#external-endpoints). You must provide the IPv4 or IPv6 address for external endpoints in Traffic Manager. You can't use fully-qualified domain names (FQDNs) in endpoints. Ideally, use static IP addresses.

-description: Learn how to create a DNS zone and record in Azure DNS. This is a step-by-step quickstart to create and manage your first DNS zone and record using Azure Resource Manager template (ARM template).

-When you no longer need the resources that you created with the DNS zone, delete the resource group. This removes the DNS zone and all the related resources.

-The following example creates a record with the relative name "www" in the DNS Zone "contoso.xyz" in the resource group "MyResourceGroup". The fully-qualified name of the record set is "www.contoso.xyz". The record type is "A", with IP address "10.10.10.10", and a default TTL of 3600 seconds (1 hour).

-When using `Set-AzDnsZone` with a $zone object, [Etag checks](dns-zones-records.md#etags) are used to ensure concurrent changes aren't overwritten. You can use the optional `-Overwrite` switch to suppress these checks.

-When using the `az network dns record-set <record-type> add-record` command, you need to specify the record getting deleted and the zone to delete from. These parameters are described in [Create a DNS record](#create-a-dns-record) and [Create records of other types](#create-records-of-other-types) above.

-When using `Set-AzDnsRecordSet`, [Etag checks](dns-zones-records.md#etags) are used to ensure concurrent changes aren't overwritten. You can use the optional `-Overwrite` switch to suppress these checks.

- - Ruleset name: Enter a name for your ruleset (ex: myruleset).

-When calling the Azure DNS REST API, you need to specify each TXT string separately. When using the Azure portal, PowerShell or CLI interfaces you should specify a single string per record, which is automatically divided into 255-character segments if necessary.

-description: This guide provides step by step instruction on how to migrate legacy private DNS zones to the latest resource model

-If you choose to secure your storage account with the **Firewalls and virtual networks** restrictions on **Selected networks**, be sure to enable the exception **Allow trusted Microsoft services...** so that HDInsight can access your storage account`.`

-A device model is defined by using the [DTDL](https://github.com/Azure/opendigitaltwins-dtdl) modeling language. This language lets you define:

-The JSON file that defines the device model uses the [Digital Twin Definition Language (DTDL) v2](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/dtdlv2.md).

-```:::image type="content" source="media/howto-create-custom-rules/event-hubs-namespace.png" alt-text="Screenshot of Event Hubs namespace." border="false":::

-```:::image type="content" source="media/howto-create-custom-rules/default-function.png" alt-text="Screenshot of Edit HTTP trigger function.":::

-```:::image type="content" source="media/howto-create-custom-rules/function-app-logs.png" alt-text="Function log output":::

-The device model section of a device template specifies the capabilities of a device you want to connect to your application. Capabilities include telemetry, properties, and commands. The model is defined using [DTDL](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/dtdlv2.md).

-For reference, the [Digital Twins Definition Language (DTDL)](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/dtdlv2.md) definitions for these capabilities look like the following snippet:

-The [model repository](./concepts-model-repository.md) is a store for model and interface definitions. You define models and interfaces using the [Digital Twins Definition Language (DTDL)](https://github.com/Azure/opendigitaltwins-dtdl).

-You describe the telemetry, properties, and commands that an IoT Plug and Play device implements with a [Digital Twins Definition Language v2 (DTDL)](https://github.com/Azure/opendigitaltwins-dtdl) _model_. There are two types of model referred to in this article:

-1. Create a [Digital Twins Definition Language (DTDL)](https://github.com/Azure/opendigitaltwins-dtdl) model to describe your device. To learn more, see [Understand components in IoT Plug and Play models](concepts-modeling-guide.md).

-An IoT Plug and Play device implements a model described by the [Digital Twins Definition Language (DTDL)](https://github.com/Azure/opendigitaltwins-dtdl) schema. A model describes the set of components, properties, commands, and telemetry messages that a particular device can have.

-IoT Plug and Play uses DTDL version 2. For more information about this version, see the [Digital Twins Definition Language (DTDL) - version 2](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/dtdlv2.md) specification on GitHub.

-The Digital Twins Definition Language (DTDL) is described in the [DTDL Specification](https://github.com/Azure/opendigitaltwins-dtdl). Users can use the _Digital Twins Model Parser_ NuGet package to validate and query a model defined in multiple files.

-The device models repository (DMR) enables device builders to manage and share IoT Plug and Play device models. The device models are JSON LD documents defined using the [Digital Twins Modeling Language (DTDL)](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/dtdlv2.md).

