Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into ps-freshness

halkazwini · halkazwini · commit a91d7b6f04b4 · 2026-02-25T12:41:38.000-06:00
diff --git a/articles/communication-services/concepts/interop/tpe/teams-phone-extensibility-capabilities.md b/articles/communication-services/concepts/interop/tpe/teams-phone-extensibility-capabilities.md
@@ -62,7 +62,7 @@ The following list of capabilities is supported for scenarios where at least one
 | | Cancel all Media Operations | ❌ | ✔️ |
 | | Start continuous DTMF Recognition from end user | N/A  | ✔️ |
 | | Stream real-time transcript of the call to a WebSocket | N/A | ✔️ |
-| | Mute other VoIP participants (such as other agents) | ✔️ | ✔️ |
+| | Mute other VoIP participants (such as other agents) | ✔️ | ❌ |
 | | Mute other PSTN users | ❌ | ❌ |
 | | [Dial-pad commands](/microsoftteams/audio-conferencing-common-questions#what-in-meeting-dial-pad-commands-are-supported) for PSTN users | ❌ | ❌ |
 | | Place call on hold and take call off hold (1:1 call only) | ✔️ | ❌ |
diff --git a/articles/firewall/change-sku.md b/articles/firewall/change-sku.md
@@ -5,7 +5,7 @@ services: firewall
 author: duongau
 ms.service: azure-firewall
 ms.topic: how-to
-ms.date: 09/29/2025
+ms.date: 02/21/2026
 ms.author: duau
 ms.custom:
   - devx-track-azurepowershell
@@ -33,7 +33,7 @@ Before you begin, make sure you have:
 - A planned maintenance window (for manual migration method)
 
 > [!IMPORTANT]
-> This article applies to Azure Firewall Standard and Premium SKUs only. [Azure Firewall Basic SKU](overview.md#azure-firewall-basic) doesn't support SKU changes and must be migrated to Standard SKU first before any upgrade to Premium. Always perform SKU change operations during scheduled maintenance times and test the process thoroughly in a nonproduction environment first.
+> This article applies primarily to Azure Firewall Standard and Premium SKUs. [Azure Firewall Basic SKU](overview.md#azure-firewall-basic) doesn't support direct change to Premium SKU and must be migrated to Standard SKU first before any upgrade to Premium. Downgrading from Azure Firewall Premium or Standard to Basic is supported only through PowerShell or Terraform. Always perform SKU change operations during scheduled maintenance times and test the process thoroughly in a nonproduction environment first.
 
 ## Easy SKU change method (recommended)
 
@@ -46,7 +46,7 @@ Use the easy SKU change method when:
 - Your firewall is deployed in a supported region  
 - You want to minimize downtime (zero downtime with this method)
 - You have a standard deployment without complex custom configurations
-- **For downgrade**: Your Premium policy doesn't use Premium-exclusive features that are incompatible with Standard
+- **For downgrade**: A firewall policy created for a higher SKU (Premium or Standard) can't be attached to a lower SKU firewall. To downgrade, you must create a new firewall policy or use an existing policy that is compatible with the target SKU.
 
 ### Policy considerations for SKU changes
 
@@ -74,7 +74,6 @@ When downgrading from Premium to Standard, consider the following policy require
 **Policy handling options:**
 - **Use existing Standard policy**: Select a preexisting Standard policy that doesn't contain Premium features
 - **Create new Standard policy**: The system can create a new Standard policy, automatically removing Premium-specific features
-- **Modify current policy**: Manually remove Premium features from your current policy before downgrade
 
 ### Change SKU using the Azure portal
 
@@ -88,7 +87,7 @@ To change your firewall SKU using the Azure portal:
 1. In the SKU change dialog box, select **Premium** as the target SKU.
 1. Choose your policy option:
    - Select an existing Premium policy, or
-   - Allow the system to upgrade your current Standard policy to Premium
+   - Create a new Premium policy and select it.
 1. Select **Save** to begin the upgrade.
 
