Merge pull request #296375 from MicrosoftDocs/main

3/14/2025 PM Publish

Author: Albertyang0

.openpublishing.redirection.json

@@ -2819,6 +2819,11 @@
       "redirect_url": "/azure/bastion/bastion-connect-vm-ssh-linux",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/bastion/quickstart-developer-sku.md",
+      "redirect_url": "/azure/bastion/quickstart-developer",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/bastion/bastion-connect-vm-rdp.md",
       "redirect_url": "/azure/bastion/bastion-connect-vm-rdp-windows",

articles/application-gateway/for-containers/alb-controller-release-notes.md

@@ -26,12 +26,12 @@ Instructions for new or existing deployments of ALB Controller are found in the
 
 | ALB Controller Version | Gateway API Version | Kubernetes Version | Release Notes |
 | ---------------------- | ------------------- | ------------------ | ------------- |
-| 1.4.12 | v1.1.1 | v1.26, v1.27, v1.28, v1.29, v1.30 | Updated to Gateway API version 1.1.1, Regex match support for path and header match in HTTP and GRPC routes, [Wildcard hostname fix](https://github.com/Azure/AKS/issues/4713), Misc. bug fixes and improvements |
-
+| 1.4.14 | v1.1.1 | v1.26, v1.27, v1.28, v1.29, v1.30 | Bug fixes, including [issue #4086](https://github.com/Azure/AKS/issues/4086)  |
 ## Release history
 
 | ALB Controller Version | Gateway API Version | Kubernetes Version | Release Notes |
 | ---------------------- | ------------------- | ------------------ | ------------- |
+| 1.4.12 | v1.1.1 | v1.26, v1.27, v1.28, v1.29, v1.30 | Updated to Gateway API version 1.1.1, Regex match support for path and header match in HTTP and GRPC routes, [Wildcard hostname fix](https://github.com/Azure/AKS/issues/4713), Misc. bug fixes and improvements |
 | 1.3.7| v1.1 | v1.26, v1.27, v1.28, v1.29, v1.30 | Minor fixes and improvements |
 | 1.2.3| v1.1 | v1.26, v1.27, v1.28, v1.29, v1.30 | Gateway API v1.1, gRPC support, frontend mutual authentication, readiness probe fixes, custom health probe port and TLS mode  |
 | 1.0.2| v1 | v1.26, v1.27, v1.28, v1.29 | ECDSA + RSA certificate support for both Ingress and Gateway API, Ingress fixes, Server-sent events support |

articles/application-gateway/for-containers/quickstart-deploy-application-gateway-for-containers-alb-controller.md

@@ -146,7 +146,7 @@ You need to complete the following tasks before deploying Application Gateway fo
     az aks get-credentials --resource-group $RESOURCE_GROUP --name $AKS_NAME
     helm install alb-controller oci://mcr.microsoft.com/application-lb/charts/alb-controller \
          --namespace $HELM_NAMESPACE \
-         --version 1.4.12 \
+         --version 1.4.14 \
          --set albController.namespace=$CONTROLLER_NAMESPACE \
          --set albController.podIdentity.clientID=$(az identity show -g $RESOURCE_GROUP -n azure-alb-identity --query clientId -o tsv)
     ```
@@ -164,7 +164,7 @@ You need to complete the following tasks before deploying Application Gateway fo
     az aks get-credentials --resource-group $RESOURCE_GROUP --name $AKS_NAME
     helm upgrade alb-controller oci://mcr.microsoft.com/application-lb/charts/alb-controller \
         --namespace $HELM_NAMESPACE \
-        --version 1.4.12 \
+        --version 1.4.14 \
         --set albController.namespace=$CONTROLLER_NAMESPACE \
         --set albController.podIdentity.clientID=$(az identity show -g $RESOURCE_GROUP -n azure-alb-identity --query clientId -o tsv)
     ```

articles/application-gateway/for-containers/troubleshooting-guide.md

@@ -25,10 +25,10 @@ Example output:
 
 | NAME                     | READY | UP-TO-DATE | AVAILABLE | AGE  | CONTAINERS              | IMAGES                                                                          | SELECTOR |
 | ------------------------ | ----- | ---------- | --------- | ---- | ----------------------- | ------------------------------------------------------------------------------- | -------- |
-| alb-controller           | 2/2   | 2          | 2         | 18d | alb-controller           | mcr.microsoft.com/application-lb/images/alb-controller:**1.4.12**           | app=alb-controller |
-| alb-controller-bootstrap | 1/1   | 1          | 1         | 18d | alb-controller-bootstrap | mcr.microsoft.com/application-lb/images/alb-controller-bootstrap:**1.4.12** | app=alb-controller-bootstrap |
+| alb-controller           | 2/2   | 2          | 2         | 18d | alb-controller           | mcr.microsoft.com/application-lb/images/alb-controller:**1.4.14**           | app=alb-controller |
+| alb-controller-bootstrap | 1/1   | 1          | 1         | 18d | alb-controller-bootstrap | mcr.microsoft.com/application-lb/images/alb-controller-bootstrap:**1.4.14** | app=alb-controller-bootstrap |
 
-In this example, the ALB controller version is **1.4.12**.
+In this example, the ALB controller version is **1.4.14**.
 
 The ALB Controller version can be upgraded by running the `helm upgrade alb-controller` command. For more information, see [Install the ALB Controller](quickstart-deploy-application-gateway-for-containers-alb-controller.md#install-the-alb-controller).
 

articles/azure-cache-for-redis/cache-migration-guide.md

@@ -7,6 +7,8 @@ description: Learn how to migrate your existing cache to Azure Cache for Redis
 ms.topic: conceptual
 ms.custom:
   - ignite-2024
+  - migration
+  - aws-to-azure
 ms.date: 11/17/2021
 ---
 # Migrate to Azure Cache for Redis

articles/azure-resource-manager/management/resource-name-rules.md

@@ -2,7 +2,7 @@
 title: Naming rules and restrictions for Azure resources
 description: Learn the rules and restrictions for naming Azure resources.
 ms.topic: conceptual
-ms.date: 02/19/2025
+ms.date: 03/14/2025
 ---
 
 # Naming rules and restrictions for Azure resources
@@ -634,9 +634,10 @@ In the following tables, the term alphanumeric refers to:
 > | netAppAccounts / backups | NetApp account | 3-225 | Alphanumerics, underscores, periods, and hyphens <br><br> Start with alphanumeric. |
 > | netAppAccounts / backupPolicies | NetApp account | 1-64 | Alphanumerics, underscores, and hyphens <br><br> Start with alphanumeric. |
 > | netAppAccounts / capacityPools | NetApp account | 1-64 |  Alphanumerics, underscores, and hyphens<br><br>Start with alphanumeric. |
+> | netAppAccounts / shareNames | NetApp account | 1-64 | Alphanumerics and hyphens. <br><br>Start with alphanumeric.<br><br>Underscores aren't supported. |
 > | netAppAccounts / snapshots | NetApp account | 1-255 | Alphanumerics, underscores, and hyphens <br><br> Start with alphanumeric. |
 > | netAppAccounts / snapshotPolicies | NetApp account | 1-64 |  Alphanumerics, underscores, and hyphens<br><br>Start with alphanumeric. |
-> | netAppAccounts / volumes | NetApp account | 1-64 | Alphanumerics, underscores, and hyphens <br><br> Start with alphanumeric. <br><br> Volume can't be named `bin` or `default`. |
+> | netAppAccounts / volumes | NetApp account | 1-64 | Alphanumerics and hyphens <br><br> Start with alphanumeric. <br><br> Volume can't be named `bin` or `default`. |
 > | netAppAccounts / volumeGroups | NetApp account | 3-64 |  Alphanumerics, underscores, and hyphens<br><br>Start with alphanumeric. |
 
