MicrosoftDocs
diff --git a/‎articles/governance/policy/samples/built-in-initiatives.md
Lines changed: 1 addition & 1 deletion b/‎articles/governance/policy/samples/built-in-initiatives.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/governance/policy/samples/built-in-policies.md
Lines changed: 1 addition & 1 deletion b/‎articles/governance/policy/samples/built-in-policies.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/logic-apps/connectors/sap.md
Lines changed: 6 additions & 4 deletions b/‎articles/logic-apps/connectors/sap.md
Lines changed: 6 additions & 4 deletions
diff --git a/‎articles/logic-apps/edit-app-settings-host-settings.md
Lines changed: 26 additions & 2 deletions b/‎articles/logic-apps/edit-app-settings-host-settings.md
Lines changed: 26 additions & 2 deletions
diff --git a/‎articles/role-based-access-control/built-in-roles.md
Lines changed: 9 additions & 11 deletions b/‎articles/role-based-access-control/built-in-roles.md
Lines changed: 9 additions & 11 deletions
@@ -1,7 +1,7 @@
 ---
 title: List of built-in policy initiatives
 description: List built-in policy initiatives for Azure Policy. Categories include Regulatory Compliance, Azure Machine Configuration, and more.
-ms.date: 04/07/2025
+ms.date: 04/27/2025
 ms.topic: generated-reference
 ms.custom: generated
 ---
 
@@ -1,7 +1,7 @@
 ---
 title: List of built-in policy definitions
 description: List built-in policy definitions for Azure Policy. Categories include Tags, Regulatory Compliance, Key Vault, Kubernetes, Azure Machine Configuration, and more.
-ms.date: 04/07/2025
+ms.date: 04/27/2025
 ms.topic: generated-reference
 ms.custom: generated
 ---
 
@@ -7,7 +7,7 @@ author: daviburg
 ms.author: daviburg
 ms.reviewer: estfan, azla
 ms.topic: how-to
-ms.date: 04/14/2025
+ms.date: 04/25/2025
 
 #customer intent: As a developer, I want to know the prerequisites and details about using SAP with Azure Logic Apps, so I can connect to an SAP server from my Consumption or Standard workflow.
 ---
@@ -82,9 +82,11 @@ The SAP built-in connector significantly differs from the SAP managed connector
 
     This capability addresses a problem with the SAP managed connector where the outcome from the autocommit behavior is silent and observable only through logs.
 
-* A longer time out at 5 minutes compared to the managed connector.
+* A longer time-out compared to the SAP managed connector.
 
-  The SAP built-in connector doesn't use the shared or global connector infrastructure, which means time-outs are longer at 5 minutes compared to the SAP managed connector (two minutes). Long-running requests work without you having to implement the long-running webhook-based request action pattern.
+  The SAP built-in connector natively runs on the Azure Logic Apps runtime, unlike the SAP managed connector that runs on the shared, global, multitenant Azure infrastructure. This design difference means that you can change the default time-out value on the Standard logic app resource by using the **host.json** settings named [**Runtime.FlowRunRetryableActionJobCallback.ActionJobExecutionTimeout**](/azure/logic-apps/edit-app-settings-host-settings?tabs=azure-portal#run-actions) and [**functionTimeout**](/azure/logic-apps/edit-app-settings-host-settings?tabs=azure-portal#run-actions).
+
+  The capability to adjust the time-out value means that you can use the SAP built-in connector as-is for long-running synchronous requests. Otherwise, these requests have to use the action pattern for long-running webhook-based requests in the SAP managed connector, which has a much shorter two-minute time-out for synchronous requests.
 
 * By default, the SAP built-in connector operations are *stateless*. However, you can [enable stateful mode (affinity) for these operations](../../connectors/enable-stateful-affinity-built-in-connectors.md).
 
@@ -1185,7 +1187,7 @@ After your SAP operations run in your logic app workflow, you can review the tel
 
    :::image type="content" source="./media/sap/application-insights-query-panel.png" alt-text="Screenshot shows Azure portal with Application Insights open to the Logs page for creating queries." lightbox="./media/sap/application-insights-query-panel.png":::
 
-1. On the **Logs** page, you can create a [query](/kusto/query/) by using the [Kusto Query Language (KQL)](/kusto/concepts/) based on your specific requirements.
+1. On the **Logs** page, you can create a [query that uses Kusto Query Language (KQL)](/kusto/query/?view=azure-monitor&preserve-view=true), based on your specific requirements.
 
