Merge pull request #308069 from MicrosoftDocs/main

Auto Publish – main to live - 2025-11-10 12:00 UTC

Author: learn-build-service-prod[bot]

articles/azure-resource-manager/management/azure-subscription-service-limits.md

@@ -354,6 +354,10 @@ The following table details the features and limits of the Basic, Standard, and
 
 [!INCLUDE [database-migration-service-limits](../../../includes/database-migration-service-limits.md)]
 
+## Azure Device Registry limits
+
+[!INCLUDE [device-registry-limits](../../iot-operations/includes/device-registry-limits.md)]
+
 ## Azure Device Update for IoT Hub limits
 
 [!INCLUDE [device-update-for-iot-hub-limits](../../../includes/device-update-for-iot-hub-limits.md)]
@@ -532,7 +536,7 @@ See [VM Applications overview](/azure/virtual-machines/vm-applications) for more
 
 A limit of 5,000 disk encryption sets are allowed per region and per subscription. [Contact Azure support](../../communications-gateway/request-changes.md) to increase the quota. 
 
-See the following documentation to learn more about about encryption restrictions:
+See the following documentation to learn more about encryption restrictions:
 
 - [Linux](/azure/virtual-machines/disk-encryption#restrictions)
 - [Windows](/azure/virtual-machines/disk-encryption#restrictions) virtual machines

articles/azure-vmware/native-first-party-principle-security.md

@@ -17,7 +17,10 @@ In this article, you learn how to re-enable the Azure VMware Solution service pr
 You must have the permissions to edit applications in your Microsoft Entra ID tenant, such as:  
 - Cloud Application Administrator  
 - Application Administrator  
-- Global Administrator  
+- Global Administrator
+
+> [!NOTE]
+> Roles must be assigned without conditions. Conditional role assignments are not supported for private cloud deployment.
 
 ## Enable first-party application service principal for Azure VMware Solution Gen 2 Private Clouds
 

articles/backup/about-azure-vm-restore.md

@@ -2,7 +2,7 @@
 title: About the Azure Virtual Machine restore process
 description: Learn how the Azure Backup service restores Azure virtual machines
 ms.topic: overview
-ms.date: 08/13/2025
+ms.date: 10/13/2025
 author: AbhishekMallick-MS
 ms.author: v-mallicka
 ms.custom: engagement-fy24

articles/backup/azure-data-lake-storage-backup-support-matrix.md

@@ -26,7 +26,7 @@ Vaulted backups of Azure Data Lake Storage are available in the following region
 
 | Availability type | Region |
 | --- | --- |
-| **General availability** | East Asia, France South, Southeast US, Switzerland North, Switzerland West, UAE North, UK West, West India. |
+| **General availability** | East Asia, France South, US South Central, Switzerland North, Switzerland West, UAE North, UK West, West India. |
 | **Preview** | Australia East, Central India, Central US, East US, East US 2, Germany West Central, North Central US, North Europe, South India, Southeast Asia, West Central US, West US, West US 2, West US 3. |
 
 ## Supported storage accounts

articles/backup/backup-azure-database-postgresql-troubleshoot.md

@@ -2,7 +2,7 @@
 title: Troubleshoot Azure Database for PostgreSQL backup
 description: Troubleshooting information for backing up Azure Database for PostgreSQL.
 ms.topic: troubleshooting
-ms.date: 11/20/2024
+ms.date: 09/09/2025
 ms.service: azure-backup
 author: AbhishekMallick-MS
 ms.author: v-mallicka

articles/backup/secure-by-default.md

@@ -2,7 +2,7 @@
 title: Secure by Default with soft delete for Azure Backup
 description: Learn how secure by default with soft delete works for Azure Backup.
 ms.topic: overview
-ms.date: 11/20/2024
+ms.date: 11/07/2025
 author: AbhishekMallick-MS
 ms.author: v-mallicka
 ms.custom: engagement-fy24, ignite-2024

articles/backup/tutorial-cross-region-restore.md

@@ -2,7 +2,7 @@
 title: Tutorial - Configure and run Cross Region Restore for Azure database for PostgreSQL
 description: Learn how to configure and run Cross Region Restore for Azure database for PostgreSQL using Azure Backup.
 ms.topic: tutorial
-ms.date: 11/22/2024
+ms.date: 04/07/2025
 ms.service: azure-backup
 ms.author: v-mallicka
 # Customer intent: "As a database administrator, I want to configure and run Cross Region Restore for Azure PostgreSQL databases, so that I can ensure data resiliency and perform recovery drills without downtime in the primary region."