-To define a model, you use the Digital Twins Definition Language (DTDL). DTDL uses a JSON variant called [JSON-LD](https://json-ld.org/). The following snippet shows the model for a thermostat device that:

-Every IoT Plug and Play device has a model that describes the features and capabilities of the device. The model uses the [Digital Twin Definition Language (DTDL)](https://github.com/Azure/opendigitaltwins-dtdl/blob/master/DTDL/v2/dtdlv2.md) to describe the device capabilities.

-An IoT Plug and Play device implements a model described by [Digital Twins Definition Language v2 (DTDL)](https://github.com/Azure/opendigitaltwins-dtdl). Solution developers can use the **Update Digital Twin API** to update the state of component and the properties of the digital twin.

-To make IoT Plug and Play work with [Azure Digital Twins](../digital-twins/overview.md), you define models and interfaces using the [Digital Twins Definition Language (DTDL)](https://github.com/Azure/opendigitaltwins-dtdl). IoT Plug and Play and the DTDL are open to the community, and Microsoft welcomes collaboration with customers, partners, and industry. Both are based on open W3C standards such as JSON-LD and RDF, which enables easier adoption across services and tooling.

-A device is an IoT Plug and Play device if it publishes its model ID when it connects to an IoT hub and implements the properties and methods described in the Digital Twins Definition Language (DTDL) model identified by the model ID. To learn more about how devices use a DTDL and model ID, see [IoT Plug and Play developer guide](./concepts-developer-guide-device.md). Modules use model IDs and DTDL models in the same way.

- "interfaceId": "dtmi:azure:iot:deviceUpdate;1",

-Be aware that the message count value can be delayed by 1 minute, and that, for reasons having to do with the IoT Hub service infrastructure, the value can sometimes bounce between higher and lower values on refresh. This counter should only be incorrect for values accrued over the last minute.

-The information presented on the Overview pane is useful, but represents only a small amount of the monitoring data that is available for an IoT hub. Some monitoring data is collected automatically and is available for analysis as soon as you create your IoT hub. You can enable additional types of data collection with some configuration.

-Azure IoT Hub creates monitoring data using [Azure Monitor](../azure-monitor/overview.md), which is a full stack monitoring service in Azure that provides a complete set of features to monitor your Azure resources in addition to resources in other clouds and on-premises.

-The following sections build on this article by describing the specific data gathered for Azure IoT Hub and providing examples for configuring data collection and analyzing this data with Azure tools.

-## Monitoring data

-Azure IoT Hub collects the same kinds of monitoring data as other Azure resources that are described in [Monitoring data from Azure resources](../azure-monitor/essentials/monitor-azure-resource.md#monitoring-data).

-See [Monitoring Azure IoT Hub data reference](monitor-iot-hub-reference.md) for detailed information on the metrics and logs created by Azure IoT Hub.

-> [!IMPORTANT]

-> The events emitted by the IoT Hub service using Azure Monitor resource logs are not guaranteed to be reliable or ordered. Some events might be lost or delivered out of order. Resource logs also aren't meant to be real-time, and it may take several minutes for events to be logged to your choice of destination.

-## Collection and routing

-Platform metrics and the Activity log are collected and stored automatically, but can be routed to other locations by using a diagnostic setting.

-Resource logs are not collected and stored until you create a diagnostic setting and route them to one or more locations.

-Metrics and logs can be routed to several locations including:

-In Azure portal, you can select **Diagnostic settings** under **Monitoring** on the left-pane of your IoT hub followed by **Add diagnostic setting** to create diagnostic settings scoped to the logs and platform metrics emitted by your IoT hub.

-See [Create diagnostic setting to collect platform logs and metrics in Azure](../azure-monitor/essentials/diagnostic-settings.md) for the detailed process for creating a diagnostic setting using the Azure portal, CLI, or PowerShell. When you create a diagnostic setting, you specify which categories of logs to collect. The categories for Azure IoT Hub are listed under [Resource logs in the Monitoring Azure IoT Hub data reference](monitor-iot-hub-reference.md#resource-logs). Be aware that events are emitted only for errors in some categories.

-When routing IoT Hub platform metrics to other locations, be aware that:

-You can analyze metrics for Azure IoT Hub with metrics from other Azure services using metrics explorer by opening **Metrics** from the **Azure Monitor** menu. See [Getting started with Azure Metrics Explorer](../azure-monitor/essentials/metrics-getting-started.md) for details on using this tool.

