Merge branch 'main' into prefer-header-update

Author: Danielabom

.vscode/settings.json

@@ -1,5 +1,6 @@
 {
     "githubPullRequests.ignoredPullRequestBranches": [
+        "main",
         "main",
         "main",
         "main"

api-reference/beta/api/group-post-members.md

@@ -33,20 +33,21 @@ The following table shows the least privileged permission that's required by eac
 | [servicePrincipal](../resources/group.md) | GroupMember.ReadWrite.All and Application.ReadWrite.All | Not supported.                         | GroupMember.ReadWrite.All and Application.ReadWrite.All |
 | [user](../resources/user.md)              | GroupMember.ReadWrite.All                               | Not supported.                         | GroupMember.ReadWrite.All                               |
 
-In delegated scenarios, the signed-in user must also be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with the `microsoft.directory/groups/members/update` role permission. The following roles are the least privileged roles that are supported for this operation, except for role-assignable groups:
-
-- Group owners
-- Directory Writers
-- Groups Administrator
-- Identity Governance Administrator
-- User Administrator
-- Exchange Administrator - only for Microsoft 365 groups
-- SharePoint Administrator - only for Microsoft 365 groups
-- Teams Administrator - only for Microsoft 365 groups
-- Yammer Administrator - only for Microsoft 365 groups
-- Intune Administrator - only for security groups
-
-To add members to a role-assignable group, the app must also be assigned the *RoleManagement.ReadWrite.Directory* permission and the calling user must be assigned a supported Microsoft Entra role. *Privileged Role Administrator* is the least privileged role that is supported for this operation.
+> [!IMPORTANT]
+> In delegated scenarios, the signed-in user must also be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with the `microsoft.directory/groups/members/update` role permission. The following roles are the least privileged roles that are supported for this operation, except for role-assignable groups:
+> 
+> - Group owners
+> - Directory Writers
+> - Groups Administrator
+> - Identity Governance Administrator
+> - User Administrator
+> - Exchange Administrator - only for Microsoft 365 groups
+> - SharePoint Administrator - only for Microsoft 365 groups
+> - Teams Administrator - only for Microsoft 365 groups
+> - Yammer Administrator - only for Microsoft 365 groups
+> - Intune Administrator - only for security groups
+> 
+> To add members to a role-assignable group, the app must also be assigned the *RoleManagement.ReadWrite.Directory* permission and the calling user must be assigned a supported Microsoft Entra role. *Privileged Role Administrator* is the least privileged role that is supported for this operation.
 
 ## HTTP request
 
@@ -74,7 +75,10 @@ If using the **directoryObjects** reference, that is, `https://graph.microsoft.c
 
 ## Response
 
-If successful, this method returns a `204 No Content` response code. It returns a `400 Bad Request` response code when the object is already a member of the group or is unsupported as a group member. It returns a `404 Not Found` response code when the object being added doesn't exist.
+If successful, this method returns a `204 No Content` response code. It returns a `400 Bad Request` response code when the object is already a member of the group or is unsupported as a group member. It returns a `404 Not Found` response code when the object being added doesn't exist. It returns `403 Unauthorized` in one of the following scenarios:
+- You're attempting to add a member to a [group that can't be managed through Microsoft Graph](../resources/groups-overview.md#group-types-in-microsoft-entra-id-and-microsoft-graph). This API supports only security and Microsoft 365 groups.
+- You're attempting to add a member you don't have permissions to add. Refer to the preceding [Permissions](#permissions) section for the permissions required to add different member types.
+- You're attempting to add a member to a role-assignable group and you don't have the required permissions.
 
 ## Example
 

api-reference/v1.0/api/group-post-members.md

@@ -31,20 +31,21 @@ The following table shows the least privileged permission that's required by eac
 | [servicePrincipal](../resources/group.md) | GroupMember.ReadWrite.All and Application.ReadWrite.All | Not supported.                         | GroupMember.ReadWrite.All and Application.ReadWrite.All |
 | [user](../resources/user.md)              | GroupMember.ReadWrite.All                               | Not supported.                         | GroupMember.ReadWrite.All                               |
 
