Merge branch 'main' into kimberlm/march-2026-updates

Author: kmurphy1000

.openpublishing.publish.config.json

@@ -70,7 +70,7 @@
         },
         {
             "path_to_root": "azure_cli_scripts",
-            "url": "https://github.com/ggailey777/azure-cli-samples",
+            "url": "https://github.com/Azure-Samples/azure-cli-samples",
             "branch": "master",
             "branch_mapping": {}
         },
@@ -236,6 +236,12 @@
           "branch": "main",
           "branch_mapping": {}
         },
+        {
+          "path_to_root": "functions-flex-azure-files-samples",
+          "url": "https://github.com/Azure-Samples/Azure-Functions-Flex-Consumption-with-Azure-Files-OS-Mount-Samples",
+          "branch": "main",
+          "branch_mapping": {}
+        },
         {
           "path_to_root": "functions-quickstart-java-azd",
           "url": "https://github.com/Azure-Samples/azure-functions-java-flex-consumption-azd",

articles/api-management/cors-policy.md

@@ -82,12 +82,16 @@ The `cors` policy adds cross-origin resource sharing (CORS) support to an operat
 |----------|-----------------|--------------|-------------|
 |header|Specifies a header name.|At least one `header` element is required in `allowed-headers` if that section is present.|N/A|
 
+The value `*` indicates all headers.
+
 ### expose-headers elements
 
 |Name|Description|Required|Default|
 |----------|-----------------|--------------|-------------|
 |header|Specifies a header name.|At least one `header` element is required in `expose-headers` if that section is present.|N/A|
 
+The value `*` indicates all headers.
+
 ## Usage
 
 - [**Policy sections:**](./api-management-howto-policies.md#understanding-policy-configuration) inbound

articles/api-management/export-api-postman.md

@@ -48,7 +48,7 @@ To enhance development of your APIs, you can export an API fronted in API Manage
 
 API developers can rapidly iterate on API changes by using Postman's API testing, monitoring, and development capabilities.
 
-APIs developed in Postman can then be exported and imported back into API Management as API revisions. This enables you to develop APIs in Postman and then deploy them to API Management for runtime access and management. [Learn more](https://learning.postman.com/docs/designing-and-developing-your-api/deploying-an-api/deploying-an-api-azure/)
+APIs developed in Postman can then be exported and imported back into API Management as API revisions. This enables you to develop APIs in Postman and then deploy them to API Management for runtime access and management. For more information, see [Deploy to Azure API Management from the Postman API Builder](https://learning.postman.com/v11/docs/integrations/available-integrations/azure-api-management/deploying-an-api-azure).
 
 
 > [!CAUTION]

articles/api-management/llm-content-safety-policy.md

@@ -8,7 +8,7 @@ ms.service: azure-api-management
 ms.collection: ce-skilling-ai-copilot
 ms.custom:
 ms.topic: reference
-ms.date: 09/03/2025
+ms.date: 03/23/2026
 ms.update-cycle: 180-days
 ms.author: danlep
 ---
@@ -17,16 +17,16 @@ ms.author: danlep
 
 [!INCLUDE [api-management-availability-premium-dev-standard-basic-premiumv2-standardv2-basicv2](../../includes/api-management-availability-premium-dev-standard-basic-premiumv2-standardv2-basicv2.md)]
 
-The `llm-content-safety` policy enforces content safety checks on large language model (LLM) requests (prompts) by transmitting them to the [Azure AI Content Safety](/azure/ai-services/content-safety/overview) service before sending to the backend LLM API. When the policy is enabled, and Azure AI Content Safety detects malicious content, API Management blocks the request and returns a `403` error code. 
+The `llm-content-safety` policy enforces content safety checks on large language model (LLM) requests (prompts) or responses (completions) by sending them to the [Azure AI Content Safety](/azure/ai-services/content-safety/overview) service. When you enable the policy and Azure AI Content Safety detects malicious content, API Management blocks the request or response and returns a `403` error code. 
 
