Merge branch 'main' into appgwpace/cve-docs-and-key-vault-limitation

Author: riturajc

.openpublishing.redirection.json

@@ -5375,51 +5375,6 @@
       "redirect_url": "/azure/role-based-access-control/resource-provider-operations",
       "redirect_document_id": false
     },
-    {
-      "source_path_from_root": "/articles/scheduler/get-started-portal.md",
-      "redirect_url": "/azure/scheduler/migrate-from-scheduler-to-logic-apps",
-      "redirect_document_id": false
-    },
-    {
-      "source_path_from_root": "/articles/scheduler/scheduler-advanced-complexity.md",
-      "redirect_url": "/azure/scheduler/migrate-from-scheduler-to-logic-apps",
-      "redirect_document_id": false
-    },
-    {
-      "source_path_from_root": "/articles/scheduler/scheduler-concepts-terms.md",
-      "redirect_url": "/azure/scheduler/migrate-from-scheduler-to-logic-apps",
-      "redirect_document_id": false
-    },
-    {
-      "source_path_from_root": "/articles/scheduler/scheduler-high-availability-reliability.md",
-      "redirect_url": "/azure/scheduler/migrate-from-scheduler-to-logic-apps",
-      "redirect_document_id": false
-    },
-    {
-      "source_path_from_root": "/articles/scheduler/scheduler-intro.md",
-      "redirect_url": "/azure/scheduler/migrate-from-scheduler-to-logic-apps",
-      "redirect_document_id": false
-    },
-    {
-      "source_path_from_root": "/articles/scheduler/scheduler-limits-defaults-errors.md",
-      "redirect_url": "/azure/scheduler/migrate-from-scheduler-to-logic-apps",
-      "redirect_document_id": false
-    },
-    {
-      "source_path_from_root": "/articles/scheduler/scheduler-outbound-authentication.md",
-      "redirect_url": "/azure/scheduler/migrate-from-scheduler-to-logic-apps",
-      "redirect_document_id": false
-    },
-    {
-      "source_path_from_root": "/articles/scheduler/scheduler-plans-billing.md",
-      "redirect_url": "/azure/scheduler/migrate-from-scheduler-to-logic-apps",
-      "redirect_document_id": false
-    },
-    {
-      "source_path_from_root": "/articles/scheduler/scheduler-powershell-reference.md",
-      "redirect_url": "/azure/scheduler/migrate-from-scheduler-to-logic-apps",
-      "redirect_document_id": false
-    },
     {
       "source_path_from_root": "/articles/sdks/index.yml",
       "redirect_url": "https://azure.microsoft.com/downloads/",