-In delegated scenarios, the signed-in user must also be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with the `microsoft.directory/groups/members/update` role permission. The following least privileged roles are supported for this operation, except for role-assignable groups:
-
-- Group owners
-- Directory Writers
-- Groups Administrator
-- Identity Governance Administrator
-- User Administrator
-- Exchange Administrator - only for Microsoft 365 groups
-- SharePoint Administrator - only for Microsoft 365 groups
-- Teams Administrator - only for Microsoft 365 groups
-- Yammer Administrator - only for Microsoft 365 groups
-- Intune Administrator - only for security groups
-
-To add members to a role-assignable group, the app must also be assigned the *RoleManagement.ReadWrite.Directory* permission and the calling user must be assigned a supported Microsoft Entra role. *Privileged Role Administrator* is the least privileged role that is supported for this operation.
+> [!IMPORTANT]
+> In delegated scenarios, the signed-in user must also be assigned a supported [Microsoft Entra role](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json) or a custom role with the `microsoft.directory/groups/members/update` role permission. The following roles are the least privileged roles that are supported for this operation, except for role-assignable groups:
+> 
+> - Group owners
+> - Directory Writers
+> - Groups Administrator
+> - Identity Governance Administrator
+> - User Administrator
+> - Exchange Administrator - only for Microsoft 365 groups
+> - SharePoint Administrator - only for Microsoft 365 groups
+> - Teams Administrator - only for Microsoft 365 groups
+> - Yammer Administrator - only for Microsoft 365 groups
+> - Intune Administrator - only for security groups
+> 
+> To add members to a role-assignable group, the app must also be assigned the *RoleManagement.ReadWrite.Directory* permission and the calling user must be assigned a supported Microsoft Entra role. *Privileged Role Administrator* is the least privileged role that is supported for this operation.
 
 ## HTTP request
 
@@ -72,7 +73,10 @@ If using the **directoryObjects** reference, that is, `https://graph.microsoft.c
 
 ## Response
 
-If successful, this method returns a `204 No Content` response code. It returns a `400 Bad Request` response code when the object is already a member of the group or is unsupported as a group member. It returns a `404 Not Found` response code when the object being added doesn't exist.
+If successful, this method returns a `204 No Content` response code. It returns a `400 Bad Request` response code when the object is already a member of the group or is unsupported as a group member. It returns a `404 Not Found` response code when the object being added doesn't exist. It returns `403 Unauthorized` in one of the following scenarios:
+- You're attempting to add a member to a [group that can't be managed through Microsoft Graph](../resources/groups-overview.md#group-types-in-microsoft-entra-id-and-microsoft-graph). This API supports only security and Microsoft 365 groups.
+- You're attempting to add a member you don't have permissions to add. Refer to the preceding [Permissions](#permissions) section for the permissions required to add different member types.
+- You're attempting to add a member to a role-assignable group and you don't have the required permissions.
 
 ## Examples
 

api-reference/v1.0/resources/onlinemeeting.md

@@ -45,6 +45,8 @@ Contains information about a meeting, including the URL used to join a meeting,
 | allowMeetingChat      | [meetingChatMode](#meetingchatmode-values) | Specifies the mode of meeting chat. Inherited from [onlineMeetingBase](../resources/onlineMeetingBase.md). |
 | allowParticipantsToChangeName | Boolean | Specifies if participants are allowed to rename themselves in an instance of the meeting. Inherited from [onlineMeetingBase](../resources/onlineMeetingBase.md). |
 | allowTeamworkReactions | Boolean | Indicates whether Teams reactions are enabled for the meeting. Inherited from [onlineMeetingBase](../resources/onlineMeetingBase.md). |
+| allowRecording | Boolean | Indicates whether recording is enabled for the meeting. Inherited from [onlineMeetingBase](../resources/onlinemeetingbase.md). |
+| allowTranscription | Boolean | Indicates whether transcription is enabled for the meeting. Inherited from [onlineMeetingBase](../resources/onlinemeetingbase.md). |
 | audioConferencing     | [audioConferencing](audioconferencing.md)     | The phone access (dial-in) information for an online meeting. Read-only. Inherited from [onlineMeetingBase](../resources/onlineMeetingBase.md).                                                  |
 | chatInfo              | [chatInfo](chatinfo.md)                       | The chat information associated with this online meeting. Inherited from [onlineMeetingBase](../resources/onlineMeetingBase.md).                                                                 |
 | creationDateTime      | DateTime                                      | The meeting creation time in UTC. Read-only.                                                                               |

api-reference/v1.0/resources/onlinemeetingbase.md

@@ -98,6 +98,8 @@ The following JSON representation shows the resource type.
   "allowMeetingChat": {"@odata.type": "microsoft.graph.meetingChatMode"},
   "allowTeamworkReactions": "Boolean",
   "allowedPresenters": "String",
+  "allowRecording": "Boolean",
+  "allowTranscription": "Boolean",
   "anonymizeIdentityForRoles": ["String"],
   "audioConferencing": {"@odata.type": "microsoft.graph.audioConferencing"},
   "chatInfo": {"@odata.type": "microsoft.graph.chatInfo"},

