Merge pull request #302559 from MicrosoftDocs/main

Auto Publish – main to live - 2025-07-10 22:00 UTC

Author: learn-build-service-prod[bot]

articles/api-management/TOC.yml

@@ -254,8 +254,6 @@
     href: azure-openai-enable-semantic-caching.md
   - name: Authenticate and authorize to Azure OpenAI
     href: api-management-authenticate-authorize-azure-openai.md
-  - name: Protect Azure OpenAI keys
-    href: /semantic-kernel/deploy/use-ai-apis-with-api-management?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json
 - name: Manage APIs with policies
   items:
   - name: API Management policies overview

articles/api-management/api-management-authenticate-authorize-azure-openai.md

@@ -165,4 +165,3 @@ Following are high level steps to restrict API access to users or apps that are
 
 * Learn more about [Microsoft Entra ID and OAuth2.0](../active-directory/develop/authentication-vs-authorization.md).  
 * [Authenticate requests to Azure AI services](/azure/ai-services/authentication)
-* [Protect Azure OpenAI keys with API Management](/semantic-kernel/deploy/use-ai-apis-with-api-management?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=/azure/api-management/breadcrumb/toc.json)

articles/azure-resource-manager/templates/template-functions-array.md

@@ -3,7 +3,7 @@ title: Template functions - arrays
 description: Describes the functions to use in an Azure Resource Manager template (ARM template) for working with arrays.
 ms.topic: reference
 ms.custom: devx-track-arm-template
-ms.date: 07/07/2025
+ms.date: 07/10/2025
 ---
 
 # Array functions for ARM templates
@@ -744,6 +744,73 @@ The output from the preceding example with the default values is:
 | arrayOutput | Array | ["one", "two"] |
 | stringOutput | String | on |
 
+## tryGet
+
+`tryGet(itemToTest, keyOrIndex)`
+
+`tryGet` helps you avoid deployment failures when trying to access a non-existent property or index in an object or array. If the specified key or index does not exist, `tryGet` returns null instead of throwing an error. 
+
+In Bicep, use the [safe-dereference](../bicep/operator-safe-dereference.md#safe-dereference) operator.
+
+### Parameters
+
+| Parameter | Required | Type | Description |
+|:--- |:--- |:--- |:--- |
+| itemToTest |Yes |array, object |An object or array to look into. |
+| keyOrIndex |Yes |string, int |A key or index to retrieve from the array or object. A property name for objects or index for arrays.|
+
+### Return value
+
+Returns the value at the key/index if it exists. Returns null if the key/index is missing or out of bounds.
+
+### Example
+
+The following example checks whether an array, object, and string are empty.
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "languageVersion": "2.0",
+  "contentVersion": "1.0.0.0",
+  "variables": {
+    "users": {
+      "name": "John Doe",
+      "age": 30
+    },
+    "colors": [
+      "red",
+      "green"
+    ]
+  },
+  "resources": [],
+  "outputs": {
+    "region": {
+      "type": "string",
+      "nullable": true,
+      "value": "[tryGet(variables('users'), 'region')]"
+    },
+    "name": {
+      "type": "string",
+      "nullable": true,
+      "value": "[tryGet(variables('users'), 'name')]"
+    },
+    "firstColor": {
+      "type": "string",
+      "nullable": true,
+      "value": "[tryGet(variables('colors'), 0)]"
+    }
+  }
+}
+```
+
+The output from the preceding example is:
+
+| Name | Type | Value |
+| ---- | ---- | ----- |
+| region | String | (NULL) |
+| name | String | John Doe |
+| firstColor | String | Red |
+
 ## tryIndexFromEnd
 
 `tryndexFromEnd(sourceArray, reverseIndex)`

articles/azure-resource-manager/templates/template-functions-object.md

@@ -3,7 +3,7 @@ title: Template functions - objects
 description: Describes the functions to use in an Azure Resource Manager template (ARM template) for working with objects.
 ms.topic: reference
 ms.custom: devx-track-arm-template
-ms.date: 02/12/2025
+ms.date: 07/10/2025
 ---
 
 # Object functions for ARM templates
@@ -540,6 +540,73 @@ The output from the preceding example with the default values is:
 
 **secondOutput** shows the shallow merge doesn't recursively merge these nested objects. Instead, the entire nested object is replaced by the corresponding property from the merging object.
 
