Merge branch 'main' into v3-logic-apps

Author: johndowns

.openpublishing.redirection.json

@@ -6355,6 +6355,11 @@
       "redirect_url": "/azure/storage/container-storage/install-container-storage-aks",
       "redirect_document_id": true
     },
+    {
+      "source_path": "articles/reliability/reliability-cosmos-mongodb.md",
+      "redirect_url": "/azure/reliability/reliability-documentdb",
+      "redirect_document_id": true
+    },
     {
       "source_path": "articles/communications-gateway/connectivity.md",
       "redirect_url": "/previous-versions/azure/communications-gateway/connectivity",

articles/api-management/TOC.yml

@@ -714,6 +714,8 @@
       href: breaking-changes/identity-provider-adal-retirement-sep-2025.md
     - name: CAPTCHA endpoint update (September 2025)
       href: breaking-changes/captcha-endpoint-change-sep-2025.md
+    - name: Trusted service connectivity retirement (March 2026)
+      href: breaking-changes/trusted-service-connectivity-retirement-march-2026.md
     - name: Built-in analytics dashboard retirement (March 2027)
       href: breaking-changes/analytics-dashboard-retirement-march-2027.md
   - name: Regional availability

articles/api-management/api-management-howto-disaster-recovery-backup-restore.md

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 06/16/2025
+ms.date: 12/05/2025
 ms.author: danlep 
 ms.custom: devx-track-azurepowershell
 ---
@@ -399,7 +399,18 @@ Restore is a long-running operation that may take several minutes to complete. I
 ## Storage networking constraints
 
 
-If the storage account is **[firewall][azure-storage-ip-firewall] enabled**, it's recommended to use the API Management instance's system-assigned managed identity for access to the account. Ensure that the storage account [grants access to trusted Azure services](../storage/common/storage-network-security.md?tabs=azure-portal#grant-access-to-trusted-azure-services).
+If the storage account is **[firewall][azure-storage-ip-firewall] enabled**, it's recommended to use the API Management instance's system-assigned managed identity for access to the account. Ensure that you have networking line of sight from API Management. Configure one of the following network access options on the resource:
+
+- Allow public access from all networks.
+
+- Set a network security rule to allow API Management traffic based on the IP address or virtual network connectivity.
+
+- Secure traffic from API Management with Private Link connectivity.
+
+- Use a [network security perimeter](/azure/private-link/network-security-perimeter-concepts#onboarded-private-link-resources) to secure the resource and allow traffic from API Management. 
+
+> [!IMPORTANT]
+> Starting March 2026, trusted service connectivity to Azure services from API Management by enabling the **Allow Trusted Microsoft Services to bypass this firewall** firewall setting will no longer be supported. To continue accessing these services from API Management after this change, ensure that you choose a supported network access option as described above. [Learn more](breaking-changes/trusted-service-connectivity-retirement-march-2026.md)
 
 ## What is not backed up
 -   **Usage data** used for creating analytics reports **isn't included** in the backup. Use [Azure API Management REST API][azure api management rest api] to periodically retrieve analytics reports for safekeeping.

articles/api-management/api-management-howto-use-managed-service-identity.md

@@ -314,14 +314,27 @@ You can use the system-assigned identity to authenticate to a backend service vi
 
 ### Connect to Azure resources behind an IP firewall by using a system-assigned managed identity
 
+For certain scenarios, API Management can communicate with resources in the following services using a system-assigned managed identity configured with an appropriate role assignment:
 
-API Management is a trusted Microsoft service to the following resources. This trusted status enables the service to connect to the following resources behind a firewall. After you explicitly assign the appropriate Azure role to the [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) for a resource instance, the scope of access for the instance corresponds to the Azure role that's assigned to the managed identity.
+- Azure Key Vault
+- Azure Storage
+- Azure Service Bus
+- Azure Event Hubs
+- Azure Container Registry
+- Azure Managed HSM
 
+For resources in these services that are protected by an IP firewall, ensure that you have networking line of sight from API Management. Configure one of the following network access options on the resource:
 
