Merge pull request #296393 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: v-ccolin

articles/api-center/enable-platform-api-catalog-vscode-extension.md

@@ -60,8 +60,8 @@ First, configure an app registration in your Microsoft Entra ID tenant. The app
 1. On the **Configure platforms** page, select **Mobile and desktop applications**.
 1. On the **Configure Desktop + devices** page, enter the following redirect URI and select **Configure**:
 
-    `https://vscode.dev/redirect`
-      
+    `https://vscode.dev/redirect` , `http://localhost` and `ms-appx-web://Microsoft.AAD.BrokerPlugin/<application-client-id>`
+   
 1. In the left menu, under **Manage**, select **API permissions** > **+ Add a permission**. 
 1. On the **Request API permissions** page, do the following:
     1. Select the **APIs my organization uses** tab. 

articles/app-service/configure-language-java-deploy-run.md

@@ -549,7 +549,7 @@ See respective sections below for details as well as opportunities to customize
 - The Keystore of the Java runtime is updated with any public and private certificates defined in Azure portal. 
     - Public certificates are provided by the platform in the */var/ssl/certs* directory, and they're loaded to *$JRE_HOME/lib/security/cacerts*.
     - Private certificates are provided by the platform in the */var/ssl/private* directory, and they're loaded to *$JRE_HOME/lib/security/client.jks*.
-- If any certificates are loaded in the Java keystore in this step, the properties `javax.net.ssl.keyStore`, `javax.net.ssl.keyStorePassword` and `javax.net.ssl.keyStoreType` are added to the `JAVA_TOOL_OPTIONS` environment variable.
+- If any certificates are loaded in the Java keystore in this step, the properties `javax.net.ssl.keyStore`, `javax.net.ssl.keyStorePassword` and `javax.net.ssl.keyStoreType` are added to the `JAVA_OPTS` environment variable.
 - Some initial JVM configuration is determined such as logging directories and Java memory heap parameters: 
     - If you provide the `–Xms` or `–Xmx` flags for memory in the app setting `JAVA_OPTS`, these values override the ones provided by the platform.
     - If you configure the app setting `WEBSITES_CONTAINER_STOP_TIME_LIMIT`, the value is passed to the runtime property `org.wildfly.sigterm.suspend.timeout`, which controls the maximum shutdown wait time (in seconds) when JBoss is being stopped.

articles/azure-functions/functions-create-your-first-function-visual-studio.md

@@ -77,9 +77,9 @@ Your function definition should now look like the following code:
 
 ```csharp
 [Function("HttpExample")]
-public IActionResult Run([HttpTrigger(AuthorizationLevel.AuthLevelValue, "get", "post")] HttpRequest req)
+public IActionResult Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", "post")] HttpRequest req)
 {
-    return new OkObjectResult("Welcome to Azure Functions!");
+    return new OkObjectResult("Hello, functions");
 }
 ```
 

articles/azure-functions/functions-infrastructure-as-code.md

@@ -20,7 +20,7 @@ This article shows you how to automate the creation of resources and deployment
 
 The template code required depends on the desired hosting options for your function app. This article supports the following hosting options:
 
-| Hosting option | Deployment type | To learn more, see... |
+| Hosting option | Deployment type | Sample template |
 | ----- | ----- | ----- |
 | [Azure Functions Consumption plan](functions-infrastructure-as-code.md?pivots=consumption-plan) | Code-only | [Consumption plan](./consumption-plan.md) |
 | [Azure Functions Flex Consumption plan](functions-infrastructure-as-code.md?pivots=consumption-plan) | Code-only | [Flex Consumption plan](./flex-consumption-plan.md) |

articles/azure-functions/supported-languages.md

@@ -37,6 +37,7 @@ For more information on operating system and language support, see [Operating sy
 
 When in-portal editing isn't available, you must instead [develop your functions locally](functions-develop-local.md#local-development-environments).
 
+To learn more about how to maintain full-support coverage while running your functions in Azure, see our [language-support-policy](language-support-policy.md) article.
 
