Merge branch 'main' into release-sre-agent

v-alje · v-alje · commit 74fde71b6224 · 2026-03-25T10:40:01.000-07:00
diff --git a/articles/api-management/llm-content-safety-policy.md b/articles/api-management/llm-content-safety-policy.md
@@ -8,7 +8,7 @@ ms.service: azure-api-management
 ms.collection: ce-skilling-ai-copilot
 ms.custom:
 ms.topic: reference
-ms.date: 09/03/2025
+ms.date: 03/23/2026
 ms.update-cycle: 180-days
 ms.author: danlep
 ---
@@ -17,16 +17,16 @@ ms.author: danlep
 
 [!INCLUDE [api-management-availability-premium-dev-standard-basic-premiumv2-standardv2-basicv2](../../includes/api-management-availability-premium-dev-standard-basic-premiumv2-standardv2-basicv2.md)]
 
-The `llm-content-safety` policy enforces content safety checks on large language model (LLM) requests (prompts) by transmitting them to the [Azure AI Content Safety](/azure/ai-services/content-safety/overview) service before sending to the backend LLM API. When the policy is enabled, and Azure AI Content Safety detects malicious content, API Management blocks the request and returns a `403` error code. 
+The `llm-content-safety` policy enforces content safety checks on large language model (LLM) requests (prompts) or responses (completions) by sending them to the [Azure AI Content Safety](/azure/ai-services/content-safety/overview) service. When you enable the policy and Azure AI Content Safety detects malicious content, API Management blocks the request or response and returns a `403` error code. 
 
 > [!NOTE]
-> The terms _category_ and _categories_ used in API Management are synonymous with _harm category_ and _harm categories_ in the Azure AI Content Safety service. Details can be found on the [Harm categories in Azure AI Content Safety](/azure/ai-services/content-safety/concepts/harm-categories) page.
+> The terms _category_ and _categories_ used in API Management are synonymous with _harm category_ and _harm categories_ in the Azure AI Content Safety service. For more information, see [Harm categories in Azure AI Content Safety](/azure/ai-services/content-safety/concepts/harm-categories).
 
 Use the policy in scenarios such as the following:
 
-* Block requests that contain predefined categories of harmful content or hate speech
-* Apply custom blocklists to prevent specific content from being sent
-* Shield against prompts that match attack patterns
+* Block requests or responses that contain predefined categories of harmful content or hate speech.
+* Apply custom blocklists to prevent specific content from being sent or received.
+* Shield against prompts that match attack patterns.
 
