Merge pull request #308927 from MicrosoftDocs/main

Auto Publish – main to live - 2025-12-02 12:00 UTC

Author: learn-build-service-prod[bot]

articles/application-gateway/application-gateway-faq.yml

@@ -137,7 +137,7 @@ sections:
           Yes. The Application Gateway v1 SKU continues to be supported. We strongly recommend moving to v2 to take advantage of the feature updates in that SKU. For more information on the differences between v1 and v2 features, see [Autoscaling and zone-redundant Application Gateway v2](application-gateway-autoscaling-zone-redundant.md). You can manually migrate Application Gateway v1 SKU deployments to v2 by following our [v1-v2 migration document](migrate-v1-v2.md).
           
       - question: Does Application Gateway v2 support proxying requests with NTLM or Kerberos authentication?
-        answer: Yes. Application Gateway v2 now supports proxying requests with NTLM or Kerberos authentication.For more information, see [Dedicated backend connection](configuration-http-settings.md#dedicated-backend-connection).
+        answer: Yes. Application Gateway v2 now supports proxying requests with NTLM or Kerberos authentication. For more information, see [Dedicated backend connection](configuration-http-settings.md#dedicated-backend-connection).
 
       - question: Why are some header values not present when requests are forwarded to my application?
         answer: Request header names can contain alphanumeric characters and hyphens. Request header names that contain other characters are discarded when a request is sent to the backend target. Response header names can contain any alphanumeric characters and specific symbols as defined in [RFC 7230](https://tools.ietf.org/html/rfc7230#page-27).
@@ -287,9 +287,9 @@ sections:
 
       - question: Does Application Gateway support FIPS?
         answer: |
-          Application Gateway v1 SKUs can run in a FIPS 140-2 approved mode of operation, which is commonly referred to as "FIPS mode." FIPS mode calls a FIPS 140-2 validated cryptographic module that ensures FIPS-compliant algorithms for encryption, hashing, and signing when enabled. To ensure FIPS mode is enabled, the `FIPSMode` setting must be configured via PowerShell, Azure Resource Manager template, or REST API after the subscription has been enrolled to enable configuration of `FIPSmode`.
-
-          **Note:** As part of the FedRAMP compliance, US Government mandates that systems operate in a [FIPS-approved mode](/azure/compliance/offerings/offering-fips-140-2) after August 2024. 
+          Application Gateway SKUs can run in a FIPS 140-2 approved mode of operation, which is commonly referred to as "FIPS mode." FIPS mode calls a FIPS 140-2 validated cryptographic module that ensures FIPS-compliant algorithms for encryption, hashing, and signing when enabled. To ensure FIPS mode is enabled, the `FIPSMode` setting must be configured via Portal (for V2), PowerShell, Azure Resource Manager template, or REST API.
+          
+          **Steps to enable FIPS Mode in V2 SKU**: See [Enable FIPS mode for Azure Application Gateway V2 SKU](fips.md).          
           
           **Steps to enable FIPS Mode in V1 SKU**:
           
@@ -430,7 +430,7 @@ sections:
         answer: |
           Yes, the Application Gateway v2 SKU supports Key Vault. For more information, see [TLS termination with Key Vault certificates](key-vault-certs.md).
           
-      - question: How do I configure HTTPS listeners for .com and .net sites? 
+      - question: How do I configure HTTPS listeners for .com and .NET sites? 
         answer: |
           For multiple domain-based (host-based) routing, you can create multisite listeners, set up listeners that use HTTPS as the protocol, and associate the listeners with the routing rules. For more information, see [Hosting multiple sites by using Application Gateway](./multiple-site-overview.md).
           