articles/app-service/industry-wide-certificate-changes.md

@@ -0,0 +1,150 @@
+---
+title: Industry-wide certificate changes impacting Azure App Service
+description: Describes industry-wide TLS certificate changes that affect Azure App Service Managed Certificates and App Service Certificates, including scope, timelines, and required actions.
+author: msangapu-msft
+ms.author: msangapu
+ms.date: 02/03/2026
+ms.topic: conceptual
+ms.service: azure-app-service
+---
+
+# Industry-wide certificate changes impacting Azure App Service
+
+Industry-wide requirements defined by browser programs and the CA/Browser Forum (CA/B Forum) are changing how public TLS certificates are issued and validated. To remain compliant with these requirements, Azure App Service applies the changes to App Service Managed Certificates (ASMC) and App Service Certificates (ASC).
+
+Most customers using certificates within Azure App Service do not need to take action. However, certain scenarios may require customer action to avoid service disruption or may change how certificates are managed over time. This article explains what is changing, when action is required, and what operational impacts to expect.
+
+
+## Scope
+
+This article applies to:
+- App Service Managed Certificates (ASMC)
+- App Service Certificates (ASC)
+
+## When action is required
+Action is required **only** in the following scenarios to avoid service disruption:
+
+- **Certificate pinning**  
+  Apps that pin certificates or certificate chains must review and remove pinning before the certificate chain migration.
+
+- **Mutual TLS (mTLS)**  
+  Apps that rely on these certificates for client authentication must transition to an alternative authentication mechanism.
+
+If neither of these scenarios applies, no immediate action is required.
+
+## Operational changes to be aware of
+
+Some scenarios do not require immediate action, but may require changes to how you manage certificates over time:
+
+- **Exporting App Service Certificates**  
+  If you export certificates for use outside Azure App Service, you may need to re-export and update them more frequently due to the shortened validity period.
+
+- **Domain ownership validation (ASC only)**  
+  Domain ownership validation may be required more frequently for certificate issuance, renewals, or rekeys.
+
+
+## Quick reference: What’s changing
+
+| Change area | Affected certificate type | Customer impact |
+|------------|--------------------------|-----------------|
+| Certificate validity period | ASC only | Shorter validity with overlapping issuance |
+| Domain validation reuse | ASC only | More frequent domain validation required |
+| Certificate chain | ASMC and ASC | Certificate pinning must be removed |
+| Client authentication EKU | ASMC and ASC | mTLS using these certs no longer supported |
+
+## Certificate validity period (ASC only)
+
+### What’s changing
+Starting March 2026, App Service Certificates are issued with a shorter validity period of **198 days** to remain compliant with industry requirements defined by the CA/Browser Forum, including the schedule introduced in 
+[CA/Browser Forum Ballot SC‑081v3](https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-schedule-of-reducing-validity-and-data-reuse-periods/).
+
+### Impact on App Service Managed Certificates (ASMC)
+No change. ASMCs already comply with the new industry requirements.
+
+### Impact on App Service Certificates (ASC)
+To maintain one year of certificate coverage, Azure App Service automatically issues overlapping certificates at no additional cost.
+
+- If App Service Certificates are used only with Azure App Service, no action is required. The platform automatically syncs and updates certificates.
+- If certificates are exported and used outside Azure App Service, the certificates may need to be re-exported more frequently due to the shorter validity period.
+
+
+## Domain validation reuse (ASC only)
+
+### What’s changing
+Starting March 2026, domain ownership validation for App Service Certificates can be reused for up to **198 days** to remain compliant with industry requirements defined by the CA/Browser Forum.
+
+### Impact on App Service Managed Certificates (ASMC)
+No change. Domain ownership validation for ASMC is automated and requires no customer action.
+
+### Impact on App Service Certificates (ASC)
+- Domain validation completed before March 2026 cannot be reused. Certificate issuance starting March 2026 requires domain ownership validation.
+- During March 2026, domain ownership validation might be required again for each renewal and rekey.
+- After March 2026, domain ownership must be revalidated only if the domain was not validated within the past 198 days.
+- App Service Certificates do not automatically revalidate domains.
+
+If validation is required, certificate orders remain in a pending issuance state until validation is completed.
+
+> [!IMPORTANT]
+> Failure to complete domain validation can result in certificate issuance or renewal failure, potentially leading to certificate expiration and service disruption.
+
+## Client authentication EKU (ASMC and ASC)
+
+App Service Managed Certificates and App Service Certificates will stop supporting the client authentication extended key usage (EKU) as part of industry-driven changes to public TLS certificates.
+
+For background on this change across Azure services, see [Changes to the Managed TLS feature](/azure/security/fundamentals/managed-tls-changes).
+
+> [!NOTE]
+> Apps that rely on these certificates for mutual TLS (mTLS) must transition to an alternative authentication mechanism before the migration dates.
+
+
+## Certificate chain changes (ASMC and ASC)
+
+Both App Service Managed Certificates and App Service Certificates will migrate to a new certificate chain as part of industry-driven updates to TLS certificates, which includes changes to certificate authorities and intermediates.
+
+Apps that pin certificates or certificate chains must review and remove pinning before the migration dates to avoid service disruption.
+
+For background on the managed TLS certificate authority changes across Azure services, see [Changes to the Managed TLS feature](/azure/security/fundamentals/managed-tls-changes).
+
+> [!NOTE]
+> Certificate pinning is not recommended for App Service Managed Certificates (ASMC), because certificate issuance and rotation are controlled by the service.  
+> For App Service Certificates (ASC), pinning may also break due to certificate chain changes and should be reviewed carefully before the migration.
+
+## Timeline of key dates
+
+| Date | Change | ASMC | ASC |
+|-----|--------|------|-----|
+| Feb–Mar 2026 | New certificate chain | Migrates to new chain | — |
+| Starting March 2026 | Validity period + validation reuse | — | Shortened validity and validation reuse |
+| Mar–Apr 2026 (TBD) | New certificate chain + Client auth EKU | — | Migrates to new chain; EKU removed |
+| Mar–Apr 2026 (TBD) | Client auth EKU | EKU removed | — |
+
+
+## Frequently asked questions
+
+### Will I lose certificate coverage due to the shorter validity period?
+No. For App Service Certificates, Azure App Service automatically issues overlapping certificates to maintain continuous coverage for the full term you purchased.
+
+### Are these changes specific to DigiCert or GoDaddy?
+No. These are industry-wide changes driven by browser programs and the CA/Browser Forum, and they apply to public TLS certificates issued by all certificate authorities.
+
+### Do these changes affect certificates from other certificate authorities?
+Yes. These are industry-wide changes that apply to public TLS certificates regardless of the issuing certificate authority. For certificates not managed by Azure App Service, contact your certificate authority for guidance.
+
+### Do I need to take action now?
+If you do not pin certificates and do not use these certificates for mutual TLS (mTLS), no immediate action is required.
+
+### Why does my App Service Managed Certificate show an expiration date in April 2026 even though it was renewed recently?
+App Service Managed Certificates are issued with an approximately six-month validity period, which already complies with current industry requirements.
+
+The April 2026 expiration date is not related to certificate validity changes. It reflects a certificate chain transition that is occurring across the industry to maintain browser trust.
+
+Certificates issued from the existing certificate chain can only be issued until April 2026. To address this, Azure App Service is migrating App Service Managed Certificates to a new certificate chain and reissuing certificates from that chain.
+
+For customers using App Service Managed Certificates as intended, this process is fully automated and no service disruption is expected. As a best practice, App Service Managed Certificates should not be pinned, because both the certificate and its issuing chain are managed and rotated by the platform.
+
+
+## Related documentation
+
+- App Service Managed Certificates
+- App Service Certificates
+- Configure TLS/SSL bindings in Azure App Service

