Merge pull request #296343 from MicrosoftDocs/main

Publish to live, Friday 4 AM PST, 3/14

Author: ttorble

articles/azure-signalr/media/signalr-howto-config-application-firewall/signalr-add-application-firewall-rule.png

@@ -1,9 +1,9 @@
 ---
 title: Authorize requests to Azure SignalR Service resources with Microsoft Entra applications
 description: This article provides information about authorizing requests to Azure SignalR Service resources by using Microsoft Entra applications.
-author: vicancy
-ms.author: lianwei
-ms.date: 02/03/2023
+author: terencefan
+ms.author: tefa
+ms.date: 03/14/2023
 ms.service: azure-signalr-service
 ms.topic: how-to
 ms.devlang: csharp
@@ -12,52 +12,26 @@ ms.custom: subject-rbac-steps
 
 # Authorize requests to Azure SignalR Service resources with Microsoft Entra applications
 
-Azure SignalR Service supports Microsoft Entra ID for authorizing requests from [Microsoft Entra applications](../active-directory/develop/app-objects-and-service-principals.md).
+Azure SignalR Service supports Microsoft Entra ID for authorizing requests from [Microsoft Entra applications](/entra/identity-platform/app-objects-and-service-principals).
 
 This article shows how to configure your Azure SignalR Service resource and codes to authorize requests to the resource from a Microsoft Entra application.
 
-## Register an application
+## Register an application in Microsoft Entra ID
 
-The first step is to register a Microsoft Entra application:
-
-1. In the [Azure portal](https://portal.azure.com/), search for and select **Microsoft Entra ID**.
-2. Under **Manage**, select **App registrations**.
-3. Select **New registration**. The **Register an application** pane opens.
-
-   ![Screenshot of the pane for registering an application.](./media/signalr-howto-authorize-application/register-an-application.png)
-5. For **Name**, enter a display name for your application.
-6. Select **Register** to confirm the registration.
+The first step is to [Register an application in Microsoft Entra ID](/entra/identity-platform/quickstart-register-app):
 
 After you register your application, you can find the **Application (client) ID** and **Directory (tenant) ID** values on the application's overview page. These GUIDs can be useful in the following steps.
 
 ![Screenshot of overview information for a registered application.](./media/signalr-howto-authorize-application/application-overview.png)
 
-To learn more about registering an application, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md).
-
 ## Add credentials
 
-You can add both certificates and client secrets (a string) as credentials to your confidential client app registration.
-
-### Client secret
-
-The application requires a client secret to prove its identity when it's requesting a token. To create a client secret, follow these steps:
-
-1. Under **Manage**, select **Certificates & secrets**.
-1. On the **Client secrets** tab, select **New client secret**.
-
-   ![Screenshot of selections for creating a client secret.](./media/signalr-howto-authorize-application/new-client-secret.png)
-1. Enter a description for the client secret, and choose an expiration time.
-1. Copy the value of the client secret and then paste it in a secure location.
-   > [!NOTE]
-   > The secret appears only once.
+After registering an app, you can add **certificates, client secrets (a string), or federated identity credentials** as credentials to your confidential client app registration. Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime, and are used by confidential client applications that access a web API.
 
-### Certificate
+- [Add a certificate](/entra/identity-platform/quickstart-register-app?tabs=certificate#add-credentials)
+- [Add a client secret](/entra/identity-platform/quickstart-register-app?tabs=client-secret#add-credentials)
+- [Add a federated credential](/entra/identity-platform/quickstart-register-app?tabs=federated-credential#add-credentials)
 
-You can upload a certificate instead of creating a client secret.
-
-![Screenshot of selections for uploading a certificate.](./media/signalr-howto-authorize-application/upload-certificate.png)
-
-To learn more about adding credentials, see [Add credentials](../active-directory/develop/quickstart-register-app.md#add-credentials).
 
 ## Add role assignments in the Azure portal
 
@@ -93,58 +67,72 @@ To learn more about how to assign and manage Azure roles, see these articles:
 - [Assign Azure roles using the Azure CLI](../role-based-access-control/role-assignments-cli.md)
 - [Assign Azure roles using Azure Resource Manager templates](../role-based-access-control/role-assignments-template.md)
 
-## Configure your app
+## Microsoft.Azure.SignalR app server SDK for C#
 
-### App server
+[Azure SignalR server SDK for C#](https://github.com/Azure/azure-signalr)
 
-The best practice is to configure identity and credentials in your environment variables:
+### Use Microsoft Entra application with certificate
+```csharp
+services.AddSignalR().AddAzureSignalR(option =>
+{
+    var credential = new ClientCertificateCredential("tenantId", "clientId", "path-to-cert");
 