articles/application-gateway/fips.md

@@ -0,0 +1,77 @@
+---
+title: FIPS 140 on Azure Application Gateway
+description: Learn how to enable FIPS mode for Azure Application Gateway V2 SKU.
+services: application gateway
+author: jaesoni
+ms.service: azure-application-gateway
+ms.topic: concept-article
+ms.date: 12/01/2025
+ms.author: greglin
+---
+
+# FIPS mode in Application Gateway
+
+Application Gateway V2 SKUs can run in a FIPS (Federal Information Processing Standard) 140 approved mode of operation, which is commonly referred to as "FIPS mode." With FIPS mode, Application Gateway supports cryptographic modules and data encryption. The FIPS mode calls a FIPS 140-2 validated cryptographic module that ensures FIPS-compliant algorithms for encryption, hashing, and signing when enabled.
+
+## Clouds and Regions
+
+| Cloud | Status  | Default behavior | 
+| ---------- | ---------- | ---------- |
+| Azure Government (Fairfax) | Supported | Enabled for deployments through Portal |
+| Public | Supported | Disabled |
+| Microsoft Azure operated by 21Vianet | Supported | Disabled |
+
+Since FIPS 140 is mandatory for US federal agencies, Application Gateway V2 has FIPS mode enabled by default in Azure Government (Fairfax) cloud. Customers can disable FIPS mode if they have legacy clients using older cipher suites, though it isn't recommended. As part of the FedRAMP compliance, the US Government mandates that systems operate in a [FIPS-approved mode](/azure/compliance/offerings/offering-fips-140-2) after August 2024.
+
+For rest of the clouds, customers must opt in to enable the FIPS mode.
+
+## FIPS mode operation
+
+Application Gateway utilizes a rolling upgrade process to implement configurations with the FIPS validated cryptographic module across all instances. The duration for enabling or disabling FIPS mode may range from 15 to 60 minutes, depending on the number of configured or currently running instances.
+
+> [!IMPORTANT]
+> The FIPS mode configuration change can take anywhere between 15 to 60 minutes depending on the number of instances for your gateway.
+
+Once enabled, the gateway exclusively supports TLS policies and cipher suites that comply with FIPS standards. Consequently, the portal displays only the restricted selection of TLS policies (both Predefined and Custom).
+
+## Supported TLS policies
+
+Application Gateway offers two mechanisms for controlling TLS policy. You can use either a Predefined policy or a Custom policy. For complete details, visit [TLS policy overview](application-gateway-ssl-policy-overview.md). A FIPS-enabled Application Gateway resource only supports the following policies.
+
+### Predefined
+* AppGwSslPolicy20220101
+* AppGwSslPolicy20220101S
+
+### Custom V2
+**Versions**
+* TLS 1.3
+* TLS 1.2 
+
+**Cipher suites**
+
+* TLS_AES_128_GCM_SHA256
+* TLS_AES_256_GCM_SHA384
+* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
+* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
+* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 
+
+Due to the restricted compatibility of TLS policies, enabling FIPS automatically selects AppGwSslPolicy20220101 for both "SSL Policy" and "SSL Profile." It can be modified to use other FIPS-compliant TLS policies later. To support legacy clients with other noncompliant cipher suites, it's possible to disable the FIPS mode, although it isn't recommended for resources within the scope of FedRAMP infrastructure.
+
+## Enabling FIPS mode in V2 SKU
+
+**Azure portal**
+
+To control the FIPS mode setting through Azure portal,
+
+1. Navigate to your application gateway resource.
+2. Open the Configuration blade in the left menu pane.
+3. Switch the FIPS mode toggle as "Enabled".
+
+## Next steps
+
+Know about the supported [TLS policies on Application Gateway](application-gateway-ssl-policy-overview.md).