articles/backup/tutorial-restore-aks-backups-across-regions.md

@@ -2,7 +2,7 @@
 title: Tutorial - Enable Vault Tier protection for Azure Kubernetes Cluster (AKS) clusters and restore backups in secondary region using Azure Backup
 description: Learn how to enable Vault Tier protection for AKS clusters and restore backups in secondary region using Azure Backup.
 ms.topic: tutorial
-ms.date: 11/19/2024
+ms.date: 05/28/2025
 ms.service: azure-backup
 ms.custom:
   - ignite-2024

articles/backup/tutorial-restore-files.md

@@ -2,7 +2,7 @@
 title: Tutorial - Restore files to a VM with Azure Backup
 description: Learn how to perform file-level restores on an Azure VM with Backup and Recovery Services.
 ms.topic: tutorial
-ms.date: 11/20/2024
+ms.date: 09/09/2025
 author: AbhishekMallick-MS
 ms.author: v-mallicka
 ms.custom:

articles/data-factory/data-factory-service-identity.md

@@ -29,7 +29,7 @@ There are two types of supported managed identities:
 
 - **System-assigned:** You can enable a managed identity directly on a service instance. When you allow a system-assigned managed identity during the creation of the service, an identity is created in Microsoft Entra tied to that service instance's lifecycle. By design, only that Azure resource can use this identity to request tokens from Microsoft Entra ID. So when the resource is deleted, Azure automatically deletes the identity for you.  
 - **User-assigned:** You may also create a managed identity as a standalone Azure resource. You can [create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md) and assign it to one or more instances of a data factory. In user-assigned managed identities, the identity is managed separately from the resources that use it.
->[!NOTE]
+> [!NOTE]
 > [Trusted bypass](https://techcommunity.microsoft.com/t5/azure-data-factory-blog/data-factory-is-now-a-trusted-service-in-azure-storage-and-azure/ba-p/964993) cannot utilize user-assigned managed identities. It can only employ system-assigned managed identities for connecting to Azure Storage and Azure Key Vault. 
 
 Managed identity provides the below benefits:
@@ -51,9 +51,13 @@ To effectively use managed identities in Azure Data Factory, specific roles must
    - **Reader Role**: This role is necessary to read the metadata of the resources.
    - **Contributor Role**: This role is required to manage the resources that the managed identity needs to access.
 
+> [!NOTE]
+> - Users with the Data Factory Contributor role can create and run pipelines that use both the System‑assigned Managed Identity (SAMI) and any User‑assigned Managed Identities (UAMI) attached to the data factory. Those identities inherit all permissions already granted to them on external resources (for example, storage accounts, SQL databases, Key Vault, Fabric Lakehouse).
+> - Please assign the Contributor role only to trusted principals and on the narrowest scope possible. Review and limit the permissions granted to the data factory’s managed identities, use least‑privilege RBAC on downstream resources, and regularly audit role assignments and activity logs.
+
 ## System-assigned managed identity 
 
->[!NOTE]
+> [!NOTE]
 > System-assigned managed identity is also referred to as 'Managed identity' elsewhere in the documentation and in the Data Factory Studio for backward compatibility purpose. We will explicitly mention 'User-assigned managed identity' when referring to it. 
 
 ### <a name="generate-managed-identity"></a> Generate system-assigned managed identity
@@ -71,7 +75,7 @@ If you find your service instance doesn't have a managed identity associated fol
 - [Generate managed identity using an Azure Resource Manager template](#generate-system-assigned-managed-identity-using-an-azure-resource-manager-template)
 - [Generate managed identity using SDK](#generate-system-assigned-managed-identity-using-sdk)
 
->[!NOTE]
+> [!NOTE]
 >
 >- Managed identity cannot be modified. Updating a service instance which already has a managed identity won't have any impact, and the managed identity is kept unchanged.
 >- If you update a service instance which already has a managed identity without specifying the "identity" parameter in the factory objects or without specifying "identity" section in REST request body, you will get an error.
@@ -177,7 +181,7 @@ client.Factories.CreateOrUpdate(resourceGroup, dataFactoryName, dataFactory);
 
 You can retrieve the managed identity from Azure portal or programmatically. The following sections show some samples.
 
->[!TIP]
+> [!TIP]
 > If you don't see the managed identity, [generate managed identity](#generate-managed-identity) by updating your service instance.
 
 #### Retrieve system-assigned managed identity using Azure portal