 ## Microsoft.Network

articles/azure-signalr/includes/signalr-add-role-assignments.md

@@ -0,0 +1,62 @@
+---
+title: include file
+description: include file
+author: terencefan
+ms.service: azure-signalr-service
+ms.topic: include
+ms.date: 03/12/2025
+ms.author: tefa
+ms.custom: include file
+---
+
+The following steps describe how to assign a **SignalR App Server** role to a service principal or a managed identity for an Azure SignalR Service resource. For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.yml).
+
+> [!NOTE]
+> A role can be assigned to any scope, including management group, subscription, resource group, or single resource. To learn more about scope, see [Understand scope for Azure RBAC](../../role-based-access-control/scope-overview.md).
+
+1. In the [Azure portal](https://portal.azure.com/), go to your Azure SignalR Service resource.
+
+1. Select **Access control (IAM)** in the sidebar.
+
+1. Select **Add** > **Add role assignment**.
+
+   :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows the page for access control and selections for adding a role assignment.":::
+
+1. On the **Role** tab, select **SignalR App Server** or other SignalR built-in roles depends on your scenario.
+
+   | Role                                                                                              | Description                                                                                               | Use case                                                                                                                                     |
+   | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+   | [SignalR App Server](../../role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the server connection creation and key generation APIs.                                                | Most commonly used for app server with Azure SignalR resource run in **Default** mode.                                                                                                             |
+   | [SignalR Service Owner](../../role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the server connection creation, and key/token generation APIs. | For negotiation server with Azure SignalR resource run in **Serverless** mode, as it requires both REST API permissions and authentication API permissions. |
+   | [SignalR REST API Owner](../../role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | For using [Azure SignalR Management SDK](/azure/azure-signalr/signalr-howto-use-management-sdk) to manage connections and groups, but does **NOT** make server connections or handle negotiation requests.                          |
+   | [SignalR REST API Reader](../../role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Use it when write a monitoring tool that calls readonly REST APIs.                                      |
+
+1. Select Next.
+
+
+1. For Microsoft Entra application.
+
+
+   1. In the `Assign access` to row, select **User, group, or service principal**.
+   1. In the `Members` row, click `select members`, then choose the identity in the pop-up window.
+
+1. For managed identity for Azure resources.
+
+   1. In the `Assign access` to row, select **Managed identity**.
+   1. In the `Members` row, click `select members`, then choose the application in the pop-up window.
+
+1. Select Next.
+
+
+1. Review your assignment, then click **Review + assign** to confirm the role assignment.
+
+> [!IMPORTANT]
+> Newly added role assignments might take up to 30 minutes to propagate.
+
+To learn more about how to assign and manage Azure roles, see these articles:
+
+- [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.yml)
+- [Assign Azure roles using the REST API](../../role-based-access-control/role-assignments-rest.md)
+- [Assign Azure roles using Azure PowerShell](../../role-based-access-control/role-assignments-powershell.md)
+- [Assign Azure roles using the Azure CLI](../../role-based-access-control/role-assignments-cli.md)
+- [Assign Azure roles using Azure Resource Manager templates](../../role-based-access-control/role-assignments-template.md)

articles/azure-signalr/signalr-concept-authorize-azure-active-directory.md

@@ -33,7 +33,7 @@ When a security principal tries to access an Azure SignalR Service resource, the
 
 When you use an access key, the key is shared between your app server (or function app) and the Azure SignalR Service resource. Azure SignalR Service authenticates the client connection request by using the shared key.
 
-When you use Microsoft Entra ID, there is no shared key. Instead, Azure SignalR Service uses a *temporary access key* for signing tokens used in client connections. The workflow contains four steps:
+When you use Microsoft Entra ID, there's no shared key. Instead, Azure SignalR Service uses a *temporary access key* for signing tokens used in client connections. The workflow contains four steps:
 
 1. The security principal requires an OAuth 2.0 token from Microsoft Entra ID to authenticate itself.
 2. The security principal calls the SignalR authentication API to get a temporary access key.
@@ -44,13 +44,27 @@ The temporary access key expires in 90 minutes. We recommend that you get a new
 
 The workflow is built in the [Azure SignalR Service SDK for app servers](https://github.com/Azure/azure-signalr).
 
