Merge branch 'main' into release-migrate-new-structure

Author: v-alje

articles/app-service/configure-authentication-provider-openid-connect.md

@@ -27,6 +27,9 @@ Your provider requires you to register the details of your application with it.
 
 You need to collect a *client ID* and a *client secret* for your application. The client secret is an important security credential. Don't share this secret with anyone or distribute it in a client application.
 
+> [!NOTE]
+> You only need to provide a client secret to the configuration if you would like to acquire access tokens for the user through interactive login flow using the authorization code flow. If this is not your case, collecting a secret is not required.
+
 You also need the OIDC metadata for the provider. This metadata is often exposed in a [configuration metadata document](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig), which is the provider's issuer URL suffixed with `/.well-known/openid-configuration`. Get this configuration URL.
 
 If you can't use a configuration metadata document, get the following values separately:
@@ -52,7 +55,7 @@ To add provider information for your OpenID Connect provider, follow these steps
 
    Otherwise, select **Provide endpoints separately**. Put each URL from the identity provider in the appropriate field.
 
-1. Provide the values that you collected earlier for **Client ID** and **Client secret**.
+1. Provide the values that you collected earlier for **Client ID**. If the **Client secret** was also collected, provide it as part of the configuration process.
 
 1. Specify an application setting name for your client secret. Your client secret is stored as an app setting to ensure that secrets are stored in a secure fashion. If you want to manage the secret in Azure Key vault, update that setting later to use [Azure Key Vault references](./app-service-key-vault-references.md).
 
@@ -61,6 +64,8 @@ To add provider information for your OpenID Connect provider, follow these steps
 > [!NOTE]
 > The OpenID provider name can't contain a hyphen (-) because an app setting is created based on this name. The app setting doesn't support hyphens. Use an underscore (_) instead.  
 >
+> It also requires that the `aud` scope in your token be the same as the **Client Id** as configured above. It is currently not possible to configure the allowed audiences for this provider at the moment.
+>
 > Azure requires `openid`, `profile`, and `email` scopes. Make sure that you configure your app registration in your ID provider with at least these scopes.
 
 ## <a name="related-content"> </a>Related content

articles/application-gateway/toc.yml

@@ -77,6 +77,8 @@
     href: application-gateway-faq.yml
 - name: Security
   items:
+  - name: Security baseline
+    href: /security/benchmark/azure/baselines/application-gateway-security-baseline?toc=/azure/application-gateway/toc.json
   - name: Private Deployment
     href: application-gateway-private-deployment.md
   - name: Private Link
@@ -93,8 +95,6 @@
     href: key-vault-certs.md
   - name: SSL certificate management
     href: ssl-certificate-management.md
-  - name: Security baseline
-    href: /security/benchmark/azure/baselines/application-gateway-security-baseline?toc=/azure/application-gateway/toc.json
   - name: TLS 1.0 and 1.1 retirement
     href: application-gateway-tls-version-retirement.md
   - name: Network security blog

articles/azure-government/compliance/azure-services-in-fedramp-auditscope.md

@@ -7,7 +7,7 @@ ms.topic: article
 ms.service: azure-government
 ms.custom: references_regions
 recommendations: false
-ms.date: 01/27/2025
+ms.date: 04/11/2025
 ---
 