-- [Trusted access for Key Vault](/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services)
-- [Trusted access for Azure Storage](../storage/common/storage-network-security-trusted-azure-services.md?tabs=azure-portal#trusted-access-based-on-system-assigned-managed-identity)
-- [Trusted access for Azure Services Bus](../service-bus-messaging/service-bus-ip-filtering.md#trusted-microsoft-services)
-- [Trusted access for Azure Event Hubs](../event-hubs/event-hubs-ip-filtering.md#trusted-microsoft-services)
+- Allow public access from all networks.
+
+- Set a network security rule to allow API Management traffic based on the IP address or virtual network connectivity.
+
+- Secure traffic from API Management with Private Link connectivity.
+
+- Use a [network security perimeter](/azure/private-link/network-security-perimeter-concepts#onboarded-private-link-resources) to secure the resource and allow traffic from API Management. 
+
+> [!IMPORTANT]
+> Starting March 2026, trusted service connectivity to Azure services from API Management by enabling the **Allow Trusted Microsoft Services to bypass this firewall** firewall setting will no longer be supported. To continue accessing these services from API Management after this change, ensure that you choose a supported network access option as described above. [Learn more](breaking-changes/trusted-service-connectivity-retirement-march-2026.md)
 
 ### Log events to an event hub
 
@@ -456,7 +469,7 @@ Following are some common scenarios for using a user-assigned managed identity i
 You can use a user-assigned identity to establish trust between an API Management instance and Key Vault. This trust can then be used to retrieve custom TLS/SSL certificates that are stored in Key Vault. You can then assign these certificates to custom domains in the API Management instance.
 
 > [!IMPORTANT]
-> If [Key Vault firewall](/azure/key-vault/general/network-security) is enabled on your key vault, you can't use a user-assigned identity for access from API Management. You can use the system-assigned identity instead. In Key Vault firewall, the **Allow Trusted Microsoft Services to bypass this firewall** option must be enabled.
+> If [Key Vault firewall](/azure/key-vault/general/network-security) is enabled on your key vault, you can't use a user-assigned identity for access from API Management. You can use the system-assigned identity instead. For more information, see the section [Requirements for key vault firewall](#requirements-for-key-vault-firewall).
 
 Take these considerations into account:
 
@@ -472,7 +485,7 @@ Take these considerations into account:
 You can use a user-assigned managed identity to access Key Vault to store and manage secrets for use in API Management policies. For more information, see [Use named values in Azure API Management policies](api-management-howto-properties.md). 
 
 > [!NOTE]
-> If [Key Vault firewall](/azure/key-vault/general/network-security) is enabled on your key vault, you can't use a user-assigned identity for access from API Management. You can use the system-assigned identity instead. In Key Vault firewall, the **Allow Trusted Microsoft Services to bypass this firewall** option must be enabled.
+> If [Key Vault firewall](/azure/key-vault/general/network-security) is enabled on your key vault, you can't use a user-assigned identity for access from API Management. You can use the system-assigned identity instead. For more information, see the section [Requirements for key vault firewall](#requirements-for-key-vault-firewall).
 
 ### Authenticate to a backend by using a user-assigned identity
 

articles/api-management/breaking-changes/media/trusted-service-connectivity-retirement-march-2026/network-connectivity-storage.png

@@ -6,14 +6,13 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: reference
-ms.date: 07/17/2025
+ms.date: 12/03/2025
 ms.author: danlep
 ---
 
 # Upcoming breaking changes
 
-[!INCLUDE [api-management-availability-premium-dev-standard-basic-consumption](../../../includes/api-management-availability-premium-dev-standard-basic-consumption.md)]
-
+[!INCLUDE [api-management-availability-all-tiers](../../../includes/api-management-availability-all-tiers.md)]
 The following table lists all the upcoming breaking changes and feature retirements for Azure API Management.
 
 | Change Title | Effective Date |
@@ -33,6 +32,7 @@ The following table lists all the upcoming breaking changes and feature retireme
 | [Managed certificates suspension][managed-certificates-suspension-august-2025] | August 15, 2025 - March 15, 2026|
 | [ADAL-based Microsoft Entra ID identity provider retirement][msal2025] | September 30, 2025 |
 | [CAPTCHA endpoint update][captcha2025] | September 30, 2025 |
+| [Trusted service connectivity retirement][trustedservice2026] | March 15, 2026 |
 | [Built-in analytics dashboard retirement][analytics2027] | March 15, 2027 |
 
 <!-- Links -->
@@ -52,3 +52,4 @@ The following table lists all the upcoming breaking changes and feature retireme
 [workspaces2024]: ./workspaces-breaking-changes-june-2024.md
 [workspaces2025march]: ./workspaces-breaking-changes-march-2025.md
 [managed-certificates-suspension-august-2025]: ./managed-certificates-suspension-august-2025.md
+[trustedservice2026]: ./trusted-service-connectivity-retirement-march-2026.md

