MicrosoftDocs
diff --git a/‎articles/azure-functions/functions-bindings-web-pubsub.md‎
Lines changed: 1 addition & 1 deletion b/‎articles/azure-functions/functions-bindings-web-pubsub.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/azure-web-pubsub/concept-client-protocols.md‎
Lines changed: 14 additions & 8 deletions b/‎articles/azure-web-pubsub/concept-client-protocols.md‎
Lines changed: 14 additions & 8 deletions
diff --git a/‎articles/azure-web-pubsub/concept-service-internals.md‎
Lines changed: 2 additions & 0 deletions b/‎articles/azure-web-pubsub/concept-service-internals.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/azure-web-pubsub/concept-wildcard-group-roles.md‎
Lines changed: 133 additions & 0 deletions b/‎articles/azure-web-pubsub/concept-wildcard-group-roles.md‎
Lines changed: 133 additions & 0 deletions
diff --git a/‎articles/azure-web-pubsub/howto-connect-mqtt-websocket-client.md‎
Lines changed: 2 additions & 0 deletions b/‎articles/azure-web-pubsub/howto-connect-mqtt-websocket-client.md‎
Lines changed: 2 additions & 0 deletions
@@ -3,7 +3,7 @@ title: Azure Functions Web PubSub bindings
 description: Understand how to use Web PubSub bindings with Azure Functions.
 ms.topic: reference
 ms.custom: devx-track-extended-java, devx-track-js, devx-track-python
-ms.date: 1/21/2026
+ms.date: 01/28/2026
 zone_pivot_groups: programming-languages-set-functions-lang-workers
 ---
 
 
@@ -4,8 +4,8 @@ description: This article presents an overview of the client protocols for Azure
 author: vicancy
 ms.author: lianwei
 ms.service: azure-web-pubsub
-ms.topic: reference
-ms.date: 11/08/2021
+ms.topic: conceptual
+ms.date: 03/30/2026
 ms.custom: sfi-ropc-nochange
 ---
 
@@ -42,13 +42,13 @@ You could also configure properties for the client connection when generating th
 
 You could also add custom claims into the access token, and these values are preserved as the `claims` property in [connect upstream request body](./reference-cloud-events.md#system-connect-event).
 
-[Server SDKs](./howto-generate-client-access-url.md#generate-from-service-sdk) provides APIs to generate the access token for the clients. 
+[Server SDKs](./howto-generate-client-access-url.md#generate-from-service-sdk) provides APIs to generate the access token for the clients.
 
 <a name="simple_client"></a>
 
 ## The simple WebSocket client
 
-A **simple WebSocket client**, as the naming indicates, is a simple WebSocket connection. It can also have its own custom subprotocol. 
+A **simple WebSocket client**, as the naming indicates, is a simple WebSocket connection. It can also have its own custom subprotocol.
 
 For example, in JavaScript, you can create a simple WebSocket client by using the following code:
 
@@ -62,7 +62,7 @@ var client2 = new WebSocket('wss://test.webpubsub.azure.com/client/hubs/hub1', '
 
 Simple WebSocket client has two modes: `sendEvent` and `sendToGroup`. The mode is determined once the connection is established and cannot be changed later.
 
-`sendEvent` is the default mode for the simple WebSocket client. In `sendEvent` mode, every WebSocket frame the client sent is considered as a `message` event. Users can configure [event handlers](./concept-service-internals.md#event-handler) or [event listeners](./concept-service-internals.md#event-listener) to handle these `message` events. 
+`sendEvent` is the default mode for the simple WebSocket client. In `sendEvent` mode, every WebSocket frame the client sent is considered as a `message` event. Users can configure [event handlers](./concept-service-internals.md#event-handler) or [event listeners](./concept-service-internals.md#event-listener) to handle these `message` events.
 
 ```javascript
 // Every data frame is considered as a `message` event
@@ -102,7 +102,7 @@ var pubsubClient = new WebSocket('wss://test.webpubsub.azure.com/client/hubs/hub
 
