Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into azure-web-application-firewall-documentation

Author: ShawnJackson

articles/api-management/policy-reference.md

@@ -14,7 +14,7 @@ ms.custom: subject-policy-reference
 
 This page is an index of [Azure Policy](../governance/policy/overview.md) built-in policy
 definitions for Azure API Management. For additional Azure Policy built-ins for other services, see
-[Azure Policy built-in definitions](../governance/policy/samples/built-in-policies.md). If you're looking for policies you can use to modify API behavior in API Management, see [API Management policy reference](api-management-policies.md).
+[Azure Policy built-in definitions](/azure/governance/policy/samples/built-in-policies). If you're looking for policies you can use to modify API behavior in API Management, see [API Management policy reference](api-management-policies.md).
 
 The name of each built-in policy definition links to the policy definition in the Azure portal. Use
 the link in the **Version** column to view the source on the

articles/app-service/app-service-managed-certificate-changes-july-2025.md

@@ -29,18 +29,118 @@ For a detailed explanation of the underlying changes at DigiCert, refer to [chan
 
 ## Impacted scenarios
 
-You can't create or renew ASMCs if:
-- Your app is not publicly accessible.
-- You use Azure Traffic Manager with nested or external endpoints.
-- You rely on `*.trafficmanager.net` domains.
+You can't create or renew ASMCs if your:
+- Site is not publicly accessible:
+   - Public accessibility to your app is required. If your app is only accessible through private configurations, such as requiring a client certificate, disabling public network access, using private endpoints, or applying IP restrictions, you can't create or renew a managed certificate.
+   - Other configurations that restrict public access, such as firewalls, authentication gateways, or custom access policies, may also affect eligibility for managed certificate issuance or renewal.
 
