Merge pull request #311307 from MicrosoftDocs/main

Auto Publish – main to live - 2026-02-03 23:00 UTC

Author: learn-build-service-prod[bot]

articles/app-service/environment/networking.md

@@ -167,8 +167,18 @@ If your alternate subnet is in a different resource group than your app, run `az
 
 To change the alternate subnet for an app, first remove the existing integration and then add a new one.
 
+To remove the alternate subnet join for an app, remove the virtual network integration using the Azure CLI or ARM/Bicep:
+
+```azurecli-interactive
+az webapp vnet-integration remove --resource-group <APP-RESOURCE-GROUP> --name <APP-NAME>
+```
+
+> [!IMPORTANT]
+> Don't add the App Service Environment's subnet as the alternate subnet. This configuration causes a conflict and will prevent your app from functioning correctly.
+
 ### Limitations
 
+- The app, App Service Environment, and virtual network must all be in the same subscription.
 - Each app from a given plan can only integrate with one alternate subnet.
 - A plan can have up to four different subnet connections, and apps in the same plan can use any of the connections.
 - This feature isn't compatible with the [multi-plan subnet join](../overview-vnet-integration.md#subnet-requirements) feature available in the multitenant App Service offering.

articles/artifact-signing/how-to-signing-integrations.md

@@ -61,7 +61,7 @@ The Artifact Signing Client Tools installer is available on the Windows Package
 > winget is available by default in Windows 11 and modern versions of Windows 10. However, it may not be installed in older versions of Windows. See the [winget documentation](/windows/package-manager/winget/) for installation instructions.
 
    ```PowerShell
-   winget install -e --id Microsoft.Azure.TrustedSigningClientTools
+   winget install -e --id Microsoft.Azure.ArtifactSigningClientTools
    ```
 
 The `-e` option is to ensure the official Artifact Signing Client Tools package is installed. This command installs the latest version by default. To specify a version, add a `-v <version>` with your desired version to the command.
@@ -179,8 +179,8 @@ For example, when authenticating with [EnvironmentCredential](/dotnet/api/azure.
 
    ```json
    {
-     "Endpoint": "<Trusted Signing account endpoint>",
-     "CodeSigningAccountName": "<Trusted Signing account name>",
+     "Endpoint": "<Artifact Signing account endpoint>",
+     "CodeSigningAccountName": "<Signing account name>",
      "CertificateProfileName": "<Certificate profile name>",
      "CorrelationId": "<Optional CorrelationId value>",
      "ExcludeCredentials": [

articles/azure-vmware/native-network-design-consideration.md

@@ -6,7 +6,6 @@ ms.service: azure-vmware
 ms.date: 12/16/2025
 ms.custom:
   - build-2025
-# customer intent: As a cloud administrator, I want to learn about Azure VMware Solution Generation 2 private cloud design considerations so that I can make informed decisions about my Azure VMware Solution deployment.
 # Customer intent: As a cloud administrator, I want to understand the design considerations for Azure VMware Solution Generation 2 private clouds so that I can effectively plan and implement my private cloud deployment while ensuring compliance with current limitations and requirements.
 ---
 
@@ -36,8 +35,7 @@ The following functionality is limited during this time. These limitations will
 1. **vSAN Stretched Clusters** isn't supported.
 