+## tryGet
+
+`tryGet(itemToTest, keyOrIndex)`
+
+`tryGet` helps you avoid deployment failures when trying to access a non-existent property or index in an object or array. If the specified key or index doesn't exist, `tryGet` returns null instead of throwing an error. 
+
+In Bicep, use the [safe-dereference](../bicep/operator-safe-dereference.md#safe-dereference) operator.
+
+### Parameters
+
+| Parameter | Required | Type | Description |
+|:--- |:--- |:--- |:--- |
+| itemToTest |Yes |array, object |An object or array to look into. |
+| keyOrIndex |Yes |string, int |A key or index to retrieve from the array or object. A property name for objects or index for arrays.|
+
+### Return value
+
+Returns the value at the key/index if it exists. Returns null if the key/index is missing or out of bounds.
+
+### Example
+
+The following example checks whether an array, object, and string are empty.
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "languageVersion": "2.0",
+  "contentVersion": "1.0.0.0",
+  "variables": {
+    "users": {
+      "name": "John Doe",
+      "age": 30
+    },
+    "colors": [
+      "red",
+      "green"
+    ]
+  },
+  "resources": [],
+  "outputs": {
+    "region": {
+      "type": "string",
+      "nullable": true,
+      "value": "[tryGet(variables('users'), 'region')]"
+    },
+    "name": {
+      "type": "string",
+      "nullable": true,
+      "value": "[tryGet(variables('users'), 'name')]"
+    },
+    "firstColor": {
+      "type": "string",
+      "nullable": true,
+      "value": "[tryGet(variables('colors'), 0)]"
+    }
+  }
+}
+```
+
+The output from the preceding example is:
+
+| Name | Type | Value |
+| ---- | ---- | ----- |
+| region | String | (NULL) |
+| name | String | John Doe |
+| firstColor | String | Red |
+
 ## union
 
 `union(arg1, arg2, arg3, ...)`

articles/azure-resource-manager/templates/template-functions.md

@@ -3,7 +3,7 @@ title: Template functions
 description: Describes the functions to use in an Azure Resource Manager template (ARM template) to retrieve values, work with strings and numerics, and retrieve deployment information.
 ms.topic: reference
 ms.custom: devx-track-arm-template
-ms.date: 07/07/2025
+ms.date: 07/10/2025
 ---
 
 # ARM template functions
@@ -64,6 +64,7 @@ Resource Manager provides several functions for working with arrays.
 * [range](template-functions-array.md#range)
 * [skip](template-functions-array.md#skip)
 * [take](template-functions-array.md#take)
+* [tryGet](template-functions-array.md#tryget)
 * [tryIndexFromEnd](template-functions-array.md#tryindexfromend)
 * [union](template-functions-array.md#union)
 
@@ -229,6 +230,7 @@ Resource Manager provides several functions for working with objects.
 * [null](template-functions-object.md#null)
 * [objectKeys](template-functions-object.md#objectkeys)
 * [shallowMerge](template-functions-object.md#shallowmerge)
+* [tryGet](template-functions-object.md#tryget)
 * [union](template-functions-object.md#union)
 
 For Bicep files, use the [object](../bicep/bicep-functions-object.md) functions.

