Merge pull request #308035 from MicrosoftDocs/main

Auto Publish – main to live - 2025-11-08 06:00 UTC

Author: learn-build-service-prod[bot]

articles/application-gateway/for-containers/understanding-pricing.md

@@ -32,8 +32,7 @@ Application Gateway for Containers consists of four billable items:
 - Association resource 
 - Capacity units
 
-> [!NOTE]
-> Currently, there's no additional charge to enable Web Application Firewall (WAF) on Application Gateway for Containers beyond the added capacity units required to process requests.
+When you enable Web Application Firewall (WAF) on your Application Gateway for Containers resource you're billed at the higher WAF rates for each meter and will incur higher capacity unit usage to run the WAF.
 
 #### Application Gateway for Containers hour
 
@@ -61,12 +60,12 @@ The parameter with the highest utilization is internally used for calculating ca
 
 Estimated costs are used for the East US 2 region. 
 
-| Meter | Price |
-| ----- | ----- |
-| Application Gateway for Container | $0.017 per application gateway for container-hour |
-| Frontend | $0.01 per frontend-hour |
-| Association | $0.12 per association-hour |
-| Capacity Unit | $0.008 per capacity unit-hour |
+| Meter | Price | Price with WAF |
+| ----- | ----- | ----- |
+| Application Gateway for Container | $0.017 per application gateway for container-hour | $0.031 per application gateway for container WAF-hour |
+| Frontend | $0.01 per frontend-hour | $0.018 per frontend WAF-hour |
+| Association | $0.12 per association-hour | $0.216 per association WAF-hour |
+| Capacity Unit | $0.008 per capacity unit-hour | $0.014 per capacity unit WAF-hour |
 
 For the latest pricing information according to your region, see the [pricing page](https://azure.microsoft.com/pricing/details/application-gateway/).
 

articles/application-gateway/for-containers/web-application-firewall.md

@@ -135,9 +135,15 @@ spec:
 
 The following functionality is not supported on an Azure Web Application Firewall policy that's associated with Application Gateway for Containers:
 
-* Azure Web Application Firewall integration in Microsoft Security Copilot
-* JavaScript challenge actions
-* Core Rule Set (CRS) 3.2 and earlier rule sets
-
-> [!NOTE]
-> The association of Application Gateway for Containers with Azure Web Application Firewall is in preview. For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+- **Cross-region, cross-subscription policy**: Your WAF policy must be in the same subscription and region as your Application Gateway for Containers resource.
+- **Core Rule Set (CRS) managed rules**: An Application Gateway for Containers WAF supports only Default Rule Set (DRS) managed rule sets.
+- **Legacy Bot Manager Rule Set**: Bot Manager Ruleset 0.1 isn't supported, but Bot Manager Ruleset versions 1.0 and 1.1 are supported.
+- **JavaScript challenge actions on Bot Manager rules**: You can't set the action on a Bot Manager rule to JavaScript challenge.
+- **Captcha challenge actions on Bot Manager rules**: You can't set the action on a Bot Manager rule to Captcha.
+- **Microsoft Security Copilot**: The Security Copilot is not supported on Application Gateway for Containers WAF.
+- **Custom Block Response**: Setting a custom block response in your WAF policy is not supported on Application Gateway for Containers WAF.
+- **X-Forwarded-For Header (XFF)**: Application Gateway for Containers WAF doesn't support the XFF variable in custom rules.
+
+## Pricing
+
+For pricing details, see [Understanding pricing for Application Gateway for Containers](understanding-pricing.md).

articles/azure-vmware/native-auto-peering-sync.md

@@ -37,7 +37,7 @@ Ensures that virtual machines hosted in Azure VMware Solution can securely and c
 ## Prerequisite
 
 - Ensure the "Microsoft.BareMetal" resource provider is registered.
-- When updating an Automated Peering Sync setting, the user needs [Role Based Access Control Administrator](/role-based-access-control/built-in-roles/privileged.md) access on the remote virtual network.
+- When updating an Automated Peering Sync setting, the user needs Role Based Access Control Administrator access on the remote virtual network.
 
