Merge pull request #296418 from MicrosoftDocs/main

Publish to live, Monday 4 AM PST, 3/17

Author: ttorble

articles/automation/automation-use-azure-ad.md

@@ -41,7 +41,7 @@ Before installing the Microsoft Entra modules on your computer:
 
 1. Install Windows Management Framework (WMF) 5.1. See [Install and Configure WMF 5.1](/powershell/scripting/wmf/setup/install-configure).
 
-2. Install AzureRM and/or Az using instructions in [Install Azure PowerShell on Windows with PowerShellGet](/powershell/azure/azurerm/install-azurerm-ps).
+2. Install AzureRM and/or Az using instructions in [Install Azure PowerShell on Windows with PowerShellGet](/powershell/azure/install-azure-powershell).
 
 ### Install the MSOnline module
 

articles/azure-government/documentation-government-csp-list.md

@@ -321,7 +321,7 @@ The following tables contain lists of all the authorized Cloud Solution Provider
 |[Palecek Consulting Group](https://www.pcgit.net)|
 |[Pangea Group Inc.](http://www.pangea-group.com)|
 |[Paragon Software Solutions, Inc.](http://www.paragonhq.com/)|
-|[Patrocinium Systems, Inc.](https://www.patrocinium.com)|
+|[Patrocinium Systems, Inc.](https://www.linkedin.com/company/patrocinium-systems)|
 |[PCM](https://www.pcm.com/)|
 |[Peerless Tech Solutions](https://www.getpeerless.com)|
 |[People Services Inc. DBA CATCH Intelligence](https://catchintelligence.com)|

articles/azure-signalr/TOC.yml

@@ -141,7 +141,9 @@
       href: signalr-howto-authorize-application.md
     - name: Authorize from managed identity
       href: signalr-howto-authorize-managed-identity.md
-    - name: Disable local authentication.
+    - name: Configure cross tenant authorization
+      href: signalr-howto-authorize-cross-tenant.md
+    - name: Disable local authentication
       href: howto-disable-local-auth.md
     - name: Custom domain
       href: howto-custom-domain.md

articles/azure-signalr/signalr-concept-authorize-azure-active-directory.md

@@ -1,14 +1,14 @@
 ---
 title: Authorize access with Microsoft Entra ID for Azure SignalR Service
-description: This article provides information on authorizing access to Azure SignalR Service resources by using Microsoft Entra ID.
-author: vicancy
-ms.author: lianwei
-ms.date: 09/06/2021
+description: This article explains how to authorize requests to Azure SignalR Service resources using Microsoft Entra ID. 
+author: terencefan
+ms.author: tefa
+ms.date: 03/12/2025
 ms.service: azure-signalr-service
 ms.topic: conceptual
 ---
 
-# Authorize access with Microsoft Entra ID for Azure SignalR Service
+# Microsoft Entra ID for Azure SignalR Service
 
 Azure SignalR Service supports Microsoft Entra ID for authorizing requests to its resources. With Microsoft Entra ID, you can use role-based access control (RBAC) to grant permissions to a *security principal*. A security principal is a user/resource group, an application, or a service principal such as system-assigned identities and user-assigned identities.
 
@@ -86,12 +86,20 @@ You can scope access to Azure SignalR Service resources at the following levels,
 
 ## Next steps
 
-- To learn how to create an Azure application and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra applications](./signalr-howto-authorize-application.md).
+- To learn how to configure Microsoft Entra authorization, see:
 
-- To learn how to configure a managed identity and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra managed identities](./signalr-howto-authorize-managed-identity.md).
+  - [Authorize requests to Azure SignalR Service resources with Microsoft Entra applications](./signalr-howto-authorize-application.md).
+  - [Authorize requests to Azure SignalR Service resources with Managed identities for Azure resources](./signalr-howto-authorize-managed-identity.md).
 
-- To learn more about roles and role assignments, see [What is Azure role-based access control (Azure RBAC)?](../role-based-access-control/overview.md).
+- To learn more about roles-based access control and role, see:
 
-- To learn how to create custom roles, see [Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role).
+  - [What is Azure role-based access control (Azure RBAC)?](../role-based-access-control/overview.md).
+  - [Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role).
 