articles/azure-resource-manager/templates/toc.yml

@@ -470,7 +470,7 @@ items:
     - name: All functions
       href: template-functions.md
     - name: Array functions
-      displayName: array,concat,contains,createArray,empty,first,indexFromEnd,indexOf,intersection,last,lastIndexOf,length,max,min,range,skip,take,tryIndexFromEdn,union
+      displayName: array,concat,contains,createArray,empty,first,indexFromEnd,indexOf,intersection,last,lastIndexOf,length,max,min,range,skip,take,tryIndexFromEnd,tryGet,union
       href: template-functions-array.md
     - name: CIDR functions
       displayName: parseCidr,cidrSubnet,cidrHost
@@ -494,7 +494,7 @@ items:
       displayName: add,copyIndex,div,float,int,max,min,mod,mul,sub
       href: template-functions-numeric.md
     - name: Object functions
-      displayName: contains,createObject,empty,intersection,items,json,length,null,objectKeys,shallowMerge,union
+      displayName: contains,createObject,empty,intersection,items,json,length,null,objectKeys,shallowMerge,tryGet,union
       href: template-functions-object.md
     - name: Resource functions
       displayName: extensionResourceId,listAccountSas,listKeys,listSecrets,list*,pickZones,providers,reference,references,resourceId,subscriptionResourceId,managementGroupResourceId,tenantResourceId

articles/azure-vmware/azure-vmware-solution-known-issues.md

@@ -15,16 +15,16 @@ Refer to the table to find details about resolution dates or possible workaround
 