 [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
 
@@ -41,7 +41,7 @@ Use the policy in scenarios such as the following:
 ## Policy statement
 
 ```xml
-<llm-content-safety backend-id="name of backend entity" shield-prompt="true | false" enforce-on-completions="true | false">
+<llm-content-safety backend-id="name of backend entity" shield-prompt="true | false" enforce-on-completions="true | false" window-size="integer" window-overlap-size="integer">
     <categories output-type="FourSeverityLevels | EightSeverityLevels">
         <category name="Hate | SelfHarm | Sexual | Violence" threshold="integer" />
         <!-- If there are multiple categories, add more category elements -->
@@ -60,8 +60,10 @@ Use the policy in scenarios such as the following:
 | Attribute           | Description                                                                                           | Required | Default |
 | -------------- | ----------------------------------------------------------------------------------------------------- | -------- | ------- |
 | backend-id	| Identifier (name) of the Azure AI Content Safety backend to route content-safety API calls to. Policy expressions are allowed.	|  Yes	| N/A |
-| shield-prompt	| If set to `true`, content is checked for user attacks. Otherwise, skip this check. Policy expressions are allowed.	| No	| `false` |
-| enforce-on-completions| If set to `true`, content safety checks are enforced on chat completions for response validation. Otherwise, skip this check. Policy expressions are allowed.	| No	| `false` |
+| shield-prompt	| If set to `true`, check content for user attacks. Otherwise, skip this check. Policy expressions are allowed.	| No	| `false` |
+| enforce-on-completions| If set to `true` when you set the policy in the inbound section for content safety checks on requests, enforce content safety checks also on chat completions for response validation. When you set the policy in the outbound section for content safety checks on responses, this attribute is ignored. Policy expressions are allowed.	| No	| `false` |
+| window-size | The size of the text window in characters that the policy sends to Azure AI Content Safety for evaluation. Configurable only for responses; for requests, the default window size is always used. Policy expressions are allowed. | No | 10,000 characters (Azure AI Content Safety limit) |
+| window-overlap-size | The size of the overlap in characters between text windows when the content is split by using the `window-size` attribute. If you don't specify a value, windows don't overlap. Policy expressions are allowed. | No | N/A |
 
 
 ## Elements
@@ -83,24 +85,25 @@ Use the policy in scenarios such as the following:
 | Attribute           | Description                                                                                           | Required | Default |
 | -------------- | ----------------------------------------------------------------------------------------------------- | -------- | ------- |
 | name	| Specifies the name of this category. The attribute must have one of the following values: `Hate`, `SelfHarm`, `Sexual`, `Violence`. Policy expressions are allowed.	| Yes	| N/A |
-| threshold	| Specifies the threshold value for this category at which request are blocked. Requests with content severities less than the threshold aren't blocked. The value must be between 0 (most restrictive) and 7 (least restrictive). Policy expressions are allowed.	| Yes	| N/A |
+| threshold	| Specifies the threshold value for this category at which requests or responses are blocked. Requests with content severities less than the threshold aren't blocked. The value must be between 0 (most restrictive) and 7 (least restrictive). Policy expressions are allowed.	| Yes	| N/A |
 
 
 ## Usage
 
-- [**Policy sections:**](./api-management-howto-policies.md#understanding-policy-configuration) inbound
+- [**Policy sections:**](./api-management-howto-policies.md#understanding-policy-configuration) inbound, outbound
 - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API
 - [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted, workspace
 
 ### Usage notes
 
-* The policy runs on a concatenation of all text content in a completion or chat completion request.
-* If the request exceeds the character limit of Azure AI Content Safety, a `403` error is returned.
-* This policy can be used multiple times per policy definition.
+* Configure the policy in the inbound section to check requests and in the outbound section to check responses.
+* For streaming responses, the stream handler buffers events in a sliding window and, if a content safety violation is detected, stops forwarding further events to the client. A `403` error isn't returned in this case. 
+* If the request or response exceeds the character limit of Azure AI Content Safety, the policy returns a `403` error.
+* You can use this policy multiple times per policy definition.
 
 ## Example
 
-The following example enforces content safety checks on LLM requests using the Azure AI Content Safety service. The policy blocks requests that contain speech in the `Hate` or `Violence` category with a severity level of 4 or higher. In other words, the filter allows levels 0-3 to continue whereas levels 4-7 are blocked. Raising a category's threshold raises the tolerance and potentially decreases the number of blocked requests. Lowering the threshold lowers the tolerance and potentially increases the number of blocked requests. The `shield-prompt` attribute is set to `true` to check for adversarial attacks.
+The following example, when configured in the inbound section, enforces content safety checks on LLM requests by using the Azure AI Content Safety service. The policy blocks requests that contain speech in the `Hate` or `Violence` category with a severity level of 4 or higher. In other words, the filter allows levels 0-3 to continue whereas levels 4-7 are blocked. Raising a category's threshold raises the tolerance and potentially decreases the number of blocked requests. Lowering the threshold lowers the tolerance and potentially increases the number of blocked requests. The `shield-prompt` attribute is set to `true` to check for adversarial attacks.
 