-- To learn how to use only Microsoft Entra authentication, see [Disable local authentication](./howto-disable-local-auth.md).
+- To learn how to configure cross tenant authorization with Microsoft Entra, see:
+
+  - [How to configure cross tenant authorization with Microsoft Entra](signalr-howto-authorize-cross-tenant.md)
+
+- To learn how to disable connection string and use only Microsoft Entra authentication, see:
+
+  - [How to disable local authentication](./howto-disable-local-auth.md).

articles/azure-signalr/signalr-howto-authorize-application.md

@@ -3,7 +3,7 @@ title: Authorize requests to Azure SignalR Service resources with Microsoft Entr
 description: This article provides information about authorizing requests to Azure SignalR Service resources with Microsoft Entra applications.
 author: terencefan
 ms.author: tefa
-ms.date: 03/14/2023
+ms.date: 03/12/2023
 ms.service: azure-signalr-service
 ms.topic: how-to
 ms.devlang: csharp
@@ -194,6 +194,7 @@ In the Azure portal, add settings as follows:
 
 See the following related articles:
 
-- [Authorize access with Microsoft Entra ID for Azure SignalR Service](signalr-concept-authorize-azure-active-directory.md)
-- [Authorize requests to Azure SignalR Service resources with Microsoft Entra managed identities](signalr-howto-authorize-managed-identity.md)
-- [Disable local authentication](./howto-disable-local-auth.md)
+- [Microsoft Entra ID for Azure SignalR Service](signalr-concept-authorize-azure-active-directory.md)
+- [Authorize requests to Azure SignalR Service resources with Managed identities for Azure resources](./signalr-howto-authorize-managed-identity.md)
+- [How to configure cross tenant authorization with Microsoft Entra](signalr-howto-authorize-cross-tenant.md)
+- [How to disable local authentication](./howto-disable-local-auth.md)