-Existing certificates remain valid until expiration (up to 6 months), but will not renew automatically if your configuration is unsupported.
+- Site is an Azure Traffic Manager "nested" or "external" endpoint:
+   - Only "Azure Endpoints" on Traffic Manager is supported for certificate creation and renewal.
+   - "Nested endpoints" and "External endpoints" is not supported.
+- Site relies on _*.trafficmanager.net_ domains:
+   - Certificates for _*.trafficmanager.net_ domains is not supported for creation or renewal.
+
+Existing certificates remain valid until expiration (up to six months), but will not renew automatically if your configuration is unsupported.
+
+## Identify impacted resources
+You can use [Azure Resource Graph (ARG)](https://portal.azure.com/?feature.customPortal=false#view/HubsExtension/ArgQueryBlade) queries to help identify resources that may be affected under each scenario. These queries are provided as a starting point and may not capture every configuration. Review your environment for any unique setups or custom configurations. 
+
+### Scenario 1: Site is not publicly accessible
+This ARG query retrieves a list of sites that either have the public network access property disabled or are configured to use client certificates. It then filters for sites that are using App Service Managed Certificates (ASMC) for their custom hostname SSL bindings. These certificates are the ones that could be affected by the upcoming changes. However, this query does not provide complete coverage, as there may be other configurations impacting public access to your app that are not included here. Ultimately, this query serves as a helpful guide for users, but a thorough review of your environment is recommended. You can copy this query, paste it into [ARG Explorer](https://portal.azure.com/?feature.customPortal=false#view/HubsExtension/ArgQueryBlade), and then click "Run query" to view the results for your environment. 
+
+```kql
+// ARG Query: Identify App Service sites that commonly restrict public access and use ASMC for custom hostname SSL bindings 
+resources 
+| where type == "microsoft.web/sites" 
+// Extract relevant properties for public access and client certificate settings 
+| extend  
+    publicNetworkAccess = tolower(tostring(properties.publicNetworkAccess)), 
+    clientCertEnabled = tolower(tostring(properties.clientCertEnabled)) 
+// Filter for sites that either have public network access disabled  
+// or have client certificates enabled (both can restrict public access) 
+| where publicNetworkAccess == "disabled"  
+    or clientCertEnabled != "false" 
+// Expand the list of SSL bindings for each site 
+| mv-expand hostNameSslState = properties.hostNameSslStates 
+| extend  
+    hostName = tostring(hostNameSslState.name), 
+    thumbprint = tostring(hostNameSslState.thumbprint) 
+// Only consider custom domains (exclude default *.azurewebsites.net) and sites with an SSL certificate bound 
+| where tolower(hostName) !endswith "azurewebsites.net" and isnotempty(thumbprint) 
+// Select key site properties for output 
+| project siteName = name, siteId = id, siteResourceGroup = resourceGroup, thumbprint, publicNetworkAccess, clientCertEnabled 
+// Join with certificates to find only those using App Service Managed Certificates (ASMC) 
+// ASMCs are identified by the presence of the "canonicalName" property 
+| join kind=inner ( 
+    resources 
+    | where type == "microsoft.web/certificates" 
+    | extend  
+        certThumbprint = tostring(properties.thumbprint), 
+        canonicalName = tostring(properties.canonicalName) // Only ASMC uses the "canonicalName" property 
+    | where isnotempty(canonicalName) 
+    | project certName = name, certId = id, certResourceGroup = tostring(properties.resourceGroup), certExpiration = properties.expirationDate, certThumbprint, canonicalName 
+) on $left.thumbprint == $right.certThumbprint 
+// Final output: sites with restricted public access and using ASMC for custom hostname SSL bindings 
+| project siteName, siteId, siteResourceGroup, publicNetworkAccess, clientCertEnabled, thumbprint, certName, certId, certResourceGroup, certExpiration, canonicalName
+```
+
+
+### Scenario 2: Site is an Azure Traffic Manager "nested" or "external" endpoint
+If your App Service uses custom domains routed through **Azure Traffic Manager**, you may be impacted if your profile includes **external** or **nested endpoints**. These endpoint types are not supported for certificate issuance or renewal under the new validation.
+
+To help identify affected Traffic Manager profiles across your subscriptions, we recommend using [this PowerShell script](https://github.com/nimccoll/NonAzureTrafficManagerEndpoints) developed by the Microsoft team. It scans for profiles with non-Azure endpoints and outputs a list of potentially impacted resources.
+
+> [!NOTE]
+> You need at least Reader access to all subscriptions to run the script successfully.
+> 
+
+To run the script:
+1. Download the [PowerShell script from GitHub](https://github.com/nimccoll/NonAzureTrafficManagerEndpoints).
+1. Open PowerShell and navigate to the script location.
+1. Run the script.
+   ```
+   .\TrafficManagerNonAzureEndpoints.ps1
+   ```
+
+### Scenario 3: Site relies on _*.trafficmanager.net_ domains
+This ARG query helps you identify App Service Managed Certificates (ASMC) that were issued to _*.trafficmanager.net domains_. In addition, it also checks whether any web apps are currently using those certificates for custom domain SSL bindings. You can copy this query, paste it into [ARG Explorer](https://portal.azure.com/?feature.customPortal=false#view/HubsExtension/ArgQueryBlade), and then click "Run query" to view the results for your environment. 
+
+```kql
+// ARG Query: Identify App Service Managed Certificates (ASMC) issued to *.trafficmanager.net domains 
+// Also checks if any web apps are currently using those certificates for custom domain SSL bindings 
+resources 
+| where type == "microsoft.web/certificates" 
+// Extract the certificate thumbprint and canonicalName (ASMCs have a canonicalName property) 
+| extend  
+    certThumbprint = tostring(properties.thumbprint), 
+    canonicalName = tostring(properties.canonicalName) // Only ASMC uses the "canonicalName" property 
+// Filter for certificates issued to *.trafficmanager.net domains 
+| where canonicalName endswith "trafficmanager.net" 
+// Select key certificate properties for output 
+| project certName = name, certId = id, certResourceGroup = tostring(properties.resourceGroup), certExpiration = properties.expirationDate, certThumbprint, canonicalName 
+// Join with web apps to see if any are using these certificates for SSL bindings 
+| join kind=leftouter ( 
+    resources 
+    | where type == "microsoft.web/sites" 
+    // Expand the list of SSL bindings for each site 
+    | mv-expand hostNameSslState = properties.hostNameSslStates 
+    | extend  
+        hostName = tostring(hostNameSslState.name), 
+        thumbprint = tostring(hostNameSslState.thumbprint) 
+    // Only consider bindings for *.trafficmanager.net custom domains with a certificate bound 
+    | where tolower(hostName) endswith "trafficmanager.net" and isnotempty(thumbprint) 
+    // Select key site properties for output 
+    | project siteName = name, siteId = id, siteResourceGroup = resourceGroup, thumbprint 
+) on $left.certThumbprint == $right.thumbprint 
+// Final output: ASMCs for *.trafficmanager.net domains and any web apps using them 
+| project certName, certId, certResourceGroup, certExpiration, canonicalName, siteName, siteId, siteResourceGroup
+```
 
