MicrosoftDocs
diff --git a/‎articles/communication-services/concepts/interop/guest/capabilities.md
Lines changed: 2 additions & 2 deletions b/‎articles/communication-services/concepts/interop/guest/capabilities.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/communication-services/how-tos/calling-sdk/includes/spotlight/spotlight-web.md
Lines changed: 86 additions & 0 deletions b/‎articles/communication-services/how-tos/calling-sdk/includes/spotlight/spotlight-web.md
Lines changed: 86 additions & 0 deletions
diff --git a/‎articles/communication-services/tutorials/chat-interop/meeting-interop-features-inline-image.md
Lines changed: 2 additions & 0 deletions b/‎articles/communication-services/tutorials/chat-interop/meeting-interop-features-inline-image.md
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/container-instances/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/container-instances/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/container-instances/confidential-containers-attestation-concepts.md
Lines changed: 104 additions & 0 deletions b/‎articles/container-instances/confidential-containers-attestation-concepts.md
Lines changed: 104 additions & 0 deletions
@@ -174,9 +174,9 @@ When Teams external users leave the meeting, or the meeting ends, they can no lo
 
 *Azure Communication Services provides developers tools to integrate Microsoft Teams Data Loss Prevention that is compatible with Microsoft Teams. For more information, go to [how to implement Data Loss Prevention (DLP)](../../../how-tos/chat-sdk/data-loss-prevention.md)
 
-**Inline image support is currently in public preview and is available in the Chat SDK for JavaScript only. Preview APIs and SDKs are provided without a service-level agreement. We recommend that you don't use them for production workloads. Some features might not be supported, or they might have constrained capabilities. For more information, review [Supplemental Terms of Use for Microsoft Azure Previews.](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)
+**Inline images are images that are copied and pasted directly into the send box of Teams client. For images that were uploaded via "Upload from this device" menu or via drag-and-drop (such as dragging images directly to the send box) in the Teams, they are not supported at this moment. To copy an image, the Teams user can either use their operating system's context menu to copy the image file then paste it into the send box of their Teams client, or use keyboard shortcuts instead.
 
-**If the Teams external user sends a message with images uploaded via "Upload from this device" menu or via drag-and-drop (such as dragging images directly to the send box) in the Teams, then these scenarios would be covered under the file sharing capability, which is currently not supported.
+**Inline image support is currently in public preview and is available in the Chat SDK for JavaScript only. Preview APIs and SDKs are provided without a service-level agreement. We recommend that you don't use them for production workloads. Some features might not be supported, or they might have constrained capabilities. For more information, review [Supplemental Terms of Use for Microsoft Azure Previews.](https://azure.microsoft.com/support/legal/preview-supplemental-terms/)
 