articles/azure-signalr/signalr-howto-authorize-cross-tenant.md

@@ -0,0 +1,190 @@
+---
+title: Cross tenant authorization with Microsoft Entra
+description: This article provides information about building multitenant applications and configures authorization in SignalR.
+author: terencefan
+ms.author: tefa
+ms.date: 03/12/2023
+ms.service: azure-signalr-service
+ms.topic: how-to
+ms.devlang: csharp
+ms.custom: subject-rbac-steps
+---
+
+# Cross tenant authorization with Microsoft Entra
+
+For security reasons, your server may host in an independent tenant from your Azure SignalR resource.
+
+Since managed identity can't be used across tenants, you need to register an application in `tenantA` and then provision it as an enterprise application in `tenantB`.
+
+This doc helps you create an application in `tenantA` and use it to connect to a SignalR resource in `tenantB`.
+
+## Register a multitenant application in tenant A
+
+The first step is to create a multitenant application, see:
+
+[Quickstart: Register an application in Microsoft Entra ID](/entra/identity-platform/quickstart-register-app)
+
+In the case that you already have a single tenant application.
+
+[Convert single-tenant app to multitenant on Microsoft Entra ID](/entra/identity-platform/howto-convert-app-to-be-multi-tenant)
+
+There are four account types:
+
+- Accounts in this organizational directory
+- Accounts in any organizational directory	
+- Accounts in any organizational directory and personal Microsoft accounts
+- Personal Microsoft accounts
+
+Be sure to select either type 2 or type 3 when creating the application.
+
+![Screenshot of overview information for a registered application.](./media/signalr-howto-authorize-application/application-overview.png)
+
+Note down the **Application (client) ID** and **Directory (tenant) ID**, they can be useful in the following steps.
+
+## Provision the application in tenant B
+
+The role can't be assigned to the application registered in other tenants. We have to provision it as an external enterprise application in the tenant B.
+
+Click to learn [differences between App registration and Enterprise applications](/answers/questions/270680/app-registration-vs-enterprise-applications).
+
+For short, the enterprise application is a service principal, while the app registration isn't. The enterprise application inherits certain properties from the application object, such as **Application (client) ID**. 
+
+A default service principal is created in the tenant where the app is registered. For other tenants, you need to provision the app to get an enterprise application service principal, see:
+
+[Create an enterprise application from a multitenant application in Microsoft Entra ID](/entra/identity/enterprise-apps/create-service-principal-cross-tenant)
+
+Enterprise applications in different tenant have different **Directory (tenant) ID**, but share the same **Application (client) ID**.
+
+## Assign roles to the enterprise application
+
+Once you have the enterprise application provisioned in your tenant B. You will be able to assign roles to it.
+
+[!INCLUDE [add role assignments](includes/signalr-add-role-assignments.md)]
+
+## Configure SignalR SDK to use the enterprise application
+
+There are 3 different types of credentials for an application to authenticate itself:
+
+- Certificates
+- Client secrets
+- Federated identity
+
+We strongly recommend you to use the first 2 ways to make cross tenant requests.
+
+### Use Certificates or Client secrets
+
+- `tenantId` should be the ID of your **Tenant B**.
+- `clientId` in both tenants are equal.
+- `clientSecret` and `clientCert` should be configured in **Tenant A**, see [Add credentials](/entra/identity-platform/quickstart-register-app?tabs=certificate%2Cexpose-a-web-api#add-credentials).
+
+If you aren't sure about your tenant ID, see [Find your Microsoft Entra tenant](/azure/azure-portal/get-subscription-tenant-id#find-your-microsoft-entra-tenant)
+
+```csharp
+services.AddSignalR().AddAzureSignalR(option =>
+{
+    var credential1 = new ClientSecretCredential("tenantId", "clientId", "clientSecret");
+    var credential2 = new ClientCertificateCredential("tenantId", "clientId", "path-to-cert");
+
+    option.Endpoints = new ServiceEndpoint[]
+    {
+        new ServiceEndpoint(new Uri("https://<resource1>.service.signalr.net"), credential1),
+        new ServiceEndpoint(new Uri("https://<resource2>.service.signalr.net"), credential2),
+    };
+});
+```
+
+### Use Federated identity
+
+However, for security reasons, certificates and client secrets might be disabled in your subscription. In this case, you need to either use an external identity provider or try the preview support for managed identity.
+
+- [Configure an app to trust an external identity provider](/entra/workload-id/workload-identity-federation-create-trust)
+- [Configure an application to trust a managed identity (preview)](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity)
+
+You can check this repo: [Entra Cross-Tenant Application Federated Identity Credential (FIC)](https://github.com/arsenvlad/entra-cross-tenant-app-fic-managed-identity) for detailed info and video guide.
+
+When using managed identity as an identity provider, the code should look like this:
+
+- `tenantId` should be the ID of your **Tenant B**.
+- `clientId` in both tenants are equal.
+
+```csharp
+services.AddSignalR().AddAzureSignalR(option =>
+{
+    var msiCredential = new ManagedIdentityCredential("msiClientId");
+
+    var credential = new ClientAssertionCredential("tenantId", "appClientId", async (ctoken) =>
+    {
+        // Entra ID US Government: api://AzureADTokenExchangeUSGov
+        // Entra ID China operated by 21Vianet: api://AzureADTokenExchangeChina
+        var request = new TokenRequestContext([$"api://AzureADTokenExchange/.default"]);
+        var response = await msiCredential.GetTokenAsync(request, ctoken).ConfigureAwait(false);
+        return response.Token;
+    });
+
+    option.Endpoints = [
+        new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
+    ];
+});
+```
+
+When using external identity providers, the code should look like this:
+
+```csharp
+services.AddSignalR().AddAzureSignalR(option =>
+{
+    var credential = new ClientAssertionCredential("tenantId", "appClientId", async (ctoken) =>
+    {
+        // Find your own way to get a token from the external identity provider.
+        // The audience of the token should be "api://AzureADTokenExchange", as it is the recommended value.
+        return "TheTokenYouGetFromYourExternalIdentityProvider";
+    });
+
+    option.Endpoints = [
+        new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
+    ];
+});
+```
+
+Debugging token acquisition with the SignalR SDK can be challenging since it depends on the token results. 
+We recommend testing the token acquisition process locally before integrating with the SignalR SDK.
+
+```csharp
+var assertion = new ClientAssertionCredential("tenantId", "appClientId", async (ctoken) =>
+{
+    // Find your own way to get a token from the external identity provider.
+    // The audience of the token should be "api://AzureADTokenExchange", as it is the recommended value.
+    return TheTokenYouGetFromYourExternalIdentityProvider;
+});
+
+var request = new TokenRequestContext(["https://signalr.azure.com/.default");
+var token = await assertion.GetTokenAsync(assertion);
+Console.log(token.Token);
+```
+
+The key point is to use an inner credential to get a `clientAssertion` from `api://AzureADTokenExchange` or other trusted identity platforms. Then use it to exchange for a token with `https://signalr.azure.com/.default` audience to access your resource.
+
+Your goal is to get a token with following claims. Use [jwt.io](https://jwt.io/) to help you decode the token:
+
+- **oid**
+
+  The value should be equal to your enterprise application object ID. 
+
+  If you don't know where to get it, see [How Retrieve Enterprise Object ID](/answers/questions/1007608/how-retrieve-enterprise-object-id-from-azure-activ)
+
+- **tid**
+
+  The value should be equal to the Directory ID of your tenant B. 
+
+  If you aren't sure about your tenant ID, see [Find your Microsoft Entra tenant](/azure/azure-portal/get-subscription-tenant-id#find-your-microsoft-entra-tenant)
+
+- **audience**
+
+  Has to be `https://signalr.azure.com/.default` to access SignalR resources.
+
+## Next steps
+
+See the following related articles:
+
+- [Microsoft Entra ID for Azure SignalR Service](signalr-concept-authorize-azure-active-directory.md)
+- [Authorize requests to Azure SignalR Service resources with Microsoft Entra applications](signalr-howto-authorize-application.md)
+- [Authorize requests to Azure SignalR Service resources with Managed identities for Azure resources](./signalr-howto-authorize-managed-identity.md)

