Merge pull request #308962 from MicrosoftDocs/main

Auto Publish – main to live - 2025-12-02 23:00 UTC

Author: learn-build-service-prod[bot]

articles/app-service/app-service-managed-certificate-changes-july-2025.md

@@ -171,13 +171,15 @@ Certificates for `*.trafficmanager.net` domains are not supported. If your app r
 ## Frequently asked questions (FAQ)
 
 **Why is public access now required?**  
-Due to MPIC compliance, App Service is migrating to Http Token validation for all ASMC creation and renewal requests. DigiCert must verify domain ownership by reaching a specific endpoint on your app. A successful validation with Http token is only possible if the app is publicly accessible. 
+Previously, public access was required so DigiCert could reach the validation file at `https://<hostname>/.well-known/pki-validation/fileauth.txt` during certificate issuance and renewal.
 
-**Can I still use CNAME records?**  
-Yes, you can still use CNAME records for domain name system (DNS) routing and for verifying domain ownership.
+[November 2025 update](#november-2025-update): Public access is no longer required for ASMC issuance. App Service now intercepts DigiCert’s validation requests at the front-end layer and presents the token without exposing your app. This behavior is the default for both initial certificate creation and renewals. Prerequisites such as correct DNS configuration still apply.
 
 **What if I allowlist DigiCert IP addresses?**  
-Allowlisting DigiCert’s domain validation IPs may work as a temporary workaround. However, Microsoft cannot guarantee that these IPs won’t change. DigiCert may update them without notice, and Microsoft does not maintain documentation for these IPs. Customers are responsible for monitoring and maintaining this configuration.
+You no longer need to allowlist DigiCert IP addresses. The [November 2025 update](#november-2025-update) ensures DigiCert’s requests never reach your app’s workers. The front-end handles validation securely, so IP allowlisting is unnecessary.
+
+**Can I still use CNAME records?**  
+Yes, you can still use CNAME records for domain name system (DNS) routing and for verifying domain ownership.
 
 **Are certificates for \*.azurewebsites.net impacted?**  
 No, these changes do not apply to the *.azurewebsites.net certificates. ASMC is only issued to customer’s custom domain and not the default hostname.

articles/application-gateway/application-gateway-ssl-policy-overview.md

@@ -136,7 +136,7 @@ Application Gateway supports the following cipher suites from which you can choo
 
 ## Limitations
 
-- The connections to backend servers are always with preferred TLS v1.3 and upto TLS v1.0. The TLS version and cipher suites cannot be customized for the backend TLS connections.
+- The connections to backend servers prefer TLS 1.3 when available, with fallback support for TLS 1.2. The TLS version and cipher suites for backend connections cannot be customized.
 - As of now, the TLS 1.3 implementation is not enabled with "Zero Round Trip Time (0-RTT)" feature.
 - TLS session (ID or Tickets) resumption is not supported.
 - Application Gateway v2 doesn't support the following DHE ciphers. These won't be used for the TLS connections with clients even though they are mentioned in the predefined policies. Instead of DHE ciphers, secure and faster ECDHE ciphers are recommended.

articles/azure-resource-manager/bicep/bicep-cli.md

@@ -2,7 +2,7 @@
 title: Bicep CLI commands 
 description: Learn about the commands that you can use in the Bicep CLI. These commands include building JSON Azure Resource Manager templates from Bicep.
 ms.topic: reference
-ms.date: 10/22/2025
+ms.date: 12/02/2025
 ms.custom: devx-track-azurecli, devx-track-bicep, devx-track-arm-template
 ---
 
@@ -320,7 +320,7 @@ The following methods are available through the JSON-RPC interface:
 
     On success, `"success": true` is returned, with contents holding the formatted Bicep source. On failure, `"success": false` with `diagnostics` describing the failure.
 