 ## Server capabilities
 
 
@@ -0,0 +1,86 @@
+---
+author: cnwankwo
+ms.service: azure-communication-services
+ms.topic: include
+ms.date: 03/01/2023
+ms.author: cnwankwo
+---
+[!INCLUDE [Install SDK](../install-sdk/install-sdk-web.md)]
+
+Spotlight is an extended feature of the core `Call` API. You first need to import calling Features from the Calling SDK:
+
+```js
+import { Features} from "@azure/communication-calling";
+```
+
+Then you can get the feature API object from the call instance:
+
+```js
+const spotLightFeature = call.feature(Features.Spotlight);
+```
+
+### Start spotlight for current participant:
+To pin the video of the current/local participant, use the following code. This action is idempotent, trying to start spotlight on a pinned participant does nothing
+```js
+spotLightFeature.startSpotlight();
+```
+
+### Spotlight specific participants
+Any participant in the call or meeting can be pinned. Only Microsoft 365 users who have an organizer, coorganizer or presenter role can start spotlight for other participants. This action is idempotent, trying to start spotlight on a pinned participant does nothing
+```js
+// Specify list of participants to be spotlighted
+CommunicationUserIdentifier acsUser = new CommunicationUserIdentifier(<USER_ID>);
+MicrosoftTeamsUserIdentifier teamsUser = new MicrosoftTeamsUserIdentifier(<USER_ID>)
+spotLightFeature.startSpotlight([acsUser, teamsUser]);
+```
+
+### Stop spotlight for current participant:
+To unpin the video of the current/local participant, use the following code. This action is idempotent, trying to stop spotlight on an unpinned participant does nothing
+```js
+spotLightFeature.stopSpotlight();
+```
+
+
+
+### Remove spotlight from participants
+Any pinned participant in the call or meeting can be unpinned. Only Microsoft 365 users who have an organizer, coorganizer or presenter role can unpin other participants. This action is idempotent, trying to stop spotlight on an unpinned participant does nothing 
+```js
+// Specify list of participants to be spotlighted
+CommunicationUserIdentifier acsUser = new CommunicationUserIdentifier(<USER_ID>);
+MicrosoftTeamsUserIdentifier teamsUser = new MicrosoftTeamsUserIdentifier(<USER_ID>)
+spotLightFeature.stopSpotlight([acsUser, teamsUser]);
+```
+
+### Remove all spotlights
+All pinned participants can be unpinned using this API. Only MicrosoftTeamsUserIdentifier users who have an organizer, coorganizer or presenter role can unpin all participants.
+```js
+spotLightFeature.stopAllSpotLight();
+```
+
+
+
+### Handle changed states
+The `Spotlight` API allows you to subscribe to `spotlightUpdated` events. A `spotlightUpdated` event comes from a `call` instance and contains information about newly spotlighted participants and participants whose spotlight were stopped
+```js
+// event : { added: SpotlightedParticipant[]; removed: SpotlightedParticipant[] }
+// SpotlightedParticipant = { identifier: CommunicationIdentifier, order?: number }
+// where: 
+//  identifier: ID of participant whos spotlight state is changed
+//  order: sequence of the event
+
+const spotlightChangedHandler = (event) => {
+    console.log(`Newly added spotlight state ${JSON.stringify(event.added)}`);
+    console.log(`Newly removed spotlight state ${JSON.stringify(event.removed)}`);
+};
+spotLightFeature.on('spotlightChanged', spotlightChangedHandler);
+```
+
+Use the following to stop receiving spotlightUpdated events
+```js
+spotLightFeature.off('spotlightChanged', spotlightChangedHandler);
+```
+### Get List of all participants currently spotlighted
+To get information about all participants that are spotlighted on the current call, use the following API call. It returns an array of SpotlightedParticipant
+```js
+let spotlightedParticipants = spotLightFeature.getSpotlightedParticipants();
+```
@@ -16,6 +16,8 @@ ms.custom: mode-other
 ## Add inline image support
 The Chat SDK is designed to work with Microsoft Teams seamlessly. Specifically, Chat SDK provides a solution to receive inline images sent by users from Microsoft Teams. Currently this feature is only available in the Chat SDK for JavaScript. 
 
+The Chat SDK for JavaScript provides `previewUrl` and `url` for each inline images. Please note that some GIF images fetched from `previewUrl` might not be animated and a static preview image would be returned instead. Developers are expected to use the `url` if the intention is to fetch animated images only.
+
 [!INCLUDE [Public Preview Notice](../../includes/public-preview-include.md)]
 
 [!INCLUDE [Teams Inline Image Interop with JavaScript SDK](./includes/meeting-interop-features-inline-image-javascript.md)]
 
@@ -77,6 +77,8 @@
     href: container-instances-virtual-network-concepts.md
   - name: Confidential container groups
     href: container-instances-confidential-overview.md
+  - name: Attestation in Confidential container 
+    href: confidential-containers-attestation-concepts.md 
 - name: How-to guides
   items:
   - name: Deploy
 