 |Issue | Date discovered | Workaround | Date resolved |
 | :------------------------------------- | :------------ | :------------- | :------------- |
-| Changing the default NSX Tier-1 name may cause some NSX features added through the Azure portal, such as DNS Zone and the Segment page, to not function as expected. | June 2025 | Azure VMware Solution uses the NSX Tier-1 name "TNTxx-T1" (where xx is the internal tenant ID) for these features. Therefore, please do not change the default Tier-1 name. | N/A
-| Creating stateful gateway firewall rules associated with Azure VMware Solution default NSX-T tier-0 router causes unwanted/unexpected behavior. | May 2025 | Azure VMware Solution deploys with a stateless NSX-T tier-0 router.  As such, stateful firewall rules are incompatible even though the NSX-T UI may allow it.  Apply stateful services and/or firewall rules at the tier-1 router. | N/A
-| AV64 hosts running vSAN Express Storage Architecture (ESA), may see a High pNIC errors due to buffer overflows. [Getting alarm in relation to "High pNic error rate detected" on hosts in vSAN clusters when using Mellanox NICs](https://knowledge.broadcom.com/external/article/392333/getting-alarm-in-relation-to-high-pnic-e.html) | June 2025 |  The alert should be considered an informational message, since Microsoft manages the service. Select the **Reset to Green** link to clear it. |
+| Changing the default NSX Tier-1 name may cause some NSX features added through the Azure portal, such as DNS Zone and the Segment page, to not function as expected. | June 2025 | Azure VMware Solution uses the NSX Tier-1 name "TNTxx-T1" (where xx is the internal tenant ID) for these features. Therefore, please do not change the default Tier-1 name. | N/A|
+| Creating stateful gateway firewall rules associated with Azure VMware Solution default NSX-T tier-0 router causes unwanted/unexpected behavior. | May 2025 | Azure VMware Solution deploys with a stateless NSX-T tier-0 router.  As such, stateful firewall rules are incompatible even though the NSX-T UI may allow it.  Apply stateful services and/or firewall rules at the tier-1 router. | N/A|
+| AV64 hosts running vSAN Express Storage Architecture (ESA), may see a High pNIC errors due to buffer overflows. [Getting alarm in relation to "High pNic error rate detected" on hosts in vSAN clusters when using Mellanox NICs](https://knowledge.broadcom.com/external/article/392333/getting-alarm-in-relation-to-high-pnic-e.html) | June 2025 |  The alert should be considered an informational message, since Microsoft manages the service. Select the **Reset to Green** link to clear it. ||
 |[VMSA-2025-0012](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25738) Multiple vulnerabilities (CVE-2025-22243, CVE-2025-22244, CVE-2025-22245) have been identified in VMware NSX. | May 2025 | The vulnerability described in the Broadcom document does not apply to Azure VMware Solution due to existing compensating controls mitigate the risk of exploitation. | The upcoming version of NSX will include a patch to address this vulnerability. |
 |[VMSA-2025-0010](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25717) Multiple vulnerabilities (CVE-2025-41225, CVE-2025-41226, CVE-2025-41227, CVE-2025-41228) have been identified in VMware ESXi and vCenter Server. | May 2025 | Microsoft, in collaboration with Broadcom/VMware, has confirmed the applicability of these vulnerabilities to Azure VMware Solution (AVS). Existing security controls, including cloudadmin role restrictions and network isolation, are deemed to significantly mitigate the impact of these vulnerabilities prior to official patching. The vulnerabilities have been adjudicated with a combined adjusted Environmental Score of [6.8](https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) within the Azure VMware Solution. Until the update is fully addressed, customers are advised to exercise additional caution when granting administrative access to guest virtual machines and to actively monitor any administrative activities performed on them. | N/A |
 |[VMSA-2025-0007](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25683) VMware Tools update addresses an insecure file handling vulnerability (CVE-2025-22247). | May 2025 | To remediate CVE-2025-22247, apply version 12.5.2 of VMware Tools, use the Azure VMware Solution Run command ``Set-Tools-Repo.`` | May 2025 |
 | ESXi hosts may experience operational issues if NSX Layer-2 DFW default rule logging is enabled. More information can be obtained in this Knowledge Base article from Broadcom: [ESXi hosts may experience operational issues if L2 DFW default rule logging is enabled.](https://knowledge.broadcom.com/external/article/326455/esxi-hosts-may-experience-operational-is.html) | May 2025 | It is not recommended to enable logging on the default Layer-2 DFW rule in a Production environment for any sustained period of time. If logging must be enabled on an L2 rule, it is advised to create a new L2 rule specific to the traffic flow in question and enable logging on that rule only. Please see [Broadcom Knowledge Base Article 326455.](https://knowledge.broadcom.com/external/article/326455/esxi-hosts-may-experience-operational-is.html).| N/A |
 | With VMware HCX versions 4.10.3 and earlier, attempts to download upgrade bundles or the Connector OVA directly from the HCX Manager UI (port 443) fail due to the decommissioning of the external image depot server. More information can be obtained in this Knowledge Base article from Broadcom: [Upgrade Bundle Download from 443 UI will Fail in All HCX versions prior to 4.11](https://knowledge.broadcom.com/external/article/395372)| April 2025 | We will begin upgrading all Azure VMware Solution customers to HCX 4.11.0 in the coming weeks, this will provide customers with access to the HCX Connector upgrade bundles, which will be stored on their vSAN datastore. Until then, all customers will need to submit a support request (SR) to obtain the required upgrade bundles. | May 2025 |
