docs: update NSP page - fix Geo-DR claims, add CLI verify and troubleshooting

EldertGrootenboerMS · EldertGrootenboerMS · commit 2639b891a855 · 2026-04-10T12:25:06.000-07:00
- Fix inaccurate NOTE block: Geo-Replication works with NSP, legacy Geo-DR
  requires both namespaces on the same perimeter (not unsupported)
- Add CLI verification section (az servicebus namespace network-rule-set show)
- Add troubleshooting section for feature flag errors and Geo-DR pairing error
- Update ms.date to 04/10/2026
diff --git a/articles/service-bus-messaging/network-security-perimeter.md b/articles/service-bus-messaging/network-security-perimeter.md
@@ -3,7 +3,7 @@ title: Network Security Perimeter
 titleSuffix: Azure Service Bus
 description: Learn how to associate an Azure Service Bus namespace with a network security perimeter
 ms.reviewer: spelluru
-ms.date: 03/30/2026
+ms.date: 04/10/2026
 author: EldertGrootenboer
 ms.author: egrootenboer
 ms.topic: feature-guide
@@ -34,7 +34,7 @@ Azure Service Bus supports scenarios that require access to other PaaS resources
 - **Customer-managed keys (CMK)** require communication with Azure Key Vault. For more information, see [Configure customer-managed keys for encrypting Azure Service Bus data at rest](configure-customer-managed-key.md).
 
 > [!NOTE]
-> - Network security perimeter currently doesn't support [Azure Service Bus Geo-Replication](./service-bus-geo-replication.md).
+> - For legacy Geo-disaster recovery (alias-based pairing), both the primary and secondary namespaces must be associated with the same network security perimeter. If only the primary is associated, pairing fails.
 > - Network security perimeter rules don't govern private link traffic through [private endpoints](../private-link/private-endpoint-overview.md).
 
 ## Create a network security perimeter
@@ -52,6 +52,41 @@ You can associate your Service Bus namespace with a network security perimeter d
 1. Select a profile to associate with the namespace.
 1. Select **Associate** to complete the association.
 
+## Verify NSP association using Azure CLI
+
+To verify that your namespace is associated with a network security perimeter:
+
+```azurecli
+az servicebus namespace network-rule-set show \
+  --name <namespace-name> \
+  --resource-group <resource-group>
+```
+
+When associated, the `publicNetworkAccess` field shows `SecuredByPerimeter`.
+
+## Troubleshooting
+
+### "This feature isn't available for given subscription"
+
+Some network security perimeter capabilities require feature flags to be registered on your subscription. If you encounter this error when configuring access rules or perimeter links, register the required feature flag and re-register the network provider:
+
+| Capability | Feature flag | Registration command |
+|------------|-------------|---------------------|
+| Cross-perimeter links | `AllowNspLink` | `az feature register --namespace Microsoft.Network --name AllowNspLink` |
+| Service tag inbound rules | `EnableServiceTagsInNsp` | `az feature register --namespace Microsoft.Network --name EnableServiceTagsInNsp` |
+
+After registering, propagate the change:
+
+```azurecli
+az provider register -n Microsoft.Network
+```
+
+Feature flag propagation can take up to 15 minutes.
+
+### "DisasterRecoveryConfigSecondaryMustHaveAssociationsUnderSameNSP"
+
+When creating a legacy Geo-disaster recovery pairing, both the primary and secondary namespaces must be associated with the same network security perimeter. Associate the secondary namespace with the same perimeter, then retry the pairing.
+
 ## Related content
 
 - [Network security perimeter concepts](../private-link/network-security-perimeter-concepts.md)