 11. **Public IP down to the VMware NSX Microsoft Edge** for configuring internet will not be supported. You can find what internet options are supported in [Internet connectivity options](native-internet-connectivity-design-considerations.md).  
-1. During **unplanned maintenance** – like a host hardware failure – on any of the first four hosts in your SDDC, you may experience a temporary North-South network connectivity disruption for some workloads, lasting up to 30 seconds. North-South connectivity refers to traffic between your AVS VMware workloads and external endpoints beyond the NSX-T Tier-0 (T0) Edge, such as Azure services or on-premises environments.  
-
+1. During **unplanned maintenance** – like a host hardware failure – on any of the first four hosts in your SDDC, you may experience a temporary North-South network connectivity disruption for some workloads, lasting up to 30 seconds. North-South connectivity refers to traffic between your AVS VMware workloads and external endpoints beyond the NSX-T Tier-0 (T0) Edge, such as Azure services or on-premises environments. This limitation has been removed in specific Azure regions. Check with with Azure Support to see if your region is affected by this limitation.
 13. **Network Security Groups** associated with the private cloud host virtual network must be created in the ***same*** resource group as the private cloud and its virtual network.  
 14. **Cross-resource group and cross-subscription references** from customer virtual networks to the Azure VMware Solution virtual network are not supported by default. This includes resource types such as: User-defined routes (UDRs), DDoS Protection Plans, and other linked networking resources. If a customer virtual network is associated with one of these references that resides in a different resource group or subscription than the Azure VMware Solution virtual network, network programming (such as NSX segment propagation) may fail. To avoid issues, customers must ensure that the Azure VMware Solution virtual network isn't linked to resources in a different resource group or subscription and detach such resources (for example, DDoS Protection Plans) from the virtual network before proceeding.  
     - To maintain your cross-resource group reference, create a role assignment from your cross-resource group or subscription and give the “AzS VIS Prod App” the "AVS on Fleet VIS Role". The role assignment allows you to use reference and have your reference correctly applied for your Azure VMware Solution private cloud.  
@@ -88,13 +86,14 @@ Example /22 CIDR network address block **10.31.0.0/22** is divided into the foll
 | :-- | :-- | :-- | :-- |
 |VMware NSX Network | /27 | NSX Manager network. | 10.31.0.0/27 |
 |vCSA Network | /27 | vCenter Server network. | 10.31.0.32/27  |
-|avs-mgmt| /27 |The management appliances (vCenter Server and NSX manager) are behind the "avs-mgmt” subnet, programmed as secondary IP ranges on this subnet. | 10.31.0.64/27  |
+|avs-mgmt| /27|The management appliances (vCenter Server and NSX manager) are behind the "avs-mgmt” subnet, programmed as secondary IP ranges on this subnet. You may need to adjust the route tables associated with this subnet if your network traffic, for your management appliances, needs to route through an NVA or firewall | 10.31.0.64/27  |
 |avs-vnet-sync| /27 |Used by Azure VMware Solution Gen 2 to program routes created in VMware NSX into the virtual network. | 10.31.0.96/27 |
-|avs-services | /27 |Used for Azure VMware Solution Gen 2 provider services. Also used to configure private DNS resolution for your private cloud. | 10.31.0.160/27  |
-|avs-nsx-gw, avs-nsx-gw-1| /28 |Subnets off each of the T0 Gateways per edge. These subnets are used to program VMware NSX network segments as secondary IPs addresses. | 10.31.0.224/28, 10.31.0.240/28 |
-|esx-mgmt-vmk1 | /24 |vmk1 is the management interface used by customers to access the host. IPs from the vmk1 interface come from these subnets. All of the vmk1 traffic for all hosts comes from this subnet range. | 10.31.1.0/24  |
-|esx-vmotion-vmk2 | /24 | vMotion VMkernel interfaces. | 10.31.2.0/24  |
-|esx-vsan-vmk3  | /24 | vSAN VMkernel interfaces and node communication. | 10.31.3.0/24 |
+|avs-services | /27 |Used for Azure VMware Solution Gen 2 provider services. Also used to configure private DNS resolution for your private cloud. | 10.31.0.224/27  |
+|avs-nsx-gw, avs-nsx-gw-1| /27 |Subnets off each of the T0 Gateways per edge. These subnets are used to program VMware NSX network segments as secondary IPs addresses. |10.31.0.128/27, 10.31.0.160/27 |
+|esx-mgmt-vmk1 | /25 |vmk1 is the management interface used by customers to access the host. IPs from the vmk1 interface come from these subnets. All of the vmk1 traffic for all hosts comes from this subnet range. | 10.31.1.0/25  |
+|esx-vmotion-vmk2 | /25 | vMotion VMkernel interfaces. | 10.31.1.128/25  |
+|esx-vsan-vmk3  | /25 | vSAN VMkernel interfaces and node communication. | 10.31.2.0/25 |
+|avs-network-infra-gw|/26|Used by Azure VMware Solution management for programming NSX segments. Customers do no need to modify this subnet because it s only used for Azure VMware Solution infrastructure.|10.31.2.128/26|
 |Reserved | /27 | Reserved Space. | 10.31.0.128/27 |
 |Reserved | /27 | Reserved Space. | 10.31.0.192/27 |
 