-In Azure portal, you can select **Metrics** under **Monitoring** on the left-pane of your IoT hub to open metrics explorer scoped, by default, to the platform metrics emitted by your IoT hub:

-In Azure portal, you can select **Logs** under **Monitoring** on the left-pane of your IoT hub to perform Log Analytics queries scoped, by default, to the logs and metrics collected in Azure Monitor Logs for your IoT hub.

-All resource logs in Azure Monitor have the same fields followed by service-specific fields. The common schema is outlined in [Azure Monitor resource log schema](../azure-monitor/essentials/resource-logs-schema.md#top-level-common-schema). You can find the schema and categories of resource logs collected for Azure IoT Hub in [Resource logs in the Monitoring Azure IoT Hub data reference](monitor-iot-hub-reference.md#resource-logs). Be aware that events are emitted only for errors in some categories.

-The [Activity log](../azure-monitor/essentials/activity-log.md) is a platform log in Azure that provides insight into subscription-level events. You can view it independently or route it to Azure Monitor Logs, where you can do much more complex queries using Log Analytics.

-When routing IoT Hub platform metrics to Azure Monitor Logs, be aware that:

-For some common queries with IoT Hub, see [Sample Kusto queries](#sample-kusto-queries). For detailed information on using Log Analytics queries, see [Overview of log queries in Azure Monitor](../azure-monitor/logs/log-query-overview.md).

-Some operations in IoT Hub resource logs return an `sdkVersion` property in their `properties` object. For these operations, when a device or backend app is using one of the Azure IoT SDKs, this property contains information about the SDK being used, the SDK version, and the platform on which the SDK is running. The following example shows the `sdkVersion` property emitted for a [`deviceConnect`](monitor-iot-hub-reference.md#connections) operation when using the Node.js device SDK: `"azure-iot-device/1.17.1 (node v10.16.0; Windows_NT 10.0.18363; x64)"`. Here's an example of the value emitted for the .NET (C#) SDK: `".NET/1.21.2 (.NET Framework 4.8.4200.0; Microsoft Windows 10.0.17763 WindowsProduct:0x00000004; X86)"`.

-> [!IMPORTANT]

-> When you select **Logs** from the IoT hub menu, Log Analytics is opened with the query scope set to the current IoT hub. This means that log queries will only include data from that resource. If you want to run a query that includes data from other IoT hubs or data from other Azure services, select **Logs** from the **Azure Monitor** menu. See [Log query scope and time range in Azure Monitor Log Analytics](../azure-monitor/logs/scope.md) for details.

-Following are queries that you can use to help you monitor your IoT hub.

-After you set up event logging through diagnostics settings, you can create applications that read out the logs so that you can take action based on the information in them. This sample code retrieves logs from an event hub:

-When creating an alert rule based on platform metrics, be aware that for IoT Hub platform metrics that are collected in units of count, some aggregations may not be available or usable. To learn more, see [Supported aggregations in the Monitoring Azure IoT Hub data reference](monitor-iot-hub-reference.md#supported-aggregations).

-Azure Monitor provides a metric, *Connected devices*, that you can use to monitor the number of devices connected to your IoT Hub and trigger an alert when number of connected devices drops below a threshold value. Azure Monitor also emits events in the [connections category](monitor-iot-hub-reference.md#connections) that you can use to monitor device connects, disconnects, and connection errors. While these may be sufficient for some scenarios, [Azure Event Grid](../event-grid/index.yml) provides a low-latency, per-device monitoring solution that you can use to track device connections for critical devices and infrastructure.

-With Event Grid, you can subscribe to the IoT Hub [**DeviceConnected** and **DeviceDisconnected** events](iot-hub-event-grid.md#event-types) to trigger alerts and monitor device connection state. Event Grid provides much lower event latency than Azure Monitor, and you can monitor on a per-device basis, rather than for the total number of connected devices. These factors make Event Grid the preferred method for monitoring connections for critical devices and infrastructure. We highly recommend using Event Grid to monitor device connections in production environments.

-For more detailed information about monitoring device connectivity with Event Grid and Azure Monitor, see [Monitor, diagnose, and troubleshoot device connectivity to Azure IoT Hub](iot-hub-troubleshoot-connectivity.md).

-> Full restore is a very destructive and disruptive operation. Therefore it is mandatory to have completed a full backup within last 30 minutes before a `restore` operation can be performed.

-A resource group is a logical container into which Azure resources are deployed and managed. Use the Azure PowerShell [New-AzResourceGroup](/powershell/module/az.resources/new-azresourcegroup) cmdlet to create a resource group named *myResourceGroup* in the *westus3* location.