articles/api-management/breaking-changes/overview.md

@@ -0,0 +1,137 @@
+---
+title: Azure API Management - Trusted service connectivity retirement (March 2026)
+description: Azure API Management is retiring trusted service connectivity to supported Azure services as of March 2026. Use alternative networking options for secure connectivity.
+#customer intent: As an Azure admin, I want to determine if my API Management service is affected by the trusted service connectivity retirement so that I can plan necessary changes.
+author: dlepow
+ms.author: danlep
+ms.date: 12/05/2025
+ms.topic: reference
+ms.service: azure-api-management
+ai-usage: ai-assisted
+---
+
+
+# Trusted service connectivity retirement (March 2026)
+
+[!INCLUDE [api-management-availability-all-tiers](../../../includes/api-management-availability-all-tiers.md)]
+
+Effective 15 March 2026, Azure API Management is retiring trusted service connectivity to supported Azure services - Azure Storage, Key Vault, Key Vault Managed HSM, Service Bus, Event Hub, and Container Registry. If your API Management resource relies on this feature to communicate with these services after 15 March 2026, the communication will fail. Use alternative networking options to securely connect to those services.
+
+API Management services created on or after 1 December 2025 no longer support trusted service connectivity. Contact Azure support if you need to enable trusted service connectivity in those services until the retirement date.
+
+## Is my service affected by this change?
+
+First, check for an Azure Advisor recommendation:
+
+1. In the Azure portal, go to [Advisor](https://ms.portal.azure.com/#view/Microsoft_Azure_Expert/AdvisorMenuBlade/~/overview)
+1. Select the **Recommendations > Operational excellence** category.
+1. Search for "**Disable trusted service connectivity in API Management**".
+
+**If you don't see a recommendation**, your API Management resource isn't affected by the change.
+
+**If you see a recommendation**, your API Management resource is affected by the breaking change and you need to take action: 
+
+1. Determine if your API Management resource relies on trusted service connectivity to Azure services. 
+1. If it does, update the networking configuration to eliminate the dependency on trusted service connectivity. If it doesn’t, proceed to the next step. 
+1. Disable trusted service connectivity in API Management. 
+
+### Step 1: Does my API Management resource rely on trusted service connectivity? 
+
+API Management should no longer rely on trusted service connectivity to Azure services. Instead, it should establish a networking line of sight. 
+
+To verify if API Management relies on trusted connectivity to Azure services, check the networking configuration of all Azure Storage, Key Vault, Key Vault Managed HSM, Service Bus, Event Hub, and Container Registry resources that API Management connects to: 
+
+#### For Storage accounts
+
+1. Go to **Networking** under **Security + networking**.
+1. Select **Manage** in the **Public network access** tab.
+1. API Management may rely on trusted service connectivity if **Allow trusted Microsoft services to access this resource** is selected if:
+    - **Public network access** is set to **Disable**, or
+    - **Public network access** is set to **Enable** and **Public network access scope** is set to **Enable from selected networks**.
+1. API Management may rely on trusted service connectivity if API Management is configured under **Resource instances**, if **Public network access** is set to **Enable** and **Public network access scope** is set to **Enable from selected networks**.
+
+  :::image type="content" source="media/trusted-service-connectivity-retirement-march-2026/network-connectivity-storage.png" alt-text="Screenshot of trusted connectivity settings to Azure Storage in the portal.":::
+
+#### For Event Hubs and Key Vault Managed HSM
+
+1. Go to **Networking** under **Settings**.
+1. Select **Manage** in the **Public access** tab.
+1. API Management may rely on trusted service connectivity if **Allow trusted Microsoft service to access this resource** is selected if:
+    - **Public network access** is set to **Disable**, or
+    - **Public network access** is set to **Enable** and **Default action** is set to **Enable from selected networks**.
+
+#### For Service Bus (Premium only) and Key Vault
+
+1. Go to **Networking** under **Settings**.
+1. API Management may rely on trusted service connectivity if **Allow trusted Microsoft services to bypass this firewall** is selected if you're using the **Allow public access from specific virtual networks and IP addresses** or **Disable public access** options.
+
+#### For Container Registry (Premium pricing plan only)
+
+1. Go to **Networking** under **Settings**.
+1. API Management may rely on trusted service connectivity if **Allow trusted Microsoft services to access this container registry** is checked under **Firewall exception** if **Public network access** is set to **Selected networks** or **Disabled**.
+
+### Step 2: Eliminate dependency on trusted service connectivity  
+
+If you verified that API Management relies on trusted connectivity to Azure resources, you need to eliminate this dependency by establishing a networking line of sight for communication from API Management to the listed services. 
+
+You can configure the networking of target resources to one of the following options:
+
+- Enable public connectivity from all networks.
+
+- Set a network security rule to allow API Management traffic based on the IP address or virtual network connectivity.
+
+- Secure traffic from API Management with Private Link connectivity.
+
+- Use Network Security Perimeter to secure your Azure backends and allow traffic from API Management, if supported (for example, for Azure Storage). Learn more about Network Security Perimeter:
+
+  - [What is a network security perimeter?](/azure/private-link/network-security-perimeter-concepts#onboarded-private-link-resources)
+
+  - [Transition to a Network Security Perimeter in Azure](/azure/private-link/network-security-perimeter-transition)
+
+### Step 3: Disable trusted service connectivity in API Management 
+
+After ensuring that API Management doesn’t access other Azure services using trusted service connectivity, you must explicitly disable trusted connectivity in your API Management service to acknowledge you have verified that the service no longer depends on trusted connectivity.
+
+To do so, set a custom property `Microsoft.WindowsAzure.ApiManagement.Gateway.ManagedIdentity.DisableOverPrivilegedAccess` to `"True"` on the [API Management resource](/rest/api/apimanagement/api-management-service/create-or-update). For example: 
+
+
+```json
+{
+  "type": "Microsoft.ApiManagement/service",
+  "apiVersion": "2025-03-01-preview",
+  "name": "string",
+  "identity": {
+    "type": "SystemAssigned"
+  },
+  "location": "string",
+  "properties": {
+    "customProperties": {
+      "Microsoft.WindowsAzure.ApiManagement.Gateway.ManagedIdentity.DisableOverPrivilegedAccess": "True"
+    }
+  },
+  "sku": {
+    "capacity": "1",
+    "name": "Developer"
+  }
+}
+```
+
+The Azure Advisor recommendation should disappear within a day or two of disabling the trusted connectivity on the API Management service. 
+
+## What is the deadline for the change?
+
+After 15 March 2026, the trusted connectivity from API Management to supported Azure services - Azure Storage, Key Vault, Key Vault Managed HSM, Service Bus, Event Hubs, and Container Registry - is retired. If your API Management resource relies on this feature to establish communication with these services, the communication will start failing after that date.
+
+## Help and support
+
+If you have questions, get answers from community experts in [Microsoft Q&A](/answers). If you have a support plan and you need technical help, create a [support request](https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/%7E/overview).
+
+1. Under **Issue type**, select **Technical**.
+1. Under **Subscription**, select your subscription.
+1. Under **Service**, select **My services**, then select **API Management Service**.
+1. Under **Resource**, select the Azure resource that you're creating a support request for.
+1. For **Summary**, type a description of your issue, for example, "Trusted service connectivity".
+
+## Related content
+
+See all [upcoming breaking changes and feature retirements](overview.md).