articles/communication-services/quickstarts/tpe/teams-phone-extensibility-quickstart.md

@@ -23,13 +23,13 @@ This article describes how an independent software vendor (ISV) can provision Te
 - ISV’s Customer has access to Microsoft 365 Admin Center.
 - ISV has access to change Azure Communication Services Resource settings.
 - You grant Teams Tenant access to a CCaaS service for Graph API usage.
-- ISV is using the .NET, JavaScript  or Java ACS Call Automation SDK version 1.5.0 or above (Python version will be released soon).
-- ISV is using the JavaScript ACS Client SDK version 1.37 and above.
+- ISV uses the .NET, JavaScript, or Java ACS Call Automation SDK version 1.5.0 or above (Python version will be released soon).
+- ISV uses the JavaScript ACS Client SDK version 1.37 and above.
 
 
 ## Quick start
 
-The rest of this article describes quick starts for two different personas: CCaaS Developer and Teams Tenant. The CCaaS developer is the ISV persona building the CCaaS service using Azure Communication Services. The Teams Tenant is the persona that is a customer of the ISV that is administering to Teams Phone.  
+The rest of this article describes quick starts for two different personas: CCaaS Developer and Teams Tenant. The CCaaS developer is the ISV persona building the CCaaS service using Azure Communication Services. The Teams Tenant is the persona that's a customer of the ISV that's administering to Teams Phone.  
 
 ### CCaaS Developer: Provision the AppID (Application ID)
 
@@ -112,7 +112,7 @@ Connect-MicrosoftTeams
 Update-Module MicrosoftTeams 
 ```
 
-Use the [New-CsOnlineApplicationInstance (MicrosoftTeamsPowerShell)](/powershell/module/teams/new-csonlineapplicationinstance) cmdlet to create a Resource Account. There's no change for Teams Phone extensibility in this command. The ApplicationId parameter is your third party bot ID. Don't use the Teams first person Application IDs defined in [Set-CsOnlineApplicationInstance (MicrosoftTeamsPowerShell)](/powershell/module/teams/set-csonlineapplicationinstance#-applicationid) because they don't work for Teams Phone extensibility. It's up to the CCaaS developer on how to communicate the Application ID to the Teams Tenant.
+Use the [New-CsOnlineApplicationInstance (MicrosoftTeamsPowerShell)](/powershell/module/teams/new-csonlineapplicationinstance) cmdlet to create a Resource Account. There's no change for Teams Phone extensibility in this command. The ApplicationId parameter is your third party bot ID. Don't use the Teams first person Application identifiers (IDs) defined in [Set-CsOnlineApplicationInstance (MicrosoftTeamsPowerShell)](/powershell/module/teams/set-csonlineapplicationinstance#-applicationid) because they don't work for Teams Phone extensibility. It's up to the CCaaS developer on how to communicate the Application ID to the Teams Tenant.
 
 Example:
 
@@ -192,14 +192,31 @@ Once you grant the Microsoft Entra application appropriate Graph permissions, th
 
 The CCaaS Admin also needs elevated permissions to access Teams Resource Account information. The Graph API is getting Teams Resource Account information and that information is an asset owned by Teams Admin, so it requires privileged access as a Teams Admin. For more information, see [Permissions for Managing Resource Accounts](/microsoftteams/manage-resource-accounts#assign-permissions-for-managing-a-resource-account).
 
-Query definition:
+
+### Querying Teams Resource Accounts with Filtering and Paging
+
+The Teams Resource Accounts API supports **OData filtering**, **server‑side paging**, and **cursor-based continuation** via the `@odata.nextLink` field.  
+This capability enables CCaaS developers to efficiently retrieve Resource Accounts associated with their Azure Communication Services (ACS) resources.
+
+#### Query definition
+
 
 > https://graph.microsoft.com/beta/admin/teams/resourceAccounts 
 
-Example request URI (RURI) to get Resource Accounts with a filter on appId:
+You can extend the base query with OData options such as:
+
+- `$filter`—filter Resource Accounts by fields such as `appId` or `acsResourceId`
+- `$top`—limit the number of results returned per page
+- `@odata.nextLink`—Graph-provided URL for retrieving subsequent pages
+
+---
+
+### Filter by ACS Resource ID
+
+The following example returns only Resource Accounts that are associated with a specific ACS Resource ID:
 
