Merge branch 'main' into tefa/signalr-cross-tenant-aad

Author: terencefan

articles/azure-functions/functions-create-your-first-function-visual-studio.md

@@ -77,9 +77,9 @@ Your function definition should now look like the following code:
 
 ```csharp
 [Function("HttpExample")]
-public IActionResult Run([HttpTrigger(AuthorizationLevel.AuthLevelValue, "get", "post")] HttpRequest req)
+public IActionResult Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", "post")] HttpRequest req)
 {
-    return new OkObjectResult("Welcome to Azure Functions!");
+    return new OkObjectResult("Hello, functions");
 }
 ```
 

articles/azure-functions/functions-infrastructure-as-code.md

@@ -20,7 +20,7 @@ This article shows you how to automate the creation of resources and deployment
 
 The template code required depends on the desired hosting options for your function app. This article supports the following hosting options:
 
-| Hosting option | Deployment type | To learn more, see... |
+| Hosting option | Deployment type | Sample template |
 | ----- | ----- | ----- |
 | [Azure Functions Consumption plan](functions-infrastructure-as-code.md?pivots=consumption-plan) | Code-only | [Consumption plan](./consumption-plan.md) |
 | [Azure Functions Flex Consumption plan](functions-infrastructure-as-code.md?pivots=consumption-plan) | Code-only | [Flex Consumption plan](./flex-consumption-plan.md) |

articles/azure-functions/supported-languages.md

@@ -37,6 +37,7 @@ For more information on operating system and language support, see [Operating sy
 
 When in-portal editing isn't available, you must instead [develop your functions locally](functions-develop-local.md#local-development-environments).
 
+To learn more about how to maintain full-support coverage while running your functions in Azure, see our [language-support-policy](language-support-policy.md) article.
 
 ### Language major version support
 

articles/azure-signalr/signalr-howto-authorize-application.md

@@ -1,6 +1,6 @@
 ---
 title: Authorize requests to Azure SignalR Service resources with Microsoft Entra applications
-description: This article provides information about authorizing requests to Azure SignalR Service resources by using Microsoft Entra applications.
+description: This article provides information about authorizing requests to Azure SignalR Service resources with Microsoft Entra applications.
 author: terencefan
 ms.author: tefa
 ms.date: 03/12/2023
@@ -14,7 +14,7 @@ ms.custom: subject-rbac-steps
 
 Azure SignalR Service supports Microsoft Entra ID for authorizing requests with [Microsoft Entra applications](/entra/identity-platform/app-objects-and-service-principals).
 
-This article shows how to configure your Azure SignalR Service resource and codes to authorize requests to the resource from a Microsoft Entra application.
+This article explains how to set up your resource and code to authenticate requests to the resource using a Microsoft Entra application.
 
 ## Register an application in Microsoft Entra ID
 
@@ -32,7 +32,6 @@ After registering an app, you can add **certificates, client secrets (a string),
 - [Add a client secret](/entra/identity-platform/quickstart-register-app?tabs=client-secret#add-credentials)
 - [Add a federated credential](/entra/identity-platform/quickstart-register-app?tabs=federated-credential#add-credentials)
 
-
 ## Add role assignments in the Azure portal
 
 [!INCLUDE [add role assignments](includes/signalr-add-role-assignments.md)]

articles/azure-signalr/signalr-howto-authorize-managed-identity.md

@@ -1,6 +1,6 @@
 ---
 title: Authorize requests to Azure SignalR Service resources with Microsoft Entra managed identities
-description: This article provides information about authorizing requests to Azure SignalR Service resources by using Microsoft Entra managed identities.
+description: This article provides information about authorizing requests to Azure SignalR resources with Managed identities for Azure resources.
 author: terencefan
 ms.author: tefa
 ms.date: 03/12/2023
@@ -10,18 +10,19 @@ ms.devlang: csharp
 ms.custom: subject-rbac-steps
 ---
 
-# Authorize requests to Azure SignalR Service resources with Managed identities for Azure resources
+# Authorize requests to Azure SignalR resources with Managed identities for Azure resources
 
 Azure SignalR Service supports Microsoft Entra ID for authorizing requests from [Managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview).
 
