Merge branch 'main' of https://github.com/MicrosoftDocs/azure-security-docs-pr into wi564984-update-to-SQL-plan

Author: ElazarK

articles/defender-for-cloud/defender-for-apis-prepare.md

@@ -5,7 +5,7 @@ author: dlanger
 ms.author: dlanger
 ms.service: defender-for-cloud
 ms.topic: checklist
-ms.date: 07/15/2025
+ms.date: 03/31/2026
 ms.custom: references_regions
 ---
 # Support and prerequisites for Defender for APIs deployment
@@ -21,8 +21,15 @@ Defender for APIs is available in the Azure commercial cloud, in these regions:
 - Brazil (Brazil South, Brazil Southeast)
 - Canada (Canada Central, Canada East)
 - Europe (West Europe, North Europe)
+- France (France Central, France South)
+- Germany (Germany West Central, Germany North)
 - India (Central India, South India, West India)
+- Italy (Italy North)
 - Japan (Japan East, Japan West)
+- Korea (Korea Central, Korea South)
+- Norway (Norway East, Norway West)
+- Sweden (Sweden Central, Sweden South)
+- Switzerland (Switzerland North, Switzerland West)
 - UK (UK South, UK West)
 - US (East US, East US 2, West US, West US 2, West US 3, Central US, North Central US, South Central US, West Central US, East US 2 EUAP, Central US EUAP)
 

articles/defender-for-cloud/enable-api-security-posture.md

@@ -4,7 +4,7 @@ description: Learn how to enable API security posture management in Microsoft De
 ms.author: elkrieger
 author: Elazark
 ms.topic: how-to
-ms.date: 01/04/2026
+ms.date: 03/31/2026
 ms.custom: sfi-image-nochange, references_regions
 #customer intent: As a cloud administrator, I want to learn how to enable API security posture management to protect my APIs in Azure API Management, Function Apps, and Logic Apps.
 ---
@@ -34,8 +34,15 @@ API Security Posture Management within Defender CSPM is available in the Azure c
 - Brazil (Brazil South, Brazil Southeast)
 - Canada (Canada Central, Canada East)
 - Europe (West Europe, North Europe)
+- France (France Central, France South)
+- Germany (Germany West Central, Germany North)
 - India (Central India, South India, West India)
+- Italy (Italy North)
 - Japan (Japan East, Japan West)
+- Korea (Korea Central, Korea South)
+- Norway (Norway East, Norway West)
+- Sweden (Sweden Central, Sweden South)
+- Switzerland (Switzerland North, Switzerland West)
 - UK (UK South, UK West)
 - US (East US, East US 2, West US, West US 2, West US 3, Central US, North Central US, South Central US, West Central US, East US 2 EUAP, Central US EUAP)
 

articles/defender-for-cloud/recommendations-reference-data.md

@@ -1925,6 +1925,28 @@ Even with key owner precautions, keys can be easily leaked by less than optimum
 
 **Severity**: High
 
+### Geo-redundant backups should be enabled for PostgreSQL Servers
+
+**Description**:   
+__What is geo-redundant backup?__ Geo-redundant backup replicates server backups to a paired Azure region, providing resilience against regional failures.
+
+__Why is it a security concern?__ If geo-redundant backups are disabled, a regional outage could result in data loss and extended downtime, impacting availability and compliance.
+
+__How could attackers exploit it or how could it lead to data breaches?__ While not directly exploitable, lack of geo-redundancy increases the impact of disasters or targeted attacks on a single region.
+
+**Severity**: Low
+
+### require_secure_transport should be set to “on” for Azure Database for PostgreSQL Servers
+
+**Description**:   
+__What is require_secure_transport?__ require_secure_transport is a server-level parameter that enforces the use of SSL/TLS for all client connections to PostgreSQL. When set to on, clients must connect using encrypted channels.
+
+__Why is it a security concern?__ If this setting is disabled (off), clients may connect over unencrypted channels, exposing sensitive data such as credentials, queries, and results to interception or manipulation.
+
+__How could attackers exploit it or how could it lead to data breaches?__ An attacker on the network could perform a man-in-the-middle attack, intercepting or altering data exchanged between the client and server if encryption is not enforced.
+
+**Severity**: High
+
 ## Related content
 
 - [Learn about security recommendations](security-policy-concept.md)