 # Azure, Dynamics 365, Microsoft 365, and Power Platform services compliance scope
@@ -89,6 +89,7 @@ This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
 | [Azure for Education](https://azureforeducation.microsoft.com/) | ✅ | ✅ |
 | [Azure Information Protection](/azure/information-protection/) | ✅ | ✅ |
 | [Azure Kubernetes Service (AKS)](/azure/aks/) | ✅ | ✅ |
+| [Azure Load Testing](/azure/load-testing/) | ✅ | ✅ |
 | [Azure Managed Grafana](../../managed-grafana/index.yml) | ✅ | ✅ |
 | [Azure Marketplace portal](https://azuremarketplace.microsoft.com/) | ✅ | ✅ |
 | [Azure Maps](../../azure-maps/index.yml) | ✅ | ✅ |
@@ -201,6 +202,7 @@ This article provides a detailed list of Azure, Dynamics 365, Microsoft 365, and
 | [Microsoft Fabric](/fabric/) | ✅ | ✅ |
 | [Microsoft Graph](/graph/) | ✅ | ✅ |
 | [Microsoft Intune](/mem/intune/) | ✅ | ✅ |
+| [Microsoft Pin Reset Service](/security/identity-protection/hello-for-business/index.yml) | ✅ | ✅ |
 | [Microsoft Purview](../../purview/index.yml) (incl. Data Map, Data Estate Insights, and governance portal) | ✅ | ✅ |
 | [Microsoft Secure Score](/defender-xdr/microsoft-secure-score/) | ✅ | ✅ |
 | [Microsoft Sentinel](../../sentinel/index.yml) (formerly Azure Sentinel) | ✅ | ✅ |

articles/azure-resource-manager/management/move-support-resources.md

@@ -756,6 +756,7 @@ Review the [Checklist before moving resources](./move-resource-group-and-subscri
 > | hostpools | **Yes** | **Yes** | No |
 > | scalingplans | **Yes** | **Yes** | No |
 > | workspaces | **Yes** | **Yes** | No |
+> | appattachpackages | **Yes** | **Yes** | No |
 
 ## Microsoft.Devices
 

articles/azure-vmware/media/attach-netapp-files-to-cloud/architecture-netapp-files-nfs-datastores.png

@@ -135,12 +135,12 @@ Now that you've created a virtual network, create a virtual network gateway:
    | **Name** | Enter a unique name for the virtual network gateway. |
    | **Region** | Select the geographical location of the virtual network gateway. |
    | **Gateway type** | Select **ExpressRoute**. |
-   | **SKU** | Select the gateway type that's appropriate for your workload. <br> For Azure NetApp Files datastores, select **UltraPerformance** or **ErGw3Az**. |
+   | **SKU** | Select the gateway type that's appropriate for your workload. <br> For external storage such as Azure Elastic SAN or Azure NetApp Files datastores, select **UltraPerformance** or **ErGw3Az**. |
    | **Virtual network** | Select the virtual network that you created previously. If you don't see the virtual network, make sure the gateway's region matches the region of your virtual network. |
    | **Gateway subnet address range** | The value is populated when you select the virtual network. Don't change the default value. |
    | **Public IP address** | Select **Create new**. |
-
-   :::image type="content" source="./media/tutorial-configure-networking/create-virtual-network-gateway.png" alt-text="Screenshot that shows the details for a virtual network gateway." border="true":::
+   
+      :::image type="content" source="./media/tutorial-configure-networking/create-virtual-network-gateway.png" alt-text="Screenshot that shows the details for a virtual network gateway." border="true":::
 
 1. Verify that the details are correct, and then select **Create** to start deployment of your virtual network gateway.
 

articles/azure-vmware/tutorial-configure-networking.md

@@ -291,6 +291,19 @@ The following timeouts apply to the Azure Communication Services Calling SDKs:
 | PSTN call establishment timeout. | 115 |
 | Promote a 1:1 call to a group call timeout. | 115 |
 
+### Virtual Rooms 
+The throttling policies of rooms service are determined by grouping requests through **resource id**.
+
+| API | Threshold |
+|--|--|
+| Create Room | 20 req/sec |
+| Update Room | 20 req/sec |
+| Delete Room | 20 req/sec |
+| Get Room    | 40 req/sec |
+| List Rooms  | 10 req/sec |
+| Update participant   | 20 req/sec |
+| List participants    | 40 req/sec |
+
 ### Action to take
 
 For more information about the voice and video calling SDK and service, see [Calling SDK overview](./voice-video-calling/calling-sdk-features.md) or [Known issues in the SDKs and APIs](./known-issues.md). You can also submit a request to [Azure Support](/azure/azure-portal/supportability/how-to-create-azure-support-request) to increase some of the limits. Our vetting team reviews all requests.

articles/communication-services/concepts/service-limits.md

@@ -174,10 +174,10 @@ You can perform the following actions on individual exports.
 When you create a scheduled export, the export runs at the same frequency for each export that runs later. For instance, if the export is scheduled to run once every UTC day, it creates a daily export of costs accumulated from the start of the month to the current date. Individual export runs can occur at different times throughout the day, so avoid relying on the exact time of the export runs. The run timing depends on the active load present in Azure during a given UTC day. Once an export run begins, your data should be available within 4 hours. Exports are scheduled using Coordinated Universal Time (UTC). The Exports API always uses and displays UTC.
 
