-## May 2023

-### New articles

-### Updated articles

-| [Registration campaign](how-to-mfa-registration-campaign.md) | From Sept 25 to Oct 20, 2023, the Microsoft managed value for the registration campaign will change to Enabled for text message and voice call users across all tenants. |

->In March 2023, we announced the deprecation of managing authentication methods in the legacy multifactor authentication and self-service password reset (SSPR) policies. Beginning September 30, 2024, authentication methods can't be managed in these legacy MFA and SSPR policies. We recommend customers use the manual migration control to migrate to the Authentication methods policy by the deprecation date.

-| AADSTS70043 | The refresh token has expired or is invalid due to sign-in frequency checks by Conditional Access. The token was issued on {issueDate} and the maximum allowed lifetime for this request is {time}. |

- --image UbuntuLTS \

-## June 2023

-### New articles

-### Updated articles

-## June 2023

-### Updated articles

-description: Instructions about how to manage Microsoft Entra groups and group membership.

-Before changing instances of Azure AD in your documentation or content, familiarize yourself with the guidance in [New name for Azure AD](new-name.md) to:

-1. If a punctuation mark follows "Azure Active Directory (Azure AD), Azure Active Directory, Azure AD, AAD," replace with 'Microsoft Entra ID' because that's the product name.

-1. If `Azure Active Directory (Azure AD)`, `Azure Active Directory`, `Azure AD`, `AAD` is followed by `for`, `Premium`, `Plan`, `P1`, or `P2`, replace with `Microsoft Entra ID` because it refers to a SKU name or Service Plan.

-1. If `Azure Active Directory (Azure AD)`, `Azure Active Directory`, `Azure AD`, `AAD` is followed by an adjective or noun not in the previous steps, then replace with `Microsoft Entra` because it's a feature name. For example,"Azure AD Conditional Access" becomes "Microsoft Entra Conditional Access," while "Azure AD tenant" becomes "Microsoft Entra tenant."

-1. Otherwise, replace `Azure Active Directory (Azure AD)`, `Azure Active Directory`, `Azure AD`, `AAD` with `Microsoft Entra ID`

-1. Replace titles or text containing `Azure Active Directory (Azure AD)`, `Azure Active Directory`, `Azure AD`, `AAD` with `Microsoft Entra ID`.

- @{ Key = 'Azure AD SSPR'; Value = 'Microsoft Entra SSPR' },

- @{ Key = 'Microsoft Entra IDvanced Threat'; Value = 'Azure Advanced Threat' }

- @{ Key = 'DownloMicrosoft Entra Connector'; Value = 'Download connector' }

-# Get all resx and resjson files in the current directory and its subdirectories, ignoring .gitignored files.

-Write-Host "Getting all resx and resjson files in the current directory and its subdirectories, ignoring .gitignored files."

-$targetFiles = Get-ChildItem -Path . -Include *.resx, *.resjson -Recurse

-# This command will get all the files with the extensions .resx and .resjson in the current directory and its subdirectories, and then filter out those that match the patterns in the .gitignore file. The Resolve-Path cmdlet will find the full path of the .gitignore file, and the Get-Content cmdlet will read its content as a single string. The -notmatch operator will compare the full name of each file with the .gitignore content using regular expressions, and return only those that do not match.

-To communicate the multicloud, multiplatform functionality of the products, alleviate confusion with Windows Server Active Directory, and unify the [Microsoft Entra](/entra) product family, the new name for Azure Active Directory (Azure AD) is Microsoft Entra ID.

-Microsoft Entra helps you protect all identities and secure network access everywhere. The expanded product family includes:

-In addition to the capabilities they already have, Microsoft 365 E5 customers also get access to new identity protection capabilities like token protection, Conditional Access based on GPS-based location and step-up authentication for the most sensitive actions. Microsoft 365 E5 includes Microsoft Entra P2, currently known as Azure AD Premium P2.

-[Gainsight SAML](../saas-apps/gainsight-saml-tutorial.md), [Dataddo](https://www.dataddo.com/), [Puzzel](https://www.puzzel.com/), [Worthix App](../saas-apps/worthix-app-tutorial.md), [iOps360 IdConnect](https://iops360.com/iops360-id-connect-azuread-single-sign-on/), [Airbase](../saas-apps/airbase-tutorial.md), [Couchbase Capella - SSO](../saas-apps/couchbase-capella-sso-tutorial.md), [SSO for Jama Connect®](../saas-apps/sso-for-jama-connect-tutorial.md), [mediment (メディメント)](https://mediment.jp/), [Netskope Cloud Exchange Administration Console](../saas-apps/netskope-cloud-exchange-administration-console-tutorial.md), [Uber](../saas-apps/uber-tutorial.md), [Plenda](https://app.plenda.nl/), [Deem Mobile](../saas-apps/deem-mobile-tutorial.md), [40SEAS](https://www.40seas.com/), [Vivantio](https://www.vivantio.com/), [AppTweak](https://www.apptweak.com/), [ioTORQ EMIS](https://www.iotorq.com/), [Vbrick Rev Cloud](../saas-apps/vbrick-rev-cloud-tutorial.md), [OptiTurn](../saas-apps/optiturn-tutorial.md), [Application Experience with Mist](https://www.mist.com/), [クラウド勤怠管理システムKING OF TIME](../saas-apps/cloud-attendance-management-system-king-of-time-tutorial.md), [Connect1](../saas-apps/connect1-tutorial.md), [DB Education Portal for Schools](../saas-apps/db-education-portal-for-schools-tutorial.md), [SURFconext](../saas-apps/surfconext-tutorial.md), [Chengliye Smart SMS Platform](../saas-apps/chengliye-smart-sms-platform-tutorial.md), [CivicEye SSO](../saas-apps/civic-eye-sso-tutorial.md), [Colloquial](../saas-apps/colloquial-tutorial.md), [BigPanda](../saas-apps/bigpanda-tutorial.md), [Foreman](https://foreman.mn/)

-You can also retrieve assignments in an access package using Microsoft Graph. A user in an appropriate role with an application that has the delegated `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can call the API to [list accessPackageAssignments](/graph/api/entitlementmanagement-list-accesspackageassignments?view=graph-rest-beta&preserve-view=true). While an identity governance administrator can retrieve access packages from multiple catalogs, if user or application service principal is assigned only to catalog-specific delegated administrative roles, the request must supply a filter to indicate a specific access package, such as: `$filter=accessPackage/id eq 'a914b616-e04e-476b-aa37-91038f0b165b'`. An application that has the application permission `EntitlementManagement.Read.All` or `EntitlementManagement.ReadWrite.All` permission can also use this API to retrieve assignments across all catalogs.

-You can perform this query in PowerShell with the `Get-MgEntitlementManagementAssignment` cmdlet from the [Microsoft Graph PowerShell cmdlets for Identity Governance](https://www.powershellgallery.com/packages/Microsoft.Graph.Identity.Governance/) module version 2.1.x or later module version. This script illustrates using the Microsoft Graph PowerShell cmdlets module version 2.4.0. This cmdlet takes as a parameter the access package ID, which is included in the response from the `Get-MgEntitlementManagementAccessPackage` cmdlet.

-$accesspackage = Get-MgEntitlementManagementAccessPackage -Filter "displayname eq 'Marketing Campaign'" -ExpandProperty assignmentpolicies

-This document explains how to set up synchronization from on-premises Microsoft Entra Connect cloud sync and Microsoft Entra Connect for the required attributes.

-> There's no corresponding EmployeeHireDate or EmployeeLeaveDateTime attribute in Active Directory. If you're importing from on-premises AD, you'll need to identify an attribute in AD that can be used. This attribute must be a string.

- > The number, and name, of source attributes added will depend on which attributes you are syncing.

-To learn how to configure the admin consent workflow, see [configure-admin-consent-workflow.md](configure-admin-consent-workflow.md).

- -image CentOS

-Groups can be role-assignable or non-role-assignable. The group can be enabled in PIM for Groups or not enabled in PIM for Groups. These are independent properties of the group. Any Microsoft Entra security group and any Microsoft 365 group (except dynamic groups and groups synchronized from on-premises environment) can be enabled in PIM for Groups. The group doesn't have to be role-assignable group to be enabled in PIM for Groups.

-# Learn about the identity logs you can stream to an endpoint

-Using Diagnostic settings in Microsoft Entra ID, you can route activity logs to several endpoints for long term retention and data insights. You select the logs you want to route, then select the endpoint.

-This article describes the logs that you can route to an endpoint from Microsoft Entra Diagnostic settings.

-## Prerequisites

-Setting up an endpoint, such as an event hub or storage account, may require different roles and licenses. To create or edit a new Diagnostic setting, you need a user who's a **Security Administrator** or **Global Administrator** for the Microsoft Entra tenant.

-To help decide which log routing option is best for you, see [How to access activity logs](howto-access-activity-logs.md). The overall process and requirements for each endpoint type are covered in the following articles.

-The following logs can be sent to an endpoint. Some logs may be in public preview but still visible in the portal.

-The `MicrosoftGraphActivityLogs` logs are associated with a feature that is still in private preview. The logs are visible in Microsoft Entra ID, but selecting these options won't add new logs to your workspace unless your organization was included in the private preview.

-Previously, some non-interactive sign-ins from Microsoft Exchange clients were included in the interactive user sign-in log for better visibility. This increased visibility was necessary before the non-interactive user sign-in logs were introduced in November 2020. However, it's important to note that some non-interactive sign-ins, such as those using FIDO2 keys, may still be marked as interactive due to the way the system was set up before the separate non-interactive logs were introduced. These sign-ins may display interactive details like client credential type and browser information, even though they are technically non-interactive sign-ins.

-Microsoft Entra ID issues tokens for authentication and authorization. In some situations, a user who is signed in to the Contoso tenant may try to access resources in the Fabrikam tenant, where they don't have access. A no-authorization token, called a passthrough token, is issued to the Fabrikam tenant. The passthrough token doesn't allow the user to access any resources.

-Non-interactive sign-ins are done *on behalf of a* user. These sign-ins were performed by a client app or OS components on behalf of a user and don't require the user to provide an authentication factor. Instead, Microsoft Entra ID recognizes when the user's token needs to be refreshed and does so behind the scenes, without interrupting the user's session. In general, the user perceives these sign-ins as happening in the background.

-When Microsoft Entra ID logs multiple sign-ins that are identical other than time and date, those sign-ins are from the same entity and are aggregated into a single row. A row with multiple identical sign-ins (except for date and time issued) has a value greater than 1 in the *# sign-ins* column. These aggregated sign-ins may also appear to have the same time stamps. The **Time aggregate** filter can set to 1 hour, 6 hours, or 24 hours. You can expand the row to see all the different sign-ins and their different time stamps.

-The last sign-in date and time shown on this tile may take up to 6 hours to update, which means the date and time may not be current. If you need to see the activity in near real time, select the **See all sign-ins** link on the **Sign-ins** tile to view all sign-in activity for that user.

-> | [Usage Summary Reports Reader](#usage-summary-reports-reader) | Can see only tenant level aggregates in Microsoft 365 Usage Analytics and Productivity Score. | 75934031-6c7e-415a-99d7-48dbd49e875e |

-Users with this role can access tenant level aggregated data and associated insights in Microsoft 365 admin center for Usage and Productivity Score but cannot access any user level details or insights. In Microsoft 365 admin center for the two reports, we differentiate between tenant level aggregated data and user level details. This role gives an extra layer of protection on individual user identifiable data, which was requested by both customers and legal teams.

-## FarmBeats

-## API Management

-### Hostname certificate rotation failed

-API Management service failed to refresh hostname certificate from Key Vault. Ensure that certificate exists in Key Vault and API Management service identity is granted secret read access. Otherwise, API Management service will not be able to retrieve certificate updates from Key Vault, which may lead to the service using stale certificate and runtime API traffic being blocked as a result.

-Learn more about [Api Management - HostnameCertRotationFail (Hostname certificate rotation failed)](https://aka.ms/apimdocs/customdomain).

-SSL/TLS renegotiation attempt blocked. Renegotiation happens when a client certificate is requested over an already established connection. When it is blocked, reading 'context.Request.Certificate' in policy expressions will return 'null'. To support client certificate authentication scenarios, enable 'Negotiate client certificate' on listed hostnames. For browser-based clients, enabling this option might result in a certificate prompt being presented to the client.

-Learn more about [Api Management - TlsRenegotiationBlocked (SSL/TLS renegotiation blocked)](../api-management/api-management-howto-mutual-certificates-for-clients.md).

-We have identified that you are using standard disks with your premium-capable Virtual Machines and we recommend you consider upgrading the standard disks to premium disks. For any Single Instance Virtual Machine using premium storage for all Operating System Disks and Data Disks, we guarantee you will have Virtual Machine Connectivity of at least 99.9%. Consider these factors when making your upgrade decision. The first is that upgrading requires a VM reboot and this process takes 3-5 minutes to complete. The second is if the VMs in the list are mission-critical production VMs, evaluate the improved availability against the cost of premium disks.

-In order for a session host to deploy and register to Azure Virtual Desktop properly, you need to add a set of URLs to allowed list in case your virtual machine runs in restricted environment. After visiting the "Learn More" link, you will be able to see the minimum list of URLs you need to unblock to have a successful deployment and functional session host. For specific URL(s) missing from allowed list, you may also search Application event log for event 3702.

-> Additional regions will incur extra costs.

-You have recently invoked the Azure Fluid Relay service with an old client library. Your Azure Fluid Relay client library should now be upgraded to the latest version to ensure your application remains operational. Upgrading will provide the most up-to-date functionality, as well as enhancements in performance and stability. For more information on the latest version to use and how to upgrade, please refer to the article.

-Starting July 1, 2020, customers will not be able to create new Kafka clusters with Kafka 1.1 on HDInsight 4.0. Existing clusters will run as is without support from Microsoft. Consider moving to Kafka 2.1 on HDInsight 4.0 by June 30 2020 to avoid potential system/support interruption.

-Starting July 1, 2020, customers will not be able to create new Spark clusters with Spark 2.1 and 2.2 on HDInsight 3.6, and Spark 2.3 on HDInsight 4.0. Existing clusters will run as is without support from Microsoft.

-HDInsight service is applying an important certificate related update to your cluster. However, one or more policies in your subscription are preventing HDInsight service from creating or modifying network resources (Load balancer, Network Interface and Public IP address) associated with your clusters and applying this update. Take actions to allow HDInsight service to create or modify network resources (Load balancer, Network interface and Public IP address) associated with your clusters before Jan 13, 2021 05:00 PM UTC. The HDInsight team will be performing updates between Jan 13, 2021 05:00 PM UTC and Jan 16, 2021 05:00 PM UTC. Failure to apply this update may result in your clusters becoming unhealthy and unusable.

-The HDInsight service has attempted to apply a critical certificate update on all your running clusters. However, one or more policies in your subscription are preventing HDInsight service from creating or modifying network resources (Load balancer, Network Interface and Public IP address) associated with your clusters and applying this update. Remove or update your policy assignment to allow HDInsight service to create or modify network resources (Load balancer, Network interface and Public IP address) associated with your clusters before Jan 21, 2021 05:00 PM UTC. The HDInsight team will be performing updates between Jan 21, 2021 05:00 PM UTC and Jan 23, 2021 05:00 PM UTC. To verify the policy update, you can try to create network resources (Load balancer, Network interface and Public IP address) in the same resource group and Subnet where your cluster is in. Failure to apply this update may result in your clusters becoming unhealthy and unusable. You can also drop and recreate your cluster before Jan 25th, 2021 to prevent the cluster from becoming unhealthy and unusable. The HDInsight service will send another notification if we failed to apply the update to your clusters.

-You're receiving this notice because you have one or more active A8, A9, A10 or A11 HDInsight cluster. The A8-A11 virtual machines (VMs) will be retired in all regions on 1 March 2021. After that date, all clusters using A8-A11 will be deallocated. Migrate your affected clusters to another HDInsight supported VM (https://azure.microsoft.com/pricing/details/hdinsight/) before that date. For more details, see 'Learn More' link or contact us at askhdinsight@microsoft.com

-Deploying two or more medium or large sized instances will ensure business continuity during outages caused by planned or unplanned maintenance.

-For geographic routing, traffic is routed to endpoints based on defined regions. When a region fails, there is no pre-defined failover. Having an endpoint where the Regional Grouping is configured to "All (World)" for geographic profiles will avoid traffic black holing and guarantee service remains available.

-All endpoints associated to this proximity profile are in the same region. Users from other regions may experience long latency when attempting to connect. Adding or moving an endpoint to another region will improve overall performance for proximity routing and provide better availability in case all endpoints in one region fail.

-Try to avoid overriding the hostname when configuring Application Gateway. Having a different domain on the frontend of Application Gateway than the one which is used to access the backend can potentially lead to cookies or redirect urls being broken. Note that this might not be the case in all situations and that certain categories of backends (like REST API's) in general are less sensitive to this. Make sure the backend is able to deal with this or update the Application Gateway configuration so the hostname does not need to be overwritten towards the backend. When used with App Service, attach a custom domain name to the Web App and avoid use of the `*.azurewebsites.net` host name towards the backend.

-### Azure WAF RuleSet CRS 3.1/3.2 has been updated with log4j2 vulnerability rule

-In response to log4j2 vulnerability (CVE-2021-44228), Azure Web Application Firewall (WAF) RuleSet CRS 3.1/3.2 has been updated on your Application Gateway to help provide additional protection from this vulnerability. The rules are available under Rule 944240 and no action is needed to enable this.

-### Additional protection to mitigate Log4j2 vulnerability (CVE-2021-44228)

-To mitigate the impact of Log4j2 vulnerability, we recommend these steps:

-1) Upgrade Log4j2 to version 2.15.0 on your backend servers. If upgrade isn't possible, follow the system property guidance link below.

-In active-active configuration, both instances of the VPN gateway will establish S2S VPN tunnels to your on-premises VPN device. When a planned maintenance or unplanned event happens to one gateway instance, traffic will be switched over to the other active IPsec tunnel automatically.

-You are close to exceeding storage quota of 2GB. Create a Standard search service. Indexing operations will stop working when storage quota is exceeded.

-You are close to exceeding storage quota of 50MB. Create a Basic or Standard search service. Indexing operations will stop working when storage quota is exceeded.

-You are close to exceeding your available storage quota. Add additional partitions if you need more storage. After exceeding storage quota, you can still query, but indexing operations will no longer work.

-[Azure AI services](./what-are-ai-services.md) is a group of services, each supporting different, generalized prediction capabilities. The services are divided into different categories to help you find the right service.

-|Service category|Purpose|

-|--|--|

-|[Decision](https://azure.microsoft.com/services/cognitive-services/directory/decision/)|Build apps that surface recommendations for informed and efficient decision-making.|

-|[Language](https://azure.microsoft.com/services/cognitive-services/directory/lang/)|Allow your apps to process natural language with pre-built scripts, evaluate sentiment and learn how to recognize what users want.|

-|[Search](https://azure.microsoft.com/services/cognitive-services/directory/search/)|Add Bing Search APIs to your apps and harness the ability to comb billions of webpages, images, videos, and news with a single API call.|

-|[Speech](https://azure.microsoft.com/services/cognitive-services/directory/speech/)|Convert speech into text and text into natural-sounding speech. Translate from one language to another and enable speaker verification and recognition.|

-|[Vision](https://azure.microsoft.com/services/cognitive-services/directory/vision/)|Recognize, identify, caption, index, and moderate your pictures, videos, and digital ink content.|

-## How is Azure Cognitive Search related to Azure AI services?

-[Azure Cognitive Search](../search/search-what-is-azure-search.md) is a separate cloud search service that optionally uses Azure AI services to add image and natural language processing to indexing workloads. Azure AI services is exposed in Azure Cognitive Search through [built-in skills](../search/cognitive-search-predefined-skills.md) that wrap individual APIs. You can use a free resource for walkthroughs, but plan on creating and attaching a [billable resource](../search/cognitive-search-attach-cognitive-services.md) for larger volumes.

-To request access to GPT-4, Azure OpenAI customers can [apply by filling out this form](https://aka.ms/oai/get-gpt4)

-| `gpt-4` ^1,² (0314) | | N/A | 8,192 | September 2021 |

-| `gpt-4-32k` ^1,² (0314) | | N/A | 32,768 | September 2021 |

-| `gpt-4` ¹³ (0613) | Australia East, Canada East, East US, East US 2, France Central, Japan East, Sweden Central, Switzerland North, UK South | N/A | 8,192 | September 2021 |

-| `gpt-4-32k` ¹³ (0613) | Australia East, Canada East, East US, East US 2, France Central, Japan East, Sweden Central, Switzerland North, UK South | N/A | 32,768 | September 2021 |

-¹ The model is [only available by request](https://aka.ms/oai/get-gpt4).<br>

-³ We are rolling out availability of new regions to customers gradually to ensure a smooth experience. In East US and France Central, customers with existing deployments of GPT-4 can create additional deployments of GPT-4 version 0613. For customers new to GPT-4 on Azure OpenAI, please use one of the other available regions.

-GPT-4 models are the latest available models. Due to high demand access to this model series is currently only available by request. To request access, existing Azure OpenAI customers can [apply by filling out this form](https://aka.ms/oai/get-gpt4)

-* Access granted to Azure OpenAI in the desired Azure subscription

- - GPT-4 model series. Due to high demand access to this model series is currently only available by request. To request access, existing Azure OpenAI customers can [apply by filling out this form](https://aka.ms/oai/get-gpt4)

-You can make a [Models_ListBaseModels](https://github.com/Azure/azure-rest-api-specs/tree/main/specification/cognitiveservices/data-plane/Speech/SpeechToText/preview/v3.2-preview.1) request to get available base models for all locales.

-### Model copy

-Added the new `"/operations/models/copy/{id}"` operation. Used for copy models scenario.

-Added the new `"/models/{id}:copy"` operation. Schema in the new copy operation: `"$ref": "#/definitions/ModelCopyAuthorization"` Deprecated the `"/models/{id}:copyto"` operation. Schema in the deprecated copy operation: `"$ref": "#/definitions/ModelCopy"`

-Added the new `"/models:authorizecopy"` operation returns `"$ref": "#/definitions/ModelCopyAuthorization"`. This returned entity can be used in the new `"/models/{id}:copy"` operation.

-New entity definitions related to model copy authorization:

-```json

-"ModelCopyAuthorization": {

- "title": "ModelCopyAuthorization",

- "required": [

- "expirationDateTime",

- "id",

- "sourceResourceId",

- "targetResourceEndpoint",

- "targetResourceId",

- "targetResourceRegion"

- ],

- "type": "object",

- "properties": {

- "targetResourceRegion": {

- "description": "The region (aka location) of the target speech resource (e.g., westus2).",

- "minLength": 1,

- "type": "string"

- },

- "targetResourceId": {

- "description": "The Azure Resource ID of the target speech resource.",

- "minLength": 1,

- "type": "string"

- },

- "targetResourceEndpoint": {

- "description": "The endpoint (base url) of the target resource (with custom domain name when it is used).",

- "minLength": 1,

- "type": "string"

- },

- "sourceResourceId": {

- "description": "The Azure Resource ID of the source speech resource.",

- "minLength": 1,

- "type": "string"

- },

- "expirationDateTime": {

- "format": "date-time",

- "description": "The expiration date of this copy authorization.",

- "type": "string"

- },

- "id": {

- "description": "The ID of this copy authorization.",

- "minLength": 1,

- "type": "string"

- }

- }

-},

-```

-```json

-"ModelCopyAuthorizationDefinition": {

- "title": "ModelCopyAuthorizationDefinition",

- "required": [

- "sourceResourceId"

- ],

- "type": "object",

- "properties": {

- "sourceResourceId": {

- "description": "The Azure Resource ID of the source speech resource.",

- "minLength": 1,

- "type": "string"

- }

- }

-},

-```

-### CustomModelLinks copy properties

-New `copy` property

-copyTo URI: The location to the obsolete model copy action. See operation \"Models_CopyTo\" for more details.

-copy URI: The location to the model copy action. See operation \"Models_Copy\" for more details.

-```json

-"CustomModelLinks": {

- "title": "CustomModelLinks",

- "type": "object",

- "properties": {

- "copyTo": {

- "format": "uri",

- "description": "The location to the obsolete model copy action. See operation \"Models_CopyTo\" for more details.",

- "type": "string",

- "readOnly": true

- },

- "copy": {

- "format": "uri",

- "description": "The location to the model copy action. See operation \"Models_Copy\" for more details.",

- "type": "string",

- "readOnly": true

- },

- "files": {

- "format": "uri",

- "description": "The location to get all files of this entity. See operation \"Models_ListFiles\" for more details.",

- "type": "string",

- "readOnly": true

- },

- "manifest": {

- "format": "uri",

- "description": "The location to get a manifest for this model to be used in the on-prem container. See operation \"Models_GetCustomModelManifest\" for more details.",

- "type": "string",

- "readOnly": true

- }

- },

- "readOnly": true

-},

-```

-* Some Speech Studio [scenarios](speech-studio-overview.md#speech-studio-scenarios) are available to try without an Azure subscription.

-* Text to speech [Batch synthesis API](./batch-synthesis.md) is available in public preview.

-description: Use the Translator C#/.NET or Python client library (SDK) for cloud-based batch document translation service and process

-| 1.27* | Apr 2023 | Jun 2023 | Jul 2023 | Jul 2024, LTS until Jul 2026 | Until 1.31 GA |

-# Vertical Pod Autoscaling (preview) in Azure Kubernetes Service (AKS)

-This article provides an overview of Vertical Pod Autoscaler (VPA) (preview) in Azure Kubernetes Service (AKS), which is based on the open source [Kubernetes](https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler) version. When configured, it automatically sets resource requests and limits on containers per workload based on past usage. VPA makes certain pods are scheduled onto nodes that have the required CPU and memory resources.

-* A Pod is evicted if it needs to change its resource requests if its scaling mode is set to *auto* or *recreate*.

-* Vertical Pod autoscaling supports a maximum of 500 `VerticalPodAutoscaler` objects per cluster.

-* With this preview release, you can't change the `controlledValue` and `updateMode` of `managedCluster` object.

-* The Azure CLI version 2.0.64 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].

-## API Object

-The Vertical Pod Autoscaler is an API resource in the Kubernetes autoscaling API group. The version supported in this preview release is 0.11 can be found in the [Kubernetes autoscaler repo][github-autoscaler-repo-v011].

-## Install the aks-preview Azure CLI extension

-To install the aks-preview extension, run the following command:

-```azurecli-interactive

-az extension add --name aks-preview

-```

-Run the following command to update to the latest version of the extension released:

-```azurecli-interactive

-az extension update --name aks-preview

-```

-## Register the 'AKS-VPAPreview' feature flag

-Register the `AKS-VPAPreview` feature flag by using the [az feature register][az-feature-register] command, as shown in the following example:

-```azurecli-interactive

-az feature register --namespace "Microsoft.ContainerService" --name "AKS-VPAPreview"

-```

-It takes a few minutes for the status to show *Registered*. Verify the registration status by using the [az feature show][az-feature-show] command:

-```azurecli-interactive

-az feature show --namespace "Microsoft.ContainerService" --name "AKS-VPAPreview"

-```

-When the status reflects *Registered*, refresh the registration of the *Microsoft.ContainerService* resource provider by using the [az provider register][az-provider-register] command:

-```azurecli-interactive

-az provider register --namespace Microsoft.ContainerService

-```

-The following steps create a deployment with two pods, each running a single container that requests 100 millicores and tries to utilize slightly above 500 millicores. Also created is a VPA config pointing at the deployment. The VPA observes the behavior of the pods, and after about five minutes, they're updated with a higher CPU request.

-## Set Pod Autoscaler requests automatically

-Vertical Pod autoscaling uses the `VerticalPodAutoscaler` object to automatically set resource requests on Pods when the updateMode is set to **Auto** or **Recreate**.

- This manifest describes a deployment that has two Pods. Each Pod has one container that requests 100 milliCPU and 50 MiB of memory.

- updateMode: "Auto"

- The `targetRef.name` value specifies that any Pod that is controlled by a deployment named `vpa-auto-deployment` belongs to this `VerticalPodAutoscaler`. The `updateMode` value of `Auto` means that the Vertical Pod Autoscaler controller can delete a Pod, adjust the CPU and memory requests, and then start a new Pod.

-7. Wait a few minutes, and view the running Pods again by running the following [kubectl get][kubectl-get] command:

-8. Get detailed information about one of your running Pods by using the [Kubectl get][kubectl-get] command. Replace `podName` with the name of one of your Pods that you retrieved in the previous step.

- The Vertical Pod Autoscaler uses the `lowerBound` and `upperBound` attributes to decide whether to delete a Pod and replace it with a new Pod. If a Pod has requests less than the lower bound or greater than the upper bound, the Vertical Pod Autoscaler deletes the Pod and replaces it with a Pod that meets the target attribute.

-This article showed you how to automatically scale resource utilization, such as CPU and memory, of cluster nodes to match application requirements. You can also use the horizontal pod autoscaler to automatically adjust the number of pods that run your application. For steps on using the horizontal pod autoscaler, see [Scale applications in AKS][scale-applications-in-aks].