 ```js
 let ackId = 0;
-pubsubClient.send(    
+pubsubClient.send(
     JSON.stringify({
         type: 'joinGroup',
         group: 'group1',
@@ -114,7 +114,7 @@ pubsubClient.send(
 
 ```js
 let ackId = 0;
-pubsubClient.send(    
+pubsubClient.send(
     JSON.stringify({
         type: 'sendToGroup',
         group: 'group1',
@@ -191,6 +191,8 @@ As you likely noticed in the earlier PubSub WebSocket client description, a clie
 | `webpubsub.sendToGroup` | The client can publish messages to any group. |
 | `webpubsub.joinLeaveGroup.<group>` | The client can join or leave group `<group>`. |
 | `webpubsub.sendToGroup.<group>` | The client can publish messages to group `<group>`. |
+| `webpubsub.joinLeaveGroups.<pattern>` | The client can join/leave any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
+| `webpubsub.sendToGroups.<pattern>` | The client can publish messages to any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
 | | |
 
 The permission of a client can be granted in several ways:
@@ -199,7 +201,7 @@ The permission of a client can be granted in several ways:
 
 Client can connect to the service using a JWT. The token payload can carry information such as the `role` of the client. When signing the JWT to the client, you can grant permissions to the client by giving the client specific roles.
 
-For example, let's sign a JWT that has the permission to send messages to `group1` and `group2`: 
+For example, let's sign a JWT that has the permission to send messages to `group1` and `group2`:
 
