Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into ip-freshness

Author: halkazwini

articles/api-center/includes/install-apic-extension.md

@@ -1,17 +1,17 @@
 ---
 title: Include file
-description: Include file
+description: Notes about 'apic-extension' Azure CLI extension installation.
 services: api-center
-
+author: dlepow
 
 ms.service: azure-api-center
 ms.topic: include
-ms.date: 05/23/2024
-
+ms.date: 02/20/2026
+ms.author: danlep
 ms.custom: Include file
 ---
 
 > [!NOTE]
-> `az apic` commands require the `apic-extension` Azure CLI extension. If you haven't used `az apic` commands, the extension can be installed dynamically when you run your first `az apic` command, or you can install the extension manually. Learn more about [Azure CLI extensions](/cli/azure/azure-cli-extensions-overview).
+> The `az apic` commands require the `apic-extension` Azure CLI extension. The extension can be installed dynamically when you run your first `az apic` command, or you can install the extension manually. For more information, see [Manage Azure CLI Extensions: Install, Update, and Remove](/cli/azure/azure-cli-extensions-overview).
 >
-> See the [release notes](https://github.com/Azure/azure-cli-extensions/blob/main/src/apic-extension/HISTORY.rst) for the latest changes and updates in the `apic-extension`. Certain features may require a preview or specific version of the extension.
+> For the latest changes and updates in the `apic-extension`, see the [release notes](https://github.com/Azure/azure-cli-extensions/blob/main/src/apic-extension/HISTORY.rst). Certain features might require a preview or specific version of the extension.

articles/api-center/media/register-apis-github-actions/api-registered-api-center.png

@@ -4,7 +4,7 @@ description: This how-to article walks you through configuring routing on a regi
 author: seligj95
 ms.author: jordanselig
 ms.topic: how-to
-ms.date: 11/24/2025
+ms.date: 02/25/2026
 ms.service: azure-app-service
 ---
 
@@ -20,7 +20,7 @@ Your app is already integrated using the regional virtual network integration fe
 
 Application routing defines what traffic is routed from your app and into the virtual network. You can configure routing at two levels:
 
-- **All traffic routing** (`outboundVnetRouting.allTraffic`): Routes all outbound traffic from your app through the virtual network integration, including application traffic and configuration traffic (such as container image pulls, content share access, and backup operations).
+- **All traffic routing** (`outboundVnetRouting.allTraffic`): Routes all outbound traffic from your app through the virtual network integration, including application traffic and configuration traffic (such as container image pulls, content share access, backup operations, and managed identity token acquisition).
 - **Application traffic only** (`outboundVnetRouting.applicationTraffic`): Routes only application-generated traffic through the virtual network integration, while configuration traffic continues to use the public route by default (unless individually configured in the configuration routing section).
 
 We recommend that you use the `outboundVnetRouting.allTraffic` property to enable routing of all traffic. Using this property allows you to audit the behavior with [a built-in policy](https://www.azadvertizer.net/azpolicyadvertizer/a691eacb-474d-47e4-b287-b4813ca44222.html). 
@@ -114,6 +114,14 @@ az resource update --resource-group <group-name> --name <app-name> --resource-ty
 > [!NOTE]
 > For backwards compatibility, the legacy `vnetBackupRestoreEnabled` property is still supported.
 
+### Managed identity
+
+Routing managed identity token acquisition traffic over virtual network integration can be configured using the Azure CLI. When enabled, requests to acquire Microsoft Entra tokens for managed identities are routed through the virtual network integration.
+
+```azurecli-interactive
+az resource update --resource-group <group-name> --name <app-name> --resource-type "Microsoft.Web/sites" --set properties.outboundVnetRouting.managedIdentityTraffic=true
+```
+
 ## Next steps
 
 - [Enable virtual network integration](./configure-vnet-integration-enable.md)

articles/api-center/media/register-apis-github-actions/repository-secrets-github-small.png

@@ -3,7 +3,7 @@ title: Integrate your app with an Azure virtual network
 description: Integrate your app in Azure App Service with Azure virtual networks.
 author: seligj95
 ms.topic: conceptual
-ms.date: 09/03/2025
+ms.date: 02/25/2026
 ms.update-cycle: 1095-days
 ms.author: jordanselig
 ms.custom:
@@ -92,7 +92,7 @@ For each App Service plan instance, you need:
 For 10 instances:
 5 x 10 = 50 IP addresses per App Service plan
 
-Since you have 1 App Service plan, 1 x 50 = 50 IP addresses.
+Since you have 1 App Service plan, 1 x 50 = 50 IP addresses
 
 You are in addition limited by the number of cores available in the worker tier used. Each core adds three networking units. The worker itself uses one unit and each virtual network connection uses one unit. The remaining units can be used for apps.
 
@@ -151,6 +151,10 @@ When using custom containers, you can pull the container over the virtual networ
 
 App Service has built-in backup/restore, but if you want to back up to your own storage account, you can use the custom backup/restore feature. If you want to route the traffic to the storage account through the virtual network integration, you must configure the route setting. Database backup isn't supported over the virtual network integration.
 