    You can use a query pattern similar to the following example query:
 
 
@@ -5,8 +5,9 @@ services: logic-apps
 ms.suite: integration
 ms.reviewer: estfan, azla
 ms.topic: how-to
-ms.date: 03/14/2025
+ms.date: 04/25/2025
 ms.custom: fasttrack-edit
+# Customer intent: As a logic app workflow developer, I want to learn about application settings and host settings that I can edit to customize the way that my Standard workflows run.
 ---
 
 # Edit host and app settings for Standard logic apps in single-tenant Azure Logic Apps
@@ -229,7 +230,30 @@ The following settings work only for workflows that start with a recurrence-base
 
 | Setting | Default value | Description |
 |---------|---------------|-------------|
-| `Runtime.FlowRunRetryableActionJobCallback.ActionJobExecutionTimeout` | `00:10:00` <br>(10 minutes) | Sets the amount of time for a workflow action job to run before timing out and retrying. |
+| `Runtime.FlowRunRetryableActionJobCallback.ActionJobExecutionTimeout` | `00:10:00` <br>(10 minutes) | Sets the duration for a workflow action job to run before timing out and retrying. To change the default time-out for a built-in operation such as SAP, also set the **`functionTimeout`** host setting. For more information, see the next entry. |
+| `functionTimeout` | `00:30:00` <br>(30 minutes) | Sets the duration to run before timing out for calls from Azure Functions and some built-in operations, such as SAP, that work as function calls. Standard logic apps use the same underlying design as function apps. So, the **`functionTimeout`** host setting in Azure Functions also affects built-in operations that run as function calls. For more information, see [**functionTimeout**](/azure/azure-functions/functions-host-json#functiontimeout). <br><br>**Note**: In the **host.json** file, the **`functionTimeout`** setting exists at the same level as the **`extensions`** object where the host settings exist for a Standard logic app. For more information, see the example in this section: [Change time-out value for function-based built-in operations](#change-time-out-value-for-function-based-built-in-operations). |
+
+#### Change time-out value for function-based built-in operations
+
+For built-in operations that run as function calls in Azure Functions, add both the **`Runtime.FlowRunRetryableActionJobCallback.ActionJobExecutionTimeout`** and **`functionTimeout`** host settings to your **host.json** file as shown in the following example:
+
+```json
+{
+   "version": "2.0",
+   "extensionBundle": {
+      "id": "Microsoft.Azure.Functions.ExtensionBundle.Workflows",
+      "version": "[1.*, 2.0.0)"
+   },
+   "extensions": {
+      "workflow": {
+         "settings": {
+            "Runtime.FlowRunRetryableActionJobCallback.ActionJobExecutionTimeout": "01:00:00"
+         }
+      }
+   },
+   "functionTimeout": "01:00:00"
+}
+```
 
 <a name="inputs-outputs"></a>
 
 
@@ -2,12 +2,12 @@
 title: Azure built-in roles - Azure RBAC
 description: This article describes the Azure built-in roles for Azure role-based access control (Azure RBAC). It lists Actions, NotActions, DataActions, and NotDataActions.
 ms.service: role-based-access-control
-ms.topic: reference
+ms.topic: generated-reference
 ms.workload: identity
 author: rolyon
 manager: femila
 ms.author: rolyon
-ms.date: 01/25/2025
+ms.date: 04/25/2025
 ms.custom: generated
 ---
 