articles/api-management/breaking-changes/trusted-service-connectivity-retirement-march-2026.md

@@ -64,11 +64,7 @@ The subnet needs to be delegated to the **Microsoft.Web/hostingEnvironments** se
 
 :::image type="content" source="media/virtual-network-injection-workspaces-resources/delegate-internal.png" alt-text="Screenshot showing subnet delegation to Microsoft.Web/hostingEnvironments in the portal.":::
 
-
-> [!NOTE]
-> You might need to register the `Microsoft.Web/hostingEnvironments` resource provider in the subscription so that you can delegate the subnet to the service.
-
-For more information about configuring subnet delegation, see [Add or remove a subnet delegation](../virtual-network/manage-subnet-delegation.md).
+[!INCLUDE [api-management-virtual-network-v2-delegation-requirement](../../includes/api-management-virtual-network-v2-delegation-requirement.md)]
 
 ### Permissions
 

articles/api-management/inject-vnet-v2.md

@@ -5,7 +5,7 @@ author: dlepow
 ms.author: danlep
 ms.service: azure-api-management
 ms.topic: how-to 
-ms.date: 11/11/2025
+ms.date: 12/04/2025
 ---
 
 # Integrate an Azure API Management instance with a private virtual network for outbound connections 
@@ -60,12 +60,7 @@ The subnet needs to be delegated to the **Microsoft.Web/serverFarms** service.
 
 :::image type="content" source="media/virtual-network-injection-workspaces-resources/delegate-external.png" alt-text="Screenshot showing subnet delegation to Microsoft.Web/serverFarms in the portal.":::
 
-
-> [!NOTE]
-> You might need to register the `Microsoft.Web/serverFarms` resource provider in the subscription so that you can delegate the subnet to the service, even if you see it on the list of available services in the subnet delegation setup in the portal. 
-
-
-For more information about configuring subnet delegation, see [Add or remove a subnet delegation](../virtual-network/manage-subnet-delegation.md).
+[!INCLUDE [api-management-virtual-network-v2-delegation-requirement](../../includes/api-management-virtual-network-v2-delegation-requirement.md)]
 
 ### Permissions