 ## Mitigation guidance
 
 ### Scenario 1: Site is not publicly accessible
 
-Apps that are not accessible from the public internet will not be able to create or renew ASMCs. This includes restrictions via private endpoints, firewalls, IP restrictions, client certificates, authentication gateways, or custom access policies.
+Apps that are not accessible from the public internet cannot create or renew ASMCs. These configurations may include restrictions enforced through private endpoints, firewalls, IP filtering, client certificates, authentication gateways, or custom access policies.
 
 We recognize that making applications publicly accessible may conflict with customer security policies or introduce risk. The recommended mitigation is to replace ASMC with a custom certificate and update the TLS/SSL binding for your custom domain.
 
@@ -91,17 +191,17 @@ Some customers may choose to allowlist [DigiCert’s domain validation IPs](http
 For guidance on configuring access restrictions, refer to [set up Azure App Service access restrictions](app-service-ip-restrictions.md).
 
 
-### Scenario 2: Azure Traffic Manager with nested or external endpoints
+### Scenario 2: Site is an Azure Traffic Manager "nested" or "external" endpoint
 
-Only “Azure Endpoints” are supported. “Nested” and “External” endpoints are not supported for ASMC validation.
+Only "Azure Endpoints" are supported. "Nested" and "External" endpoints are not supported for ASMC validation.
 
 **Recommended mitigation:**
 
 - Switch to Azure Endpoints or use a custom domain secured with a custom certificate.
 - For guidance on using App Service as an Azure Traffic Manager endpoint, refer to [App Service and Traffic Manager Profiles](web-sites-traffic-manager.md#app-service-and-traffic-manager-profiles).
 
 
-### Scenario 3: Use of trafficmanager.net domains
+### Scenario 3: Site relies on _*.trafficmanager.net_ domains
 
 Certificates for `*.trafficmanager.net` domains are not supported. If your app relies on this domain and uses ASMC, you need to remove that dependency and secure your app using a custom domain and certificate.
 

articles/app-service/includes/configure-azure-storage/azure-storage-linux-container-pivot.md

@@ -225,6 +225,7 @@ To validate that the Azure Storage is mounted successfully for the app:
 ### Troubleshooting
 
 - The mount directory in the custom container should be empty. Any content stored at this path is deleted when the Azure Storage is mounted, if you specify a directory under */home*, for example. If you migrate files for an existing app, make a backup of the app and its content before you begin.
+- When mounting an NFS share, you'll need to ensure that Secure Transfer Required is disabled on the storage account. App Service doesn't support mounting NFS shares when this is enabled. It uses port 2409 and virtual network integration and private endpoints as the security measure.
 - If you delete an Azure Storage account, container, or share, remove the corresponding storage mount configuration in the app to avoid possible error scenarios.
 - We don't recommend that you use storage mounts for local databases, such as SQLite, or for any other applications and components that rely on file handles and locks.
 - Ensure the following ports are open when using virtual network integration: Azure Files: 80 and 445. Azure Blobs: 80 and 443.

articles/app-service/overview-tls.md

@@ -44,7 +44,7 @@ Azure App Service supports the following TLS versions for incoming requests to y
 
 You can configure the *minimum TLS version* for incoming requests to your web app and its Source Control Manager (SCM) site. By default, the minimum is set to **TLS 1.2**.
 
-You can use Azure Policy to help audit your resources and minimum TLS version. Go to [App Service apps should use the latest TLS version policy definition](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) and change the values to the minimum TLS version you want your web apps to use. For related policy definitions for other App Service resources, see [List of built-in policy definitions - Azure Policy for App Service](../governance/policy/samples/built-in-policies.md#app-service).
+You can use Azure Policy to help audit your resources and minimum TLS version. Go to [App Service apps should use the latest TLS version policy definition](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b) and change the values to the minimum TLS version you want your web apps to use. For related policy definitions for other App Service resources, see [List of built-in policy definitions - Azure Policy for App Service](/azure/governance/policy/samples/built-in-policies#app-service).
 
