Merge branch 'main' into release-aio-2603

Author: v-alje

articles/active-directory-b2c/add-password-change-policy.md

@@ -26,12 +26,12 @@ ms.custom: sfi-image-nochange
 
 [!INCLUDE [active-directory-b2c-choose-user-flow-or-custom-policy](../../includes/active-directory-b2c-choose-user-flow-or-custom-policy.md)]
 
-You can configure Azure Active Directory B2C (Azure AD B2C) so that a user who is signed in with a local account can change their password without using email verification to prove their identity. 
+You can configure Azure Active Directory B2C (Azure AD B2C) to allow users who are signed in with a local account to change their password without using email verification to prove their identity.
 
 The password change flow involves the following steps:
 
 1. The user signs in to their local account. If the session is still active, Azure AD B2C authorizes the user and skips to the next step.
-1. In **Old password**, the user verifies their old password. In **New password**, they create and confirm their new password.
+1. In **Old password**, the user verifies their current password. In **New password**, they create and confirm their new password.
 
    ![Screenshot that shows two numbered dialogs for making a password change.](./media/add-password-change-policy/password-change-flow.png)  
 

articles/active-directory-b2c/add-profile-editing-policy.md

@@ -44,7 +44,7 @@ If you haven't already done so, [register a web application in Azure Active Dire
 
 ## Create a profile editing user flow
 
-If you want to enable users to edit their profile in your application, you use a profile editing user flow.
+To enable users to edit their profile in your application, use a profile editing user flow.
 
 1. In the menu of the Azure AD B2C tenant overview page, select **User flows**, and then select **New user flow**.
 1. On the **Create a user flow** page, select the **Profile editing** user flow. 

articles/app-service/samples-terraform.md

@@ -6,19 +6,20 @@ ms.custom: devx-track-terraform
 
 ms.assetid: 1e5ecfa8-4ab1-47d3-ab23-97abf723516d
 ms.topic: sample
-ms.date: 06/25/2024
+ms.date: 03/16/2026
 author: ericgre
 ms.author: ericg
 ms.service: azure-app-service
 ---
+
 # Terraform samples for Azure App Service
 
 The following table includes links to Terraform scripts.
 
 | Script | Description |
 |-|-|
 |**Create app**||
-| [Create two apps and connect securely with Private Endpoint and VNet integration](./scripts/terraform-secure-backend-frontend.md)| Creates two App Service apps and connect apps together with Private Endpoint and VNet integration. |
+| [Create two apps and connect them securely with Private Endpoint and VNet integration](./scripts/terraform-secure-backend-frontend.md)| Creates two App Service apps and connects the apps together with Private Endpoint and virtual network integration. |
 | [Provision App Service and use slot swap to deploy](/azure/developer/terraform/provision-infrastructure-using-azure-deployment-slots)| Provision App Service infrastructure with Azure deployment slots. |
 | [Create an Azure Windows web app with a backup](./scripts/terraform-backup.md)| Create an Azure Windows web app with a backup schedule. |
 | [Create a Windows container app on App Service](/azure/app-service/provision-resource-terraform?tabs=windows-container)| Create an Azure Windows web app with a backup schedule. |

articles/app-service/scripts/powershell-deploy-private-endpoint.md

@@ -1,10 +1,10 @@
 ---
 title: 'PowerShell: Deploy Private Endpoint for Web App with PowerShell'
-description: Learn how to use PowerShell to deploy Private Endpoint for your Web App.
+description: Use this sample PowerShell script to deploy Private Endpoint for your Web App.
 author: ericgre
 ms.assetid: e1cc08d5-91cf-49d7-8d0a-c0e7bd2046ac
 ms.topic: sample
-ms.date: 12/06/2022
+ms.date: 03/16/2026
 ms.author: ericg
 ms.service: azure-app-service
 ms.custom: devx-track-azurepowershell

articles/app-service/scripts/template-deploy-private-endpoint.md

@@ -1,10 +1,10 @@
 ---
 title: 'Use an Azure Resource Manager template to deploy a private endpoint for a web app'
-description: Learn how to use ARM template to deploy a private endpoint for your web app.
+description: Learn how to use an ARM template to deploy a private endpoint for your web app.
 author: ericgre
 ms.assetid: 49e460d0-7759-4ceb-b5a4-f1357e4fde56
 ms.topic: sample
-ms.date: 07/08/2020
+ms.date: 03/16/2026
 ms.author: ericg
 ms.service: azure-app-service
 ms.custom: devx-track-arm-template
@@ -32,14 +32,14 @@ This template creates a private endpoint for an Azure web app.
 