changelog/Microsoft.IdentityProtectionServices.json

@@ -36,6 +36,24 @@
         "WorkloadArea": "Identity and access",
         "SubArea": "Identity and sign-in"
       },
+      {
+       "ChangeList": [
+          {
+          "Id": "95e7994e-b2ca-48bd-bc51-173812e9422a",
+          "ApiChange": "Property",
+          "ChangedApiName": "riskEventType",
+          "ChangeType": "Change",
+          "Description": "Added `suspiciousAPITraffic` as a supported value for the **riskEventType** property in the [servicePrincipalRiskDetection](https://learn.microsoft.com/en-us/graph/api/resources/serviceprincipalriskdetection?view=graph-rest-v1.0) resource.",
+          "Target": "servicePrincipalRiskDetection"
+          }
+        ],
+        "Id": "95e7994e-b2ca-48bd-bc51-173812e9422a",
+        "Cloud": "Prod",
+        "Version": "v1.0",
+        "CreatedDateTime": "2025-01-15T22:19:32.3422617Z",
+        "WorkloadArea": "Identity and access",
+        "SubArea": "Identity and sign-in"
+      },
       {
        "ChangeList": [
           {

changelog/Microsoft.Skype.Calling.json

@@ -1,5 +1,31 @@
 {
   "changelog": [
+    {
+      "ChangeList": [
+        {
+          "Id": "e9108fde-6bae-4b24-a1ab-993bb6f9ac23",
+          "ApiChange": "Property",
+          "ChangedApiName": "allowRecording",
+          "ChangeType": "Addition",
+          "Description": "Added the **allowRecording** property to the [onlineMeetingBase](https://learn.microsoft.com/en-us/graph/api/resources/onlineMeetingBase?view=graph-rest-1.0) resource.",
+          "Target": "onlineMeetingBase"
+        },
+        {
+          "Id": "e9108fde-6bae-4b24-a1ab-993bb6f9ac23",
+          "ApiChange": "Property",
+          "ChangedApiName": "allowTranscription",
+          "ChangeType": "Addition",
+          "Description": "Added the **allowTranscription** property to the [onlineMeetingBase](https://learn.microsoft.com/en-us/graph/api/resources/onlineMeetingBase?view=graph-rest-1.0) resource.",
+          "Target": "onlineMeetingBase"
+        }
+      ],
+      "Id": "e9108fde-6bae-4b24-a1ab-993bb6f9ac23",
+      "Cloud": "Prod",
+      "Version": "v1.0",
+      "CreatedDateTime": "2025-01-15T20:42:00.4091409Z",
+      "WorkloadArea": "Cloud communications",
+      "SubArea": "Call"
+    },
     {
       "ChangeList": [
         {

changelog/Microsoft.Teams.Core.json

@@ -5712,9 +5712,9 @@
       "Id": "f9666fc8-6101-4ca6-bd26-3f11395ffc5f",
       "Cloud": "Prod",
       "Version": "v1.0",
-      "CreatedDateTime": "2024-10-08T18:15:55.2254479Z",
+      "CreatedDateTime": "2025-01-14T18:15:55.2254479Z",
       "WorkloadArea": "Teamwork and communications",
-      "SubArea": ""
+      "SubArea": "Messaging"
        },
       {
       "ChangeList": [ 

concepts/change-notifications-delivery-webhooks.md

@@ -8,7 +8,7 @@ ms.topic: how-to
 ms.subservice: change-notifications
 ms.localizationpriority: high
 ms.custom: graphiamtop20
-ms.date: 01/03/2024
+ms.date: 01/15/2025
 #customer intent: As a developer, I want to receive notifications of changes to specific Microsoft Graph resources through webhooks, so that I can build apps that process the changes according to business requirements.
 ---
 
@@ -23,6 +23,7 @@ The article guides you through the process of implementing your webhook endpoint
 For details about how to create change notifications, see [Microsoft Graph API change notifications](/graph/api/resources/change-notifications-api-overview).
 
 ## Considerations for a webhook endpoint
+
 Before you can receive a notification via webhooks, you must create a publicly accessible, HTTPS-secured endpoint that is addressable via URL. If your endpoint isn't publicly accessible, Microsoft Graph doesn't send notifications to your endpoint.
 
 Your endpoint must provide correct, consistent, and timely HTTP responses in order to reliably receive notifications. If an endpoint doesn't respond in a timely manner, the change notification service may begin to drop notifications. Dropped notifications can't be recovered.
@@ -52,13 +53,13 @@ For security and performance reasons, Microsoft Graph throttles notifications se
 If your endpoint is unable to meet these performance characteristics, consider using [Event Hubs](/graph/change-notifications-delivery-event-hubs) or [Event Grid](/azure/event-grid/subscribe-to-graph-api-events?context=graph/context) as a target for receiving notifications.
 
