Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into credmgr

Author: dlepow

.openpublishing.redirection.json

@@ -6355,10 +6355,210 @@
       "redirect_url": "/azure/storage/container-storage/install-container-storage-aks",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/reliability/reliability-cosmos-mongodb.md",
+      "redirect_url": "/azure/reliability/reliability-documentdb",
+      "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/communications-gateway/connectivity.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/connectivity",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/connect-operator-connect.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/connect-operator-connect",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/connect-teams-direct-routing.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/connect-teams-direct-routing",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/connect-zoom.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/connect-zoom",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/deploy.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/deploy",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/emergency-calls-operator-connect.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/emergency-calls-operator-connect",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/emergency-calls-teams-direct-routing.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/emergency-calls-teams-direct-routing",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/emergency-calls-zoom.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/emergency-calls-zoom",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/get-started.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/get-started",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/index.yml",
+      "redirect_url": "/previous-versions/azure/communications-gateway/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/integrate-with-provisioning-api.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/integrate-with-provisioning-api",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/interoperability-operator-connect.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/interoperability-operator-connect",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/interoperability-teams-direct-routing.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/interoperability-teams-direct-routing",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/interoperability-zoom.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/interoperability-zoom",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/lab.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/lab",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/limits.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/limits",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/maintenance-notifications.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/maintenance-notifications",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/manage-enterprise-operator-connect.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/manage-enterprise-operator-connect",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/manage-enterprise-teams-direct-routing.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/manage-enterprise-teams-direct-routing",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/manage-enterprise-zoom.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/manage-enterprise-zoom",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/mobile-control-point.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/mobile-control-point",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/monitor-azure-communications-gateway.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/monitor-azure-communications-gateway",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/monitoring-azure-communications-gateway-data-reference.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/monitoring-azure-communications-gateway-data-reference",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/onboarding.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/onboarding",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/overview.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/plan-and-manage-costs.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/plan-and-manage-costs",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/prepare-for-live-traffic-operator-connect.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/prepare-for-live-traffic-operator-connect",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/prepare-for-live-traffic-teams-direct-routing.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/prepare-for-live-traffic-teams-direct-routing",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/prepare-for-live-traffic-zoom.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/prepare-for-live-traffic-zoom",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/prepare-for-vnet-injection.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/prepare-for-vnet-injection",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/prepare-to-deploy.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/prepare-to-deploy",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/provisioning-platform.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/provisioning-platform",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/provision-user-roles.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/provision-user-roles",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/reliability-communications-gateway.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/reliability-communications-gateway",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/request-changes.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/request-changes",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/role-in-network.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/role-in-network",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/security.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/security",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/communications-gateway/whats-new.md",
+      "redirect_url": "/previous-versions/azure/communications-gateway/whats-new",
+      "redirect_document_id": false
+      },
     {
       "source_path": "articles/vpn-gateway/about-zone-redundant-vnet-gateways.md",
       "redirect_url": "/azure/reliability/reliability-virtual-network-gateway",
       "redirect_document_id": true
+    },
+    {
+      "source_path": "articles/dns/dns-sdk.md",
+      "redirect_url": "https://learn.microsoft.com/dotnet/api/overview/azure/resourcemanager.dns-readme",
+      "redirect_document_id": false
     }
 
   ]

articles/api-management/TOC.yml

@@ -714,6 +714,8 @@
       href: breaking-changes/identity-provider-adal-retirement-sep-2025.md
     - name: CAPTCHA endpoint update (September 2025)
       href: breaking-changes/captcha-endpoint-change-sep-2025.md
+    - name: Trusted service connectivity retirement (March 2026)
+      href: breaking-changes/trusted-service-connectivity-retirement-march-2026.md
     - name: Built-in analytics dashboard retirement (March 2027)
       href: breaking-changes/analytics-dashboard-retirement-march-2027.md
   - name: Regional availability

articles/api-management/api-management-howto-disaster-recovery-backup-restore.md

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 06/16/2025
+ms.date: 12/05/2025
 ms.author: danlep 
 ms.custom: devx-track-azurepowershell
 ---
@@ -399,7 +399,18 @@ Restore is a long-running operation that may take several minutes to complete. I
 ## Storage networking constraints
 
