
Commit 3c32f7e

Merge pull request #312294 from msmbaldwin/uuf-fixes-feb2026
Fix UUF feedback for 3 security fundamentals articles
2 parents 4ceb573 + bd98e62 commit 3c32f7e

3 files changed

Lines changed: 15 additions & 3 deletions


articles/security/fundamentals/azure-certificate-authority-details.md

Lines changed: 5 additions & 1 deletion
@@ -24,7 +24,11 @@ Any entity trying to access Microsoft Entra identity services via the TLS/SSL pr
2424

2525
- The Serial Number (top string in the table) contains the hexadecimal value of the certificate serial number.
2626
- The Thumbprint (bottom string in the table) is the SHA1 thumbprint.
27-
- For those CAs that must be downloaded over HTTP and not HTTPS, copy the link and paste into the URL field on a new tab.
27+
- For those CAs that must be downloaded over HTTP and not HTTPS, copy the link and paste into the URL field on a new tab.
28+
29+
**How to find certificate validity (expiry) dates:**
30+
31+
To determine when a certificate expires, download the certificate file and view its properties. On Windows, double-click the downloaded `.crt` file and check the **Valid from** and **Valid to** fields under the **General** tab. On Linux or macOS, use `openssl x509 -in <certificate-file> -noout -dates` to display the validity period. Root CAs typically have validity periods of 15-25 years, while subordinate CAs have shorter validity periods of 3-10 years.
2832

2933
# [Root and Subordinate CAs list](#tab/root-and-subordinate-cas-list)
3034
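Review bot: the `openssl x509 -in <certificate-file> -noout -dates` command added at line 31 only works if the downloaded `.crt` is PEM-encoded; if the file is DER-encoded (common for CA downloads) OpenSSL fails with `unable to load certificate`. Suggest `openssl x509 -inform DER -in <certificate-file> -noout -dates` with a note to drop `-inform DER` for PEM files. Since the bullets just above say the bottom string in the table is the SHA1 thumbprint and the top string is the serial number, the same paragraph should also show how to confirm the downloaded file matches the table entry, e.g. `openssl x509 -inform DER -in <certificate-file> -noout -serial -fingerprint -sha1`; that check matters most for the CAs the previous bullet says must be fetched over plain HTTP. The "15-25 years" and "3-10 years" validity ranges are unsourced generalizations; either tie them to the entries in the table below or drop them.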

articles/security/fundamentals/azure-domains.md

Lines changed: 9 additions & 1 deletion
@@ -15,11 +15,19 @@ ms.date: 01/06/2026
1515

1616
This page is a partial list of the Azure domains in use. Some of them are REST API endpoints.
1717

18+
Unlike IP address ranges (which Azure publishes in the [Azure IP Ranges and Service Tags](https://www.microsoft.com/download/details.aspx?id=56519) download), a complete list of all Azure FQDNs isn't feasible because:
19+
20+
- **Dynamic resource names**: Azure creates subdomains dynamically based on customer-provided resource names (for example, `myapp.azurewebsites.net` or `mystorageaccount.blob.core.windows.net`), resulting in millions of unique FQDNs.
21+
- **Regional variations**: Many services use region-specific endpoints (for example, `*.westus2.cloudapp.azure.com`).
22+
- **Constant evolution**: New services and endpoints are added regularly.
23+
24+
For firewall configurations, use the wildcard patterns shown in the **Subdomain** column (for example, `*.blob.core.windows.net`) rather than attempting to enumerate all possible FQDNs. For service-specific endpoint requirements, see the individual service documentation.
25+
1826

1927
|Service |Subdomain |
2028
|---------|---------|
2129
|[Azure Access Control Service](https://azure.microsoft.com/blog/one-month-retirement-notice-access-control-service/) (retired)|*.accesscontrol.windows.net|
22-
|[Microsoft Entra ID](/entra/fundamentals/active-directory-whatis.md)|*.graph.windows.net / *.onmicrosoft.com|
30+
|[Microsoft Entra ID](/entra/fundamentals/whatis)|*.graph.windows.net / *.onmicrosoft.com|
2331
|[Azure API Management](https://azure.microsoft.com/services/api-management/)|*.azure-api.net|
2432
|[Azure BizTalk Services](https://azure.microsoft.com/pricing/details/biztalk-services/) (retired)|*.biztalk.windows.net|
2533
|[Azure Blob storage](../../storage/blobs/storage-blobs-introduction.md)|*.blob.core.windows.net|
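Review bot: the firewall guidance added at line 24 recommends wildcard patterns such as `*.blob.core.windows.net` without stating the trade-off: a wildcard egress rule admits every tenant's storage account under that suffix, including one an attacker controls, so it does not bound data exfiltration the way an allow-list of your own resource FQDNs (or the IP-based Service Tags the paragraph contrasts it with) does. Suggest adding a sentence that wildcard FQDN rules solve reachability, not data-boundary control, and that sensitive workloads should scope rules to the specific resource FQDNs they use. Also, "millions of unique FQDNs" in the first bullet is a figure the page cannot back; "a very large and constantly changing set" makes the same point without it.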

articles/security/fundamentals/identity-management-best-practices.md

Lines changed: 1 addition & 1 deletion
@@ -60,7 +60,7 @@ In a hybrid identity scenario we recommend that you integrate your on-premises a
6060
> [!Note]
6161
> There are [factors that affect the performance of Microsoft Entra Connect](/entra/identity/hybrid/connect/plan-connect-performance-factors). Ensure Microsoft Entra Connect has enough capacity to keep underperforming systems from impeding security and productivity. Large or complex organizations (organizations provisioning more than 100,000 objects) should follow the [recommendations](/entra/identity/hybrid/connect/whatis-azure-ad-connect) to optimize their Microsoft Entra Connect implementation.
6262
63-
- **Dont synchronize accounts to Microsoft Entra ID that have high privileges in your existing Active Directory instance.**: Don't change the default [Microsoft Entra Connect configuration](/entra/identity/hybrid/connect/how-to-connect-sync-configure-filtering) that filters out these accounts. This configuration mitigates the risk of adversaries pivoting from cloud to on-premises assets (which could create a major incident).
63+
- **Don't synchronize accounts to Microsoft Entra ID that have high privileges in your existing Active Directory instance.**: The default [Microsoft Entra Connect configuration](/entra/identity/hybrid/connect/how-to-connect-sync-configure-filtering) only excludes the built-in Administrator account (RID 500). To protect other highly privileged accounts such as Domain Admins and Enterprise Admins, use [OU-based filtering](/entra/identity/hybrid/connect/how-to-connect-sync-configure-filtering#organizational-unitbased-filtering) or [attribute-based filtering](/entra/identity/hybrid/connect/how-to-connect-sync-configure-filtering#attribute-based-filtering) to exclude them from synchronization. This configuration mitigates the risk of adversaries pivoting from cloud to on-premises assets (which could create a major incident).
6464

6565
- **Turn on password hash synchronization.**: Password hash synchronization is a feature used to synch user password hashes from an on-premises Active Directory instance to a cloud-based Microsoft Entra instance. This sync helps to protect against leaked credentials being replayed from previous attacks.
6666
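Review bot: the replacement bullet at line 63 asserts that the default Microsoft Entra Connect configuration "only excludes the built-in Administrator account (RID 500)", while the removed wording said the default filters out high-privilege accounts in general; the two versions disagree on a fact, and the commit message does not say which was verified. Please confirm the new claim against the linked filtering page before merge, and phrase it in terms of what the default does not cover (e.g. "the default configuration doesn't exclude user accounts that are members of Domain Admins or Enterprise Admins"), which is the point the bullet needs. The bullet should also say which of the two linked filtering methods to prefer and why: OU-based filtering is easy to audit but only works if privileged accounts are kept in dedicated OUs, whereas attribute-based filtering catches privileged accounts wherever they live. Minor: the `.**:` after the bold lead-in doubles up punctuation, here and in the "Turn on password hash synchronization" bullet below; drop the colon in both.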