@@ -0,0 +1,104 @@
+---
+title: Attestation in Confidential containers on Azure Containers Instances 
+description: full attestation of container groups in confidential containers on Azure Container Instances  
+ms.topic: conceptual
+ms.author: tomcassidy
+author: pkhandavilli
+ms.service: container-instances
+services: container-instances
+ms.date: 04/20/2023
+---
+
+# What is attestation?
+
+Attestation is an essential part of confidential computing and appears in the definition by the Confidential Computing Consortium “Confidential Computing is the protection of data in use by performing computation in a hardware-based, attested Trusted Execution Environment."
+
+According to the [Remote ATtestation procedureS (RATS) Architecture](https://www.ietf.org/rfc/rfc9334.html) In remote attestation, “one peer (the "Attester") produces believable information about itself ("Evidence") to enable a remote peer (the "Relying Party") to decide whether to consider that Attester a trustworthy peer. Remote attestation procedures are facilitated by an additional vital party (the "Verifier").” In simpler terms, attestation is a way of proving that a computer system is trustworthy. 
+
+In Confidential Containers on ACI you can use an attestation token to verify that the container group
+
+- Is running on confidential computing hardware. In this case AMD SEV-SNP.
+- Is running on an Azure compliant utility VM.
+- Is enforcing the expected confidential computing enforcement policy (cce) that was generated using [tooling](https://github.com/Azure/azure-cli-extensions/blob/main/src/confcom/azext_confcom/README.md).
+
+## Full attestation in confidential containers on Azure Container Instances 
+
+Expanding upon this concept of attestation. Full attestation captures all the components that are part of the Trusted Execution Environment that is remotely verifiable. To achieve full attestation, in Confidential Containers, we have introduced the notion of a cce policy, which defines a set of rules, which is enforced in the utility VM. The security policy is encoded in the attestation report as an SHA-256 digest stored in the HostData attribute, as provided to the PSP by the host operating system during the VM boot-up. This means that the security policy enforced by the utility VM is immutable throughout the lifetime of the utility VM.
+
+The exhaustive list of attributes that are part of the SEV-SNP attestation can be found [here](https://www.amd.com/system/files/TechDocs/SEV-SNP%20PSP%20API%20Specification.pdf).
+
+Some important fields to consider in an attestation token returned by [Microsoft Azure Attestation ( MAA )](../attestation/overview.md) 
+
+| Claim                     | Sample value                                                | Description |
+|---------------------------|-------------------------------------------------------------|-------------|
+| x-ms-attestation-type     | sevsnpvm                                                    | String value that describes the attestation type. For example, in this scenario sevsnp hardware |
+| x-ms-compliance-status    | azure-compliant-uvm                                         | Compliance status of the utility VM that runs the container group. |
+| x-ms-sevsnpvm-hostdata    | 670fff86714a650a49b58fadc1e90fedae0eb32dd51e34931c1e7a1839c08f6f | Hash of the cce policy that was generated during deployment. |
+| x-ms-sevsnpvm-is-debuggable | false                                                     | Flag to indicate whether the underlying hardware is running in debug mode |