+#### Managed identity
+
+By default, managed identity token acquisition traffic goes over the public route. You can route this traffic through the virtual network integration so that token requests to Microsoft Entra ID are sent through the virtual network. Learn [how to configure managed identity routing](./configure-vnet-integration-routing.md#managed-identity).
+
 #### App settings using Key Vault references
 
 App settings using Key Vault references attempt to get secrets over the public route. If the Key Vault is blocking public traffic and the app is using virtual network integration, an attempt is made to get the secrets through the virtual network integration.

articles/api-center/media/register-apis-github-actions/repository-secrets-github.png

@@ -62,7 +62,7 @@ The following list of capabilities is supported for scenarios where at least one
 | | Cancel all Media Operations | ❌ | ✔️ |
 | | Start continuous DTMF Recognition from end user | N/A  | ✔️ |
 | | Stream real-time transcript of the call to a WebSocket | N/A | ✔️ |
-| | Mute other VoIP participants (such as other agents) | ✔️ | ✔️ |
+| | Mute other VoIP participants (such as other agents) | ✔️ | ❌ |
 | | Mute other PSTN users | ❌ | ❌ |
 | | [Dial-pad commands](/microsoftteams/audio-conferencing-common-questions#what-in-meeting-dial-pad-commands-are-supported) for PSTN users | ❌ | ❌ |
 | | Place call on hold and take call off hold (1:1 call only) | ✔️ | ❌ |

articles/api-center/media/register-apis-github-actions/workflow-action.png

@@ -5,7 +5,7 @@ services: firewall
 author: duongau
 ms.service: azure-firewall
 ms.topic: how-to
-ms.date: 09/29/2025
+ms.date: 02/21/2026
 ms.author: duau
 ms.custom:
   - devx-track-azurepowershell
@@ -33,7 +33,7 @@ Before you begin, make sure you have:
 - A planned maintenance window (for manual migration method)
 
 > [!IMPORTANT]
-> This article applies to Azure Firewall Standard and Premium SKUs only. [Azure Firewall Basic SKU](overview.md#azure-firewall-basic) doesn't support SKU changes and must be migrated to Standard SKU first before any upgrade to Premium. Always perform SKU change operations during scheduled maintenance times and test the process thoroughly in a nonproduction environment first.
+> This article applies primarily to Azure Firewall Standard and Premium SKUs. [Azure Firewall Basic SKU](overview.md#azure-firewall-basic) doesn't support direct change to Premium SKU and must be migrated to Standard SKU first before any upgrade to Premium. Downgrading from Azure Firewall Premium or Standard to Basic is supported only through PowerShell or Terraform. Always perform SKU change operations during scheduled maintenance times and test the process thoroughly in a nonproduction environment first.
 
 ## Easy SKU change method (recommended)
 
@@ -46,7 +46,7 @@ Use the easy SKU change method when:
 - Your firewall is deployed in a supported region  
 - You want to minimize downtime (zero downtime with this method)
 - You have a standard deployment without complex custom configurations
-- **For downgrade**: Your Premium policy doesn't use Premium-exclusive features that are incompatible with Standard
+- **For downgrade**: A firewall policy created for a higher SKU (Premium or Standard) can't be attached to a lower SKU firewall. To downgrade, you must create a new firewall policy or use an existing policy that is compatible with the target SKU.
 
 ### Policy considerations for SKU changes
 
@@ -74,7 +74,6 @@ When downgrading from Premium to Standard, consider the following policy require
 **Policy handling options:**
 - **Use existing Standard policy**: Select a preexisting Standard policy that doesn't contain Premium features
 - **Create new Standard policy**: The system can create a new Standard policy, automatically removing Premium-specific features
-- **Modify current policy**: Manually remove Premium features from your current policy before downgrade
 
 ### Change SKU using the Azure portal
 
@@ -88,7 +87,7 @@ To change your firewall SKU using the Azure portal:
 1. In the SKU change dialog box, select **Premium** as the target SKU.
 1. Choose your policy option:
    - Select an existing Premium policy, or
-   - Allow the system to upgrade your current Standard policy to Premium
+   - Create a new Premium policy and select it.
 1. Select **Save** to begin the upgrade.
 
 #### Downgrade to Standard
@@ -110,22 +109,22 @@ The SKU change process typically completes within a few minutes with zero downti
 ### PowerShell and Terraform SKU change
 
 You can also perform SKU changes using:
-- **PowerShell**: Change the `sku_tier` property to "Premium" or "Standard"
+- **PowerShell**: Change the `sku_tier` property to "Premium", "Standard" or "Basic"
 - **Terraform**: Update the `sku_tier` attribute in your configuration to the desired SKU
 
 ### Limitations
 
 The easy SKU change method has the following limitations:
 
 **General limitations:**
-- Doesn't support [Azure Firewall Basic SKU](overview.md#azure-firewall-basic) - Basic SKU users must migrate to Standard first
+- Doesn't support direct upgrades from [Azure Firewall Basic SKU](overview.md#azure-firewall-basic) - Basic SKU users must migrate to Standard first
 - Not available for firewalls with certain complex configurations
 - Limited availability in some regions
 - Requires existing firewall policy (not available for Classic rules)
 
 **Downgrade-specific limitations:**
 - Premium features (TLS inspection, IDPS Alert and Deny mode, URL filtering, web categories) must be removed before downgrade
-- If your Premium policy contains incompatible features, you must modify the policy or create a new Standard policy
+- For the new Firewall SKU, you mustuse an existing compatible policy or create a new Standard policy
 - Some rule configurations might need manual adjustment after downgrade
 
 If the easy SKU change method isn't available for your scenario, use the manual migration method described in the next section.
@@ -426,7 +425,6 @@ If you're unable to downgrade from Premium to Standard:
 
 2. **Policy modification options**:
    - Create a new Standard policy without Premium features
-   - Modify your existing policy to remove Premium features
    - Use Azure PowerShell to identify and remove incompatible rules
 
 3. **Validation steps**: