Merge pull request #309940 from MicrosoftDocs/main

Auto Publish – main to live - 2025-12-30 18:00 UTC

Author: learn-build-service-prod[bot]

articles/azure-resource-manager/bicep/data-types.md

@@ -484,7 +484,7 @@ output optionalValue int? = null
 
 Secure strings use the same format as string, and secure objects use the same format as object. With Bicep, you add the `@secure()` [decorator](./parameters.md#use-decorators) to a string or object.
 
-When you set a parameter (or an output) to a secure string or secure object, the value of the parameter (or the output) isn't saved to the deployment history or logged. If you set that secure value to a property that isn't expecting a secure value, the value isn't protected. For example, if you set a secure string to a tag, that value is stored as plain text. Use secure strings for passwords and secrets.
+When you set a parameter (or an output) to a secure string or secure object, the value of the parameter (or the output) isn't saved to the deployment history or logged (except if --debug parameter is used). If you set that secure value to a property that isn't expecting a secure value, the value isn't protected. For example, if you set a secure string to a tag, that value is stored as plain text. Use secure strings for passwords and secrets.
 
 The following example shows two secure parameters:
 

articles/backup/blob-backup-support-matrix.md

@@ -58,7 +58,7 @@ Operational backup of blobs uses blob point-in-time restore, blob versioning, so
 
 - You can back up only block blobs in a *standard general-purpose v2 storage account* using the vaulted backup solution for blobs.
 - Blob vaulted backup is also supported when the storage account has private endpoints.
-- HNS-enabled storage accounts are currently not supported. This includes *ADLS Gen2 accounts*, *accounts using NFS 3.0*, and *SFTP protocols* for blobs.
+- Storage accounts using NFS 3.0*, and *SFTP protocols* for blobs are currently not supported. 
 - You can take up to five backups per storage account in a day.
 - You can back up storage accounts with *up to 100 containers*, there is no limit on the number of blobs within those containers. You can also select a subset of containers to back up (up to 100 containers).
   - If your storage account contains more than 100 containers, you need to select *up to 100 containers* to back up.

articles/cost-management-billing/manage/cloud-subscription.md

@@ -10,6 +10,7 @@ ms.topic: concept-article
 ms.date: 12/29/2025
 ms.custom:
 - build-2025
+service.tree.id: b69a7832-2929-4f60-bf9d-c6784a865ed8
 ---
 
 # What is a cloud subscription?

articles/frontdoor/end-to-end-tls.md

@@ -102,6 +102,7 @@ For the Azure Front Door Standard/Premium managed certificate option, the certif
 > [!IMPORTANT]
 > - For Azure Front Door Classic and Azure CDN Classic, managed certificates will no longer be supported starting August 15, 2025. To avoid service disruption, either switch to **Bring Your Own Certificate (BYOC)** or migrate to Azure Front Door Standard/Premium before this date. Existing managed certificates will continue to autorenew until August 15, 2025, and remain valid until April 14, 2026. However, it's highly recommended to switch to **BYOC** or migrate to Front Door Standard/Premium before August 15, 2025, to avoid unexpected certificate revocation.
 > - Auto-rotation for managed certificates fails if your domains don't have direct CNAME mapping to Azure Front Door Classic or Azure CDN Classic endpoints. See [Azure CDN Classic HTTPS for custom domains](/azure/cdn/cdn-custom-ssl?tabs=option-1-default-enable-https-with-a-cdn-managed-certificate#tlsssl-certificates) and [Azure Front Door Classic HTTPS for custom domains](/azure/frontdoor/front-door-custom-domain-https?tabs=powershell#option-1-default-use-a-certificate-managed-by-front-door).
+> - Azure Front Door (AFD) Standard and Premium use DigiCert‑issued managed TLS certificates, and DigiCert is retiring the G1 root certificate that expires on April 14, 2026, replacing it with the G2 root certificate. Azure Front Door will automatically rotate AFD‑managed certificates before expiration for custom domains that directly CNAME to the Azure Front Door endpoint, and no customer action is required. Customers whose domains do not directly CNAME to Azure Front Door must manually rotate their certificates to use the DigiCert G2 root certificate before April 14, 2026 to avoid TLS connectivity issues.
 