- * **bicep/version**
+* **bicep/version**
 
   Returns the version of the Bicep CLI.
 

articles/bastion/quickstart-developer.md

@@ -1,21 +1,32 @@
 ---
-title: 'Quickstart: Connect to VMs using Azure Bastion Developer: Azure portal'
+title: 'Quickstart: Connect to a VM using Azure Bastion Developer: Azure portal'
 description: Learn how to connect to VMs using Bastion Developer.
 author: abell
 ms.service: azure-bastion
 ms.topic: quickstart
-ms.date: 09/08/2025
+ms.date: 12/02/2025
 ms.author: abell
 ms.custom: references_regions
 # Customer intent: As a cloud administrator, I want to connect to virtual machines securely using a browser-based solution, so that I can manage resources without exposing public IP addresses or installing additional software.
 ---
 
-# Quickstart: Connect with Azure Bastion Developer
+# Quickstart: Connect to a VM using Azure Bastion Developer: Azure portal
 
-In this quickstart, you learn how to connect to VMs using Azure Bastion Developer. In just a few seconds, you can connect to virtual machines (VM) in the virtual network at no extra cost via Bastion Developer using the private IP address of the VM. The VMs you connect to don't need a public IP address, client software, agent, or a special configuration. For more information about Azure Bastion, see [What is Azure Bastion](bastion-overview.md)?
+Azure Bastion Developer provides secure, browser-based connectivity to virtual machines without requiring public IP addresses or additional client software. This quickstart shows you how to deploy and use Bastion Developer to connect to a VM in your virtual network at no extra cost.
+
+In this quickstart, you learn how to:
+
+> [!div class="checklist"]
+> * Deploy Azure Bastion Developer to your virtual network
+> * Connect to a virtual machine using the Azure portal
+> * Enable audio output for your VM session
+> * Remove the public IP address from your VM
+> * Clean up resources when finished
+
+For more information about Azure Bastion, see [What is Azure Bastion](bastion-overview.md).
 
 > [!IMPORTANT]
-> Bastion Developer is currently only available in select regions, listed below.
+> Bastion Developer is currently only available in select regions.
 
 [!INCLUDE [Bastion developer](../../includes/bastion-developer-description.md)] Virtual network peering isn't currently supported for Bastion Developer.
 
@@ -25,35 +36,36 @@ The following diagram shows the architecture for Azure Bastion Developer.
 
 [!INCLUDE [regions](../../includes/bastion-developer-regions.md)]
 
-## <a name="prereq"></a>Prerequisites
+## Prerequisites
+
+### Azure subscription
+
+Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your [MSDN subscriber benefits](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details) or sign up for a [free account](https://azure.microsoft.com/pricing/free-trial).
 
-* Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your [MSDN subscriber benefits](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details) or sign up for a [free account](https://azure.microsoft.com/pricing/free-trial).
+### Virtual machine in a virtual network
 
-* **A VM in a virtual network**.
+You need a VM in a virtual network to connect to using Bastion Developer. When you connect with Bastion Developer, the configuration values are pulled from the virtual network in which your VM resides. Make sure the VM is in a resource group that's in a region where Bastion Developer is supported.
 
-  When you connect with Bastion Developer using default values, the values are pulled from the virtual network in which your VM resides. Make sure the VM resides in a resource group that's in a region where Bastion Developer is supported.
+* If you don't already have a VM in a virtual network, create one using [Quickstart: Create a Windows VM](/azure/virtual-machines/windows/quick-create-portal) or [Quickstart: Create a Linux VM](/azure/virtual-machines/linux/quick-create-portal).
+* If you already have a virtual network, make sure it's selected on the Networking tab when you create your VM.
+* If you don't have a virtual network, you can create one at the same time you create your VM.
+* If you have a virtual network, make sure you have the rights to write to it.
 