 #### Downgrade to Standard
@@ -110,22 +109,22 @@ The SKU change process typically completes within a few minutes with zero downti
 ### PowerShell and Terraform SKU change
 
 You can also perform SKU changes using:
-- **PowerShell**: Change the `sku_tier` property to "Premium" or "Standard"
+- **PowerShell**: Change the `sku_tier` property to "Premium", "Standard" or "Basic"
 - **Terraform**: Update the `sku_tier` attribute in your configuration to the desired SKU
 
 ### Limitations
 
 The easy SKU change method has the following limitations:
 
 **General limitations:**
-- Doesn't support [Azure Firewall Basic SKU](overview.md#azure-firewall-basic) - Basic SKU users must migrate to Standard first
+- Doesn't support direct upgrades from [Azure Firewall Basic SKU](overview.md#azure-firewall-basic) - Basic SKU users must migrate to Standard first
 - Not available for firewalls with certain complex configurations
 - Limited availability in some regions
 - Requires existing firewall policy (not available for Classic rules)
 
 **Downgrade-specific limitations:**
 - Premium features (TLS inspection, IDPS Alert and Deny mode, URL filtering, web categories) must be removed before downgrade
-- If your Premium policy contains incompatible features, you must modify the policy or create a new Standard policy
+- For the new Firewall SKU, you mustuse an existing compatible policy or create a new Standard policy
 - Some rule configurations might need manual adjustment after downgrade
 
 If the easy SKU change method isn't available for your scenario, use the manual migration method described in the next section.
@@ -426,7 +425,6 @@ If you're unable to downgrade from Premium to Standard:
 
 2. **Policy modification options**:
    - Create a new Standard policy without Premium features
-   - Modify your existing policy to remove Premium features
    - Use Azure PowerShell to identify and remove incompatible rules
 
 3. **Validation steps**:
diff --git a/articles/storage/files/storage-files-identity-ad-ds-update-password.md b/articles/storage/files/storage-files-identity-ad-ds-update-password.md
@@ -4,27 +4,28 @@ description: Learn how to update the password of the Active Directory Domain Ser
 author: khdownie
 ms.service: azure-file-storage
 ms.topic: how-to
-ms.date: 11/26/2025
+ms.date: 02/25/2026
 ms.author: kendownie
 # Customer intent: As a storage administrator, I want to update the password of the Active Directory Domain Services identity that represents my storage account, so that I can maintain Kerberos authentication and ensure uninterrupted access to Azure file shares.
 ---
 
-# Update the password of your storage account identity in AD DS
+# Update the password for your storage account identity in AD DS
 
 **Applies to:** :heavy_check_mark: SMB Azure file shares
 
-When you domain join your storage account in your Active Directory Domain Services (AD DS), you create an AD principal, either a computer account or service account, with a password. The password of the AD principal is one of the Kerberos keys of the storage account. Depending on the password policy of the organization unit of the AD principal, you must periodically rotate the password of the AD principal to avoid authentication issues. Failing to change the password before it expires could result in losing Kerberos authentication to your Azure file shares. Some AD environments may also delete AD principals with expired passwords using an automated cleanup script.
+When you domain join your storage account in your Active Directory Domain Services (AD DS), you create an AD principal, either a computer account or service account, with a password. The password for the AD principal is one of the Kerberos keys for the storage account. Depending on the password policy of the organizational unit for the AD principal, you must periodically rotate the password to avoid authentication problems. If you don't change the password before it expires, you lose Kerberos authentication to your Azure file shares. Some AD environments also delete AD principals with expired passwords by using an automated cleanup script.
 
 Instead of periodically rotating the password, you can also place the AD principal that represents the storage account into an organizational unit that doesn't require password rotation.
 
-There are two options for triggering password rotation. You can use the `AzFilesHybrid` module or Active Directory PowerShell. Use one method, not both.
+Two options exist for triggering password rotation. You can use the `AzFilesHybrid` module or Active Directory PowerShell. Use one method, not both.
 