 > [!NOTE]
-> The terms _category_ and _categories_ used in API Management are synonymous with _harm category_ and _harm categories_ in the Azure AI Content Safety service. Details can be found on the [Harm categories in Azure AI Content Safety](/azure/ai-services/content-safety/concepts/harm-categories) page.
+> The terms _category_ and _categories_ used in API Management are synonymous with _harm category_ and _harm categories_ in the Azure AI Content Safety service. For more information, see [Harm categories in Azure AI Content Safety](/azure/ai-services/content-safety/concepts/harm-categories).
 
 Use the policy in scenarios such as the following:
 
-* Block requests that contain predefined categories of harmful content or hate speech
-* Apply custom blocklists to prevent specific content from being sent
-* Shield against prompts that match attack patterns
+* Block requests or responses that contain predefined categories of harmful content or hate speech.
+* Apply custom blocklists to prevent specific content from being sent or received.
+* Shield against prompts that match attack patterns.
 
 [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
 
@@ -41,7 +41,7 @@ Use the policy in scenarios such as the following:
 ## Policy statement
 
 ```xml
-<llm-content-safety backend-id="name of backend entity" shield-prompt="true | false" enforce-on-completions="true | false">
+<llm-content-safety backend-id="name of backend entity" shield-prompt="true | false" enforce-on-completions="true | false" window-size="integer" window-overlap-size="integer">
     <categories output-type="FourSeverityLevels | EightSeverityLevels">
         <category name="Hate | SelfHarm | Sexual | Violence" threshold="integer" />
         <!-- If there are multiple categories, add more category elements -->
@@ -60,8 +60,10 @@ Use the policy in scenarios such as the following:
 | Attribute           | Description                                                                                           | Required | Default |
 | -------------- | ----------------------------------------------------------------------------------------------------- | -------- | ------- |
 | backend-id	| Identifier (name) of the Azure AI Content Safety backend to route content-safety API calls to. Policy expressions are allowed.	|  Yes	| N/A |
-| shield-prompt	| If set to `true`, content is checked for user attacks. Otherwise, skip this check. Policy expressions are allowed.	| No	| `false` |
-| enforce-on-completions| If set to `true`, content safety checks are enforced on chat completions for response validation. Otherwise, skip this check. Policy expressions are allowed.	| No	| `false` |
+| shield-prompt	| If set to `true`, check content for user attacks. Otherwise, skip this check. Policy expressions are allowed.	| No	| `false` |
+| enforce-on-completions| If set to `true` when you set the policy in the inbound section for content safety checks on requests, enforce content safety checks also on chat completions for response validation. When you set the policy in the outbound section for content safety checks on responses, this attribute is ignored. Policy expressions are allowed.	| No	| `false` |
+| window-size | The size of the text window in characters that the policy sends to Azure AI Content Safety for evaluation. Configurable only for responses; for requests, the default window size is always used. Policy expressions are allowed. | No | 10,000 characters (Azure AI Content Safety limit) |
+| window-overlap-size | The size of the overlap in characters between text windows when the content is split by using the `window-size` attribute. If you don't specify a value, windows don't overlap. Policy expressions are allowed. | No | N/A |
 
 
 ## Elements
@@ -83,24 +85,25 @@ Use the policy in scenarios such as the following:
 | Attribute           | Description                                                                                           | Required | Default |
 | -------------- | ----------------------------------------------------------------------------------------------------- | -------- | ------- |
 | name	| Specifies the name of this category. The attribute must have one of the following values: `Hate`, `SelfHarm`, `Sexual`, `Violence`. Policy expressions are allowed.	| Yes	| N/A |
-| threshold	| Specifies the threshold value for this category at which request are blocked. Requests with content severities less than the threshold aren't blocked. The value must be between 0 (most restrictive) and 7 (least restrictive). Policy expressions are allowed.	| Yes	| N/A |
+| threshold	| Specifies the threshold value for this category at which requests or responses are blocked. Requests with content severities less than the threshold aren't blocked. The value must be between 0 (most restrictive) and 7 (least restrictive). Policy expressions are allowed.	| Yes	| N/A |
 
 
 ## Usage
 
-- [**Policy sections:**](./api-management-howto-policies.md#understanding-policy-configuration) inbound
+- [**Policy sections:**](./api-management-howto-policies.md#understanding-policy-configuration) inbound, outbound
 - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API
 - [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted, workspace
 
 ### Usage notes
 
-* The policy runs on a concatenation of all text content in a completion or chat completion request.
-* If the request exceeds the character limit of Azure AI Content Safety, a `403` error is returned.
-* This policy can be used multiple times per policy definition.
+* Configure the policy in the inbound section to check requests and in the outbound section to check responses.
+* For streaming responses, the stream handler buffers events in a sliding window and, if a content safety violation is detected, stops forwarding further events to the client. A `403` error isn't returned in this case. 
+* If the request or response exceeds the character limit of Azure AI Content Safety, the policy returns a `403` error.
+* You can use this policy multiple times per policy definition.
 
 ## Example
 
-The following example enforces content safety checks on LLM requests using the Azure AI Content Safety service. The policy blocks requests that contain speech in the `Hate` or `Violence` category with a severity level of 4 or higher. In other words, the filter allows levels 0-3 to continue whereas levels 4-7 are blocked. Raising a category's threshold raises the tolerance and potentially decreases the number of blocked requests. Lowering the threshold lowers the tolerance and potentially increases the number of blocked requests. The `shield-prompt` attribute is set to `true` to check for adversarial attacks.
+The following example, when configured in the inbound section, enforces content safety checks on LLM requests by using the Azure AI Content Safety service. The policy blocks requests that contain speech in the `Hate` or `Violence` category with a severity level of 4 or higher. In other words, the filter allows levels 0-3 to continue whereas levels 4-7 are blocked. Raising a category's threshold raises the tolerance and potentially decreases the number of blocked requests. Lowering the threshold lowers the tolerance and potentially increases the number of blocked requests. The `shield-prompt` attribute is set to `true` to check for adversarial attacks.
 
