
Commit 0da8319

Learn Build Service GitHub App
authored and committed
Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)
2 parents 6567c37 + 1fcf5b8 commit 0da8319

20 files changed

Lines changed: 693 additions & 386 deletions

articles/api-management/api-management-howto-use-managed-service-identity.md

Lines changed: 12 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -315,6 +315,12 @@ You can use a system-assigned managed identity to access Key Vault to store and
315315

316316
Use the system-assigned identity to authenticate to a backend service via the [authentication-managed-identity](authentication-managed-identity-policy.md) policy.
317317

318+
> [!CAUTION]
319+
> **Security consideration:** Users with permissions to edit API Management policies (for example, users assigned the [API Management Service Contributor](/azure/role-based-access-control/built-in-roles#api-management-service-contributor) role) can use the [`authentication-managed-identity`](authentication-managed-identity-policy.md) policy to authenticate as the service's managed identity. When you assign roles or permissions to the API Management resouce, be aware that any user who can edit policies may be able to access those same resources through the managed identity. To mitigate risk:
320+
> - Follow the [principle of least privilege](/entra/identity-platform/secure-least-privileged-access) when assigning roles to managed identities.
321+
> - Only grant the API Management Contributor role or policy editing permissions to trusted users.
322+
> - Regularly review and audit managed identity role assignments and who has access to edit API Management policies.
323+
318324
### Connect to Azure resources behind an IP firewall by using a system-assigned managed identity
319325

320326
API Management is a trusted Microsoft service to the following resources. This trusted status enables the service to connect to the following resources behind a firewall when the firewall enables the **Allow Trusted Microsoft Services to bypass this firewall** setting. After you explicitly assign the appropriate Azure role to the [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) for a resource instance, the scope of access for the instance corresponds to the Azure role that's assigned to the managed identity.
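Review bot: "resouce" in the new CAUTION body (line 319) should be "resource", and the second bullet (line 321) names the "API Management Contributor role" while the opening sentence links the "API Management Service Contributor" role; use one role name consistently so readers can match it against the built-in roles page. Consider also tightening the first bullet so it says what least privilege means here: scope the managed identity's role assignments to only the backend resources the `authentication-managed-identity` policy actually needs, since any policy editor inherits that exact scope.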
@@ -481,6 +487,12 @@ You can use a user-assigned managed identity to access Key Vault to store and ma
481487

482488
You can use the user-assigned identity to authenticate to a backend service via the [authentication-managed-identity](authentication-managed-identity-policy.md) policy.
483489

490+
> [!CAUTION]
491+
> **Security consideration:** Users with permissions to edit API Management policies (for example, users assigned the [API Management Service Contributor](/azure/role-based-access-control/built-in-roles#api-management-service-contributor) role) can use the [`authentication-managed-identity`](authentication-managed-identity-policy.md) policy to authenticate as the service's managed identity. When you assign roles or permissions to the API Management resouce, be aware that any user who can edit policies may be able to access those same resources through the managed identity. To mitigate risk:
492+
> - Follow the [principle of least privilege](/entra/identity-platform/secure-least-privileged-access) when assigning roles to managed identities.
493+
> - Only grant the API Management Contributor role or policy editing permissions to trusted users.
494+
> - Regularly review and audit managed identity role assignments and who has access to edit API Management policies.
495+
484496
### Log events to an event hub
485497

486498
You can configure and use a user-assigned managed identity to access an event hub to log events from an API Management instance. For more information, see [How to log events to Azure Event Hubs in Azure API Management](api-management-howto-log-event-hubs.md).
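Review bot: this CAUTION (lines 490-495) is a verbatim copy of the block added in the system-assigned section, including the same "resouce" typo and the same role-name inconsistency between "API Management Service Contributor" and "API Management Contributor role"; move the text into a shared include (the sibling policy article already uses `[!INCLUDE ...]` for its generic alert) so both copies are fixed once. For the user-assigned case the phrase "authenticate as the service's managed identity" is also imprecise, since the policy article notes that multiple user-assigned identities can be attached; "as any managed identity assigned to the service" would match.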

articles/api-management/authentication-managed-identity-policy.md

Lines changed: 2 additions & 0 deletions
@@ -20,6 +20,8 @@ Both system-assigned identity and any of the multiple user-assigned identities c
2020

2121
[!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
2222

23+
> [!CAUTION]
24+
> **Security consideration:** Any user with permissions to edit API Management policies (for example, users assigned the [API Management Service Contributor](/azure/role-based-access-control/built-in-roles#api-management-service-contributor) role) can use this policy to authenticate as the service's managed identity. This effectively grants that user access to any resource for which the managed identity has permissions. Ensure that you follow the [principle of least privilege](/entra/identity-platform/secure-least-privileged-access) when assigning permissions to API Management resource. For more information, see [How to use managed identities in Azure API Management](api-management-howto-use-managed-service-identity.md).
2325
2426
## Policy statement
2527
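Review bot: the last sentence of the new CAUTION (line 24) reads "when assigning permissions to API Management resource" (missing "the"), and it conflates two distinct permission sets: the RBAC rights that let a user edit the resource's policies, and the roles granted to the managed identity itself. Suggest splitting it, for example "Follow the principle of least privilege both when granting users permission to edit API Management policies and when assigning roles to the managed identity", so the reader sees that either side widens the exposure.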

articles/app-service/configure-sidecar.md

Lines changed: 1 addition & 1 deletion
@@ -128,7 +128,7 @@ In a Linux app, all containers (main and sidecars) share environment variables.
128128

129129
## Add the Redis sidecar extension
130130

131-
From the Azure portal, you can add a Redis sidecar extension to your app for caching. The Redis sidecar is for lightweight caching only, not a replacement for Azure Cache for Redis.
131+
From the Azure portal, you can add a Redis sidecar extension to your app for caching. The Redis sidecar is for lightweight caching only, not a replacement for Azure Managed Redis.
132132

133133
To use the Redis sidecar:
134134
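Review bot: the hunk renames the product in this one sentence only (line 131); if the article links to or mentions Azure Cache for Redis elsewhere, for example in the "To use the Redis sidecar" steps that follow, update those in the same change so the guidance does not mix the old and new names.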

articles/app-service/environment/configure-zone-redundancy-environment.md

Lines changed: 7 additions & 2 deletions
@@ -122,9 +122,14 @@ To see whether an existing App Service Environment supports zone redundancy:
122122
123123
## Configure Isolated v2 App Service plans with zone redundancy
124124
125-
All App Service plans created in an App Service Environment must use the Isolated v2 pricing tier.
125+
After you enable your App Service Environment to be zone redundant, you can also make each Isolated v2 App Service plan as zone redundant.
126+
127+
> [!NOTE]
128+
> Each plan has its own independent zone redundancy setting, so you can manually enable or disable zone redundancy on specific plans in an App Service Environment.
129+
>
130+
> If a specific plan doesn't need to be zone-redundant, you can disable zone redundancy and then optionally scale it to a single instance.
126131
127-
If you enable your App Service Environment to be zone redundant, you can also set the Isolated v2 App Service plans as zone redundant. Each plan has its own independent zone redundancy setting, so you can manually enable or disable zone redundancy on specific plans in an App Service Environment, as long as the environment is configured to be zone redundant.
132+
All App Service plans created in an App Service Environment must use the Isolated v2 pricing tier.
128133
129134
- **To create a new Isolated v2 App Service plan with zone redundancy**, use the Azure portal, the Azure CLI, or Bicep.
130135
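Review bot: the new NOTE (lines 127-130) drops the precondition that the removed sentence at line 127 carried, "as long as the environment is configured to be zone redundant"; without it, "you can manually enable or disable zone redundancy on specific plans" reads as if it applies to any environment. Restore the qualifier in the NOTE. Also, line 125 should read "make each Isolated v2 App Service plan zone redundant" (drop "as"), and the added statement that a plan can then be scaled to a single instance is new information not present in the removed text, so confirm it with the product team before publishing.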

articles/azure-functions/functions-bindings-mcp-tool-trigger.md

Lines changed: 2 additions & 3 deletions
@@ -81,7 +81,7 @@ builder.Build().Run();
8181
> [!TIP]
8282
> The example above uses literal strings for things like the name of the "get_snippets" tool in both `Program.cs` and the function. Consider instead using shared constant strings to keep things in sync across your project.
8383
84-
For the complete code example, see [SnippetTool.cs](https://github.com/Azure-Samples/remote-mcp-functions-dotnet/blob/main/src/SnippetsTool.cs).
84+
For the complete code example, see [SnippetTool.cs](https://github.com/Azure-Samples/remote-mcp-functions-dotnet/blob/main/src/FunctionsMcpTool/SnippetsTool.cs).
8585
::: zone-end
8686
::: zone pivot="programming-language-java"
8787
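Review bot: the link text at line 84 still says "SnippetTool.cs" while the corrected target file is "SnippetsTool.cs"; make the text match the filename so readers searching the repo find it. Since the path moved under `src/FunctionsMcpTool/`, check the other sample links in this article for the same stale `src/` prefix.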

@@ -167,7 +167,7 @@ public String getSnippet(
167167
}
168168
```
169169

170-
For the complete code example, see [Snippets.java](https://github.com/Azure-Samples/remote-mcp-functions-java/blob/main/src/main/java/com/function/Snippets.java).
170+
For the complete code example, see [Snippets.java](https://github.com/Azure-Samples/remote-mcp-functions-java/blob/main/samples/FunctionsMcpTool/src/main/java/com/function/Snippets.java).
171171
::: zone-end
172172
::: zone pivot="programming-language-javascript"
173173
Example code for JavaScript isn't currently available. See the TypeScript examples for general guidance using Node.js.
@@ -511,7 +511,6 @@ builder.Build().Run();
511511

512512
You can call the `WithProperty()` method multiple times to define multiple properties for the tool. Each call to `WithProperty()` includes a string representation of the MCP property type, which might not directly correspond to a CLR type. For example, use `"boolean"` to define a boolean property, even though the corresponding CLR type is `bool`. Valid types are: `"string"`, `"number"`, `"integer"`, `"boolean"`, `"object"`.
513513

514-
For the complete example, see the [`Program.cs` file](https://github.com/Azure-Samples/remote-mcp-functions-dotnet/blob/main/src/Program.cs).
515514

516515
---
517516
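Review bot: this hunk deletes the only pointer to the complete `Program.cs` example (old line 514) instead of fixing it, leaving the `WithProperty()` discussion above without a reference implementation. The earlier hunk in this file corrected a sibling link by inserting `FunctionsMcpTool/` into the path; if `Program.cs` moved the same way, update the URL to `src/FunctionsMcpTool/Program.cs` rather than removing the sentence.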
