Merge pull request #314669 from ggailey777/paulyuk-fixup

[Functions] UAMI updates from PaulYuk's agents

Author: denrea

articles/azure-functions/functions-bindings-cosmosdb-v2-trigger.md

@@ -14,24 +14,24 @@ This article explains how to work with Azure Functions bindings for IoT Hub. The
 For information on setup and configuration details, see the [overview](functions-bindings-event-iot.md).
 
 > [!IMPORTANT]
-> While the following code samples use the Event Hub API, the given syntax is applicable for IoT Hub functions.
+> While the following code samples use the Event Hubs API, the given syntax is applicable for IoT Hub functions.
 
 [!INCLUDE [functions-bindings-event-hubs](../../includes/functions-bindings-event-hubs-trigger.md)]
 
 ## Connections
 
-The `connection` property is a reference to environment configuration that contains name of an application setting containing a connection string. You can get this connection string by selecting the **Connection Information** button for the [namespace](../event-hubs/event-hubs-create.md#create-an-event-hubs-namespace). The connection string must be for an Event Hubs namespace, not the event hub itself.
+The `connection` property references environment configuration that contains the name of an application setting with a connection string. You get this connection string by selecting the **Connection Information** button for the [namespace](../event-hubs/event-hubs-create.md#create-an-event-hubs-namespace). The connection string must be for an Event Hubs namespace, not the event hub itself.
 
-The connection string must have at least "read" permissions to activate the function. 
+The connection string must have at least **read** permissions to activate the function. 
 
-This connection string should be stored in an application setting with a name matching the value specified by the `connection` property of the binding configuration.
+Store this connection string in an application setting with a name that matches the value you specify in the `connection` property of the binding configuration.
 
 > [!NOTE]  
-> Identity-based connections aren't supported by the IoT Hub trigger. If you need to use managed identities end-to-end, you can instead use IoT Hub Routing to send data to an event hub you control. In that way, outbound routing can be authenticated with managed identity the event can be read [from that event hub using managed identity](functions-bindings-event-hubs-trigger.md?tabs=extensionv5#identity-based-connections).
+> The IoT Hub trigger doesn't support identity-based connections. If you need to use managed identities end-to-end, you can instead use IoT Hub Routing to send data to an event hub you control. In that way, outbound routing can be authenticated by using managed identity and the event is read [from that event hub using managed identity](functions-bindings-event-hubs-trigger.md?tabs=identity-based#connections).
 
 ## host.json properties
 
-The [host.json](functions-host-json.md#eventhub) file contains settings that control Event Hub trigger behavior. See the [host.json settings](functions-bindings-event-iot.md#hostjson-settings) section for details regarding available settings.
+The [host.json](functions-host-json.md#eventhub) file contains settings that control Event Hubs trigger behavior. See the [host.json settings](functions-bindings-event-iot.md#hostjson-settings) section for details regarding available settings.
 
 ## Next steps
 

articles/azure-functions/functions-bindings-event-iot-trigger.md

@@ -197,7 +197,7 @@ Create the queue where your Azure Functions Service Bus trigger gets events:
 1. Select **Create**.
 
 > [!IMPORTANT]
-> This tutorial currently shows you how to connect to Service Bus using a connection string, which requires you to handle a share secret. For improved security, you should instead use managed identities when connecting to Service Bus from your app. For more information, see [Identity-based connections](functions-bindings-service-bus-trigger.md?tabs=extensionv5#identity-based-connections) in the Service Bus binding reference article.
+> This tutorial currently shows you how to connect to Service Bus using a connection string, which requires you to handle a share secret. For improved security, you should instead use managed identities when connecting to Service Bus from your app. For more information, see [Identity-based connections](functions-bindings-service-bus-trigger.md?tabs=identity-based#connections) in the Service Bus binding reference article.
 
 ## Get a Service Bus connection string
 

articles/azure-functions/functions-create-vnet.md

@@ -1,39 +1,61 @@
 ---
-author: mattchenderson
+author: ggailey777
 ms.service: azure-functions
 ms.topic: include
-ms.date: 11/12/2021
-ms.author: mahender
+ms.date: 04/13/2026
+ms.author: glenga
 ms.custom: sfi-ropc-nochange
 ---
 
 ## Connections
 
-The `connectionStringSetting`/`connection` and `leaseConnectionStringSetting`/`leaseConnection` properties are references to environment configuration which specifies how the app should connect to Azure Cosmos DB. They may specify:
+The `connectionStringSetting`/`connection` and `leaseConnectionStringSetting`/`leaseConnection` properties reference environment configuration that specifies how the app connects to Azure Cosmos DB. They can specify:
 
-- The name of an application setting containing a [connection string](#connection-string)
-- The name of a shared prefix for multiple application settings, together defining an [identity-based connection](#identity-based-connections). This option is only available for the `connection` and `leaseConnection` versions from [version 4.x or higher of the extension].
+- The name of an application setting containing a connection string.
+- The name of a shared prefix for multiple application settings, which together define a managed identity connection. This option is only available for the `connection` and `leaseConnection` versions from [version 4.x or higher of the extension].
 