 ### TLS 1.3
 

articles/app-service/policy-reference.md

@@ -11,7 +11,7 @@ ms.author: cephalin
 
 This page is an index of [Azure Policy](../governance/policy/overview.md) built-in policy
 definitions for Azure App Service. For additional Azure Policy built-ins for other services, see
-[Azure Policy built-in definitions](../governance/policy/samples/built-in-policies.md).
+[Azure Policy built-in definitions](/azure/governance/policy/samples/built-in-policies).
 
 The name of each built-in policy definition links to the policy definition in the Azure portal. Use
 the link in the **Version** column to view the source on the

articles/automation/overview.md

@@ -113,7 +113,7 @@ Depending on your requirements, one or more of the following Azure services inte
 * [Azure Arc-enabled servers](/azure/azure-arc/servers/overview) enables simplified onboarding of hybrid machines to Change Tracking and Inventory using AMA, and the Hybrid Runbook Worker role.
 * [Azure Alerts action groups](/azure/azure-monitor/alerts/action-groups) can initiate an Automation runbook when an alert is raised.
 * [Azure Monitor](/azure/azure-monitor/overview) to collect metrics and log data from your Automation account for further analysis and take action on the telemetry. 
-* [Azure Policy](../governance/policy/samples/built-in-policies.md) includes initiative definitions to help establish and maintain  compliance with different security standards for your Automation account.
+* [Azure Policy](/azure/governance/policy/samples/built-in-policies) includes initiative definitions to help establish and maintain  compliance with different security standards for your Automation account.
 * [Azure Site Recovery](../site-recovery/site-recovery-runbook-automation.md) can use Azure Automation runbooks to automate recovery plans.
 
 These Azure services can work with Automation job and runbook resources using an HTTP webhook or API method:

articles/automation/policy-reference.md

@@ -11,7 +11,7 @@ author: jasminemehndir
 
 This page is an index of [Azure Policy](../governance/policy/overview.md) built-in policy
 definitions for Azure Automation. For additional Azure Policy built-ins for other services,
-see [Azure Policy built-in definitions](../governance/policy/samples/built-in-policies.md).
+see [Azure Policy built-in definitions](/azure/governance/policy/samples/built-in-policies).
 
 The name of each built-in policy definition links to the policy definition in the Azure portal. Use
 the link in the **Version** column to view the source on the

articles/azure-app-configuration/configuration-provider-overview.md

@@ -59,8 +59,8 @@ Key Vault References | [GA](./reference-dotnet-provider.md#key-vault-reference)
 Key Vault Secret Refresh | [GA](./reference-dotnet-provider.md#key-vault-secret-refresh) | WIP | GA | WIP | WIP | GA
 Custom Key Vault Secret Resolution | [GA](./reference-dotnet-provider.md#key-vault-reference) | GA | GA | GA | [GA](./reference-javascript-provider.md#key-vault-reference) | GA
 Parallel Secret Resolution | WIP | WIP | WIP | WIP | [GA](./reference-javascript-provider.md#parallel-secret-resolution) | GA
-Feature Flags | [GA](./reference-dotnet-provider.md#feature-flag) | GA | GA | GA | [GA](./reference-javascript-provider.md#feature-flag) | WIP
-Variant Feature Flags | [GA](./reference-dotnet-provider.md#feature-flag) | GA | GA | GA | [GA](./reference-javascript-provider.md#feature-flag) | WIP
+Feature Flags | [GA](./reference-dotnet-provider.md#feature-flag) | GA | GA | GA | [GA](./reference-javascript-provider.md#feature-flag) | GA
+Variant Feature Flags | [GA](./reference-dotnet-provider.md#feature-flag) | GA | GA | GA | [GA](./reference-javascript-provider.md#feature-flag) | GA
 Feature Flag Telemetry | GA | GA | WIP | GA | GA | WIP
 Key Prefix Trim | [GA](./reference-dotnet-provider.md#trim-prefix-from-keys) | GA | GA | GA | [GA](./reference-javascript-provider.md#trim-prefix-from-keys) | GA
 Configurable Startup Time-out | [GA](./reference-dotnet-provider.md#startup-retry) | WIP | N/A | WIP | [GA](./reference-javascript-provider.md#startup-retry) | WIP