+### Cross tenant access when using Microsoft Entra ID
+
+In some cases, your server and your Azure SignalR resource may not be in the same tenant due to security concerns.
+
+A [multitenant applications](/entra/identity-platform/single-and-multi-tenant-apps#best-practices-for-multitenant-apps) could help you in this scenario.
+
+If you've already registered a single-tenant app, see [convert your single-tenant app to multitenant](/entra/identity-platform/howto-convert-app-to-be-multi-tenant).
+
+Once you have registered the multitenant application in your `tenantA`, you should provision it as an enterprise application in your `tenantB`.
+
+[Create an enterprise application from a multitenant application in Microsoft Entra ID](/entra/identity/enterprise-apps/create-service-principal-cross-tenant?pivots=msgraph-powershell)
+
+The application registered in your `tenantA` and the enterprise application provisioned in your `tenantB` share the same Application (client) ID.
+
 ## Assign Azure roles for access rights
 
 Microsoft Entra ID authorizes access rights to secured resources through [Azure RBAC](../role-based-access-control/overview.md). Azure SignalR Service defines a set of Azure built-in roles that encompass common sets of permissions for accessing Azure SignalR Service resources. You can also define custom roles for access to Azure SignalR Service resources.
 
 ### Resource scope
 
-You might have to determine the scope of access that the security principal should have before you assign any Azure RBAC role to a security principal. We recommend that you grant only the narrowest possible scope. Azure RBAC roles defined at a broader scope are inherited by the resources beneath them.
+Before assigning Azure RBAC roles to a security principal, it’s essential to define the appropriate scope of access they should have. We advise granting the most limited scope necessary to minimize unnecessary permissions. Keep in mind that Azure RBAC roles assigned at a higher or broader scope are automatically inherited by the resources nested within that scope.
 
 You can scope access to Azure SignalR Service resources at the following levels, beginning with the narrowest scope.
 
@@ -65,16 +79,16 @@ You can scope access to Azure SignalR Service resources at the following levels,
 
 | Role                                                                                              | Description                                                                                               | Use case                                                                                                                                     |
 | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
-| [SignalR App Server](../role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the WebSocket connection creation API and authentication APIs.                                                | Most commonly used for an app server.                                                                                                             |
-| [SignalR Service Owner](../role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the WebSocket connection creation API, and authentication APIs. | Use for *serverless mode* for authorization with Microsoft Entra ID, because it requires both REST API permissions and authentication API permissions. |
-| [SignalR REST API Owner](../role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | Often used to write a tool that manages connections and groups, but does *not* make connections or call authentication APIs.                          |
-| [SignalR REST API Reader](../role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Commonly used to write a monitoring tool that calls *only* Azure SignalR Service data-plane read-only REST APIs.                                      |
+| [SignalR App Server](../role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the server connection creation and key generation APIs.                                                | Most commonly used for app server with Azure SignalR resource run in **Default** mode.                                                                                                             |
+| [SignalR Service Owner](../role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the server connection creation, and key/token generation APIs. | For negotiation server with Azure SignalR resource run in **Serverless** mode, as it requires both REST API permissions and authentication API permissions. |
+| [SignalR REST API Owner](../role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | For using [Azure SignalR Management SDK](./signalr-howto-use-management-sdk.md) to manage connections and groups, but does **NOT** make server connections or handle negotiation requests.                          |
+| [SignalR REST API Reader](../role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Use it when write a monitoring tool that calls readonly REST APIs.
 
 ## Next steps
 
-- To learn how to create an Azure application and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra applications](signalr-howto-authorize-application.md).
+- To learn how to create an Azure application and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra applications](./signalr-howto-authorize-application.md).
 
-- To learn how to configure a managed identity and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra managed identities](signalr-howto-authorize-managed-identity.md).
+- To learn how to configure a managed identity and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra managed identities](./signalr-howto-authorize-managed-identity.md).
 
 - To learn more about roles and role assignments, see [What is Azure role-based access control (Azure RBAC)?](../role-based-access-control/overview.md).