articles/azure-signalr/signalr-howto-authorize-managed-identity.md

@@ -3,7 +3,7 @@ title: Authorize requests to Azure SignalR Service resources with Microsoft Entr
 description: This article provides information about authorizing requests to Azure SignalR resources with Managed identities for Azure resources.
 author: terencefan
 ms.author: tefa
-ms.date: 03/11/2025
+ms.date: 03/12/2023
 ms.service: azure-signalr-service
 ms.topic: how-to
 ms.devlang: csharp
@@ -131,6 +131,7 @@ If you want to use a user-assigned identity, you need to assign `clientId` in ad
 
 See the following related articles:
 
-- [Authorize access with Microsoft Entra ID for Azure SignalR Service](signalr-concept-authorize-azure-active-directory.md)
+- [Microsoft Entra ID for Azure SignalR Service](signalr-concept-authorize-azure-active-directory.md)
 - [Authorize requests to Azure SignalR Service resources with Microsoft Entra applications](signalr-howto-authorize-application.md)
-- [Disable local authentication](./howto-disable-local-auth.md)
+- [How to configure cross tenant authorization with Microsoft Entra](signalr-howto-authorize-cross-tenant.md)
+- [How to disable local authentication](./howto-disable-local-auth.md)

articles/azure-vmware/azure-vmware-solution-nsx-scale-and-performance-recommendations-for-vmware-hcx.md

@@ -214,4 +214,4 @@ Once the new HCX Uplink Network Profile is created, update the existing Service
 
 ## More information 
 
-[VMware NSX Reference Design Guide](https://www.vmware.com/docs/nsx-t-reference-design-guide-3-2-v1.1-1)
+[VMware NSX Reference Design Guide](https://blogs.vmware.com/affiliates/nsx-t-reference-design-guide-updated-version-for-nsx-t-3-0)

articles/backup/backup-azure-immutable-vault-concept.md

@@ -11,7 +11,7 @@ ms.author: jsuri
 
 # Immutable vault for Azure Backup
 
-Immutable vault can help you protect your backup data by blocking any operations that could lead to loss of recovery points. Further, you can lock the Immutable vault setting to make it irreversible and use WORM storage for backups to prevent any malicious actors from disabling immutability and deleting backups.
+Immutable vault can help you protect your backup data by blocking any operations that could lead to loss of recovery points. Further, you can lock the Immutable vault setting to make it irreversible and use WORM (Write Once, Read Many) storage for backups to prevent any malicious actors from disabling immutability and deleting backups.
 
 ## Supported scenarios for WORM storage
 

articles/backup/backup-azure-immutable-vault-how-to-manage.md

@@ -3,7 +3,7 @@ title: How to manage Azure Backup Immutable vault operations
 description: This article explains how to manage Azure Backup Immutable vault operations.
 ms.topic: how-to
 ms.service: azure-backup
-ms.date: 11/11/2024
+ms.date: 03/13/2025
 author: jyothisuri
 ms.author: jsuri
 ms.custom: engagement-fy24, ignite-2024
@@ -15,7 +15,7 @@ This article describes how to manage Azure Backup Immutable vault operations for
 
 [Immutable vault](backup-azure-immutable-vault-concept.md) can help you protect your backup data by blocking any operations that could lead to loss of recovery points. Further, you can lock the Immutable vault setting to enable WORM storage immutability and make it irreversible to prevent any malicious actors from disabling immutability and deleting backups.
 
->[!Note]
+>[!NOTE]
 > Immutable WORM storage is currently in GA for Recovery Services Vaults in the following regions: West Central US, West Europe, East US, North Europe, Australia East 
 
 ## Enable Immutable vault
@@ -98,6 +98,9 @@ However, increasing the retention of backup items that are in suspended state is
 
 Let's try to stop backup on a VM and choose **Retain as per policy** for backup data retention.
 
+>[!NOTE]
+> When you stop backups and retain as per policy, the last RP is retained forever to ensure recovery against any unforeseen ransomware scenarios. You must manually delete this RP after the backup policy expires to stop incurring PI charges.
+
 :::image type="content" source="./media/backup-azure-immutable-vault/attempt-to-increase-retention-of-backup-items-in-suspended-state.png" alt-text="Screenshot shows an attempt to increase retention of backup items in suspended state.":::
 
 Now, let's go to **Modify Policy** and try to increase the retention of daily backup points to *45 days*, increasing the value by *5 days*, and save the policy.