Commit 588402c

Merge pull request #306867 from MicrosoftDocs/main
Auto Publish – main to live - 2025-10-14 05:00 UTC
2 parents 99ba19a + 86ac8aa commit 588402c

14 files changed

Lines changed: 203 additions & 52 deletions

articles/azure-functions/functions-bindings-mcp-trigger.md

Lines changed: 0 additions & 20 deletions
@@ -16,8 +16,6 @@ zone_pivot_groups: programming-languages-set-functions
1616

1717
Use the MCP tool trigger to define tool endpoints in a [Model Content Protocol (MCP)](https://github.com/modelcontextprotocol) server. Client language models and agents can use tools to perform specific tasks, such as storing or accessing code snippets.
1818

19-
[!INCLUDE [functions-mcp-extension-preview-note](../../includes/functions-mcp-extension-preview-note.md)]
20-
2119
For information on setup and configuration details, see the [overview](functions-bindings-mcp.md).
2220

2321
## Example
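Review bot: Context line 17 of this hunk still reads "Model Content Protocol (MCP)"; the protocol's name is Model Context Protocol, which is how functions-bindings-mcp.md spells it in this same commit. Since the intro of this file is being edited here anyway, fix the name in this file too.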
@@ -73,8 +71,6 @@ builder.Services
7371
.AddApplicationInsightsTelemetryWorkerService()
7472
.ConfigureFunctionsApplicationInsights();
7573

76-
builder.EnableMcpToolMetadata();
77-
7874
builder
7975
.ConfigureMcpTool("get_snippets")
8076
.WithProperty("snippetname", "string", "The name of the snippet.");
@@ -440,20 +436,6 @@ In C#, you can define properties for your tools in several ways. Which approach
440436
- You define a custom type with the properties, and the function binds to that type.
441437
- You use the `FunctionsApplicationBuilder` to define properties in your `Program.cs` file.
442438

443-
In all cases, you must include a call to `builder.EnableMcpToolMetadata()` in your `Program.cs`:
444-
445-
```csharp
446-
var builder = FunctionsApplication.CreateBuilder(args);
447-
448-
builder.ConfigureFunctionsWebApplication();
449-
450-
builder.EnableMcpToolMetadata();
451-
452-
// other configuration
453-
454-
builder.Build().Run();
455-
```
456-
457439
#### [`McpToolProperty` attribute](#tab/attribute)
458440

459441
You can define one or more tool properties by applying the `McpToolProperty` attribute to input binding-style parameters in your function.
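Review bot: The paragraph deleted at old lines 443-455 ("In all cases, you must include a call to `builder.EnableMcpToolMetadata()`") is removed with no replacement, so readers whose existing `Program.cs` still carries the call get no guidance. Add a sentence saying from which extension or worker package version the call is no longer required and whether leaving it in is harmless. The same applies to the two example hunks in this file that drop the call.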
@@ -507,8 +489,6 @@ var builder = FunctionsApplication.CreateBuilder(args);
507489

508490
builder.ConfigureFunctionsWebApplication();
509491

510-
builder.EnableMcpToolMetadata();
511-
512492
builder
513493
.ConfigureMcpTool("get_snippets")
514494
.WithProperty("snippetname", "string", "The name of the snippet.");
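Review bot: With `builder.EnableMcpToolMetadata();` removed at old line 510, this `Program.cs` example and the one at old line 76 now differ from earlier published versions of the article only by that call. Confirm both snippets were rebuilt against the package versions listed in the updated prerequisites so the examples still register the `get_snippets` tool properties without it.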

articles/azure-functions/functions-bindings-mcp.md

Lines changed: 11 additions & 11 deletions
@@ -16,8 +16,6 @@ zone_pivot_groups: programming-languages-set-functions
1616

1717
The [Model Context Protocol (MCP)](https://github.com/modelcontextprotocol) is a client-server protocol intended to enable language models and agents to more efficiently discover and use external data sources and tools.
1818

19-
[!INCLUDE [functions-mcp-extension-preview-note](../../includes/functions-mcp-extension-preview-note.md)]
20-
2119
The Azure Functions MCP extension allows you to use Azure Functions to create remote MCP servers. These servers can host MCP tool trigger functions, which MCP clients, such as language models and agents, can query and access to do specific tasks.
2220

2321
| Action | Type |
@@ -28,10 +26,11 @@ The Azure Functions MCP extension allows you to use Azure Functions to create re
2826
[!INCLUDE [functions-mcp-extension-powershell-note](../../includes/functions-mcp-extension-powershell-note.md)]
2927
## Prerequisites
3028

31-
+ The MCP extension relies on Azure Queue storage provided by the [default host storage account](./storage-considerations.md) (`AzureWebJobsStorage`). When using identity-based connections, make sure that your function app has at least the equivalent of these role-based permissions in the host storage account: [Storage Queue Data Reader](/azure/role-based-access-control/built-in-roles#storage-queue-data-reader) and [Storage Queue Data Message Processor](/azure/role-based-access-control/built-in-roles#storage-queue-data-message-processor).
29+
+ When you use the SSE transport, the MCP extension relies on Azure Queue storage provided by the [default host storage account](./storage-considerations.md) (`AzureWebJobsStorage`). When using identity-based connections, make sure that your function app has at least the equivalent of these role-based permissions in the host storage account: [Storage Queue Data Reader](/azure/role-based-access-control/built-in-roles#storage-queue-data-reader) and [Storage Queue Data Message Processor](/azure/role-based-access-control/built-in-roles#storage-queue-data-message-processor).
3230
+ When running locally, the MCP extension requires version 4.0.7030 of the [Azure Functions Core Tools](functions-run-local.md), or a later version.
3331
::: zone pivot="programming-language-csharp"
34-
+ Requires version 2.0.2 or later of the `Microsoft.Azure.Functions.Worker.Sdk` package.
32+
+ Requires version 2.1.0 or later of the `Microsoft.Azure.Functions.Worker` package.
33+
+ Requires version 2.0.2 or later of the `Microsoft.Azure.Functions.Worker.Sdk` package.
3534

3635
## Install extension
3736

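Review bot: The reworded prerequisite at new line 29 scopes the queue dependency to the SSE transport but does not state the converse, that an app serving only Streamable HTTP can omit the Storage Queue Data Reader and Storage Queue Data Message Processor role assignments. If that is the case, say so explicitly so operators applying least privilege can leave the roles off. Separately, old line 34 and new line 33 (the `Microsoft.Azure.Functions.Worker.Sdk` requirement) look identical, so confirm that pair is an intended whitespace-only change.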
@@ -46,17 +45,16 @@ Add the extension to your project by installing this [NuGet package](https://www
4645
<!---At GA, replace with:
4746
[!INCLUDE [functions-install-extension-bundle](../../includes/functions-install-extension-bundle.md)]
4847
-->
49-
[!INCLUDE [functions-extension-bundles-json-preview](../../includes/functions-extension-bundles-json-preview.md)]
48+
> [!IMPORTANT]
49+
> A generally available version of the extension is now available. However, it isn’t yet included in the default extension bundle. The instructions show how to use the preview extension bundle, which includes an earlier preview version of the MCP extension, along with other preview dependencies. For now, to use the generally available version of the extension, you must [manually install the extension](./functions-bindings-register.md#explicitly-install-extensions).
50+
[!INCLUDE [functions-extension-bundles-json-preview](../../includes/functions-extension-bundles-json-preview.md)]
5051
::: zone-end
5152

5253
## host.json settings
5354

5455
[!INCLUDE [functions-host-json-section-intro](../../includes/functions-host-json-section-intro.md)]
5556

56-
> [!NOTE]
57-
> Until the extension is no longer in preview, the JSON schema for `host.json` isn't updated, and specific properties and behaviors might change. During the preview period, you might see warnings in your editor that say the `mcp` section isn't recognized. You can safely ignore these warnings.
58-
59-
You can use `host.json` to define MCP server information.
57+
You can use the `extensions.mcp` section in `host.json` to define MCP server information.
6058

6159
```json
6260
{
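Review bot: The context comment at line 45, `<!---At GA, replace with:`, sits directly above the new IMPORTANT note at new line 48, which says a generally available version now exists, so the comment's condition is stale. Reword it to something like "when the GA extension is included in the default bundle" or remove it. Also confirm the `host.json` JSON schema now recognizes the `extensions.mcp` section before dropping the NOTE at old lines 56-57 about editor warnings.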
@@ -66,6 +64,7 @@ You can use `host.json` to define MCP server information.
6664
"instructions": "Some test instructions on how to use the server",
6765
"serverName": "TestServer",
6866
"serverVersion": "2.0.0",
67+
"encryptClientState": true,
6968
"messageOptions": {
7069
"useAbsoluteUriForEndpoint": false
7170
}
@@ -79,6 +78,7 @@ You can use `host.json` to define MCP server information.
7978
| **instructions** | Describes to clients how to access the remote MCP server. |
8079
| **serverName** | A friendly name for the remote MCP server. |
8180
| **serverVersion** | Current version of the remote MCP server. |
81+
| **encryptClientState** | Determines if client state is encrypted. Defaults to true. Setting to false may be useful for debugging and test scenarios but isn't recommended for production. |
8282
| **messageOptions** | Options object for the message endpoint in the SSE transport. |
8383
| **messageOptions.UseAbsoluteUriForEndpoint** | Defaults to `false`. Only applicable to the server-sent events (SSE) transport; this setting doesn't affect the Streamable HTTP transport. If set to `false`, the message endpoint is provided as a relative URI during initial connections over the SSE transport. If set to `true`, the message endpoint is returned as an absolute URI. Using a relative URI isn't recommended unless you have a specific reason to do so.|
8484

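Review bot: The new `encryptClientState` row at line 81 does not say what "client state" contains, where it is carried, or what protects it, so a reader cannot judge what is exposed when the setting is `false`. Add a sentence covering that, and put `true` and `false` in code formatting to match the `messageOptions.UseAbsoluteUriForEndpoint` row below it.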
@@ -91,15 +91,15 @@ To connect to the MCP server exposed by your function app, you need to provide a
9191
| Streamable HTTP | `/runtime/webhooks/mcp` |
9292
| Server-Sent Events (SSE)<sup>1</sup> | `/runtime/webhooks/mcp/sse` |
9393

94-
<sup>1</sup> Newer protocol versions have deprecated the Server-Sent Events transport. Unless your client specifically requires it, you should use the Streamable HTTP transport instead.
94+
<sup>1</sup> Newer protocol versions deprecated the Server-Sent Events transport. Unless your client specifically requires it, you should use the Streamable HTTP transport instead.
9595

9696
When hosted in Azure, the endpoints exposed by the extension also require the [system key](./function-keys-how-to.md) named `mcp_extension`. If it isn't provided in the `x-functions-key` HTTP header, your client receives a `401 Unauthorized` response. You can retrieve the key using any of the methods described in [Get your function access keys](./function-keys-how-to.md#get-your-function-access-keys). The following example shows how to get the key with the Azure CLI:
9797

9898
```azurecli
9999
az functionapp keys list --resource-group <RESOURCE_GROUP> --name <APP_NAME> --query systemKeys.mcp_extension --output tsv
100100
```
101101

102-
MCP clients accept this configuration in various ways. Consult the documentation for your chosen client. The following example shows an `mcp.json` file like you might use to [configure MCP servers for GitHub Copilot in Visual Studio Code](https://code.visualstudio.com/docs/copilot/customization/mcp-servers#_configuration-format). The example sets up two servers, both using the Streamable HTTP transport. The first is for local testing with the Azure Functions Core Tools. The second is for a function app hosted in Azure. The configuration takes input parameters for which VS Code prompts you when you first run the remote server. Using inputs ensures that secrets like the system key aren't saved to the file and checked into source control.
102+
MCP clients accept this configuration in various ways. Consult the documentation for your chosen client. The following example shows an `mcp.json` file like you might use to [configure MCP servers for GitHub Copilot in Visual Studio Code](https://code.visualstudio.com/docs/copilot/customization/mcp-servers#_configuration-format). The example sets up two servers, both using the Streamable HTTP transport. The first is for local testing with the Azure Functions Core Tools. The second is for a function app hosted in Azure. The configuration takes input parameters for which Visual Studio Code prompts you when you first run the remote server. Using inputs ensures that secrets like the system key aren't saved to the file and checked into source control.
103103

104104
```json
105105
{

articles/backup/back-up-azure-stack-hyperconverged-infrastructure-virtual-machines.md

Lines changed: 4 additions & 3 deletions
@@ -2,7 +2,7 @@
22
title: Back up Azure Local virtual machines with MABS
33
description: This article contains the procedures to back up and recover virtual machines using Microsoft Azure Backup Server (MABS).
44
ms.topic: how-to
5-
ms.date: 03/06/2025
5+
ms.date: 10/14/2025
66
ms.service: azure-backup
77
ms.custom: engagement-fy24
88
author: AbhishekMallick-MS
@@ -91,8 +91,9 @@ These are the prerequisites for backing up virtual machines with MABS:
9191
```
9292
Install DPMAgentInstaller.exe`
9393
```
94-
>[!Note]
95-
>Default Application Control settings may prevent agent deployment, [switch application control to "Audit" mode](/azure/azure-local/manage/manage-wdac#switch-application-control-policy-modes) before agent installation to work around this issue. After deployment is complete, it is highly recommended to switch the application control back to "Enforced" mode.
94+
>[!Note]
95+
>Default Application Control settings may prevent agent deployment, [switch application control to "Audit" mode](/azure/azure-local/manage/manage-wdac#switch-application-control-policy-modes) before agent installation to work around this issue. After deployment is complete, we recommend that you switch the application control back to **Enforced** mode.
96+
9697
2. After the installation is complete, run the following command to configure the agent on the node:
9798
9899
```
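Review bot: The reworded note at new lines 94-95 tells readers to switch Application Control to "Audit" mode for the agent install and leaves the return to **Enforced** mode as a recommendation inside the note. A node left in Audit mode logs but no longer blocks unapproved code, so make switching back a numbered step after the agent is configured rather than advice that is easy to skip. The first sentence is also a comma splice ("...prevent agent deployment, [switch ..."), and "Audit" is quoted while **Enforced** is bold.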

articles/firewall/firewall-best-practices.md

Lines changed: 2 additions & 0 deletions
@@ -72,6 +72,8 @@ Use the following best practices for testing and monitoring:
7272
- Look for spikes in network performance or latency. Correlate rule hit timestamps, such as application rules hit count and network rules hit count, to determine if rule processing is a significant factor contributing to performance or latency issues. By analyzing these patterns, you can identify specific rules or configurations that you might need to optimize.
7373
- **Add alerts to key metrics**
7474
- In addition to regular monitoring, it's crucial to set up alerts for key firewall metrics. This ensures that you're promptly notified when specific metrics surpass predefined thresholds. To configure alerts, see [Azure Firewall logs and metrics](metrics.md#alert-on-azure-firewall-metrics) for detailed instructions about setting up effective alerting mechanisms. Proactive alerting enhances your ability to respond swiftly to potential issues and maintain optimal firewall performance.
75+
- **Track configuration changes**
76+
- Monitor changes to firewall rules and policies to maintain security compliance and troubleshoot issues. For comprehensive rule set change tracking using Azure Resource Graph, see [Track rule set changes](rule-set-change-tracking.md).
7577

7678
## Next steps
7779

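Review bot: The new "Track configuration changes" bullet at lines 75-76 presents rule change tracking as a best practice without mentioning that monitor-firewall.md, in this same commit, still heads the feature "Change tracking (Preview)". State the preview status here, or confirm that the linked rule-set-change-tracking.md does. The bullet would also be more actionable if it said who should review detected changes and against what, rather than only "monitor changes".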
articles/firewall/firewall-workbook.md

Lines changed: 1 addition & 0 deletions
@@ -153,3 +153,4 @@ The investigation section enables exploration and troubleshooting, offering addi
153153
## Next steps
154154

155155
- Learn more about [Azure Firewall Diagnostics](firewall-diagnostics.md)
156+
- Learn how to [Track rule set changes](rule-set-change-tracking.md) using Azure Resource Graph

articles/firewall/monitor-firewall-reference.md

Lines changed: 1 addition & 0 deletions
@@ -219,4 +219,5 @@ To create a diagnostic setting and enable Resource Specific Table, see [Create d
219219
## Related content
220220

221221
- See [Monitor Azure Firewall](monitor-firewall.md) for a description of monitoring Azure Firewall.
222+
- See [Track rule set changes](rule-set-change-tracking.md) for detailed Azure Resource Graph queries to track firewall rule modifications.
222223
- See [Monitor Azure resources with Azure Monitor](/azure/azure-monitor/essentials/monitor-azure-resource) for details on monitoring Azure resources.

articles/firewall/monitor-firewall.md

Lines changed: 7 additions & 5 deletions
@@ -40,23 +40,25 @@ For the available resource log categories, their associated Log Analytics tables
4040
You can also connect to your storage account and retrieve the JSON log entries for access and performance logs. After you download the JSON files, you can convert them to CSV and view them in Excel, Power BI, or any other data-visualization tool.
4141

4242
> [!TIP]
43-
> If you are familiar with Visual Studio and basic concepts of changing values for constants and variables in C#, you can use the [log converter tools](https://github.com/Azure-Samples/networking-dotnet-log-converter) available from GitHub.
43+
> If you're familiar with Visual Studio and basic concepts of changing values for constants and variables in C#, you can use the [log converter tools](https://github.com/Azure-Samples/networking-dotnet-log-converter) available from GitHub.
4444
4545
[!INCLUDE [horz-monitor-activity-log](~/reusable-content/ce-skilling/azure/includes/azure-monitor/horizontals/horz-monitor-activity-log.md)]
4646

4747
## Change tracking (Preview) 
4848

4949
Azure Resource Graph (ARG) is an Azure service designed to provide efficient and performant resource exploration at scale.  Azure Resource Graph (ARG) provides change analysis data for various management and troubleshooting scenarios. Users can find when changes were detected on an Azure Resource Manager (ARM) property, view property change details and query changes at scale across their subscription, management group, or tenant. 
5050

51-
ARG change analysis recently added support for RuleCollectionGroups. You can now track changes to Azure Firewall Rule Collection Groups using an Azure Resource Graph query from the Azure Portal ResourceGraphExplorer page using a query like this:  
51+
ARG change analysis recently added support for RuleCollectionGroups. You can now track changes to Azure Firewall Rule Collection Groups using an Azure Resource Graph query from the Azure portal ResourceGraphExplorer page using a query like this:  
5252

5353
:::image type="content" source="media/monitor-firewall/query.png" alt-text="Screenshot of the Azure Resource Graph query to track changes to Azure Firewall Rule Collection Groups.":::
5454

5555
Below is a sample change output.  
5656

5757
:::image type="content" source="media/monitor-firewall/output.png" alt-text="Screenshot of the output that depicts the change to Azure Firewall Rule Collection Groups.":::
5858

59-
This capability can help you track changes made to your firewall rules helping ensure accountability for a sensitive resource like a firewall.
59+
This capability can help you track changes made to your firewall rules helping ensure accountability for a sensitive resource like a firewall.
60+
61+
For comprehensive tracking of rule set changes with detailed queries and examples, see [Track rule set changes](rule-set-change-tracking.md).
6062

6163
## Structured Azure Firewall logs
6264

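Review bot: The query this section tells readers to run is still only a screenshot (`media/monitor-firewall/query.png`, context line 53), so it cannot be copied or searched. Now that new line 61 points to rule-set-change-tracking.md for detailed queries, either include the query as text here or say that the copyable version is in the linked article. Old line 59 and new line 59 also appear identical, and that sentence needs a comma before "helping".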
@@ -87,7 +89,7 @@ In **Resource specific** mode, individual tables in the selected workspace are c
8789
New resource specific tables are now available in Diagnostic setting that allows you to utilize the following categories:
8890

8991
- [Network rule log](/azure/azure-monitor/reference/tables/azfwnetworkrule) - Contains all Network Rule log data. Each match between data plane and network rule creates a log entry with the data plane packet and the matched rule's attributes.
90-
- [NAT rule log](/azure/azure-monitor/reference/tables/azfwnatrule) - Contains all DNAT (Destination Network Address Translation) events log data. Each match between data plane and DNAT rule creates a log entry with the data plane packet and the matched rule's attributes. Asa note, the AZFWNATRule table logs only when a DNAT rule match occurs. If there is no match, no log is generated.
92+
- [NAT rule log](/azure/azure-monitor/reference/tables/azfwnatrule) - Contains all DNAT (Destination Network Address Translation) events log data. Each match between data plane and DNAT rule creates a log entry with the data plane packet and the matched rule's attributes. As a note, the AZFWNATRule table logs only when a DNAT rule match occurs. If there's no match, no log is generated.
9193
- [Application rule log](/azure/azure-monitor/reference/tables/azfwapplicationrule) - Contains all Application rule log data. Each match between data plane and Application rule creates a log entry with the data plane packet and the matched rule's attributes.
9294
- [Threat Intelligence log](/azure/azure-monitor/reference/tables/azfwthreatintel) - Contains all Threat Intelligence events.
9395
- [IDPS log](/azure/azure-monitor/reference/tables/azfwidpssignature) - Contains all data plane packets that were matched with one or more IDPS signatures.
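Review bot: "As a note," at the start of the corrected sentence on new line 92 is filler. Drop it or move the sentence into a note block, because the fact that the table logs only on a DNAT rule match matters to anyone who would otherwise read an empty result as "no traffic". `AZFWNATRule` should also be in code formatting as a table name.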
@@ -112,7 +114,7 @@ To enable Azure Firewall structured logs, you must first configure a Log Analyti
112114
Once you configure the Log Analytics workspace, you can enable structured logs in Azure Firewall by navigating to the Firewall's **Diagnostic settings** page in the Azure portal. From there, you must select the **Resource specific** destination table and select the type of events you want to log.
113115

114116
> [!NOTE]
115-
> * To enable Azure Firewall Fat Flow Log (Top flow log) you need to configure it through Azure PowerShell. For more information, see [Top flows log](monitor-firewall-reference.md#top-flows).
117+
> * To enable Azure Firewall Fat Flow Log (Top flow log), you need to configure it through Azure PowerShell. For more information, see [Top flows log](monitor-firewall-reference.md#top-flows).
116118
117119
:::image type="content" source="media/firewall-structured-logs/diagnostics-setting-resource-specific.png" alt-text="Screenshot of Diagnostics settings page.":::
118120
