articles/api-management/breaking-changes/managed-certificates-suspension-august-2025.md (28 additions & 2 deletions)
@@ -6,7 +6,7 @@ author: dlepow
6
6
ms.service: azure-api-management
7
7
ms.topic: reference
8
8
ai-usage: ai-assisted
9
-
ms.date: 01/26/2026
9
+
ms.date: 02/06/2026
10
10
ms.author: danlep
11
11
---
12
12
@@ -36,11 +36,37 @@ If you need to add new managed certificates, plan to do so before August 15, 202
36
36
37
37
If you already have managed certificates for your custom domains, do the following to ensure continued access:
38
38
39
-
- Ensure that your API Management service allows [inbound traffic from DigiCert IP addresses on port 80](#allow-access-to-digicert-ip-addresses). This access is now required for the certificate autorenewal process.
39
+
1. Ensure that your API Management service [allows inbound traffic from DigiCert IP addresses on port 80](#step-1-allow-access-to-digicert-ip-addresses). This access is now required for the certificate autorenewal process.
40
+
1.[Configure DNS records](#step-2-configure-dns-records) to resolve your custom domain name.
41
+
1.[Allow API Management service access to port 80](#step-3-allow-api-management-service-access-to-port-80) if you have inbound network restrictions in place.
Configure DNS records for your custom domain to point to your API Management gateway. The type of DNS record you need to add depends on your API Management tier.
50
+
51
+
#### DNS records for Developer, Basic, Standard, or Premium tier
52
+
53
+
1. Add either a [CNAME](/azure/api-management/configure-custom-domain?tabs=custom#cname-record) or A-record with your DNS provider.
54
+
55
+
1. Add DigiCert as an authorized certificate authority (CA) in Azure DNS. For this, create a specific CAA record set within your domain's DNS zone using the Azure portal or other management tools.
56
+
57
+
#### DNS records for Consumption tier
58
+
59
+
1. Add either a [CNAME](/azure/api-management/configure-custom-domain?tabs=custom#cname-record) or [TXT](/azure/api-management/configure-custom-domain?tabs=managed#txt-record) record with your DNS provider. If you configure both, the TXT record takes precedence.
60
+
1. Add DigiCert as an authorized certificate authority (CA) in Azure DNS. For this, you need to create a specific CAA record set within your domain's DNS zone using the Azure portal or other management tools
61
+
62
+
### Step 3: Allow API Management service access to port 80
63
+
64
+
If you have inbound network restrictions configured for your API Management service, allow the Azure API Management resource provider access on port 80. This is required to allow inbound traffic to support certificate revocation list (CRL) checks, certificate renewal, and management communication.
65
+
66
+
1. In the Azure portal, go to **Network security groups**.
67
+
1. Select the network security group associated with your API Management subnet.
68
+
1. Under **Settings** > **Inbound security rules**, add a new rule allowing traffic on port 80 from the **ApiManagement** service tag to the API Management instance.
69
+
44
70
## Help and support
45
71
46
72
If you have questions, get answers from community experts in [Microsoft Q&A](https://aka.ms/apim/azureqa/change/captcha-2022). If you have a support plan and need technical help, create a [support request](https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview).
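Review bot: The CAA step under both tier headings says to add DigiCert as an authorized CA "in Azure DNS", while the step just before it says "with your DNS provider"; readers whose zone is hosted elsewhere get no instruction, so say the CAA record set goes in whichever zone hosts the custom domain, and state the record's tag and value. The Consumption-tier copy of that step also lacks its final period and reads "you need to create" where the other tier reads "create". In the overview list, the second and third items have no space after "1." ("1.[Configure DNS records]"), so they may not render as list items. In Step 3, the rule description should also name the protocol so the port 80 allowance from the **ApiManagement** service tag is not created wider than intended.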
articles/sentinel/datalake/sentinel-lake-connectors.md (74 additions & 0 deletions)
@@ -49,6 +49,80 @@ Tables created by using the Logs Ingestion API or Azure Monitor Agent (AMA) and
49
49
50
50
When you onboard to both Microsoft Defender and Microsoft Sentinel and then onboard to the data lake, you no longer see auxiliary log tables in Microsoft Defender’s Advanced hunting or in the Microsoft Sentinel Azure portal. The auxiliary table data is available in the data lake and you can query it by using KQL queries or Jupyter notebooks. Find KQL queries under **Microsoft Sentinel** > **Data lake exploration** in the Defender portal.
51
51
52
+
## Direct ingestion to the data lake tier
53
+
54
+
Depending on your organization's security needs, you might choose to ingest some log sources directly into the data
55
+
lake. Directly ingesting logs to the data lake allows you to better manage costs by optimizing data retention and storage based on the value of the data for real-time detection versus long-term analysis.
56
+
57
+
Ingest high-volume logs that are less critical for real-time detection but valuable for deep analysis and forensics directly to the lake, and ingest only high-value logs to the analytics tier. Note that logs ingested to the analytics tier are also mirrored to the data lake.
58
+
59
+
Use the following table to prioritize which sources you should ingest directly to the data lake versus the analytics tier.
60
+
61
+
| Log source type | Typical log volume | Value for real-time threat detection and alerting | Value for threat hunting | Value for incident investigation and forensics | Ingest to data lake |
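Review bot: The first paragraph of the new section is hard-wrapped mid-sentence, with one added line ending at "directly into the data" and the next starting with "lake."; join them so the paragraph sits on one line like the other paragraphs added here. The sentence that begins "Note that logs ingested to the analytics tier are also mirrored to the data lake" reads better without "Note that".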
| Enable behaviors | At least the **Security Administrator** role in Microsoft Entra ID. |
221
-
| Query behaviors tables | <ul><li>**Security Reader** or **Security Operator** role in Microsoft Entra ID to run Advanced Hunting queries in the Defender portal</li><li>`Read` access to the `BehaviorInfo` and `BehaviorEntities` tables in your Sentinel workspace</li><li>`Read` access to source tables to drill down to raw events</li></ul> |
220
+
| Enable behaviors | At least the **Security Administrator** role in Microsoft Entra ID and the **Microsoft Sentinel Contributor** role in your Sentinel workspace. |
221
+
| Query behaviors tables | <ul><li>**Security Reader** or **Security Operator** role in Microsoft Entra ID to run Advanced Hunting queries in the Defender portal.</li><li>**Read** access to the `BehaviorInfo` and `BehaviorEntities` tables in your Sentinel workspace.</li><li>**Read** access to source tables to drill down to raw events.</li></ul> |
222
222
223
223
For more information about unified RBAC in the Defender portal, see [Microsoft Defender XDR Unified role-based access control (RBAC)](/defender-xdr/manage-rbac).
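Review bot: In the "Enable behaviors" row, "At least" now sits in front of two roles from different access systems (a Microsoft Entra ID role and a workspace role), and it is unclear whether it applies to both; consider splitting the cell into two list items, as the "Query behaviors tables" row does, so each requirement and its scope stands alone. In the "Query behaviors tables" row, `Read` changed from code formatting to bold; confirm it is meant as a UI label or role name rather than a permission, since the table names next to it keep code formatting.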
includes/api-management-managed-certificate-ip-access.md (0 additions & 2 deletions)
@@ -7,8 +7,6 @@ ms.author: danlep
7
7
ms.custom:
8
8
---
9
9
10
-
### Allow access to DigiCert IP addresses
11
-
12
10
Starting January 2026, Azure API Management needs inbound access on port 80 to [specific DigiCert IP addresses](https://knowledge.digicert.com/alerts/ip-address-domain-validation?utm_medium=organic&utm_source=docs-digicert&referrer=https://docs.digicert.com/en/certcentral/manage-certificates/domain-control-validation-methods/automatic-domain-control-validation-check.html) to renew (rotate) your managed certificate.
13
11
14
12
If your API Management instance restricts incoming IP addresses, we recommend that you remove or modify existing IP restrictions by using one of the following methods based on your deployment architecture.
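Review bot: Removing the "### Allow access to DigiCert IP addresses" heading from this include means every article that pulls it in must now supply its own heading, and any link to the old `#allow-access-to-digicert-ip-addresses` anchor will break; the managed-certificates article in this commit now links to `#step-1-allow-access-to-digicert-ip-addresses`, so confirm that heading exists there and check any other article that uses this include. The first remaining sentence also says "inbound access on port 80 to specific DigiCert IP addresses", while the article says inbound traffic "from" DigiCert IP addresses; align the direction so readers write the firewall rule the right way round.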