-This article shows how to configure your Azure SignalR Service resource and code to authorize requests to the resource from a managed identity.
+This article explains how to set up your resource and code to authorize requests to the resource using a managed identity.
 
 ## Configure managed identities
 
 The first step is to configure managed identities on your app or virtual machine.
 
 - [Configure managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity)
-- [Configure managed identities for Azure resources on a virtual machine (VM)](/entra/identity/managed-identities-azure-resources/tutorial-windows-vm-access)
+- [Configure managed identities on Azure virtual machines (VMs)](/entra/identity/managed-identities-azure-resources/how-to-configure-managed-identities)
+- [Configure managed identities for Azure resources on a virtual machine scale set](/entra/identity/managed-identities-azure-resources/how-to-configure-managed-identities-scale-sets)
 
 ## Add role assignments in the Azure portal
 

articles/azure-web-pubsub/concept-azure-ad-authorization.md

@@ -24,7 +24,7 @@ _[1] security principal: a user/resource group, an application, or a service pri
 
 Authentication is necessary to access a Web PubSub resource when using Microsoft Entra ID. This authentication involves two steps:
 
-1. First, Azure authenticates the security principal and issues an OAuth 2.0 token.
+1. First, Azure authenticate the security principal and issues an OAuth 2.0 token.
 2. Second, the token is added to the request to the Web PubSub resource. The Web PubSub service uses the token to check if the service principal has the access to the resource.
 
 ### Client-side authentication while using Microsoft Entra ID
@@ -33,7 +33,7 @@ The negotiation server/Function App shares an access key with the Web PubSub res
 
 However, access key is often disabled when using Microsoft Entra ID to improve security.
 
-To address this issue, we have developed a REST API that generates a client token. This token can be used to connect to the Azure Web PubSub service.
+To address this issue, we developed a REST API that generates a client token. This token can be used to connect to the Azure Web PubSub service.
 
 To use this API, the negotiation server must first obtain an **Microsoft Entra Token** from Azure to authenticate itself. The server can then call the Web PubSub Auth API with the **Microsoft Entra Token** to retrieve a **Client Token**. The **Client Token** is then returned to the client, who can use it to connect to the Azure Web PubSub service.
 
@@ -45,7 +45,8 @@ Microsoft Entra authorizes access rights to secured resources through [Azure rol
 
 ### Resource scope
 
-Before assigning an Azure RBAC role to a security principal, it's important to identify the appropriate level of access that the principal should have. It's recommended to grant the role with the narrowest possible scope. Resources located underneath inherit Azure RBAC roles with broader scopes.
+Before assigning an Azure RBAC role to a security principal, it's important to identify the appropriate level of access that the principal should have.
+It is recommended to grant the role to the most limited scope. Resources within it will inherit Azure RBAC roles assigned to the scope.
 
 You can scope access to Azure Web PubSub resources at the following levels, beginning with the narrowest scope:
 
@@ -67,36 +68,27 @@ You can scope access to Azure Web PubSub resources at the following levels, begi
 
 ## Azure built-in roles for Web PubSub resources
 
-- `Web PubSub Service Owner`
+   | Role                                                                                              | Description                                                                                               | Use case                                                                                                                                     |
+   | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+   | [Web PubSub Service Owner](/azure/role-based-access-control/built-in-roles#web-pubsub-service-owner)           | Full access to data-plane APIs, including read/write REST APIs and Auth APIs.                                               | Most commonly used for building an upstream server that handles negotiation requests and client events.                                                                                                             |
+   | [Web PubSub Service Reader](/azure/role-based-access-control/built-in-roles#web-pubsub-service-reader)           | Readonly access to data-plane APIs.                                                | Use it when write a monitoring tool that calls readonly REST APIs.
 
-  Full access to data-plane permissions, including read/write REST APIs and Auth APIs.
 
-  This role is the most common used for building an upstream server.
+Learn how to create a custom role if the built-in roles do not meet your requirements.
 