 ### Language major version support
 

articles/azure-signalr/signalr-howto-authorize-application.md

@@ -1,6 +1,6 @@
 ---
 title: Authorize requests to Azure SignalR Service resources with Microsoft Entra applications
-description: This article provides information about authorizing requests to Azure SignalR Service resources by using Microsoft Entra applications.
+description: This article provides information about authorizing requests to Azure SignalR Service resources with Microsoft Entra applications.
 author: terencefan
 ms.author: tefa
 ms.date: 03/14/2023
@@ -14,7 +14,7 @@ ms.custom: subject-rbac-steps
 
 Azure SignalR Service supports Microsoft Entra ID for authorizing requests with [Microsoft Entra applications](/entra/identity-platform/app-objects-and-service-principals).
 
-This article shows how to configure your Azure SignalR Service resource and codes to authorize requests to the resource from a Microsoft Entra application.
+This article explains how to set up your resource and code to authenticate requests to the resource using a Microsoft Entra application.
 
 ## Register an application in Microsoft Entra ID
 
@@ -32,7 +32,6 @@ After registering an app, you can add **certificates, client secrets (a string),
 - [Add a client secret](/entra/identity-platform/quickstart-register-app?tabs=client-secret#add-credentials)
 - [Add a federated credential](/entra/identity-platform/quickstart-register-app?tabs=federated-credential#add-credentials)
 
-
 ## Add role assignments in the Azure portal
 
 [!INCLUDE [add role assignments](includes/signalr-add-role-assignments.md)]

articles/azure-signalr/signalr-howto-authorize-managed-identity.md

@@ -1,27 +1,28 @@
 ---
 title: Authorize requests to Azure SignalR Service resources with Microsoft Entra managed identities
-description: This article provides information about authorizing requests to Azure SignalR Service resources by using Microsoft Entra managed identities.
+description: This article provides information about authorizing requests to Azure SignalR resources with Managed identities for Azure resources.
 author: terencefan
 ms.author: tefa
-ms.date: 03/14/2025
+ms.date: 03/11/2025
 ms.service: azure-signalr-service
 ms.topic: how-to
 ms.devlang: csharp
 ms.custom: subject-rbac-steps
 ---
 
-# Authorize requests to Azure SignalR Service resources with Managed identities for Azure resources
+# Authorize requests to Azure SignalR resources with Managed identities for Azure resources
 
 Azure SignalR Service supports Microsoft Entra ID for authorizing requests from [Managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview).
 
-This article shows how to configure your Azure SignalR Service resource and code to authorize requests to the resource from a managed identity.
+This article explains how to set up your resource and code to authorize requests to the resource using a managed identity.
 
 ## Configure managed identities
 
 The first step is to configure managed identities on your app or virtual machine.
 
 - [Configure managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity)
-- [Configure managed identities for Azure resources on a virtual machine (VM)](/entra/identity/managed-identities-azure-resources/tutorial-windows-vm-access)
+- [Configure managed identities on Azure virtual machines (VMs)](/entra/identity/managed-identities-azure-resources/how-to-configure-managed-identities)
+- [Configure managed identities for Azure resources on a virtual machine scale set](/entra/identity/managed-identities-azure-resources/how-to-configure-managed-identities-scale-sets)
 
 ## Add role assignments in the Azure portal
 

articles/azure-web-pubsub/concept-azure-ad-authorization.md

@@ -24,7 +24,7 @@ _[1] security principal: a user/resource group, an application, or a service pri
 
 Authentication is necessary to access a Web PubSub resource when using Microsoft Entra ID. This authentication involves two steps:
 
-1. First, Azure authenticates the security principal and issues an OAuth 2.0 token.
+1. First, Azure authenticate the security principal and issues an OAuth 2.0 token.
 2. Second, the token is added to the request to the Web PubSub resource. The Web PubSub service uses the token to check if the service principal has the access to the resource.
 