-  * If you don't already have a VM in a virtual network, create one using [Quickstart: Create a Windows VM](/azure/virtual-machines/windows/quick-create-portal), or [Quickstart: Create a Linux VM](/azure/virtual-machines/linux/quick-create-portal).
-  * If you need example values, see the [Example values](#values) section.
-  * If you already have a virtual network, make sure it's selected on the Networking tab when you create your VM.
-  * If you don't have a virtual network, you can create one at the same time you create your VM.
-  * If you have a virtual network, make sure you have the rights to write to it.
+### Required roles
 
-* **Required VM roles:**
+* Reader role on the virtual machine
+* Reader role on the NIC with private IP of the virtual machine
 
-  * Reader role on the virtual machine.
-  * Reader role on the NIC with private IP of the virtual machine.
-  
-* **Required VM ports inbound ports:**
+### Required inbound ports
 
-  * 3389 for Windows VMs
-  * 22 for Linux VMs
+* 3389 for Windows virtual machines
+* 22 for Linux virtual machines
 
 [!INCLUDE [DNS private zone](../../includes/bastion-private-dns-zones-non-support.md)]
 
-### <a name="values"></a>Example values
+### Example values
 
-You can use the following example values when creating this configuration as an exercise, or you can substitute your own.
+You can use the following example values when creating this configuration, or you can substitute your own values.
 
 **Basic VNet and VM values:**
 
@@ -66,42 +78,43 @@ You can use the following example values when creating this configuration as an
 | Address space | 10.1.0.0/16 |
 | Subnets | FrontEnd: 10.1.0.0/24 |
 
-## <a name="createvmset"></a>Deploy Bastion and connect to VM
+## Deploy Bastion and connect to a VM
 
-These steps help you automatically connect to your VM via the portal with Bastion Developer. The VM must be located in a region that supports Bastion Developer. Additionally, to connect to a VM, your NSG rules must allow traffic to ports 22 and 3389 from the private IP address 168.63.129.16.
+In this section, you deploy Bastion Developer and connect to your VM through the Azure portal. The VM must be in a region that supports Bastion Developer. Your NSG rules must allow traffic to ports 22 and 3389 from the private IP address 168.63.129.16.
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
-1. In the portal, go to the VM to which you want to connect. The values from the virtual network in which this VM resides are used to connect with Bastion Developer. 
-1. On the page for your VM, expand the settings on the left menu if necessary, and select **Bastion**.
-1. On the **Bastion** page, you'll see multiple options, including dedicated SKUs and Bastion **Developer**. To automatically deploy using the Bastion Developer offering, select **Authentication Type** and input the required credential values. Then, click **Connect** to connect to your virtual machine in just a few seconds through Bastion Developer. When you click **Connect**, a free Bastion Developer resource automatically deploys to your virtual network. You could also deploy Bastion Developer using the "Configure manually" button, but it's more efficient to use the **Connect** button.
-1. The connection to this virtual machine via Bastion Developer will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service. Select **Allow** when asked for permissions to the clipboard. This lets you use the remote clipboard arrows on the left of the screen.
+1. Go to the VM you want to connect to. The configuration values from the VM's virtual network are used to deploy Bastion Developer.
+1. On the VM page, select **Bastion** from the left menu.
+1. On the **Bastion** page, select your **Authentication Type** and enter your credentials.
+1. Select **Connect**. When you select **Connect**, Bastion Developer automatically deploys to your virtual network at no cost. This deployment takes a few seconds.
+1. The connection opens directly in the Azure portal over HTML5 using port 443. When prompted for clipboard permissions, select **Allow**. This enables the remote clipboard arrows on the left side of the screen.
 
-   * When you connect, the desktop of the VM might look different than the example screenshot.
-   * Using keyboard shortcut keys while connected to a VM might not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.
+   * When you connect, the desktop might look different than the example screenshot.
+   * Keyboard shortcut keys while connected to a VM might not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.
 
-1. When you disconnect from the VM, the Bastion Developer resource remains deployed to the virtual network. You can reconnect to the VM from the virtual machine page in the Azure portal by selecting **Bastion -> Connect**.
+1. When you disconnect from the VM, the Bastion Developer resource remains deployed to the virtual network. You can reconnect by going to the VM page in the Azure portal and selecting **Bastion** > **Connect**.
 