 ```xml
 <policies>
@@ -117,7 +120,7 @@ The following example enforces content safety checks on LLM requests using the A
 
 ## Related policies
 
-* [Content validation](api-management-policies.md#content-validation)
+* [Content validation](api-management-policies.md#content-validation) policies
 * [llm-token-limit](llm-token-limit-policy.md) policy
 * [llm-emit-token-metric](llm-emit-token-metric-policy.md) policy
 

articles/application-gateway/for-containers/application-gateway-for-containers-components.md

@@ -5,7 +5,7 @@ services: application-gateway
 author: mbender-ms
 ms.service: azure-appgw-for-containers
 ms.topic: concept-article
-ms.date: 12/05/2025
+ms.date: 3/25/2026
 ms.author: mbender
 # Customer intent: "As a cloud architect, I want to understand the components of Application Gateway for Containers, so that I can effectively configure and manage traffic routing to backend services in my cloud deployment."
 ---
@@ -138,3 +138,32 @@ Application Gateway for Containers enforces the following timeouts as it initiat
 
 > [!NOTE]
 > Request timeout strictly enforces the request to complete in the defined time irrespective if data is actively streaming or the request is idle. For example, if you're serving large file downloads and you expect transfers to take greater than 60 seconds due to size or slow transfer rates, consider increasing the request timeout value or setting it to 0.
+
+## Connectivity
+
+The following connectivity requirements are needed for successful operation of Application Gateway for Containers.
+
+### ALB controller outbound connectivity
+
+|Endpoint|Port|Purpose|
+|--|--|--|
+| management.azure.com | TCP 443 | Azure ARM API |
+| login.microsoftonline.com | TCP 443 | Entra AD authentication |
+| *.oic.prod-aks.azure.com | TCP 443 | AKS OIDC issuer (Workload Identity) |
+| *.alb.azure.com | TCP 443 | Configuration Endpoint |
+| mcr.microsoft.com | TCP 443 | Container images for helm deployment |
+| DNS Resolution | UDP 53 | In a default AKS deployment, ALB Controller will query coreDNS/kube-dns within the cluster |
+
+### ALB controller inbound connectivity
+
+>[!Note]
+>These inbound ports are exposed via ClusterIP Service and not published directly to the internet. They are exposed to help with troubleshooting / diagnostics and may be blocked with network policy if desired.
+
+|Port|Name|Purpose|
+|--|--|--|
+| TCP 8000 | backend health | Backend health endpoint (/backendHealth) |
+| TCP 8001 | metrics | Prometheus metrics endpoint (/metrics) |
+
+### Frontend connectivity
+
+Each frontend for Application Gateway for Containers is in the format of `*.fzXX.alb.azure.com`, where XX are numeric digits 0-99.  Frontends may only listen on port 443 and 80.