 Here's how to deploy the Azure Resource Manager template to Azure:
 
-1. To sign in to Azure and open the template, select this link:  [Deploy to Azure](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.web%2Fprivate-endpoint-webapp%2Fazuredeploy.json). The template creates the virtual network, the web app, the private endpoint, and the private DNS zone.
-2. Select or create your resource group.
-3. Enter the name of your web app, Azure App Service plan, and private endpoint.
-5. Read the statement about terms and conditions. If you agree, select **I agree to the terms and conditions stated above** > **Purchase**. The deployment can take several minutes to finish.
+1. To sign in to Azure and open the template, select this link: [Deploy to Azure](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2Fquickstarts%2Fmicrosoft.web%2Fprivate-endpoint-webapp%2Fazuredeploy.json). The template creates the virtual network, the web app, the private endpoint, and the private DNS zone.
+1. Select or create your resource group.
+1. Enter the name of your web app, Azure App Service plan, and private endpoint.
+1. Read the statement about terms and conditions. If you agree, select **I agree to the terms and conditions stated above** > **Purchase**. The deployment can take several minutes to finish.
 
 ## Clean up resources
 
-When you no longer need the resources that you created with the private endpoint, delete the resource group. This removes the private endpoint and all the related resources.
+When you no longer need the resources that you created with the private endpoint, delete the resource group. By removing the resource group, you remove the private endpoint and all the related resources.
 
 To delete the resource group, call the `Remove-AzResourceGroup` cmdlet:
 

articles/azure-netapp-files/azure-netapp-files-resource-limits.md

@@ -24,7 +24,7 @@ The following table describes resource limits for the Flexible, Standard, Premiu
 |  Resource  |  Default limit  |  Adjustable via support request  |
 |----------------|---------------------|--------------------------------------|
 |  [Regional capacity quota per subscription](regional-capacity-quota.md)   |  25 TiB  |  Yes  |
-|  Number of NetApp accounts per Azure region per subscription  |  10    |  Yes   |
+|  Number of NetApp accounts per Azure region per subscription  |  100    |  Yes   |
 |  Number of capacity pools per NetApp account   |    25     |   Yes   |
 |  Number of volumes per subscription   |    500     |   Yes   |
 |  Number of volumes per capacity pool     |    500   |    Yes     |
@@ -43,7 +43,7 @@ The following table describes resource limits for the Flexible, Standard, Premiu
 |  Maximum size of a single file     |    16 TiB    |    No    |    
 |  Maximum size of directory metadata in a single directory      |    320 MB    |    No    |    
 |  Maximum number of files in a single directory  | *Approximately* 4 million. <br> See [Determine if a directory is approaching the limit size](directory-sizes-concept.md#directory-limit).  |    No    |   
-|  Maximum number of `maxfiles` per volume | See [`maxfiles`](maxfiles-concept.md)  | Yes |    
+|  Maximum number of `maxfiles` per volume | See [`maxfiles`](maxfiles-concept.md)  | Yes**** |    
 |  Maximum number of export policy rules per volume     |    5  |    No    | 
 |  Maximum number of quota rules per volume     |   1,000  |    No    | 
 |  Minimum assigned throughput for a manual Quality of Service (QoS) volume     |    1 MiB/s   |    No    |    
@@ -64,6 +64,13 @@ The following table describes resource limits for the Flexible, Standard, Premiu
 
 \*** This feature is available [when cool access is enabled and by request](large-volumes-requirements-considerations.md#requirements-and-considerations-for-large-volumes-up-to-72-pib-preview). When enabled, the minimum size of the volume is 2,400 GiB.
 
+\**** Support request to adjust maxfiles limits is appropriate only when the volume is already provisioned at a size that supports the requested file count. While Azure NetApp Files support can adjust maxfiles limits within supported backend thresholds, these adjustments cannot override the fundamental relationship between volume size and inode capacity. If a workload requires a higher maxfiles limit, then the volume must be provisioned at a size that natively supports that file count. Support requests cannot be used to keep a small volume size while enabling a maxfiles limit that is only supported by a much larger volume. Support requests should not be opened in the following situations as support engineers cannot make backend changes to satisfy the request:
+
+* To avoid increasing volume size
+* To request maxfiles limits that exceed what the current volume size supports
+* To request backend exceptions for inode limits
+
+
 For more information, see [Capacity management FAQs](faq-capacity-management.md).
 