-Astra provides dynamic storage provisioning for stateful workloads on Azure Kubernetes Service (AKS). It also provides data protection using snapshots and clones. Provision SMB volumes through the Kubernetes control plane, making storage seamless and on-demand for all your Windows AKS workloads.

-There are three variations of App Service that require slightly different configuration of the integration with Azure Application Gateway. The variations include regular App Service - also known as multi-tenant, Internal Load Balancer (ILB) App Service Environment and External App Service Environment. This article will walk through how to configure it with App Service (multi-tenant) using service endpoint to secure traffic. The article will also discuss considerations around using private endpoint and integrating with ILB, and External App Service Environment. Finally the article has considerations on scm/kudu site.

-## Integration with App Service (multi-tenant)

-App Service (multi-tenant) has a public internet facing endpoint. Using [service endpoints](../../virtual-network/virtual-network-service-endpoints-overview.md) you can allow traffic only from a specific subnet within an Azure Virtual Network and block everything else. In the following scenario, we'll use this functionality to ensure that an App Service instance can only receive traffic from a specific Application Gateway instance.

-There are two parts to this configuration besides creating the App Service and the Application Gateway. The first part is enabling service endpoints in the subnet of the Virtual Network where the Application Gateway is deployed. Service endpoints will ensure all network traffic leaving the subnet towards the App Service will be tagged with the specific subnet ID. The second part is to set an access restriction of the specific web app to ensure that only traffic tagged with this specific subnet ID is allowed. You can configure it using different tools depending on preference.

-With Azure portal, you follow four steps to provision and configure the setup. If you have existing resources, you can skip the first steps.

-You can now access the App Service through Application Gateway, but if you try to access the App Service directly, you should receive a 403 HTTP error indicating that the web site is stopped.

-The [Resource Manager deployment template][template-app-gateway-app-service-complete] will provision a complete scenario. The scenario consists of an App Service instance locked down with service endpoints and access restriction to only receive traffic from Application Gateway. The template includes many Smart Defaults and unique postfixes added to the resource names for it to be simple. To override them, you'll have to clone the repo or download the template and edit it.

-To apply the template you can use the Deploy to Azure button found in the description of the template, or you can use appropriate PowerShell/CLI.

-The [Azure CLI sample](../../app-service/scripts/cli-integrate-app-service-with-application-gateway.md) will provision an App Service locked down with service endpoints and access restriction to only receive traffic from Application Gateway. If you only need to isolate traffic to an existing App Service from an existing Application Gateway, the following command is sufficient.

-In the default configuration, the command will ensure both setup of the service endpoint configuration in the subnet and the access restriction in the App Service.

-As an alternative to service endpoint, you can use private endpoint to secure traffic between Application Gateway and App Service (multi-tenant). You will need to ensure that Application Gateway can DNS resolve the private IP of the App Service apps or alternatively that you use the private IP in the backend pool and override the host name in the http settings.

-Application Gateway will cache the DNS lookup results, so if you use FQDNs and rely on DNS lookup to get the private IP address, then you may need to restart the Application Gateway if the DNS update or link to Azure private DNS zone was done after configuring the backend pool. To restart the Application Gateway, you must start and stop the instance. You can do this with Azure CLI:

-If you want to ensure that only traffic from the Application Gateway subnet is reaching the App Service Environment, you can configure a Network security group (NSG) which affect all web apps in the App Service Environment. For the NSG, you are able to specify the subnet IP range and optionally the ports (80/443). Make sure you don't override the [required NSG rules](../environment/network-info.md#network-security-groups) for App Service Environment to function correctly.

-To isolate traffic to an individual web app you'll need to use ip-based access restrictions as service endpoints will not work for ASE. The IP address should be the private IP of the Application Gateway instance.

-External App Service Environment has a public facing load balancer like multi-tenant App Service. Service endpoints don't work for App Service Environment, and that's why you'll have to use ip-based access restrictions using the public IP of the Application Gateway instance. To create an External App Service Environment using the Azure portal, you can follow this [Quickstart](../environment/create-external-ase.md)

-If you want to set individual access restrictions for the scm site, you can add access restrictions using the --scm-site flag like shown below.

- --image UbuntuLTS \

- --image UbuntuLTS \

- --image UbuntuLTS \

- --image UbuntuLTS \

- --image UbuntuLTS \

- --image UbuntuLTS \

- --image UbuntuLTS \

- --image UbuntuLTS \

-> [!NOTE]

-> We have started to roll out this release across regions. We'll remove this note once version 1.7.6 is available to all supported regions.

-The following example shows a [C# function](dotnet-isolated-process-guide.md) that receives a Service Bus queue message, logs the message, and sends a message to different Service Bus queue:

-The following example shows a [C# function](dotnet-isolated-process-guide.md) that receives a Service Bus queue message, logs the message, and sends a message to different Service Bus queue:

-If migrating an existing web application, check to see if it's using an open-source map control library such as Cesium, Leaflet, and OpenLayers. If it's and you would prefer to continue to use that library, you can connect it to the Azure Maps tile services ([road tiles] \| [satellite tiles]). The following links provide details on how to use Azure Maps in commonly used open-source map control libraries.

-* In addition to providing a hosted endpoint for accessing the Azure Maps Web SDK, an npm package is available for embedding the Web SDK into apps if preferred. For more information, see [Use the Azure Maps map control] in the Web SDK documentation. This package also includes TypeScript definitions.

-* Bing maps require an account key specified in the script reference of the API or as a map option. Authentication credentials for Azure Maps are specified as options of the map class as either [Shared Key authentication] or [Azure Active Directory].

-Azure Maps provides several different options for displaying traffic. Traffic incidents, such as road closures and accidents can be displayed as icons on the map. Traffic flow, color coded roads, can be overlaid on the map and the colors can be modified to be based relative to the posted speed limit, relative to the normal expected delay, or absolute delay. Incident data in Azure Maps is updated every minute and flow data every 2 minutes.

-[Azure Active Directory]: azure-maps-authentication.md#azure-ad-authentication

-[satellite tiles]: /rest/api/maps/render/getmapimagerytile

-| Directions (including truck) | [Route directions] |

-| Distance Matrix | [Route Matrix] |

-| Imagery ΓÇô Static Map | [Render] |

-| Isochrones | [Route Range] |

-| Local Insights | [Search] + [Route Range] |

-| Snap to Road | [POST Route directions] |

-| Time Zone | [Time Zone] |

-| Traffic Incidents | [Traffic Incident Details] |

-* [Map Tiles] ΓÇô Access road and imagery tiles from Azure Maps as raster and vector tiles.

-* [Batch routing] ΓÇô Allows up to 1,000 route requests to be made in a single batch over a period of time. Routes are calculated in parallel on the server for faster processing.

-> For more information on authentication in Azure Maps, see [manage authentication in Azure Maps].

-* [Free-form address geocoding]: Specify a single address string (like `"1 Microsoft way, Redmond, WA"`) and process the request immediately. This service is recommended if you need to geocode individual addresses quickly.

-* [Structured address geocoding]: Specify the parts of a single address, such as the street name, city, country/region, and postal code and process the request immediately. This service is recommended if you need to geocode individual addresses quickly and the data is already parsed into its individual address parts.

-* [Batch address geocoding]: Create a request containing up to 10,000 addresses and have them processed over a period of time. All the addresses are geocoded in parallel on the server and when completed the full result set can be downloaded. This service is recommended for geocoding large data sets.

-* [Fuzzy search]: This API combines address geocoding with point of interest search. This API takes in a free-form string that can be an address, place, landmark, point of interest, or point of interest category and process the request immediately. This API is recommended for applications where users can search for addresses or points of interest from the same textbox.

-* [Fuzzy batch search]: Create a request containing up to 10,000 addresses, places, landmarks, or point of interests and have them processed over a period of time. All the data is processed in parallel on the server and when completed the full result set can be downloaded.

-* [Address reverse geocoder]: Specify a single geographic coordinate to get its approximate address and process the request immediately.

-* [Cross street reverse geocoder]: Specify a single geographic coordinate to get nearby cross street information (for example, 1st & main) and process the request immediately.

-* [Batch address reverse geocoder]: Create a request containing up to 10,000 coordinates and have them processed over a period of time. All the data is processed in parallel on the server and when completed the full result set can be downloaded.

-* [Free-form address geocoding]: Specify a single address string (like `"1 Microsoft way, Redmond, WA"`) and process the request immediately. This service is recommended if you need to geocode individual addresses quickly.

-* [Fuzzy search]: This API combines address geocoding with point of interest search. This API takes in a free-form string that can be an address, place, landmark, point of interest, or point of interest category and process the request immediately. This API is recommended for applications where users can search for addresses or points of interest from the same textbox.

-* [POI search]: Search for points of interests by name. For example, `"starbucks"`.

-* [POI category search]: Search for points of interests by category. For example, "restaurant".

-* [Calculate route]: Calculate a route and have the request processed immediately. This API supports both `GET` and `POST` requests. `POST` requests are recommended when specifying a large number of waypoints or when using lots of the route options to ensure that the URL request doesnΓÇÖt become too long and cause issues.

-* [Batch route]: Create a request containing up to 1,000 route request and have them processed over a period of time. All the data is processed in parallel on the server and when completed the full result set can be downloaded.

-Azure Maps can snap coordinates to roads by using the [route directions] API. This service can be used to reconstruct a logical route between a set of coordinates and is comparable to the Bing Maps Snap to Road API.

-Azure Maps provides an API for rendering the static map images with data overlaid. The Azure Maps [Map image render] API is comparable to the static map API in Bing Maps.

-* [Map tiles] ΓÇô Retrieve raster (PNG) and vector tiles for the base maps (roads, boundaries, background).

-* [Map imagery tile] ΓÇô Retrieve aerial and satellite imagery tiles.

-* [Route matrix]: Asynchronously calculates travel times and distances for a set of origins and destinations. Up to 700 cells per request is supported (the number of origins multiplied by the number of destinations). With that constraint in mind, examples of possible matrix dimensions are: `700x1`, `50x10`, `10x10`, `28x25`, `10x70`.

-* **Local search**: Searches for points of interest that are nearby (radial search), by name, or by entity type (category). The Azure Maps [POI search] and [POI category search] APIs are most like this API.

-* [POI search]: Search for points of interests by name. For example, `"starbucks"`.

-* [POI category search]: Search for points of interests by category. For example, "restaurant".

-* [Search within geometry]: Searches for points of interests that are within a certain distance of a location.

-* [Fuzzy search]: This API combines address geocoding with point of interest search. This API takes in a free-form string that can be an address, place, landmark, point of interest, or point of interest category and process the request immediately. This API is recommended for applications where users can search for addresses or points of interest from the same textbox.

-* [Search within geometry]: Search for points of interests that are within a specified geometry (polygon).

-* [Search along route]: Search for points of interests that are along a specified route path.

-* [Fuzzy batch search]: Create a request containing up to 10,000 addresses, places, landmarks, or point of interests and have them processed over a period of time. All the data is processed in parallel on the server and when completed the full result set can be downloaded.

-* [Traffic flow segments]: Provides information about the speeds and travel times of the road fragment closest to the given coordinates.

-* [Traffic flow tiles]: Provides raster and vector tiles containing traffic flow data. These

-* [Traffic incident details]: Provides traffic incident details that are within a bounding box, zoom level, and traffic model.

-* [Traffic incident tiles]: Provides raster and vector tiles containing traffic incident data.

-* [Traffic incident viewport]: Retrieves the legal and technical information for the viewport described in the request, such as the traffic model ID.

-* [Time zone by coordinate]: Specify a coordinate and get the details for the time zone it falls in.

-* [Time zone by ID]: Returns current, historical, and future time zone information for the specified IANA time zone ID.

-* [Time zone Enum IANA]: Returns a full list of IANA time zone IDs. Updates to the IANA service are reflected in the system within one day.

-* [Time zone Enum Windows]: Returns a full list of Windows Time Zone IDs.

-* [Time zone IANA version]: Returns the current IANA version number used by Azure Maps.

-* [Time zone Windows to IANA]: Returns a corresponding IANA ID, given a valid Windows Time Zone ID. Multiple IANA IDs may be returned for a single Windows ID.

-* [Free-form address geocoding]: Specify a single address string (like `"1 Microsoft way, Redmond, WA"`) and process the request immediately. This service is recommended if you need to geocode individual addresses quickly.

-* [Structured address geocoding]: Specify the parts of a single address, such as the street name, city, country/region, and postal code and process the request immediately. This service is recommended if you need to geocode individual addresses quickly and the data is already parsed into its individual address parts.

-* [Batch address geocoding]: Create a request containing up to 10,000 addresses and have them processed over a period of time. All the addresses are geocoded in parallel on the server and when completed the full result set can be downloaded. This service is recommended for geocoding large data sets.

-* [Fuzzy search]: This API combines address geocoding with point of interest search. This API takes in a free-form string that can be an address, place, landmark, point of interest, or point of interest category and process the request immediately. This API is recommended for applications where users can search for addresses or points of interest from the same textbox.

-* **[Fuzzy batch search]**: Create a request containing up to 10,000 addresses, places, landmarks, or point of interests and have them processed over a period of time. All the data is processed in parallel on the server and when completed the full result set can be downloaded.

- * [Free-form address geocoding]

- * [Structured address geocoding]

- * [Batch address geocoding]

- * [Fuzzy search]

- * [Fuzzy batch search]

-1. If the desired result(s) has a geometry ID(s), pass it into the [Search Polygon API].

-> [Best practices for using the search service](how-to-use-best-practices-for-search.md)

-[Address reverse geocoder]: /rest/api/maps/search/getsearchaddressreverse

-[Batch address geocoding]: /rest/api/maps/search/postsearchaddressbatchpreview

-[Batch address reverse geocoder]: /rest/api/maps/search/postsearchaddressreversebatchpreview

-[Batch route]: /rest/api/maps/route/postroutedirectionsbatchpreview

-[Batch routing]: /rest/api/maps/route/postroutedirectionsbatchpreview

-[Calculate route]: /rest/api/maps/route/getroutedirections

-[Cross street reverse geocoder]: /rest/api/maps/search/getsearchaddressreversecrossstreet

-[Free-form address geocoding]: /rest/api/maps/search/getsearchaddress

-[Fuzzy batch search]: /rest/api/maps/search/postsearchfuzzybatchpreview

-[Fuzzy search]: /rest/api/maps/search/getsearchfuzzy

-[manage authentication in Azure Maps]: how-to-manage-authentication.md

-[Map image render]: /rest/api/maps/render/getmapimagerytile

-[Map imagery tile]: /rest/api/maps/render/getmapimagerytile

-[Map Tiles]: /rest/api/maps/render-v2/get-map-tile

-[POI category search]: /rest/api/maps/search/get-search-poi-category

-[POI search]: /rest/api/maps/search/get-search-poi

-[POST Route directions]: /rest/api/maps/route/postroutedirections

-[Render]: /rest/api/maps/render-v2/get-map-static-image

-[Route directions]: /rest/api/maps/route/getroutedirections

-[Route Matrix]: /rest/api/maps/route/postroutematrixpreview

-[Route Range]: /rest/api/maps/route/getrouterange

-[Search along route]: /rest/api/maps/search/postsearchalongroute

-[Search Polygon API]: /rest/api/maps/search/getsearchpolygon

-[Search within geometry]: /rest/api/maps/search/postsearchinsidegeometry

-[Structured address geocoding]: /rest/api/maps/search/getsearchaddressstructured

-[Time zone by coordinate]: /rest/api/maps/timezone/gettimezonebycoordinates

-[Time zone by ID]: /rest/api/maps/timezone/gettimezonebyid

-[Time zone Enum IANA]: /rest/api/maps/timezone/gettimezoneenumiana

-[Time zone Enum Windows]: /rest/api/maps/timezone/gettimezoneenumwindows

-[Time zone IANA version]: /rest/api/maps/timezone/gettimezoneianaversion

-[Time zone Windows to IANA]: /rest/api/maps/timezone/gettimezonewindowstoiana

-[Time Zone]: /rest/api/maps/timezone

-[Traffic flow segments]: /rest/api/maps/traffic/gettrafficflowsegment

-[Traffic flow tiles]: /rest/api/maps/traffic/gettrafficflowtile

-[Traffic incident details]: /rest/api/maps/traffic/gettrafficincidentdetail

-[Traffic incident tiles]: /rest/api/maps/traffic/gettrafficincidenttile

-[Traffic incident viewport]: /rest/api/maps/traffic/gettrafficincidentviewport

-If migrating an existing web application, check to see if it's using an open-source map control library. Examples of open-source map control library are: Cesium, Leaflet, and OpenLayers. You can still migrate your application, even if it uses an open-source map control library, and you don't want to use the Azure Maps Web SDK. In such case, connect your application to the Azure Maps tile services ([road tiles]

-\| [satellite tiles]). The following points detail on how to use Azure Maps in some commonly used open-source map control libraries.

-* [ng-azure-maps] - Angular 10 wrapper around Azure maps.

-> For more information on authentication in Azure Maps, see [manage authentication in Azure Maps].

-* Shapes in the Azure Maps Web SDK are based on the GeoJSON schema. Helper classes are exposed through the [*atlas.data* namespace]. There's also the [*atlas.Shape*] class. Use this class to wrap GeoJSON objects, to make it easy to update and maintain the data bindable way.

-* Google maps requires an account key to be specified in the script reference of the API. Authentication credentials for Azure Maps are specified as options of the map class. This credential can be a subscription key or Azure Active Directory information.

-The basic examples below uses Google Maps to load a map centered over New York at coordinates. The longitude: -73.985, latitude: 40.747, and the map is at zoom level of 12.

-> Unlike Google Maps, Azure Maps does not require an initial center and a zoom level to load the map. If this information is not provided when loading the map, Azure maps will try to determine city of the user. It will center and zoom the map there.

-The following examples load a GeoJSON feed of all earthquakes over the last seven days from the USGS. Earthquakes data renders as scaled circles on the map. The color and scale of each circle is based on the magnitude of each earthquake, which is stored in the `"mag"` property of each feature in the data set. If the magnitude is greater than or equal to five, the circle is red. If it's greater or equal to three, but less than five, the circle is orange. If it's less than three, the circle is green. The radius of each circle will be the exponential of the magnitude multiplied by 0.1.

-When visualizing many data points on the map, points may overlap each other. Overlapping makes the map looks cluttered, and the map becomes difficult to read and use. Clustering point data is the process of combining data points that are near each other and representing them on the map as a single clustered data point. As the user zooms into the map, the clusters break apart into their individual data points. Cluster data points to improve user experience and map performance.

-Traffic data can be overlaid both Azure and Google maps.

-Both Azure and Google maps support overlaying georeferenced images on the map. Georeferenced images move and scale as you pan and zoom the map. In Google Maps, georeferenced images are known as ground overlays while in Azure Maps they're referred to as image layers. They're great for building floor plans, overlaying old maps, or imagery from a drone.

-Both Azure and Google maps can import and render KML, KMZ and GeoRSS data on the map. Azure Maps also supports GPX, GML, spatial CSV files, GeoJSON, Well Known Text (WKT), Web-Mapping Services (WMS), Web-Mapping Tile Services (WMTS), and Web Feature Services (WFS). Azure Maps reads the files locally into memory and in most cases can handle larger KML files.

-[*atlas.data* namespace]: /javascript/api/azure-maps-control/atlas.data

-[*atlas.Shape*]: /javascript/api/azure-maps-control/atlas.shape

-[manage authentication in Azure Maps]: how-to-manage-authentication.md

-[satellite tiles]: /rest/api/maps/render/getmapimagerytile

-| Distance Matrix | [Route Matrix] |

-| Time Zone | [Time Zone] |

-* Nearest Roads - This is achievable using the Web SDK as demonstrated in the [Basic snap to road logic] sample, but is not currently available as a service.

-> For more information on authentication in Azure Maps, see [manage authentication in Azure Maps].

-* **[Free-form address geocoding]**: Specify a single address string and process the request immediately. "1 Microsoft way, Redmond, WA" is an example of a single address string. This API is recommended if you need to geocode individual addresses quickly.

-* **[Structured address geocoding]**: Specify the parts of a single address, such as the street name, city, country/region, and postal code and process the request immediately. This API is recommended if you need to geocode individual addresses quickly and the data is already parsed into its individual address parts.

-* **[Batch address geocoding]**: Create a request containing up to 10,000 addresses and have them processed over a period of time. All the addresses are geocoded in parallel on the server and when completed the full result set can be downloaded. This is recommended for geocoding large data sets.

-* **[Fuzzy search]**: This API combines address geocoding with point of interest search. This API takes in a free-form string. This string can be an address, place, landmark, point of interest, or point of interest category. This API process the request near real time. This API is recommended for applications where users search for addresses or points of interest in the same textbox.

-* **[Fuzzy batch search]**: Create a request containing up to 10,000 addresses, places, landmarks, or point of interests and have them processed over a period of time. All the data is processed in parallel on the server and when completed the full result set can be downloaded.

-| `address` | `query` |

-| `bounds` | `topLeft` and `btmRight` |

-| `components` | `streetNumber`<br/>`streetName`<br/>`crossStreet`<br/>`postalCode`<br/>`municipality` - city / town<br/>`municipalitySubdivision` ΓÇô neighborhood, sub / super city<br/>`countrySubdivision` - state or province<br/>`countrySecondarySubdivision` - county<br/>`countryTertiarySubdivision` - district<br/>`countryCode` - two letter country/region code |

-| `key` | `subscription-key` ΓÇô For more information, see [Authentication with Azure Maps]. |

-| `language` | `language` ΓÇô For more information, see [Localization support in Azure Maps]. |

-| `region` | `countrySet` |

-* **[Address reverse geocoder]**: Specify a single geographic coordinate to get the approximate address corresponding to this coordinate. Processes the request near real time.

-* **[Cross street reverse geocoder]**: Specify a single geographic coordinate to get nearby cross street information and process the request immediately. For example, you may receive the following cross streets 1st Ave and Main St.

-* **[Batch address reverse geocoder]**: Create a request containing up to 10,000 coordinates and have them processed over a period of time. All data is processed in parallel on the server. When the request completes, you can download the full set of results.

-* **[POI search]**: Search for points of interests by name. For example, "Starbucks".

-* **[POI category search]**: Search for points of interests by category. For example, "restaurant".

-* **[Nearby search]**: Searches for points of interests that are within a certain distance of a location.

-* **[Fuzzy search]**: This API combines address geocoding with point of interest search. This API takes in a free-form string that can be an address, place, landmark, point of interest, or point of interest category. It processes the request near real time. This API is recommended for applications where users search for addresses or points of interest in the same textbox.

-* **[Search within geometry]**: Search for points of interests that are within a specified geometry. For example, search a point of interest within a polygon.

-* **[Search along route]**: Search for points of interests that are along a specified route path.

-* **[Fuzzy batch search]**: Create a request containing up to 10,000 addresses, places, landmarks, or point of interests. Processed the request over a period of time. All data is processed in parallel on the server. When the request completes processing, you can download the full set of result.

-Use the Azure Maps [POI search] and [Fuzzy search] to search for points of interests by name or address.

-Use the [Nearby search] API to retrieve nearby points of interests, in Azure Maps.

-* Different modes of transportation. Such as, driving, walking, bicycling.

-* **[Calculate route]**: Calculate a route and have the request processed immediately. This API supports both `GET` and `POST` requests. `POST` requests are recommended when specifying a large number of waypoints or when using lots of the route options to ensure that the URL request doesn't become too long and cause issues. The `POST` Route Direction in Azure Maps has an option can that take in thousands of [supporting points] and use them to recreate a logical route path between them (snap to road).

-* **[Batch route]**: Create a request containing up to 1,000 route request and have them processed over a period of time. All the data is processed in parallel on the server and when completed the full result set can be downloaded.

-Azure Maps routing API has other features that aren't available in Google Maps. When migrating your app, consider using these features, you might find them useful.

-* Support for other travel modes: bus, motorcycle, taxi, truck, and van.

-* Limit the elevation, which the route may ascend.

-* Route based on engine specifications. Calculate routes for combustion or electric vehicles based on engine specifications, and the remaining fuel or charge.

-* Support commercial vehicle route parameters. Such as, vehicle dimensions, weight, number of axels, and cargo type.

-In addition, the route service in Azure Maps supports [calculating routable ranges]. Calculating routable ranges is also known as isochrones. It entails generating a polygon covering an area that can be traveled to in any direction from an origin point. All under a specified amount of time or amount of fuel or charge.

-Azure Maps provides an API for rendering the static map images with data overlaid. The [Map image render] API in Azure Maps is comparable to the static map API in Google Maps.

-| `center` | `center` |

-| `format` | `format` ΓÇô specified as part of URL path. Currently only PNG supported. |

-| `key` | `subscription-key` ΓÇô For more information, see [Authentication with Azure Maps]. |

-| `language` | `language` ΓÇô For more information, see [Localization support in Azure Maps]. |

-| `maptype` | `layer` and `style` ΓÇô See [Supported map styles](supported-map-styles.md) documentation. |

-| `markers` | `pins` |

-| `path` | `path` |

-| `region` | *N/A* ΓÇô This is a geocoding related feature. Use the `countrySet` parameter when using the Azure Maps geocoding API. |

-| `scale` | *N/A* |

-| `size` | `width` and `height` ΓÇô can be up to 8192x8192 in size. |

-| `style` | *N/A* |

-| `visible` | *N/A* |

-| `zoom` | `zoom` |

-In addition to being able to generate a static map image, the Azure Maps render service provides the ability to directly access map tiles in raster (PNG) and vector format:

-* **[Map tile]**: Retrieve raster (PNG) and vector tiles for the base maps (roads, boundaries, background).

-* **[Map imagery tile]**: Retrieve aerial and satellite imagery tiles.

-Add lines and polygon to a static map image using the `path` parameter in the URL. The `path` parameter takes in a style and a list of locations to be rendered on the map, as shown below:

-Add path styles with the `optionName:value` format, separate multiple styles by the pipe (\|) characters. And, separate option names and values with a colon (:). Like this: `optionName1:value1|optionName2:value2`. The following style option names can be used to style paths in Google Maps:

-* **[Route matrix]**(/rest/api/maps/route/postroutematrixpreview): Asynchronously calculates travel times and distances for a set of origins and destinations. Supports up to 700 cells per request. That's the number of origins multiplied by the number of destinations. With that constraint in mind, examples of possible matrix dimensions are: 700x1, 50x10, 10x10, 28x25, 10x70.

-* **[Time zone by coordinate]**(/rest/api/maps/timezone/gettimezonebycoordinates): Specify a coordinate and receive the time zone details of the coordinate.

-* **[Time zone by ID]**: Returns current, historical, and future time zone information for the specified IANA time zone ID.

-* **[Time zone Enum IANA]**: Returns a full list of IANA time zone IDs. Updates to the IANA service are reflected in the system within one day.

-* **[Time zone Enum Windows]**: Returns a full list of Windows Time Zone IDs.

-* **[Time zone IANA version]**: Returns the current IANA version number used by Azure Maps.

-* **[Time zone Windows to IANA]**: Returns a corresponding IANA ID, given a valid Windows Time Zone ID. Multiple IANA IDs may be returned for a single Windows ID.

-* JavaScript, TypeScript, Node.js ΓÇô [documentation] \| [npm package]

-> [Best practices for search](how-to-use-best-practices-for-search.md)

-[Address reverse geocoder]: /rest/api/maps/search/getsearchaddressreverse

-[Batch address geocoding]: /rest/api/maps/search/postsearchaddressbatchpreview

-[Batch address reverse geocoder]: /rest/api/maps/search/postsearchaddressreversebatchpreview

-[Batch route]: /rest/api/maps/route/postroutedirectionsbatchpreview

-[Calculate route]: /rest/api/maps/route/getroutedirections

-[calculating routable ranges]: /rest/api/maps/route/getrouterange

-[Cross street reverse geocoder]: /rest/api/maps/search/getsearchaddressreversecrossstreet

-[documentation]: how-to-use-services-module.md

-[Free-form address geocoding]: /rest/api/maps/search/getsearchaddress

-[Fuzzy batch search]: /rest/api/maps/search/postsearchfuzzybatchpreview

-[Fuzzy search]: /rest/api/maps/search/getsearchfuzzy

-[manage authentication in Azure Maps]: how-to-manage-authentication.md

-[Map image render]: /rest/api/maps/render/getmapimagerytile

-[Map imagery tile]: /rest/api/maps/render/getmapimagerytile

-[Map tile]: /rest/api/maps/render-v2/get-map-tile

-[Nearby search]: /rest/api/maps/search/getsearchnearby

-[POI category search]: /rest/api/maps/search/getsearchpoicategory

-[POI search]: /rest/api/maps/search/getsearchpoi

-[Route Matrix]: /rest/api/maps/route/postroutematrixpreview

-[Search along route]: /rest/api/maps/search/postsearchalongroute

-[Search within geometry]: /rest/api/maps/search/postsearchinsidegeometry

-[Structured address geocoding]: /rest/api/maps/search/getsearchaddressstructured

-[supporting points]: /rest/api/maps/route/postroutedirections#supportingpoints

-[Time zone by ID]: /rest/api/maps/timezone/gettimezonebyid

-[Time zone Enum IANA]: /rest/api/maps/timezone/gettimezoneenumiana

-[Time zone Enum Windows]: /rest/api/maps/timezone/gettimezoneenumwindows

-[Time zone IANA version]: /rest/api/maps/timezone/gettimezoneianaversion

-[Time zone Windows to IANA]: /rest/api/maps/timezone/gettimezonewindowstoiana

-[Time Zone]: /rest/api/maps/timezone

-* [Map image]

-* [Map tile]

-* Web SDK map control

-* Android map control

-* Power BI visual

-* Web SDK map control

-* [Satellite tile]

-* Web SDK map control

-* Android map control

-* Power BI visual

-* Web SDK map control

-* Android map control

-* Power BI visual

-* [Map image]

-* [Map tile]

-* Web SDK map control

-* Android map control

-* Power BI visual

-* Web SDK map control

-* Android map control

-* Power BI visual

-* Web SDK map control

-* Android map control

-* Power BI visual

-* [Map tile]

-* Web SDK map control

-* Android map control

-* Power BI visual

-* Web SDK map control

-* Android map control

-* Power BI visual

-* Web SDK map control

-* Android map control

-* Power BI visual

-[Choose the right pricing tier in Azure Maps]: choose-pricing-tier.md

-[Map image]: /rest/api/maps/render-v2/get-map-static-image

-[Map tile]: /rest/api/maps/render-v2/get-map-tile

-[Satellite tile]: /rest/api/maps/render/getmapimagerytilepreview

-* [Python](./opencensus-python.md)

-* Set up custom dependency tracking for [OpenCensus Python](./opencensus-python-dependency.md).