-- `Web PubSub Service Reader`
-
-  Use to grant read-only REST APIs permissions to Web PubSub resources.
-
-  It's used when you'd like to write a monitoring tool that calling **ONLY** Web PubSub data-plane **READONLY** REST APIs.
+[Azure custom roles: Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role)
 
 ## Next steps
 
-To learn how to create an Azure application and use Microsoft Entra authorization, see
-
-- [Authorize request to Web PubSub resources with Microsoft Entra ID from applications](howto-authorize-from-application.md)
-
-To learn how to configure a managed identity and use Microsoft Entra auth, see
-
-- [Authorize request to Web PubSub resources with Microsoft Entra ID from managed identities](howto-authorize-from-managed-identity.md)
-
-To learn more about roles and role assignments, see
+To learn how to use Microsoft Entra authentication with role-based access control, see
 
-- [What is Azure role-based access control](../role-based-access-control/overview.md)
+  - [Authorize requests to Azure Web PubSub resources with Microsoft Entra applications](howto-authorize-from-application.md)
+  - [Authorize requests to Azure Web PubSub resources with Managed identities for Azure resources](howto-authorize-from-managed-identity.md)
 
-To learn how to create custom roles, see
+To learn more about roles-based access control, see
 
-- [Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role)
+  - [What is Azure role-based access control](../role-based-access-control/overview.md)
 
-To learn how to use only Microsoft Entra authorization, see
+To learn how to disable the connection string and use only Microsoft Entra authentication, see
 
-- [Disable local authentication](./howto-disable-local-auth.md)
+- [How to disable local authentication](./howto-disable-local-auth.md)

articles/azure-web-pubsub/howto-authorize-from-application.md

@@ -1,119 +1,43 @@
 ---
 title: Authorize an application request by using Microsoft Entra ID
-description: Learn how to authorize an application request to Web PubSub resources by using Microsoft Entra ID.
+description: This article provides information about authorizing requests to Azure Web PubSub resources with Microsoft Entra applications.
 author: terencefan
 ms.author: tefa
-ms.date: 10/12/2024
+ms.date: 03/11/2025
 ms.service: azure-web-pubsub
 ms.topic: conceptual
 ---
 
-# Authorize an application request by using Microsoft Entra ID
+# Authorize requests to Azure Web PubSub resources with Microsoft Entra applications
 
-Azure Web PubSub supports Microsoft Entra ID for authorizing requests from [applications](../active-directory/develop/app-objects-and-service-principals.md).
+Azure Web PubSub Service supports Microsoft Entra ID for authorizing requests with [Microsoft Entra applications](/entra/identity-platform/app-objects-and-service-principals).
 
-This article shows you how to configure your Web PubSub resource and code to authorize a request to a Web PubSub resource from an Azure application.
 
-## Register an application
+This article explains how to set up your resource and code to authenticate requests to the resource using a Microsoft Entra application.
 
-The first step is to register an Azure application.
+## Register an application in Microsoft Entra ID
 
-1. In the [Azure portal](https://portal.azure.com/), search for and then select **Microsoft Entra ID**.
-1. On the left menu under **Manage**, select **App registrations**.
-1. Select **New registration**.
-1. For **Name**, enter a name to use for your application.
-1. Select **Register** to confirm the application registration.
+The first step is to [Register an application in Microsoft Entra ID](/entra/identity-platform/quickstart-register-app):
 
-:::image type="content" source="media/howto-authorize-from-application/register-an-application.png" alt-text="Screenshot that shows registering an application.":::
+After you register your application, you can find the **Application (client) ID** and **Directory (tenant) ID** values on the application's overview page. These GUIDs can be useful in the following steps.
 
-When your application is registered, go to the application overview to view the values for **Application (client) ID** and **Directory (tenant) ID**. You use these values in the following sections.
-
-:::image type="content" source="media/howto-authorize-from-application/application-overview.png" alt-text="Screenshot that shows an application.":::
-
-For more information about registering an application, see the quickstart [Register an application by using the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md).
+![Screenshot of overview information for a registered application.](./media/howto-authorize-from-application/application-overview.png)
 