articles/application-gateway/toc.yml

@@ -99,6 +99,8 @@
     href: key-vault-certs.md
   - name: SSL certificate management
     href: ssl-certificate-management.md
+  - name: FIPS 140 support on V2
+    href: fips.md
   - name: Security baseline
     href: /security/benchmark/azure/baselines/application-gateway-security-baseline?toc=/azure/application-gateway/toc.json
   - name: TLS 1.0 and 1.1 retirement

articles/azure-change-tracking-inventory/overview-monitoring-agent.md

@@ -3,7 +3,7 @@ title: Azure Change Tracking and Inventory overview using Azure Monitoring Agent
 description: Learn about Change Tracking and Inventory feature using Azure monitoring agent, which helps you identify software and Microsoft service changes in your environment.
 #customer intent: As a customer, I want to evaluate the compatibility of Azure Change Tracking and Inventory with my existing infrastructure so that I can ensure seamless integration.
 services: automation
-ms.date: 11/06/2025
+ms.date: 12/02/2025
 ms.topic: overview
 ms.service: azure-change-tracking-inventory
 ms.author: v-jasmineme
@@ -12,7 +12,7 @@ author: jasminemehndir
 
 # About Azure Change Tracking and Inventory
 
-This article provides an overview of Azure Change Tracking and Inventory (CTI) using Azure Monitoring Agent (AMA). This article also includes the key features and benefits of the service.
+This article provides an overview of Azure Change Tracking and Inventory (CTI) using Azure Monitor Agent (AMA). This article also includes the key features and benefits of the service.
 
 ## What is Change Tracking and Inventory
 

articles/migrate/concepts-overview.md

@@ -30,10 +30,9 @@ This article provides an overview of Azure Migrate assessments. An Azure Migrate
 | **Workloads**  | **Details**  |
 |----------|-------|
 | Servers | Assess your servers hosted on-premises or public clouds to migrate to Azure virtual machines. |
+| Azure VMware Solution (AVS) | Assess your on-premises servers hosted on VMware to Azure VMware Solution (AVS). [Learn more.](/azure/azure-vmware/introduction) |
 | SQL servers and databases | Assess your SQL servers to migrate to Azure SQL Database, Azure SQL Managed Instance, or SQL server on Azure VM. |
 | Webapps | Assess your web apps to migrate to Azure App Service, Azure Spring Apps, or Azure Kubernetes Service. |
- Azure VMware Solution (AVS) | Assess your on-premises servers hosted on VMware to Azure VMware Solution (AVS). Learn more. |
-
 
 ## Prerequisites for assessments
 
@@ -55,17 +54,17 @@ The recommended discovery source is Azure Migrate appliance as it provides an in
 
 After you populate the inventory, you can gather relevant workloads to assess into a group and run an assessment for the group with appropriate assessment type.
 
-## Data collected by appliance collect
+## Data collected by appliance
 
 If you're using the Azure Migrate appliance for assessment, see metadata and performance data collected as an input for the assessment.
 
 ## Assessments are calculated
 
 Every assessment calculates the following three attributes:
 
-**Identifying Azure readiness**: Assess whether workloads are suitable for migration to Azure.
-**Calculate right-sizing recommendations**: Estimate compute, storage, and network sizing and recommend customers right-sized Azure target services to migrate.
-**Calculate monthly costs**: Calculate the estimated monthly resource cost for running the migrated workloads in Azure after migration.
+1. **Identifying Azure readiness**: Assess whether workloads are suitable for migration to Azure.
+1. **Calculate right-sizing recommendations**: Estimate compute, storage, and network sizing and recommend customers right-sized Azure target services to migrate.
+1. **Calculate monthly costs**: Calculate the estimated monthly resource cost for running the migrated workloads in Azure after migration.
 
 Calculations are in the preceding order. A workload moves to a later stage only if it passes the previous one. For example, if a server fails the Azure readiness stage, it's marked as unsuitable for Azure. Sizing and cost calculations aren't done for that server.
 