articles/app-service/toc.yml

@@ -352,6 +352,9 @@ items:
         - name: Configure TLS mutual authentication
           href: app-service-web-configure-tls-mutual-auth.md
           displayName: TLS
+        - name: Industry-wide certificate changes 
+          href: industry-wide-certificate-changes.md
+          displayName: 2026 certificate changes
 - name: Database and service connection
   items:
     - name: Connectivity scenarios overview

articles/application-gateway/ssl-overview.md

@@ -5,7 +5,7 @@ services: application-gateway
 author: mbender-ms
 ms.service: azure-application-gateway
 ms.topic: concept-article
-ms.date: 10/09/2025
+ms.date: 02/16/2026
 ms.author: mbender
 
 # Customer intent: "As a cloud architect, I want to configure end to end TLS on the application gateway, so that I can ensure secure communication and compliance for sensitive data transmitted between clients and backend servers."

articles/azure-functions/functions-bindings-azure-data-explorer-input.md

@@ -5,7 +5,7 @@ author: ramacg
 ms.topic: reference
 ms.custom: build-2023, devx-track-extended-java, devx-track-js, devx-track-python
 ms.date: 05/04/2023
-ms.author: shsagir
+ms.author: spelluru
 ms.reviewer: ramacg
 zone_pivot_groups: programming-languages-set-functions-data-explorer
 ---

articles/azure-functions/functions-bindings-azure-data-explorer-output.md

@@ -5,7 +5,7 @@ author: ramacg
 ms.topic: reference
 ms.custom: build-2023, devx-track-extended-java, devx-track-js, devx-track-python
 ms.date: 05/04/2023
-ms.author: shsagir
+ms.author: spelluru
 ms.reviewer: ramacg
 zone_pivot_groups: programming-languages-set-functions-data-explorer
 ---

articles/azure-functions/functions-bindings-azure-data-explorer.md

@@ -5,7 +5,7 @@ author: ramacg
 ms.topic: reference
 ms.custom: build-2023, devx-track-extended-java, devx-track-js, devx-track-python
 ms.date: 05/04/2023
-ms.author: shsagir
+ms.author: spelluru
 ms.reviewer: ramacg
 zone_pivot_groups: programming-languages-set-functions-data-explorer
 ---

articles/azure-vmware/configure-storage-policy.md

@@ -171,6 +171,84 @@ Run the `Update-StoragePolicyOfUnassociatedVsanObjects` cmdlet to modify curre
 