 If the configured value is both an exact match for a single setting and a prefix match for other settings, the exact match is used.
 
-### Connection string
+> [!TIP]
+> Managed identity connections are recommended over connection strings for improved security. Connection strings include credentials that could be exposed, while managed identities eliminate the need to manage secrets.
 
-The connection string for your database account should be stored in an application setting with a name matching the value specified by the connection property of the binding configuration.
+### [Managed identity](#tab/identity-based)
 
-### Identity-based connections
+If you're using [version 4.x or higher of the extension], instead of using a connection string with a secret, you can have the app use a [Microsoft Entra identity](../articles/active-directory/fundamentals/active-directory-whatis.md). To do this, define settings under a common prefix that maps to the connection property in the trigger and binding configuration.
 
-If you are using [version 4.x or higher of the extension], instead of using a connection string with a secret, you can have the app use a [Microsoft Entra identity](../articles/active-directory/fundamentals/active-directory-whatis.md). To do this, you would define settings under a common prefix which maps to the connection property in the trigger and binding configuration.
+In this mode, the extension requires the following application settings:
 
-In this mode, the extension requires the following properties:
+| Template-based setting | Description | Identity type |
+| --- | --- | --- |
+| `<CONNECTION_NAME_PREFIX>__accountEndpoint` | The Azure Cosmos DB account endpoint URI. | System-assigned or user-assigned |
+| `<CONNECTION_NAME_PREFIX>__credential` | Must be set to `managedidentity`. | User-assigned |
+| `<CONNECTION_NAME_PREFIX>__clientId` | The client ID of the user-assigned managed identity. | User-assigned |
 
-| Property                  | Environment variable template                       | Description                                | Example value                                        |
-|---------------------------|-----------------------------------------------------|--------------------------------------------|------------------------------------------------|
-| Account Endpoint | `<CONNECTION_NAME_PREFIX>__accountEndpoint` | The Azure Cosmos DB account endpoint URI. | https://<database_account_name>.documents.azure.com:443/ |
+The value that you replace `<CONNECTION_NAME_PREFIX>` with is treated by the binding extension as the name of the connection setting.
 
-Additional properties may be set to customize the connection. See [Common properties for identity-based connections](../articles/azure-functions/functions-reference.md#common-properties-for-identity-based-connections).
+For example, if your binding configuration specifies `connection = "CosmosDBConnection"` with a user-assigned managed identity, configure the following application settings:
+
+```json
+{
+    "CosmosDBConnection__accountEndpoint": "https://mycosmosdb.documents.azure.com:443/",
+    "CosmosDBConnection__credential": "managedidentity",
+    "CosmosDBConnection__clientId": "00000000-0000-0000-0000-000000000000"
+}
+```
+
+> [!TIP]
+> Use user-assigned managed identities for production scenarios where you need fine-grained control over identity permissions across multiple resources.
+
+You can use additional settings in the template to further customize the connection. See [Common properties for identity-based connections](../articles/azure-functions/functions-reference.md#common-properties-for-identity-based-connections).
 
 [!INCLUDE [functions-identity-based-connections-configuration](./functions-identity-based-connections-configuration.md)]
 
 [!INCLUDE [functions-cosmos-permissions](./functions-cosmos-permissions.md)]
 
+### [Connection string](#tab/connection-string)
+
+Store the connection string for your database account in an application setting with a name that matches the value you specify in the connection property of the binding configuration.
+
+---
+
 [version 4.x or higher of the extension]: ../articles/azure-functions/functions-bindings-cosmosdb-v2.md?tabs=extensionv4

includes/functions-cosmosdb-connections.md

@@ -1,45 +1,67 @@
 ---
-author: mattchenderson
+author: ggailey777
 ms.service: azure-functions
 ms.topic: include
-ms.date: 10/08/2021
-ms.author: mahender
+ms.date: 04/13/2026
+ms.author: glenga
 ---
 
 ## Connections
 
 The `connection` property is a reference to environment configuration which specifies how the app should connect to Event Hubs. It may specify:
 
-- The name of an application setting containing a [connection string](#connection-string)
-- The name of a shared prefix for multiple application settings, together defining an [identity-based connection](#identity-based-connections).
+- The name of an application setting containing a connection string.
+- The name of a shared prefix for multiple application settings, together defining a managed identity connection.
 
 If the configured value is both an exact match for a single setting and a prefix match for other settings, the exact match is used.
 