-Instrument your application with the [OpenCensus Python SDK](./opencensus-python.md) for Azure Monitor.

-To monitor Python apps, use the [SDK](./opencensus-python.md).

- This approach is much more customizable, but it requires the following approaches: SDK for [.NET Core](./asp-net-core.md), [.NET](./asp-net.md), [Node.js](./nodejs.md), [Python](./opencensus-python.md), and a standalone agent for [Java](./opentelemetry-enable.md?tabs=java). This method also means you must manage the updates to the latest version of the packages yourself.

-* [Python](opencensus-python.md)

-For more information on OpenCensus for Python, see [Set up Azure Monitor for your Python application](opencensus-python.md).

-You can export the log data by using `AzureLogHandler`. For more information, see [Set up Azure Monitor for your Python application](./opencensus-python.md#logs).

-> Only the .NET and .NET Core SDKs have a `GetMetric()` method. If you're using Java, see [Sending custom metrics using micrometer](./java-standalone-config.md#autocollected-micrometer-metrics-including-spring-boot-actuator-metrics). For JavaScript and Node.js, you would still use `TrackMetric()`, but keep in mind the caveats that were outlined in the previous section. For Python, you can use [OpenCensus.stats](./opencensus-python.md#metrics) to send custom metrics, but the metrics implementation is different.

-A span is a type of telemetry that represent one of:

-The `body` section requires the `fromAttributes` setting. The values from these attributes are used to create a new body, concatenated in the order that the configuration specifies. The processor will change the log body only if all of these attributes are present on the log.

-Metric filters only support `exclude` criteria. Metrics that match its `exclude` criteria will not be exported.

-> While the solution to seamlessly enable application monitoring is in process for other languages, use the SDKs to monitor your apps running on AKS. Use [ASP.NET Core](./asp-net-core.md), [ASP.NET](./asp-net.md), [Node.js](./nodejs.md), [JavaScript](./javascript.md), and [Python](./opencensus-python.md).

-* [Python](./opencensus-python.md)

-description: Monitor dependency calls for your Python apps via OpenCensus Python.

-# Track dependencies with OpenCensus Python

-> [!NOTE]

-> [OpenCensus Python SDK is deprecated](https://opentelemetry.io/blog/2023/sunsetting-opencensus/), but Microsoft supports it until retirement on September 30, 2024. We now recommend the [OpenTelemetry-based Python offering](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-enable?tabs=python) and provide [migration guidance](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-python-opencensus-migrate?tabs=aspnetcore).

-A dependency is an external component that is called by your application. Dependency data is collected using OpenCensus Python and its various integrations. The data is then sent to Application Insights under Azure Monitor as `dependencies` telemetry.

-First, instrument your Python application with latest [OpenCensus Python SDK](./opencensus-python.md).

-## In-process dependencies

-OpenCensus Python SDK for Azure Monitor allows you to send "in-process" dependency telemetry (information and logic that occurs within your application). In-process dependencies will have the `type` field as `INPROC` in analytics.

-```python

-from opencensus.ext.azure.trace_exporter import AzureExporter

-from opencensus.trace.samplers import ProbabilitySampler

-from opencensus.trace.tracer import Tracer

-tracer = Tracer(exporter=AzureExporter(connection_string="InstrumentationKey=<your-ikey-here>"), sampler=ProbabilitySampler(1.0))

-with tracer.span(name='foo'): # <-- A dependency telemetry item will be sent for this span "foo"

- print('Hello, World!')

-```

-## Dependencies with "requests" integration

-Track your outgoing requests with the OpenCensus `requests` integration.

-Download and install `opencensus-ext-requests` from [PyPI](https://pypi.org/project/opencensus-ext-requests/) and add it to the trace integrations. Requests sent using the Python [requests](https://pypi.org/project/requests/) library will be tracked.

-```python

-import requests

-from opencensus.ext.azure.trace_exporter import AzureExporter

-from opencensus.trace import config_integration

-from opencensus.trace.samplers import ProbabilitySampler

-from opencensus.trace.tracer import Tracer

-config_integration.trace_integrations(['requests']) # <-- this line enables the requests integration

-tracer = Tracer(exporter=AzureExporter(connection_string="InstrumentationKey=<your-ikey-here>"), sampler=ProbabilitySampler(1.0))

-with tracer.span(name='parent'):

- response = requests.get(url='https://www.wikipedia.org/wiki/Rabbit') # <-- this request will be tracked

-```

-## Dependencies with "httplib" integration

-Track your outgoing requests with OpenCensus `httplib` integration.

-Download and install `opencensus-ext-httplib` from [PyPI](https://pypi.org/project/opencensus-ext-httplib/) and add it to the trace integrations. Requests sent using [http.client](https://docs.python.org/3.7/library/http.client.html) for Python3 or [httplib](https://docs.python.org/2/library/httplib.html) for Python2 will be tracked.

-```python

-import http.client as httplib

-from opencensus.ext.azure.trace_exporter import AzureExporter

-from opencensus.trace import config_integration

-from opencensus.trace.samplers import ProbabilitySampler

-from opencensus.trace.tracer import Tracer

-config_integration.trace_integrations(['httplib'])

-conn = httplib.HTTPConnection("www.python.org")

-tracer = Tracer(

- exporter=AzureExporter(),

- sampler=ProbabilitySampler(1.0)

-)

-conn.request("GET", "http://www.python.org", "", {})

-response = conn.getresponse()

-conn.close()

-```

-## Dependencies with "django" integration

-Track your outgoing Django requests with the OpenCensus `django` integration.

-> [!NOTE]

-> The only outgoing Django requests that are tracked are calls made to a database. For requests made to the Django application, see [incoming requests](./opencensus-python-request.md#track-django-applications).

-Download and install `opencensus-ext-django` from [PyPI](https://pypi.org/project/opencensus-ext-django/) and add the following line to the `MIDDLEWARE` section in the Django `settings.py` file.

-```python

-MIDDLEWARE = [

- ...

- 'opencensus.ext.django.middleware.OpencensusMiddleware',

-]

-```

-Additional configuration can be provided, read [customizations](https://github.com/census-instrumentation/opencensus-python#customization) for a complete reference.

-```python

-OPENCENSUS = {

- 'TRACE': {

- 'SAMPLER': 'opencensus.trace.samplers.ProbabilitySampler(rate=1)',

- 'EXPORTER': '''opencensus.ext.azure.trace_exporter.AzureExporter(

- connection_string="InstrumentationKey=<your-ikey-here>"

- )''',

- }

-}

-```

-You can find a Django sample application that uses dependencies in the Azure Monitor OpenCensus Python samples repository located [here](https://github.com/Azure-Samples/azure-monitor-opencensus-python/tree/master/azure_monitor/django_sample).

-## Dependencies with "mysql" integration

-Track your MYSQL dependencies with the OpenCensus `mysql` integration. This integration supports the [mysql-connector](https://pypi.org/project/mysql-connector-python/) library.

-Download and install `opencensus-ext-mysql` from [PyPI](https://pypi.org/project/opencensus-ext-mysql/) and add the following lines to your code.

-```python

-from opencensus.trace import config_integration

-config_integration.trace_integrations(['mysql'])

-```

-## Dependencies with "pymysql" integration

-Track your PyMySQL dependencies with the OpenCensus `pymysql` integration.

-Download and install `opencensus-ext-pymysql` from [PyPI](https://pypi.org/project/opencensus-ext-pymysql/) and add the following lines to your code.

-```python

-from opencensus.trace import config_integration

-config_integration.trace_integrations(['pymysql'])

-```

-## Dependencies with "postgresql" integration

-Track your PostgreSQL dependencies with the OpenCensus `postgresql` integration. This integration supports the [psycopg2](https://pypi.org/project/psycopg2/) library.

-Download and install `opencensus-ext-postgresql` from [PyPI](https://pypi.org/project/opencensus-ext-postgresql/) and add the following lines to your code.

-```python

-from opencensus.trace import config_integration

-config_integration.trace_integrations(['postgresql'])

-```

-## Dependencies with "pymongo" integration

-Track your MongoDB dependencies with the OpenCensus `pymongo` integration. This integration supports the [pymongo](https://pypi.org/project/pymongo/) library.

-Download and install `opencensus-ext-pymongo` from [PyPI](https://pypi.org/project/opencensus-ext-pymongo/) and add the following lines to your code.

-```python

-from opencensus.trace import config_integration

-config_integration.trace_integrations(['pymongo'])

-```

-### Dependencies with "sqlalchemy" integration

-Track your dependencies using SQLAlchemy using OpenCensus `sqlalchemy` integration. This integration tracks the usage of the [sqlalchemy](https://pypi.org/project/SQLAlchemy/) package, regardless of the underlying database.

-```python

-from opencensus.trace import config_integration

-config_integration.trace_integrations(['sqlalchemy'])

-```

-## Next steps

-* [Application Map](./app-map.md)

-* [Availability](./availability-overview.md)

-* [Search](./diagnostic-search.md)

-* [Log (Analytics) query](../logs/log-query-overview.md)

-* [Transaction diagnostics](./transaction-diagnostics.md)

-description: Monitor request calls for your Python apps via OpenCensus Python.

-# Track incoming requests with OpenCensus Python

-> [!NOTE]

-> [OpenCensus Python SDK is deprecated](https://opentelemetry.io/blog/2023/sunsetting-opencensus/), but Microsoft supports it until retirement on September 30, 2024. We now recommend the [OpenTelemetry-based Python offering](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-enable?tabs=python) and provide [migration guidance](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-python-opencensus-migrate?tabs=aspnetcore).

-OpenCensus Python and its integrations collect incoming request data. You can track incoming request data sent to your web applications built on top of the popular web frameworks Django, Flask, and Pyramid. Application Insights receives the data as `requests` telemetry.

-First, instrument your Python application with the latest [OpenCensus Python SDK](./opencensus-python.md).

-## Track Django applications

-1. Download and install `opencensus-ext-django` from [PyPI](https://pypi.org/project/opencensus-ext-django/). Instrument your application with the `django` middleware. Incoming requests sent to your Django application are tracked.

-1. Include `opencensus.ext.django.middleware.OpencensusMiddleware` in your `settings.py` file under `MIDDLEWARE`.

- ```python

- MIDDLEWARE = (

- ...

- 'opencensus.ext.django.middleware.OpencensusMiddleware',

- ...

- )

- ```

-1. Make sure AzureExporter is configured properly in your `settings.py` under `OPENCENSUS`. For requests from URLs that you don't want to track, add them to `EXCLUDELIST_PATHS`.

- ```python

- OPENCENSUS = {

- 'TRACE': {

- 'SAMPLER': 'opencensus.trace.samplers.ProbabilitySampler(rate=1)',

- 'EXPORTER': '''opencensus.ext.azure.trace_exporter.AzureExporter(

- connection_string="InstrumentationKey=<your-ikey-here>"

- )''',

- 'EXCLUDELIST_PATHS': ['https://example.com'], < These sites will not be traced if a request is sent to it.

- }

- }

- ```

-You can find a Django sample application in the [Azure Monitor OpenCensus Python samples repository](https://github.com/Azure-Samples/azure-monitor-opencensus-python/tree/master/azure_monitor/django_sample).

-## Track Flask applications

-1. Download and install `opencensus-ext-flask` from [PyPI](https://pypi.org/project/opencensus-ext-flask/). Instrument your application with the `flask` middleware. Incoming requests sent to your Flask application are tracked.

- ```python

-

- from flask import Flask

- from opencensus.ext.azure.trace_exporter import AzureExporter

- from opencensus.ext.flask.flask_middleware import FlaskMiddleware

- from opencensus.trace.samplers import ProbabilitySampler

-

- app = Flask(__name__)

- middleware = FlaskMiddleware(

- app,

- exporter=AzureExporter(connection_string="InstrumentationKey=<your-ikey-here>"),

- sampler=ProbabilitySampler(rate=1.0),

- )

-

- @app.route('/')

- def hello():

- return 'Hello World!'

-

- if __name__ == '__main__':

- app.run(host='localhost', port=8080, threaded=True)

-

- ```

-1. You can also configure your `flask` application through `app.config`. For requests from URLs that you don't want to track, add them to `EXCLUDELIST_PATHS`.

- ```python

- app.config['OPENCENSUS'] = {

- 'TRACE': {

- 'SAMPLER': 'opencensus.trace.samplers.ProbabilitySampler(rate=1.0)',

- 'EXPORTER': '''opencensus.ext.azure.trace_exporter.AzureExporter(

- connection_string="InstrumentationKey=<your-ikey-here>",

- )''',

- 'EXCLUDELIST_PATHS': ['https://example.com'], < These sites will not be traced if a request is sent to it.

- }

- }

- ```

-

- > [!NOTE]

- > To run Flask under uWSGI in a Docker environment, you must first add `lazy-apps = true` to the uWSGI configuration file (uwsgi.ini). For more information, see the [issue description](https://github.com/census-instrumentation/opencensus-python/issues/660).

-You can find a Flask sample application that tracks requests in the [Azure Monitor OpenCensus Python samples repository](https://github.com/Azure-Samples/azure-monitor-opencensus-python/tree/master/azure_monitor/flask_sample).

-## Track Pyramid applications

-1. Download and install `opencensus-ext-django` from [PyPI](https://pypi.org/project/opencensus-ext-pyramid/). Instrument your application with the `pyramid` tween. Incoming requests sent to your Pyramid application are tracked.

- ```python

- def main(global_config, **settings):

- config = Configurator(settings=settings)

-

- config.add_tween('opencensus.ext.pyramid'

- '.pyramid_middleware.OpenCensusTweenFactory')

- ```

-1. You can configure your `pyramid` tween directly in the code. For requests from URLs that you don't want to track, add them to `EXCLUDELIST_PATHS`.

- ```python

- settings = {

- 'OPENCENSUS': {

- 'TRACE': {

- 'SAMPLER': 'opencensus.trace.samplers.ProbabilitySampler(rate=1.0)',

- 'EXPORTER': '''opencensus.ext.azure.trace_exporter.AzureExporter(

- connection_string="InstrumentationKey=<your-ikey-here>",

- )''',

- 'EXCLUDELIST_PATHS': ['https://example.com'], < These sites will not be traced if a request is sent to it.

- }

- }

- }

- config = Configurator(settings=settings)

- ```

-## Track FastAPI applications

-1. The following dependencies are required:

- - [fastapi](https://pypi.org/project/fastapi/)

- - [uvicorn](https://pypi.org/project/uvicorn/)

- In a production setting, we recommend that you deploy [uvicorn with gunicorn](https://www.uvicorn.org/deployment/#gunicorn).

-2. Download and install `opencensus-ext-fastapi` from [PyPI](https://pypi.org/project/opencensus-ext-fastapi/).

- `pip install opencensus-ext-fastapi`

-3. Instrument your application with the `fastapi` middleware.

- ```python

- from fastapi import FastAPI

- from opencensus.ext.fastapi.fastapi_middleware import FastAPIMiddleware

- app = FastAPI(__name__)

- app.add_middleware(FastAPIMiddleware)

- @app.get('/')

- def hello():

- return 'Hello World!'

- ```

-4. Run your application. Calls made to your FastAPI application should be automatically tracked. Telemetry should be logged directly to Azure Monitor.

-## Next steps

-* [Application Map](./app-map.md)

-* [Availability](./availability-overview.md)

-* [Search](./diagnostic-search.md)

-* [Log Analytics query](../logs/log-query-overview.md)

-* [Transaction diagnostics](./transaction-diagnostics.md)

-description: This article provides instructions on how to wire up OpenCensus Python with Azure Monitor.

-# Set up Azure Monitor for your Python application

-> [!NOTE]

-> [OpenCensus Python SDK is deprecated](https://opentelemetry.io/blog/2023/sunsetting-opencensus/), but Microsoft supports it until retirement on September 30, 2024. We now recommend the [OpenTelemetry-based Python offering](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-enable?tabs=python) and provide [migration guidance](https://learn.microsoft.com/azure/azure-monitor/app/opentelemetry-python-opencensus-migrate?tabs=aspnetcore).

-Azure Monitor supports distributed tracing, metric collection, and logging of Python applications.

-Microsoft's supported solution for tracking and exporting data for your Python applications is through the [OpenCensus Python SDK](#introducing-opencensus-python-sdk) via the [Azure Monitor exporters](#instrument-with-opencensus-python-sdk-with-azure-monitor-exporters).

-Microsoft doesn't recommend using any other telemetry SDKs for Python as a telemetry solution because they're unsupported.

-OpenCensus is converging into [OpenTelemetry](https://opentelemetry.io/). We continue to recommend OpenCensus while OpenTelemetry gradually matures.

-## Prerequisites

-You need an Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.

-## Introducing OpenCensus Python SDK

-[OpenCensus](https://opencensus.io) is a set of open-source libraries to allow collection of distributed tracing, metrics, and logging telemetry. By using [Azure Monitor exporters](https://github.com/census-instrumentation/opencensus-python/tree/master/contrib/opencensus-ext-azure), you can send this collected telemetry to Application Insights. This article walks you through the process of setting up OpenCensus and Azure Monitor exporters for Python to send your monitoring data to Azure Monitor.

-## Instrument with OpenCensus Python SDK with Azure Monitor exporters

-Install the OpenCensus Azure Monitor exporters:

-```console

-python -m pip install opencensus-ext-azure

-```

-The SDK uses three Azure Monitor exporters to send different types of telemetry to Azure Monitor. They're `trace`, `metrics`, and `logs`. For more information on these telemetry types, see the [Data platform overview](../data-platform.md). Use the following instructions to send these telemetry types via the three exporters.

-## Telemetry type mappings

-OpenCensus maps the following exporters to the types of telemetry that you see in Azure Monitor.

-| Pillar of observability | Telemetry type in Azure Monitor | Explanation |

-|-||--|

-| Logs | Traces, exceptions, customEvents | Log telemetry, exception telemetry, event telemetry |

-| Metrics | customMetrics, performanceCounters | Custom metrics performance counters |

-| Tracing | Requests dependencies | Incoming requests, outgoing requests |

-### Logs

-1. First, let's generate some local log data.

- ```python

- import logging

- logger = logging.getLogger(__name__)

- def main():

- """Generate random log data."""

- for num in range(5):

- logger.warning(f"Log Entry - {num}")

- if __name__ == "__main__":

- main()

- ```

-1. A log entry is emitted for each number in the range.

- ```output

- Log Entry - 0

- Log Entry - 1

- Log Entry - 2

- Log Entry - 3

- Log Entry - 4

- ```

-1. We want to see this log data to Azure Monitor. You can specify it in an environment variable, `APPLICATIONINSIGHTS_CONNECTION_STRING`. You may also pass the connection_string directly into the `AzureLogHandler`, but connection strings shouldn't be added to version control.

- ```shell

- APPLICATIONINSIGHTS_CONNECTION_STRING=<appinsights-connection-string>

- ```

- We recommend using the connection string to instantiate the exporters that are used to send telemetry to Application Insights. Modify your code from the previous step based on the following code sample:

- ```python

- import logging

- from opencensus.ext.azure.log_exporter import AzureLogHandler

- logger = logging.getLogger(__name__)

- logger.addHandler(AzureLogHandler())

- # Alternatively manually pass in the connection_string

- # logger.addHandler(AzureLogHandler(connection_string=<appinsights-connection-string>))

- """Generate random log data."""

- for num in range(5):

- logger.warning(f"Log Entry - {num}")

- ```

-1. The exporter sends log data to Azure Monitor. You can find the data under `traces`.

- In this context, `traces` isn't the same as `tracing`. Here, `traces` refers to the type of telemetry that you see in Azure Monitor when you utilize `AzureLogHandler`. But `tracing` refers to a concept in OpenCensus and relates to [distributed tracing](./distributed-tracing.md).

- > [!NOTE]

- > The root logger is configured with the level of `warning`. That means any logs that you send that have less severity are ignored, and in turn, won't be sent to Azure Monitor. For more information, see [Logging documentation](https://docs.python.org/3/library/logging.html#logging.Logger.setLevel).

-1. You can also add custom properties to your log messages in the `extra` keyword argument by using the `custom_dimensions` field. These properties appear as key-value pairs in `customDimensions` in Azure Monitor.

- > [!NOTE]

- > For this feature to work, you need to pass a dictionary to the `custom_dimensions` field. If you pass arguments of any other type, the logger ignores them.

- ```python

- import logging

- from opencensus.ext.azure.log_exporter import AzureLogHandler

- logger = logging.getLogger(__name__)

- logger.addHandler(AzureLogHandler())

- # Alternatively manually pass in the connection_string

- # logger.addHandler(AzureLogHandler(connection_string=<appinsights-connection-string>))

- properties = {'custom_dimensions': {'key_1': 'value_1', 'key_2': 'value_2'}}

- # Use properties in logging statements

- logger.warning('action', extra=properties)

- ```

-> [!NOTE]

-> As part of using Application Insights instrumentation, we collect and send diagnostic data to Microsoft. This data helps us run and improve Application Insights. You have the option to disable non-essential data collection. To learn more, see [Statsbeat in Application Insights](./statsbeat.md).

-#### Configure logging for Django applications

-You can configure logging explicitly in your application code like the preceding for your Django applications, or you can specify it in Django's logging configuration. This code can go into whatever file you use for Django site's settings configuration, typically `settings.py`.

-For information on how to configure Django settings, see [Django settings](https://docs.djangoproject.com/en/4.0/topics/settings/). For more information on how to configure logging, see [Django logging](https://docs.djangoproject.com/en/4.0/topics/logging/).

-```json

-LOGGING = {

- "handlers": {

- "azure": {

- "level": "DEBUG",

- "class": "opencensus.ext.azure.log_exporter.AzureLogHandler",

- "connection_string": "<appinsights-connection-string>",

- },

- "console": {

- "level": "DEBUG",

- "class": "logging.StreamHandler",

- "stream": sys.stdout,

- },

- },

- "loggers": {

- "logger_name": {"handlers": ["azure", "console"]},

- },

-}

-```

-Be sure you use the logger with the same name as the one specified in your configuration.

-```python

-# views.py

-import logging

-from django.shortcuts import request

-logger = logging.getLogger("logger_name")

-logger.warning("this will be tracked")

-```

-#### Send exceptions

-OpenCensus Python doesn't automatically track and send `exception` telemetry. It's sent through `AzureLogHandler` by using exceptions through the Python logging library. You can add custom properties like you do with normal logging.

-```python

-import logging

-from opencensus.ext.azure.log_exporter import AzureLogHandler

-logger = logging.getLogger(__name__)

-logger.addHandler(AzureLogHandler())

-# Alternatively, manually pass in the connection_string

-# logger.addHandler(AzureLogHandler(connection_string=<appinsights-connection-string>))

-properties = {'custom_dimensions': {'key_1': 'value_1', 'key_2': 'value_2'}}

-# Use properties in exception logs

-try:

- result = 1 / 0 # generate a ZeroDivisionError

-except Exception:

- logger.exception('Captured an exception.', extra=properties)

-```

-Because you must log exceptions explicitly, it's up to you how to log unhandled exceptions. OpenCensus doesn't place restrictions on how to do this logging, but you must explicitly log exception telemetry.

-#### Send events

-You can send `customEvent` telemetry in exactly the same way that you send `trace` telemetry, except by using `AzureEventHandler` instead.

-```python

-import logging

-from opencensus.ext.azure.log_exporter import AzureEventHandler

-logger = logging.getLogger(__name__)

-logger.addHandler(AzureEventHandler())

-# Alternatively manually pass in the connection_string

-# logger.addHandler(AzureEventHandler(connection_string=<appinsights-connection-string>))

-logger.setLevel(logging.INFO)

-logger.info('Hello, World!')

-```

-#### Sampling

-For information on sampling in OpenCensus, see [Sampling in OpenCensus](sampling.md#configuring-fixed-rate-sampling-for-opencensus-python-applications).

-#### Log correlation

-For information on how to enrich your logs with trace context data, see OpenCensus Python [logs integration](distributed-tracing-telemetry-correlation.md#log-correlation).

-#### Modify telemetry

-For information on how to modify tracked telemetry before it's sent to Azure Monitor, see OpenCensus Python [telemetry processors](./api-filtering-sampling.md#opencensus-python-telemetry-processors).

-### Metrics

-OpenCensus.stats supports four aggregation methods but provides partial support for Azure Monitor:

-### Count aggregation example

-1. First, let's generate some local metric data. We create a metric to track the number of times the user selects the **Enter** key.

- ```python

- from datetime import datetime

- from opencensus.stats import aggregation as aggregation_module

- from opencensus.stats import measure as measure_module

- from opencensus.stats import stats as stats_module

- from opencensus.stats import view as view_module

- from opencensus.tags import tag_map as tag_map_module

- stats = stats_module.stats

- view_manager = stats.view_manager

- stats_recorder = stats.stats_recorder

- prompt_measure = measure_module.MeasureInt("prompts",

- "number of prompts",

- "prompts")

- prompt_view = view_module.View("prompt view",

- "number of prompts",

- [],

- prompt_measure,

- aggregation_module.CountAggregation())

- view_manager.register_view(prompt_view)

- mmap = stats_recorder.new_measurement_map()

- tmap = tag_map_module.TagMap()

- def main():

- for _ in range(4):

- mmap.measure_int_put(prompt_measure, 1)

- mmap.record(tmap)

- metrics = list(mmap.measure_to_view_map.get_metrics(datetime.utcnow()))

- print(metrics[0].time_series[0].points[0])

- if __name__ == "__main__":

- main()

- ```

-1. Metrics are created to track many times. With each entry, the value is incremented and the metric information appears in the console. The information includes the current value and the current time stamp when the metric was updated.

- ```output

- Point(value=ValueLong(5), timestamp=2019-10-09 20:58:04.930426)

- Point(value=ValueLong(6), timestamp=2019-10-09 20:58:05.170167)

- Point(value=ValueLong(7), timestamp=2019-10-09 20:58:05.438614)

- Point(value=ValueLong(7), timestamp=2019-10-09 20:58:05.834216)

- ```

-1. Entering values is helpful for demonstration purposes, but we want to emit the metric data to Azure Monitor. Pass your connection string directly into the exporter. Or you can specify it in an environment variable, `APPLICATIONINSIGHTS_CONNECTION_STRING`. We recommend using the connection string to instantiate the exporters that are used to send telemetry to Application Insights. Modify your code from the previous step based on the following code sample:

- ```python

- from datetime import datetime

- from opencensus.ext.azure import metrics_exporter

- from opencensus.stats import aggregation as aggregation_module

- from opencensus.stats import measure as measure_module

- from opencensus.stats import stats as stats_module

- from opencensus.stats import view as view_module

- from opencensus.tags import tag_map as tag_map_module

- stats = stats_module.stats

- view_manager = stats.view_manager

- stats_recorder = stats.stats_recorder

- prompt_measure = measure_module.MeasureInt("prompts",

- "number of prompts",

- "prompts")

- prompt_view = view_module.View("prompt view",

- "number of prompts",

- [],

- prompt_measure,

- aggregation_module.CountAggregation())

- view_manager.register_view(prompt_view)

- mmap = stats_recorder.new_measurement_map()

- tmap = tag_map_module.TagMap()

- exporter = metrics_exporter.new_metrics_exporter()

- # Alternatively manually pass in the connection_string

- # exporter = metrics_exporter.new_metrics_exporter(connection_string='<appinsights-connection-string>')

- view_manager.register_exporter(exporter)

- def main():

- for _ in range(10):

- input("Press enter.")

- mmap.measure_int_put(prompt_measure, 1)

- mmap.record(tmap)

- metrics = list(mmap.measure_to_view_map.get_metrics(datetime.utcnow()))

- print(metrics[0].time_series[0].points[0])

- if __name__ == "__main__":

- main()

- ```

-1. The exporter sends metric data to Azure Monitor at a fixed interval. You must set this value to 60 seconds as Application Insights backend assumes aggregation of metrics points on a 60-second time interval. We're tracking a single metric, so this metric data, with whatever value and time stamp it contains, is sent every interval. The data is cumulative, can only increase, and resets to 0 on restart.

