zone pivot adjustment, merge conflict

Author: dlepow

.openpublishing.redirection.json

@@ -565,6 +565,81 @@
       "redirect_url": "/azure/storage/files/create-file-share",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/trusted-signing/overview.md",
+      "redirect_url": "/azure/artifact-signing/overview",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/trusted-signing/how-to-sign-ci-policy.md",
+      "redirect_url": "/azure/artifact-signing/how-to-sign-ci-policy",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/trusted-signing/quickstart.md",
+      "redirect_url": "/azure/artifact-signing/quickstart",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/trusted-signing/tutorial-assign-roles.md",
+      "redirect_url": "/azure/artifact-signing/tutorial-assign-roles",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/trusted-signing/how-to-signing-integrations.md",
+      "redirect_url": "/azure/artifact-signing/how-to-signing-integrations",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/trusted-signing/how-to-sign-history.md",
+      "redirect_url": "/azure/artifact-signing/how-to-sign-history",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/trusted-signing/how-to-renew-identity-validation.md",
+      "redirect_url": "/azure/artifact-signing/how-to-renew-identity-validation",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/trusted-signing/how-to-device-guard-signing-service-migration.md",
+      "redirect_url": "/azure/artifact-signing/how-to-device-guard-signing-service-migration",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/trusted-signing/how-to-change-sku.md",
+      "redirect_url": "/azure/artifact-signing/how-to-change-sku",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/trusted-signing/how-to-cert-revocation.md",
+      "redirect_url": "/azure/artifact-signing/how-to-cert-revocation",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/trusted-signing/concept-trust-models.md",
+      "redirect_url": "/azure/artifact-signing/concept-trust-models",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/trusted-signing/concept-resources-roles.md",
+      "redirect_url": "/azure/artifact-signing/concept-resources-roles",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/trusted-signing/concept-cert-management.md",
+      "redirect_url": "/azure/artifact-signing/concept-certificate-management",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/trusted-signing/index.yml",
+      "redirect_url": "/azure/artifact-signing/index",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/trusted-signing/faq.yml",
+      "redirect_url": "/azure/artifact-signing/faq",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/managed-ccf/application-scenarios.md",
       "redirect_url": "/azure/confidential-ledger/managed-confidential-consortium-framework-migration",
@@ -6579,7 +6654,11 @@
       "source_path": "articles/reliability/reliability-health-insights.md",
       "redirect_url": "/azure/azure-health-insights/reliability-health-insights",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/reliability/migrate-load-balancer.md",
+      "redirect_url": "/azure/reliability/reliability-load-balancer",
+      "redirect_document_id": false
     }
-    
   ]
 }

articles/active-directory-b2c/client-credentials-grant-flow.md

@@ -152,7 +152,7 @@ There are no specific actions to enable the client credentials for user flows or
 | grant_type | `client_credentials` |
 | client_id | The **Client ID** from the [Step 2 Register an application](#step-2-register-an-application). |
 | client_secret | The **Client secret** value from [Step 2.1 Create a client secret](#step-21-create-a-client-secret). |
-| scope | The **Application ID URI** from [Step 1.1 Define web API roles (scopes)](#step-11-define-web-api-roles-scopes) and `.default`. For example `https://contoso.onmicrosoft.com/api/.default`, or `https://contoso.onmicrosoft.com/00001111-aaaa-2222-bbbb-3333cccc4444/.default`.|
+| scope | The **Application ID URI** from [Step 1.1 Define web API roles (scopes)](#step-11-define-web-api-roles-scopes) and `.default`. For example `https://contoso.onmicrosoft.com/api/.default`, or `https://contoso.onmicrosoft.com/aaaabbbb-0000-cccc-1111-dddd2222eeee/.default`.|
 
 The actual POST request looks like the following example:
 

articles/active-directory-b2c/partner-biocatch.md

@@ -407,7 +407,7 @@ For the following instructions, see [Tutorial: Register a web application in Azu
 
       "score": 275, 
 
-      "tid": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb" 
+      "tid": "bbbbcccc-1111-dddd-2222-eeee3333ffff" 
 
     }.[Signature]  
 