 ## Deployment steps 
 

articles/communication-services/how-tos/calling-sdk/active-call-transfer.md

@@ -0,0 +1,37 @@
+---
+title: Active Call Transfer
+titleSuffix: An Azure Communication Services how-to guide
+description: Use Azure Communication Services SDKs to transfer active calls between clients.
+author: probableprime
+ms.author: dmceachern
+ms.service: azure-communication-services
+ms.subservice: calling
+ms.topic: how-to 
+ms.date: 10/03/2025
+ms.custom: template-how-to
+
+#Customer intent: As a developer, I want to learn how to transfer calls between devices so that users have the option to transfer calls to their other devices while in a call.
+---
+
+# Active Call Transfer
+
+[!INCLUDE [Public Preview Notice](../../includes/public-preview-include.md)]
+
+During an active call, you may want to transfer the call to device that you are signed in on. Let's learn how. 
+
+
+
+## Prerequisites
+
+- An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F). 
+- A deployed Communication Services resource. [Create a Communication Services resource](../../quickstarts/create-communication-resource.md).
+- A user access token to enable the calling client. For more information, see [Create and manage access tokens](../../quickstarts/identity/access-tokens.md).
+- Complete the quickstart to [add voice calling to your application](../../quickstarts/voice-video-calling/getting-started-with-calling.md)
+
+[!INCLUDE [Transfer active calls Client-side JavaScript](./includes/active-call-transfer/active-call-transfer.md)]
+
+## Next steps
+- [Learn how to manage calls](./manage-calls.md)
+- [Learn how to manage video](./manage-video.md)
+- [Learn how to record calls](./record-calls.md)
+- [Learn how to transcribe calls](./call-transcription.md)

articles/communication-services/how-tos/calling-sdk/includes/active-call-transfer/active-call-transfer.md

@@ -0,0 +1,70 @@
+---
+author: probableprime
+ms.service: azure-communication-services
+ms.topic: include
+ms.date: 10/03/2025
+ms.author: dmceachern
+---
+
+[!INCLUDE [Install SDK](../install-sdk/install-sdk-web.md)]
+
+## Active Call Management
+Active Call Transfer is a feature of the core `CallAgent` API. This guide talks about how you can manage and track any ongoing calls for your users and how to transfer their client to that active call.
+
+**Note:** This feature is also enabled for the `TeamsCallAgent` as this feature is supported for Teams users as well.
+
+This guide assumes you went through the QuickStart or that you implemented an application that is able to make and receive calls. If you didn't complete the getting starting guide, refer to our [Quickstart](../../../../quickstarts/voice-video-calling/getting-started-with-calling.md).
+
+### Fetch your Active Call
+
+When your user signs to the `CallAgent` there is a new method that you can use to fetch the ongoing calls `getActiveCallDetails` the response will return to you the active call, or active meeting that your users are in.
+
+```js
+const activeCallDetails = await callAgent.getActiveCallDetails();
+```
+
+The function `getActiveCallDetails` a way that you can manually query for this data. Once you have the active call details, you can use it to switch the client to the call that was found. This function returns `undefined` if there is no active call ongoing for your user. You can use `getActiveCallDetails` to fetch any ongoing calls when you first sign into the `CallAgent` to pick up on any calls that are already ongoing.
+
+### Switch your Active Call
+
+Once you have your active call data, you can switch the client over to the new call. This call switching behavior can be done with the `activeCallTransfer` function.
+
+```js
+const activeCallDetails = await callAgent.getActiveCallDetails();
+const call = await callAgent.activeCallTransfer(activeCallDetails, {isTransfer: true});
+```
+
+This function returns the call object for your applications state.
+
+### Companion mode
+
+When transferring the active call to your client, you can just bring the client into the call without hanging up on the device that initiated the call the user is in.
+
+```js
+const activeCallDetails = await callAgent.getActiveCallDetails();
+const call = await callAgent.activeCallTransfer(activeCallDetails, {isTransfer: false}); // <-- isTransfer: false - does not remove the original client. 
+```
+
+### Subscribe to Active Call Notification events
+
+There are two new events that you can subscribe to so you can receive events notifying you of your user joining a call on another client. The first event notifies the application that the user is in a call on another device. This event is also emitted when the user logs into the `CallAgent` if they are on a call already elsewhere.
+
+```js
+callAgent.on("activeCallsUpdated", (args) => {
+    // show UI indicating that the user is in another call on another device
+    await callAgent.activeCallTransfer(args.activeCallDetails, {isTransfer: true});
+});
+```
+The second event notifies the application that the user is no longer in an active call anywhere else. This event is to be used to hide any UI indicating that they are in a call elsewhere, and any controls to manually transfer the call over.
+
+```js
+callAgent.on("NoActiveCalls", () => {
+    // hide UI indicating that the user is in a call elsewhere
+});
+```
+
+
+
+
+
+

articles/communication-services/toc.yml

@@ -499,6 +499,8 @@ items:
         href: how-tos/calling-sdk/dominant-speaker.md
       - name: Transfer calls
         href: how-tos/calling-sdk/transfer-calls.md
+      - name: Active Call Transfer
+        href: how-tos/calling-sdk/active-call-transfer.md
       - name: Get local capabilities
         href: how-tos/calling-sdk/capabilities.md
       - name: View PowerPoint Live