 ## Option 1: Use AzFilesHybrid module
-To regenerate and rotate the password of the AD principal that represents the storage account, use the `Update-AzStorageAccountADObjectPassword` cmdlet from the [AzFilesHybrid module](https://github.com/Azure-Samples/azure-files-samples/releases). To execute `Update-AzStorageAccountADObjectPassword`, you must:
+
+To regenerate and rotate the password for the AD principal that represents the storage account, use the `Update-AzStorageAccountADObjectPassword` cmdlet from the [AzFilesHybrid module](https://github.com/Azure-Samples/azure-files-samples/releases). To run `Update-AzStorageAccountADObjectPassword`, you must:
 
 - Run the cmdlet from a domain-joined client.
-- Have the owner permission on the storage account. 
-- Have AD DS permissions to change the password of the AD principal that represents the storage account.
+- Have the owner permission on the storage account.
+- Have AD DS permissions to change the password for the AD principal that represents the storage account.
 
 ```PowerShell
 # Update the password of the AD DS account registered for the storage account
@@ -35,14 +36,14 @@ Update-AzStorageAccountADObjectPassword `
         -StorageAccountName "<your-storage-account-name-here>"
 ```
 
-After you rotate to kerb2, we recommend waiting several hours and using `Update-AzStorageAccountADObjectPassword` cmdlet again regenerate and rotate back to kerb1, such that both Kerberos keys are regenerated.
+After you rotate to kerb2, wait several hours and use the `Update-AzStorageAccountADObjectPassword` cmdlet again to regenerate and rotate back to kerb1, so both Kerberos keys are regenerated.
 
 ## Option 2: Use Active Directory PowerShell
 
 If you don't want to download the `AzFilesHybrid` module, you can use [Active Directory PowerShell](/powershell/module/activedirectory).
 
 > [!IMPORTANT]
-> The Windows Server Active Directory PowerShell cmdlets in this section must be run in Windows PowerShell 5.1 with elevated privileges.
+> You must run the Windows Server Active Directory PowerShell cmdlets in this section in PowerShell 5.1 with elevated privileges.
 
 Replace `<domain-object-identity>` in the following script with the appropriate value for your environment:
 
@@ -57,9 +58,8 @@ Set-ADAccountPassword -Identity <domain-object-identity> -Reset -NewPassword $Ne
 
 ## Test that the AD DS account password matches a Kerberos key
 
-After you update the AD DS account password, you can test it using the following PowerShell command.
+After you update the AD DS account password, test it by using the following PowerShell command.
 
 ```powershell
  Test-AzStorageAccountADObjectPasswordIsKerbKey -ResourceGroupName "<your-resource-group-name>" -Name "<your-storage-account-name>" -Verbose
 ```
-
diff --git a/articles/synapse-analytics/cicd/continuous-integration-delivery.md b/articles/synapse-analytics/cicd/continuous-integration-delivery.md
@@ -253,6 +253,11 @@ You can choose the operation types based on the use case. Following part is an e
 > In CI/CD scenarios, the integration runtime type in different environments must be the same. For example, if you have a self-hosted integration runtime in the development environment, the same integration runtime must be self-hosted in other environments, such as in test and production. Similarly, if you're sharing integration runtimes across multiple stages, the integration runtimes must be linked and self-hosted in all environments, such as in development, test, and production.
 >           
 > Currently, the DevOps Service Connection with **Workload Identity Federation (WIF)** is not supported in Synapse Workspace deployment extension. Switch to secret mode to make the connection successful.
+> 
+> For secure, secretless alternatives that fully support Workload Identity Federation (WIF), use the [AzureCLI@2](/azure/devops/pipelines/tasks/reference/azure-cli-v2) or [PowerShell](/azure/devops/pipelines/tasks/reference/powershell-v2)
+> pipeline tasks with a federated service connection, as described in [Connect to Azure using Workload Identity Federation](https://learn.microsoft.com/azure/devops/pipelines/library/connect-to-azure?view=azure-devops).
+>
+> These tasks support secretless authentication and can execute Synapse deployment commands (`az synapse pipeline create`, `az synapse artifact publish`) while maintaining the same deployment flow.
 
 ### Create a release for deployment
 