 # [Elastic](#tab/elastic)

articles/data-factory/automatic-connector-upgrade.md

@@ -9,7 +9,7 @@ ms.topic: concept-article
 ms.custom:
   - references_regions
   - build-2025
-ms.date: 01/08/2026
+ms.date: 03/24/2026
 ---
 
 # Automatic connector upgrade
@@ -73,7 +73,7 @@ You can find more details from the table below on the connector list that is pla
 | [Greenplum](connector-greenplum.md) | If your pipeline runs on self-hosted integration runtime, it requires SHIR version 5.56 or above. |
 | [Hive](connector-hive.md) | Scenario that doesn't rely on below capability in Hive (version 1.0):<br><br>• Use Username authentication type.<br>• Thrift transport protocol:<br>&nbsp;&nbsp;• HiveServer1<br>• Service discovery mode: True<br>• Use native query: True <br><br>If your pipeline runs on self-hosted integration runtime, it requires SHIR version 5.59 or above.|
 | [Impala](connector-impala.md) | Scenario that doesn't rely on below capability in Impala (version 1.0):<br><br>• Use SASL Username authentication type.<br><br>If your pipeline runs on self-hosted integration runtime, it requires SHIR version 5.59 or above. |
-| [Jira](connector-jira.md) | Scenario that doesn't rely on below capability in Jira (version 1.0):<br><br>• Use `useEncryptedEndpoints`, `useHostVerification` and `usePeerVerification` as connection properties. <br>• Use `query`. <br><br>The following Jira tables are supported for automatic upgrade:<br>&nbsp;&nbsp;Platform.Api_Groups_Picker, Platform.Api_Issue_Type, Platform.Api_Project, Platform.Api_Field, Platform.Api_Status, Platform.Api_Status_Category, Platform.Api_Project_Type, Platform.Api_Resolution, Platform.Api_Priority, Platform.ApiAllUsers, Platform.Api_Issue_Link_Type, Platform.Api_Role, Platform.Api_Project_Versions, Platform.Api_Component, Platform.Api_Project_IssueTypes, Agile.Agile_Board_Epic, Agile.Agile_Board, Agile.Agile_Board_Sprint, Agile.Agile_Board_Issue, Agile.Agile_Board_Epic_Issue. <br><br>If your pipeline runs on self-hosted integration runtime, it requires SHIR version 5.63 or above. |
+| [Jira](connector-jira.md) | Scenario that doesn't rely on below capability in Jira (version 1.0):<br><br>• Use `useEncryptedEndpoints`, `useHostVerification` and `usePeerVerification` as connection properties. <br>• Use `query`. <br><br>The following Jira tables are supported for automatic upgrade:<br>&nbsp;&nbsp;Platform.Api_Groups_Picker, Platform.Api_Issue_Type, Platform.Api_Project, Platform.Api_Field, Platform.Api_Status, Platform.Api_Status_Category, Platform.Api_Project_Type, Platform.Api_Resolution, Platform.Api_Priority, Platform.ApiAllUsers, Platform.Api_Issue_Link_Type, Platform.Api_Role, Platform.Api_Project_Versions, Platform.Api_Component, Platform.Api_Project_IssueTypes, Platform.Api_Issue, Agile.Agile_Board_Epic, Agile.Agile_Board, Agile.Agile_Board_Sprint, Agile.Column_Config_Columns, Agile.Agile_Board_Issue_Fields_Components, Agile.Agile_Board_Issue_Fields_Closed_Sprints, Agile.AgileBoardProjects. <br><br>If your pipeline runs on self-hosted integration runtime, it requires SHIR version 5.64 or above. |
 | [MariaDB](connector-mariadb.md) | If your pipeline runs on self-hosted integration runtime, it requires SHIR version 5.58 or above. |
 | [MySQL](connector-mysql.md) | If your pipeline runs on self-hosted integration runtime, it requires SHIR version 5.58 or above. |
 | [Netezza](connector-netezza.md) | If your pipeline runs on self-hosted integration runtime, it requires SHIR version 5.59 or above. |

articles/event-grid/authenticate-with-namespaces-using-webhook-authentication.md

@@ -4,7 +4,7 @@ description: This article shows you how to authenticate with Azure Event Grid na
 ms.topic: how-to
 ms.custom:
   - build-2025
-ms.date: 07/30/2025
+ms.date: 03/23/2026
 author: Connected-Seth
 ms.author: seshanmugam
 ---
@@ -47,6 +47,40 @@ az eventgrid namespace update --resource-group <resource group name> --name <nam
 