-### <a name="audio"></a>To enable audio output
+### Enable audio output
 
 [!INCLUDE [Enable VM audio output](../../includes/bastion-vm-audio.md)]
 
-## <a name="remove"></a>Remove VM public IP address
+## Remove VM public IP address
 
 [!INCLUDE [Remove a public IP address from a VM](../../includes/bastion-remove-ip.md)]
 
 ## Clean up resources
 
-When you're done using the virtual network and the virtual machines, delete the resource group and all of the resources it contains:
+If you're not going to continue to use this application, delete the resource group and all the resources it contains by using the following steps:
 
-1. Enter the name of your resource group in the **Search** box at the top of the portal and select it from the search results.
+1. In the Azure portal, enter the name of your resource group in the **Search** box at the top of the portal. Select the resource group from the search results.
 
 1. Select **Delete resource group**.
 
-1. Enter your resource group for **TYPE THE RESOURCE GROUP NAME** and select **Delete**.
+1. For **Enter resource group name to confirm deletion**, enter your resource group name, and then select **Delete**.
 
 ## Next steps
 
-In this quickstart, you used Bastion Developer to connect to a virtual machine securely. Next, you can configure more features and work with VM connections.
+In this quickstart, you deployed Bastion Developer and used it to connect securely to a virtual machine. Next, configure additional features and explore VM connection options.
 
 > [!div class="nextstepaction"]
 > [Upgrade to a dedicated SKU](upgrade-sku.md)

articles/cloud-shell/faq-troubleshooting.md

@@ -1,6 +1,6 @@
 ---
 description: This article answers common questions and explains how to troubleshoot Cloud Shell issues.
-ms.date: 11/04/2024
+ms.date: 12/02/2025
 ms.topic: troubleshooting
 tags: azure-resource-manager
 ms.custom: has-azure-ad-ps-ref
@@ -191,7 +191,6 @@ command that requires elevated permissions.
 
 ### Terminal output - Sorry, your Cloud Shell failed to provision: {"code":"TenantDisabled" ...}
 
-
 - **Details**: In rare cases, Azure might flag out-of-the-ordinary resource consumption based in
   from Cloud Shell as fraudulent activity. When this occurs, Azure disables Cloud Shell at the
   tenant level and you see the following error message:
@@ -210,6 +209,14 @@ command that requires elevated permissions.
   1. Tenant ID
   2. The business justification and a description of how you use Cloud Shell.
 
+### Terminal Output - Audience `<service-audience-url>` is not a supported MSI token audience
+
+- **Details**: Cloud Shell was unable to fetch the necessary token for the Azure service that the
+  command required. This happens when Cloud Shell doesn't support the token audience requested by
+  the command.
+- **Resolution**: Run the following command in Cloud Shell to sign in interactively and acquire the
+  necessary credentials before retrying your original command: `az login --use-device-code`
+
 ## Managing Cloud Shell
 
 ### Manage personal data

articles/container-apps/TOC.yml

@@ -127,7 +127,7 @@ items:
       items:
         - name: Overview
           href: functions-overview.md
-        - name: Create a Functions app
+        - name: Manage a Functions app through the portal and CLI
           href: functions-usage.md
         - name: Create your Azure functions on Azure Container Apps
           href: functions-container-apps.md

articles/data-factory/how-to-assess-your-azure-data-factory-to-fabric-data-factory-migration.md

@@ -3,8 +3,8 @@ title: Assess your Azure Data Factory pipelines for migration to Fabric
 description: Learn how to check which pipelines are ready to migrate and which ones need attention 
 author: ssindhub
 ms.author: ssrinivasara
-ms.topic: conceptual
-ms.date: 11/18/2024
+ms.topic: article
+ms.date: 12/02/2025
 ms.custom: pipelines
 ---
 
@@ -51,6 +51,7 @@ When your assessment shows acceptable readiness:
 1. Use [PowerShell upgrade tool](/fabric/data-factory/migrate-pipelines-powershell-upgrade-module-for-azure-data-factory-to-fabric) for early migration.
 1. Refer to planning guides for best practices.
 
+[!VIDEO https://learn.microsoft.com/_themes/docs.theme/master/en-us/_themes/global/video-embed-one-stream.html?id=2333b246-4581-44d0-b080-cb1dcb9f6e60]
 
 ## FAQ
 **Does the assessment change my factory?**