 ```xml
 <policies>
@@ -117,7 +120,7 @@ The following example enforces content safety checks on LLM requests using the A
 
 ## Related policies
 
-* [Content validation](api-management-policies.md#content-validation)
+* [Content validation](api-management-policies.md#content-validation) policies
 * [llm-token-limit](llm-token-limit-policy.md) policy
 * [llm-emit-token-metric](llm-emit-token-metric-policy.md) policy
 
diff --git a/articles/application-gateway/for-containers/application-gateway-for-containers-components.md b/articles/application-gateway/for-containers/application-gateway-for-containers-components.md
@@ -5,7 +5,7 @@ services: application-gateway
 author: mbender-ms
 ms.service: azure-appgw-for-containers
 ms.topic: concept-article
-ms.date: 12/05/2025
+ms.date: 3/25/2026
 ms.author: mbender
 # Customer intent: "As a cloud architect, I want to understand the components of Application Gateway for Containers, so that I can effectively configure and manage traffic routing to backend services in my cloud deployment."
 ---
@@ -138,3 +138,32 @@ Application Gateway for Containers enforces the following timeouts as it initiat
 
 > [!NOTE]
 > Request timeout strictly enforces the request to complete in the defined time irrespective if data is actively streaming or the request is idle. For example, if you're serving large file downloads and you expect transfers to take greater than 60 seconds due to size or slow transfer rates, consider increasing the request timeout value or setting it to 0.
+
+## Connectivity
+
+The following connectivity requirements are needed for successful operation of Application Gateway for Containers.
+
+### ALB controller outbound connectivity
+
+|Endpoint|Port|Purpose|
+|--|--|--|
+| management.azure.com | TCP 443 | Azure ARM API |
+| login.microsoftonline.com | TCP 443 | Entra AD authentication |
+| *.oic.prod-aks.azure.com | TCP 443 | AKS OIDC issuer (Workload Identity) |
+| *.alb.azure.com | TCP 443 | Configuration Endpoint |
+| mcr.microsoft.com | TCP 443 | Container images for helm deployment |
+| DNS Resolution | UDP 53 | In a default AKS deployment, ALB Controller will query coreDNS/kube-dns within the cluster |
+
+### ALB controller inbound connectivity
+
+>[!Note]
+>These inbound ports are exposed via ClusterIP Service and not published directly to the internet. They are exposed to help with troubleshooting / diagnostics and may be blocked with network policy if desired.
+
+|Port|Name|Purpose|
+|--|--|--|
+| TCP 8000 | backend health | Backend health endpoint (/backendHealth) |
+| TCP 8001 | metrics | Prometheus metrics endpoint (/metrics) |
+
+### Frontend connectivity
+
+Each frontend for Application Gateway for Containers is in the format of `*.fzXX.alb.azure.com`, where XX are numeric digits 0-99.  Frontends may only listen on port 443 and 80.
diff --git a/articles/data-factory/connector-microsoft-fabric-lakehouse.md b/articles/data-factory/connector-microsoft-fabric-lakehouse.md
@@ -6,7 +6,7 @@ ms.author: jianleishen
 author: jianleishen
 ms.subservice: data-movement
 ms.topic: conceptual
-ms.date: 10/23/2025
+ms.date: 01/30/2026
 ms.custom:
   - synapse
   - sfi-image-nochange
@@ -692,6 +692,9 @@ For more information, see the [source transformation](data-flow-source.md) and [
 
 To use Microsoft Fabric Lakehouse Files dataset as a source or sink dataset in mapping data flow, go to the following sections for the detailed configurations.
 
+>[!NOTE]
+> Mapping data flows currently support service principal authentication only.
+
 #### Microsoft Fabric Lakehouse Files as a source or sink type
 
 Microsoft Fabric Lakehouse connector supports the following file formats. Refer to each article for format-based settings.
diff --git a/articles/iot-operations/reference/observability-metrics-opcua-broker.md b/articles/iot-operations/reference/observability-metrics-opcua-broker.md
@@ -6,7 +6,7 @@ ms.author: sethm
 ms.topic: reference
 ms.custom:
   - ignite-2023
-ms.date: 10/22/2024
+ms.date: 03/25/2026
 
 # CustomerIntent: As an IT admin or operator, I want to be able to monitor and visualize data
 # on the health of my industrial assets and edge environment.
@@ -112,4 +112,4 @@ Emitted by all components: Supervisor, OPC UA Connector, and OPC UA Commander.
 
 ## Related content
 
-- [Configure observability](../configure-observability-monitoring/howto-configure-observability.md)
+[Configure observability](../configure-observability-monitoring/howto-configure-observability.md)