 For information on how to configure system and user-assigned identities by using the Azure portal, see [Enable managed identity for an Event Grid namespace](event-grid-namespace-managed-identity.md).
 
+## Implementations
+
+### Option 1: Webhook Via Azure Functions implementation (Microsoft Entra App) 
+
+Azure Functions can host the webhook logic using `Microsoft.Identity.Web` to validate token automatically. We need Microsoft Entra app registration for Webhook API for validating Event Grid caller tokens, which has an Application ID URI for token issuance. Client side (Event Grid) already has managed identity. 
+
+**Pros:**
+
+- No infrastructure to manage 
+- Built-in authentication helpers (`Microsoft.Identity.Web`) 
+- Durable, scalable, cost-efficient 
+
+Function must do the following operations: 
+
+- Validate caller token from Event Grid Managed Identity 
+- Validate client Json Web Token (JWT)
+- Return allow or deny JSON 
+
+### Option 2: External HTTPS endpoint implementation 
+
+This implementation can be any external HTTPS Endpoint (any cloud, any backend), using Microsoft Entra ID JWT validation with `Microsoft.IdentityModel` libraries. 
+
+Use any runtime: .NET / Node / Java / Python. 
+
+Key requirements: 
+
+- Must be HTTPS 
+- Must validate caller JWT 
+- Must validate device JWT 
+- Must respond within timeout (~5 sec recommended) 
+
+    :::image type="content" source="./media/authenticate-with-namespaces-using-webhook-authentication/custom-webhook-implementations.svg" alt-text="Diagram that shows custom webhook implementations." lightbox="./media/authenticate-with-namespaces-using-webhook-authentication/custom-webhook-implementations.svg":::
+
+
 ## Grant the managed identity appropriate access to a function or webhook
 
 Grant the managed identity of your Event Grid namespace the appropriate access to the target Azure function or webhook.
@@ -131,7 +165,11 @@ Replace `<NAMESPACE_NAME>` and `<RESOURCE_GROUP_NAME>` with your actual values.
 
 ### Request headers
 
+Azure Event Grid sends the following headers in the request to the webhook:
+
+```
 **Authorization**: Bearer token
+```
 
 The token is a Microsoft Entra token for the managed identity that was configured to call the webhook.
 
@@ -158,9 +196,8 @@ The token is a Microsoft Entra token for the managed identity that was configure
 | `password` | Optional | Password from MQTT CONNECT packet in Base64 encoding. | 
 | `authenticationMethod` | Optional | Authentication method from MQTT CONNECT packet (MQTT5 only). | 
 | `authenticationData` | Optional | Authentication data from MQTT CONNECT packet in Base64 encoding (MQTT5 only). | 
-| `clientCertificate` | Optional | Client certificate in PEM format. | 
+| `clientCertificate` | Optional | Client certificate in Privacy-Enhanced Mail (PEM) format. | 
 | `clientCertificateChain`| Optional | Other certificates provided by the client required to build the chain from the client certificate to the Certificate Authority certificate. | 
-| `userProperties` | Optional | User properties from CONNECT packet (MQTT5 only). | 
 
 ### Response payload 
 
@@ -193,6 +230,20 @@ Content-Type: application/json
 }
 ```
 
+**Error codes:** 
+
+ 
+
+| Authentication Outcome | Function response | Event Grid MQTT reason code |
+|------------------------|-----------------|------------------|
+| Explicit authorization denial | `"decision": "deny"` | Not authorized |
+| Invalid / expired token | `"decision": "deny"` | Not authorized |
+| Function timeout | N/A | Server unavailable |
+| Function exception / crash | N/A | Server unavailable |
+| Transient platform failure | N/A | Server unavailable |
+| Internal broker processing error | N/A | Server unavailable |
+
+
 ### Response field descriptions
 
 | Field             | Description  |