 
-If the storage account is **[firewall][azure-storage-ip-firewall] enabled**, it's recommended to use the API Management instance's system-assigned managed identity for access to the account. Ensure that the storage account [grants access to trusted Azure services](../storage/common/storage-network-security.md?tabs=azure-portal#grant-access-to-trusted-azure-services).
+If the storage account is **[firewall][azure-storage-ip-firewall] enabled**, it's recommended to use the API Management instance's system-assigned managed identity for access to the account. Ensure that you have networking line of sight from API Management. Configure one of the following network access options on the resource:
+
+- Allow public access from all networks.
+
+- Set a network security rule to allow API Management traffic based on the IP address or virtual network connectivity.
+
+- Secure traffic from API Management with Private Link connectivity.
+
+- Use a [network security perimeter](/azure/private-link/network-security-perimeter-concepts#onboarded-private-link-resources) to secure the resource and allow traffic from API Management. 
+
+> [!IMPORTANT]
+> Starting March 2026, trusted service connectivity to Azure services from API Management by enabling the **Allow Trusted Microsoft Services to bypass this firewall** firewall setting will no longer be supported. To continue accessing these services from API Management after this change, ensure that you choose a supported network access option as described above. [Learn more](breaking-changes/trusted-service-connectivity-retirement-march-2026.md)
 
 ## What is not backed up
 -   **Usage data** used for creating analytics reports **isn't included** in the backup. Use [Azure API Management REST API][azure api management rest api] to periodically retrieve analytics reports for safekeeping.

articles/api-management/api-management-howto-use-managed-service-identity.md

@@ -314,14 +314,27 @@ You can use the system-assigned identity to authenticate to a backend service vi
 
 ### Connect to Azure resources behind an IP firewall by using a system-assigned managed identity
 
+For certain scenarios, API Management can communicate with resources in the following services using a system-assigned managed identity configured with an appropriate role assignment:
 
-API Management is a trusted Microsoft service to the following resources. This trusted status enables the service to connect to the following resources behind a firewall. After you explicitly assign the appropriate Azure role to the [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) for a resource instance, the scope of access for the instance corresponds to the Azure role that's assigned to the managed identity.
+- Azure Key Vault
+- Azure Storage
+- Azure Service Bus
+- Azure Event Hubs
+- Azure Container Registry
+- Azure Managed HSM
 
+For resources in these services that are protected by an IP firewall, ensure that you have networking line of sight from API Management. Configure one of the following network access options on the resource:
 
-- [Trusted access for Key Vault](/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services)
-- [Trusted access for Azure Storage](../storage/common/storage-network-security-trusted-azure-services.md?tabs=azure-portal#trusted-access-based-on-system-assigned-managed-identity)
-- [Trusted access for Azure Services Bus](../service-bus-messaging/service-bus-ip-filtering.md#trusted-microsoft-services)
-- [Trusted access for Azure Event Hubs](../event-hubs/event-hubs-ip-filtering.md#trusted-microsoft-services)
+- Allow public access from all networks.
+
+- Set a network security rule to allow API Management traffic based on the IP address or virtual network connectivity.
+
+- Secure traffic from API Management with Private Link connectivity.
+
+- Use a [network security perimeter](/azure/private-link/network-security-perimeter-concepts#onboarded-private-link-resources) to secure the resource and allow traffic from API Management. 
+
+> [!IMPORTANT]
+> Starting March 2026, trusted service connectivity to Azure services from API Management by enabling the **Allow Trusted Microsoft Services to bypass this firewall** firewall setting will no longer be supported. To continue accessing these services from API Management after this change, ensure that you choose a supported network access option as described above. [Learn more](breaking-changes/trusted-service-connectivity-retirement-march-2026.md)
 
 ### Log events to an event hub
 
@@ -456,7 +469,7 @@ Following are some common scenarios for using a user-assigned managed identity i
 You can use a user-assigned identity to establish trust between an API Management instance and Key Vault. This trust can then be used to retrieve custom TLS/SSL certificates that are stored in Key Vault. You can then assign these certificates to custom domains in the API Management instance.
 