@@ -316,9 +316,9 @@ The following table provides a brief description of each built-in role. Click th
 > | <a name='cognitive-services-speech-user'></a>[Cognitive Services Speech User](./built-in-roles/ai-machine-learning.md#cognitive-services-speech-user) | Access to the real-time speech recognition and batch transcription APIs, real-time speech synthesis and long audio APIs, as well as to read the data/test/model/endpoint for custom models, but can't create, delete or modify the data/test/model/endpoint for custom models. | f2dc8367-1007-4938-bd23-fe263f013447 |
 > | <a name='cognitive-services-usages-reader'></a>[Cognitive Services Usages Reader](./built-in-roles/ai-machine-learning.md#cognitive-services-usages-reader) | Minimal permission to view Cognitive Services usages. | bba48692-92b0-4667-a9ad-c31c7b334ac2 |
 > | <a name='cognitive-services-user'></a>[Cognitive Services User](./built-in-roles/ai-machine-learning.md#cognitive-services-user) | Lets you read and list keys of Cognitive Services. | a97b65f3-24c7-4388-baec-2e87135dc908 |
-> | <a name='health-bot-admin'></a>[Health Bot Admin](./built-in-roles/ai-machine-learning.md#health-bot-admin) | Users with admin access can sign in, view and edit all of the bot resources, scenarios and configuration setting including the bot instance keys & secrets. | f1082fec-a70f-419f-9230-885d2550fb38 |
-> | <a name='health-bot-editor'></a>[Health Bot Editor](./built-in-roles/ai-machine-learning.md#health-bot-editor) | Users with editor access can sign in, view and edit all the bot resources, scenarios and configuration setting except for the bot instance keys & secrets and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). A read-only access to the bot skills and channels. | af854a69-80ce-4ff7-8447-f1118a2e0ca8 |
-> | <a name='health-bot-reader'></a>[Health Bot Reader](./built-in-roles/ai-machine-learning.md#health-bot-reader) | Users with reader access can sign in, have read-only access to the bot resources, scenarios and configuration setting except for the bot instance keys & secrets (including Authentication, Data Connection and Channels keys) and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). | eb5a76d5-50e7-4c33-a449-070e7c9c4cf2 |
+> | <a name='healthcare-agent-admin'></a>[Healthcare Agent Admin](./built-in-roles/ai-machine-learning.md#healthcare-agent-admin) | Users with admin access can sign in, view and edit all of the bot resources, scenarios and configuration setting including the bot instance keys & secrets. | f1082fec-a70f-419f-9230-885d2550fb38 |
+> | <a name='healthcare-agent-editor'></a>[Healthcare Agent Editor](./built-in-roles/ai-machine-learning.md#healthcare-agent-editor) | Users with editor access can sign in, view and edit all the bot resources, scenarios and configuration setting except for the bot instance keys & secrets and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). A read-only access to the bot skills and channels. | af854a69-80ce-4ff7-8447-f1118a2e0ca8 |
+> | <a name='healthcare-agent-reader'></a>[Healthcare Agent Reader](./built-in-roles/ai-machine-learning.md#healthcare-agent-reader) | Users with reader access can sign in, have read-only access to the bot resources, scenarios and configuration setting except for the bot instance keys & secrets (including Authentication, Data Connection and Channels keys) and the end-user inputs (including Feedback, Unrecognized utterances and Conversation logs). | eb5a76d5-50e7-4c33-a449-070e7c9c4cf2 |
 > | <a name='search-index-data-contributor'></a>[Search Index Data Contributor](./built-in-roles/ai-machine-learning.md#search-index-data-contributor) | Grants full access to Azure Cognitive Search index data. | 8ebe5a00-799e-43f5-93ac-243d3dce84a7 |
 > | <a name='search-index-data-reader'></a>[Search Index Data Reader](./built-in-roles/ai-machine-learning.md#search-index-data-reader) | Grants read access to Azure Cognitive Search index data. | 1407120a-92aa-4202-b7e9-c0e197c71c8f |
 > | <a name='search-service-contributor'></a>[Search Service Contributor](./built-in-roles/ai-machine-learning.md#search-service-contributor) | Lets you manage Search services, but not access to them. | 7ca78c08-252a-4471-8644-bb5ff32d4ba0 |
@@ -383,8 +383,6 @@ The following table provides a brief description of each built-in role. Click th
 > | <a name='azure-service-bus-data-receiver'></a>[Azure Service Bus Data Receiver](./built-in-roles/integration.md#azure-service-bus-data-receiver) | Allows for receive access to Azure Service Bus resources. | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 |
 > | <a name='azure-service-bus-data-sender'></a>[Azure Service Bus Data Sender](./built-in-roles/integration.md#azure-service-bus-data-sender) | Allows for send access to Azure Service Bus resources. | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 |
 > | <a name='biztalk-contributor'></a>[BizTalk Contributor](./built-in-roles/integration.md#biztalk-contributor) | Lets you manage BizTalk services, but not access to them. | 5e3c6656-6cfa-4708-81fe-0de47ac73342 |
-> | <a name='chamber-admin'></a>[Chamber Admin](./built-in-roles/integration.md#chamber-admin) | Lets you manage everything under your Modeling and Simulation Workbench chamber. | 4e9b8407-af2e-495b-ae54-bb60a55b1b5a |
-> | <a name='chamber-user'></a>[Chamber User](./built-in-roles/integration.md#chamber-user) | Lets you view everything under your Modeling and Simulation Workbench chamber, but not make any changes. | 4447db05-44ed-4da3-ae60-6cbece780e32 |
 > | <a name='deid-batch-data-owner'></a>[DeID Batch Data Owner](./built-in-roles/integration.md#deid-batch-data-owner) | Create and manage DeID batch jobs. This role is in preview and subject to change. | 8a90fa6b-6997-4a07-8a95-30633a7c97b9 |
 > | <a name='deid-batch-data-reader'></a>[DeID Batch Data Reader](./built-in-roles/integration.md#deid-batch-data-reader) | Read DeID batch jobs. This role is in preview and subject to change. | b73a14ee-91f5-41b7-bd81-920e12466be9 |
 > | <a name='deid-data-owner'></a>[DeID Data Owner](./built-in-roles/integration.md#deid-data-owner) | Full access to DeID data. This role is in preview and subject to change | 78e4b983-1a0b-472e-8b7d-8d770f7c5890 |
@@ -434,8 +432,8 @@ The following table provides a brief description of each built-in role. Click th
 > [!div class="mx-tableFixed"]
 > | Built-in role | Description | ID |
 > | --- | --- | --- |
-> | <a name='app-compliance-automation-administrator'></a>[App Compliance Automation Administrator](./built-in-roles/security.md#app-compliance-automation-administrator) | Create, read, download, modify and delete reports objects and related other resource objects. | 0f37683f-2463-46b6-9ce7-9b788b988ba2 |
-> | <a name='app-compliance-automation-reader'></a>[App Compliance Automation Reader](./built-in-roles/security.md#app-compliance-automation-reader) | Read, download the reports objects and related other resource objects. | ffc6bbe0-e443-4c3b-bf54-26581bb2f78e |
+> | <a name='app-compliance-automation-administrator'></a>[App Compliance Automation Administrator](./built-in-roles/security.md#app-compliance-automation-administrator) | Allows managing App Compliance Automation tool for Microsoft 365 | 0f37683f-2463-46b6-9ce7-9b788b988ba2 |
+> | <a name='app-compliance-automation-reader'></a>[App Compliance Automation Reader](./built-in-roles/security.md#app-compliance-automation-reader) | Allows read-only access to App Compliance Automation tool for Microsoft 365 | ffc6bbe0-e443-4c3b-bf54-26581bb2f78e |
 > | <a name='attestation-contributor'></a>[Attestation Contributor](./built-in-roles/security.md#attestation-contributor) | Can read write or delete the attestation provider instance | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e |
 > | <a name='attestation-reader'></a>[Attestation Reader](./built-in-roles/security.md#attestation-reader) | Can read the attestation provider properties | fd1bd22b-8476-40bc-a0bc-69b95687b9f3 |
 > | <a name='key-vault-administrator'></a>[Key Vault Administrator](./built-in-roles/security.md#key-vault-administrator) | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e74483 |
@@ -450,6 +448,7 @@ The following table provides a brief description of each built-in role. Click th
 > | <a name='key-vault-reader'></a>[Key Vault Reader](./built-in-roles/security.md#key-vault-reader) | Read metadata of key vaults and its certificates, keys, and secrets. Cannot read sensitive values such as secret contents or key material. Only works for key vaults that use the 'Azure role-based access control' permission model. | 21090545-7ca7-4776-b22c-e363652d74d2 |
 > | <a name='key-vault-secrets-officer'></a>[Key Vault Secrets Officer](./built-in-roles/security.md#key-vault-secrets-officer) | Perform any action on the secrets of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | b86a8fe4-44ce-4948-aee5-eccb2c155cd7 |
 > | <a name='key-vault-secrets-user'></a>[Key Vault Secrets User](./built-in-roles/security.md#key-vault-secrets-user) | Read secret contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | 4633458b-17de-408a-b874-0445c86b69e6 |
+> | <a name='locks-contributor'></a>[Locks Contributor](./built-in-roles/security.md#locks-contributor) | Can Manage Locks Operations. | 28bf596f-4eb7-45ce-b5bc-6cf482fec137 |
 > | <a name='managed-hsm-contributor'></a>[Managed HSM contributor](./built-in-roles/security.md#managed-hsm-contributor) | Lets you manage managed HSM pools, but not access to them. | 18500a29-7fe2-46b2-a342-b16a415e101d |
 > | <a name='microsoft-sentinel-automation-contributor'></a>[Microsoft Sentinel Automation Contributor](./built-in-roles/security.md#microsoft-sentinel-automation-contributor) | Microsoft Sentinel Automation Contributor | f4c81013-99ee-4d62-a7ee-b3f1f648599a |
 > | <a name='microsoft-sentinel-contributor'></a>[Microsoft Sentinel Contributor](./built-in-roles/security.md#microsoft-sentinel-contributor) | Microsoft Sentinel Contributor | ab8e14d6-4a74-4a29-9ba8-549422addade |
@@ -460,7 +459,6 @@ The following table provides a brief description of each built-in role. Click th
 > | <a name='security-assessment-contributor'></a>[Security Assessment Contributor](./built-in-roles/security.md#security-assessment-contributor) | Lets you push assessments to Microsoft Defender for Cloud | 612c2aa1-cb24-443b-ac28-3ab7272de6f5 |
 > | <a name='security-manager-legacy'></a>[Security Manager (Legacy)](./built-in-roles/security.md#security-manager-legacy) | This is a legacy role. Please use Security Admin instead. | e3d13bf0-dd5a-482e-ba6b-9b8433878d10 |
 > | <a name='security-reader'></a>[Security Reader](./built-in-roles/security.md#security-reader) | View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.<br><br>For Microsoft Defender for IoT, see [Azure user roles for OT and Enterprise IoT monitoring](/azure/defender-for-iot/organizations/roles-azure). | 39bc4728-0917-49c7-9d2c-d95423bc2eb4 |
-> | <a name='locks-contributor'></a>[Locks Contributor](./built-in-roles/security.md#locks-contributor) | Lets you manage locks operations | 28bf596f-4eb7-45ce-b5bc-6cf482fec137 |
 