 ```js
 let token = await serviceClient.getClientAccessToken({
@@ -231,6 +233,10 @@ let service = new WebPubSubServiceClient("<your_connection_string>", "test-hub")
 await service.grantPermission("<connection_id>", "joinLeaveGroup", { targetName: "group1" });
 ```
 
+> [!NOTE]
+> Assigning wildcard roles (e.g., `webpubsub.sendToGroups.<pattern>`)  through REST APIs or server SDKs are not supported yet. This feature will be supported in a future update.
+
+
 ## Next steps
 
 [!INCLUDE [next step](includes/include-next-step.md)]
@@ -212,6 +212,8 @@ A client can publish to other clients only when it's _authorized_ to. The `role`
 | `webpubsub.sendToGroup`            | The client can publish messages to any group.       |
 | `webpubsub.joinLeaveGroup.<group>` | The client can join/leave group `<group>`.          |
 | `webpubsub.sendToGroup.<group>`    | The client can publish messages to group `<group>`. |
+| `webpubsub.joinLeaveGroups.<pattern>` | The client can join/leave any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
+| `webpubsub.sendToGroups.<pattern>` | The client can publish messages to any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
 
 The server-side can also grant or revoke permissions of the client dynamically through [server protocol](#connection-manager) as to be illustrated in a later section.
 
 
@@ -0,0 +1,133 @@
+---
+title: Use wildcard group role patterns
+description: Learn how to grant Azure Web PubSub clients permissions to many groups using wildcard role patterns.
+author: kevinguo-ed
+ms.author: kevinguo
+ms.service: azure-web-pubsub
+ms.topic: conceptual
+ms.date: 01/28/2026
+ms.custom:
+---
+
+# Use wildcard group role patterns
+
+Azure Web PubSub now supports wildcard pattern matching in client "group" roles so you can authorize a client for many related groups with a single role string.
+
+You can continue to use the existing literal roles:
+
+- `webpubsub.sendToGroup.{groupName}`
+- `webpubsub.joinLeaveGroup.{groupName}`
+
+But you can now also use the new pattern roles:
+
+- `webpubsub.sendToGroups.{pattern}`
+- `webpubsub.joinLeaveGroups.{pattern}`
+
+Where `{pattern}` follows the wildcard syntax below.
+
+## When to use pattern roles
+
+Use pattern roles when:
+
+- A user or device must access a large but bounded dynamic set of groups (for example: all groups for a specific tenant or project)
+- You want to keep access tokens small (avoid listing dozens or hundreds of explicit group roles)
+
+## Pattern syntax
+
+| Symbol | Meaning |
+| ------ | ------- |
+| `?` | Matches exactly one character except `.` |
+| `*` | Matches zero or more characters except `.` |
+| `**` | Matches zero or more characters including `.` (crosses segment boundaries) |
+| `\` | Escape character for `\`, `*`, `?` |
+| `.` | Acts as a hierarchy separator and is never matched by `?` or `*` (only by `**`). |
+
+Additional rules:
+- Up to five total `*` characters (including those forming `**`) are allowed in a single pattern.
+
+### Examples
+
+| Pattern | Matches | Does not match |
+| ------- | ------- | -------------- |
+| `chat-*` | `chat-1`, `chat-room` | `chat.1`, `xchat-1` |
+| `clientA.*` | `clientA.alpha`, `clientA.1` | `clientA.alpha.room1`, `clientB.alpha` |
+| `clientA.**` | `clientA.alpha`, `clientA.alpha.room1` | `clientB.anything` |
+| `clientA.rooms.?1` | `clientA.rooms.a1`, `clientA.rooms.11` | `clientA.rooms.1`, `clientA.rooms.a.1` |
+| `literal\*star` | `literal*star` | `literalXstar` |
+
+### Escaping
+
+Prefix `*`, `?`, or `\` with `\` to match the literal character. Example: `project\*123` matches only `project*123`.
+
+## Using pattern roles in code
+
+Add the pattern role to the `roles` collection when generating a client access token. The client then automatically has the implied permissions for matching groups.
+
+## Code samples
+
+# [JavaScript](#tab/javascript)
+
+```js
+const token = await serviceClient.getClientAccessToken({
+  roles: [
+    // Can send to all groups under clientA.
+  'webpubsub.sendToGroups.clientA.**',
+    // Can join/leave any direct child group under public.
+  'webpubsub.joinLeaveGroups.public.*'
+  ]
+});
+```
+
+# [C#](#tab/csharp)
+
+```csharp
+var url = service.GetClientAccessUri(roles: new [] {
+    // Can send to all groups under clientA.
+  "webpubsub.sendToGroups.clientA.**",
+    // Can join/leave any direct child group under public.
+  "webpubsub.joinLeaveGroups.public.*"
+});
+```
+
+# [Python](#tab/python)
+
+```python
+token = service.get_client_access_token(roles=[
+  # Can send to all groups under clientA.
+  "webpubsub.sendToGroups.clientA.**",
+
+  # Can join/leave any direct child group under public.
+  "webpubsub.joinLeaveGroups.public.*"
+])
+```
+
+# [Java](#tab/java)
+
+```java
+GetClientAccessTokenOptions opt = new GetClientAccessTokenOptions();
+// Can send to all groups under clientA.
+opt.addRole("webpubsub.sendToGroups.clientA.**");
+
+// Can join/leave any direct child group under public.
+opt.addRole("webpubsub.joinLeaveGroups.public.*");
+WebPubSubClientAccessToken token = service.getClientAccessToken(opt);
+```
+
+---
+
+## Security guidance
+
+- Prefer the narrowest pattern that satisfies the scenario.
+- Minimize the use of `*` to reduce over-permissioning risks.
+
+## Frequently asked questions
+
+**Q: Can I mix literal and pattern roles?**
+
+Yes. A literal role always applies exactly; patterns add broader coverage.
+
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Generate client access URL and use roles](howto-generate-client-access-url.md)
@@ -43,6 +43,8 @@ A client can publish to other clients only when it's *authorized* to do so. A cl
 | `webpubsub.sendToGroup` | The client can publish messages to any group. |
 | `webpubsub.joinLeaveGroup.<group>` | The client can join or leave group `<group>`. |
 | `webpubsub.sendToGroup.<group>` | The client can publish messages to group `<group>`. |
+| `webpubsub.joinLeaveGroups.<pattern>` | The client can join/leave any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
+| `webpubsub.sendToGroups.<pattern>` | The client can publish messages to any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
 | | |
 
 ## Authentication and authorization