 For your own custom TLS/SSL certificate:
 

articles/oracle/oracle-db/oracle-database-regions.md

@@ -25,12 +25,12 @@ The list below mentions the Azure and corresponding OCI regions with the regiona
 
 | Azure region   | OCI region   | Oracle Exadata Database@Azure | Oracle Autonomous Database@Azure | Oracle Database Autonomous Recovery Service@Azure | Exadata Database Service on Exascale Infrastructure@Azure | BaseDB | Golden Gate | Regional Availability |
 | -------------- | ----------------------- | ----------------------------- | -------------------------------- | -------- |---------|---------|---------|-----|
-| Australia East | Australia East (Sydney) | ✓         | ✓      | ✓ | ✓ | Preview available | |  Dual   |
+| Australia East | Australia East (Sydney) | ✓         | ✓      | ✓ | ✓ | Preview available | ✓|  Dual   |
 | Australia Southeast | Australia Southeast (Melbourne) | ✓        | ✓ | | |  | |   Dual   |
 | Central India | India West (Mumbai) | ✓  | ✓ | | | | |   Single   |
 | Japan East | Japan East (Tokyo) | ✓  | ✓  | ✓ | ✓ | ✓ | ✓ |   Dual   |
 | Japan West | Japan Central (Osaka) | ✓  | ✓ | | | | |   Single   |
-| South India | 	India South (Chennai) | ✓  |  | | | | |   Single   |
+| South India | 	India South (Chennai) | ✓  | ✓ | | | | |   Single   |
 | Southeast Asia |Singapore (Singapore) | ✓  | ✓   | ✓ | ✓ | ✓ | ✓ |  Dual   |
 
 
@@ -40,40 +40,42 @@ The list below mentions the Azure and corresponding OCI regions with the regiona
 | Azure region | OCI region                 | Oracle Exadata Database@Azure | Oracle Autonomous Database@Azure | Oracle Database Autonomous Recovery Service@Azure | Exadata Database Service on Exascale Infrastructure@Azure | BaseDB | Golden Gate | Regional Availability |
 | ------------ | -------------------------- | ----------------------------- | -------------------------------- | ------------------------------------------------- | --------------------------------------------------------- | ------ | --------------------- |-------|
 | Brazil South | Brazil Southeast (Vinhedo) | ✓    | ✓      | ✓   | ✓     | ✓  |    | Dual   |
+| Brazil Southeast | Brazil East (Rio de Janeiro) | ✓    |       |    |      |   |    | Single   |
 
 ## Europe, Middle East, Africa (EMEA)
 
 |Azure region |OCI region  | Oracle Exadata Database@Azure | Oracle Autonomous Database@Azure | Oracle Database Autonomous Recovery Service@Azure| Exadata Database Service on Exascale Infrastructure@Azure | BaseDB | Golden Gate | Regional Availability |
 |------------|--|--------------------------|------------------------------| ------| ---- | ---- |----|-------|
 | France Central       |France central (Paris) | ✓   | ✓ | ✓ | ✓ | | |  Dual |
-| France South | France South (Marseille) |  ✓  | | | | | |   Single   |
-| Germany North |Germany Central (Frankfurt) | ✓  | ✓ | | | | |   Single    |
+| France South | France South (Marseille) |  ✓  | ✓ | | | | |   Single   |
+| Germany North |Germany Central (Frankfurt) | ✓  | ✓ |  | ✓ | | |   Single    |
 | Germany West Central |Germany Central (Frankfurt) |  ✓  | ✓ | ✓ | ✓ | ✓ | ✓ | Dual |
 | Italy North | Italy North (Milan)   | ✓   | ✓   | ✓ |  ✓ | ✓ | ✓ | Dual |
-| North Europe | Ireland (Dublin) | ✓  | ✓ |   | | | |   Dual   |
-| Spain Central | 	Spain Central (Madrid) | ✓  | ✓ | ✓ | | | |   Dual    |
-| Sweden Central | 	Sweden Central (Stockholm) | ✓  | ✓ | | | | |   Dual    |
+| North Europe | Ireland (Dublin) | ✓  | ✓ |   | | | ✓ |   Dual   |
+| Spain Central | 	Spain Central (Madrid) | ✓  | ✓ |  |  | | |   Dual    |
+| Sweden Central | 	Sweden Central (Stockholm) | ✓  | ✓ | | ✓ | | |   Dual    |
 | Switzerland North | Switzerland North (Zurich) | ✓  | ✓ | | | | |   Single    |
 | UAE Central | UAE Central (Abu Dhabi) | ✓  | ✓ | | | | |   Single    |
-| UAE North | UAE North (Dubai) | ✓  | ✓ | ✓ | | | |   Dual    |
+| UAE North | UAE North (Dubai) | ✓  | ✓ | ✓ | | | ✓ |   Dual    |
 | UK South| UK South (London)   | ✓   | ✓   | ✓ | ✓ | ✓ | ✓ | Dual |
 | UK West | UK West (Newport)	   | ✓   | ✓  | | ✓ | ✓ |  | Single |
+| West Europe | Netherlands Northwest (Amsterdam)   | ✓   | || | | | Single |
 