    3. Check **Notifications** to see the progress.
 
+## Delete unassociated vSAN objects using Run Command
+ 
+Unassociated vSAN objects can remain in a cluster due to interrupted operations, policy mismatches, or failed workflows. These objects consume storage capacity and may block certain cluster operations.
+ 
+This article explains how to **list** and **delete** unassociated vSAN objects in **Azure VMware Solution (AVS)** using **Run Command**.
+ 
+### Prerequisites
+ 
+Before listing or deleting unassociated vSAN objects, ensure that:
+ 
+- You have access to the Azure portal with permissions equivalent to the **cloudadmin** role for the AVS private cloud.
+- The cluster meets the minimum host requirements for its vSAN configuration (OSA or ESA).
+- You are using the latest supported version of the **Microsoft.AVS.Management** Run Command package.
+- You have validated that the objects to be deleted are **not required** by any workload, management VM, or system component.
+ 
+### List unassociated vSAN objects
+ 
+Before deleting any objects, list and review them to confirm that they are truly unassociated.
+ 
+Use the **Get‑UnassociatedVsanObjectsWithPolicy** Run Command to list unassociated vSAN objects and obtain their UUIDs.
+ 
+For detailed steps, see:
+
+- [List storage policies for Unassociated objects](configure-storage-policy.md#list-storage-policies-for-unassociated-objects)
+ 
+The output of this command includes the **UUID** of each unassociated vSAN object, which is required for deletion.
+ 
+ 
+### Delete unassociated vSAN objects
+ 
+After reviewing the list of unassociated objects, delete them **individually** by specifying their UUID and ClusterName.
+ 
+> [!IMPORTANT]  
+> Deleting a vSAN object is irreversible. Ensure that the object is not associated with any VM, management component, or system service before proceeding.
+ 
+### Run Command parameters: `Remove-AvsUnassociatedObject`
+  
+| Field | Description |
+|------|-------------|
+| **UUID** | UUID of the unassociated vSAN object to delete. Obtain this value from the output of `Get‑UnassociatedVsanObjectsWithPolicy`. |
+| **ClusterName** | Name of the vSAN cluster that contains the unassociated object. |
+| **Retain up to** | Retention period for the Run Command output. |
+| **Specify name for execution** | Alphanumeric name used to identify this Run Command execution. |
+| **Timeout** | Time after which the command exits if it does not complete. |
+
+1. Navigate to your AVS private cloud in the Azure portal.
+2. Select **Run command** > **Packages** > **Microsoft.AVS.Management**.
+3. Select **Remove-AvsUnassociatedObject**.
+
+  :::image type="content" source="media/run-command/run-command-overview-remove-unassociated-object.png" alt-text="Screenshot showing the Remove-AvsUnassociatedObject Run Command in the Azure portal." lightbox="media/run-command/run-command-overview-remove-unassociated-object.png":::
+ 
+4. Provide the **UUID** and **ClusterName** of the unassociated object you want to remove.
+
+ :::image type="content" source="media/run-command/run-command-remove-unassociated-object.png" alt-text="Screenshot of the Remove-AvsUnassociatedObject Run Command execution." lightbox="media/run-command/run-command-remove-unassociated-object.png":::
+ 
+5. Select **Run** and monitor execution progress.
+ 
+Once the command completes successfully, the specified vSAN object is permanently removed from the cluster.
+ 
+### Best practices and safety guidance
+ 
+- Always **list objects first** and review them carefully before deletion.
+- Delete objects **one at a time** to minimize risk.
+- Avoid deleting objects with names or attributes associated with:
+  - Management VMs
+  - vCenter
+  - NSX
+  - HCX
+  - SRM
+  - Backup or replication components
+- If you are unsure about an object, do not delete it and investigate further.
+ 
+### Next steps
+ 
+- Review storage policy assignments to prevent future unassociated objects.
+- Monitor vSAN health checks regularly.
+- Use Run Command outputs and retention settings to maintain auditability.
+
 ## Specify a storage policy for a cluster
 
 Run the `Set-ClusterDefaultStoragePolicy` cmdlet to specify a default storage policy for a cluster.