 ### Client-side authentication while using Microsoft Entra ID
@@ -33,7 +33,7 @@ The negotiation server/Function App shares an access key with the Web PubSub res
 
 However, access key is often disabled when using Microsoft Entra ID to improve security.
 
-To address this issue, we have developed a REST API that generates a client token. This token can be used to connect to the Azure Web PubSub service.
+To address this issue, we developed a REST API that generates a client token. This token can be used to connect to the Azure Web PubSub service.
 
 To use this API, the negotiation server must first obtain an **Microsoft Entra Token** from Azure to authenticate itself. The server can then call the Web PubSub Auth API with the **Microsoft Entra Token** to retrieve a **Client Token**. The **Client Token** is then returned to the client, who can use it to connect to the Azure Web PubSub service.
 
@@ -45,7 +45,8 @@ Microsoft Entra authorizes access rights to secured resources through [Azure rol
 
 ### Resource scope
 
-Before assigning an Azure RBAC role to a security principal, it's important to identify the appropriate level of access that the principal should have. It's recommended to grant the role with the narrowest possible scope. Resources located underneath inherit Azure RBAC roles with broader scopes.
+Before assigning an Azure RBAC role to a security principal, it's important to identify the appropriate level of access that the principal should have.
+It is recommended to grant the role to the most limited scope. Resources within it will inherit Azure RBAC roles assigned to the scope.
 
 You can scope access to Azure Web PubSub resources at the following levels, beginning with the narrowest scope:
 
@@ -67,36 +68,27 @@ You can scope access to Azure Web PubSub resources at the following levels, begi
 
 ## Azure built-in roles for Web PubSub resources
 
-- `Web PubSub Service Owner`
+   | Role                                                                                              | Description                                                                                               | Use case                                                                                                                                     |
+   | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+   | [Web PubSub Service Owner](/azure/role-based-access-control/built-in-roles#web-pubsub-service-owner)           | Full access to data-plane APIs, including read/write REST APIs and Auth APIs.                                               | Most commonly used for building an upstream server that handles negotiation requests and client events.                                                                                                             |
+   | [Web PubSub Service Reader](/azure/role-based-access-control/built-in-roles#web-pubsub-service-reader)           | Readonly access to data-plane APIs.                                                | Use it when write a monitoring tool that calls readonly REST APIs.
 
-  Full access to data-plane permissions, including read/write REST APIs and Auth APIs.
 
-  This role is the most common used for building an upstream server.
+Learn how to create a custom role if the built-in roles do not meet your requirements.
 
-- `Web PubSub Service Reader`
-
-  Use to grant read-only REST APIs permissions to Web PubSub resources.
-
-  It's used when you'd like to write a monitoring tool that calling **ONLY** Web PubSub data-plane **READONLY** REST APIs.
+[Azure custom roles: Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role)
 
 ## Next steps
 
-To learn how to create an Azure application and use Microsoft Entra authorization, see
-
-- [Authorize request to Web PubSub resources with Microsoft Entra ID from applications](howto-authorize-from-application.md)
-
-To learn how to configure a managed identity and use Microsoft Entra auth, see
-
-- [Authorize request to Web PubSub resources with Microsoft Entra ID from managed identities](howto-authorize-from-managed-identity.md)
-
-To learn more about roles and role assignments, see
+To learn how to use Microsoft Entra authentication with role-based access control, see
 
-- [What is Azure role-based access control](../role-based-access-control/overview.md)
+  - [Authorize requests to Azure Web PubSub resources with Microsoft Entra applications](howto-authorize-from-application.md)
+  - [Authorize requests to Azure Web PubSub resources with Managed identities for Azure resources](howto-authorize-from-managed-identity.md)
 
-To learn how to create custom roles, see
+To learn more about roles-based access control, see
 
-- [Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role)
+  - [What is Azure role-based access control](../role-based-access-control/overview.md)
 
-To learn how to use only Microsoft Entra authorization, see
+To learn how to disable the connection string and use only Microsoft Entra authentication, see
 
-- [Disable local authentication](./howto-disable-local-auth.md)
+- [How to disable local authentication](./howto-disable-local-auth.md)