- You can find the data under `customMetrics`, but the `customMetrics` properties `valueCount`, `valueSum`, `valueMin`, `valueMax`, and `valueStdDev` aren't effectively used.

-### Set custom dimensions in metrics

-The OpenCensus Python SDK allows you to add custom dimensions to your metrics telemetry by using `tags`, which are like a dictionary of key-value pairs.

-1. Insert the tags that you want to use into the tag map. The tag map acts like a sort of "pool" of all available tags you can use.

- ```python

- ...

- tmap = tag_map_module.TagMap()

- tmap.insert("url", "http://example.com")

- ...

- ```

-1. For a specific `View`, specify the tags you want to use when you're recording metrics with that view via the tag key.

- ```python

- ...

- prompt_view = view_module.View("prompt view",

- "number of prompts",

- ["url"], # <-- A sequence of tag keys used to specify which tag key/value to use from the tag map

- prompt_measure,

- aggregation_module.CountAggregation())

- ...

- ```

-1. Be sure to use the tag map when you're recording in the measurement map. The tag keys that are specified in the `View` must be found in the tag map used to record.

- ```python

- ...

- mmap = stats_recorder.new_measurement_map()

- mmap.measure_int_put(prompt_measure, 1)

- mmap.record(tmap) # <-- pass the tag map in here

- ...

- ```

-1. Under the `customMetrics` table, all metric records emitted by using `prompt_view` have custom dimensions `{"url":"http://example.com"}`.

-1. To produce tags with different values by using the same keys, create new tag maps for them.

- ```python

- ...

- tmap = tag_map_module.TagMap()

- tmap2 = tag_map_module.TagMap()

- tmap.insert("url", "http://example.com")

- tmap2.insert("url", "https://www.wikipedia.org/wiki/")

- ...

- ```

-#### Performance counters

-By default, the metrics exporter sends a set of performance counters to Azure Monitor. You can disable this capability by setting the `enable_standard_metrics` flag to `False` in the constructor of the metrics exporter.

-```python

-...

-exporter = metrics_exporter.new_metrics_exporter(

- enable_standard_metrics=False,

- )

-...

-```

-The following performance counters are currently sent:

-You should be able to see these metrics in `performanceCounters`. For more information, see [Performance counters](./performance-counters.md).

-#### Modify telemetry

-For information on how to modify tracked telemetry before it's sent to Azure Monitor, see OpenCensus Python [telemetry processors](./api-filtering-sampling.md#opencensus-python-telemetry-processors).

-### Tracing

-> [!NOTE]

-> In OpenCensus, `tracing` refers to [distributed tracing](./distributed-tracing.md). The `AzureExporter` parameter sends `requests` and `dependency` telemetry to Azure Monitor.

-1. First, let's generate some trace data locally. In Python IDLE, or your editor of choice, enter the following code:

- ```python

- from opencensus.trace.samplers import ProbabilitySampler

- from opencensus.trace.tracer import Tracer

- tracer = Tracer(sampler=ProbabilitySampler(1.0))

- def main():

- with tracer.span(name="test") as span:

- for value in range(5):

- print(value)

- if __name__ == "__main__":

- main()

- ```

-1. With each entry, the value is printed to the shell. The OpenCensus Python module generates a corresponding piece of `SpanData`. The OpenCensus project defines a [trace as a tree of spans](https://opencensus.io/core-concepts/tracing/).

-

- ```output

- 0

- [SpanData(name='test', context=SpanContext(trace_id=8aa41bc469f1a705aed1bdb20c342603, span_id=None, trace_options=TraceOptions(enabled=True), tracestate=None), span_id='15ac5123ac1f6847', parent_span_id=None, attributes=BoundedDict({}, maxlen=32), start_time='2019-06-27T18:21:22.805429Z', end_time='2019-06-27T18:21:44.933405Z', child_span_count=0, stack_trace=None, annotations=BoundedList([], maxlen=32), message_events=BoundedList([], maxlen=128), links=BoundedList([], maxlen=32), status=None, same_process_as_parent_span=None, span_kind=0)]

- 1

- [SpanData(name='test', context=SpanContext(trace_id=8aa41bc469f1a705aed1bdb20c342603, span_id=None, trace_options=TraceOptions(enabled=True), tracestate=None), span_id='2e512f846ba342de', parent_span_id=None, attributes=BoundedDict({}, maxlen=32), start_time='2019-06-27T18:21:44.933405Z', end_time='2019-06-27T18:21:46.156787Z', child_span_count=0, stack_trace=None, annotations=BoundedList([], maxlen=32), message_events=BoundedList([], maxlen=128), links=BoundedList([], maxlen=32), status=None, same_process_as_parent_span=None, span_kind=0)]

- 2

- [SpanData(name='test', context=SpanContext(trace_id=8aa41bc469f1a705aed1bdb20c342603, span_id=None, trace_options=TraceOptions(enabled=True), tracestate=None), span_id='f3f9f9ee6db4740a', parent_span_id=None, attributes=BoundedDict({}, maxlen=32), start_time='2019-06-27T18:21:46.157732Z', end_time='2019-06-27T18:21:47.269583Z', child_span_count=0, stack_trace=None, annotations=BoundedList([], maxlen=32), message_events=BoundedList([], maxlen=128), links=BoundedList([], maxlen=32), status=None, same_process_as_parent_span=None, span_kind=0)]

- ```

-1. Viewing the output is helpful for demonstration purposes, but we want to emit `SpanData` to Azure Monitor. Pass your connection string directly into the exporter. Or you can specify it in an environment variable, `APPLICATIONINSIGHTS_CONNECTION_STRING`. We recommend using the connection string to instantiate the exporters that are used to send telemetry to Application Insights. Modify your code from the previous step based on the following code sample:

- ```python

- from opencensus.ext.azure.trace_exporter import AzureExporter

- from opencensus.trace.samplers import ProbabilitySampler

- from opencensus.trace.tracer import Tracer

- tracer = Tracer(

- exporter=AzureExporter(),

- sampler=ProbabilitySampler(1.0),

- )

- # Alternatively manually pass in the connection_string

- # exporter = AzureExporter(

- # connection_string='<appinsights-connection-string>',

- # ...

- # )

-

- def main():

- with tracer.span(name="test") as span:

- for value in range(5):

- print(value)

- if __name__ == "__main__":

- main()

- ```

-1. Now when you run the Python script, only the value is being printed in the shell. The created `SpanData` is sent to Azure Monitor. You can find the emitted span data under `dependencies`.

- For more information about outgoing requests, see OpenCensus Python [dependencies](./opencensus-python-dependency.md). For more information on incoming requests, see OpenCensus Python [requests](./opencensus-python-request.md).

-#### Sampling

-For information on sampling in OpenCensus, see [Sampling in OpenCensus](sampling.md#configuring-fixed-rate-sampling-for-opencensus-python-applications).

-#### Trace correlation

-For more information on telemetry correlation in your trace data, see OpenCensus Python [telemetry correlation](distributed-tracing-telemetry-correlation.md#telemetry-correlation-in-opencensus-python).

-#### Modify telemetry

-For more information on how to modify tracked telemetry before it's sent to Azure Monitor, see OpenCensus Python [telemetry processors](./api-filtering-sampling.md#opencensus-python-telemetry-processors).

-## Configure Azure Monitor exporters

-As shown, there are three different Azure Monitor exporters that support OpenCensus. Each one sends different types of telemetry to Azure Monitor. To see what types of telemetry each exporter sends, see the following table.

-Each exporter accepts the same arguments for configuration, passed through the constructors. You can see information about each one here:

-|Exporter telemetry|Description|

-|:|:|

-`connection_string`| The connection string used to connect to your Azure Monitor resource. Takes priority over `instrumentation_key`.|

-`credential`| Credential class used by Azure Active Directory authentication. See the "Authentication" section that follows.|

-`enable_standard_metrics`| Used for `AzureMetricsExporter`. Signals the exporter to send [performance counter](../essentials/app-insights-metrics.md#performance-counters) metrics automatically to Azure Monitor. Defaults to `True`.|

-`export_interval`| Used to specify the frequency in seconds of exporting. Defaults to `15s`. For metrics, you MUST set it to 60 seconds or else your metric aggregations don't make sense in the metrics explorer.|

-`grace_period`| Used to specify the timeout for shutdown of exporters in seconds. Defaults to `5s`.|

-`instrumentation_key`| The instrumentation key used to connect to your Azure Monitor resource.|

-`logging_sampling_rate`| Used for `AzureLogHandler` and `AzureEventHandler`. Provides a sampling rate [0,1.0] for exporting logs/events. Defaults to `1.0`.|

-`max_batch_size`| Specifies the maximum size of telemetry that's exported at once.|

-`proxies`| Specifies a sequence of proxies to use for sending data to Azure Monitor. For more information, see [proxies](https://requests.readthedocs.io/en/latest/user/advanced/#proxies).|

-`storage_path`| A path to where the local storage folder exists (unsent telemetry). As of `opencensus-ext-azure` v1.0.3, the default path is the OS temp directory + `opencensus-python` + `your-ikey`. Prior to v1.0.3, the default path is `$USER` + `.opencensus` + `.azure` + `python-file-name`.|

-`timeout`| Specifies the networking timeout to send telemetry to the ingestion service in seconds. Defaults to `10s`.|

-## Integrate with Azure Functions

-To capture custom telemetry in Azure Functions environments, use the OpenCensus Python Azure Functions [extension](https://github.com/census-ecosystem/opencensus-python-extensions-azure/tree/main/extensions/functions#opencensus-python-azure-functions-extension). For more information, see the [Azure Functions Python developer guide](../../azure-functions/functions-reference-python.md#log-custom-telemetry).

-## Authentication (preview)

-> [!NOTE]

-> The authentication feature is available starting from `opencensus-ext-azure` v1.1b0.

-Each of the Azure Monitor exporters supports configuration of securely sending telemetry payloads via OAuth authentication with Azure Active Directory. For more information, see the [Authentication documentation](./azure-ad-authentication.md).

-## View your data with queries

-You can view the telemetry data that was sent from your application through the **Logs (Analytics)** tab.

-

-In the list under **Active**:

-For more information about how to use queries and logs, see [Logs in Azure Monitor](../logs/data-platform-logs.md).

-## Learn more about OpenCensus for Python

-* [OpenCensus Python on GitHub](https://github.com/census-instrumentation/opencensus-python)

-* [Customization](https://github.com/census-instrumentation/opencensus-python/blob/master/README.rst#customization)

-* [Azure Monitor exporters on GitHub](https://github.com/census-instrumentation/opencensus-python/tree/master/contrib/opencensus-ext-azure)

-* [OpenCensus integrations](https://github.com/census-instrumentation/opencensus-python#extensions)

-* [Azure Monitor sample applications](https://github.com/Azure-Samples/azure-monitor-opencensus-python/tree/master/azure_monitor)

-## Troubleshooting

-## Release Notes

-For the latest release notes, see [Python Azure Monitor Exporter](https://github.com/census-instrumentation/opencensus-python/blob/master/contrib/opencensus-ext-azure/CHANGELOG.md)

-Our [Service Updates](https://azure.microsoft.com/updates/?service=application-insights) also summarize major Application Insights improvements.

-## Next steps

-* To enable usage experiences, [enable web or browser user monitoring](javascript.md)

-* [Track incoming requests](./opencensus-python-dependency.md).

-* [Track outgoing requests](./opencensus-python-request.md).

-* Check out the [Application map](./app-map.md).

-* Learn how to do [End-to-end performance monitoring](../app/tutorial-performance.md).

-### Alerts

-* [Availability overview](./availability-overview.md): Create tests to make sure your site is visible on the web.

-* [Smart diagnostics](../alerts/proactive-diagnostics.md): These tests run automatically, so you don't have to do anything to set them up. They tell you if your app has an unusual rate of failed requests.

-* [Metric alerts](../alerts/alerts-log.md): Set alerts to warn you if a metric crosses a threshold. You can set them on custom metrics that you code into your app.

- credential: credential

- - [Python](./opencensus-python.md)

-The collection endpoint pre-aggregates events before ingestion sampling. For this reason, [ingestion sampling](./sampling.md) will never affect the accuracy of pre-aggregated metrics, regardless of the SDK version you use with your application.

-| Python | Not supported | Supported | Partially supported via [OpenCensus.stats](opencensus-python.md#metrics) |

-> The metrics implementation for Python by using OpenCensus.stats is different from GetMetric. For more information, see the [Python documentation on metrics](./opencensus-python.md#metrics).

-You can use pre-aggregation with custom metrics. The two main benefits are the ability to configure and alert on a dimension of a custom metric and reducing the volume of data sent from the SDK to the Application Insights collection endpoint.

-There are several [ways of sending custom metrics from the Application Insights SDK](./api-custom-events-metrics.md). If your version of the SDK offers [GetMetric and TrackValue](./api-custom-events-metrics.md#getmetric), these methods are the preferred way of sending custom metrics. In this case, pre-aggregation happens inside the SDK. This approach reduces the volume of data stored in Azure and also the volume of data transmitted from the SDK to Application Insights. Otherwise, use the [trackMetric](./api-custom-events-metrics.md#trackmetric) method, which will pre-aggregate metric events during data ingestion.

-Instrument your application with the latest [OpenCensus Azure Monitor exporters](./opencensus-python.md).

-* [Python](./opencensus-python.md)

-## Multi-line logging in Container Insights (preview)

-Additionally, the feature also adds support for .NET and Go stack traces, which appear as single entries instead of being split into multiple entries in ContainerLogV2 table.

-enabled = "true"

-To view data allocation benefits from sources such as [Microsoft Defender for Servers](https://azure.microsoft.com/pricing/details/defender-for-cloud/), [Microsoft Sentinel benefit for Microsoft 365 E5, A5, F5, and G5 customers](https://azure.microsoft.com/offers/sentinel-microsoft-365-offer/), or the [Sentinel Free Trial](https://azure.microsoft.com/pricing/details/microsoft-sentinel/), you need to export your usage details.

-Application-Insights|[Set up Azure Monitor for your Python application](app/opencensus-python.md)|Updated telemetry type mappings code sample.|

-|[Dependency tracking in Application Insights with OpenCensus Python](app/opencensus-python-dependency.md)|Updated Django sample application and documentation in the Azure Monitor OpenCensus Python samples repository.|

-|[Incoming request tracking in Application Insights with OpenCensus Python](app/opencensus-python-request.md)|Updated Django sample application and documentation in the Azure Monitor OpenCensus Python samples repository.|

-|[Monitor Python applications with Azure Monitor](app/opencensus-python.md)|Updated Django sample application and documentation in the Azure Monitor OpenCensus Python samples repository.|

-> Once a volume has exceeded a `maxfiles` limit, you cannot reduce volume size below the quota corresponding to that `maxfiles` limit even if you have reduced the actual used file count. For example, if you have crossed the 63,753,378 `maxfiles` limit, the volume quota cannot be reduced below its corresponding index of 2 TiB.

-Hybrid connections event log JSON strings include the elements listed in the following table:

-# About Enhanced soft delete for Azure Backup (preview)

-## Supported regions

-[Configure and manage enhanced soft delete for Azure Backup (preview)](backup-azure-enhanced-soft-delete-configure-manage.md).

-# Configure and manage enhanced soft delete in Azure Backup (preview)

-Soft delete of recovery points helps you recover any recovery points that are accidentally or maliciously deleted for some operations that could lead to deletion of one or more recovery points. Recovery points don't move to soft-deleted state immediately and have a *24 hour SLA* (same as before). The example here shows recovery points that were deleted as part of backup policy modifications.

-[Soft delete of recovery points](backup-azure-enhanced-soft-delete-about.md#soft-delete-of-recovery-points), a part of enhanced soft delete is currently available in selected Azure regions. [Learn more](backup-azure-enhanced-soft-delete-about.md#supported-regions) on the region availability.

- :::image type="content" source="./media/backup-azure-enhanced-soft-delete/select-restore-point-for-soft-delete.png" alt-text="Screenshot shows to filter recovery points for soft delete.":::

-You can *undelete* recovery points that are in soft deleted state so that they can last till their expiry by modifying the policy again to increase the retention of backups.

-[About Enhanced soft delete for Azure Backup (preview)](backup-azure-enhanced-soft-delete-about.md).

-# Quickstart: Enable protection using Multi-user authorization on Recovery Services vault in Azure Backup

-Multi-user authorization (MUA) for Azure Backup allows you to add an additional layer of protection to critical operations on your Recovery Services vaults. For MUA, Azure Backup uses another Azure resource called the Resource Guard to ensure critical operations are performed only with applicable authorization. Learn about [MUA concepts](multi-user-authorization-concept.md).

-The Backup admin now has the Reader role on the Resource Guard and can easily enable multi-user authorization on vaults managed by them.

-Follow these steps:

-1. Go to the Recovery Services vault.

-1. Go to **Properties** on the left navigation panel, then to **Multi-User Authorization** and click **Update**.

-1. The option to enable MUA appears. Choose a Resource Guard using one of the following ways:

- 1. You can either specify the URI of the Resource Guard, make sure you specify the URI of a Resource Guard you have **Reader** access to and that is the same regions as the vault. You can find the URI (Resource Guard ID) of the Resource Guard in its **Overview** screen:

- 1. Or, you can select the Resource Guard from the list of Resource Guards you have **Reader** access to, and those available in the region.

- 1. Click on the dropdown and select the directory the Resource Guard is in.

- 1. Click **Authenticate** to validate your identity and access.

-1. Click **Save** once done to enable MUA.

-# Multi-user authorization using Resource Guard

->Multi-user authorization using Resource Guard for Backup vault is in preview.

-# [Backup vault (preview)](#tab/backup-vault)

-Vault and Resource Guard are **in the same subscription.** </br> The Backup admin does't have access to the Resource Guard. | Least isolation between the Backup admin and the Security admin. | Relatively easy to implement since only one subscription is required. | Resource level permissions/ roles need to be ensured are correctly assigned.

-description: In this tutorial, you'll learn about how create a resource guard and enable Multi-user authorization on Recovery Services vault for Azure Backup.

-This tutorial describes how to create a Resource Guard and enable Multi-user authorization on a Recovery Services vault. This adds an additional layer of protection to critical operations on your Recovery Services vaults.

-This tutorial includes the following:

->[!div class="checklist"]

->- Prerequisies

->- Create a Resource Guard

->- Enable MUA on a Recovery Services vault

-> Multi-user authorization for Azure Backup is available in all public Azure regions.

->The **Security admin** creates the Resource Guard. We recommend that you create it in a **different subscription** or a **different tenant** as the vault. However, it should be in the **same region** as the vault. The Backup admin must **NOT** have *contributor* access on the Resource Guard or the subscription that contains it.

->Create the Resource Guard in a tenant different from the vault tenant.

-Follow these steps:

- - Click **Create** to start creating a Resource Guard.

- - In the create blade, fill in the required details for this Resource Guard.

-1. Click **Review + Create**.

-1. Follow notifications for status and successful creation of the Resource Guard.

->[!Note]

->Choose the operations you want to protect using the Resource Guard out of all supported critical operations. By default, all supported critical operations are enabled. However, you can exempt certain operations from falling under the purview of MUA using Resource Guard. The security admin can perform the following steps:

-Follow these steps:

-1. In the Resource Guard created above, go to **Properties**.

->[!Note]

->To enable MUA on a vault, the admin of the vault must have **Reader** role on the Resource Guard or subscription containing the Resource Guard. To assign the **Reader** role on the Resource Guard:

-Follow these steps:

-1. Select **Reader** from the list of built-in roles and click **Next** on the bottom of the screen.

-## Enable MUA on a Recovery Services vault

->[!Note]

->The Backup admin now has the Reader role on the Resource Guard and can easily enable multi-user authorization on vaults managed by them and performs the following steps.

-1. Go to **Properties** on the left navigation panel, then to **Multi-User Authorization** and click **Update**.

- 1. Click on the dropdown and select the directory the Resource Guard is in.

- 1. Click **Authenticate** to validate your identity and access.

-1. Click **Save** once done to enable MUA.

-This document includes the following sections:

->[!div class="checklist"]

->- Before you start

->- Testing scenarios

->- Create a Resource Guard

->- Enable MUA on a Recovery Services vault

->- Protected operations on a vault using MUA

->- Authorize critical operations on a vault

->- Disable MUA on a Recovery Services vault

-> Multi-user authorization for Azure Backup is available in all public Azure regions.

-1. Search for **Resource Guards** in the search bar and select the corresponding item from the drop-down list.

- :::image type="content" source="./media/multi-user-authorization/resource-guards-preview-inline.png" alt-text="Screenshot showing resource guards." lightbox="./media/multi-user-authorization/resource-guards-preview-expanded.png":::

-1. Select **Review + Create**.

- Follow notifications for status and successful creation of the Resource Guard.

-1. In the Resource Guard created above, go to **Properties**.

-1. Select **Reader** from the list of built-in roles and select **Next** on the bottom of the screen.

-1. Go to the Recovery Services vault. Go to **Properties** on the left navigation panel, then to **Multi-User Authorization** and click **Update**.

- 1. You can either specify the URI of the Resource Guard, make sure you specify the URI of a Resource Guard you have **Reader** access to and that is the same regions as the vault. You can find the URI (Resource Guard ID) of the Resource Guard in its **Overview** screen:

- 1. Or, you can select the Resource Guard from the list of Resource Guards you have **Reader** access to, and those available in the region.

- 1. Click on the dropdown and select the directory the Resource Guard is in.

- 1. Click **Authenticate** to validate your identity and access.

-## Authorize critical (protected) operations using Azure AD Privileged Identity Management

-### Create an eligible assignment for the Backup admin (if using Azure AD Privileged Identity Management)

-1. If the setting named **Approvers** shows *None* or displays incorrect approvers, select **Edit** to add the reviewers who would need to review and approve the activation request for the Contributor role.

-This article describes how to configure Multi-user authorization (MUA) for Azure Backup to add an additional layer of protection to critical operations on your Backup vault (preview).

->[!Note]

->Multi-user authorization using Resource Guard for Backup vault is in preview.

-This document includes the following sections:

->[!div class="checklist"]

->- Before you start

->- Testing scenarios

->- Create a Resource Guard

->- Enable MUA on a Backup vault

->- Protected operations on a vault using MUA

->- Authorize critical operations on a vault

->- Disable MUA on a Backup vault

->Multi-user authorization for Azure Backup is available in all public Azure regions.

-1. Search for **Resource Guards** in the search bar and select the corresponding item from the drop-down list.

- :::image type="content" source="./media/multi-user-authorization/resource-guards-preview-inline.png" alt-text="Screenshot showing resource guards for Backup vault." lightbox="./media/multi-user-authorization/resource-guards-preview-expanded.png":::

- - Ensure that the Resource Guard is in the same Azure regions as the Backup vault.

-1. Select **Review + Create** and then follow the notifications to monitor the status and a successful creation of the Resource Guard.

- You can't disable the **Remove MUA protection** operation.

-1. Select **Reader** from the list of built-in roles and select **Next** on the bottom of the screen.

- - You can either specify the URI of the Resource Guard. Ensure that you specify the URI of a Resource Guard you have **Reader** access to and it's in the same regions as the vault. You can find the URI (Resource Guard ID) of the Resource Guard on its **Overview** page.

- 1. Select the drop-down and select the directory the Resource Guard is in.

-## Authorize critical (protected) operations using Azure AD Privileged Identity Management

-There are scenarios where you may need to perform critical operations on your backups and you can perform them with the right approvals or permissions with MUA. The following sections explain on how to authorize the critical operation requests using Privileged Identity Management (PIM).

->We recommend to use the Azure AD PIM. However, you can also use manual or custom methods to manage access for the Backup admin on the Resource Guard. To manually manage access to the Resource Guard, use the *Access control (IAM)* setting on the left pane of the Resource Guard and grant the **Contributor** role to the Backup admin.

-### Create an eligible assignment for the Backup admin using Azure AD Privileged Identity Management

-1. Select **Edit** to add the reviewers who must review and approve the activation request for the *Contributor* role in case you find that Approvers show *None* or displays incorrect approvers.

-1. Select security options, such as Multi Factor Authentication (MFA), Mandating ticket. to activate *Contributor* role.

-1. Select **Update** to complete the set-up of approvers to activate *Contributor* role.

-1. In the security tenant, go to [Azure AD Privileged Identity Management.](../active-directory/privileged-identity-management/pim-configure.md).

-description: Learn about new features in Azure Backup.

-This article provides service limits for Azure Chaos Studio Preview.

-Chaos Studio applies limits to the number of objects, duration of activities, and retention of data.

-| Limit | Value |

-|--|--|

-| Actions per experiment | 9 |

-| Branches per experiment | 9 |

-| Steps per experiment | 4 |

-| Action duration (hours) | 12 |

-| Concurrent experiments executing per region and subscription | 5 |

-| Total experiment duration (hours) | 12 |

-| Number of experiments per region and subscription | 500 |

-| Number of targets per action | 50 |

-| Number of active agents per target | 1,000 |

-| Number of targets per region and subscription | 10,000 |

-Chaos Studio applies limits to all Azure Resource Manager operations. Requests made over the limit are throttled. All request limits are applied for a five-minute interval unless otherwise specified.

-Using the advanced option, you can associate existing resources. When selecting a Cloud Shell region,

-you must select a backing storage account co-located in the same region. For example, if your

-assigned region is West US then you must associate a fileshare that resides within West US as well.

-When the storage setup prompt appears, select **Show advanced settings** to view more options. The

-populated storage options filter for locally redundant storage (LRS), geo-redundant storage (GRS),

-and zone-redundant storage (ZRS) accounts.

-Customers should choose a primary region, unless they have a requirement that their data at rest be

-stored in a particular region. If they have such a requirement, a secondary storage region should be

-used.

-Storage accounts that you create in Cloud Shell are tagged with

-`ms-resource-usage:azure-cloud-shell`. If you want to disallow users from creating storage accounts

-in Cloud Shell, create an [Azure resource policy for tags][02] that is triggered by this specific

-tag.

-# Deploy Azure Cloud Shell in a VNET with quickstart templates

-Before you can deploy Azure Cloud Shell in a virtual network (VNET) configuration using the

-## Steps to deploy Azure Cloud Shell in a VNET

-This article walks you through the following steps to deploy Azure Cloud Shell in a VNET:

-1. Provision the virtual networks using the **Azure Cloud Shell - VNet** ARM template

-1. Provision the VNET storage account using the **Azure Cloud Shell - VNet storage** ARM template

-1. Configure and use Azure Cloud Shell in a VNET

-necessary resources. You should create dedicated resources for the Azure Cloud Shell VNET

- Cloud Shell VNET deployment

-To configure the VNET for Cloud Shell using the quickstarts, retrieve the `Azure Container Instance`

-## 2. Provision the virtual network using the ARM template

-with the subnets, require valid IP address assignments.

- Shell VNET

-| Existing VNET Name | Fill in the value from the prerequisite information you gathered.<br>For this example, we're using `vnet-cloudshell-eastus`. |

-## 3. Provision the VNET storage using the ARM template

-network. The template creates the storage account and assigns it to the private VNET.

- Shell VNET.

-| Existing VNET Name | For this example, we're using `vnet-cloudshell-eastus`. |

-After deploying your private Cloud Shell instance, each Cloud Shell user must change their

-Azure Cloud Shell has a limit of 20 concurrent users per tenant per region. Opening more than 20

-simultaneous sessions produces a "Tenant User Over Quota" error. If you have a legitimate need to

-have more than 20 sessions open, such as for training sessions, contact Support to request a quota

-increase before your anticipated usage.

- - In Bash, run `env` to find your region set as `ACC_LOCATION`.

-[05]: persisting-shell-storage.md#mount-a-new-clouddrive

-## Enable interoperability in your Teams tenant

-Azure AD user with [Teams administrator role](../../../active-directory/roles/permissions-reference.md#teams-administrator) can run PowerShell cmdlet with MicrosoftTeams module to enable the Communication Services resource in the tenant.

-### 1. Prepare the Microsoft Teams module

-First, open the PowerShell and validate the existence of the Teams module with the following command:

-```script

-Get-module *teams*

-```

-If you don't see the `MicrosoftTeams` module, install it first. To install the module, you need to run PowerShell as an administrator. Then run the following command:

-```script

- Install-Module -Name MicrosoftTeams

-```

-You'll be informed about the modules that will be installed, which you can confirm with a `Y` or `A` answer. If the module is installed but is outdated, you can run the following command to update the module:

-```script

- Update-Module MicrosoftTeams

-```

-### 2. Connect to Microsoft Teams module

-When the module is installed and ready, you can connect to the MicrosftTeams module with the following command. You'll be prompted with an interactive window to log in. The user account that you're going to use needs to have Teams administrator permissions. Otherwise, you might get an `access denied` response in the next steps.