 ```rest
-GET https://graph.microsoft.com/beta/admin/teams/resourceAccounts?$filter=appid eq 'aa123456-1234-1234-1234-aaa123456789'
+GET https://graph.microsoft.com/beta/admin/teams/resourceAccounts?$filter=acsResourceId eq 'aa123456-1234-1234-1234-aaa123456789'
 ```
 
 Successful response:
@@ -208,15 +225,109 @@ Successful response:
 {
   "@odata.context": "https://graph.microsoft.com/beta/$metadata#admin/teams/resourceAccounts",
   "value": [
-  {
-      "id": "cc123456-5678-5678-1234-ccc123456789",
+    {
+      "id": "aa123456-1234-1234-1234-aaa123456789",
       "userPrincipalName": "[email protected]",
-      "appId": "aa123456-1234-1234-1234-aaa123456789",
       "displayName": "My RA Name",
+      "appId": "aa123456-1234-1234-1234-aaa123456789",
       "phoneNumber": "tel:+1234567890",
-      "acsResourceId": "bb567890-1234-1234-1234-bbb123456789"
-   }]
-} 
+      "acsResourceId": "aa123456-1234-1234-1234-aaa123456789"
+    }
+  ]
+}
+```
+
+### Paging with $top
+
+You can use $top to specify the maximum number of results per page:
+
+```rest
+GET https://graph.microsoft.com/beta/admin/teams/resourceAccounts?$top=5
+```
+
+If more than five Resource Accounts exist, Microsoft Graph returns an @odata.nextLink value for the next page:
+
+```rest
+
+{
+  "value": [
+    {
+      "id": "...",
+      "displayName": "...",
+      "acsResourceId": "..."
+    }
+  ],
+  "@odata.nextLink":
+    "https://graph.microsoft.com/beta/admin/teams/resourceAccounts?$top=5&$skiptoken=abc123..."
+}
+```
+To continue paging, call the URL in the @odata.nextLink field until it's no longer present.
+
+### Combined paging and filtering
+
+Developers can combine $top and $filter to retrieve a filtered, paginated list:
+
+```rest
+GET https://graph.microsoft.com/beta/admin/teams/resourceAccounts?$top=5&$filter=acsResourceId eq 'aa123456-1234-1234-1234-aaa123456789'
+```
+This query returns up to five Resource Accounts that match the specified ACS Resource ID.
+
+### C# Example—Filtering + Paging
+The following C# sample demonstrates how to:
+
+1. Query Teams Resource Accounts
+2. Filter by acsResourceId
+3. Limit results to 5 per page
+4. Follow @odata.nextLink for full pagination
+
+```csharp
+using System;
+using System.Collections.Generic;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Threading.Tasks;
+using Newtonsoft.Json.Linq;
+
+public static async Task<List<JObject>> GetResourceAccountsAsync(
+    string acsResourceId,
+    string accessToken)
+{
+    var results = new List<JObject>();
+
+    string requestUrl =
+        $"https://graph.microsoft.com/beta/admin/teams/resourceAccounts" +
+        $"?$top=5&$filter=acsResourceId eq '{acsResourceId}'";
+
+    string nextUrl = requestUrl;
+
+    while (!string.IsNullOrEmpty(nextUrl))
+    {
+        var request = new HttpRequestMessage(HttpMethod.Get, nextUrl);
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
+
+        using (var client = new HttpClient())
+        {
+            var response = await client.SendAsync(request);
+            response.EnsureSuccessStatusCode();
+
+            var json = await response.Content.ReadAsStringAsync();
+            var page = JObject.Parse(json);
+
+            if (page["value"] is JArray items)
+            {
+                foreach (var item in items)
+                {
+                    results.Add((JObject)item);
+                }
+            }
+
+            // Continue to the next page if returned
+            nextUrl = (string)page["@odata.nextLink"];
+        }
+    }
+
+    return results;
+}
 ```
 