 > [!IMPORTANT]
-> If [Key Vault firewall](/azure/key-vault/general/network-security) is enabled on your key vault, you can't use a user-assigned identity for access from API Management. You can use the system-assigned identity instead. In Key Vault firewall, the **Allow Trusted Microsoft Services to bypass this firewall** option must be enabled.
+> If [Key Vault firewall](/azure/key-vault/general/network-security) is enabled on your key vault, you can't use a user-assigned identity for access from API Management. You can use the system-assigned identity instead. For more information, see the section [Requirements for key vault firewall](#requirements-for-key-vault-firewall).
 
 Take these considerations into account:
 
@@ -472,7 +485,7 @@ Take these considerations into account:
 You can use a user-assigned managed identity to access Key Vault to store and manage secrets for use in API Management policies. For more information, see [Use named values in Azure API Management policies](api-management-howto-properties.md). 
 
 > [!NOTE]
-> If [Key Vault firewall](/azure/key-vault/general/network-security) is enabled on your key vault, you can't use a user-assigned identity for access from API Management. You can use the system-assigned identity instead. In Key Vault firewall, the **Allow Trusted Microsoft Services to bypass this firewall** option must be enabled.
+> If [Key Vault firewall](/azure/key-vault/general/network-security) is enabled on your key vault, you can't use a user-assigned identity for access from API Management. You can use the system-assigned identity instead. For more information, see the section [Requirements for key vault firewall](#requirements-for-key-vault-firewall).
 
 ### Authenticate to a backend by using a user-assigned identity
 

articles/api-management/breaking-changes/media/trusted-service-connectivity-retirement-march-2026/network-connectivity-storage.png

@@ -6,14 +6,13 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: reference
-ms.date: 07/17/2025
+ms.date: 12/03/2025
 ms.author: danlep
 ---
 
 # Upcoming breaking changes
 
-[!INCLUDE [api-management-availability-premium-dev-standard-basic-consumption](../../../includes/api-management-availability-premium-dev-standard-basic-consumption.md)]
-
+[!INCLUDE [api-management-availability-all-tiers](../../../includes/api-management-availability-all-tiers.md)]
 The following table lists all the upcoming breaking changes and feature retirements for Azure API Management.
 
 | Change Title | Effective Date |
@@ -33,6 +32,7 @@ The following table lists all the upcoming breaking changes and feature retireme
 | [Managed certificates suspension][managed-certificates-suspension-august-2025] | August 15, 2025 - March 15, 2026|
 | [ADAL-based Microsoft Entra ID identity provider retirement][msal2025] | September 30, 2025 |
 | [CAPTCHA endpoint update][captcha2025] | September 30, 2025 |
+| [Trusted service connectivity retirement][trustedservice2026] | March 15, 2026 |
 | [Built-in analytics dashboard retirement][analytics2027] | March 15, 2027 |
 
 <!-- Links -->
@@ -52,3 +52,4 @@ The following table lists all the upcoming breaking changes and feature retireme
 [workspaces2024]: ./workspaces-breaking-changes-june-2024.md
 [workspaces2025march]: ./workspaces-breaking-changes-march-2025.md
 [managed-certificates-suspension-august-2025]: ./managed-certificates-suspension-august-2025.md
+[trustedservice2026]: ./trusted-service-connectivity-retirement-march-2026.md