-```script

-Connect-MicrosoftTeams

-```

-### 3. Enable tenant configuration

-Interoperability with Communication Services resources is controlled via tenant configuration and assigned policy. Teams tenant has a single tenant configuration, and Teams users have assigned global policy or custom policy. The following table shows possible scenarios and impacts on interoperability.

-| Tenant configuration | Global policy | Custom policy | Assigned policy | Interoperability |

-| | | | | |

-| True | True | True | Global | **Enabled** |

-| True | True | True | Custom | **Enabled** |

-| True | True | False | Global | **Enabled** |

-| True | True | False | Custom | Disabled |

-| True | False | True | Global | Disabled |

-| True | False | True | Custom | **Enabled** |

-| True | False | False | Global | Disabled |

-| True | False | False | Custom | Disabled |

-| False | True | True | Global | Disabled |

-| False | True | True | Custom | Disabled |

-| False | True | False | Global | Disabled |

-| False | True | False | Custom | Disabled |

-| False | False | True | Global | Disabled |

-| False | False | True | Custom | Disabled |

-| False | False | False | Global | Disabled |

-| False | False | False | Custom | Disabled |

-After successful login, you can run the cmdlet [Set-CsTeamsAcsFederationConfiguration](/powershell/module/teams/set-csteamsacsfederationconfiguration) to enable Communication Services resource in your tenant. Replace the text `IMMUTABLE_RESOURCE_ID` with an immutable resource ID in your communication resource. You can find more details on how to get this information [here](../troubleshooting-info.md#getting-immutable-resource-id).

-```script

-$allowlist = @('IMMUTABLE_RESOURCE_ID')

-Set-CsTeamsAcsFederationConfiguration -EnableAcsUsers $True -AllowedAcsResources $allowlist

-```

-### 4. Enable tenant policy

-Each Teams user has assigned an `External Access Policy` that determines whether Communication Services users can call this Teams user. Use cmdlet

-[Set-CsExternalAccessPolicy](/powershell/module/skype/set-csexternalaccesspolicy) to ensure that the policy assigned to the Teams user has set `EnableAcsFederationAccess` to `$true`

-```script

-Set-CsExternalAccessPolicy -Identity Global -EnableAcsFederationAccess $true

-```

-In this article, you'll learn how to implement Microsoft Teams spotlight capability with Azure Communication Services Calling SDKs. This capability allows users in the call or meeting to pin and unpin videos for everyone.

-Communication Services or Microsoft 365 users can call the spotlight APIs based on role type and conversation type

-**In a one to one call or group call scenario, the following APIs are supported for both Communication Services and Microsoft 365 users**

-|APIs| Organizer | Presenter | Attendee |

-|-|--|--|--|

-| startSpotlight | ✔️ | ✔️ | ✔️ |

-| stopSpotlight | ✔️ | ✔️ | ✔️ |

-| stopAllSpotlight | ✔️ | ✔️ | ✔️ |

-| getSpotlightedParticipants | ✔️ | ✔️ | ✔️ |

-**For meeting scenario the following APIs are supported for both Communication Services and Microsoft 365 users**

-|APIs| Organizer | Presenter | Attendee |

-|-|--|--|--|

-| startSpotlight | ✔️ | ✔️ | |

-| stopSpotlight | ✔️ | ✔️ | ✔️ |

-| stopAllSpotlight | ✔️ | ✔️ | |

-| getSpotlightedParticipants | ✔️ | ✔️ | ✔️ |

-* **Internal environment**: An internal container app environment on the workload profiles environment that's integrated with a custom virtual network. When you create an internal container app environment, your container app environment has no public IP addresses, and all traffic is routed through the virtual network. For more information, see the [guide for how to create a container app environment on the workload profiles environment](./workload-profiles-manage-cli.md).

- --image UbuntuLTS \

-If you are using management plane operations, see [role-based access control](../role-based-access-control.md) applied to your management plane operations article.

-A resource is a collection or database to which we are applying access control rules.

-An additional column called `userId` has been added to the `MongoRequests` table in the Azure Portal Diagnostics feature. This column will identify which user performed which data plan operation. The value in this column is empty when RBAC is not enabled.

-These roles already exist on every database and do not need to be created.

-3. Enable the RBAC capability on your existing API for MongoDB database account. You'll need to [add the capability](how-to-configure-capabilities.md) "EnableMongoRoleBasedAccessControl" to your database account. RBAC can also be enabled via the features tab in the Azure portal instead.

-Azure portal support for role management is not available. However, RBAC can be enabled via the features tab in the Azure portal.

-* [Data encryption at rest using customer managed keys](./concepts-customer-managed-keys.md)

-The versions of each extension installed in a cluster sometimes differ based on the version of PostgreSQL (11, 12, or 13). The tables list extension versions per database version.

-> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

-> ||||||

-> | [citus](https://github.com/citusdata/citus) | Citus distributed database. | 9.5.12 | 10.2.9 | 11.3.0 | 12.0.0 | 12.0.0 |

-> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

-> ||||||

-> | [citext](https://www.postgresql.org/docs/current/static/citext.html) | Provides a case-insensitive character string type. | 1.5 | 1.6 | 1.6 | 1.6 | 1.6 |

-> | [cube](https://www.postgresql.org/docs/current/static/cube.html) | Provides a data type for multidimensional cubes. | 1.4 | 1.4 | 1.4 | 1.5 | 1.5 |

-> | [hll](https://github.com/citusdata/postgresql-hll) | Provides a HyperLogLog data structure. | 2.16 | 2.16 | 2.16 | 2.16 | 2.16 |

-> | [hstore](https://www.postgresql.org/docs/current/static/hstore.html) | Provides a data type for storing sets of key-value pairs. | 1.5 | 1.6 | 1.7 | 1.8 | 1.8 |

-> | [isn](https://www.postgresql.org/docs/current/static/isn.html) | Provides data types for international product numbering standards. | 1.2 | 1.2 | 1.2 | 1.2 | 1.2 |

-> | [lo](https://www.postgresql.org/docs/current/lo.html) | Large Object maintenance. | 1.1 | 1.1 | 1.1 | 1.1 | 1.1 |

-> | [ltree](https://www.postgresql.org/docs/current/static/ltree.html) | Provides a data type for hierarchical tree-like structures. | 1.1 | 1.1 | 1.2 | 1.2 | 1.2 |

-> | [seg](https://www.postgresql.org/docs/current/seg.html) | Data type for representing line segments or floating-point intervals. | 1.3 | 1.3 | 1.3 | 1.4 | 1.4 |

-> | [tdigest](https://github.com/tvondra/tdigest) | Data type for on-line accumulation of rank-based statistics such as quantiles and trimmed means. | 1.4.0 | 1.4.0 | 1.4.0 | 1.4.0 | 1.4.0 |

-> | [topn](https://github.com/citusdata/postgresql-topn/) | Type for top-n JSONB. | 2.5.0 | 2.5.0 | 2.5.0 | 2.5.0 | 2.5.0 |

-> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

-> ||||||

-> | [dict\_int](https://www.postgresql.org/docs/current/static/dict-int.html) | Provides a text search dictionary template for integers. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

-> | [dict\_xsyn](https://www.postgresql.org/docs/current/dict-xsyn.html) | Text search dictionary template for extended synonym processing. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

-> | [unaccent](https://www.postgresql.org/docs/current/static/unaccent.html) | A text search dictionary that removes accents (diacritic signs) from lexemes. | 1.1 | 1.1 | 1.1 | 1.1 | 1.1 |

-> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

-> ||||||

-> | [autoinc](https://www.postgresql.org/docs/current/contrib-spi.html#id-1.11.7.45.7) | Functions for autoincrementing fields. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

-> | [earthdistance](https://www.postgresql.org/docs/current/static/earthdistance.html) | Provides a means to calculate great-circle distances on the surface of the Earth. | 1.1 | 1.1 | 1.1 | 1.1 | 1.1 |

-> | [fuzzystrmatch](https://www.postgresql.org/docs/current/static/fuzzystrmatch.html) | Provides several functions to determine similarities and distance between strings. | 1.1 | 1.1 | 1.1 | 1.1 | 1.1 |

-> | [insert\_username](https://www.postgresql.org/docs/current/contrib-spi.html#id-1.11.7.45.8) | Functions for tracking who changed a table. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

-> | [intagg](https://www.postgresql.org/docs/current/intagg.html) | Integer aggregator and enumerator (obsolete). | 1.1 | 1.1 | 1.1 | 1.1 | 1.1 |

-> | [intarray](https://www.postgresql.org/docs/current/static/intarray.html) | Provides functions and operators for manipulating null-free arrays of integers. | 1.2 | 1.2 | 1.3 | 1.5 | 1.5 |

-> | [moddatetime](https://www.postgresql.org/docs/current/contrib-spi.html#id-1.11.7.45.9) | Functions for tracking last modification time. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

-> | [pg\_partman](https://pgxn.org/dist/pg_partman/doc/pg_partman.html) | Manages partitioned tables by time or ID. | 4.7.3 | 4.7.3 | 4.7.3 | 4.7.3 | 4.7.3 |

-> | [pg\_surgery](https://www.postgresql.org/docs/current/pgsurgery.html) | Functions to perform surgery on a damaged relation. | | | | 1.0 | 1.0 |

-> | [pg\_trgm](https://www.postgresql.org/docs/current/static/pgtrgm.html) | Provides functions and operators for determining the similarity of alphanumeric text based on trigram matching. | 1.4 | 1.4 | 1.5 | 1.6 | 1.6 |

-> | [pgcrypto](https://www.postgresql.org/docs/current/static/pgcrypto.html) | Provides cryptographic functions. | 1.3 | 1.3 | 1.3 | 1.3 | 1.3 |

-> | [refint](https://www.postgresql.org/docs/current/contrib-spi.html#id-1.11.7.45.5) | Functions for implementing referential integrity (obsolete). | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

-> | [tablefunc](https://www.postgresql.org/docs/current/static/tablefunc.html) | Provides functions that manipulate whole tables, including crosstab. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

-> | [tcn](https://www.postgresql.org/docs/current/tcn.html) | Triggered change notifications. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

-> | [uuid-ossp](https://www.postgresql.org/docs/current/static/uuid-ossp.html) | Generates universally unique identifiers (UUIDs). | 1.1 | 1.1 | 1.1 | 1.1 | 1.1 |

-> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

-> ||||||

-> | [bloom](https://www.postgresql.org/docs/current/bloom.html) | Bloom access method - signature file-based index. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

-> | [btree\_gin](https://www.postgresql.org/docs/current/static/btree-gin.html) | Provides sample GIN operator classes that implement B-tree-like behavior for certain data types. | 1.3 | 1.3 | 1.3 | 1.3 | 1.3 |

-> | [btree\_gist](https://www.postgresql.org/docs/current/static/btree-gist.html) | Provides GiST index operator classes that implement B-tree. | 1.5 | 1.5 | 1.5 | 1.6 | 1.7 |

-> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

-> ||||||

-> | [plpgsql](https://www.postgresql.org/docs/current/static/plpgsql.html) | PL/pgSQL loadable procedural language. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

-> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

-> ||||||

-> | [amcheck](https://www.postgresql.org/docs/current/amcheck.html) | Functions for verifying relation integrity. | 1.1 | 1.2 | 1.2 | 1.3 | 1.3 |

-> | [dblink](https://www.postgresql.org/docs/current/dblink.html) | A module that supports connections to other PostgreSQL databases from within a database session. See the "dblink and postgres_fdw" section for information about this extension. | 1.2 | 1.2 | 1.2 | 1.2 | 1.2 |

-> | [old\_snapshot](https://www.postgresql.org/docs/current/oldsnapshot.html) | Allows inspection of the server state that is used to implement old_snapshot_threshold. | | | | 1.0 | 1.0 |

-> | [pageinspect](https://www.postgresql.org/docs/current/pageinspect.html) | Inspect the contents of database pages at a low level. | 1.7 | 1.7 | 1.8 | 1.9 | 1.10 |

-> | [pg\_azure\_storage](howto-ingest-azure-blob-storage.md) | Azure integration for PostgreSQL. | | | 1.2 | 1.2 | 1.2 |

-> | [pg\_buffercache](https://www.postgresql.org/docs/current/static/pgbuffercache.html) | Provides a means for examining what's happening in the shared buffer cache in real time. | 1.3 | 1.3 | 1.3 | 1.3 | 1.3 |

-> | [pg\_cron](https://github.com/citusdata/pg_cron) | Job scheduler for PostgreSQL. | 1.5 | 1.5 | 1.5 | 1.5 | 1.5 |

-> | [pg\_freespacemap](https://www.postgresql.org/docs/current/pgfreespacemap.html) | Examine the free space map (FSM). | 1.2 | 1.2 | 1.2 | 1.2 | 1.2 |

-> | [pg\_prewarm](https://www.postgresql.org/docs/current/static/pgprewarm.html) | Provides a way to load relation data into the buffer cache. | 1.2 | 1.2 | 1.2 | 1.2 | 1.2 |

-> | [pg\_stat\_statements](https://www.postgresql.org/docs/current/static/pgstatstatements.html) | Provides a means for tracking execution statistics of all SQL statements executed by a server. See the "pg_stat_statements" section for information about this extension. | 1.6 | 1.7 | 1.8 | 1.9 | 1.10 |

-> | [pg\_visibility](https://www.postgresql.org/docs/current/pgvisibility.html) | Examine the visibility map (VM) and page-level visibility information. | 1.2 | 1.2 | 1.2 | 1.2 | 1.2 |

-> | [pgrowlocks](https://www.postgresql.org/docs/current/static/pgrowlocks.html) | Provides a means for showing row-level locking information. | 1.2 | 1.2 | 1.2 | 1.2 | 1.2 |

-> | [pgstattuple](https://www.postgresql.org/docs/current/static/pgstattuple.html) | Provides a means for showing tuple-level statistics. | 1.5 | 1.5 | 1.5 | 1.5 | 1.5 |

-> | [postgres\_fdw](https://www.postgresql.org/docs/current/static/postgres-fdw.html) | Foreign-data wrapper used to access data stored in external PostgreSQL servers. See the "dblink and postgres_fdw" section for information about this extension.| 1.0 | 1.0 | 1.0 | 1.1 | 1.1 |

-> | [sslinfo](https://www.postgresql.org/docs/current/sslinfo.html) | Information about TLS/SSL certificates. | 1.2 | 1.2 | 1.2 | 1.2 | 1.2 |

-> | [tsm\_system\_rows](https://www.postgresql.org/docs/current/tsm-system-rows.html) | TABLESAMPLE method, which accepts number of rows as a limit. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

-> | [tsm\_system\_time](https://www.postgresql.org/docs/current/tsm-system-time.html) | TABLESAMPLE method, which accepts time in milliseconds as a limit. | 1.0 | 1.0 | 1.0 | 1.0 | 1.0 |

-> | [xml2](https://www.postgresql.org/docs/current/xml2.html) | XPath querying and XSLT. | 1.1 | 1.1 | 1.1 | 1.1 | 1.1 |

-> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

-> ||||||

-> [pgvector](https://github.com/pgvector/pgvector#installation-notes) | Open-source vector similarity search for Postgres | 0.4.4 | 0.4.4 | 0.4.4 | 0.4.4 | 0.4.4 |

-> | **Extension** | **Description** | **PG 11** | **PG 12** | **PG 13** | **PG 14** | **PG 15** |

-> ||||||

-> | [PostGIS](https://www.postgis.net/) | Spatial and geographic objects for PostgreSQL. | 3.3.4 | 3.4.0 | 3.4.0 | 3.4.0 | 3.4.0 |

-> | address\_standardizer | Used to parse an address into constituent elements. Used to support geocoding address normalization step. | 3.3.4 | 3.4.0 | 3.4.0 | 3.4.0 | 3.4.0 |

-> | postgis\_sfcgal | PostGIS SFCGAL functions. | 3.3.4 | 3.4.0 | 3.4.0 | 3.4.0 | 3.4.0 |

-> | postgis\_topology | PostGIS topology spatial types and functions. | 3.3.4 | 3.4.0 | 3.4.0 | 3.4.0 | 3.4.0 |

-The [pg\_stat\_statements extension](https://www.postgresql.org/docs/current/pgstatstatements.html) is preloaded on every Azure Cosmos DB for PostgreSQL server to provide you with a means of tracking execution statistics of SQL statements.

-will be installed as well. In particular, PostgreSQL 14 and PostgreSQL 15 come with Citus 12, PostgreSQL 13 comes with Citus 11, PostgreSQL 12 comes with Citus 10, and earlier PostgreSQL versions come with Citus 9.5.

- --image debian \

-This article outlines how to use the Copy activity in Azure Data Factory and Azure Synapse pipelines to copy data from and to Azure Blob Storage. It also describes how to use the Data Flow activity to transform data in Azure Blob Storage. To learn more read the [Azure Data Factory](introduction.md) and the [Azure Synapse Analytics](..\synapse-analytics\overview-what-is.md) introduction articles.

-1. Browse to the Manage tab in your Azure Data Factory or Synapse workspace and select Linked Services, then click New:

-| containerUri | Specify the Azure Blob container URI which has enabled Anonymous read access by taking this format `https://<AccountName>.blob.core.windows.net/<ContainerName>` and [Configure anonymous public read access for containers and blobs](../storage/blobs/anonymous-read-access-configure.md#set-the-public-access-level-for-a-container) | Yes |

-The UI experience will be like below. This sample will use the Azure open dataset as the source. If you want to get the open [dataset bing_covid-19_data.csv](https://pandemicdatalake.blob.core.windows.net/public/curated/covid-19/bing_covid-19_data/latest/bing_covid-19_data.csv), you just need to choose **Authentication type** as **Anonymous** and fill in Container URI with `https://pandemicdatalake.blob.core.windows.net/public`.

->A secondary Blob service endpoint is not supported when you're using account key authentication. You can use other authentication types.

-| accountKind | Specify the kind of your storage account. Allowed values are: **Storage** (general purpose v1), **StorageV2** (general purpose v2), **BlobStorage**, or **BlockBlobStorage**. <br/><br/>When using Azure Blob linked service in data flow, managed identity or service principal authentication is not supported when account kind as empty or "Storage". Specify the proper account kind, choose a different authentication, or upgrade your storage account to general purpose v2. | No |

->- If your blob account enables [soft delete](../storage/blobs/soft-delete-blob-overview.md), service principal authentication is not supported in Data Flow.

-| accountKind | Specify the kind of your storage account. Allowed values are: **Storage** (general purpose v1), **StorageV2** (general purpose v2), **BlobStorage**, or **BlockBlobStorage**. <br/><br/>When using Azure Blob linked service in data flow, managed identity or service principal authentication is not supported when account kind as empty or "Storage". Specify the proper account kind, choose a different authentication, or upgrade your storage account to general purpose v2. | No |

-| accountKind | Specify the kind of your storage account. Allowed values are: **Storage** (general purpose v1), **StorageV2** (general purpose v2), **BlobStorage**, or **BlockBlobStorage**. <br/><br/>When using Azure Blob linked service in data flow, managed identity or service principal authentication is not supported when account kind as empty or "Storage". Specify the proper account kind, choose a different authentication, or upgrade your storage account to general purpose v2. | No |

-> - If your blob account enables [soft delete](../storage/blobs/soft-delete-blob-overview.md), system-assigned/user-assigned managed identity authentication is not supported in Data Flow.

-| OPTION 2: blob prefix<br>- prefix | Prefix for the blob name under the given container configured in a dataset to filter source blobs. Blobs whose names start with `container_in_dataset/this_prefix` are selected. It utilizes the service-side filter for Blob storage, which provides better performance than a wildcard filter.<br><br>When you use prefix and choose to copy to file-based sink with preserving hierarchy, note the sub-path after the last "/" in prefix will be preserved. For example, you have source `container/folder/subfolder/file.txt`, and configure prefix as `folder/sub`, then the preserved file path is `subfolder/file.txt`. | No |

-| OPTION 4: a list of files<br>- fileListPath | Indicates to copy a given file set. Point to a text file that includes a list of files you want to copy, one file per line, which is the relative path to the path configured in the dataset.<br/>When you're using this option, do not specify a file name in the dataset. See more examples in [File list examples](#file-list-examples). | No |

-| deleteFilesAfterCompletion | Indicates whether the binary files will be deleted from source store after successfully moving to the destination store. The file deletion is per file, so when copy activity fails, you will see some files have already been copied to the destination and deleted from source, while others are still remaining on source store. <br/>This property is only valid in binary files copy scenario. The default value: false. | No |

-| modifiedDatetimeEnd | Same as above. | No |

-| enablePartitionDiscovery | For files that are partitioned, specify whether to parse the partitions from the file path and add them as additional source columns.<br/>Allowed values are **false** (default) and **true**. | No |

-| partitionRootPath | When partition discovery is enabled, specify the absolute root path in order to read partitioned folders as data columns.<br/><br/>If it is not specified, by default,<br/>- When you use file path in dataset or list of files on source, partition root path is the path configured in dataset.<br/>- When you use wildcard folder filter, partition root path is the sub-path before the first wildcard.<br/>- When you use prefix, partition root path is sub-path before the last "/". <br/><br/>For example, assuming you configure the path in dataset as "root/folder/year=2020/month=08/day=27":<br/>- If you specify partition root path as "root/folder/year=2020", copy activity will generate two more columns `month` and `day` with value "08" and "27" respectively, in addition to the columns inside the files.<br/>- If partition root path is not specified, no extra column will be generated. | No |

-| blockSizeInMB | Specify the block size, in megabytes, used to write data to block blobs. Learn more [about Block Blobs](/rest/api/storageservices/understanding-block-blobs--append-blobs--and-page-blobs#about-block-blobs). <br/>Allowed value is *between 4 MB and 100 MB*. <br/>By default, the service automatically determines the block size based on your source store type and data. For nonbinary copy into Blob storage, the default block size is 100 MB so it can fit in (at most) 4.95 TB of data. It might be not optimal when your data is not large, especially when you use the self-hosted integration runtime with poor network connections that result in operation timeout or performance issues. You can explicitly specify a block size, while ensuring that `blockSizeInMB*50000` is big enough to store the data. Otherwise, the Copy activity run will fail. | No |

-| container<br/>&nbsp;&nbsp;&nbsp;&nbsp;FolderA<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**File1.csv**<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File2.json<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**File3.csv**<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File4.json<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;**File5.csv**<br/>&nbsp;&nbsp;&nbsp;&nbsp;Metadata<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;FileListToCopy.txt | File1.csv<br>Subfolder1/File3.csv<br>Subfolder1/File5.csv | **In dataset:**<br>- Container: `container`<br>- Folder path: `FolderA`<br><br>**In Copy activity source:**<br>- File list path: `container/Metadata/FileListToCopy.txt` <br><br>The file list path points to a text file in the same data store that includes a list of files you want to copy, one file per line, with the relative path to the path configured in the dataset. |

-| false |preserveHierarchy | Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File2<br/>&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File3<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File4<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File5 | The target folder, Folder1, is created with the following structure: <br/><br/>Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File2<br/><br/>Subfolder1 with File3, File4, and File5 is not picked up. |

-| false |flattenHierarchy | Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File2<br/>&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File3<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File4<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File5 | The target folder, Folder1, is created with the following structure: <br/><br/>Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;autogenerated name for File1<br/>&nbsp;&nbsp;&nbsp;&nbsp;autogenerated name for File2<br/><br/>Subfolder1 with File3, File4, and File5 is not picked up. |

-| false |mergeFiles | Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File2<br/>&nbsp;&nbsp;&nbsp;&nbsp;Subfolder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File3<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File4<br/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;File5 | The target folder, Folder1, is created with the following structure:<br/><br/>Folder1<br/>&nbsp;&nbsp;&nbsp;&nbsp;File1 + File2 contents are merged into one file with an autogenerated file name. autogenerated name for File1<br/><br/>Subfolder1 with File3, File4, and File5 is not picked up. |

-Use the **Partition root path** setting to define what the top level of the folder structure is. When you view the contents of your data via a data preview, you'll see that the service will add the resolved partitions found in each of your folder levels.

-If you have a source path with wildcard, your syntax will look like this:

-> File operations run only when you start the data flow from a pipeline run (a pipeline debug or execution run) that uses the Execute Data Flow activity in a pipeline. File operations *do not* run in Data Flow debug mode.

-**Filter by last modified:** You can filter which files you process by specifying a date range of when they were last modified. All datetimes are in UTC.

-**Enable change data capture:** If true, you will get new or changed files only from the last run. Initial load of full snapshot data will always be gotten in the first run, followed by capturing new or changed files only in next runs.

- - **Pattern**: Enter a pattern that enumerates your output files per partition. For example, `loans[n].csv` will create `loans1.csv`, `loans2.csv`, and so on.

- - **As data in column**: Set the output file to the value of a column. The path is relative to the dataset container, not the destination folder. If you have a folder path in your dataset, it will be overridden.

-| modifiedDatetimeStart | Files are filtered based on the attribute: last modified. The files will be selected if their last modified time is greater than or equal to `modifiedDatetimeStart` and less than `modifiedDatetimeEnd`. The time is applied to the UTC time zone in the format of "2018-12-01T05:00:00Z". <br/><br/> Be aware that enabling this setting will affect the overall performance of data movement when you want to filter huge amounts of files. <br/><br/> The properties can be `NULL`, which means no file attribute filter will be applied to the dataset. When `modifiedDatetimeStart` has a datetime value but `modifiedDatetimeEnd` is `NULL`, the files whose last modified attribute is greater than or equal to the datetime value will be selected. When `modifiedDatetimeEnd` has a datetime value but `modifiedDatetimeStart` is `NULL`, the files whose last modified attribute is less than the datetime value will be selected.| No |

-| modifiedDatetimeEnd | Files are filtered based on the attribute: last modified. The files will be selected if their last modified time is greater than or equal to `modifiedDatetimeStart` and less than `modifiedDatetimeEnd`. The time is applied to the UTC time zone in the format of "2018-12-01T05:00:00Z". <br/><br/> Be aware that enabling this setting will affect the overall performance of data movement when you want to filter huge amounts of files. <br/><br/> The properties can be `NULL`, which means no file attribute filter will be applied to the dataset. When `modifiedDatetimeStart` has a datetime value but `modifiedDatetimeEnd` is `NULL`, the files whose last modified attribute is greater than or equal to the datetime value will be selected. When `modifiedDatetimeEnd` has a datetime value but `modifiedDatetimeStart` is `NULL`, the files whose last modified attribute is less than the datetime value will be selected.| No |

-| recursive | Indicates whether the data is read recursively from the subfolders or only from the specified folder. Note that when `recursive` is set to `true` and the sink is a file-based store, an empty folder or subfolder isn't copied or created at the sink.<br/>Allowed values are `true` (default) and `false`. | No |

-Azure Data Factory can get new or changed files only from Azure Blob Storage by enabling **Enable change data capture ** in the mapping data flow source transformation. With this connector option, you can read new or updated files only and apply transformations before loading transformed data into destination datasets of your choice. Pleaser refer to [Change Data Capture](concepts-change-data-capture.md) for details.

-For a list of data stores that the Copy activity supports as sources and sinks, see [Supported data stores](copy-activity-overview.md#supported-data-stores-and-formats).

-1. Specify a workload from the options provided. If prompted, confirm the option you selected and then select **Apply**.

-3. In **New Container** tab that pops out from the right side of the Azure portal, add a name for the container. The name must be lower-case and you may include numbers and dashes '-'. Then select the **Public access level** from the drop-down list box. We recommend that you choose **Private (non anonymous access)** to prevent others from accessing your data. For more information regarding container access levels, see [Container access permissions](../storage/blobs/anonymous-read-access-configure.md#set-the-public-access-level-for-a-container).

-This article describes how to investigate API security findings, alerts, and security posture recommendations for APIs protected by [Microsoft Defender for APIs](defender-for-apis-introduction.md). Defender for APIs is currently in preview.

-Multi-region support | In multi-region Azure API Management instances, some ML-based detections and security insights (data classification, authentication check, unused and external APIs) aren't supported in secondary regions. In such cases, data residency requirements are still met.ΓÇ»

-1. In the value field enter **jvascript:**.

-To resolve the issue, assign the correct permissions: [Give project access to the development team](quickstart-create-and-configure-projects.md#give-project-access-to-the-development-team).

-First, you create a dev center to organize your deployment environments resources. Next, you create a key vault to store the GitHub personal access token (PAT) that is used to grant Azure access to your GitHub repository. Then, you attach an identity to the dev center and assign that identity access to the key vault. Then, you add a catalog that stores your IaC templates to the dev center. Finally, you create environment types to define the types of environments that development teams can create.

-The following diagram shows the steps you perform in the [Create and configure a project quickstart](quickstart-create-and-configure-projects.md) to configure a project associated with a dev center for Deployment Environments.

-## Create a Key Vault

-You need an Azure Key Vault to store the GitHub personal access token (PAT) that is used to grant Azure access to your GitHub repository. Key Vaults can control access with either access policies or role-based access control (RBAC). If you have an existing key vault, you can use it, but you should check whether it uses access policies or RBAC assignments to control access. In this quickstart, you create an RBAC Key Vault. For help with configuring an access policy for a key vault, see [Assign a Key Vault access policy](/azure/key-vault/general/assign-access-policy?branch=main&tabs=azure-portal).

