Merge pull request #310383 from MicrosoftDocs/main

Auto Publish – main to live - 2026-01-12 18:00 UTC

Author: learn-build-service-prod[bot]

articles/app-service/includes/configure-azure-storage/azure-storage-linux-container-pivot.md

@@ -203,6 +203,46 @@ To validate that the Azure Storage is mounted successfully for the app:
    tcpping Storageaccount.file.core.windows.net 
    ```
 
+### Storage mount health checks and auto‑recovery
+
+Azure App Service includes a built‑in health‑check mechanism to ensure that mounted Azure Storage volumes (Azure Files or Azure Blob) remain accessible and responsive. This system helps prevent application hangs caused by stale or disconnected storage mounts.
+
+#### How the health check works
+
+1. **Periodic I/O test**  
+   App Service periodically performs file I/O on a marker file named `__lastCheckTime.txt`.  
+   - **Location:** A `LogFiles` subdirectory under the mounted path (for example, `/mount/path/LogFiles/__lastCheckTime.txt`).  
+   - **Behavior:**  
+     - A read operation is attempted on this file.  
+     - The file does *not* need to exist—“file not found” is treated as a successful check.
+
+2. **Frequency**  
+   The check runs every **5 seconds** by default.
+
+3. **Failure handling**  
+   - Each failed or timed‑out check increments a *failed ping counter*.  
+   - When failures exceed the configured threshold:  
+     - **Azure Files:** 18 failed pings  
+     - **Azure Blob:** 15 failed pings  
+   - The mount is marked **Faulted**, and **App Service automatically restarts the app** to restore connectivity to the share.
+
+#### Configuration via App Settings
+
+You can customize health‑check behavior using the following app settings.
+
+| Storage type | Setting name | Default value | Description |
+|--------------|--------------|---------------|-------------|
+| Azure Files | `WEBSITE_BYOS_FILES_HEALTH_CHECK_FREQUENCY` | `5` | Interval in seconds between health checks. |
+| Azure Files | `WEBSITE_BYOS_FILES_MAX_FAILED_PINGS` | `18` | Number of consecutive failures before marking the volume as faulted. |
+| Azure Files | `WEBSITE_BYOS_FILES_AUTO_RECOVERY_ENABLED` | `true` | Set to `false` to disable auto‑recovery logic. |
+| Azure Blob | `WEBSITE_BYOS_BLOB_HEALTH_CHECK_FREQUENCY` | `5` | Interval in seconds between health checks. |
+| Azure Blob | `WEBSITE_BYOS_BLOB_MAX_FAILED_PINGS` | `15` | Number of consecutive failures before marking the volume as faulted. |
+| Azure Blob | `WEBSITE_BYOS_BLOB_AUTO_RECOVERY_ENABLED` | `true` | Set to `false` to disable auto‑recovery logic. |
+
+#### Notes
+- Auto‑recovery helps prevent long‑running application hangs caused by unresponsive storage paths.  
+- Disabling auto‑recovery is not recommended unless troubleshooting specific mount behavior.
+
 ## Best practices
 
 ### Performance

articles/app-service/overview-managed-instance.md

@@ -3,7 +3,7 @@ title: Managed Instance on App Service overview (preview)
 description: Managed Instance on Azure App Service is a specialized hosting option that provides isolation, customization, and secure integration with Azure resources, ideal for legacy, and infrastructure-dependent web apps.
 keywords: app service, azure app service, managed instance, isolation, vnet integration, registry, COM, RDP, installation scripts, key vault, pv4, pmv4, windows services, GAC, third-party dependencies
 ms.topic: overview
-ms.date: 11/08/2025
+ms.date: 01/09/2026
 ms.author: msangapu
 author: msangapu-msft
 ms.service: azure-app-service
@@ -95,7 +95,7 @@ Managed Instance provides plan-level configuration through:
 |-----------|---------|
 | **Platform** | • Windows only (no Linux/containers)<br>• Not available in ASE |
 | **SKUs** | Pv4 and Pmv4 only |
-| **Regions** | East Asia, West Central US, North Europe, East US |
+| **Regions** | East Asia, West Central US, North Europe, East US, Australia East |
 | **Authentication** | Entra ID and Managed Identity only (no domain join/NTLM/Kerberos) |
 | **Workloads** | Web apps only (no WebJobs, TCP/NetPipes) |
 | **Configuration** | Persistent changes require scripts (RDP is diagnostics-only) |
@@ -114,4 +114,4 @@ Managed Instance provides plan-level configuration through:
 - [Managed Instance Quickstart](quickstart-managed-instance.md)
 - [App Service overview](overview.md)
 - [Configure Managed Instance](configure-managed-instance.md)
-- [App Service Environment comparison](./environment/overview.md)
+- [App Service Environment comparison](./environment/overview.md)

articles/azure-resource-manager/bicep/diagnostics/bcp337.md

@@ -6,7 +6,7 @@ ms.date: 12/03/2025
 ms.custom: devx-track-bicep
 ---
 
-# BCP337
+# Bicep diagnostic code - BCP337
 
 This diagnostic occurs when an invalid declaration type is found in a Bicep parameters file. 
 