 When you create an export using the [Exports API](/rest/api/cost-management/exports/create-or-update?tabs=HTTP), specify the `recurrencePeriod` in UTC time. The API doesn’t convert your local time to UTC.
-  - Example - A daily export is scheduled on Friday, August 19 with `recurrencePeriod` set to 2:00 PM. The API receives the input as 2:00 PM UTC, Friday, August 19.
+- Example - A daily export is scheduled on Friday, August 19 with `recurrencePeriod` set to 2:00 PM. The API receives the input as 2:00 PM UTC, Friday, August 19.
 
 When you create an export in the Azure portal, its start date time is automatically converted to the equivalent UTC time.
-  - Example - A daily export is scheduled on Friday, August 19 with the local time of 2:00 AM IST (UTC+5:30) from the Azure portal. The API receives the input as 8:30 PM, Thursday, August 18.
+- Example - A daily export is scheduled on Friday, August 19 with the local time of 2:00 AM IST (UTC+5:30) from the Azure portal. The API receives the input as 8:30 PM, Thursday, August 18.
 
 Various datasets support different schedule frequency options as described in the following table.
 
@@ -330,27 +330,48 @@ Here are some frequently asked questions and answers about exports.
 ### Why is file partitioning enabled in exports?
 The file partitioning is a feature that is activated by default to facilitate the management of large files. This functionality divides larger files into smaller segments, which enhances the ease of file transfer, download, ingestion, and overall readability. It's advantageous for customers whose cost files increase in size over time. The specifics of the file partitions are described in a manifest.json file provided with each export run, enabling you to rejoin the original file.
 
-#### How does the enhanced export experience handle missing attributes like subscription IDs?
+### How does the enhanced export experience handle missing attributes like subscription IDs?
 
 In the new export experience, missing attributes such as subscription IDs are set to null or empty rather than using a default empty GUID (00000000-0000-0000-0000-000000000000). The null or empty values more accurately indicate the absence of a value. It affects charges pertaining to unused reservations, unused savings plan, and rounding adjustments.
 
-#### How much historical data can I retrieve using Exports?
+### How much historical data can I retrieve using exports?
 
-You can retrieve up to 13 months of historical data through the Azure portal for all datasets, except for reservation recommendations, which are limited to the current recommendation snapshot. To access data older than 13 months, you can use the REST API.
+You can retrieve historical data using exports through either the **Azure portal** or the **REST API**, depending on your dataset and time range requirements.
 
-- Cost and usage (Actual), Cost and usage (Amortized), and Cost and usage (FOCUS): Up to seven years of data.
+#### Retrieve historical data via Azure portal
 
-- Reservation transactions: Up to seven years of data across all channels.
+The Azure portal supports retrieval of up to **13 months** of historical data for most datasets.
 
-- Reservation recommendations, Reservation details: Up to 13 months of data.
+To retrieve historical data:
 
-- All available prices:
-
-  - MCA/MPA: Up to 13 months.
+1. Create a one-time or custom export (e.g., Actual cost, Amortized cost, or Price sheet).
+2. After saving the export, go to **Cost Management > Exports**, and select your export.
+3. Click **Export selected dates** to rerun the export for specific historical months — note that data can be retrieved **one month at a time**, up to the 13-month limit.
 