articles/active-directory-b2c/partner-dynamics-365-fraud-protection.md

@@ -117,7 +117,7 @@ In the provided [custom policies](https://github.com/azure-ad-b2c/partner-integr
 |{Settings:FacebookClientId}|App ID of the Facebook app you configured for federation with B2C| `000000000000000`|
 |{Settings:FacebookClientSecretKeyContainer}| Name of the policy key, in which you saved Facebook's app secret |`B2C_1A_FacebookAppSecret`|
 |{Settings:ContentDefinitionBaseUri}|Endpoint in where you deployed the UI files|`https://<my-storage-account>.blob.core.windows.net/<my-storage-container>`|
-|{Settings:DfpApiBaseUrl}|The base path for your DFP API instance, found in the DFP portal| `https://tenantname-00001111-aaaa-2222-bbbb-3333cccc4444.api.dfp.dynamics.com/v1.0/`|
+|{Settings:DfpApiBaseUrl}|The base path for your DFP API instance, found in the DFP portal| `https://tenantname-aaaabbbb-0000-cccc-1111-dddd2222eeee.api.dfp.dynamics.com/v1.0/`|
 |{Settings:DfpApiAuthScope}|The client_credentials scope for the DFP API service|`https://api.dfp.dynamics-int.com/.default or https://api.dfp.dynamics.com/.default`|
 |{Settings:DfpTenantId}|The ID of the Microsoft Entra tenant (not B2C) where DFP is licensed and installed|`00001111-aaaa-2222-bbbb-3333cccc4444` or `contoso.onmicrosoft.com` |
 |{Settings:DfpAppClientIdKeyContainer}|Name of the policy key-in which you save the DFP client ID|`B2C_1A_DFPClientId`|

articles/active-directory-b2c/partner-onfido.md

@@ -128,7 +128,7 @@ In [/samples/OnFido-Combined/Policies](https://github.com/azure-ad-b2c/partner-i
 |{your_tenant_IdentityExperienceFramework_appid}|IdentityExperienceFramework app App ID configured in your Azure AD B2C tenant|00001111-aaaa-2222-bbbb-3333cccc4444|
 |{your_tenant_ ProxyIdentityExperienceFramework_appid}|ProxyIdentityExperienceFramework app App ID configured in your Azure AD B2C tenant| 00001111-aaaa-2222-bbbb-3333cccc4444|
 |{your_tenant_extensions_appid}|Your tenant storage application App ID| 00001111-aaaa-2222-bbbb-3333cccc4444|
-|{your_tenant_extensions_app_objectid}|Your tenant storage application Object ID| aaaabbbb-0000-cccc-1111-dddd2222eeee|
+|{your_tenant_extensions_app_objectid}|Your tenant storage application Object ID| aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb|
 |{your_app_insights_instrumentation_key}|Your app insights instance* instrumentation key|00001111-aaaa-2222-bbbb-3333cccc4444|
 |{your_ui_file_base_url}|Location URL of your UI folders **ocean_blue**, **dist**, and **assets**| `https://yourstorage.blob.core.windows.net/UI/`|
 |{your_app_service_URL}|The app service URL you set up|`https://yourapp.azurewebsites.net`|

articles/active-directory-b2c/partner-twilio.md

@@ -82,7 +82,7 @@ The following components make up the Twilio solution:
    - Update the following lines based on your certificate in the web.config:
 
      ```xml
-     <add key="ida:SigningCertThumbprint" value="4F39D6014818082CBB763E5BA5F230E545212E89" />
+     <add key="ida:SigningCertThumbprint" value="AA11BB22CC33DD44EE55FF66AA77BB88CC99DD00" />
      <add key="ida:SigningCertAlgorithm" value="RS256" />
      ```
 

articles/api-center/export-to-copilot-studio.yml

@@ -5,7 +5,7 @@ metadata:
   description: Learn how to export an API definition from your Azure API center as a custom connector in Microsoft Copilot Studio.
   author: dlepow
   ms.author: danlep
-  ms.service: azure-api-management
+  ms.service: azure-api-center
   ms.topic: how-to 
   ms.date: 04/28/2025
   ms.collection: ce-skilling-ai-copilot

articles/api-management/api-management-gateways-overview.md

@@ -16,7 +16,7 @@ ms.author: danlep
 
 [!INCLUDE [api-management-availability-all-tiers](../../includes/api-management-availability-all-tiers.md)]
 
-This article provides information about the roles and features of the API Management *gateway* component and compares the gateways you can deploy.
+This article describes the roles and features of the API Management *gateway* component. It also compares the gateways you can deploy.
 
 Related information:
 
@@ -34,21 +34,21 @@ The API Management *gateway* (also called *data plane* or *runtime*) is the serv
 
 
 > [!NOTE]
-> All requests to the API Management gateway, including those rejected by policy configurations, count toward configured rate limits, quotas, and billing limits if applied in the service tier. 
+> All requests to the API Management gateway, including those rejected by policy configurations, count toward configured rate limits, quotas, and billing limits if the service tier applies them. 
 
 
-## Managed and self-hosted
+## Managed and self-hosted gateways
 
 API Management offers both managed and self-hosted gateways:
 
-* **Managed** - The managed gateway is the default gateway component that is deployed in Azure for every API Management instance in every service tier. A standalone managed gateway can also be associated with a [workspace](workspaces-overview.md) in an API Management instance. With the managed gateway, all API traffic flows through Azure regardless of where backends implementing the APIs are hosted. 
+* **Managed** - The managed gateway is the default gateway component that Azure deploys for every API Management instance in every service tier. You can also associate a standalone managed gateway with a [workspace](workspaces-overview.md) in an API Management instance in select service tiers. By using the managed gateway, all API traffic flows through Azure regardless of where backends implementing the APIs are hosted.  
 