-If you don't have an existing key vault, use the following steps to create one:

-1. Sign in to the [Azure portal](https://portal.azure.com).

-1. In the Search box, enter *Key Vault*.

-1. From the results list, select **Key Vault**.

-1. On the Key Vault page, select **Create**.

-1. On the Create key vault tab, provide the following information:

- |Name |Value |

- |-|--|

- |**Name**|Enter a name for the key vault.|

- |**Subscription**|Select the subscription in which you want to create the key vault.|

- |**Resource group**|Either use an existing resource group or select **Create new** and enter a name for the resource group.|

- |**Location**|Select the location or region where you want to create the key vault.|

-

- Leave the other options at their defaults.

-1. On the Access configuration tab, select **Azure role-based access control**, and then select **Review + create**.

-1. On the Review + create tab, select **Create**.

-## Create a personal access token

-## Attach an identity to the dev center

-In this quickstart, you configure a system-assigned managed identity for your dev center.

-### Assign the system-assigned managed identity access to the key vault secret

-Make sure that the identity has access to the key vault secret that contains the personal access token to access your repository. Key Vaults support two methods of access; Azure role-based access control (RBAC) or Vault access policy. In this quickstart, you use an RBAC key vault.

-Configure vault access:

-1. In the Azure portal, go to the key vault that contains the secret with the personal access token.

-1. In the left menu, select **Access control (IAM)**.

-1. Select **Add** > **Add role assignment**.

-1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).

- | Setting | Value |

- | | |

- | **Role** | Select **Key Vault Secrets User**. |

- | **Assign access to** | Select **Managed identity**. |

- | **Members** | Select the dev center managed identity that you created in [Attach a system-assigned managed identity](#attach-a-system-assigned-managed-identity). |

- | **Secret identifier**| Enter the [secret identifier](#create-a-personal-access-token) that contains your personal access token for the repository.<br /> When you copy a secret identifier, the connection string includes a version identifier at the end, like in this example: `https://contoso-kv.vault.azure.net/secrets/GitHub-repo-pat/9376b432b72441a1b9e795695708ea5a`.<br />Removing the version identifier ensures that Deployment Environments fetches the latest version of the secret from the key vault. If your personal access token expires, only the key vault needs to be updated. <br />*Example secret identifier:* `https://contoso-kv.vault.azure.net/secrets/GitHub-repo-pat`|

-This quickstart shows you how to create a project in Azure Deployment Environments. Then, you associate the project with the dev center you created in [Quickstart: Create and configure a dev center](./quickstart-create-and-configure-devcenter.md).

-A platform engineering team typically creates projects and provides project access to development teams. Development teams then create [environments](concept-environments-key-concepts.md#environments) by using [environment definitions](concept-environments-key-concepts.md#environment-definitions), connect to individual resources, and deploy applications.

-The following diagram shows the steps you perform in the [Create and configure a dev center for Azure Deployment Environments](quickstart-create-and-configure-devcenter.md) quickstart to configure a dev center for Azure Deployment Environments in the Azure portal. You must perform these steps before you can create a project.

-

-For more information on how to create an environment, see [Quickstart: Create and access Azure Deployment Environments by using the developer portal](quickstart-create-access-environments.md).

- :::image type="content" source="media/quickstart-create-configure-projects/create-project-page-review-create.png" alt-text="Screenshot that shows selecting the Review + Create button to validate and create a project.":::

-### Assign a managed identity the owner role to the subscription

-Before you can create environment types, you must give the managed identity that represents your dev center access to the subscriptions where you configure the [project environment types](concept-environments-key-concepts.md#project-environment-types).

-In this quickstart you assign the Owner role to the system-assigned managed identity that you configured previously: [Attach a system-assigned managed identity](quickstart-create-and-configure-devcenter.md#attach-a-system-assigned-managed-identity).

-1. Navigate to your dev center.

-1. On the left menu under Settings, select **Identity**.

-1. Under System assigned > Permissions, select **Azure role assignments**.

- :::image type="content" source="media/quickstart-create-configure-projects/system-assigned-managed-identity.png" alt-text="Screenshot that shows a system-assigned managed identity with Role assignments highlighted.":::

-1. In Azure role assignments, select **Add role assignment (Preview)**, enter or select the following information, and then select **Save**:

-

- |Name |Value |

- ||-|

- |**Scope**|Subscription|

- |**Subscription**|Select the subscription in which to use the managed identity.|

- |**Role**|Owner|

-## Configure a project

-## Give project access to the development team

-# Determine resource usage and quota

-## Determine your usage and quota

-# Request a quota limit increase

-The time it takes to increase your quota varies depending on the VM size, region, and number of resources requested. You won't have to go through the process of requesting extra capacity often, but to ensure you have the resources you require when you need them, you should:

-> Self-serve scalable Dedicated can be deployed with [availability zones](../availability-zones/az-overview.md#azure-regions-with-availability-zones) enabled with 3 CUs but you won't be able to use the self-serve scaling capability to scale the cluster. You must instead [submit a support request](event-hubs-dedicated-cluster-create-portal.md#submit-a-support-request) to scale the AZ enabled cluster.

- Console.ReadLine();

-Region xxx not deployed on any RegionServer. This means the region is in `hbase:meta`, but offline.

-Alternatively, run `assign <region-hash>` on hbase-shell to force to assign this region

-Manually merge those overlapped regions. Go to HBase HMaster Web UI table section, select the table link, which has the issue. You will see start key/end key of each region belonging to that table. Then merge those overlapped regions. In HBase shell, do `merge_region 'xxxxxxxx','yyyyyyy', true`. For example:

-This is most likely due to region partial deletion when RegionServer crashes or VM reboots. Currently, the Azure Storage is a flat blob file system and some file operations are not atomic.

-Edit the parameters in the `azuredeploy.parameters.json` to specify information about your new cluster and the database that will hold Ambari.

-Beginning on September 3, 2019, accessing these secrets will require the `Microsoft.HDInsight/clusters/configurations/action` permission, meaning they can no longer be accessed by users with the Reader role. The roles that have this permission are Contributor, Owner, and the new HDInsight Cluster Operator role (more on that below).

-We are also introducing a new [HDInsight Cluster Operator](../role-based-access-control/built-in-roles.md#hdinsight-cluster-operator) role

-that will be able to retrieve secrets without being granted the administrative

-permissions of Contributor or Owner. To summarize:

-The following APIs will be changed or deprecated:

- - To retrieve all configurations, including sensitive parameters, use `ClusterOperationsExtensions.ListConfigurations` going forward. Note that users with the 'Reader' role will not be able to use this method. This allows for granular control over which users can access sensitive information for a cluster.

- - To retrieve all configurations, including sensitive parameters, use [`ConfigurationOperationsExtensions.List`](/dotnet/api/microsoft.azure.management.hdinsight.configurationsoperationsextensions.list) going forward.ΓÇ» Note that users with the 'Reader' role will not be able to use this method. This allows for granular control over which users can access sensitive information for a cluster.

- - To retrieve all configurations, including sensitive parameters, use [`ConfigurationsOperations.list`](/python/api/azure-mgmt-hdinsight/azure.mgmt.hdinsight.operations.configurationsoperations#list-resource-group-name--cluster-name--custom-headers-none--raw-false-operation-config-) going forward.ΓÇ» Note that users with the 'Reader' role will not be able to use this method. This allows for granular control over which users can access sensitive information for a cluster.

- - To retrieve all configurations, including sensitive parameters, use [`ConfigurationsClient.list`](https://godoc.org/github.com/Azure/azure-sdk-for-go/services/preview/hdinsight/mgmt/2015-03-01-preview/hdinsight#ConfigurationsClient.List) going forward.ΓÇ» Note that users with the 'Reader' role will not be able to use this method. This allows for granular control over which users can access sensitive information for a cluster.

- - Users with HDInsight Cluster Operator, Contributor, or Owner roles will not be affected.

- - Users with only the Reader role will need to specify the `DefaultStorageAccountKey` parameter explicitly.

-> This command must be run by a user with the Owner role, as only they can grant these permissions. The `--assignee` is the name of the service principal or email address of the user to whom you want to assign the HDInsight Cluster Operator role. If you receive an insufficient permissions error, see the FAQ below.

-If this still doesn't work, contact your Azure AD admin to acquire the correct permissions.

-If you are using an older version of one of the tools for Visual Studio, VSCode, IntelliJ or Eclipse mentioned above, they will no longer function until you update.

-description: Learn how to configure a number of additional features for your network virtual appliance in Azure HDInsight.

-Azure Firewall FQDN tag is automatically configured to allow traffic for many of the common important FQDNs. Using another network virtual appliance will require you to configure a number of additional features. Keep the following factors in mind as you configure your network virtual appliance:

-You can optionally enable one or more of the following service endpoints which will result in bypassing the NVA. This option can be useful for large amounts of data transfers to save on cost and also for performance optimizations.

-| IPs published [here](hdinsight-management-ip-addresses.md) | These IPs are for HDInsight resource provider and should be included in the UDR to avoid asymmetric routing. This rule is only needed if the ResourceProviderConnection is set to *Inbound*. If the ResourceProviderConnection is set to *Outbound* then these IPs are not needed in the UDR. |

-| AAD-DS private IPs | Only needed for ESP clusters, if the VNETs are not peered.|

-You can get the list of dependent FQDNs (mostly Azure Storage and Azure Service Bus) for configuring your network virtual appliance [in this repo](https://github.com/Azure-Samples/hdinsight-fqdn-lists/). For the regional list see [here](https://github.com/Azure-Samples/hdinsight-fqdn-lists/tree/main/Public). These dependencies are used by HDInsight resource provider(RP) to create and monitor/manage clusters successfully. These include telemetry/diagnostic logs, provisioning metadata, cluster-related configurations, scripts, etc. This FQDN dependency list might change with releasing future HDInsight updates.

-The list below only gives a few FQDNs that may be needed for OS and security patching or certificate validations during the cluster create process and during the lifetime of cluster operations:

-A produced log will look similar to:

-The above logs should provide high-level understanding of the file system operations. If the above logs are still not providing useful information, or if you want to investigate blob storage api calls, add `fs.azure.storage.client.logging=true` to the `core-site`. This setting will enable the Java sdk logs for wasb storage driver and will print each call to blob storage server. Remove the setting after investigations because it could fill up the disk quickly and could slow down the process.

-# Purge history operation for Azure API for FHIR

-`$purge-history` is an operation that allows you to delete the history of a single FHIR resource. This operation isn't defined in the FHIR specification.

-FHIR&#174; is a registered trademark of [HL7](https://hl7.org/fhir/) and is used with the permission of HL7.

-|[Ancestor resources must be fully provisioned before a child resource can be provisioned.](#ancestor-resources-must-be-fully-provisioned-before-a-child-resource-can-be-provisioned-1)

-|[The location property of child resources must match the location property of parent resources.](#the-location-property-of-child-resources-must-match-the-location-property-of-parent-resources-1)

-|[ManagedIdentityCredentialNotFound](#managedidentitycredentialnotfound)

-FHIR&#174; is a registered trademark of Health Level Seven International, registered in the U.S. Trademark Office and is used with their permission.

-[^2]: *Devices were chosen based on availability of support resources, common boards used for prototyping and PoCs, and boards that support beginner-friendly IDEs like Arduino IDE and VS Code extensions; for example, Arduino Extension and Platform IO extension. For simplicity, we aimed to keep the total device list <6. Some of these metrics are "squishy," which means that other teams and individuals may have chosen to feature different boards based on their interpretation of the criteria.*

-[^3]: *For bringing devices to production, you'll likely want to test a PoC with a specific chipset, ST's STM32 or Microchip's Pic-IoT breakout board series, design a custom board that can be manufactured for lower cost than the MCUs and SBCs listed here, or even explore FPGA-based dev kits. You may also want to use a development environment for professional electrical engineering like STM32CubeMX or ARM mBed browser-based programmer.*

-1. Read through the 'what to consider when choosing a board' section below to identify needs and constraints.

-Below are some suggestions for criteria to consider when choosing a device for your IoT prototype.

- - An SBC is preferred when you need multiple different tasks, like gathering sensor data and controlling another device. It may also be preferred in the early stages when there are many options for possible solutions - an SBC will enable you to try lots of different approaches.

- - **Power**: Consider how much voltage and current the board consumes. Determine if wall power is readily available or if you'll need a battery for your application.

- * Additional considerations include if your device will be communicating with other sensors or devices. If so, identify how many ports those signals require.

- - **Peripherals**: Consider if any of the peripherals your device connects to will have wireless protocols (for example, WiFi, BLE).

-Following is a comparison table of MCUs in alphabetical order. Please note this is an intentionally brief list, it isn't intended to be exhaustive.

-Following is a comparison table of SBCs in alphabetical order. Note this is an intentionally brief list, it isn't intended to be exhaustive.

- **Windows:**

- **Linux:**

-description: Overview on how to control access to IoT Hub, includes links to depth articles on AAD integration and SAS options.

-# Control access to IoT Hub

-This article describes the options for securing your IoT hub. IoT Hub uses *permissions* to grant access to each IoT hub endpoint. Permissions limit the access to an IoT hub based on functionality.

-There are three different ways for controlling access to IoT Hub:

-> [!Tip]

-> You can enable a lock on your IoT resources to prevent them being accidentally or maliciously deleted. To learn more about Azure Resource locks, please visit, [Lock your resources to protect your infrastructure](../azure-resource-manager/management/lock-resources.md?tabs=json)

-## Next steps

-description: Understand cryptography and X.509 PKI for Azure IoT Hub

-#Customer intent: As a developer, I want to understand X.509 Public Key Infrastructure (PKI) and public key cryptography so I can use X.509 certificates to authenticate devices to an IoT hub.

-# Understand public key cryptography and X.509 public key infrastructure

-You can use X.509 certificates to authenticate devices to an Azure IoT hub. A certificate is a digital document that contains the device's public key and can be used to verify that the device is what it claims to be. X.509 certificates and certificate revocation lists (CRLs) are documented by [RFC 5280](https://tools.ietf.org/html/rfc5280). Certificates are just one part of an X.509 public key infrastructure (PKI). To understand X.509 PKI, you need to understand cryptographic algorithms, cryptographic keys, certificates, and certificate authorities (CAs):

-* **Algorithms** define how original plaintext data is transformed into ciphertext and back to plaintext.

-* **Keys** are random or pseudorandom data strings used as input to an algorithm.

-* **Certificates** are digital documents that contain an entity's public key and enable you to determine whether the subject of the certificate is who or what it claims to be.

-* **Certificate Authorities** attest to the authenticity of certificate subjects.

-You can purchase a certificate from a certificate authority (CA). You can also, for testing and development or if you're working in a self-contained environment, create a self-signed root CA. For example, if you want to test IoT Hub authentication on devices that you own, you can self-sign your root CA and use that to issue device certificates. You can also issue self-signed device certificates.

-Before discussing X.509 certificates in more detail and using them to authenticate devices to an IoT hub, here are the fundamental cryptography concepts on which certificates are based.

-## Cryptography

-Cryptography protects information and communications through *encryption* and *decryption*. Encryption is the process of translating plain text data (*plaintext*) into something that appears to be random and meaningless (*ciphertext*). Decryption is the process of converting ciphertext back to plaintext. Cryptography is concerned with the following objectives:

-* **Confidentiality**: The information can be understood by only the intended audience.

-* **Integrity**: The information can't be altered in storage or in transit.

-* **Non-repudiation**: The creator of information can't later deny that creation.

-* **Authentication**: The sender and receiver can confirm each other's identity.

-## Encryption

-The encryption process requires an algorithm and a key. The algorithm defines how data is transformed from plaintext into ciphertext and back to plaintext. A key is a random string of data used as input to the algorithm. All of the security of the process is contained in the key. Therefore, the key must be stored securely. The details of the most popular algorithms, however, are publicly available.

-There are two types of encryption. Symmetric encryption uses the same key for both encryption and decryption. Asymmetric encryption uses different but mathematically related keys to perform encryption and decryption.

-### Symmetric encryption

-Symmetric encryption uses the same key to encrypt plaintext into ciphertext and decrypt ciphertext back into plaintext. The necessary length of the key, expressed in number of bits, is determined by the algorithm. After the key is used to encrypt plaintext, the encrypted message is sent to the recipient who then decrypts the ciphertext. The symmetric key must be securely transmitted to the recipient. Sending the key is the greatest security risk when using a symmetric algorithm.

-### Asymmetric encryption

-If only symmetric encryption is used, the problem is that all parties to the communication must possess the private key. However, it's possible that unauthorized third parties can capture the key during transmission to authorized users. To address this issue, you can use asymmetric or public key cryptography instead.

-In asymmetric cryptography, every user has two mathematically related keys called a key pair. One key is public and the other key is private. The key pair ensures that only the recipient has access to the private key needed to decrypt the data. The following illustration summarizes the asymmetric encryption process.

-1. The recipient creates a public-private key pair and sends the public key to a CA. The CA packages the public key in an X.509 certificate.

-1. The sending party obtains the recipient's public key from the CA.

-1. The sender encrypts plaintext data using an encryption algorithm. The recipient's public key is used to perform encryption.

-1. The sender transmits the ciphertext to the recipient. It isn't necessary to send the key because the recipient already has the private key needed to decrypt the ciphertext.

-1. The recipient decrypts the ciphertext by using the specified asymmetric algorithm and the private key.

-### Combining symmetric and asymmetric encryption

-Symmetric and asymmetric encryption can be combined to take advantage of their relative strengths. Symmetric encryption is much faster than asymmetric encryption, but, because of the necessity of sending private keys to other parties, it isn't as secure. To combine the two types together, symmetric encryption can be used to convert plaintext to ciphertext. Asymmetric encryption is used to exchange the symmetric key. This process is demonstrated by the following diagram.

-1. The sender retrieves the recipient's public key.

-1. The sender generates a symmetric key and uses it to encrypt the original data.

-1. The sender uses the recipient's public key to encrypt the symmetric key.

-1. The sender transmits the encrypted symmetric key and the ciphertext to the intended recipient.

-1. The recipient uses the private key that matches the recipient's public key to decrypt the sender's symmetric key.

-1. The recipient uses the symmetric key to decrypt the ciphertext.

-### Asymmetric signing

-Asymmetric algorithms can be used to protect data from modification and prove the identity of the data creator. The following illustration shows how asymmetric signing helps prove the sender's identity.

-1. The sender passes plaintext data through an asymmetric encryption algorithm, using the private key for encryption. Notice that this scenario reverses use of the private and public keys outlined in the preceding section, [Asymmetric encryption](#asymmetric-encryption).

-1. The resulting ciphertext is sent to the recipient.

-1. The recipient obtains the originator's public key from a directory.

-1. The recipient decrypts the ciphertext by using the originator's public key. The resulting plaintext proves the originator's identity because only the originator has access to the private key that initially encrypted the original text.

-## Signing

-Digital signing can be used to determine whether the data has been modified in transit or at rest. The data is passed through a hash algorithm, a one-way function that produces a mathematical result from the given message. The result is called a *hash value*, *message digest*, *digest*, *signature*, *fingerprint*, or *thumbprint*. A hash value can't be reversed to obtain the original message. Because a small change in the message results in a significant change in the *thumbprint*, the hash value can be used to determine whether a message has been altered. The following illustration shows how asymmetric encryption and hash algorithms can be used to verify that a message hasn't been modified.

-1. The sender creates a plaintext message.

-1. The sender hashes the plaintext message to create a message digest.

-1. The sender encrypts the digest using a private key.

-1. The sender transmits the plaintext message and the encrypted digest to the intended recipient.

-1. The recipient decrypts the digest by using the sender's public key.

-1. The recipient runs the same hash algorithm that the sender used over the message.

-1. The recipient compares the resulting signature to the decrypted signature. If the digests are the same, the message wasn't modified during transmission.

-## Next steps

-To learn more about the fields that make up an X.509 certificate, see [X.509 certificates](reference-x509-certificates.md).

-If you're already familiar with X.509 certificates, and you want to generate test versions that you can use to authenticate to your IoT hub, see the following articles:

-* [Tutorial: Create and upload certificates for testing](tutorial-x509-test-certs.md)

-* If you want to use self-signed certificates for testing, see the [Create a self-signed certificate](reference-x509-certificates.md#create-a-self-signed-certificate) section of [X.509 certificates](reference-x509-certificates.md).

- >[!IMPORTANT]

- >We recommend that you use certificates signed by an issuing Certificate Authority (CA), even for testing purposes. Never use self-signed certificates in production.

-If you have a root CA certificate or subordinate CA certificate and you want to upload it to your IoT hub, you must verify that you own that certificate. For more information, see [Tutorial: Create and upload certificates for testing](tutorial-x509-test-certs.md).

-description: Overview - how to authenticate devices to IoT Hub using X.509 Certificate Authorities.

-# Authenticate devices using X.509 CA certificates

-This article describes how to use X.509 certificate authority (CA) certificates to authenticate devices connecting to IoT Hub. In this article you will learn:

-* How to get an X.509 CA certificate

-* How to register the X.509 CA certificate to IoT Hub

-* How to sign devices using X.509 CA certificates

-* How devices signed with X.509 CA are authenticated

-The X.509 CA feature enables device authentication to IoT Hub using a certificate authority (CA). It simplifies the initial device enrollment process and supply chain logistics during device manufacturing. If you aren't familiar with X.509 CA certificates, see [Understand how X.509 CA certificates are used in the IoT industry](iot-hub-x509ca-concept.md) for more information.

-## Get an X.509 CA certificate

-The X.509 CA certificate is at the top of the chain of certificates for each of your devices. You may purchase or create one depending on how you intend to use it.

-For production environments, we recommend that you purchase an X.509 CA certificate from a professional certificate services provider. Purchasing a CA certificate has the benefit of the root CA acting as a trusted third party to vouch for the legitimacy of your devices. Consider this option if your devices are part of an open IoT network where they interact with third-party products or services.

-You may also create a self-signed X.509 CA certificate for testing purposes. For more information about creating certificates for testing, see [Create and upload certificates for testing](tutorial-x509-test-certs.md).

->[!NOTE]

->We do not recommend the use of self-signed certificates for production environments.

-Regardless of how you obtain your X.509 CA certificate, make sure to keep its corresponding private key secret and protected always. This precaution is necessary for building trust in the X.509 CA authentication.

-## Sign devices into the certificate chain of trust

-The owner of an X.509 CA certificate can cryptographically sign an intermediate CA that can in turn sign another intermediate CA, and so on, until the last intermediate CA terminates this process by signing a device certificate. The result is a cascaded chain of certificates known as a *certificate chain of trust*. In real life this plays out as delegation of trust towards signing devices. This delegation is important because it establishes a cryptographically variable chain of custody and avoids sharing of signing keys.

-

-The device certificate (also called a leaf certificate) must have the *subject name* set to the **device ID** (`CN=deviceId`) that was used when registering the IoT device in Azure IoT Hub. This setting is required for authentication.

-Learn how to [create a certificate chain](https://github.com/Azure/azure-iot-sdk-c/blob/master/tools/CACertificates/CACertificateOverview.md) as done when signing devices.

-## Register the X.509 CA certificate to IoT Hub

-Register your X.509 CA certificate to IoT Hub, which uses it to authenticate your devices during registration and connection. Registering the X.509 CA certificate is a two-step process that includes uploading the certificate file and then establishing proof of possession.

-The upload process entails uploading a file that contains your certificate. This file should never contain any private keys.

-The proof of possession step involves a cryptographic challenge and response process between you and IoT Hub. Given that digital certificate contents are public and therefore susceptible to eavesdropping, IoT Hub has to verify that you really own the CA certificate. You can choose to either automatically or manually verify ownership. For manual verification, Azure IoT Hub generates a random challenge that you sign with the CA certificate's corresponding private key. If you kept the private key secret and protected as recommended, then only you possess the knowledge to complete this step. Secrecy of private keys is the source of trust in this method. After signing the challenge, you complete this step and manually verify your certificate by uploading a file containing the results.

-Learn how to [register your CA certificate](tutorial-x509-test-certs.md#register-your-subordinate-ca-certificate-to-your-iot-hub).

-## Create a device on IoT Hub

-To prevent device impersonation, IoT Hub requires that you let it know what devices to expect. You do this by creating a device entry in the IoT hub's device registry. This process is automated when using [IoT Hub Device Provisioning Service](../iot-dps/about-iot-dps.md).

-Learn how to [manually create a device in IoT Hub](./iot-hub-create-through-portal.md#register-a-new-device-in-the-iot-hub).

-## Authenticate devices signed with X.509 CA certificates

-With your X.509 CA certificate registered and devices signed into a certificate chain of trust, the final step is device authentication when the device connects. When an X.509 CA-signed device connects, it uploads its certificate chain for validation. The chain includes all intermediate CA and device certificates. With this information, IoT Hub authenticates the device in a two-step process. IoT Hub cryptographically validates the certificate chain for internal consistency, and then issues a proof-of-possession challenge to the device. IoT Hub declares the device authentic on a successful proof-of-possession response from the device. This declaration assumes that the device's private key is protected and that only the device can successfully respond to this challenge. We recommend using secure chips like Hardware Secure Modules (HSM) in devices to protect private keys.

-A successful device connection to IoT Hub completes the authentication process and is also indicative of a proper setup. Every time a device connects, IoT Hub renegotiates the TLS session and verifies the deviceΓÇÖs X.509 certificate.

-## Revoke a device certificate

-IoT Hub doesn't check certificate revocation lists from the certificate authority when authenticating devices with certificate-based authentication. If you have a device that needs to be blocked from connecting to IoT Hub because of a potentially compromised certificate, you should disable the device in the identity registry. For more information, see [Disable or delete a device in an IoT hub](./iot-hub-create-through-portal.md#disable-or-delete-a-device-in-an-iot-hub).

-## Next Steps

-Learn about [the value of X.509 CA authentication](iot-hub-x509ca-concept.md) in IoT.

-Get started with [IoT Hub Device Provisioning Service](../iot-dps/index.yml).

-1. Click the property you'd like to update.

- --image UbuntuLTS \

- --image UbuntuLTS \

- - In case the student gets their VM into a bad state and their image needs to be [reset](how-to-manage-vm-pool.md#reset-lab-vms).

-| | Lab Operator | Optionally, assign to other administrator to manage lab users & schedules, publish labs, and reset/start/stop/connect lab VMs. |

-| | Lab Operator | Optionally, assign to other educators to manage lab users & schedules, publish labs, and reset/start/stop/connect lab VMs. |

-| | Lab Assistant | Optionally, assign to other educators to help support lab students by allowing reset/start/stop/connect lab VMs. |

-| | Lab Operator | Optionally, assign to other administrator to manage lab users & schedules, publish labs, and reset/start/stop/connect lab VMs. |

-| Educator | Lab Operator | Manage lab users & schedules, publish labs, and reset/start/stop/connect lab VMs. |

-| | Lab Assistant | Optionally, assign to other educators to help support lab students by allowing reset/start/stop/connect lab VMs. |

-| | Lab Assistant | Optionally, assign to other educators to help support lab students by allowing reset/start/stop/connect lab VMs. |

-| Lab management | Lab Assistant | Grant permission to view an existing lab. Can also start, stop, or reset any VM in the lab. Learn more about the [Lab Assistant role](#lab-assistant-role). |

-| Grant permission to only start/stop/reset VMs for *all* labs within a resource group. | Lab management | [Lab Assistant](#lab-assistant-role) | Resource group |

-| Grant permission to only start/stop/reset VMs for a specific lab. | Lab management | [Lab Assistant](#lab-assistant-role) | Lab |

-Assign the Lab Assistant role to grant a user permission to view a lab, and start, stop, and reset lab virtual machines for the lab.

-| Access lab VMs by private IP address (private-only labs) | Not recommended | This scenario is functional, but makes it difficult for lab users to connect to their lab VM. In the Azure Lab Services website, lab users can't identify the private IP address of their lab VM. In addition, the connect button points to the public endpoint of the lab VM. The lab creator needs to provide lab users with the private IP address of their lab VMs. After a VM reset, this private IP address might change.<br/><br/>If you implement this scenario, don't delete the public IP address or load balancer associated with the lab. If those resources are deleted, the lab fails to scale or publish. |

- > If you [republish a lab](how-to-create-manage-template.md#publish-the-template-vm) or [Reset VMs](how-to-manage-vm-pool.md#reset-lab-vms), the users remain registered for the labs' VMs. However, the contents of the VMs will be deleted and the VMs will be recreated with the template VM's image.

-The lab virtual machine pool represents the set of lab virtual machines (VMs) that are available for lab users to connect to. The lab VM creation starts when you publish a lab template, or when you update the lab capacity. Learn how to change the capacity of the lab and modify the number of lab virtual machines, or manage the state of individual lab VMs.

-When you manage a lab VM pool, you can:

-Lab VMs can be in one of a few states.

-> [!WARNING]

-> When you start a lab VM, it doesn't affect the available [quota hours](./classroom-labs-concepts.md#quota) for the lab user. Make sure to stop all lab VMs manually or use a [schedule](how-to-create-schedules.md) to avoid unexpected costs.