 
 ## North America (NA)
 
 | Azure region     | OCI region                 | Oracle Exadata Database@Azure | Oracle Autonomous Database@Azure | Oracle Database Autonomous Recovery Service@Azure | Exadata Database Service on Exascale Infrastructure@Azure | BaseDB     | Golden Gate  | Regional Availability |
 | ---------------- | -------------------------- | ----------------------------- | -------------------------------- | ------------------------------------------------- | --------------------------------------------------------- | ----------------- | --------------------- |---------|
-| Canada Central   | Canada Southeast (Toronto) | ✓      | ✓   |  ✓  | ✓   | ✓ | ✓ |  Dual |
+| Canada Central   | Canada Southeast (Toronto) | ✓   | ✓   |  ✓  | ✓   | ✓ | ✓ |  Dual |
 | Canada East | Canada Southeast (Montreal) | ✓  | ✓ | | | | |   Single    |
-| Central US       | US Midwest (Chicago)       | ✓       | ✓      | ✓    |  ✓   |  ✓  |      | Dual    |
-| East US          | US East (Ashburn)          | ✓     | ✓      | ✓      | ✓     | ✓ | ✓ | Dual|
-| East US 2        | US East (Ashburn)          | ✓    | ✓         | ✓       |  ✓   |   |  | Dual     |
-| North Central US | US Midwest (Chicago)   | ✓    |       |      |     |  |  | Single   |
-| South Central US | US South (Dallas)   | ✓     |  ✓        |           |    |   |   | Dual |
-| West US          | US West (San Jose)    | ✓    | ✓      | ✓     |  ✓   |  Preview available  |  | Single   |
-| West US 2        | US West (Quincy)  | ✓    |   ✓  |  ✓   |     |  |  | Dual |
-| West US 3        | US West (Phoenix)   | ✓   |   |  ✓ |    |  |  | Dual   |
+| Central US       | US Midwest (Chicago) | ✓   | ✓   | ✓  |  ✓   |  ✓  |   ✓   | Dual    |
+| East US          | US East (Ashburn)  | ✓   | ✓   | ✓  | ✓    | ✓ | ✓ | Dual|
+| East US 2        | US East (Ashburn)  | ✓    | ✓  | ✓  |  ✓   |   |  | Dual     |
+| North Central US | US Midwest (Chicago) | ✓  |  ✓ |  |  |  |  | Single   |
+| South Central US | US South (Dallas)| ✓  |  ✓  | |  |   |   | Dual |
+| West US          | US West (San Jose) | ✓    | ✓  | ✓  |  ✓   |  Preview available  |  | Single   |
+| West US 2        | US West (Quincy) | ✓  | ✓ |  ✓ |   |  |  | Dual |
+| West US 3        | US West (Phoenix) | ✓ |   |  ✓ |   |  |  | Dual   |
 