-### Connection string
+> [!TIP]
+> Managed identity connections are recommended over connection strings for improved security. Connection strings include credentials that could be exposed, while managed identities eliminate the need to manage secrets.
 
-Obtain this connection string by clicking the **Connection Information** button for the [namespace](../articles/event-hubs/event-hubs-create.md#create-an-event-hubs-namespace), not the event hub itself. The connection string must be for an Event Hubs namespace, not the event hub itself.
+### [Managed identity](#tab/identity-based)
 
-When used for triggers, the connection string must have at least "read" permissions to activate the function. When used for output bindings, the connection string must have "send" permissions to send messages to the event stream.
+If you are using [version 5.x or higher of the extension](../articles/azure-functions/functions-bindings-event-hubs.md?tabs=extensionv5), instead of using a connection string with a secret, you can have the app use a [Microsoft Entra identity](../articles/active-directory/fundamentals/active-directory-whatis.md). To do this, you would define settings under a common prefix which maps to the `connection` property in the trigger and binding configuration.
 
-This connection string should be stored in an application setting with a name matching the value specified by the `connection` property of the binding configuration.
+In this mode, the extension requires the following application settings:
 
-### Identity-based connections
+| Template-based setting | Description | Identity type |
+| --- | --- | --- |
+| `<CONNECTION_NAME_PREFIX>__fullyQualifiedNamespace` | The fully qualified Event Hubs namespace. | System-assigned or user-assigned |
+| `<CONNECTION_NAME_PREFIX>__credential` | Must be set to `managedidentity`. | User-assigned |
+| `<CONNECTION_NAME_PREFIX>__clientId` | The client ID of the user-assigned managed identity. | User-assigned |
 
-If you are using [version 5.x or higher of the extension](../articles/azure-functions/functions-bindings-event-hubs.md?tabs=extensionv5), instead of using a connection string with a secret, you can have the app use a [Microsoft Entra identity](../articles/active-directory/fundamentals/active-directory-whatis.md). To do this, you would define settings under a common prefix which maps to the `connection` property in the trigger and binding configuration.
+The value that you replace `<CONNECTION_NAME_PREFIX>` with is treated by the binding extension as the name of the connection setting.
+
+For example, if your binding configuration specifies `connection = "EventHubConnection"` with a user-assigned managed identity, you would configure the following application settings:
 
-In this mode, the extension requires the following properties:
+```json
+{
+    "EventHubConnection__fullyQualifiedNamespace": "myeventhubns.servicebus.windows.net",
+    "EventHubConnection__credential": "managedidentity",
+    "EventHubConnection__clientId": "00000000-0000-0000-0000-000000000000"
+}
+```
 
-| Property   | Environment variable template     | Description     | Example value     |
-|--------------|----------|-----|----------|
-| Fully Qualified Namespace | `<CONNECTION_NAME_PREFIX>__fullyQualifiedNamespace` | The fully qualified Event Hubs namespace. | `myeventhubns.servicebus.windows.net`|
+> [!TIP]
+> Use user-assigned managed identities for production scenarios where you need fine-grained control over identity permissions across multiple resources.
 
-Additional properties may be set to customize the connection. See [Common properties for identity-based connections](../articles/azure-functions/functions-reference.md#common-properties-for-identity-based-connections).
+You can use additional settings in the template to further customize the connection. See [Common properties for identity-based connections](../articles/azure-functions/functions-reference.md#common-properties-for-identity-based-connections).
 
 > [!NOTE]
 > When using [Azure App Configuration](../articles/azure-app-configuration/quickstart-azure-functions-csharp.md) or [Key Vault](/azure/key-vault/general/overview) to provide settings for Managed Identity connections, setting names should use a valid key separator such as `:` or `/` in place of the `__` to ensure names are resolved correctly.
-> 
-> For example, `<CONNECTION_NAME_PREFIX>:fullyQualifiedNamespace`.
+>
+> For example: `EventHubConnection:fullyQualifiedNamespace`
 
 [!INCLUDE [functions-identity-based-connections-configuration](./functions-identity-based-connections-configuration.md)]
 
 [!INCLUDE [functions-event-hubs-permissions](./functions-event-hubs-permissions.md)]
+
+### [Connection string](#tab/connection-string)
+
+Obtain this connection string by clicking the **Connection Information** button for the [namespace](../articles/event-hubs/event-hubs-create.md#create-an-event-hubs-namespace), not the event hub itself. The connection string must be for an Event Hubs namespace, not the event hub itself.
+
+When used for triggers, the connection string must have at least "read" permissions to activate the function. When used for output bindings, the connection string must have "send" permissions to send messages to the event stream.
+
+This connection string should be stored in an application setting with a name matching the value specified by the `connection` property of the binding configuration.
+
+---