-New-AzResourceGroup -Name "myResourceGroup" -Location "westus3"

-New-AzKeyVaultManagedHsm -Name "<your-unique-managed-hsm-name>" -ResourceGroupName "myResourceGroup" -Location "westus3" -Administrator "<your-principal-ID>"

-Azure Labs Services allows educators (teachers, professors, trainers, or teaching assistants, etc.) to quickly and easily create an online lab to provision pre-configured learning environments for the trainees. Each trainee would be able use identical and isolated environments for the training. Policies can be applied to ensure that the training environments are available to each trainee only when they need them and contain enough resources - such as virtual machines - required for the training.

-| `secrets.value` | string | | URI for the Azure Key Vault secret. |

- value: https://akv-contoso.vault.azure.net/secrets/MySecret

-Learn how to build [automated regression testing in your CI/CD workflow](tutorial-cicd-azure-pipelines.md).

-In addition to customer-managed keys, Azure Machine Learning also provides a [hbi_workspace flag](/python/api/azureml-core/azureml.core.workspace%28class%29#create-name--auth-none--subscription-id-none--resource-group-none--location-none--create-resource-group-true--sku--basicfriendly-name-none--storage-account-none--key-vault-none--app-insights-none--container-registry-none--cmk-keyvault-none--resource-cmk-uri-none--hbi-workspace-false--default-cpu-compute-target-none--default-gpu-compute-target-none--exist-ok-false--show-output-true-). Enabling this flag reduces the amount of data Microsoft collects for diagnostic purposes and enables [extra encryption in Microsoft-managed environments](../security/fundamentals/encryption-atrest.md). This flag also enables the following behaviors:

-* See the Python SDK reference documentation for the [environment class](/python/api/azureml-core/azureml.core.environment%28class%29).

- > * AzureKeyVault.region is only needed if your workspace was created with the [hbi_workspace](/python/api/azureml-core/azureml.core.workspace%28class%29#create-name--auth-none--subscription-id-none--resource-group-none--location-none--create-resource-group-true--sku--basicfriendly-name-none--storage-account-none--key-vault-none--app-insights-none--container-registry-none--cmk-keyvault-none--resource-cmk-uri-none--hbi-workspace-false--default-cpu-compute-target-none--default-gpu-compute-target-none--exist-ok-false--show-output-true-) flag enabled.

-> * The host for __Azure Key Vault__ is only needed if your workspace was created with the [hbi_workspace](/python/api/azureml-core/azureml.core.workspace%28class%29#create-name--auth-none--subscription-id-none--resource-group-none--location-none--create-resource-group-true--sku--basicfriendly-name-none--storage-account-none--key-vault-none--app-insights-none--container-registry-none--cmk-keyvault-none--resource-cmk-uri-none--hbi-workspace-false--default-cpu-compute-target-none--default-gpu-compute-target-none--exist-ok-false--show-output-true-) flag enabled.

-Learn more about [cloning Git repositories into your workspace file system](concept-train-model-git-integration.md#clone-git-repositories-into-your-workspace-file-system).

-Azure Machine Learning workspaces have a four built-in roles that are available by default. When adding users to a workspace, they can be assigned one of the built-in roles described below.

- 2. [Add a group owner](../active-directory/fundamentals/active-directory-accessmanagement-managing-group-owners.md). This user has permissions to add or remove group members. Note that the group owner is not required to be group member, or have direct RBAC role on the workspace.

-If you anticipate that you will need to recreate complex role assignments, an Azure Resource Manager template can be a big help. The [machine-learning-dependencies-role-assignment template](https://github.com/Azure/azure-quickstart-templates/tree/master//quickstarts/microsoft.machinelearningservices/machine-learning-dependencies-role-assignment) shows how role assignments can be specified in source code for reuse.

- primary_metric="mean_average_precision",

-* The [Azure Machine Learning Python SDK](/python/api/overview/azure/ml/install) or [Azure CLI extension for machine learning v1](reference-azure-machine-learning-cli.md).

-* The [Azure CLI extension for Machine Learning service (v2)](reference-azure-machine-learning-cli.md), [Azure Machine Learning Python SDK](/python/api/overview/azure/ml/intro), or the [Azure Machine Learning Visual Studio Code extension](how-to-setup-vs-code.md).