 ## Add credentials
 
-You can add both certificates and client secrets (a string) as credentials to your confidential client app registration.
-
-For more information about adding credentials, see [Add credentials](../active-directory/develop/quickstart-register-app.md#add-credentials).
-
-### Add a client secret
-
-The application requires a client secret for a client to prove its identity when it requests a token.
-
-To create a client secret:
-
-1. On the left menu under **Manage**, select **Certificates & secrets**.
-1. On the **Client secrets** tab, select **New client secret**.
-
-   :::image type="content" source="media/howto-authorize-from-application/new-client-secret.png" alt-text="Screenshot that shows creating a client secret.":::
-
-1. Enter a description for the client secret, and then choose an **Expires** time for the secret.
-1. Copy the value of the client secret and paste it in a secure location for later use.
-
-   > [!NOTE]
-   > The secret is visible only when you create the secret. You can't view the client secret in the portal later.
-
-### Add a certificate
-
-You can upload a certificate instead of creating a client secret.
-
-:::image type="content" source="media/howto-authorize-from-application/upload-certificate.png" alt-text="Screenshot that shows uploading a certificate.":::
-
-## Add a role assignment in the Azure portal
-
-This section demonstrates how to assign a Web PubSub Service Owner role to a service principal (application) for a Web PubSub resource.
-
-> [!NOTE]
-> You can assign a role to any scope, including management group, subscription, resource group, and single resource. For more information about scope, see [Understand scope for Azure role-based access control](../role-based-access-control/scope-overview.md).
-
-1. In the [Azure portal](https://portal.azure.com/), go to your Web PubSub resource.
-
-1. On the left menu, select **Access control (IAM)** to display access control settings for the resource.
-
-1. Select the **Role assignments** tab and view the role assignments at this scope.
-
-   The following figure shows an example of the **Access control (IAM)** pane for a Web PubSub resource:
-
-   :::image type="content" source="media/howto-authorize-from-application/access-control.png" alt-text="Screenshot that shows an example of the Access control (IAM) pane.":::
-
-1. Select **Add** > **Add role assignment**.
-
-1. Select the **Roles** tab, and then select **Web PubSub Service Owner**.
-
-1. Select **Next**.
-
-   :::image type="content" source="media/howto-authorize-from-application/add-role-assignment.png" alt-text="Screenshot that shows adding a role assignment.":::
-
-1. Select the **Members** tab. Under **Assign access to**, select **User, group, or service principal**.
-
-1. Choose **Select members**.
-
-1. Search for and select the application to assign the role to.
-
-1. Choose **Select** to confirm the selection.
-
-1. Select **Next**.
-
-   :::image type="content" source="media/howto-authorize-from-application/assign-role-to-service-principals.png" alt-text="Screenshot that shows assigning a role to service principals.":::
-
-1. Select **Review + assign** to confirm the change.
+After registering an app, you can add **certificates, client secrets (a string), or federated identity credentials** as credentials to your confidential client app registration. Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime, and are used by confidential client applications that access a web API.
 
-> [!IMPORTANT]
-> Azure role assignments might take up to 30 minutes to propagate.
+- [Add a certificate](/entra/identity-platform/quickstart-register-app?tabs=certificate#add-credentials)
+- [Add a client secret](/entra/identity-platform/quickstart-register-app?tabs=client-secret#add-credentials)
+- [Add a federated credential](/entra/identity-platform/quickstart-register-app?tabs=federated-credential#add-credentials)
 
-To learn more about how to assign and manage Azure role assignments, see these articles:
+## Add role assignments in the Azure portal
 
-- [Assign Azure roles by using the Azure portal](../role-based-access-control/role-assignments-portal.yml)
-- [Assign Azure roles by using REST API](../role-based-access-control/role-assignments-rest.md)
-- [Assign Azure roles by using Azure PowerShell](../role-based-access-control/role-assignments-powershell.md)
-- [Assign Azure roles by using the Azure CLI](../role-based-access-control/role-assignments-cli.md)
-- [Assign Azure roles by using an Azure Resource Manager template](../role-based-access-control/role-assignments-template.md)
+[!INCLUDE [add role assignments](includes/web-pubsub-add-role-assignments.md)]
 
-## Code samples that use Microsoft Entra authorization
+## Code samples with Microsoft Entra authorization
 
-Get samples that use Microsoft Entra authorization in our four officially supported programming languages:
+Check out our samples that show how to use Microsoft Entra authorization in programming languages we officially support.
 
 - [C#](./howto-create-serviceclient-with-net-and-azure-identity.md)
 - [Python](./howto-create-serviceclient-with-python-and-azure-identity.md)