articles/governance/policy/samples/cis-linux/alma-ado.md

@@ -0,0 +1,171 @@
+---
+title: Reference - CIS Security Benchmarks for AlmaLinux via Machine Configuration
+description: Reference - CIS Security Benchmarks for AlmaLinux via Machine Configuration
+ms.date: 11/07/2025
+author: pallakatos
+ms.author: pallakatos
+ms.topic: reference
+ms.custom: generated
+---
+# Release notes - AlmaLinux
+
+This article provides detailed information about the CIS Security Benchmarks for AlmaLinux, including supported benchmarks, mismatched rules, and configurable parameters across all supported versions.
+
+## Supported benchmarks
+
+|AlmaLinux Version|Benchmark Title|
+|---|---|
+|AlmaLinux 8|[CIS AlmaLinux OS 8 Benchmark 3.0.0 Level 1 + Level 2 - Server](#cis-almalinux-os-8-benchmark-300-level-1--level-2---server)|
+|AlmaLinux 9|[CIS AlmaLinux OS 9 Benchmark 2.0.0 Level 1 + Level 2 - Server](#cis-almalinux-os-9-benchmark-200-level-1--level-2---server)|
+
+## CIS AlmaLinux OS 8 Benchmark 3.0.0 Level 1 + Level 2 - Server
+
+### Mismatched rules
+
+> [!NOTE]
+> The mismatched rules are the ones that in some circumstances the assessment might differ from CIS-CAT® Pro Assessor; usually our implementation enforces stricter criteria.
+
+- Ensure only one logging system is in use
+
+### Not implemented rules
+
+- Ensure access to the su command is restricted
+
+### Configurable parameters
+
+|Rule|Parameter|Default Value|
+|---|---|---|
+|Ensure dns server services are not in use|serviceName|named.service|
+||expectedUnitFileState|enabled|
+||expectedActiveState|active|
+||packageName|bind|
+|Ensure permissions on /etc/crontab are configured|mask|0177|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/cron.hourly are configured|mask|0077|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/cron.daily are configured|mask|0077|
+||owner|root|
+||group|root|
+||packageName|cron|
+||alternativePackageName|cronie|
+|Ensure permissions on /etc/cron.weekly are configured|mask|0077|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/cron.monthly are configured|mask|0077|
+||owner|root|
+||group|root|
+||alternativePackageName|cronie|
+|Ensure permissions on /etc/cron.d are configured|mask|0077|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/ssh/sshd_config are configured|mask|0177|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/passwd are configured|mask|0133|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/passwd- are configured|mask|0133|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/group are configured|mask|0133|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/group- are configured|mask|0133|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/shadow are configured|mask|0137|
+||owner|root|
+||group|root\|shadow|
+|Ensure permissions on /etc/shadow- are configured|mask|0137|
+||owner|root|
+||group|root\|shadow|
+|Ensure permissions on /etc/gshadow are configured|mask|0137|
+||owner|root|
+||group|shadow\|root|
+|Ensure permissions on /etc/gshadow- are configured|mask|0137|
+||owner|root|
+||group|shadow\|root|
+|Ensure permissions on /etc/shells are configured|mask|0133|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/security/opasswd are configured|mask|0177|
+||owner|root|
+||group|root|
+
+## CIS AlmaLinux OS 9 Benchmark 2.0.0 Level 1 + Level 2 - Server
+
+### Mismatched rules
+
+> [!NOTE]
+> The mismatched rules are the ones that in some circumstances the assessment might differ from CIS-CAT® Pro Assessor; usually our implementation enforces stricter criteria.
+
+- Ensure only one logging system is in use
+
+### Not implemented rules
+
+- Ensure access to the su command is restricted
+
+### Configurable parameters
+
+|Rule|Parameter|Default Value|
+|---|---|---|
+|Ensure dns server services are not in use|serviceName|named.service|
+||expectedUnitFileState|enabled|
+||expectedActiveState|active|
+||packageName|bind|
+|Ensure permissions on /etc/crontab are configured|mask|0177|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/cron.hourly are configured|mask|0077|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/cron.daily are configured|mask|0077|
+||owner|root|
+||group|root|
+||packageName|cron|
+||alternativePackageName|cronie|
+|Ensure permissions on /etc/cron.weekly are configured|mask|0077|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/cron.monthly are configured|mask|0077|
+||owner|root|
+||group|root|
+||alternativePackageName|cronie|
+|Ensure permissions on /etc/cron.d are configured|mask|0077|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/ssh/sshd_config are configured|mask|0177|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/passwd are configured|mask|0133|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/passwd- are configured|mask|0133|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/group are configured|mask|0133|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/group- are configured|mask|0133|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/shadow are configured|mask|0137|
+||owner|root|
+||group|root\|shadow|
+|Ensure permissions on /etc/shadow- are configured|mask|0137|
+||owner|root|
+||group|root\|shadow|
+|Ensure permissions on /etc/gshadow are configured|mask|0137|
+||owner|root|
+||group|shadow\|root|
+|Ensure permissions on /etc/gshadow- are configured|mask|0137|
+||owner|root|
+||group|shadow\|root|
+|Ensure permissions on /etc/shells are configured|mask|0133|
+||owner|root|
+||group|root|
+|Ensure permissions on /etc/security/opasswd are configured|mask|0177|
+||owner|root|
+||group|root|