-## Prerequisites

- :::image type="content" source="./media/how-to-set-virtual-machine-passwords/start-all-vms-button.png" alt-text="Screenshot that shows the Virtual machine pool page and the Start all button is highlighted.":::

- :::image type="content" source="./media/how-to-set-virtual-machine-passwords/stop-all-vms-button.png" alt-text="Screenshot that shows the Virtual machine pool page and the Stop all button is highlighted.":::

-## Reset lab VMs

-When you reset a lab VM, Azure Lab Services shuts down the lab VM, deletes it, and recreates a new lab VM from the original template VM. You can think of a reset as a refresh of the entire lab VM.

-> After you reset a lab VM, all the data that's saved on the OS disk (usually the C: drive on Windows), and the temporary disk (usually the D: drive on Windows), is lost. Learn how to [store the user data outside the lab VM](/azure/lab-services/troubleshoot-access-lab-vm#store-user-data-outside-the-lab-vm).

-To reset one or more lab VMs:

-1. Select **Reset** in the toolbar.

- :::image type="content" source="./media/how-to-set-virtual-machine-passwords/reset-vm-button.png" alt-text="Screenshot of virtual machine pool. Reset button is highlighted.":::

-1. On the **Reset virtual machine(s)** dialog box, select **Reset**.

- :::image type="content" source="./media/how-to-set-virtual-machine-passwords/reset-vms-dialog.png" alt-text="Screenshot of reset virtual machine confirmation dialog.":::

-### Redeploy lab VMs

-When you use [lab plans](./lab-services-whats-new.md), lab users can now redeploy their lab VM. This operation is labeled **Troubleshoot** in Azure Lab Services. When you redeploy a lab VM, Azure Lab Services will shut down the VM, move the VM to a new node within the Azure infrastructure, and then power it back on.

-Learn how [lab users can redeploy their lab VM](./how-to-reset-and-redeploy-vm.md#redeploy-vms).

-When a lab user resets a lab virtual machine, all data on the machine is removed. To protect user data from being lost, we recommend that lab users back up their data in the cloud, for example by using Microsoft OneDrive.

-description: Learn how to troubleshoot a VM in Azure Lab Services by redeploying or resetting the VM.

-# Troubleshoot a lab by redeploying or resetting the VM

-On rare occasions, you may have problems connecting to a VM in one of your labs. In this article, you learn how to redeploy or reset a lab VM in Azure Lab Services. You can use these troubleshooting steps to resolve connectivity issues for your assigned labs, without support from an educator or admin.

-Learn more about [strategies for troubleshooting lab VMs](./troubleshoot-access-lab-vm.md).

-## Reset VMs

-When you reset a lab VM, Azure Lab Services will shut down the VM, delete it, and recreate a new lab VM from the original template VM. You can think of a reset as a refresh of the entire VM.

-You can reset a lab VM that is assigned to you. If you have the Lab Assistant, Lab Contributor, or Lab Operator role, you can reset any lab VM for which you have permissions.

-You can also reset a lab VM by using the [REST api](/rest/api/labservices/virtual-machines/reimage), [PowerShell](/powershell/module/az.labservices/update-azlabservicesvmreimage), or the [.NET SDK](/dotnet/api/azure.resourcemanager.labservices.labvirtualmachineresource.reimage).

-> [!WARNING]

-> After you reset a lab VM, all the data that you saved on the OS disk (usually the C: drive on Windows), and the temporary disk (usually the D: drive on Windows), is lost. Learn how you can [store the user data outside the lab VM](./troubleshoot-access-lab-vm.md#store-user-data-outside-the-lab-vm).

-To reset a lab VM in the Azure Lab Services website that's assigned to you:

-1. For a specific lab VM, select **...** > **Reset**.

- :::image type="content" source="./media/how-to-reset-and-redeploy-vm/reset-single-vm.png" alt-text="Screenshot that shows how to reset a lab VM in the Lab Services web portal, highlighting the Reset button.":::

-1. On the **Reset virtual machine** dialog box, select **Reset**.

- :::image type="content" source="./media/how-to-reset-and-redeploy-vm/reset-single-vm-confirmation.png" alt-text="Screenshot that shows the confirmation dialog for resetting a single VM in the Lab Services web portal.":::

-Alternatively, if you have permissions across multiple labs, you can reset multiple VMs for a lab:

-1. Select one or multiple VMs from the list, and then select **Reset** in the toolbar.

- :::image type="content" source="./media/how-to-reset-and-redeploy-vm/reset-vm-button.png" alt-text="Screenshot that shows the virtual machine pool in the Lab Services web portal, highlighting the Reset button.":::

-1. On the **Reset virtual machine** dialog box, select **Reset**.

- :::image type="content" source="./media/how-to-reset-and-redeploy-vm/reset-vms-dialog.png" alt-text="Screenshot that shows the reset virtual machine confirmation dialog in the Lab Services web portal.":::

-## Redeploy VMs

-When you use lab plans, introduced in the [April 2022 Update](lab-services-whats-new.md), you can now also redeploy a lab VM. This operation is labeled **Troubleshoot** in the Azure Lab Services website and is available in the student's view of their VMs.

-When you redeploy a lab VM, Azure Lab Services will shut down the VM, move the VM to a new node in within the Azure infrastructure, and then power it back on. You can think of a redeploy operation as a refresh of the underlying VM for your lab. All data that you saved in the [OS disk](/azure/virtual-machines/managed-disks-overview#os-disk) (usually the C: drive on Windows) of the VM will still be available after the redeploy operation. Any data on the [temporary disk](/azure/virtual-machines/managed-disks-overview#temporary-disk) (usually the D: drive on Windows) is lost after a redeploy operation.

-You can only redeploy a lab VM in the Azure Lab Services website that is assigned to you.

-You can also redeploy a lab VM by using the [REST api](/rest/api/labservices/virtual-machines/redeploy), [PowerShell](/powershell/module/az.labservices/start-azlabservicesvmredeployment), or the [.NET SDK](/dotnet/api/azure.resourcemanager.labservices.labvirtualmachineresource.redeploy).

-> After you redeploy a VM, all the data that you saved on the [temporary disk](/azure/virtual-machines/managed-disks-overview#temporary-disk) (D: drive by default on Windows) is lost.

-To redeploy a lab VM in the Azure Lab Services website:

-1. For a specific lab VM, select **...** > **Troubleshoot**.

- :::image type="content" source="./media/how-to-reset-and-redeploy-vm/redeploy-vms.png" alt-text="Screenshot that shows the Redeploy virtual machine menu option in the Lab Services web portal.":::

-1. On the **Troubleshoot virtual machine** dialog box, select **Redeploy**.

- :::image type="content" source="./media/how-to-reset-and-redeploy-vm/redeploy-single-vm-confirmation.png" alt-text="Screenshot that shows the confirmation dialog for redeploying a single VM in the Lab Services web portal.":::

-1. [Redeploy your lab VM](./how-to-reset-and-redeploy-vm.md#redeploy-vms) to another infrastructure node, while maintaining the user data.

- This approach might help resolve issues with the underlying virtual machine. Learn more about [redeploying versus resetting a lab VM](#redeploy-versus-reset-a-lab-vm) and how they affect your user data.

-1. If you still can't connect to the lab VM, [reset the lab VM](./how-to-reset-and-redeploy-vm.md#reset-vms).

- > Resetting a lab VM deletes the user data in the VM. Make sure to [store the user data outside the lab VM](#store-user-data-outside-the-lab-vm).

-1. If the lab VM is still in an incorrect state, [reset the lab VM](./how-to-reset-and-redeploy-vm.md#reset-vms).

- > Resetting a lab VM deletes the user data in the VM. Make sure to [store the user data outside the lab VM](#store-user-data-outside-the-lab-vm).

-## Redeploy versus reset a lab VM

-Azure Lab Services lets you redeploy, labeled *troubleshooting* in the Azure portal, or reset a lab VM. Both operations are similar, and result in the creation of a new virtual machine instance. However, there are fundamental differences that affect the user data on the lab VM.

-Learn more about how to [redeploy a lab VM in the Azure Lab Services website](./how-to-reset-and-redeploy-vm.md#redeploy-vms).

-When you reset a lab VM, Azure Lab Services will shut down the VM, delete it, and recreate a new lab VM from the original template VM. You can think of a reset as a refresh of the entire VM. After you reset a lab VM, all the data that you saved on the OS disk (usually the C: drive on Windows), and the temporary disk (usually the D: drive on Windows), is lost. To avoid losing data on the VM, [store the user data outside the lab VM](#store-user-data-outside-the-lab-vm).

-Learn more about how to [reset a lab VM in the Azure Lab Services website](./how-to-reset-and-redeploy-vm.md#reset-vms).

-> Redeploying a VM is only available for lab VMs that you created in a lab plan. VMs that are connected to a lab account only support the reset operation.

-When you reset a lab VM, all user data on the VM is lost. To avoid losing this data, you have to store the user data outside of the lab VM. You have different options to configure the template VM:

-> * Manage student VMs

-4. Select **Users** on the left menu or **Users** tile. You see students who have registered with your lab.

-2. Confirm that you see the status of VMs and the number of hours the VMs have been running. The time that a lab owner spends on a student VM doesn't count against the usage time shown in the last column.

-## Manage student VMs

-On this page, you can start, stop, or reset student VMs by using controls in the **State** column or on the toolbar.

-> When an educator turns on a student VM, quota for the student isn't affected. Quota for a user specifies the number of lab hours available to the user outside of the scheduled class time. For more information on quotas, see [Set quotas for users](how-to-manage-lab-users.md?#set-quotas-for-users).

- --image UbuntuLTS \

-More general model groupings are possible via AutoML's Many-Models solution; see our [Many Models- Automated ML notebook](https://github.com/Azure/azureml-examples/blob/v1-archive/v1/python-sdk/tutorials/automl-with-azureml/forecasting-many-models/auto-ml-forecasting-many-models.ipynb) and [Hierarchical time series- Automated ML notebook](https://github.com/Azure/azureml-examples/blob/v1-archive/v1/python-sdk/tutorials/automl-with-azureml/forecasting-hierarchical-timeseries/auto-ml-forecasting-hierarchical-timeseries.ipynb).

-* Azure Machine Learning extension (preview) for Azure Pipelines. This extension can be installed from the Visual Studio marketplace at [https://marketplace.visualstudio.com/items?itemName=ms-air-aiagility.azureml-v2](https://marketplace.visualstudio.com/items?itemName=ms-air-aiagility.azureml-v2).

- > [!TIP]

- >This extension isn't required to submit the Azure Machine Learning job; it's required to be able to wait for the job completion.

- [!INCLUDE [machine-learning-preview-generic-disclaimer](includes/machine-learning-preview-generic-disclaimer.md)]

- When the workspace is configured with a private endpoint, the Azure Container Registry for the workspace must be configured for __Premium__ tier to allow access via the private endpoint. For more information, see [Azure Container Registry service tiers](../container-registry/container-registry-skus.md). Also, the workspace should be set with the `image_build_compute` property, as deployment creation involves building of images. For more information on setting the `image_build_compute` property for your workspace, see [Create a workspace that uses a private endpoint](how-to-configure-private-link.md#create-a-workspace-that-uses-a-private-endpoint).

-> When using a private endpoint, you can also disable public access. For more information, see [disallow public read access](../storage/blobs/anonymous-read-access-configure.md#allow-or-disallow-public-read-access-for-a-storage-account).

-> When using a service endpoint, you can also disable public access. For more information, see [disallow public read access](../storage/blobs/anonymous-read-access-configure.md#allow-or-disallow-public-read-access-for-a-storage-account).

-A way for the console application to access the ONNX model is to add it to the build output directory. To learn more about MSBuild common items, see the [MSBuild guide](/visualstudio/msbuild/common-msbuild-project-items).

-* Create an [Application Insights instance](../../azure-monitor/app/opencensus-python.md) (this doc also contains information on getting the connection string for the resource)

-> When using a private endpoint, you can also disable public access. For more information, see [disallow public read access](../../storage/blobs/anonymous-read-access-configure.md#allow-or-disallow-public-read-access-for-a-storage-account).

-> When using a service endpoint, you can also disable public access. For more information, see [disallow public read access](../../storage/blobs/anonymous-read-access-configure.md#allow-or-disallow-public-read-access-for-a-storage-account).

-Snapshot backups are enabled by default and taken every 24 hours. Backups are stored in an internal Azure Blob Storage account and are retained for up to 2 days (48 hours). There's no cost for the initial 2 backups. Additional backups will be charged, see [pricing](https://azure.microsoft.com/pricing/details/managed-instance-apache-cassandra/). To change the backup interval or retention period, or to restore from an existing backup, file a [support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest) in the Azure portal.

-tags: azure-resource-manager

-# Customer intent: I need to monitor communication between a virtual machine scale set and a virtual machine. If the communication fails, I need to know why, so that I can resolve the problem.

-When you no longer need the resources, delete the resource group and all the resources it contains:

-1. In the **Search** box at the top of the Azure portal, enter **myResourceGroup** and then, in the search results list, select it.

-1. For **Resource group name**, enter **myResourceGroup**, and then select **Delete**.

-## Next steps

-In this tutorial, you learned how to monitor a connection between a virtual machine scale set and a VM. You learned that a network security group rule prevented communication to a VM.

-To learn about all the different responses a connection monitor can return, see [response types](network-watcher-connectivity-overview.md#response). You can also monitor a connection between a VM, a fully qualified domain name, a uniform resource identifier, or an IP address. See also:

-* [Analyze monitoring data and set alerts](./connection-monitor-overview.md#analyze-monitoring-data-and-set-alerts)

-* [Diagnose problems in your network](./connection-monitor-overview.md#diagnose-issues-in-your-network)

-description: In this tutorial, you learn how to use Azure Network Watcher VPN troubleshoot to diagnose a communication problem between two Azure virtual networks connected by Azure VPN gateways.

-# Customer intent: I need to determine why resources in a virtual network can't communicate with resources in a different virtual network over a VPN connection.

-Azure VPN gateway is a type of virtual network gateway that you can use to send encrypted traffic between an Azure virtual network and your on-premises locations over the public internet. You can also use VPN gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. A VPN gateway allows you to create multiple connections to on-premises VPN devices and Azure VPN gateways. For more information about the number of connections that you can create with each VPN gateway SKU, see [Gateway SKUs](../../articles/vpn-gateway/vpn-gateway-about-vpngateways.md#gwsku). Whenever you need to troubleshoot an issue with a VPN gateway or one of its connections, you can use Azure Network Watcher VPN troubleshoot to help you checking the VPN gateway or its connections to find and resolve the problem in easy and simple steps.

-This tutorial helps you use Azure Network Watcher [VPN troubleshoot](network-watcher-troubleshoot-overview.md) capability to diagnose and troubleshoot a connectivity issue that's preventing two virtual networks from communicating with each other. These two virtual networks are connected via VPN gateways using VNet-to-VNet connections.

-> * Create virtual networks

-## Sign in to Azure

-Sign in to the [Azure portal](https://portal.azure.com).

-## Create virtual networks

-In this section, you create two virtual networks that you connect later using virtual network gateways.

-### Create first virtual network

-1. In the search box at the top of the portal, enter *virtual networks*. Select **Virtual networks** in the search results.

- :::image type="content" source="./media/diagnose-communication-problem-between-networks/virtual-network-azure-portal.png" alt-text="Screenshot shows searching for virtual networks in the Azure portal.":::

-1. Select **+ Create**. In **Create virtual network**, enter or select the following values in the **Basics** tab:

- | Resource Group | Select **Create new**. </br> Enter *myResourceGroup* in **Name**. </br> Select **OK**. |

- | Name | Enter *myVNet1*. |

-1. Select the **IP Addresses** tab, or select **Next: IP Addresses** button at the bottom of the page.

-1. Enter the following values in the **IP Addresses** tab:

- | Setting | Value |

- | | |

- | IPv4 address space | Enter *10.1.0.0/16*. |

- | Subnet name | Enter *mySubnet*. |

- | Subnet address range | Enter *10.1.0.0/24*. |

-1. Select the **Review + create** tab or select the **Review + create** button at the bottom of the page.

-1. Review the settings, and then select **Create**.

-### Create second virtual network

-Repeat the previous steps to create the second virtual network using the following values:

-| Name | **myVNet2** |

-| IPv4 address space | **10.2.0.0/16** |

-| Subnet name | **mySubnet** |

-| Subnet address range | **10.2.0.0/24** |

-1. In the search box at the top of the portal, enter *storage accounts*. Select **Storage accounts** in the search results.

- | Name | Enter *vpn*. |

-## Create VPN gateways

-In this section, you create two VPN gateways that will be used to connect the two virtual networks you created previously.

-### Create first VPN gateway

-1. In the search box at the top of the portal, enter *virtual network gateways*. Select **Virtual network gateways** in the search results.

-1. Select **+ Create**. In **Create virtual network gateway**, enter or select the following values in the **Basics** tab:

- | Setting | Value |

- | | |

- | **Project details** | |

- | Subscription | Select your Azure subscription. |

- | **Instance details** | |

- | Name | Enter *VNet1GW*. |

- | Region | Select **East US**. |

- | Gateway type | Select **VPN**. |

- | VPN type | Select **Route-based**. |

- | SKU | Select **VpnGw1**. |

- | Generation | Select **Generation1**. |

- | Virtual network | Select **myVNet1**. |

- | Gateway subnet address range | Enter *10.1.1.0/27*. |

- | **Public IP address** | |

- | Public IP address | Select **Create new**. |

- | Public IP address name | Enter *VNet1GW-ip*. |

- | Enable active-active mode | Select **Disabled**. |

- | Configure BGP | Select **Disabled**. |

-1. Select **Review + create**.

-1. Review the settings, and then select **Create**. A gateway can take 45 minutes or more to fully create and deploy.

-### Create second VPN gateway

-To create the second VPN gateway, repeat the previous steps you used to create the first VPN gateway with the following values:

-| Setting | Value |

-| | |

-| Name | **VNet2GW**. |

-| Virtual network | **myVNet2**. |

-| Gateway subnet address range | **10.2.1.0/27**. |

-| Public IP address name | **VNet2GW-ip**. |

- | Name | Enter *to-VNet2*. |

- | Shared key (PSK) | Enter *123*. |

-1. In **Shared key (PSK)**, enter *123* and then select **Save**.

-When no longer needed, delete the resource group and all of the resources it contains:

-1. Enter ***myResourceGroup*** in the search box at the top of the portal. When you see **myResourceGroup** in the search results, select it.

-## Next steps

-In this tutorial, you learned how to diagnose a connectivity problem between two connected virtual networks via VPN gateways. For more information about connecting virtual networks using VPN gateways, see [VNet-to-VNet connections](../../articles/vpn-gateway/design.md#V2V).

-To learn how to log network communication to and from a virtual machine so that you can review the log for anomalies, advance to the next tutorial.

-> [Log network traffic to and from a VM](network-watcher-nsg-flow-logging-portal.md)

- --image UbuntuLTS \

-# CustomerIntent: As an Azure administrator, I want to diagnose virtual machine (VM) network routing problem that prevents it from communicating with the internet.

-1. In the search box at the top of the portal, enter ***virtual networks***. Select **Virtual networks** in the search results.

-> [Monitor a network connection](monitor-vm-communication.md)

-## Sign in to Azure

-Sign in to the [Azure portal](https://portal.azure.com).

-1. In the search box at the top of the portal, enter *virtual networks*. Select **Virtual networks** in the search results.

-When no longer needed, delete the resource group and all of the resources it contains:

-1. In the search box at the top of the portal, enter *myResourceGroup*. When you see **myResourceGroup** in the search results, select it.

-1. In **Delete a resource group**, enter *myResourceGroup*, and then select **Delete**.

-## Next steps

-In this tutorial, you learned how to monitor a connection between two virtual machines. You learned that connection monitor detected the connection failure to port 22 on target virtual machine after you stopped it. To learn about all of the different metrics that connection monitor can return, see [Metrics in Azure Monitor](connection-monitor-overview.md#metrics-in-azure-monitor).

-To learn how to diagnose and troubleshoot problems with virtual network gateways, advance to the next tutorial.

-> [Diagnose communication problems between networks](diagnose-communication-problem-between-networks.md)

-description: Troubleshooting steps for issues that may arise while using Network insights

-# Troubleshooting Network Insights

-For general troubleshooting guidance, see the dedicated workbook-based insights [troubleshooting article](../azure-monitor/insights/troubleshoot-workbooks.md).

-This section will help you diagnose and troubleshoot some common problems you might encounter when you use Azure Monitor Network Insights.

-To learn about troubleshooting any networking-related problems you identify with Azure Monitor Network Insights, see the troubleshooting documentation for the malfunctioning resource.

-For more troubleshooting articles about these services, see the other articles in the Troubleshooting section of the table of contents for the service.

-## How do I make changes or add visualizations to Azure Monitor Network Insights?

-Azure Monitor Network Insights uses the **Auto** time grain, so the time grain is based on the selected time range.

-## What if I want to see other data or make my own visualizations? How can I make changes to Azure Monitor Network Insights?

-## Next steps

-description: This article describes how to use Azure Network Watcher and open source tools to perform network intrusion detection

-# Perform network intrusion detection with Network Watcher and open source tools

-Packet captures are a key component for implementing network intrusion detection systems (IDS) and performing Network Security Monitoring (NSM). There are several open source IDS tools that process packet captures and look for signatures of possible network intrusions and malicious activity. Using the packet captures provided by Network Watcher, you can analyze your network for any harmful intrusions or vulnerabilities.

-One such open source tool is Suricata, an IDS engine that uses rulesets to monitor network traffic and triggers alerts whenever suspicious events occur. Suricata offers a multi-threaded engine, meaning it can perform network traffic analysis with increased speed and efficiency. For more details about Suricata and its capabilities, visit their website at https://suricata.io/.

-![simple web application scenario][1]

-For all other methods of installation, visit https://suricata.readthedocs.io/en/suricata-5.0.2/quickstart.html#installation

-At this stage, we do not have any rules for Suricata to run. You can create your own rules if there are specific threats to your network you would like to detect, or you can also use developed rule sets from a number of providers, such as Emerging Threats, or VRT rules from Snort. We use the freely accessible Emerging Threats ruleset here:

-1. The Elastic Stack from version 5.0 and above requires Java 8. Run the command `java -version` to check your version. If you do not have Java installed, refer to documentation on the [Azure-supported JDKs](/azure/developer/java/fundamentals/java-support-on-azure).

-![kibana dashboard][2]

- ![geo ip][3]

- ![image 4][4]

- ![image 5][5]

- ![image 6][6]

- ![image 7][7]

-## Next steps

-Learn how to trigger packet captures based on alerts by visiting [Use packet capture to do proactive network monitoring with Azure Functions](network-watcher-alert-triggered-packet-capture.md)

-Learn how to visualize your NSG flow logs with Power BI by visiting [Visualize NSG flows logs with Power BI](network-watcher-visualize-nsg-flow-logs-power-bi.md)

-<!-- images -->

-[1]: ./media/network-watcher-intrusion-detection-open-source-tools/figure1.png

-[2]: ./media/network-watcher-intrusion-detection-open-source-tools/figure2.png

-[3]: ./media/network-watcher-intrusion-detection-open-source-tools/figure3.png

-[4]: ./media/network-watcher-intrusion-detection-open-source-tools/figure4.png

-[5]: ./media/network-watcher-intrusion-detection-open-source-tools/figure5.png

-[6]: ./media/network-watcher-intrusion-detection-open-source-tools/figure6.png

-[7]: ./media/network-watcher-intrusion-detection-open-source-tools/figure7.png

-description: Learn how to enable network security group (NSG) flow logs programmatically using Bicep and Azure PowerShell.

-#Customer intent: I need to enable the network security group flow logs by using a Bicep file.

-# Quickstart: Configure network security group flow logs using a Bicep file

-In this quickstart, you learn how to enable [network security group (NSG) flow logs](network-watcher-nsg-flow-logging-overview.md) by using a Bicep file

-We start with an overview of the properties of the NSG flow log object. We provide a sample Bicep file. Then, we deploy the Bicep file.

-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.

-The Bicep file that we use in this quickstart is from [Azure Quickstart Templates](https://azure.microsoft.com/resources/templates/networkwatcher-flowlogs-create/).

-These resources are defined in the Bicep file:

-The highlighted code in the preceding sample shows an NSG flow resource definition.

-This tutorial assumes that you have a network security group that you can enable flow logging on.

- # [CLI](#tab/CLI)

- # [PowerShell](#tab/PowerShell)

- You will be prompted to enter the resource ID of the existing network security group. The syntax of the network security group resource ID is:

-If there were issues with the deployment, see [Troubleshoot common Azure deployment errors with Azure Resource Manager](../azure-resource-manager/troubleshooting/common-deployment-errors.md).

-You can delete Azure resources by using complete deployment mode. To delete a flow logs resource, specify a deployment in complete mode without including the resource you want to delete. Read more about [complete deployment mode](../azure-resource-manager/templates/deployment-modes.md#complete-mode).

-1. Select **All services**. In the **Filter** box, enter **network watcher**. In the search results, select **Network Watcher**.

-1. Under **Logs**, select **NSG flow logs**.

-1. In the list of NSGs, select the NSG for which you want to disable flow logs.

-1. Under **Flow logs settings**, select **Off**.

-1. Select **Save**.

-## Next steps

-In this quickstart, you learned how to enable NSG flow logs by using a Bicep file. Next, learn how to visualize your NSG flow data by using one of these options:

- --image UbuntuLTS \

-Here's an example Azure CLI command:

-```azurecli

-```azurecli

-```azurecli

-```azurecli

-```azurecli

- az vm create \--resource-group myResourceGroup \--name myVMEdge \--image UbuntuLTS \--admin-username azureuser \--admin-password <password> \--edge-zone <edgezone ID> \--public-ip-sku Standard

- az vm create --resource-group myResourceGroup --name myVMRegion --image UbuntuLTS --admin-username azureuser --admin-password <password> --vnet-name MyVnetRegion --subnet MySubnetRegion --public-ip-sku Standard

-[Azure Resource Mover](overview.md) helps you to move Azure resources across Azure regions. This article summarizes the components used by Resource Mover and describes the move process.

-[Move](tutorial-move-region-virtual-machines.md) Azure VMs to another region.

-[Move](tutorial-move-region-sql.md) Azure SQL resources to another region.

-Select resources you want to move.

-4. In **Destination**, select the region to which you want to move the VMs. Then click **Next**.

-6. In **Resources to move**, click **Select resources**.

-7. In **Select resources**, select the VM. You can only add resources supported for move. Then click **Done**. In **Resources to move**, click **Next**.

-9. Click **Proceed**, to begin adding the resources.

-10. After the add process finishes successfully, click **Adding resources for move** in the notification icon.

-After clicking the notification, resources appear on the **Across regions** page

-> After clicking the notification, resources appear on the **Across regions** page, in a *Prepare pending* state.

-2. If dependencies are found, click **Add dependencies**.

-2. In **Prepare resources**, click **Prepare**.

-2. ln **Move Resources**, click **Initiate move**. The resource group moves into an *Initiate move in progress* state.

-2. ln **Move Resources**, click **Commit**.

-1. In the **Across regions** page, click the link in the **Destination configuration** column of the VM you're moving.

-1. In **Across regions**, select resources with state *Initiate move pending*. Then click **Initiate move**

-2. In **Move resources**, click **Initiate move**.

-1. In **Across regions**, select resources with state *Commit move pending*, and click **Discard move**.

-2. In **Discard move**, click **Discard**.

-1. In **Across regions**, select resources with state *Commit move pending*, and click **Commit move**.

-2. In **Commit resources**, click **Commit**.

-1. In **Across Regions**, click the name of each source resource that you want to delete.

-1. Dependencies are *auto validated* at the beginning when you add the resources. If the initial auto validation does not resolves the issue, you will see a **Validate dependencies** ribbon, select it to validate manually.

-1. Dependencies are automatically validated in the background when you add the resources. If you still see the **Validate dependencies** option, select it to trigger the validation manually.

-1. Dependencies are automatically validated in the background when you add the resources. If you still see the **Validate dependencies** option, select it to trigger the validation manually.

-4. Dependencies are automatically validated in the background once you add the dependencies. If you see a **Validate dependencies** option, select it to trigger the manual validation.

-1. Dependencies are automatically validated in the background when you add the resources. If you still see the **Validate dependencies** option, select it to trigger the validation manually.

-4. Dependencies are automatically validated in the background once you add them. If you see a **Validate dependencies** button, select it to trigger the manual validation.

-# BM25 relevance and scoring for full text search

-In Azure Cognitive Search, you can configure algorithm parameters, and tune search relevance and boost search scores through these mechanisms:

-+ Scoring algorithm configuration

-+ Scoring profiles

-+ [Semantic ranking](semantic-search-overview.md)

-+ Custom scoring logic enabled through the *featuresMode* parameter

-## Relevance scoring

-## Scoring algorithms in Search

-Azure Cognitive Search provides the following scoring algorithms:

-| Algorithm | Usage | Range |

-|--|-|-|

-| `BM25Similarity` | Fixed algorithm on all search services created after July 2020. You can configure this algorithm, but you can't switch to an older one (classic). | Unbounded. |

-|`ClassicSimilarity` | Present on older search services. You can [opt-in for BM25](index-ranking-similarity.md) and choose an algorithm on a per-index basis. | 0 < 1.00 |

-Both BM25 and Classic are TF-IDF-like retrieval functions that use the term frequency (TF) and the inverse document frequency (IDF) as variables to calculate relevance scores for each document-query pair, which is then used for ranking results. While conceptually similar to classic, BM25 is rooted in probabilistic information retrieval that produces more intuitive matches, as measured by user research.