 ## DevOps
 
@@ -560,7 +558,7 @@ The following table provides a brief description of each built-in role. Click th
 > [!div class="mx-tableFixed"]
 > | Built-in role | Description | ID |
 > | --- | --- | --- |
-> | <a name='azure-resource-bridge-deployment-role'></a>[Azure Resource Bridge Deployment Role](./built-in-roles/hybrid-multicloud.md#azure-resource-bridge-deployment-role) | Azure Resource Bridge Deployment Role | 7b1f81f9-4196-4058-8aae-762e593270df |
+> | <a name='azure-resource-bridge-deployment-role'></a>[Azure Resource Bridge Deployment Role](./built-in-roles/hybrid-multicloud.md#azure-resource-bridge-deployment-role) | Azure Resource Bridge Deployment Role is used only for Azure Stack HCI. | 7b1f81f9-4196-4058-8aae-762e593270df |
 > | <a name='azure-stack-hci-administrator'></a>[Azure Stack HCI Administrator](./built-in-roles/hybrid-multicloud.md#azure-stack-hci-administrator) | Grants full access to the cluster and its resources, including the ability to register Azure Local and assign others as Azure Stack HCI VM Contributor and/or Azure Stack HCI VM Reader | bda0d508-adf1-4af0-9c28-88919fc3ae06 |
 > | <a name='azure-stack-hci-connected-infravms'></a>[Azure Stack HCI Connected InfraVMs](./built-in-roles/hybrid-multicloud.md#azure-stack-hci-connected-infravms) | Role of Arc Integration for Azure Stack HCI Infrastructure Virtual Machines. | c99c945f-8bd1-4fb1-a903-01460aae6068 |
 > | <a name='azure-stack-hci-device-management-role'></a>[Azure Stack HCI Device Management Role](./built-in-roles/hybrid-multicloud.md#azure-stack-hci-device-management-role) | Microsoft.AzureStackHCI Device Management Role | 865ae368-6a45-4bd1-8fbf-0d5151f56fc1 |