-  - EA: Up to 25 months (starting from December 2022).
+> [!NOTE]
+> Reservation recommendations are based on the current snapshot only and do not support historical backfill.
+
+#### Retrieve data via REST API
+
+- To access data older than 13 months, use the [Exports - Execute REST API](/rest/api/cost-management/exports/execute?view=rest-cost-management-2025-03-01&preserve-view=true).
+- This method allows programmatic backfill of data for specific date ranges, depending on dataset availability.
+
+#### Data retention limits by dataset
+
+| Dataset                                      | Azure portal limit     | REST API limit        |
+|---------------------------------------------|-------------------------|------------------------|
+| Cost and usage (Actual, Amortized, FOCUS)   | Up to 13 months         | Up to 7 years          |
+| Reservation transactions                     | Up to 13 months         | Up to 7 years          |
+| Reservation details                          | Up to 13 months         | Up to 13 months        |
+| Reservation recommendations                  | Current snapshot only   | Current snapshot only  |
+| Price sheet                                  | Up to 13 months 	 | MCA/MPA: 13 months<br>EA: 25 months |
+
+> [!TIP]
+> For retrieving more than 13 months of historical data, or automating backfills at scale, the REST API is recommended.
+
+
 
-#### Which datasets support Parquet format and compression?
+### Which datasets support Parquet format and compression?
 
 The following table captures the supported formats and compression formats for each of the exported datasets. If you're creating an export with multiple datasets, Parquet & compression options only appear in the dropdown if all of the selected datasets support them. 
 
@@ -370,7 +391,7 @@ The following table captures the supported formats and compression formats for e
 |Price Sheet|CSV|None, Gzip|
 ||Parquet|None, Snappy|
 
-#### Why do I get the 'Unauthorized' error while trying to create an Export? 
+### Why do I get the 'Unauthorized' error while trying to create an Export?
 
 When attempting to create an Export to a storage account with a firewall, the user must have the Owner role or a custom role with `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/permissions/read` permissions. If these permissions are missing, you encounter an error similar to:
 
@@ -386,7 +407,7 @@ When attempting to create an Export to a storage account with a firewall, the us
 
 You can check for the permissions on the storage account by referring to the steps in [Check access for a user to a single Azure resource](../../role-based-access-control/check-access.md). 
 
-#### What is the maximum number of subscriptions allowed within a management group (MG) when creating an export? 
+### What is the maximum number of subscriptions allowed within a management group (MG) when creating an export?
 
 The maximum limit is **3,000 subscriptions** per management group in Cost Management, including exports. 
 
@@ -396,7 +417,7 @@ To manage more than 3,000 subscriptions:
 
 - Alternatively, if all subscriptions are under the same billing account, create an export at the **billing account scope** to get combined data.
 
-#### How are the exported files organized in the blob storage folders?
+### How are the exported files organized in the blob storage folders?
 
 The exported files are organized in a structured hierarchy within the storage folders. The naming and hierarchy of the folders are as follows:
 

articles/cost-management-billing/costs/tutorial-improved-exports.md

@@ -2,13 +2,14 @@
 title: Transfer billing ownership of an MOSP Azure subscription
 description: Describes how to transfer billing ownership of an MOSP Azure subscription to another account.
 keywords: transfer azure subscription, azure transfer subscription, move azure subscription to another account,azure change subscription owner, transfer azure subscription to another account, azure transfer billing
-author: preetione
-ms.reviewer: presharm
+author: kendayMS
+ms.reviewer: macyso
+
 ms.service: cost-management-billing
 ms.subservice: billing
 ms.topic: how-to
 ms.date: 01/22/2025
-ms.author: presharm
+ms.author: macyso
 ---
 
 # Transfer billing ownership of an MOSP Azure subscription to another account

articles/cost-management-billing/manage/billing-subscription-transfer.md

@@ -1,13 +1,14 @@
 ---
 title: Prepare for Azure classic administrator roles retirement
 description: Learn about the retirement of Azure classic administrator roles and how to transition them to Azure role-based access control (RBAC) roles.
-author: preetione
-ms.reviewer: presharm
+author: kendayMS
+ms.reviewer: macyso
+
 ms.service: cost-management-billing
 ms.subservice: billing
 ms.topic: conceptual
 ms.date: 01/22/2025
-ms.author: presharm
+ms.author: macyso
 ---
 
 # Prepare for Azure classic administrator roles retirement