@@ -83,7 +82,7 @@ Apart from configuration and performance data, Azure Migrate assessment also con
 | Azure Hybrid Benefit | Specifies whether you have software assurance and are eligible for Azure Hybrid Benefit to use your existing OS and SQL licenses. If the setting is enabled, Azure prices for selected operating systems aren't considered for VM costing and SQL license cost isn't considered in SQL target costing. |
 | Security |Specifies whether you want to assess readiness and cost for security tooling on Azure. If the setting has the default value Yes, with Microsoft Defender for Cloud, it assesses security readiness and costs for your Azure VM with Microsoft Defender for Cloud.|
 
-Review the best practices for creating an assessment with Azure Migrate.
+Review the [best practices for creating an assessment](./best-practices-assessment.md) with Azure Migrate.
 
 ## Next steps
 

articles/migrate/how-to-create-azure-vmware-solution-assessment.md

@@ -20,7 +20,6 @@ This article describes how to create an Azure VMware Solution assessment for on-
 ## Before you start
 
 - [Create](./create-manage-projects.md) an Azure Migrate project.
-- [Add](how-to-assess.md) the Azure Migrate: Discovery and assessment tool if you've already created a project.
 - Discover your on-premises inventory data using any of the following approaches:
     - [Import your RVTools XLSX file](tutorial-import-vmware-using-rvtools-xlsx.md) OR
     - [Import the server metadata in comma-separated values (CSV) format](./tutorial-discover-import.md) OR
@@ -80,7 +79,7 @@ There are two types of sizing criteria that you can use to create Azure VMware S
     - In **SDDC type**, specify "New SDDC" if you are creating a new private cloud. Use "AVS SDDC expansion" if you already have an AVS private cloud with hosts deployed and want to add more VMs to the existing SDDC. When assessing for expanding a private cloud, it will not consider the available capacity in the AVS private cloud but will consider the capacity requirements for management appliances.
     - The **Storage type** is defaulted to consider three supported storage solutions in AVS: **vSAN**, **Elastic SAN** and **Azure NetApp Files (ANF)** (Standard, Premium and Ultra tiers). Elastic SAN and ANF are external storage types in AVS that will be used when storage is the limiting factor considering the configuration/performance of the incoming VMs. **Elastic SAN** can be selected if assessment needs to be performed using vSAN & Elastic SAN as the storage datastores.
         - When performance metrics are provided (IOPS and throughput) in settings or via data discovered using the Azure migrate appliance or in the imported CSV file, the assessment selects the tier that satisfies the performance requirements of the incoming VMs’ disks.
-        - If the assessment is performed using data from an RVTools file or if the Azure Migrate appliance is unable to discover performance metrics like throughput and IOPS, **Elastic SAN** or **ANF - Standard** (the most cost-effective one among the two) is considered for assessment.
+        - If the assessment is performed using data from an RVTools file or if the Azure Migrate appliance is unable to discover performance metrics like throughput and IOPS, the most cost-effective storage solution and tier among **Elastic SAN** and **ANF - Standard** is considered for assessment.
 
 1. In **Storage Settings**:
     - In **FTT setting, RAID level**, select the Failure to Tolerate and RAID combination. **FTT 1, RAID 1 & FTT 2, RAID 6** are selected by default. The selected FTT option, combined with the on-premises server disk requirement, determines the total vSAN storage required in AVS.
@@ -111,7 +110,7 @@ There are two types of sizing criteria that you can use to create Azure VMware S
 1. In **Review + create assessment**, review the assessment details, and select **Create** to run the assessment.
 
     > [!NOTE]
-    > For discovering data using the Azure migrate appliance for creating assessments, we recommend that you wait at least a day after starting discovery before you create an assessment. This provides time to collect performance data with higher confidence. Ideally, after you start discovery, wait for the performance duration you specify (day/week/month) for a high [performance coverage](/azure/migrate/concepts-assessment-calculation?view=migrate#coverage.
+    > For discovering data using the Azure migrate appliance for creating assessments, we recommend that you wait at least a day after starting discovery before you create an assessment. This provides time to collect performance data with higher confidence. Ideally, after you start discovery, wait for the performance duration you specify (day/week/month) for a high [performance coverage](/azure/migrate/concepts-assessment-calculation?view=migrate#coverage).
 