articles/azure-resource-manager/bicep/diagnostics/bcp338.md

@@ -6,7 +6,7 @@ ms.date: 10/30/2025
 ms.custom: devx-track-bicep
 ---
 
-# BCP338
+# Bicep diagnostic code - BCP338
 
 This diagnostic occurs when Bicep can't resolve a parameter name in a Bicep parameters file.
 

articles/azure-vmware/faq.yml

@@ -177,7 +177,35 @@ sections:
 
       - question: What about support for ISV backup solutions?
         answer: As these backup solutions are installed and managed by customers, they can reach out to the respective ISV for support. 
-   
+
+  - name: Reliability and availability
+    questions:
+
+      - question: Can I deploy a stretched cluster across availability zones for higher availability?
+        answer: Azure VMware Solution supports stretched clusters across availability zones in supported Azure regions and configurations. Availability varies by Azure VMware Solution generation and region. For more information, see [Deploy a stretched cluster](deploy-vsan-stretched-clusters.md).
+
+      - question: Does Azure VMware Solution Gen2 support Availability Zones?
+        answer: Yes. In Azure VMware Solution Gen2, you can select the Availability Zone where your private cloud is deployed (subject to capacity availability in that zone). You can also deploy separate private clouds in different Availability Zones as part of a disaster recovery (DR) or high-availability strategy.
+
+      - question: Does Azure VMware Solution Gen2 support vSAN stretched clusters across Availability Zones?
+        answer: No. vSAN stretched clusters (a single private cloud stretched across two Availability Zones) aren't supported on Azure VMware Solution Gen2 today.
+
+      - question: In Azure VMware Solution Gen1, can I choose the Availability Zone for my private cloud?
+        answer: No. In Azure VMware Solution Gen1, selecting an Availability Zone isn't supported when deploying a private cloud.
+
+      - question: In Azure VMware Solution Gen1 stretched clusters, what happens if the Availability Zone hosting the vSAN witness becomes unavailable?
+        answer: |
+          Azure VMware Solution Gen1 uses a single vSAN witness that is statically placed in a specific Availability Zone within a region. If the Availability Zone hosting the witness becomes unavailable, the witness becomes unreachable.
+
+          As long as sufficient data replicas remain available, data hosts and running workloads continue operating without immediate data loss. However, vSAN loses quorum awareness in this state, which prevents it from safely making placement and recovery decisions and causes certain operations (such as VM power-on after failures, rebalancing, and repairs) to be blocked.
+
+          The witness isn't automatically recreated or moved to another Availability Zone during this time.
+
+      - question: Do four-zone Azure regions change how Azure VMware Solution uses Availability Zones?
+        answer: No. Azure VMware Solution remains unaffected. Availability Zone capabilities depend on what Azure VMware Solution supports in that region and available capacity.
+
+      - question: Are there built-in capabilities to run workloads across multiple Azure VMware Solution private clouds for DR/HA?
+        answer: No. Deploying workloads across multiple private clouds (for example, across Availability Zones) typically requires customer-managed orchestration and replication. For DR, customers commonly use third-party solutions such as Jetstream, Zerto, or Azure Site Recovery, based on workload requirements.
 
   - name: Networking and interconnectivity
     questions:
@@ -330,7 +358,7 @@ sections:
         answer: No. We currently don't support cloudadmin extension privileges and have no plans to support it.   
 
 
-  - name: CSP and multi-tenancy
+  - name: CSP and multitenancy
     questions:
 
       - question: Does Azure VMware Solution provide an option for hoster partners to resell the service?

articles/backup/soft-delete-azure-backup-faq.yml

@@ -4,7 +4,7 @@ metadata:
   description: Answers to common questions about the security feature - soft delete.
   ms.topic: faq
   ms.service: azure-backup
-  ms.date: 01/31/2025
+  ms.date: 01/12/2026
   author: AbhishekMallick-MS
   ms.author: v-mallicka
 
@@ -33,7 +33,7 @@ sections:
       - question: |
           Can I perform a restore operation when my data is in soft delete state?
         answer: |
-          No, you need to undelete the soft deleted resource in order to restore. The undelete operation will bring the resource back into the **Stop protection with retain data state** where you can restore to any point in time. Garbage collector remains paused in this state.
+          No, you need to undelete the soft deleted resource in order to restore. The undelete-operation will bring the resource back into the **Stop protection with retain data state** where you can restore to any point in time. Garbage collector remains paused in this state.
 