 ### Authentication
-When you create your subscription, an access token is sent to your endpoint. This access token is used only to check the validity of your endpoint and has a lifecycle different from that of your change notification subscription. This access token generally expires within 1 hour.
+When you create your subscription, an access token is sent to your endpoint. This access token is used only to check the validity of your endpoint and has a lifecycle different from your change notification subscription. This access token generally expires within 1 hour.
 
-Your endpoint must be prepared to be regularly reauthorized by Microsoft Graph to ensure that Microsoft Graph can continue to deliver notifications to your endpoint.
+To ensure uninterrupted notifications, your endpoint must be prepared for regular reauthorization by Microsoft Graph.
 
-If an access token expires, notifications aren't delivered.  However, it doesn't trigger endpoint throttling behavior and Microsoft Graph continues to retry sending each notification for up to 4 hours. So if the access token is refreshed within 4 hours of expiration, unsent notifications are delivered.
+If an access token expires, notifications aren't delivered. However, it doesn't trigger endpoint throttling behavior and Microsoft Graph continues to retry sending each notification for up to 4 hours. So if the access token is refreshed within 4 hours of expiration, unsent notifications are delivered.
 
-It's recommended that you add [lifecycle notifications](.\change-notifications-lifecycle-events.md) to your subscription to receive a warning about token expiration so you can reauthorize your endpoint in a timely manner.
+We recommend that you add [lifecycle notifications](.\change-notifications-lifecycle-events.md) to your subscription to receive a warning about token expiration so you can reauthorize your endpoint in a timely manner.
 
 When you [renew your subscription](#renew-a-subscription), your access token is also refreshed.
 
@@ -69,21 +70,22 @@ You can configure the firewall that protects your endpoint to allow inbound conn
 > The listed IP addresses that are used to deliver change notifications can be updated at any time without notice.
 
 ## Create a subscription
+
 > [!IMPORTANT]
 > Multiple steps are required to ensure a secure communication channel is established and maintained between the Microsoft Graph change notifications service and your endpoint.
 
 To start receiving Microsoft Graph change notifications, you must create a subscription using the URL of your endpoint (notification URL) to establish the subscription. The pattern of establishing a subscription is as follows:
 
 1. The client app sends a subscription request to subscribe to changes on a specific resource.
 
-1. Microsoft Graph checks the request.
+2. Microsoft Graph checks the request.
 
     - If the request is valid, Microsoft Graph sends a validation token to the notification URL for the client app to validate the notification URL.
     - If the request is invalid, Microsoft Graph sends an error response with an error code and details.
 
-1. When the client receives the notification URL validation request, the client responds with the validation token in plain text.
+3. When the client receives the notification URL validation request, the client responds with the validation token in plain text.
 
-1. Microsoft Graph validates the client's validation token response and if the validation token is valid, responds with a subscription ID.
+4. Microsoft Graph validates the client's validation token response and if the validation token is valid, responds with a subscription ID.
 
 ### Subscription request
 
@@ -151,7 +153,7 @@ Each subscription has a unique **subscriptionId**, even if you have multiple sub
 > [!NOTE]
 > Any query string parameter included in the **notificationUrl** property is included in the HTTP POST request when notifications are being delivered to your service.
 >
-> Duplicate subscriptions are not allowed. When a subscription request contains the same values for **changeType** and **resource** as an existing subscription, the request fails with an HTTP error code `409 Conflict`, and the error message `Subscription Id <> already exists for the requested combination`.
+> Duplicate subscriptions aren't allowed. When a subscription request contains the same values for **changeType** and **resource** as an existing subscription, the request fails with an HTTP error code `409 Conflict`, and the error message `Subscription Id <> already exists for the requested combination`.
 
 #### notificationUrl validation
 
@@ -321,7 +323,7 @@ When you subscribe to lifecycle notifications, Microsoft Graph alerts you:
 - When a tenant administrator revokes your app's permissions to read a resource.
 
 > [!NOTE]
-> If an access token expires, notifications are not delivered to the endpoint. But Microsoft Graph continues to retry sending each notification for up to 4 hours. So if the access token is refreshed within 4 hours of expiration, unsent notifications are delivered.
+> If an access token expires, notifications aren't delivered to the endpoint. But Microsoft Graph continues to retry sending each notification for up to 4 hours. So if the access token is refreshed within 4 hours of expiration, unsent notifications are delivered.
 
 For more information on how to utilize lifecycle notifications for your subscription, see [lifecycle notifications](/graph/change-notifications-lifecycle-events).