 
 > [!NOTE]

articles/sentinel/roles.md

@@ -30,15 +30,15 @@ The following built-in Azure roles are used for Microsoft Sentinel SIEM and gran
 
 | Role | SIEM support | Data lake support |
 |------|----------------------|------------------|
-| [**Microsoft Sentinel Reader**](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) | View data, incidents, workbooks, and other resources | Access advanced analytics and run interactive queries on workspaces only. |
+| [**Microsoft Sentinel Reader**](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) | View data, incidents, workbooks, recommendations and other resources | Access advanced analytics and run interactive queries on workspaces only. |
 | [**Microsoft Sentinel Responder**](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-responder) | All Reader permissions, plus manage incidents | N/A |
 | [**Microsoft Sentinel Contributor**](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) | All Responder permissions, plus install/update solutions, create/edit resources | Access advanced analytics and run interactive queries on workspaces only. |
 | [**Microsoft Sentinel Playbook Operator**](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-playbook-operator) | List, view, and manually run playbooks | N/A |
 | [**Microsoft Sentinel Automation Contributor**](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-automation-contributor) | Allows Microsoft Sentinel to add playbooks to automation rules. Not used for user accounts. | N/A |
 
 For example, the following table shows examples of tasks that each role can perform in Microsoft Sentinel:
 
-| Role | Run playbooks | Create/edit playbooks | Create/edit analytics rules, workbooks, etc. | Manage incidents | View data, incidents, workbooks | Manage content hub |
+| Role | Run playbooks | Create/edit playbooks | Create/edit analytics rules, workbooks, etc. | Manage incidents | View data, incidents, workbooks, recommendations | Manage content hub |
 |------|--------------|----------------------|----------------------------------------------|------------------|-------------------------------|-------------------|
 | [**Microsoft Sentinel Reader**](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) | -- | -- | --* | -- | ✓ | -- |
 | [**Microsoft Sentinel Responder**](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-responder) | -- | -- | --* | ✓ | ✓ | -- |

articles/virtual-wan/howto-private-link.md

@@ -19,7 +19,7 @@ ms.custom:
 
 ## Before you begin
 
-The steps in this article assume that you've  deployed a virtual WAN with one or more hubs and at least two virtual networks connected to Virtual WAN.
+The steps in this article assume that you  deployed a virtual WAN with one or more hubs and at least two virtual networks connected to Virtual WAN.
 
 To create a new virtual WAN and a new hub, use the steps in the following articles:
 
@@ -31,14 +31,14 @@ To create a new virtual WAN and a new hub, use the steps in the following articl
 
 Private Endpoint connectivity in Azure is stateful. When a connection to a private endpoint gets established through Virtual WAN, traffic is routed through one or more traffic hops through different Virtual WAN components (for example Virtual Hub router, ExpressRoute Gateway, VPN Gateway, Azure Firewall, or NVA). The exact hops traffic takes is based on your Virtual WAN routing configurations. Behind the scenes, Azure's software-defined networking layer sends all packets related to a single 5-tuple flow to one of the backend instances servicing different Virtual WAN components. Asymmetrically routed traffic (for example, traffic corresponding to a single 5-tuple flow routed to different backend instances) is not supported and is dropped by the Azure platform.
 
-During maintenance events on Virtual WAN infrastructure, backend instances are rebooted one at a time, which can lead to intermittent connectivity issues to Private Endpoint as the instance servicing the flow is temporarily unavailable. The similar problem can occur when Azure Firewall or Virtual hub router scales out. The same traffic flow can be load-balanced to a new backend instance that is different than the instance currently servicing the flow.
+During maintenance events on Virtual WAN infrastructure, backend instances are rebooted one at a time. This can lead to intermittent connectivity issues to Private Endpoint as the instance servicing the flow is temporarily unavailable. The similar problem can occur when Azure Firewall or Virtual hub router scales out. The same traffic flow can be load-balanced to a new backend instance that's different than the instance currently servicing the flow.
 