-BM25 offers advanced customization options, such as allowing the user to decide how the relevance score scales with the term frequency of matched terms. For more information, see [Configure the scoring algorithm](index-ranking-similarity.md).

-> [!NOTE]

-> If you're using a search service that was created before July 2020, the scoring algorithm is most likely the previous default, `ClassicSimilarity`, which you can upgrade on a per-index basis. See [Enable BM25 scoring on older services](index-ranking-similarity.md#enable-bm25-scoring-on-older-services) for details.

-The following video segment fast-forwards to an explanation of the generally available ranking algorithms used in Azure Cognitive Search. You can watch the full video for more background.

-> [!VIDEO https://www.youtube.com/embed/Y_X6USgvB1g?version=3&start=322&end=643]

-## Score variation

-## Scoring statistics and sticky sessions

-## Scoring profiles

-You can customize the way different fields are ranked by defining a *scoring profile*. Scoring profiles provide criteria for boosting the search score of a match based on content characteristics. For example, you might want to boost matches based on their revenue potential, promote newer items, or perhaps boost items that have been in inventory too long.

-A scoring profile is part of the index definition, composed of weighted fields, functions, and parameters. For more information about defining one, see [Scoring Profiles](index-add-scoring-profiles.md).

-| [Hybrid search](vector-search-ranking.md#hybrid-search) | Combines any or all of the above query techniques. Vector and non-vector queries execute in parallel and are returned in a unified result set. | The most significant gains in precision and recall are through hybrid queries. |

-A cross-field vector query sends a single query across multiple vector fields in your search index. This query example looks for similarity in both "titleVector" and "contentVector" and displays scores using [Reciprocal Rank Fusion (RRF)](vector-search-ranking.md#reciprocal-rank-fusion-rrf-for-hybrid-queries):

-Multi-query vector search sends multiple queries across multiple vector fields in your search index. This query example looks for similarity in both `titleVector` and `contentVector`, but sends in two different query embeddings respectively. This scenario is ideal for multi-modal use cases where you want to search over a `textVector` field and an `imageVector` field. You can also use this scenario if you have different embedding models with different dimensions in your search index. This also displays scores using [Reciprocal Rank Fusion (RRF)](vector-search-ranking.md#reciprocal-rank-fusion-rrf-for-hybrid-queries).

-The response includes the top 10 ordered by search score. Both vector queries and free text queries are assigned a search score according to the scoring or similarity functions configured on the fields (BM25 for text fields). The scores are merged using [Reciprocal Rank Fusion (RRF)](vector-search-ranking.md#reciprocal-rank-fusion-rrf-for-hybrid-queries) to weight each document with the inverse of its position in the ranked result set.

-description: Explore Lucene query processing and document retrieval concepts for full text search, as related to Azure Cognitive Search.

-This article is for developers who need a deeper understanding of how Apache Lucene full text search works in Azure Cognitive Search. For text queries, Azure Cognitive Search will seamlessly deliver expected results in most scenarios, but occasionally you might get a result that seems "off" somehow. In these situations, having a background in the four stages of Lucene query execution (query parsing, lexical analysis, document matching, scoring) can help you identify specific changes to query parameters or index configuration that will deliver the desired outcome.

-A full text search query starts with parsing the query text to extract search terms and operators. There are two parsers so that you can choose between speed and complexity. An analysis phase is next, where individual query terms are sometimes broken down and reconstituted into new forms to cast a broader net over what could be considered as a potential match. The search engine then scans the index to find documents with matching terms and scores each match. A result set is then sorted by a relevance score assigned to each individual matching document. Those at the top of the ranked list are returned to the calling application.

-For a full list of supported query types see [Lucene query syntax](/rest/api/searchservice/lucene-query-syntax-in-azure-search)

-When the default analyzer processes the term, it will lowercase "ocean view" and "spacious", and remove the comma character. The modified query tree will look as follows:

-The behavior of an analyzer can be tested using the [Analyze API](/rest/api/searchservice/test-analyzer). Provide the text you want to analyze to see what terms given analyzer will generate. For example, to see how the standard analyzer would process the text "air-condition", you can issue the following request:

-In general, document score isn't the best attribute for ordering documents if order stability is important. For example, given two documents with an identical score, there's no guarantee which one appears first in subsequent runs of the same query. Document score should only give a general sense of document relevance relative to other documents in the results set.

-The success of commercial search engines has raised expectations for full text search over private data. For almost any kind of search experience, we now expect the engine to understand our intent, even when terms are misspelled or incomplete. We might even expect matches based on near equivalent terms or synonyms that we never actually specified.

-# Create a full-text query in Azure Cognitive Search

-A full text query is specified in a `search` parameter and consists of terms, quote-enclosed phrases, and operators. Other parameters add more definition. For example, `searchFields` scopes query execution to specific fields, `select` specifies which fields are returned in results, and `count` returns the number of matches found in the index.

-Start with [Create a search index using REST and Postman](search-get-started-rest.md) for step-by-step instructions for setting up requests.

-For more information and an example, see [Geospatial search example](search-query-simple-examples.md#example-6-geospatial-search).

-+ Azure Cognitive Search, in any region and on any tier. Most existing services support vector search. For a small subset of services created prior to January 2019, an index containing vector fields fails on creation. In this situation, a new service must be created.

- + "Bi-directional link count" default is 4. The range is 2 to 100. Lower values should return less noise in the results.

- + "efConstruction" default is 400. It's the number of nearest neighbors used during indexing.

- + "efSearch default is 500. It's the number of nearest neighbors used during search.

-description: Build queries for vector-only fields and hybrid search scenarios that combine vectors with semantic and standard search syntax.

-# Query vector data in a search index

-+ Azure Cognitive Search, in any region and on any tier. Most existing services support vector search. For a small subset of services created prior to January 2019, an index containing vector fields will fail on creation. In this situation, a new service must be created.

-+ A `vectorSearch` algorithm configuration embedded in the index schema.

-To query a vector field, the query itself must be a vector. To convert a text query string provided by a user into a vector representation, your application must call an embedding library that provides this capability. Use the same embedding library that you used to generate embeddings in the source documents.

-description: Describes concepts, scenarios, and availability of the vector search feature in Cognitive Search.

-# Vector search within Azure Cognitive Search

-+ **Hybrid search**. Vector search is implemented at the field level, which means you can build queries that include both vector fields and searchable text fields. The queries execute in parallel and the results are merged into a single response. Optionally, add [semantic search (preview)](semantic-search-overview.md) for even more accuracy with L2 reranking using the same language models that power Bing.

-description: Explains the concepts behind vector query execution, including how matches are found in vector space and ranked in search results.

-# Vector query execution and scoring in Azure Cognitive Search

-This article is for developers who need a deeper understanding of vector query execution and ranking in Azure Cognitive Search.

-## Vector similarity

-In a vector query, the search query is a vector, as opposed to a string in full-text queries. Documents that match the vector query are ranked using the vector similarity algorithm configured on the vector field defined in the index. A vector query specifies the `k` parameter, which determines how many nearest neighbors of the query vector should be returned in the results.

-> [!NOTE]

-> Full-text search queries could return fewer than the requested number of results if there are insufficient matches, but vector search always return up to `k` matches as long as there are enough documents in the index. This is because with vector search, similarity is relative to the input query vector, not absolute. Less relevant results have a worse similarity score, but they are still the "nearest" vectors if there isn't anything closer. As such, a response with no meaningful results can still return `k` results, but each result's similarity score would be low.

-In a typical application, the input value within a query request would be fed into the same machine learning model that generated the embedding space for the vector index. This model would output a vector in the same embedding space. Since similar vectors are clustered close together, finding matches is equivalent to finding the nearest vectors and returning the associated documents as the search result.

-For example, if a query request is about dogs, the model maps the query into a vector that exists somewhere in the cluster of vectors representing documents about dogs. Identifying which vectors are the most similar to the query, based on a similarity metric, determines which documents are the most relevant.

-### Similarity metrics used to measure nearness

-A similarity metric measures the distance between neighboring vectors. Commonly used similarity metrics include `cosine`, `euclidean` (also known as `l2 norm`), and `dotProduct`, which are summarized in the following table.

-| `cosine` | Calculates the angle between two vectors. Cosine is the similarity metric used by [Azure OpenAI embedding models](/azure/ai-services/openai/concepts/understand-embeddings#cosine-similarity). |

-## Hybrid search

-By performing similarity searches over vector representations of your data, you can find information that's similar to your search query, even if the search terms don't match up perfectly to the indexed content. In practice, we often need to expand lexical matches with semantic matches to guarantee good recall. The notion of composing term queries with vector queries is called *hybrid search*.

-In Azure Cognitive Search, embeddings are indexed alongside textual and numerical fields allowing you to issue hybrid term and vector queries and take advantage of existing functionalities like filtering, faceting, sorting, scoring profiles, and [semantic search](semantic-search-overview.md) in a single search request.

-Hybrid search combines results from both term and vector queries, which use different ranking functions such as BM25 and cosine similarity. To present these results in a single ranked list, a method of merging the ranked result lists is needed.

-## Reciprocal Rank Fusion (RRF) for hybrid queries

-For hybrid search scoring, Cognitive Search uses Reciprocal Rank Fusion (RRF). In information retrieval, RRF combines the results of different search methods to produce a single, more accurate and relevant result. Here, a search method refers to methods such as vector search and full-text search. RRF is based on the concept of reciprocal rank, which is the inverse of the rank of the first relevant document in a list of search results. 

-At a basic level, RRF works by taking the search results from multiple methods, assigning a reciprocal rank score to each document in the results, and then combining these scores to create a new ranking. The main idea behind this method is that documents appearing in the top positions across multiple search methods are likely to be more relevant and should be ranked higher in the combined result.

-Here's a simple explanation of the RRF process:

-1. Obtain search results from multiple methods.

- In the context of Azure Cognitive Search, this is vector search and full-text search, with or without semantic ranking. We search for a specific query using both methods and get parallel ranked lists of documents as results. Each method has a ranking methodology. With BM25 ranking on full-text search, rank is by **`@search.score`**. With semantic reranking over BM25 ranked results, rank is by **`@search.rerankerScore`**. With similarity search for vector queries, the similarity score is also articulated as **`@search.score`** within its result set.

-1. Assign reciprocal rank scores for result in each of the ranked lists. A new **`@search.score`** property is generated by the RFF algorithm for each match in each result set. For each document in the search results, we assign a reciprocal rank score based on its position in the list. The score is calculated as `1/(rank + k)`, where `rank` is the position of the document in the list, and `k` is a constant, which was experimentally observed to perform best if it's set to a small value like 60.

-1. Combine scores. For each document, we sum the reciprocal rank scores obtained from each search system. This gives us a combined score for each document. 

-1. Rank documents based on combined scores. Finally, we sort the documents based on their combined scores, and the resulting list is the fused ranking. A

-Whenever results are ranked, **`@search.score`** property contains the value used to order the results. Scores are generated by ranking algorithms that vary for each method and aren't comparable.

-| Search method | @search.score algorithm |

-||-|

-| full-text search | **`@search.score`** is produced by the BM25 algorithm and its values are unbounded. |

-| vector similarity search | **`@search.score`** is produced by the HNSW algorithm, plus the similarity metric specified in the configuration. |

-| hybrid search | **`@search.score`** is produced by the RFF algorithm that merges results from parallel query execution, such as vector and full-text search. |

-| hybrid search with semantic reranking | **`@search.score`** is the RRF score from your initial retrieval, but you'll also see the **@search.rerankerScore** which is from the reranking model powered by Bing, which ranges from 0-4.

-By default, if you aren't using pagination, Cognitive Search returns the top 50 highest ranking matches for full text search, and it returns `k` matches for vector search. In a hybrid query, the top 50 highest ranked matches of the unified result set are returned. You can use `$top`, `$skip`, and `$next` for paginated results. For more information, see [How to work with search results](search-pagination-page-layout.md).

-As you consider and evaluate public cloud services, itΓÇÖs critical to understand the shared responsibility model and which security tasks are handled by the cloud provider and which tasks are handled by you. The workload responsibilities vary depending on whether the workload is hosted on Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or in an on-premises datacenter

-For all cloud deployment types, you own your data and identities. You are responsible for protecting the security of your data and identities, on-premises resources, and the cloud components you control (which varies by service type).

-Regardless of the type of deployment, the following responsibilities are always retained by you:

-The following diagram shows a traditional approach where many security responsibilities are unmet due to limited resources. In the cloud-enabled approach, you are able to shift day to day security responsibilities to your cloud provider and reallocate your resources.

-In the cloud-enabled approach, you are also able to leverage cloud-based security capabilities for more effectiveness and use cloud intelligence to improve your threat detection and response time. By shifting responsibilities to the cloud provider, organizations can get more security coverage, which enables them to reallocate security resources and budget to other business priorities.

-## Next steps

-For more information on the division of responsibility between you and Microsoft in a SaaS, PaaS, and IaaS deployment, see [Shared responsibilities for cloud computing](https://azure.microsoft.com/resources/shared-responsibility-for-cloud-computing/).

-In this document, you learned how to connect external data sources to the Microsoft Sentinel Data Collector API. To take full advantage of the capabilities built in to these data connectors, select the **Next steps** tab on the data connector page. There you'll find some ready-made sample queries, workbooks, and analytics rule templates so you can get started finding useful information.

- - To use Microsoft Sentinel, you need either **contributor** or **reader** permissions on the resource group that the workspace belongs to.

- - To install or manage solutions in the content hub, you need the **Template Spec Contributor** role on the resource group that the workspace belongs to.

- Find packaged solutions for end-to-end products or standalone content from the content hub in Microsoft Sentinel. To install and manage content from the content hub, assign the [**Template Spec Contributor**](../role-based-access-control/built-in-roles.md#template-spec-contributor) role at the resource group level.

-| Microsoft Sentinel Contributor | -- | -- | &#10003; | &#10003; | &#10003; | --|

-| Template Spec Contributor | -- | -- | -- | -- | -- |&#10003; |

-|**Security engineers** | [Microsoft Sentinel Contributor](../role-based-access-control/built-in-roles.md#microsoft-sentinel-contributor) |Microsoft Sentinel's resource group | View data, incidents, workbooks, and other Microsoft Sentinel resources. <br><br>Manage incidents, such as assigning or dismissing incidents. <br><br>Create and edit workbooks, analytics rules, and other Microsoft Sentinel resources. |

-In order to install, update and delete standalone content or solutions in content hub, you need the **Template Spec Contributor** role at the resource group level. See [Azure RBAC built in roles](../role-based-access-control/built-in-roles.md#template-spec-contributor) for details on this role.

- "ResourceId": "/SUBSCRIPTIONS/<AZURE SUBSCRPTION ID>/RESOURCEGROUPS/<RESOURCE GROUP NAME>/PROVIDERS/MICROSOFT.SERVICEBUS/NAMESPACES/<SERVICE BUS NAMESPACE NAME>",

- "ResourceId": "/SUBSCRIPTIONS/<AZURE SUBSCRPTION ID>/RESOURCEGROUPS/<RESOURCE GROUP NAME>/PROVIDERS/MICROSOFT.SERVICEBUS/NAMESPACES/<SERVICE BUS NAMESPACE NAME>",

-This video provides another example. It demonstrates how to recover a two-tier WordPress application to Azure:

-description: Learn how to allow or disallow anonymous access to blob data for the storage account. Set the container public access setting to make containers and blobs available for anonymous access.

-# Configure anonymous public read access for containers and blobs

-Azure Storage supports optional anonymous public read access for containers and blobs. By default, anonymous access to your data is never permitted. Unless you explicitly enable anonymous access, all requests to a container and its blobs must be authorized. When you configure a container's public access level setting to permit anonymous access, clients can read data in that container without authorizing the request.

-> When a container is configured for public access, any client can read data in that container. Public access presents a potential security risk, so if your scenario does not require it, we recommend that you disallow it for the storage account.

-This article describes how to configure anonymous public read access for a container and its blobs. For information about how to remediate anonymous access for optimal security, see one of these articles:

-## About anonymous public read access

-Public access to your data is always prohibited by default. There are two separate settings that affect public access:

-1. **Allow public access for the storage account.** By default, an Azure Resource Manager storage account allows a user with the appropriate permissions to enable public access to a container. Blob data is not available for public access unless the user takes the additional step to explicitly configure the container's public access setting.

-1. **Configure the container's public access setting.** By default, a container's public access setting is disabled, meaning that authorization is required for every request to the container or its data. A user with the appropriate permissions can modify a container's public access setting to enable anonymous access only if anonymous access is allowed for the storage account.

-The following table summarizes how both settings together affect public access for a container.

-| | Public access level for the container is set to Private (default setting) | Public access level for the container is set to Container | Public access level for the container is set to Blob |

-| **Public access is disallowed for the storage account** | No public access to any container in the storage account. | No public access to any container in the storage account. The storage account setting overrides the container setting. | No public access to any container in the storage account. The storage account setting overrides the container setting. |

-| **Public access is allowed for the storage account (default setting)** | No public access to this container (default configuration). | Public access is permitted to this container and its blobs. | Public access is permitted to blobs in this container, but not to the container itself. |

-When anonymous public access is permitted for a storage account and configured for a specific container, then a request to read a blob in that container that is passed without an *Authorization* header is accepted by the service, and the blob's data is returned in the response.

-## Allow or disallow public read access for a storage account

-By default, a storage account is configured to allow a user with the appropriate permissions to enable public access to a container. When public access is allowed, a user with the appropriate permissions can modify a container's public access setting to enable anonymous public access to the data in that container. Blob data is never available for public access unless the user takes the additional step to explicitly configure the container's public access setting.

-Keep in mind that public access to a container is always turned off by default and must be explicitly configured to permit anonymous requests. Regardless of the setting on the storage account, your data will never be available for public access unless a user with appropriate permissions takes this additional step to enable public access on the container.

-Disallowing public access for the storage account overrides the public access settings for all containers in that storage account, preventing anonymous access to blob data in that account. When public access is disallowed for the account, it is not possible to configure the public access setting for a container to permit anonymous access, and any future anonymous requests to that account will fail. Before changing this setting, be sure to understand the impact on client applications that may be accessing data in your storage account anonymously. For more information, see [Prevent anonymous public read access to containers and blobs](anonymous-read-access-prevent.md).

-> After anonymous public access is disallowed for a storage account, clients that use the anonymous bearer challenge will find that Azure Storage returns a 403 error (Forbidden) rather than a 401 error (Unauthorized). We recommend that you make all containers private to mitigate this issue. For more information on modifying the public access setting for containers, see [Set the public access level for a container](anonymous-read-access-configure.md#set-the-public-access-level-for-a-container).

-Allowing or disallowing blob public access requires version 2019-04-01 or later of the Azure Storage resource provider. For more information, see [Azure Storage Resource Provider REST API](/rest/api/storagerp/).

-### Permissions for disallowing public access

-Role assignments must be scoped to the level of the storage account or higher to permit a user to disallow public access for the storage account. For more information about role scope, see [Understand scope for Azure RBAC](../../role-based-access-control/scope-overview.md).

-To allow or disallow public access for a storage account, configure the account's **AllowBlobPublicAccess** property. This property is available for all storage accounts that are created with the Azure Resource Manager deployment model. For more information, see [Storage account overview](../common/storage-account-overview.md).

-The **AllowBlobPublicAccess** property is not set for a storage account by default and does not return a value until you explicitly set it. The storage account permits public access when the property value is either **null** or **true**.

-To allow or disallow public access for a storage account in the Azure portal, follow these steps:

-1. Set **Blob public access** to **Enabled** or **Disabled**.

- :::image type="content" source="media/anonymous-read-access-configure/blob-public-access-portal.png" alt-text="Screenshot showing how to allow or disallow blob public access for account":::

-To allow or disallow public access for a storage account with PowerShell, install [Azure PowerShell version 4.4.0](https://www.powershellgallery.com/packages/Az/4.4.0) or later. Next, configure the **AllowBlobPublicAccess** property for a new or existing storage account.

-# Create a storage account with AllowBlobPublicAccess set to false.

-To allow or disallow public access for a storage account with Azure CLI, install Azure CLI version 2.9.0 or later. For more information, see [Install the Azure CLI](/cli/azure/install-azure-cli). Next, configure the **allowBlobPublicAccess** property for a new or existing storage account.

-To allow or disallow public access for a storage account with a template, create a template with the **AllowBlobPublicAccess** property set to **true** or **false**. The following steps describe how to create a template in the Azure portal.

-> Disallowing public access for a storage account does not affect any static websites hosted in that storage account. The **$web** container is always publicly accessible.

-> After you update the public access setting for the storage account, it may take up to 30 seconds before the change is fully propagated.

-When a container is configured for anonymous public access, requests to read blobs in that container do not need to be authorized. However, any firewall rules that are configured for the storage account remain in effect and will block traffic inline with the configured ACLs.

-Allowing or disallowing blob public access requires version 2019-04-01 or later of the Azure Storage resource provider. For more information, see [Azure Storage Resource Provider REST API](/rest/api/storagerp/).

-The examples in this section showed how to read the **AllowBlobPublicAccess** property for the storage account to determine if public access is currently allowed or disallowed. To learn more about how to verify that an account's public access setting is configured to prevent anonymous access, see [Remediate anonymous public access for the storage account](anonymous-read-access-prevent.md#remediate-anonymous-public-access-for-the-storage-account).

-## Set the public access level for a container

-To grant anonymous users read access to a container and its blobs, first allow public access for the storage account, then set the container's public access level. If public access is denied for the storage account, you will not be able to configure public access for a container.

-When public access is allowed for a storage account, you can configure a container with the following permissions:

-You cannot change the public access level for an individual blob. Public access level is set only at the container level. You can set the container's public access level when you create the container, or you can update the setting on an existing container.

-To update the public access level for one or more existing containers in the Azure portal, follow these steps:

-1. Under **Data storage** on the menu blade, select **Blob containers**.

-1. Select the containers for which you want to set the public access level.

-1. Use the **Change access level** button to display the public access settings.

-1. Select the desired public access level from the **Public access level** dropdown and click the OK button to apply the change to the selected containers.

- :::image type="content" source="media/anonymous-read-access-configure/configure-public-access-container.png" alt-text="Screenshot showing how to set public access level in the portal." lightbox="media/anonymous-read-access-configure/configure-public-access-container.png":::

-When public access is disallowed for the storage account, a container's public access level cannot be set. If you attempt to set the container's public access level, you'll see that the setting is disabled because public access is disallowed for the account.

-To update the public access level for one or more containers with PowerShell, call the [Set-AzStorageContainerAcl](/powershell/module/az.storage/set-azstoragecontaineracl) command. Authorize this operation by passing in your account key, a connection string, or a shared access signature (SAS). The [Set Container ACL](/rest/api/storageservices/set-container-acl) operation that sets the container's public access level does not support authorization with Azure AD. For more information, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations).

-The following example creates a container with public access disabled, and then updates the container's public access setting to permit anonymous access to the container and its blobs. Remember to replace the placeholder values in brackets with your own values:

-# Create a new container with public access setting set to Off.

-# Read the container's public access setting.

-# Update the container's public access setting to Container.

-# Read the container's public access setting.

-When public access is disallowed for the storage account, a container's public access level cannot be set. If you attempt to set the container's public access level, Azure Storage returns error indicating that public access is not permitted on the storage account.

-To update the public access level for one or more containers with Azure CLI, call the [az storage container set permission](/cli/azure/storage/container#az-storage-container-set-permission) command. Authorize this operation by passing in your account key, a connection string, or a shared access signature (SAS). The [Set Container ACL](/rest/api/storageservices/set-container-acl) operation that sets the container's public access level does not support authorization with Azure AD. For more information, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations).

-The following example creates a container with public access disabled, and then updates the container's public access setting to permit anonymous access to the container and its blobs. Remember to replace the placeholder values in brackets with your own values:

-When public access is disallowed for the storage account, a container's public access level cannot be set. If you attempt to set the container's public access level, Azure Storage returns error indicating that public access is not permitted on the storage account.

-## Check the public access setting for a set of containers

-It is possible to check which containers in one or more storage accounts are configured for public access by listing the containers and checking the public access setting. This approach is a practical option when a storage account does not contain a large number of containers, or when you are checking the setting across a small number of storage accounts. However, performance may suffer if you attempt to enumerate a large number of containers.

-The following example uses PowerShell to get the public access setting for all containers in a storage account. Remember to replace the placeholder values in brackets with your own values:

-description: Learn how to remediate anonymous public read access to blob data for both Azure Resource Manager and classic storage accounts.

-# Overview: Remediating anonymous public read access for blob data

-Azure Storage supports optional anonymous public read access for containers and blobs. By default, anonymous access to your data is never permitted. Unless you explicitly enable anonymous access, all requests to a container and its blobs must be authorized. We recommend that you disable anonymous public access for all of your storage accounts.

-This article provides an overview of how to remediate anonymous public access for your storage accounts.

-> Anonymous public access presents a security risk. We recommend that you take the actions described in the following section to remediate public access for all of your storage accounts, unless your scenario specifically requires anonymous access.

-## Recommendations for remediating anonymous public access

-To remediate anonymous public access, first determine whether your storage account uses the Azure Resource Manager deployment model or the classic deployment model. For more information, see [Resource Manager and classic deployment](../../azure-resource-manager/management/deployment-models.md).

-If your storage account is using the Azure Resource Manager deployment model, then you can remediate public access by setting the account's **AllowBlobPublicAccess** property to **False**. After you set the **AllowBlobPublicAccess** property to **False**, all requests for blob data to that storage account will require authorization, regardless of the public access setting for any individual container.

-To learn more about how to remediate public access for Azure Resource Manager accounts, see [Remediate anonymous public read access to blob data (Azure Resource Manager deployments)](anonymous-read-access-prevent.md).

-If your storage account is using the classic deployment model, then you can remediate public access by setting each container's public access property to **Private**. To learn more about how to remediate public access for classic storage accounts, see [Remediate anonymous public read access to blob data (classic deployments)](anonymous-read-access-prevent-classic.md).

-If your scenario requires that certain containers need to be available for public access, then you should move those containers and their blobs into separate storage accounts that are reserved only for public access. You can then disallow public access for any other storage accounts using the recommendations provided in [Recommendations for remediating anonymous public access](#recommendations-for-remediating-anonymous-public-access).

-For information on how to configure containers for public access, see [Configure anonymous public read access for containers and blobs](anonymous-read-access-configure.md).

-description: Learn how to prevent anonymous requests against a classic storage account by disabling anonymous public access to containers.

-# Remediate anonymous public read access to blob data (classic deployments)

-Azure Blob Storage supports optional anonymous public read access to containers and blobs. However, anonymous access may present a security risk. We recommend that you disable anonymous access for optimal security. Disallowing public access helps to prevent data breaches caused by undesired anonymous access.

-By default, public access to your blob data is always prohibited. However, the default configuration for a classic storage account permits a user with appropriate permissions to configure public access to containers and blobs in a storage account. To prevent public access to a classic storage account, you must configure each container in the account to block public access.

-If your storage account is using the classic deployment model, we recommend that you [migrate](../../virtual-machines/migration-classic-resource-manager-overview.md#migration-of-storage-accounts) to the Azure Resource Manager deployment model as soon as possible. After you migrate your account, you can configure it to disallow anonymous public access at the account level. For information about how to disallow anonymous public access for an Azure Resource Manager account, see [Remediate anonymous public read access to blob data (Azure Resource Manager deployments)](anonymous-read-access-prevent.md).

-If you cannot migrate your classic storage accounts at this time, then you should remediate public access to those accounts now by setting all containers to be private. This article describes how to remediate access to the containers in a classic storage account.

-> Anonymous public access presents a security risk. We recommend that you take the actions described in the following section to remediate public access for all of your classic storage accounts, unless your scenario specifically requires anonymous access.

-To remediate anonymous access for a classic storage account, set the public access level for each container in the account to **Private**.

-To remediate public access for one or more containers in the Azure portal, follow these steps:

-1. Select the containers for which you want to set the public access level.

-1. Use the **Change access level** button to display the public access settings.

-1. Select **Private (no anonymous access)** from the **Public access level** dropdown and click the OK button to apply the change to the selected containers.

- :::image type="content" source="media/anonymous-read-access-prevent-classic/configure-public-access-container.png" alt-text="Screenshot showing how to set public access level in the portal." lightbox="media/anonymous-read-access-prevent-classic/configure-public-access-container.png":::

-To remediate anonymous access for one or more containers with PowerShell, call the [Set-AzStorageContainerAcl](/powershell/module/az.storage/set-azstoragecontaineracl) command. Authorize this operation by passing in your account key, a connection string, or a shared access signature (SAS). The [Set Container ACL](/rest/api/storageservices/set-container-acl) operation that sets the container's public access level does not support authorization with Azure AD. For more information, see [Permissions for calling blob and queue data operations](/rest/api/storageservices/authorize-with-azure-active-directory#permissions-for-calling-data-operations).