     > [!NOTE]
     > Because of differences in the underlying service architecture, the gateways provided in the different API Management service tiers have some differences in capabilities. For details, see the section [Feature comparison: Managed versus self-hosted gateways](#feature-comparison-managed-versus-self-hosted-gateways).
     >    
  
 
-* **Self-hosted** - The [self-hosted gateway](self-hosted-gateway-overview.md) is an optional, containerized version of the default managed gateway that is available in select service tiers. It's useful for hybrid and multicloud scenarios where there's a requirement to run the gateways off of Azure in the same environments where API backends are hosted. The self-hosted gateway enables customers with hybrid IT infrastructure to manage APIs hosted on-premises and across clouds from a single API Management service in Azure. 
+* **Self-hosted** - The [self-hosted gateway](self-hosted-gateway-overview.md) is an optional, containerized version of the default managed gateway that's available in select service tiers. It's useful for hybrid and multicloud scenarios where there's a requirement to run the gateways off of Azure in the same environments where API backends are hosted. The self-hosted gateway enables customers with hybrid IT infrastructure to manage APIs hosted on-premises and across clouds from a single API Management service in Azure. 
 
     * The self-hosted gateway is [packaged](self-hosted-gateway-overview.md#packaging) as a Linux-based Docker container and is commonly deployed to Kubernetes, including to [Azure Kubernetes Service](how-to-deploy-self-hosted-gateway-azure-kubernetes-service.md) and [Azure Arc-enabled Kubernetes](how-to-deploy-self-hosted-gateway-azure-arc.md).
 
@@ -66,7 +66,7 @@ The following tables compare features available in the following API Management
 
 > [!NOTE]
 > * Some features of managed and self-hosted gateways are supported only in certain [service tiers](api-management-features.md) or with certain [deployment environments](self-hosted-gateway-overview.md#packaging) for self-hosted gateways.
-> * For the current supported features of the self-hosted gateway, ensure that you have upgraded to the latest major version of the self-hosted gateway [container image](self-hosted-gateway-overview.md#container-images).
+> * To see the current supported features of the self-hosted gateway, make sure you upgraded to the latest major version of the self-hosted gateway [container image](self-hosted-gateway-overview.md#container-images).
 > * See also self-hosted gateway [limitations](self-hosted-gateway-overview.md#limitations).
 
 ### Infrastructure
@@ -90,7 +90,7 @@ The following tables compare features available in the following API Management
 
 <sup>1</sup> Depends on how the gateway is deployed, but is the responsibility of the customer.<br/>
 <sup>2</sup> Connectivity to the self-hosted gateway v2 [configuration endpoint](self-hosted-gateway-overview.md#fqdn-dependencies) requires DNS resolution of the endpoint hostname.<br/>
-<sup>3</sup> CA root certificates for self-hosted gateway are managed separately per gateway<br/>
+<sup>3</sup> CA root certificates for self-hosted gateway are managed separately per gateway.<br/>
 <sup>4</sup> Client protocol needs to be enabled.<br/>
 <sup>5</sup> Configure using the [forward-request](forward-request-policy.md) policy.<br/>
 <sup>6</sup> Configure CA certificate details for backend certificate authentication in [backend](backends.md) settings.
@@ -154,7 +154,7 @@ For details about monitoring options, see [Observability in Azure API Management
 | [Request tracing](api-management-howto-api-inspector.md) | ✔️ | ✔️ | ✔️ | ✔️ | ✔️ |
 
 <sup>1</sup> The v2 tiers support Azure Monitor-based analytics.<br/>
-<sup>2</sup> Gateway uses [Azure Application Insight's built-in memory buffer](/azure/azure-monitor/app/telemetry-channels#built-in-telemetry-channels) and does not provide delivery guarantees.<br/>
+<sup>2</sup> Gateway uses [Azure Application Insight's built-in memory buffer](/azure/azure-monitor/app/telemetry-channels#built-in-telemetry-channels) and doesn't provide delivery guarantees.<br/>
 <sup>3</sup> The self-hosted gateway currently doesn't send resource logs (diagnostic logs) to Azure Monitor. Optionally [send metrics](how-to-configure-cloud-metrics-logs.md) to Azure Monitor, or [configure and persist logs locally](how-to-configure-local-metrics-logs.md) where the self-hosted gateway is deployed.<br/>
 
 ### Authentication and authorization
@@ -169,17 +169,17 @@ Managed and self-hosted gateways support all available [API authentication and a
 ## Gateway throughput and scaling
 
 > [!IMPORTANT]
-> Throughput is affected by the number and rate of concurrent client connections, the kind and number of configured policies, payload sizes, backend API performance, and other factors. Self-hosted gateway throughput is also dependent on the compute capacity (CPU and memory) of the host where it runs. Perform gateway load testing using anticipated production conditions to determine expected throughput accurately.
+> Throughput depends on many factors, including the number and rate of concurrent client connections, the kind and number of configured policies, payload sizes, backend API performance, and other factors. Self-hosted gateway throughput also depends on the compute capacity (CPU and memory) of the host where it runs. To accurately determine expected throughput, perform gateway load testing by using anticipated production conditions.
 