     :::image type="content" source="./media/tutorial-assess-vmware-azure-vmware-solution/assessment-overview-v2.png" alt-text="Screenshot showing an overview of an Azure VMware Solution assessment." lightbox="./media/tutorial-assess-vmware-azure-vmware-solution/assessment-overview-v2.png" :::
 

articles/sentinel/datalake/sentinel-lake-onboarding.md

@@ -73,6 +73,8 @@ This article describes how customers using Microsoft Defender, Data Security Inv
 
 ## Prerequisites
 
+[!INCLUDE [Customer-managed keys limitation](../includes/customer-managed-keys-limitation.md)]
+
 To onboard to the Microsoft Sentinel data lake and graph in Microsoft Defender XDR, Data Security Investigations, and Insider Risk Management, you must meet the following prerequisites:
 
 + Microsoft Defender (`security.microsoft.com`) and Microsoft Sentinel must be configured. A Microsoft Defender XDR license isn't required to use Microsoft Sentinel data lake with Microsoft Sentinel in the Microsoft Defender portal.

articles/sentinel/includes/customer-managed-keys-limitation.md

@@ -0,0 +1,9 @@
+---
+author: EdB-MSFT
+ms.author: edbayansh
+ms.topic: include
+ms.date: 07/30/2025
+---
+
+> [!IMPORTANT]
+> If your organization uses Customer-Managed Keys (CMK) for data encryption, be aware that CMK isn't fully supported for data stored in the Microsoft Sentinel data lake. Any data ingested into the data lake, such as custom tables or transformed data is encrypted using Microsoft-managed keys. Onboarding to the Microsoft Sentinel data lake may not fully align with your organization's encryption policies or data protection standards.

articles/sentinel/includes/service-limits-table-manaement-ingestion.md

@@ -6,6 +6,8 @@ ms.date: 07/15/2025
 ---
 
 ## Service parameters and limits for tables, data management, and ingestion
+
+[!INCLUDE [Customer-managed keys limitation](../includes/customer-managed-keys-limitation.md)]
 
 The following table lists the service parameters and limits for the Microsoft Sentinel data lake service related to table management, data ingestion, and retention. These limits include, but aren't limited to, Azure Resource Graph data, Microsoft 365 data, and data mirroring.
 

articles/vpn-gateway/point-to-site-user-groups-create.md

@@ -205,17 +205,19 @@ Configure four members, one for each group:
 
 ```azurepowershell-interactive
 $member1 = New-AzVirtualNetworkGatewayPolicyGroupMember -Name "member1" `
--AttributeType "CertificateGroupId" -AttributeValue "marketing.contoso.com" `
+-AttributeType "CertificateGroupId" -AttributeValue "marketing.contoso.com"
 
 $member2 = New-AzVirtualNetworkGatewayPolicyGroupMember -Name "member2" `
--AttributeType "CertificateGroupId" -AttributeValue "sale.contoso.com" `
+-AttributeType "CertificateGroupId" -AttributeValue "sale.contoso.com"
 
 $member3 = New-AzVirtualNetworkGatewayPolicyGroupMember -Name "member3" `
--AttributeType "AADGroupId" -AttributeValue "{ObjectId1}" `
+-AttributeType "AADGroupId" -AttributeValue "{ObjectId1}"
 
 $member4 = New-AzVirtualNetworkGatewayPolicyGroupMember -Name "member4" `
--AttributeType "AADGroupId" -AttributeValue "{ObjectId2}" `
+-AttributeType "AADGroupId" -AttributeValue "{ObjectId2}"
 ```
+> [!NOTE]
+> We use curly brackets {} to indicate placeholders, for example {ObjectId1}. Replace {ObjectId1} with the actual value, and do not include the curly brackets in the final value.
 
 ### 7. Create virtual network gateway policy groups