-| Variable                        | Description                                                                                                     |
-| ------------------------------- | --------------------------------------------------------------------------------------------------------------- |
-| `AZURE_TENANT_ID`               | The Microsoft Entra tenant ID.                                                                                  |
-| `AZURE_CLIENT_ID`               | The client (application) ID of an app registration in the tenant.                                                |
-| `AZURE_CLIENT_SECRET`           | A client secret that was generated for the app registration.                                                    |
-| `AZURE_CLIENT_CERTIFICATE_PATH` | A path to a certificate and private key pair in PEM or PFX format, which can authenticate the app registration. |
-| `AZURE_USERNAME`                | The username, also known as User Principal Name (UPN), of a Microsoft Entra user account.                                            |
-| `AZURE_PASSWORD`                | The password of the Microsoft Entra user account. A password isn't supported for accounts with multifactor authentication enabled.       |
+    option.Endpoints = [
+      new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
+    ];
+});
+```
 
-You can use either [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) or [EnvironmentCredential](/dotnet/api/azure.identity.environmentcredential) to configure your Azure SignalR Service endpoints. Here's the code for `DefaultAzureCredential`:
+### Use Microsoft Entra application with client secret
 
-```C#
+```csharp
 services.AddSignalR().AddAzureSignalR(option =>
 {
-    option.Endpoints = new ServiceEndpoint[]
-    {
-        new ServiceEndpoint(new Uri("https://<resource-name>.service.signalr.net"), new DefaultAzureCredential())
-    };
+    var credential = new ClientSecretCredential("tenantId", "clientId", "clientSecret");
+
+    option.Endpoints = [
+      new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
+    ];
 });
 ```
 
-Here's the code for `EnvironmentCredential`:
+### Use Microsoft Entra application with Federated identity
 
-```C#
+> [!NOTE]
+> Configure an application to trust a managed identity is a preview feature. 
+> To learn more about it, see [Configure an application to trust a managed identity (preview)](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity).
+
+```csharp
 services.AddSignalR().AddAzureSignalR(option =>
 {
-    option.Endpoints = new ServiceEndpoint[]
+    var msiCredential = new ManagedIdentityCredential("msiClientId");
+
+    var credential = new ClientAssertionCredential("tenantId", "appClientId", async (ctoken) =>
     {
-        new ServiceEndpoint(new Uri("https://<resource-name>.service.signalr.net"), new EnvironmentCredential())
-    };
+        // Entra ID US Government: api://AzureADTokenExchangeUSGov
+        // Entra ID China operated by 21Vianet: api://AzureADTokenExchangeChina
+        var request = new TokenRequestContext([$"api://AzureADTokenExchange/.default"]);
+        var response = await msiCredential.GetTokenAsync(request, ctoken).ConfigureAwait(false);
+        return response.Token;
+    });
+
+    option.Endpoints = [
+      new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
+    ];
 });
 ```
 
-To learn how `DefaultAzureCredential` works, see [DefaultAzureCredential class](/dotnet/api/overview/azure/identity-readme#defaultazurecredential).
-
-#### Use endpoint-specific credentials
+### Use multiple endpoints
 
-In your organization, you might want to use different credentials for different endpoints.
+Credentials can be different for different endpoints.
 
-In this scenario, you can use [ClientSecretCredential](/dotnet/api/azure.identity.clientsecretcredential) or [ClientCertificateCredential](/dotnet/api/azure.identity.clientcertificatecredential):
+In this sample, the Azure SignalR SDK will connect to `resource1` with client secret and connect to `resource2` with certificate.
 
 ```csharp
 services.AddSignalR().AddAzureSignalR(option =>
 {
     var credential1 = new ClientSecretCredential("tenantId", "clientId", "clientSecret");
-    var credential2 = new ClientCertificateCredential("tenantId", "clientId", "pathToCert");
+    var credential2 = new ClientCertificateCredential("tenantId", "clientId", "path-to-cert");
 
     option.Endpoints = new ServiceEndpoint[]
     {
@@ -154,15 +142,15 @@ services.AddSignalR().AddAzureSignalR(option =>
 });
 ```
 
-### Azure SignalR Service bindings in Azure Functions
+## Azure SignalR Service bindings in Azure Functions
 
 Azure SignalR Service bindings in Azure Functions use [application settings](../azure-functions/functions-how-to-use-azure-function-app-settings.md) in the portal or [local.settings.json](../azure-functions/functions-develop-local.md#local-settings-file) locally to configure Microsoft Entra application identities to access your Azure SignalR Service resources.
 