-You can also configure several advanced properties when you create Azure Machine Learning Compute. The properties allow you to create a persistent cluster of fixed size, or within an existing Azure Virtual Network in your subscription. See the [AmlCompute class](/python/api/azureml-core/azureml.core.compute.amlcompute.amlcompute) for details.

-In this article, learn how to create and manage Azure Machine Learning [environments](/python/api/azureml-core/azureml.core.environment.environment) in the Azure Machine Learning studio. Use the environments to track and reproduce your projects' software dependencies as they evolve.

- * **how-to-use-azureml > track-and-monitor-experiments > tensorboard > export-run-history-to-tensorboard > export-run-history-to-tensorboard.ipynb**

- * **how-to-use-azureml > track-and-monitor-experiments > tensorboard > tensorboard > tensorboard.ipynb**

-description: Migrate data management from v1 to v2 of Azure Machine Learning SDK

-# Migrate data management from SDK v1 to v2

-description: Migrate model management from v1 to v2 of Azure Machine Learning SDK

-# Migrate model management from SDK v1 to SDK v2

-description: Migrate how to run a script from SDK v1 to SDK v2

-# Migrate script run from SDK v1 to SDK v2

-To migrate, you'll need to change your code for submitting jobs to SDK v2. What you run _within_ the job doesn't need to be migrated to SDK v2. However, it's recommended to remove any code specific to Azure ML from your model training scripts. This separation allows for an easier transition between local and cloud and is considered best practice for mature MLOps. In practice, this means removing `azureml.*` lines of code. Model logging and tracking code should be replaced with MLflow. For more details, see [how to use MLflow in v2](how-to-use-mlflow-cli-runs.md).

-description: Migrate deployment endpoints from v1 to v2 of Azure Machine Learning SDK

-# Migrate deployment endpoints from SDK v1 to SDK v2

-# Migrate AutoML from SDK v1 to SDK v2

-description: Migrate from v1 to v2 of Azure Machine Learning SDK

-# Migrate hyperparameter tuning from SDK v1 to SDK v2

-description: Migrate parallel run step from v1 to v2 of Azure Machine Learning SDK

-# Migrate parallel run step from SDK v1 to SDK v2

-To migrate your current sdk v1 parallel run step to v2, you'll need to

-description: Migrate pipelines from v1 to v2 of Azure Machine Learning SDK

-# Migrate pipelines from SDK v1 to SDK v2

-description: Migrate local runs from v1 to v2 of Azure Machine Learning SDK

-# Migrate local runs from SDK v1 to SDK v2

-description: Migrate compute management from v1 to v2 of Azure Machine Learning SDK

-# Migrate compute management from SDK v1 to v2

-description: Migrate datastore management from v1 to v2 of Azure Machine Learning SDK

-# Migrate datastore management from SDK v1 to SDK v2

-description: Migrate workspace management from v1 to v2 of Azure Machine Learning SDK

-# Migrate workspace management from SDK v1 to SDK v2

- - Learn how to clone sample notebooks in [Tutorial: Train and deploy a model](../tutorial-train-deploy-notebook.md).

- - Clone the **how-to-use-azureml** folder instead of **tutorials**

-1. Select the **Open terminal** tool to open a terminal window.

- :::image type="content" source="media/tutorial-train-deploy-notebook/open-terminal.png" alt-text="Screenshot: Open terminal from Notebooks section.":::

-1. On the top bar, select the compute instance you created during the [Quickstart: Get started with Azure Machine Learning](../quickstart-create-resources.md) to use if it's not already selected. Start the compute instance if it is stopped.

-1. In the terminal window, clone the MachineLearningNotebooks repository:

- ```bash

- git clone --depth 1 https://github.com/Azure/MachineLearningNotebooks

- ```

-1. If necessary, refresh the list of files with the **Refresh** tool to see the newly cloned folder under your user folder.

-1. Open the **MachineLearningNotebooks** folder that was cloned into your **Files** section.

-1. Select the **quickstart-azureml-in-10mins.ipynb** file from your **MachineLearningNotebooks/tutorials/compute-instance-quickstarts/quickstart-azureml-in-10mins** folder.

-3. Add Azure AD Admin. It can be Azure AD Users, Groups or security principles, which will have access to Azure Database for MySQL flexible server.

-User-managed identities are required for Azure Active Directory authentication. When a User-Assigned Identity is linked to the flexible server, the Managed Identity Resource Provider (MSRP) issues a certificate internally to that identity, and when the managed identity is deleted, the corresponding service principal is automatically removed. The service then uses the managed identity to request access tokens for services that support Azure AD authentication. Only a User-assigned Managed Identity (UMI) is currently supported by Azure Database for MySQL-Flexible Server. For more information, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) in Azure. Azure takes care of rolling the credentials that are used by the service instance.