 ### Managed gateway
 
 For estimated maximum gateway throughput in the API Management service tiers, see [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/).
 
 > [!IMPORTANT]
-> Throughput figures are presented for information only and must not be relied upon for capacity and budget planning. See [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/) for details.
+> Use the throughput figures for information only. Don't rely on them for capacity and budget planning. See [API Management pricing](https://azure.microsoft.com/pricing/details/api-management/) for details.
 
 * **Classic tiers**
-    * Scale gateway capacity by adding and removing scale [units](upgrade-and-scale.md), or upgrade the service tier. (Scaling not available in the Developer tier.)
+    * Scale gateway capacity by adding and removing scale [units](upgrade-and-scale.md), or upgrade the service tier. (Scaling isn't available in the Developer tier.)
     * In the Basic, Standard, and Premium tiers, optionally configure [Azure Monitor autoscale](api-management-howto-autoscale.md).
     * In the Premium tier, optionally add and distribute gateway capacity across multiple [regions](api-management-howto-deploy-multi-region.md).
 
@@ -198,6 +198,19 @@ For estimated maximum gateway throughput in the API Management service tiers, se
 
 Scale capacity by adding and removing scale [units](upgrade-and-scale.md) in the workspace gateway.
 
+## Gateway health check endpoint
+
+In all tiers except the Consumption tier, Azure API Management provides a built-in gateway health check endpoint at path `/status-0123456789abcdef`. Reach this endpoint to help confirm that the API gateway is available and functioning correctly. It doesn't test backend APIs, only the gateway itself.
+
+A request to the endpoint returns a `200 OK` HTTP response when the gateway is healthy; failures indicate networking or gateway issues.  
+
+* Azure uses this endpoint internally for continuous SLA monitoring and gateway health validation.
+* Customers can integrate requests to this endpoint into their own monitoring tools and probes.
+* The endpoint is available for managed gateways (including regional gateways in multi-region deployments), self-hosted gateways, and workspace gateways. 
+
+> [!TIP]
+> When you [integrate Azure Application Insights](api-management-howto-app-insights.md) with API Management, you can optionally enable availability monitoring of the gateway. This setting regularly polls the gateway health check endpoint and reports results on the **Availability** tab in Application Insights.
+
 ## Related content
 
 Learn more about:

articles/api-management/api-management-howto-manage-protocols-ciphers.md

@@ -1,12 +1,12 @@
 ---
-title: Manage protocols and ciphers in Azure API Management | Microsoft Learn
+title: Manage Protocols and Ciphers in Azure API Management
 description: Learn how to manage transport layer security (TLS) protocols and cipher suites in Azure API Management.
 services: api-management
 author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 10/10/2025
+ms.date: 01/06/2026
 ms.author: danlep
 ---
 
@@ -41,7 +41,7 @@ API Management supports TLS versions up to TLS 1.3 for client and backend connec
 
 ## How to manage TLS protocols and cipher suites
 
-1. In the sidebar of your API Management instance, under **Security**, select **Protocols + ciphers**.  
+1. In the sidebar menu of your API Management instance, under **Security**, select **Protocols + ciphers**.  
 1. Enable or disable desired protocols or ciphers.
 1. Select **Save**.
 
@@ -58,7 +58,7 @@ TLS 1.3 is a major revision of the TLS protocol that provides improved security
 
 TLS 1.3 doesn't support certificate renegotiation. Certificate renegotiation in TLS allows client and server to renegotiate connection parameters mid-session for authentication without terminating the connection.
 
-Services that API Management identifies as reliant on client certificate renegotiation do not have TLS 1.3 enabled by default. You can choose to enable TLS 1.3 manually. 
+API Management instances that are detected as reliant on client certificate renegotiation do not have TLS 1.3 enabled by default. In these instances, you can choose to enable TLS 1.3 manually. 
 
 > [!WARNING]
 > If your APIs are accessed by TLS-compliant clients that rely on certificate renegotiation, enabling TLS 1.3 for client-side connections will cause those clients to fail to connect. Review APIs that recently used certificate renegotiation before enabling client-side TLS 1.3 in any service that doesn't have it enabled by default.