 First, you need to specify the service URI of Azure SignalR Service. The key of the service URI is `serviceUri`. It starts with a connection name prefix (which defaults to `AzureSignalRConnectionString`) and a separator. The separator is an underscore (`__`) in the Azure portal and a colon (`:`) in the *local.settings.json* file. You can customize the connection name by using the binding property [`ConnectionStringSetting`](../azure-functions/functions-bindings-signalr-service.md). Continue reading to find the sample.
 
 Then, you choose whether to configure your Microsoft Entra application identity in [predefined environment variables](#configure-an-identity-in-predefined-environment-variables) or in [SignalR-specified variables](#configure-an-identity-in-signalr-specified-variables).
 
-#### Configure an identity in predefined environment variables
+### Configure an identity in predefined environment variables
 
 See [Environment variables](/dotnet/api/overview/azure/identity-readme#environment-variables) for the list of predefined environment variables. When you have multiple services, we recommend that you use the same application identity, so that you don't need to configure the identity for each service. Other services might also use these environment variables, based on the settings of those services.
 
@@ -188,7 +176,7 @@ AZURE_TENANT_ID = ...
 AZURE_CLIENT_SECRET = ...
 ```
 
-#### Configure an identity in SignalR-specified variables
+### Configure an identity in SignalR-specified variables
 
 SignalR-specified variables share the same key prefix with the `serviceUri` key. Here's the list of variables that you might use:
 

articles/azure-signalr/signalr-howto-authorize-application.md

@@ -1,5 +1,5 @@
 ---
-title: SignalR Application Firewall (Preview)
+title: SignalR Application Firewall
 description: An introduction about why and how to set up Application Firewall for Azure SignalR service
 author: biqian
 ms.service: azure-signalr-service
@@ -8,7 +8,7 @@ ms.topic: how-to
 ms.date: 07/10/2024
 ms.author: biqian
 ---
-# Application Firewall (Preview) for Azure SignalR Service
+# Application Firewall for Azure SignalR Service
 
 The Application Firewall provides sophisticated control over client connections in a distributed system. Before diving into its functionality and setup, let's clarify what the Application Firewall does not do:
 

articles/azure-signalr/signalr-howto-configure-application-firewall.md

@@ -1,5 +1,5 @@
 ---
-title: Web PubSub Application Firewall (Preview)
+title: Web PubSub Application Firewall
 description: An introduction about why and how to set up Application Firewall for Azure Web PubSub service
 author: biqian
 ms.service: azure-web-pubsub
@@ -8,7 +8,7 @@ ms.topic: how-to
 ms.date: 07/10/2024
 ms.author: biqian
 ---
-# Application Firewall (Preview) for Azure Web PubSub Service
+# Application Firewall for Azure Web PubSub Service
 
 The Application Firewall provides sophisticated control over client connections in a distributed system. Before diving into its functionality and setup, let's clarify what the Application Firewall does not do:
 

articles/azure-web-pubsub/howto-configure-application-firewall.md

@@ -239,7 +239,56 @@ To test drive redirection:
       S on DESKTOP
       ```
 
-### Optional: Disable drive redirection on a local device
+## Improve performance of enumerating files and folders on redirected drives
+
+When a user opens or lists the contents of a redirected drive, the remote session enumerates files and folders of the current directory. If you have a large number of files and folders on the redirected drives, the enumeration process can take a long time and impact the performance of the remote session. The time taken to enumerate depends on the round-trip time (RTT) between the local device and the remote session.
+
+::: zone pivot="azure-virtual-desktop"
+For session hosts running Windows 11 24H2 with the [2025-03 Cumulative Update for Windows 11 (KB5053598)](https://support.microsoft.com/kb/KB5053598) or later, the performance of enumerating files and folders on redirected drives is greatly improved.
+
+Once your session hosts have the correct version of Windows 11 and Cumulative Update, to enable the improved performance you need to:
+
+1. Add the following registry key and value to each session host:
+
+   - **Key**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`
+   - **Type**: `REG_DWORD`
+   - **Value name**: `fAllowQueryDirPrefetch`
+   - **Value data**: `1`
+
+1. Connect to a remote session using the latest version of Windows App for Windows or the Remote Desktop client for Windows. Only Windows is supported; other platforms aren't currently supported.
+::: zone-end
+
+::: zone pivot="windows-365"
+For a Cloud PC running Windows 11 24H2 with the [2025-03 Cumulative Update for Windows 11 (KB5053598)](https://support.microsoft.com/kb/KB5053598) or later, the performance of enumerating files and folders on redirected drives is greatly improved.
+
+Once your Cloud PC has the correct version of Windows 11 and Cumulative Update, to enable the improved performance you need to:
+
+1. Add the following registry key and value to each Cloud PC:
+
+   - **Key**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`
+   - **Type**: `REG_DWORD`
+   - **Value name**: `fAllowQueryDirPrefetch`
+   - **Value data**: `1`
+
+1. Connect to a remote session using the latest version of Windows App for Windows or the Remote Desktop client for Windows. Only Windows is supported; other platforms aren't currently supported.
+::: zone-end
+
+::: zone pivot="dev-box"
+For a dev box running Windows 11 24H2 with the [2025-03 Cumulative Update for Windows 11 (KB5053598)](https://support.microsoft.com/kb/KB5053598) or later, the performance of enumerating files and folders on redirected drives is greatly improved.
+
+Once your session hosts have the correct version of Windows 11 and Cumulative Update, to enable the improved performance you need to:
+
+1. Add the following registry key and value to each dev box:
+
+   - **Key**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp`
+   - **Type**: `REG_DWORD`
+   - **Value name**: `fAllowQueryDirPrefetch`
+   - **Value data**: `1`
+
+1. Connect to a remote session using the latest version of Windows App for Windows or the Remote Desktop client for Windows. Only Windows is supported; other platforms aren't currently supported.
+::: zone-end
+
+## Optional: Disable drive redirection on a local device
 
 You can disable drive redirection on a local device to prevent the drives from being redirected between a remote session. This method is useful if you want to enable drive redirection for most users, but disable it for specific devices.
 

articles/azure-web-pubsub/media/howto-config-application-firewall/add-application-firewall-rule.png

@@ -2,22 +2,23 @@
 author: stevenmatthew
 ms.service: azure-databox
 ms.topic: include
-ms.date: 10/21/2021
+ms.date: 03/13/2025
 ms.author: shaas
 ---
 
 Take the following steps if returning the device in US or Canada.
 
-1. Make sure that the device is powered off and cables are removed.
-2. Spool and securely place the power cord that was provided with device in the back of the device.
-3. Ensure that the shipping label is displayed on the E-ink display and schedule a pickup with your carrier. If the label is damaged or lost or not displayed on the E-ink display, contact Microsoft Support. If the Support suggests, then you can go to **Overview > Download shipping label** in the Azure portal. Download the shipping label and affix on the device. 
-4. Schedule a pickup with UPS if returning the device. To schedule a pickup:
-
-    * Call the local UPS (country/region-specific toll free number).
-    * In your call, quote the reverse shipment tracking number as shown in the E-ink display or your printed label. If you don't quote the tracking number, UPS will require an additional charge during pickup.
-    * If any issues come up while you're scheduling a pickup, or you're asked to pay additional fees, contact Azure Data Box Operations. Send email to [[email protected]](mailto:[email protected]).
-
-    Instead of scheduling the pickup, you can also drop off the Data Box at the nearest drop-off location.
-4. Once the Data Box is picked up and scanned by your carrier, the order status in the portal updates to **Picked up**. A tracking ID is also displayed.
+**If you receive the device packaged in a box, retain the box, and DO NOT discard it**.
+1.	Make sure the data copy to device is complete, and the **Prepare to ship** step is completed successfully.
+1.	Note down the tracking number (shown as reference number on the Prepare to Ship page of the Data Box local web UI). The tracking number is available after the Prepare to Ship step completes successfully. **Download the shipping label from this page and paste on the packing box**. If you received a device without a box, ensure that the shipping label is displayed on the E-ink display. If the label is damaged or lost or not displayed on the E-ink display, contact Microsoft Support.
+1.	Make sure that the device is powered off and cables are removed.
+1.	Spool and securely place the power cord that was provided with device in the back of the device.
+1.	**Package the device using the original box that was used for shipping. Ensure that the return label is included.**
+1.	Schedule a pickup with UPS if returning the device. To schedule a pickup:
+    - Call the local UPS (country/region-specific toll-free number).
+    - In your call, quote the reverse shipment tracking number as shown in the E-ink display or your printed label. If you don't quote the tracking number, UPS will require an additional charge during pickup.
+    - If any issues are encountered while scheduling a pickup, or you're asked to pay additional fees, contact Azure Data Box Operations. Send email to [email protected].
+Instead of scheduling the pickup, you can also drop off the Data Box at the nearest drop-off location.
+1.	Once the Data Box is picked up and scanned by your carrier, the order status in the portal updates to **Picked up**. A tracking ID is also displayed.