MicrosoftDocs
diff --git a/‎articles/azure-netapp-files/azure-netapp-files-resource-limits.md‎
Lines changed: 8 additions & 1 deletion b/‎articles/azure-netapp-files/azure-netapp-files-resource-limits.md‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎articles/event-grid/authenticate-with-namespaces-using-webhook-authentication.md‎
Lines changed: 54 additions & 3 deletions b/‎articles/event-grid/authenticate-with-namespaces-using-webhook-authentication.md‎
Lines changed: 54 additions & 3 deletions
@@ -43,7 +43,7 @@ The following table describes resource limits for the Flexible, Standard, Premiu
 |  Maximum size of a single file     |    16 TiB    |    No    |    
 |  Maximum size of directory metadata in a single directory      |    320 MB    |    No    |    
 |  Maximum number of files in a single directory  | *Approximately* 4 million. <br> See [Determine if a directory is approaching the limit size](directory-sizes-concept.md#directory-limit).  |    No    |   
-|  Maximum number of `maxfiles` per volume | See [`maxfiles`](maxfiles-concept.md)  | Yes |    
+|  Maximum number of `maxfiles` per volume | See [`maxfiles`](maxfiles-concept.md)  | Yes**** |    
 |  Maximum number of export policy rules per volume     |    5  |    No    | 
 |  Maximum number of quota rules per volume     |   1,000  |    No    | 
 |  Minimum assigned throughput for a manual Quality of Service (QoS) volume     |    1 MiB/s   |    No    |    
@@ -64,6 +64,13 @@ The following table describes resource limits for the Flexible, Standard, Premiu
 
 \*** This feature is available [when cool access is enabled and by request](large-volumes-requirements-considerations.md#requirements-and-considerations-for-large-volumes-up-to-72-pib-preview). When enabled, the minimum size of the volume is 2,400 GiB.
 
+\**** Support request to adjust maxfiles limits is appropriate only when the volume is already provisioned at a size that supports the requested file count. While Azure NetApp Files support can adjust maxfiles limits within supported backend thresholds, these adjustments cannot override the fundamental relationship between volume size and inode capacity. If a workload requires a higher maxfiles limit, then the volume must be provisioned at a size that natively supports that file count. Support requests cannot be used to keep a small volume size while enabling a maxfiles limit that is only supported by a much larger volume. Support requests should not be opened in the following situations as support engineers cannot make backend changes to satisfy the request:
+
+* To avoid increasing volume size
+* To request maxfiles limits that exceed what the current volume size supports
+* To request backend exceptions for inode limits
+
+
 For more information, see [Capacity management FAQs](faq-capacity-management.md).
 
 # [Elastic](#tab/elastic)
 
@@ -4,7 +4,7 @@ description: This article shows you how to authenticate with Azure Event Grid na
 ms.topic: how-to
 ms.custom:
   - build-2025
-ms.date: 07/30/2025
+ms.date: 03/23/2026
 author: Connected-Seth
 ms.author: seshanmugam
 ---
@@ -47,6 +47,40 @@ az eventgrid namespace update --resource-group <resource group name> --name <nam
 
 For information on how to configure system and user-assigned identities by using the Azure portal, see [Enable managed identity for an Event Grid namespace](event-grid-namespace-managed-identity.md).
 
+## Implementations
+
+### Option 1: Webhook Via Azure Functions implementation (Microsoft Entra App) 
+
+Azure Functions can host the webhook logic using `Microsoft.Identity.Web` to validate token automatically. We need Microsoft Entra app registration for Webhook API for validating Event Grid caller tokens, which has an Application ID URI for token issuance. Client side (Event Grid) already has managed identity. 
+
+**Pros:**
+
+- No infrastructure to manage 
+- Built-in authentication helpers (`Microsoft.Identity.Web`) 
+- Durable, scalable, cost-efficient 
+
+Function must do the following operations: 
+
+- Validate caller token from Event Grid Managed Identity 
+- Validate client Json Web Token (JWT)
+- Return allow or deny JSON 
+
+### Option 2: External HTTPS endpoint implementation 
+
+This implementation can be any external HTTPS Endpoint (any cloud, any backend), using Microsoft Entra ID JWT validation with `Microsoft.IdentityModel` libraries. 
+
+Use any runtime: .NET / Node / Java / Python. 
+
+Key requirements: 
+
+- Must be HTTPS 
+- Must validate caller JWT 
+- Must validate device JWT 
+- Must respond within timeout (~5 sec recommended) 
+
+    :::image type="content" source="./media/authenticate-with-namespaces-using-webhook-authentication/custom-webhook-implementations.svg" alt-text="Diagram that shows custom webhook implementations." lightbox="./media/authenticate-with-namespaces-using-webhook-authentication/custom-webhook-implementations.svg":::
+
+
 ## Grant the managed identity appropriate access to a function or webhook
 
 Grant the managed identity of your Event Grid namespace the appropriate access to the target Azure function or webhook.
@@ -131,7 +165,11 @@ Replace `<NAMESPACE_NAME>` and `<RESOURCE_GROUP_NAME>` with your actual values.
 
 ### Request headers
 
+Azure Event Grid sends the following headers in the request to the webhook:
+
+```
 **Authorization**: Bearer token
+```
 
 The token is a Microsoft Entra token for the managed identity that was configured to call the webhook.
 
@@ -158,9 +196,8 @@ The token is a Microsoft Entra token for the managed identity that was configure
 | `password` | Optional | Password from MQTT CONNECT packet in Base64 encoding. | 
 | `authenticationMethod` | Optional | Authentication method from MQTT CONNECT packet (MQTT5 only). | 
 | `authenticationData` | Optional | Authentication data from MQTT CONNECT packet in Base64 encoding (MQTT5 only). | 
-| `clientCertificate` | Optional | Client certificate in PEM format. | 
+| `clientCertificate` | Optional | Client certificate in Privacy-Enhanced Mail (PEM) format. | 
 | `clientCertificateChain`| Optional | Other certificates provided by the client required to build the chain from the client certificate to the Certificate Authority certificate. | 
-| `userProperties` | Optional | User properties from CONNECT packet (MQTT5 only). | 
 
 ### Response payload 
 
@@ -193,6 +230,20 @@ Content-Type: application/json
 }
 ```
 
+**Error codes:** 
+
+ 
+
+| Authentication Outcome | Function response | Event Grid MQTT reason code |
+|------------------------|-----------------|------------------|
+| Explicit authorization denial | `"decision": "deny"` | Not authorized |
+| Invalid / expired token | `"decision": "deny"` | Not authorized |
+| Function timeout | N/A | Server unavailable |
+| Function exception / crash | N/A | Server unavailable |
+| Transient platform failure | N/A | Server unavailable |
+| Internal broker processing error | N/A | Server unavailable |
+
+
 ### Response field descriptions
 
 | Field             | Description  |