 To mitigate the impact of maintenance and scale-out events on Private Link or Private Endpoint traffic consider the following best practices:
 
-* Configure the TCP time-out value of your on-premises application to fall between 15-30 seconds. A smaller TCP time-out value will allow application traffic to recover more quickly from maintenance and scale-out events. Alternatively, test different application time-out values to determine a suitable time-out based on your requirements.
+* Configure the TCP timeout value of any application (whether hosted on premises or in another Azure Virtual Network) that is accessing the Private Link/Private Endpoint to fall between 15-30 seconds. A smaller TCP timeout value allows application traffic to recover more quickly from maintenance and scale-out events. Alternatively, test different application timeout values to determine a suitable timeout based on your requirements.
 * Pre-scale Virtual WAN components to handle traffic bursts to prevent autoscale events from occurring. For the Virtual Hub router, you can set the minimum routing infrastructure units on your hub router to prevent scaling during traffic bursts.
 
-Lastly, if you are using on-premises connectivity between Azure and on-premises using VPN or ExpressRoute, ensure your on-premises device is configured to use the same VPN tunnel or same Microsoft Enterprise Edge router as the next-hop for each 5-tuple corresponding to private endpoint traffic.
+Lastly, if you're using on-premises connectivity between Azure and on-premises using VPN or ExpressRoute, ensure your on-premises device is configured to use the same VPN tunnel or same Microsoft Enterprise Edge router as the next-hop for each 5-tuple corresponding to private endpoint traffic.
 
 ## <a name="endpoint"></a>Create a private link endpoint
 
@@ -50,13 +50,13 @@ After creating the Azure SQL Database, you can verify the private endpoint IP ad
 
 :::image type="content" source="./media/howto-private-link/endpoints.png" alt-text="private endpoints" lightbox="./media/howto-private-link/endpoints.png":::
 
-Clicking on the private endpoint we've created, you should see its private IP address and its Fully Qualified Domain Name (FQDN). The private endpoint should have an IP address in the range of the VNet  (10.1.3.0/24):
+Clicking on the private endpoint we created, you should see its private IP address and its Fully Qualified Domain Name (FQDN). The private endpoint should have an IP address in the range of the VNet  (10.1.3.0/24):
 
 :::image type="content" source="./media/howto-private-link/sql-endpoint.png" alt-text="SQL endpoint" lightbox="./media/howto-private-link/sql-endpoint.png":::
 
 ## <a name="connectivity"></a>Verify connectivity from the same VNet
 
-In this example, we verify connectivity to the Azure SQL Database from a Linux virtual machine with the MS SQL tools installed. The first step is verifying that DNS resolution works and the Azure SQL Database Fully Qualified Domain Name is resolved to a private IP address, in the same VNet where the Private Endpoint has been deployed (10.1.3.0/24):
+In this example, we verify connectivity to the Azure SQL Database from a Linux virtual machine with the MS SQL tools installed. The first step is verifying that DNS resolution works and the Azure SQL Database Fully Qualified Domain Name is resolved to a private IP address, in the same VNet where the Private Endpoint is deployed (10.1.3.0/24):
 
 ```bash
 nslookup wantest.database.windows.net
@@ -72,7 +72,7 @@ Name:   wantest.privatelink.database.windows.net
 Address: 10.1.3.228
 ```
 
-As you can see in the previous output, the FQDN `wantest.database.windows.net` is mapped to `wantest.privatelink.database.windows.net`, that the private DNS zone created along the private endpoint will resolve to the private IP address `10.1.3.228`. Looking into the private DNS zone will confirm that there's an A record for the private endpoint mapped to the private IP address:
+As you can see in the previous output, the FQDN `wantest.database.windows.net` is mapped to `wantest.privatelink.database.windows.net`, that the private DNS zone created along the private endpoint resolves to the private IP address `10.1.3.228`. Looking into the private DNS zone confirms that there's an A record for the private endpoint mapped to the private IP address:
 
 :::image type="content" source="./media/howto-private-link/dns-zone.png" alt-text="DNS zone" lightbox="./media/howto-private-link/dns-zone.png":::