Commit a8d54a7

Merge pull request #303566 from MicrosoftDocs/main
Auto Publish – main to live - 2025-07-30 05:00 UTC
2 parents 08fd4ef + 74215a6 commit a8d54a7

751 files changed

+1121
-944
lines changed

articles/application-gateway/application-gateway-tls-version-retirement.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -102,7 +102,7 @@ To determine whether clients connecting to your Application Gateway resource are
102102
You can also check the [Application Gateway Access logs](monitor-application-gateway-reference.md#access-log-category) to view this information in log format.
103103

104104
> [!NOTE]
105-
> The metrics or logs for the V1 SKUs do not provide client TLS protocol information.
105+
> The metrics and logs for the V1 SKUs do not provide client TLS protocol information.
106106
107107
### Error information
108108
Once support for TLS versions 1.0 and 1.1 is discontinued, clients may encounter errors such as `curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure`. Depending on the browser being used, various messages indicating TLS handshake failures may be displayed.
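
Review bot: The reworded NOTE at new line 105 states that neither metrics nor logs on V1 SKUs expose the client TLS protocol, but gives V1 operators no way to find clients still negotiating TLS 1.0 or 1.1 before the retirement. Suggest adding a sentence that either points to an alternative way to identify those clients on V1 or says plainly that none exists, so the note does not end the section's guidance for that SKU with a dead end.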

articles/dev-box/how-to-configure-dev-box-serverless-gpu.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,7 @@ Serverless GPU compute in Dev Box uses Azure Container Apps (ACA). When a develo
3333

3434
## Prerequisites
3535
- An Azure subscription
36+
- *Microsoft.App* registered for your subscription
3637
- A Microsoft Dev Box project
3738

3839
## Configure serverless GPU
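
Review bot: The new prerequisite at line 36, "*Microsoft.App* registered for your subscription", does not say what Microsoft.App is or how to register it. Suggest wording it as a resource provider registration and linking to the registration steps, and formatting the name as code rather than italics so it can be copied exactly. It also overlaps with the "Register serverless GPU for the subscription" section later in the same file, so the prerequisite should state whether those steps cover it or whether it is a separate action.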
@@ -44,6 +45,9 @@ Administrators control serverless GPU access at the project level through Dev Ce
4445

4546
Access to serverless GPU resources is managed through project-level properties. When the serverless GPU feature is enabled for a project, all Dev Boxes in that project can use GPU compute. This simple access model removes the need for custom roles or pool-based configurations.
4647

48+
> [!IMPORTANT]
49+
> Serverless GPU is available only in specific regions. Your project must be in one of the following regions: BrazilSouth, CanadaCentral, CentralUS, EastUS, EastUS2, SouthCentralUS, or WestUS3.
50+
4751
### Register serverless GPU for the subscription
4852

4953
1. Sign in to the [Azure portal](https://portal.azure.com).
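
Review bot: The region list in the new IMPORTANT block (lines 48-49) uses programmatic names such as BrazilSouth and EastUS2, while readers pick regions in the portal by display name. Suggest using display names (Brazil South, East US 2) or formatting the values as code if the programmatic form is intended. The block also sits under "Configure serverless GPU" after the reader has already worked through Prerequisites; a region constraint that can block the whole procedure belongs in the Prerequisites list.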
@@ -61,7 +65,7 @@ Access to serverless GPU resources is managed through project-level properties.
6165

6266
## Connect to a GPU
6367

64-
After you enable serverless GPU, Dev Box users in that project see GPU options in their terminal and VS Code environments.
68+
After you enable serverless GPU, Dev Box users in that project see GPU options in their terminal and Visual Studio (VS) Code environments.
6569

6670
You can connect using one of these methods:
6771
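
Review bot: At new line 68, "Visual Studio (VS) Code" puts the abbreviation in the middle of the product name and reads as if Visual Studio were meant. Suggest "Visual Studio Code (VS Code)" on first use and "VS Code" afterwards.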

articles/dev-box/how-to-move-dev-box-pool-region.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,10 @@ Move Dev Box pools and individual dev boxes to a different region to optimize pe
2020
You can move Dev Box pools and individual dev boxes to a different region. This action lets you align dev boxes with the pool's region or change the network connection. Changing the region of the Dev Box pool uses a different network connection. Dev boxes aren't available while the move is in progress.
2121

2222
## Prerequisites
23-
- You need the **Project Admin** role to move a dev box to another region. Check that you have the right permissions before using this feature.
23+
You need the following permissions to move a dev box to another region:
24+
- **Project Admin** role on the Microsoft Dev Box project.
25+
- **adminAlign** permission on the subscription that contains the Dev Box pool.
26+
- **Microsoft.DevBox/project/read** permission on the subscription.
2427

2528
## Move a pool by using the Azure portal
2629
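
Review bot: The second bullet at new line 25, "**adminAlign** permission on the subscription", is not written in the provider/resource/action form used by the third bullet (Microsoft.DevBox/project/read), so an administrator cannot tell which action to grant or which role contains it. Suggest giving the full action name and naming a role that carries it. Both new permissions are also requested at subscription scope while the role in the first bullet is at project scope; if a narrower scope works, say so, otherwise explain why the subscription is needed so readers do not over-grant.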

articles/event-hubs/event-hubs-business-continuity-outages-disasters.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,7 @@ Event Hubs supports **availability zones** in select Azure regions. Data (metada
3939

4040
> [!NOTE]
4141
> Availability zones are enabled by default in supported regions.
42+
>
4243
4344
### Geo-Disaster Recovery (Geo-DR)
4445
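
Review bot: The only change in this hunk is an empty ">" line appended at new line 42 after the NOTE text, which adds an empty blockquote line and no content. It looks like a leftover from a removed sentence; suggest dropping the line so the NOTE ends on "Availability zones are enabled by default in supported regions."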

articles/event-hubs/event-hubs-dedicated-overview.md

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -14,9 +14,6 @@ ms.custom:
1414
# Azure Event Hubs Dedicated tier overview
1515
Azure Event Hubs Dedicated tier is a single-tenant solution designed to meet the needs of enterprise-scale, mission-critical event streaming workloads. This article provides an overview of the Dedicated tier, highlighting its key features, benefits, and use cases, showing how it supports high-performance, low-latency applications using Event Hubs SDK or Apache Kafka APIs.
1616

17-
> [!NOTE]
18-
> The Dedicated tier isn't available in all regions. Try to create a dedicated cluster in the Azure portal. See the supported regions in the **Location** dropdown list on the **Create Event Hubs Cluster** page.
19-
2017
## Benefits of dedicated clusters
2118

2219
The Dedicated tier of Event Hubs offers several benefits to customers who need to run mission-critical workloads at enterprise-level capacity.
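
Review bot: Removing the NOTE at old lines 17-18 leaves the overview with no statement about regional availability of the Dedicated tier. If the tier is now available in every region, say that in the commit or in the text; if not, keep a pointer to where supported regions are listed, since the deleted note was the only place in the visible lines that told readers how to check.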
@@ -78,7 +75,9 @@ Approximately one CU in a self-serve scalable cluster provides *ingress capacity
7875
With self-serve scalable clusters, you can purchase up to 10 CUs for a cluster in the Azure portal. In contrast to traditional clusters, these clusters can be scaled incrementally with CUs ranging from 1 to 10. If you need a cluster larger than 10 CUs, you can [submit a support request](event-hubs-dedicated-cluster-create-portal.md#submit-a-support-request) to scale up your cluster after its creation.
7976

8077
> [!IMPORTANT]
81-
> To create or scale an AZ-enabled self-serve cluster, you must [submit a support request](event-hubs-dedicated-cluster-create-portal.md#submit-a-support-request) requesting three CUs or greater. A three CU (or greater) self-serve cluster created via Portal is NOT AZ-enabled.
78+
> To enable Availability zones on a Event Hubs dedicated cluster, it must be provisioned with three or more CUs.
79+
>
80+
8281
### Legacy clusters
8382

8483
Event Hubs dedicated clusters created before the availability of self-serve scalable clusters are referred to as legacy clusters.
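
Review bot: The replacement text at new line 78 drops two facts the old note carried: that a support request was required, and that a cluster of three or more CUs created in the portal was not AZ-enabled. The new sentence does not say whether portal-created clusters now get availability zones automatically, so a reader cannot tell if behaviour changed or the caveat was just deleted. Suggest stating that explicitly. Also fix "a Event Hubs" to "an Event Hubs", use "availability zones" in lower case to match the rest of the file, and remove the trailing empty ">" and blank line at new lines 79-80.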

articles/event-hubs/event-hubs-premium-overview.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -70,7 +70,7 @@ Event Hubs Standard, Premium, and Dedicated tiers offer [availability zones](../
7070

7171
> [!IMPORTANT]
7272
> - Availability zone support is only available in [Azure regions with availability zones](../reliability/availability-zones-region-support.md).
73-
> - In certain regions, the Premium tier's support for availability zones is limited even though the region supports availability zones.
73+
>
7474
7575
## Premium vs. Dedicated tiers
7676
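
Review bot: At new line 73 the second bullet is replaced by an empty ">" line, which leaves the IMPORTANT block as a one-item bullet list followed by an empty blockquote line. Suggest deleting the line outright and turning the remaining bullet into a plain sentence. If the Premium tier limitation no longer applies in any region, that is worth a word in the change description, because the removed text was the only warning about it.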

articles/expressroute/about-fastpath.md

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -25,12 +25,12 @@ ExpressRoute FastPath is available for ExpressRoute Direct and ExpressRoute prov
2525

2626
The following table lists the availability of ExpressRoute FastPath for the different type of ExpressRoute circuit:
2727

28-
| Feature | Availability |
29-
|--|--|
30-
| ExpressRoute FastPath to Hub virtual network on ExpressRoute circuits | Available on all ExpressRoute circuits |
31-
| Virtual network peering over ExpressRoute FastPath | Generally available in all public cloud regions and only for ExpressRoute Direct. |
32-
| User-Defined Routing (UDR) over ExpressRoute FastPath | Generally available in all public cloud regions and only for ExpressRoute Direct. |
33-
| Private endpoint and Private Link over ExpressRoute FastPath | Limited general availability and only for ExpressRoute Direct. |
28+
| Feature | IP address family | Availability |
29+
|--|--|--|
30+
| ExpressRoute FastPath to Hub virtual network on ExpressRoute circuits | IPv4 and IPv6* | IPv4 is available on all ExpressRoute circuits. *IPv6 is supported on ER Direct only |
31+
| Virtual network peering over ExpressRoute FastPath | IPv4 and IPv6 | Generally available in all public cloud regions and only for ExpressRoute Direct. |
32+
| User-Defined Routing (UDR) over ExpressRoute FastPath | IPv4 and IPv6 | Generally available in all public cloud regions and only for ExpressRoute Direct. |
33+
| Private endpoint and Private Link over ExpressRoute FastPath | IPv4 only | Limited general availability and only for ExpressRoute Direct. |
3434

3535
#### IP address limits
3636
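
Review bot: In the first data row of the new table (new line 30) the IPv6 restriction is carried by an inline asterisk, "IPv4 and IPv6*" with "*IPv6 is supported on ER Direct only" inside the Availability cell, and it uses "ER Direct" where every other row writes "ExpressRoute Direct". Suggest spelling the name out and writing the cell as two plain sentences without the asterisk, for example "IPv4 is available on all ExpressRoute circuits. IPv6 is available only on ExpressRoute Direct." The cell is also missing its closing period, unlike the rows below it.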

articles/expressroute/expressroute-howto-add-ipv6.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -240,6 +240,7 @@ Follow these steps if you have an existing environment of Azure resources that y
240240
241241
> [!NOTE]
242242
> If you have an existing gateway that is not zone-redundant (meaning it is Standard, High Performance, or Ultra Performance SKU) and uses a public IP address of Basic SKU, you will need to delete and recreate the gateway using any SKU.
243+
> The gateway of type zone-redundant SKU (meaning it is Standard, High Performance, or Ultra Performance) can be deployed only in availability-zone supported regions.
243244
244245
## Create a connection to a new virtual network
245246
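
Review bot: The sentence added at new line 243 contradicts the line directly above it. Line 242 defines Standard, High Performance, and Ultra Performance as the SKUs that are not zone-redundant, while the new line describes "zone-redundant SKU (meaning it is Standard, High Performance, or Ultra Performance)". The parenthetical looks copied from the previous sentence; suggest replacing it with the actual zone-redundant SKU names or removing it. The new line is also appended inside the same blockquote paragraph without a blank ">" separator, so it will render run together with the preceding sentence.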

articles/governance/policy/samples/australia-ism.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
title: Regulatory Compliance details for Australian Government ISM PROTECTED
33
description: Details of the Australian Government ISM PROTECTED Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
4-
ms.date: 07/23/2025
4+
ms.date: 07/29/2025
55
ms.topic: generated-reference
66
ms.custom: generated
77
---

articles/governance/policy/samples/azure-security-benchmark.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
title: Regulatory Compliance details for Microsoft cloud security benchmark
33
description: Details of the Microsoft cloud security benchmark Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
4-
ms.date: 07/23/2025
4+
ms.date: 07/29/2025
55
ms.topic: generated-reference
66
ms.custom: generated
77
---
@@ -91,7 +91,9 @@ initiative definition.
9191
|[Storage account public access should be disallowed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4fa4b6c0-31ca-4c0d-b10d-24b96f62a751) |Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. |audit, Audit, deny, Deny, disabled, Disabled |[3.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/ASC_Storage_DisallowPublicBlobAccess_Audit.json) |
9292
|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) |
9393
|[Storage accounts should restrict network access using virtual network rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2a1a9cdf-e04d-429a-8416-3bfb72a1b26f) |Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json) |
94+
|[Storage accounts should restrict network access using virtual network rules (excluding storage accounts created by Databricks)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdb4f9b05-5ffd-4b34-b714-3c710dbb3fd6) |Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabledWithDatabricksExcluded_Audit.json) |
9495
|[Storage accounts should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6edd7eda-6dd8-40f7-810d-67160c639cd9) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - [https://aka.ms/azureprivatelinkoverview](https://aka.ms/azureprivatelinkoverview) |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountPrivateEndpointEnabled_Audit.json) |
96+
|[Storage accounts should use private link (excluding storage accounts created by Databricks)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1604f626-4d8d-4124-8bb8-b1e5f95562de) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced. Learn more about private links at - [https://aka.ms/azureprivatelinkoverview](https://aka.ms/azureprivatelinkoverview) |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountPrivateEndpointEnabledWithDatabricksExcluded_Audit.json) |
9597
|[VM Image Builder templates should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2154edb9-244f-4741-9970-660785bccdaa) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced. Learn more about private links at: [https://docs.microsoft.com/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet](/azure/virtual-machines/linux/image-builder-networking#deploy-using-an-existing-vnet). |Audit, Disabled, Deny |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json) |
9698

9799
### Deploy firewall at the edge of enterprise network
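
Review bot: The two rows added at new lines 94 and 96 reuse the description text of the existing rows word for word, so nothing in the table explains what "(excluding storage accounts created by Databricks)" means for evaluation or when to choose the variant over the original. Suggest a sentence in each description stating that Databricks-created storage accounts are skipped by the policy. Because those accounts then fall outside the network-restriction and private-link checks, the text should also say how they are expected to be covered. This file is marked generated, so the wording needs to change in the source policy definitions.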
@@ -156,6 +158,7 @@ initiative definition.
156158
|[Cosmos DB database accounts should have local authentication methods disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5450f5bd-9c72-4390-a9c4-a7aba4edfdd2) |Disabling local authentication methods improves security by ensuring that Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication. Learn more at: [https://docs.microsoft.com/azure/cosmos-db/how-to-setup-rbac#disable-local-auth](/azure/cosmos-db/how-to-setup-rbac#disable-local-auth). |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_DisableLocalAuth_AuditDeny.json) |
157159
|[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/AuditADAuth_Audit.json) |
158160
|[Storage accounts should prevent shared key access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54) |Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountAllowSharedKeyAccess_Audit.json) |
161+
|[Storage accounts should prevent shared key access (excluding storage accounts created by Databricks)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffd9903f1-38c2-4d36-8e44-5c1c20c561e8) |Audit requirement of Azure Active Directory (Azure AD) to authorize requests for your storage account. By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountAllowSharedKeyAccessWithDatabricksExcluded_Audit.json) |
159162
|[Synapse Workspaces should have Microsoft Entra-only authentication enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6ea81a52-5ca7-4575-9669-eaa910b7edf8) |Require Synapse Workspaces to use Microsoft Entra-only authentication. This policy doesn't block workspaces from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/Synapse](https://aka.ms/Synapse). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/WorkspaceDisableAadOnlyAuthentication_Audit.json) |
160163
|[Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2158ddbe-fefa-408e-b43f-d4faef8ff3b8) |Require Synapse Workspaces to be created with Microsoft Entra-only authentication. This policy doesn't block local authentication from being re-enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: [https://aka.ms/Synapse](https://aka.ms/Synapse). |Audit, Deny, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Synapse/SynaspeWorkspaceAadOnlyAuthentication_Audit.json) |
161164
|[VPN gateways should use only Azure Active Directory (Azure AD) authentication for point-to-site users](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F21a6bc25-125e-4d13-b82d-2e19b7208ab7) |Disabling local authentication methods improves security by ensuring that VPN Gateways use only Azure Active Directory identities for authentication. Learn more about Azure AD authentication at [https://docs.microsoft.com/azure/vpn-gateway/openvpn-azure-ad-tenant](/azure/vpn-gateway/openvpn-azure-ad-tenant) |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VPN-AzureAD-audit-deny-disable-policy.json) |
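
Review bot: The row added at new line 161 is a new 1.0.0 definition but its description still says "Azure Active Directory (Azure AD)", while the Synapse rows in the same table use "Microsoft Entra". Suggest using the current name in the new definition rather than copying the legacy text. The description also opens with "Audit requirement of ..." although the listed effects include Deny, and it does not mention that Databricks-created accounts are excluded, which leaves Shared Key access on those accounts outside this control without the reader being told.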