articles/azure-functions/TOC.yml

@@ -28,9 +28,9 @@
     - name: Scalable web API
       displayName: Flex Consumption plan
       href: create-first-function-azure-developer-cli.md
-    - name: Process file uploads
-      displayName: storage, blob, Event Grid
-      href: scenario-blob-storage-events.md  
+    - name: Respond to blob storage events
+      displayName: storage, blob, Event Grid, file uploads
+      href: scenario-blob-storage-events.md
     - name: AI tools and MCP
       items:
       - name: Custom remote MCP server
@@ -117,9 +117,7 @@
     href: functions-twitter-email.md
   - name: Host MCP servers for AI-enabled functions
     displayName: agent, agentic, Foundry
-    href: functions-mcp-tutorial.md 
-  - name: Develop Python functions with VS Code
-    href: ./create-first-function-vs-code-python.md
+    href: functions-mcp-tutorial.md
   - name: Create serverless APIs using Visual Studio
     displayName: OpenAPI, Swagger
     href: openapi-apim-integrate-visual-studio.md
@@ -147,8 +145,8 @@
     href: functions-event-grid-blob-trigger.md
   - name: Image resize with Event Grid
     href: ../event-grid/resize-images-on-storage-blob-upload-event.md?toc=/azure/azure-functions/toc.json&bc=/azure/azure-functions/breadcrumb/toc.json
-  - name: Create a serverless web app
-    href: /training/modules/automatic-update-of-a-webapp-using-azure-functions-and-signalr/
+  - name: Real-time serverless app with SignalR
+    href: /azure/azure-signalr/signalr-tutorial-authenticate-azure-functions?toc=/azure/azure-functions/toc.json&bc=/azure/azure-functions/breadcrumb/toc.json
   - name: Data + AI
     items:
     - name: Azure OpenAI for text completion
@@ -159,6 +157,14 @@
       href: machine-learning-pytorch.md
   - name: Functions on IoT Edge device
     href: ../iot-edge/tutorial-deploy-function.md?toc=/azure/azure-functions/toc.json&bc=/azure/azure-functions/breadcrumb/toc.json
+  - name: Azure Files storage mounts
+    items:
+    - name: Process images with FFmpeg on a mounted share
+      displayName: Azure Files, storage mount, ffmpeg, Flex Consumption
+      href: tutorial-ffmpeg-processing-azure-files.md
+    - name: Durable text analysis on a mounted share
+      displayName: Azure Files, storage mount, Durable Functions, Flex Consumption
+      href: durable/tutorial-durable-text-analysis-azure-files.md?toc=/azure/azure-functions/toc.json&bc=/azure/azure-functions/breadcrumb/toc.json
   - name: Java with Azure Cosmos DB and Event Hubs
     href: functions-event-hub-cosmos-db.md
 - name: Samples
@@ -198,6 +204,9 @@
     - name: Storage considerations
       displayName: encryption, keys, mount, files
       href: storage-considerations.md
+    - name: Choose a file access strategy
+      displayName: Azure Files, storage mount, bindings, file mounts, file access, shared files
+      href: concept-file-access-options.md
     - name: Error handling and function retries
       displayName: best practices, retry policies
       href: functions-bindings-error-pages.md