+
+## Sample attestation token generated by MAA
+
+```json
+{
+  "header": {
+    "alg": "RS256",
+    "jku": "https://sharedeus2.eus2.test.attest.azure.net/certs",
+    "kid": "3bdCYJabzfhISFtb3J8yuEESZwufV7hhh08N3ZflAuE=",
+    "typ": "JWT"
+  },
+  "payload": {
+    "exp": 1680259997,
+    "iat": 1680231197,
+    "iss": "https://sharedeus2.eus2.test.attest.azure.net",
+    "jti": "d288fef5880b1501ea70be1b9366840fd56f74e666a23224d6de113133cbd8d5",
+    "nbf": 1680231197,
+    "nonce": "3413764049005270139",
+    "x-ms-attestation-type": "sevsnpvm",
+    "x-ms-compliance-status": "azure-compliant-uvm",
+    "x-ms-policy-hash": "9NY0VnTQ-IiBriBplVUpFbczcDaEBUwsiFYAzHu_gco",
+    "x-ms-runtime": {
+      "keys": [
+        {
+          "e": "AQAB",
+          "key_ops": [
+            "encrypt"
+          ],
+          "kid": "Nvhfuq2cCIOAB8XR4Xi9Pr0NP_9CeMzWQGtW_HALz_w",
+          "kty": "RSA",
+          "n": "v965SRmyp8zbG5eNFuDCmmiSeaHpujG2bC_keLSuzvDMLO1WyrUJveaa5bzMoO0pA46pXkmbqHisozVzpiNDLCo6d3z4TrGMeFPf2APIMu-RSrzN56qvHVyIr5caWfHWk-FMRDwAefyNYRHkdYYkgmFK44hhUdtlCAKEv5UQpFZjvh4iI9jVBdGYMyBaKQLhjI5WIh-QG6Za5sSuOCFMnmuyuvN5DflpLFz595Ss-EoBIY-Nil6lCtvcGgR-IbjUYHAOs5ajamTzgeO8kx3VCE9HcyKmyUZsiyiF6IDRp2Bpy3NHTjIz7tmkpTHx7tHnRtlfE2FUv0B6i_QYl_ZA5Q"
+        }
+      ]
+    },
+    "x-ms-sevsnpvm-authorkeydigest": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+    "x-ms-sevsnpvm-bootloader-svn": 3,
+    "x-ms-sevsnpvm-familyId": "01000000000000000000000000000000",
+    "x-ms-sevsnpvm-guestsvn": 2,
+    "x-ms-sevsnpvm-hostdata": "670fff86714a650a49b58fadc1e90fedae0eb32dd51e34931c1e7a1839c08f6f",
+    "x-ms-sevsnpvm-idkeydigest": "cf7e12541981e6cafd150b5236785f4364850e2c4963825f9ab1d8091040aea0964bb9a8835f966bdc174d9ad53b4582",
+    "x-ms-sevsnpvm-imageId": "02000000000000000000000000000000",
+    "x-ms-sevsnpvm-is-debuggable": false,
+    "x-ms-sevsnpvm-launchmeasurement": "a1e1a4b64e8de5c664ceee069010441f74cf039065b5b847e82b9d1a7629aaf33d5591c6b18cee48a4dde481aa88d0fb",
+    "x-ms-sevsnpvm-microcode-svn": 115,
+    "x-ms-sevsnpvm-migration-allowed": false,
+    "x-ms-sevsnpvm-reportdata": "7ab000a323b3c873f5b81bbe584e7c1a26bcf40dc27e00f8e0d144b1ed2d14f10000000000000000000000000000000000000000000000000000000000000000",
+    "x-ms-sevsnpvm-reportid": "a489c8578fb2f54d895fc8d000a85b2ff4855c015e4fb7216495c4dba4598345",
+    "x-ms-sevsnpvm-smt-allowed": true,
+    "x-ms-sevsnpvm-snpfw-svn": 8,
+    "x-ms-sevsnpvm-tee-svn": 0,
+    "x-ms-sevsnpvm-uvm-endorsement": {
+      "x-ms-sevsnpvm-guestsvn": "100",
+      "x-ms-sevsnpvm-launchmeasurement": "a1e1a4b64e8de5c664ceee069010441f74cf039065b5b847e82b9d1a7629aaf33d5591c6b18cee48a4dde481aa88d0fb"
+    },
+    "x-ms-sevsnpvm-vmpl": 0,
+    "x-ms-ver": "1.0"
+  }
+}
+```
+## Generating an attestation token 
+
+We have open-sourced sidecar container implementations that provide an easy rest interface to get a raw SNP (Secure Nested Paging) report produced by the hardware or a MAA token. The sidecar is available at this [repository](https://github.com/microsoft/confidential-sidecar-containers) and can be deployed with your container group. 
+
+## Next steps
+
+- [Learn how to use attestation to release a secret to your container group](../confidential-computing/skr-flow-confidential-containers-azure-container-instance.md)
+- [Deploy a confidential container group with Azure Resource Manager](./container-instances-tutorial-deploy-confidential-containers-cce-arm.md)