       - question: |
           Will my snapshots follow the same lifecycle as my recovery points in the vault?
@@ -43,7 +43,7 @@ sections:
       - question: |
           How can I trigger the scheduled backups again for a soft-deleted resource?
         answer: |
-          Undelete followed by a resume operation will protect the resource again. The resume operation associates a backup policy to trigger the scheduled backups with the selected retention period. Also, the garbage collector runs as soon as the resume operation completes. If you wish to perform a restore from a recovery point that's past its expiration date, you're advised to do it before triggering the resume operation.
+          Undelete followed by a resume operation will protect the resource again. The resume-operation associates a backup policy to trigger the scheduled backups with the selected retention period. Also, the garbage collector runs as soon as the resume-operation completes. If you wish to perform a restore from a recovery point that's past its expiration date, you're advised to do it before triggering the resume-operation.
 
       - question: |
           Can I delete my vault if there are soft-deleted items in the vault?
@@ -53,7 +53,7 @@ sections:
       - question: |
           Can I delete the data earlier than the 14 days soft-delete period after deletion?
         answer: |
-          No. You can't force-delete the soft-deleted items. They're automatically deleted after 14 days. This security feature is enabled to safeguard the backed-up data from accidental or malicious deletes.  You should wait for 14 days before performing any other action on the item.  Soft-deleted items won't be charged.  If you need to reprotect the items marked for soft-delete within 14 days in a new vault, then contact Microsoft support.
+          No. You can't force-delete the soft-deleted items. They're automatically deleted after 14 days. This security feature is enabled to safeguard the backed-up data from accidental or malicious deletes. You should wait for 14 days before performing any other action on the item. Soft-deleted items won't be charged.  If you need to reprotect the items marked for soft-delete within 14 days in a new vault, then contact Microsoft support.
 
       - question: |
           Can soft delete operations be performed in PowerShell or CLI?
@@ -63,4 +63,5 @@ sections:
 additionalContent: |
 
   ## Next steps
-  [Manage the soft delete features in Azure Backup](backup-azure-security-feature-cloud.md).
+  - [Manage the soft delete features in Azure Backup](backup-azure-security-feature-cloud.md).
+  - [About enhanced soft delete for Azure Backup](backup-azure-enhanced-soft-delete-about.md).

articles/communication-services/quickstarts/tpe/teams-phone-extensibility-quickstart.md

@@ -166,6 +166,14 @@ You need to assign a public switched telephone network (PSTN) number to your Res
 1. Also, if you plan to make outbound PSTN calls using your Resource Accounts assigned phone number, now is a good time to assign a [Microsoft Teams Calling Plan](/microsoftteams/calling-plans-for-office-365).
 
 
+> **Note:** Proper configuration depends on the phone number service type assigned to the Resource account:
+> - **Direct Routing** – The tenant must be configured for Direct Routing with a verified Session Border Controller (SBC), a Direct Routing phone number assigned to the Resource account, and a Voice Routing Policy that allows PSTN calls assigned to the Resource account.
+> - **Calling Plan** – The Resource account must be assigned a Calling Plan service number and licensed with Microsoft Teams Phone Resource Account.
+> - **Operator Connect** – The phone number must be provisioned by an approved Operator Connect provider that supports outbound PSTN calling for voice applications.
+> - For all these connectivity options, you need to make sure you have the proper Microsoft licenses in place as detailed in the [general license prerequisite](/azure/communication-services/concepts/interop/tpe/teams-phone-extensibility-overview#prerequisites) or specifically for [Outbound license requirements](/azure/communication-services/quickstarts/tpe/teams-phone-extensibility-server-outbound-call#licensing-requirements)
+
+
+
 ### CCaaS Developer: Get Resource Account Information
 
 We're introducing a new Graph API to get a list of Resource Accounts and phone numbers where assigned. The Graph API supports an optional filter on your Microsoft Entra first party `applicationID` / `clientId`.

articles/container-apps/ip-restrictions.md

@@ -22,7 +22,7 @@ There are two types of restrictions:
 * *Allow*: Allow inbound traffic only from address ranges you specify in allow rules.
 * *Deny*: Deny all inbound traffic only from address ranges you specify in deny rules.
 
-when no IP restriction rules are defined, all inbound traffic is allowed.
+When no IP restriction rules are defined, all inbound traffic is allowed.
 
 IP restrictions rules contain the following properties:
 
@@ -186,6 +186,16 @@ az containerapp ingress access-restriction list
 
 ::: zone-end
 
+## Troubleshooting
+
+Use the following information to help you troubleshoot IP-related issues in your container app.
+
+### Access denied
+
+An *RBAC: Access Denied* message returned to the client indicates the client is blocked by IP restrictions from the container app. To fix this, make sure the client IP address requesting access is allowed based on either the "allow" or "deny" rules.
+
+If using an address range, make sure the blocked IP falls within an allowed range.
+
 ## Next steps
 
 > [!div class="nextstepaction"]

articles/container-apps/premium-ingress.md

@@ -142,7 +142,7 @@ az containerapp env premium-ingress remove \
 To remove the workload profile from the environment, run the following command:
 
 ````azurecli
-az containerapp env workload-profile remove \
+az containerapp env workload-profile delete \
   --resource-group my-resource-group \
   --name my-container-apps-env \
   --workload-profile-name Ingress-D4