 ### CCaaS Developer: Receive and answer incoming call
@@ -237,12 +348,12 @@ The following steps demonstrate how to receive and answer an incoming Teams call
 1. Complete client and server consent as defined in [Access a user's Teams Phone separate from their Teams client](https://github.com/Azure/communication-preview/blob/master/Teams%20Phone%20Extensibility/teams-phone-extensibility-access-teams-phone.md).
 
 > [!NOTE]
-> For the Azure Communication Services resource, ensure the data location matches the Teams Tenant location to comply with data boundary regulations. You can retrieve programmatically details about tenant organisation via [Get organization](/graph/api/organization-get)
+> For the Azure Communication Services resource, ensure the data location matches the Teams Tenant location to comply with data boundary regulations. You can retrieve programmatically details about tenant organization via [Get organization](/graph/api/organization-get)
 >
 
 #### Setup and host your Azure dev tunnels
 
-Azure dev tunnels enable you to share local web services hosted on the internet. Run the commands to connect your local development environment to the public internet. Dev tunnels creates a persistent endpoint URL and which enables anonymous access. We use this endpoint to notify your application about calling events from the Azure Communication Services Call Automation service. 
+Azure dev tunnels enable you to share local web services hosted on the internet. Run the commands to connect your local development environment to the public internet. Dev tunnels create a persistent endpoint URL that enables anonymous access. We use this endpoint to notify your application about calling events from the Azure Communication Services Call Automation service. 
 
 ```dotnetcli
 devtunnel create --allow-anonymous 
@@ -401,7 +512,7 @@ this._teamsCallAgent = await this._callClient.createTeamsCallAgent(this.tokenCre
 
 ### CCaaS Client Developer: How to place an outbound OBO call
 
-Developers need to get the on behalf of (OBO) identity (ID) Resource Account that the call needs to be placed on behalf of. The following articles describe how to place an outbound OBO call.
+Developers need to get the on-behalf-of (OBO) Resource Account identity that the call needs to be placed on behalf of. The following articles describe how to place an outbound OBO call.
 
 Once the OBO identity is acquired, you need to set the `onBehalfOfOptions` in the `StartTeamsGroupCallOptions()` or `StartTeamsCallOptions()` method. For more information, see [StartTeamsGroupCallOptions interface](/javascript/api/azure-communication-services/@azure/communication-calling/startteamsgroupcalloptions) or [StartTeamsCallOptions interface](/javascript/api/azure-communication-services/@azure/communication-calling/startteamscalloptions).
 

articles/container-apps/TOC.yml

@@ -195,6 +195,8 @@ items:
               href: gpu-image-generation.md
             - name: Deploy an NVIDIA Llama3 NIM
               href: serverless-gpu-nim.md
+            - name: Deploy OpenAI GPT with OSS Ollama
+              href: deploy-openai-gpt-oss-ollama.md
     - name: Dynamic sessions
       items:
         - name: Overview