-3. A JSON Web Token (JWT) access token is returned by Azure AD.

-4. Your application sends the access token on a call to Azure Database for MySQL flexible server.

-These permissions should be granted before you provision a logical server or managed instance. After you grant the permissions to the UMI, they're enabled for all servers or instances that are created with the UMI assigned as a server identity.

-To create a new Azure AD database user, you must connect as the Azure AD administrator. This is demonstrated in Configure and Login with Azure AD for Azure Database for MySQL.

-Data encryption with CMKs is set at the server level. For a given server, a CMK, called the key encryption key (KEK), is used to encrypt the data encryption key (DEK) used by the service. The KEK is an asymmetric key stored in a customer-owned and customer-managed [Azure Key Vault instance](../../key-vault/general/security-features.md). Key Vault is highly available and scalable secure storage for RSA cryptographic keys, optionally backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs). Key Vault doesn't allow direct access to a stored key, but instead provides encryption/decryption services using the key to the authorized entities. The key can be generated by the key vault, imported, or [transferred to the key vault from an on-premises HSM device](../../key-vault/keys/hsm-protected-keys.md).

-## Terminology and description

-**Data encryption key (DEK)**: A symmetric AES256 key used to encrypt a partition or block of data. Encrypting each block of data with a different key makes crypto analysis attacks more difficult. Access to DEKs is needed by the resource provider or application instance that is encrypting and decrypting a specific block. When you replace a DEK with a new key, only the data in its associated block must be re-encrypted with the new key.

-**Key encryption key (KEK)**: An encryption key used to encrypt the DEKs. A KEK that never leaves Key Vault allows the DEKs themselves to be encrypted and controlled. The entity that has access to the KEK might be different than the entity that requires the DEK. Since the KEK is required to decrypt the DEKs, the KEK is effectively a single point by which DEKs can be effectively deleted by deletion of the KEK. The DEKs, encrypted with the KEKs, are stored separately. Only an entity with access to the KEK can decrypt these DEKs. For more information, see [Security in encryption rest](../../security/fundamentals/encryption-atrest.md).

-**Requirements for configuring data encryption for Azure Database for MySQL Flexible server**

- | Password | your password | Click **Store in Vault...** button to save the password. |

-3. Click **Test Connection** to test if all parameters are correctly configured.

-4. Click **OK** to save the connection.

-5. In the listing of **MySQL Connections**, click the tile corresponding to your server, and then wait for the connection to be established.

-2. To run the sample SQL Code, click the lightening bolt icon in the toolbar of the **SQL File** tab.

-Only an Azure AD Admin user can create/enable users for Azure AD-based authentication. To create an Azure AD Admin user, please follow the following steps.

- - MySQL authentication only ΓÇô By default, MySQL uses the built-in mysql_native_password authentication plugin, which performs authentication using the native password hashing method

- - Azure Active Directory authentication only ΓÇô Only allows authentication with an Azure AD account. Disables mysql_native_password authentication and turns _ON_ the server parameter **aad_auth_only**

- - MySQL and Azure Active Directory authentication ΓÇô Allows authentication using a native MySQL password or an Azure AD account. Turns _OFF_ the server parameter **aad_auth_only**

-These permissions should be granted before you provision a logical server or managed instance. After you grant the permissions to the UMI, they're enabled for all servers or instances that are created with the UMI assigned as a server identity.

-```

-* In the username field, enter the MySQL Azure Active Directory administrator name and append this with MySQL server name, not the FQDN e.g. user@tenant.onmicrosoft.com@

-# Best practices for server operations on Azure Database for MySQL -Single server

-Azure Database for MySQL Single Server successfully completed the root certificate change on **February 15, 2021 (02/15/2021)** as part of standard maintenance and security best practices. This article gives you more details about the changes, the resources affected, and the steps needed to ensure that your application maintains connectivity to your database server.

-> Please don't drop or alter **Baltimore certificate** until the cert change is made. We'll send a communication after the change is done, and then it will be safe to drop the **Baltimore certificate**.

- No actions are required if you aren't using SSL/TLS.

-#### If I create a new server after February 15, 2021 (02/15/2021), will I be impacted?

-For servers created after February 15, 2021 (02/15/2021), you will continue to use the [BaltimoreCyberTrustRoot](https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem) for your applications to connect using SSL.