 |[VMSA-2025-0005](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25518) VMware Tools for Windows update addresses an authentication bypass vulnerability (CVE-2025-22230). | April 2025 | To remediate CVE-2025-22230, apply version 12.5.1 of VMware Tools, use the Azure VMware Solution Run command ``Set-Tools-Repo.`` | May 2025 |
-| If you're a user of AV64, you may notice a “Status of other hardware objects” alarm on your hosts in vCenter Server. This alarm doesn't indicate a hardware issue. It's triggered when the System Event Log (SEL) reaches its capacity threshold according to vCenter Server. Despite the alarm, the host remains healthy with no hardware-related error signatures detected, and no high availability (HA) events are expected as a result. It's safe to continue operating your private cloud without interruption. The alarm has only two possible states—green and red—with no intermediate warning state. Once the status changes to red, it will remain red even if conditions improve to what would typically qualify as a warning. | April 2025 | This alarm should be treated as a warning and won't affect operability of your private cloud. Microsoft adjusts thresholds for the alarm, so it doesn't alert in vCenter Server. | May 2025 |
+| If you're a user of AV64, you may notice a “Status of other hardware objects” alarm on your hosts in vCenter Server. This alarm doesn't indicate a hardware issue. It's triggered when the System Event Log (SEL) reaches its capacity threshold according to vCenter Server. Despite the alarm, the host remains healthy with no hardware-related error signatures detected, and no high availability (HA) events are expected as a result. It's safe to continue operating your private cloud without interruption. The alarm has only two possible states—green and red—with no intermediate warning state. Once the status changes to red, it will remain red even if conditions improve to what would typically qualify as a warning. | April 2025 | This alarm should be treated as a warning and won't affect operability of your private cloud. Microsoft adjusts thresholds for the alarm, so it doesn't alert in vCenter Server. | July 2025 |
 | After deploying an AV48 private cloud, you may see a High pNIC error rate detected. Check the host's vSAN performance view for details if alert is active in the vSphere Client.  | April 2025  | The alert should be considered an informational message, since Microsoft manages the service. Select the **Reset to Green** link to clear it. | April 2025 |
 | [VMSA-2025-0004](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390) VMCI Heap-overflow, ESXi arbitrary write, and Information disclosure vulnerabilities | March 2025 | Microsoft has verified the applicability of the vulnerabilities within the Azure VMware Solution service and have adjudicated the vulnerabilities at a combined adjusted Environmental Score of [9.4](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAC:L/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H). Customers are advised to take additional precautions when granting administrative access to, and monitor any administrative activities on, guest VMs until the update is fully addressed. For additional information on the vulnerability and Microsoft’s involvement, please see [this blog post](https://techcommunity.microsoft.com/blog/azuremigrationblog/azure-vmware-solution-broadcom-vmsa-2025-0004-remediation/4388074). (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) | March 2025 - Resolved in [ESXi 8.0_U2d](https://techdocs.broadcom.com/us/en/vmware-cis/vsphere/vsphere/8-0/release-notes/esxi-update-and-patch-release-notes/vsphere-esxi-80u2d-release-notes.html) |
 |Issue 3464419: After upgrading HCX 4.10.2 users are unable to log in or perform various management operations. | 2024 | None | December 2024- Resolved in [HCX 4.10.3](https://techdocs.broadcom.com/us/en/vmware-cis/hcx/vmware-hcx/4-10/hcx-4-10-release-notes/vmware-hcx-4103-release-notes.html#GUID-ca55e2de-cd98-494d-b026-201132967232-en_id-6fc83b19-af5d-4a89-a258-3ce63559ffb8) |

articles/cost-management-billing/cost-management-billing-faq.yml

@@ -162,7 +162,7 @@ sections:
           If you’re an EA or MCA customer, `PayGPrice` is populated only for first-party Azure usage charges where `PricingModel` is `OnDemand`, `Spot`, or `SavingsPlan`. `PayGprice` isn't populated when `PricingModel` is `Reservations` or `Marketplace`.
       - question: Does Cost and usage details data have Reservation charges?
         answer: |
-          Yes it does. You can see those charges when the actual charges occurred in the Actual Cost dataset or you can see the charges spread across the resources that consumed the Reservation or Savings Plan in the Amortized Cost dataset. For more information, see [Get amortized costs](costs/manage-automation.md#get-amortized-cost-details).
+          Yes it does. You can see those charges when the actual charges occurred in the Actual Cost dataset or you can see the charges spread across the resources that consumed the Reservation or Savings Plan in the Amortized Cost dataset.
       - question: Am I charged for using Cost Details API or Exports?
         answer: |
           The Cost Details API is free. However, make sure to abide by the rate-limiting policies. For more information, see [Data latency and rate limits](costs/manage-automation.md#data-latency-and-rate-limits). The Exports feature is free to use, but you pay for the storage account that you use to store the exported data.