Commit 7a23805

Merge pull request #309034 from MicrosoftDocs/main
Auto Publish – main to live - 2025-12-04 06:00 UTC
2 parents bd0935d + b501a11 commit 7a23805

23 files changed

Lines changed: 486 additions & 239 deletions

articles/azure-app-configuration/configuration-provider-overview.md

Lines changed: 1 addition & 1 deletion
@@ -71,7 +71,7 @@ Replica Load Balancing | [GA](./reference-dotnet-provider.md#geo-replication) |
7171
Snapshots | [GA](./reference-dotnet-provider.md#snapshot) | GA | GA | WIP | [GA](./reference-javascript-provider.md#snapshot) | GA
7272
Distributed Tracing | [GA](./reference-dotnet-provider.md#distributed-tracing) | WIP | WIP | WIP | WIP | N/A
7373
Health Check | [GA](./reference-dotnet-provider.md#health-check) | GA | WIP | WIP | WIP | N/A
74-
Select by Tag Filters | [GA](./reference-dotnet-provider.md#load-specific-key-values-using-selectors) | WIP | WIP | GA | [GA](./reference-javascript-provider.md#tag-filters) | WIP
74+
Select by Tag Filters | [GA](./reference-dotnet-provider.md#load-specific-key-values-using-selectors) | WIP | WIP | GA | [GA](./reference-javascript-provider.md#tag-filters) | GA
7575
Snapshot Reference | [GA](./reference-dotnet-provider.md#snapshot-reference) | WIP | WIP | WIP | WIP | WIP
7676

7777
## Support policy
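
Review bot: On the changed `Select by Tag Filters` row, the last column now reads a bare `GA`, while the first and fifth cells of the same row link to their provider reference sections. This commit also adds a `#### Tag filters` section to `reference-go-provider.md`; if the last column is the Go provider (the table header is outside this hunk), link the cell to that section so readers can reach the note on reserved characters.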

articles/azure-app-configuration/reference-go-provider.md

Lines changed: 21 additions & 0 deletions
@@ -138,6 +138,27 @@ The `Selector` struct supports the following fields:
138138
> [!NOTE]
139139
> When multiple selectors include overlapping keys, later selectors take precedence over earlier ones.
140140
141+
#### Tag filters
142+
143+
The `TagFilters` parameter selects key-values with specific tags. A key-value is only loaded if it has all of the tags and corresponding values specified in the filters.
144+
145+
```golang
146+
options := &azureappconfiguration.Options{
147+
Selectors: []azureappconfiguration.Selector{
148+
{
149+
// Load configuration values with prefix "App:" and specific tags
150+
KeyFilter: "App:*",
151+
TagFilters: []string{"env=prod"},
152+
},
153+
},
154+
}
155+
156+
appConfig, err := azureappconfiguration.Load(ctx, authOptions, options)
157+
```
158+
159+
> [!NOTE]
160+
> The characters asterisk (`*`), comma (`,`), and backslash (`\`) are reserved and must be escaped with a backslash when used in a tag filter.
161+
141162
### Trim prefix from keys
142163

143164
When loading configuration values with specific prefixes, you can use the `TrimKeyPrefixes` option to remove those prefixes from the keys in your configuration. This creates cleaner configuration keys in your application while maintaining organization in your App Configuration store.
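
Review bot: The added `TagFilters` paragraph never states the syntax of a filter string; the only hint is `"env=prod"` in the sample. Spell out the expected form of each entry and add one sample value that escapes a reserved character, since the note lists `*`, `,` and `\` as reserved but shows no escaped filter. Two smaller points: the text calls `TagFilters` a parameter although the sample sets it as a field of `Selector`, and the sample assigns `err` from `Load` without checking it.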

articles/azure-functions/functions-reference.md

Lines changed: 42 additions & 7 deletions
@@ -2,8 +2,8 @@
22
title: Guidance for developing Azure Functions
33
description: Learn the Azure Functions concepts and techniques that you need to develop functions in Azure, across all programming languages and bindings.
44
ms.assetid: d8efe41a-bef8-4167-ba97-f3e016fcd39e
5-
ms.topic: conceptual
6-
ms.date: 06/26/2024
5+
ms.topic: article
6+
ms.date: 12/03/2025
77
ms.custom:
88
- devx-track-extended-java
99
- devx-track-js
@@ -252,11 +252,14 @@ You need to create a role assignment that provides access to Azure SignalR Servi
252252

253253
An identity-based connection for an Azure service accepts the following common properties, where `<CONNECTION_NAME_PREFIX>` is the value of your `connection` property in the trigger or binding definition:
254254

255-
| Property | Environment variable template | Description |
255+
| Property | Environment variable template | Description |
256256
|---|---|---|
257-
| Token Credential | `<CONNECTION_NAME_PREFIX>__credential` | Defines how a token should be obtained for the connection. This setting should be set to `managedidentity` if your deployed Azure Function intends to use managed identity authentication. This value is only valid when a managed identity is available in the hosting environment. |
258-
| Client ID | `<CONNECTION_NAME_PREFIX>__clientId` | When `credential` is set to `managedidentity`, this property can be set to specify the user-assigned identity to be used when obtaining a token. The property accepts a client ID corresponding to a user-assigned identity assigned to the application. It's invalid to specify both a Resource ID and a client ID. If not specified, the system-assigned identity is used. This property is used differently in [local development scenarios](#local-development-with-identity-based-connections), when `credential` shouldn't be set. |
259-
| Resource ID | `<CONNECTION_NAME_PREFIX>__managedIdentityResourceId` | When `credential` is set to `managedidentity`, this property can be set to specify the resource Identifier to be used when obtaining a token. The property accepts a resource identifier corresponding to the resource ID of the user-defined managed identity. It's invalid to specify both a resource ID and a client ID. If neither are specified, the system-assigned identity is used. This property is used differently in [local development scenarios](#local-development-with-identity-based-connections), when `credential` shouldn't be set.
257+
| Token Credential | `<CONNECTION_NAME_PREFIX>__credential` | This property determines how a token should be obtained for the connection. The property shouldn't be set in [local development scenarios]. When you intend to use managed identity authentication, set this property to `managedidentity`. When you intend to [connect to a resource in another tenant][cross-tenant scenarios], instead use `managedidentityasfederatedidentity`. |
258+
| Client ID | `<CONNECTION_NAME_PREFIX>__clientId` | When `credential` is set to `managedidentity`, this property can be set to specify the user-assigned identity to be used when obtaining a token. The property accepts a client ID corresponding to a user-assigned identity assigned to the application. It's invalid to specify both a resource ID and a client ID. If neither are specified, the system-assigned identity is used.<br/><br/>This property is used differently in cross-tenant scenarios. See the [cross-tenant scenarios] section.<br/><br/>This property is used differently in [local development scenarios], when `credential` shouldn't be set. |
259+
| Resource ID | `<CONNECTION_NAME_PREFIX>__managedIdentityResourceId` | When `credential` is set to `managedidentity`, this property can be set to specify the user-assigned identity to be used when obtaining a token. The property accepts a resource identifier corresponding to a user-assigned identity assigned to the application. It's invalid to specify both a resource ID and a client ID. If neither are specified, the system-assigned identity is used.|
260+
261+
[local development scenarios]: #local-development-with-identity-based-connections
262+
[cross-tenant scenarios]: #connecting-to-a-resource-in-another-tenant
260263

261264
Other options may be supported for a given connection type. Refer to the documentation for the component making the connection.
262265

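
Review bot: The new Resource ID row drops the pointer to local development scenarios and, unlike the Client ID row, says nothing about cross-tenant use, although `<CONNECTION_NAME_PREFIX>__managedIdentityResourceId` appears again in the cross-tenant table with `managedidentityasfederatedidentity`. Add the same "used differently in cross-tenant scenarios" sentence to that row. The Token Credential row also loses the statement that `managedidentity` is only valid when a managed identity is available in the hosting environment; confirm that removal is intended. Minor: "If neither are specified" should read "If neither is specified" in both rows.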
@@ -287,7 +290,7 @@ Your identity may already have some role assignments against Azure resources use
287290

288291
In some cases, you may wish to specify use of a different identity. You can add configuration properties for the connection that point to the alternate identity based on a client ID and client Secret for a Microsoft Entra service principal. **This configuration option is not supported when hosted in the Azure Functions service.** To use an ID and secret on your local machine, define the connection with the following extra properties:
289292

290-
| Property | Environment variable template | Description |
293+
| Property | Environment variable template | Description |
291294
|---|---|---|
292295
| Tenant ID | `<CONNECTION_NAME_PREFIX>__tenantId` | The Microsoft Entra tenant (directory) ID. |
293296
| Client ID | `<CONNECTION_NAME_PREFIX>__clientId` | The client (application) ID of an app registration in the tenant. |
@@ -335,6 +338,38 @@ If you're configuring `AzureWebJobsStorage` using a storage account that uses th
335338

336339
[!INCLUDE [functions-azurewebjobsstorage-permissions](../../includes/functions-azurewebjobsstorage-permissions.md)]
337340

341+
#### Connecting to a resource in another tenant
342+
343+
If your function needs to connect to a resource in a different Microsoft Entra tenant, your connection needs to use a _federated identity credential_. This requires a user-assigned managed identity and a multi-tenant Entra ID app registration. You cannot use a system-assigned managed identity for cross-tenant connections.
344+
345+
> [!IMPORTANT]
346+
> When you configure a trigger for a cross-tenant connection in the Consumption or Flex Consumption plan types, the platform no longer scales the function app based on that trigger.
347+
348+
To configure a cross-tenant identity-based connection, you first need to set up your infrastructure using the following steps:
349+
350+
1. In the tenant where your function app is deployed, [create a new user-assigned managed identity](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities#create-a-user-assigned-managed-identity).
351+
1. [Assign that identity](../app-service/overview-managed-identity.md?toc=%2Fazure%2Fazure-functions%2Ftoc.json#add-a-user-assigned-identity) to the function app.
352+
1. In the same tenant, [create a multi-tenant Entra app registration](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity#configure-a-multi-tenant-app-registration) that represents the cross-tenant resource you want to access.
353+
1. [Add the managed identity as a federated identity credential for the app registration.](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity)
354+
1. In the tenant where the resource is deployed, [create an enterprise application for the app registration](/entra/identity/enterprise-apps/create-service-principal-cross-tenant).
355+
1. Assign permissions for the enterprise application to access the resource.
356+
357+
A cross-tenant identity-based connection uses the following properties, where `<CONNECTION_NAME_PREFIX>` is the value of your `connection` property in the trigger or binding definition:
358+
359+
| Property | Environment variable template | Description |
360+
|---|---|---|
361+
| Token Credential | `<CONNECTION_NAME_PREFIX>__credential` | **Required.** When connecting to a resource in another tenant, set this property to `managedidentityasfederatedidentity`. |
362+
| Azure Cloud | `<CONNECTION_NAME_PREFIX>__azureCloud` | **Required.** This property determines the Azure cloud environment. Allowed values are "public" for Azure Public Cloud, "usgov" for Azure US Government Cloud, and "china" for Azure operated by 21Vianet. |
363+
| Client ID | `<CONNECTION_NAME_PREFIX>__clientId` | **Required.** When `credential` is set to `managedidentityasfederatedidentity`, set this property to the client ID (app ID) of the app registration.<br/><br/>This property is used differently in single-tenant identity-based connections. See the [common properties](#common-properties-for-identity-based-connections) section.<br/><br/>This property is used differently in [local development scenarios], when `credential` shouldn't be set. |
364+
| Tenant ID | `<CONNECTION_NAME_PREFIX>__tenantId` | **Required.** When `credential` is set to `managedidentityasfederatedidentity`, set this property to the tenant ID of the resource tenant.<br/><br/>This property is used differently in [local development scenarios], when `credential` shouldn't be set. |
365+
| Managed Identity Client ID | `<CONNECTION_NAME_PREFIX>__managedIdentityClientId` | When `credential` is set to `managedidentityasfederatedidentity`, this property specifies the user-assigned identity that you configured as a federated identity credential and assigned to the application.<sup>1</sup> The property accepts a client ID corresponding to that user-assigned identity. |
366+
| Managed Identity Object ID | `<CONNECTION_NAME_PREFIX>__managedIdentityObjectId` | When `credential` is set to `managedidentityasfederatedidentity`, this property specifies the user-assigned identity that you configured as a federated identity credential and assigned to the application.<sup>1</sup> The property accepts an object ID (principal ID) corresponding to that user-assigned identity. |
367+
| Managed Identity Resource ID | `<CONNECTION_NAME_PREFIX>__managedIdentityResourceId` | When `credential` is set to `managedidentityasfederatedidentity`, this property specifies the user-assigned identity that you configured as a federated identity credential and assigned to the application.<sup>1</sup> The property accepts a resource identifier corresponding to that user-assigned identity. |
368+
369+
<sup>1</sup> When `credential` is set to `managedidentityasfederatedidentity`, your connection must specify exactly one of `managedIdentityClientId`, `managedIdentityObjectId`, or `managedIdentityResourceId`.
370+
371+
This is also [documented by the Azure SDK](/dotnet/azure/sdk/authentication/create-token-credentials-from-configuration?tabs=client-id#managed-identity-as-a-federated-identity-credential) in a JSON format.
372+
338373
## Reporting Issues
339374
[!INCLUDE [Reporting Issues](../../includes/functions-reporting-issues.md)]
340375

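
Review bot: Step 6 of the setup list ("Assign permissions for the enterprise application to access the resource") is the only step with no link and no indication of which role or scope to grant. This is the step that authorizes the cross-tenant principal, so link to the role-assignment guidance and say that the assignment should be limited to the target resource. In the properties table, the three `managedIdentity*` rows carry no **Required** marker even though the footnote says exactly one of them must be specified; marking them "Required (one of)" lets each row read correctly without the footnote. The `azureCloud` allowed values are in plain quotes where the other literal values in the table use backticks.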
articles/backup/azure-data-lake-storage-backup-support-matrix.md

Lines changed: 0 additions & 1 deletion
@@ -57,7 +57,6 @@ Azure Data Lake Storage protection has the following supported scenarios:
5757
- You can protect the storage account with the vault in another subscription but in the same region as storage account.
5858
- Azure Data Lake Storage accounts support both Blob and Data File System (DFS) APIs.
5959
- `$web` container can't be restored as `$web` on the target. Use the **renameTo** option and restore it with a different container name.
60-
- `$root` container can be restored as `$root` on the target only if `$root` doesn't already exist there. If it already exists, use the **renameTo** option and restore it with a different container name.
6160

6261
### Unsupported scenarios and considerations for Azure Data Lake Storage protection
6362

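
Review bot: Deleting the `$root` bullet leaves the list with restore guidance for `$web` but nothing for `$root`, so a reader cannot tell whether restoring `$root` is now unrestricted or unsupported. If the behavior changed, replace the bullet with the current rule instead of removing it; if the `$root` guidance moved elsewhere in the file, that move is not visible in this hunk and is worth naming in the change description.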