articles/defender-for-cloud/release-notes-recommendations-alerts.md

@@ -49,6 +49,7 @@ New and updated recommendations, alerts, and incidents are added to the table in
 | **Date announced**     | **Type**       | **State**            | **Name**                                                     |
 | ------------ | -------------- | -------------------- | ------------------------------------------------------------ |
 | March 30, 2026 | Alert | Preview | The following alert is now in Preview: <br> * Malicious content detected in uploaded AI model | 
+| March 29, 2026 | Recommendation | Preview | The following recommendations are now available in preview for Azure Database for PostgreSQL Flexible Servers as part of Defender CSPM:<br/>* Geo-redundant backups should be enabled for PostgreSQL Servers <br/>* require_secure_transport should be set to "on" for Azure Database for PostgreSQL Servers |
 | March 29, 2026 | Recommendation | Deprecation | Following the announcement from December 3, 2025, The recommendation `Microsoft Defender for SQL status should be protected for Arc-enabled SQL Servers` for Defender for SQL Servers on Machines plan, is now deprecated. |
 | March 04, 2026 | Recommendation | Upcoming deprecation | The following grouped container vulnerability recommendations are set for deprecation on April 13, 2026:<br/>**Container recommendations:**<br/>\* [Preview] Containers running in Azure should have vulnerability findings resolved<br/>\* [Preview] Containers running in AWS should have vulnerability findings resolved<br/>\* [Preview] Containers running in GCP should have vulnerability findings resolved<br/>**Container image recommendations:**<br/>\* [Preview] Container images in Azure registry should have vulnerability findings resolved<br/>\* [Preview] Container images in AWS registry should have vulnerability findings resolved<br/>\* [Preview] Container images in GCP registry should have vulnerability findings resolved<br/><br/>These grouped recommendations are being replaced by individual recommendations that provide more granular visibility, better prioritization, and improved governance. Learn more in [Deprecation of preview of container and container images vulnerability recommendations](release-notes.md#deprecation-of-preview-of-container-and-container-images-vulnerability-recommendations). |
 | February 24, 2026 | Recommendation | GA | The following data recommendations are GA: <br><br> - [Storage accounts should restrict network access using virtual network rules](recommendations-reference-data.md#storage-accounts-should-restrict-network-access-using-virtual-network-rules). <br><br> - [Storage account should use a private link connection](recommendations-reference-data.md#storage-account-should-use-a-private-link-connection). <br><br> - [Storage accounts should prevent shared key access](recommendations-reference-data.md#storage-accounts-should-prevent-shared-key-access). |

articles/defender-for-cloud/release-notes.md

@@ -2,7 +2,8 @@
 title: What's new in Microsoft Defender for Cloud features
 description: What's new and updated in Microsoft Defender for Cloud features
 ms.topic: overview
-ms.date: 03/30/2026
+ms.custom: references_regions
+ms.date: 03/31/2026
 ---
 
 # What's new in Defender for Cloud features
@@ -31,6 +32,7 @@ This article summarizes what's new in Microsoft Defender for Cloud. It includes
 
 | Date | Category | Update |
 | -------- | -------- | -------- |
+| March 31, 2026| Update | [Support for additional Azure regions for Defender for APIs and API security posture management with Defender CSPM](#support-for-additional-azure-regions-for-defender-for-apis-and-api-security-posture-management-with-defender-cspm) |
 | March 30, 2026 | Upcoming change | [Update to Defender for SQL servers on machines plan for Fairfax customers](#update-to-defender-for-sql-servers-on-machines-plan-for-fairfax-customers) |
 | March 30, 2026 | Preview | [AI model security for Azure Machine Learning (Preview)](#ai-model-security-for-azure-machine-learning-preview) |
 | March 29, 2026 | Preview | [Expanded multicloud coverage for AWS and GCP (Preview)](#expanded-multicloud-coverage-for-aws-and-gcp-preview) |
@@ -55,9 +57,31 @@ To simplify onboarding and improve protection coverage, we're releasing an enhan
 - [Update Defender for SQL Servers on Machines plan configuration](update-sql-machine-configuration.md): If you enabled the Defender for SQL Server on machines plan before April 2026, follow these instructions to update your configuration.
 - [Verify SQL Server instances protection status](verify-machine-protection.md): With an estimated starting date of May 2026, you must verify the protection status of your SQL Server instances across your environments. Learn how to [troubleshoot deployment issues for Defender for SQL on machines configuration](troubleshoot-sql-machines-guide.md).
 
+### Support for additional Azure regions for Defender for APIs and API security posture management with Defender CSPM
+
+
+Microsoft Defender for APIs and API security posture management with Defender CSPM has expanded to provide its capabilities in the following Azure regions:
+- Sweden Central
+- Sweden South
+- Germany West Central
+- Germany North
+- Italy North
+- France Central
+- France South
+- Norway East
+- Norway West
+- Switzerland North
+- Switzerland West
+- Korea Central
+- Korea South
+
+Customers who have Azure API Management services in these regions can now use the capabilities offered by Microsoft Defender for APIs and API security posture management with Defender CSPM.
+API discovery and security posture capabilities in Defender CSPM for Azure Function Apps and Azure Logic Apps have also been expanded to these regions. This feature is still in Preview.
+
+Learn more about [Microsoft Defender for APIs](defender-for-apis-introduction.md) and [API security posture management with Defender CSPM](api-security-posture-overview.md).
+
 ### AI model security for Azure Machine Learning (Preview)
 
-March 30, 2026
 
 Microsoft Defender for Cloud now offers AI model security in preview for Azure Machine Learning registries and workspaces. AI model security helps security teams discover and scan custom AI models for risks before deployment, and review findings in Defender for Cloud.
 
@@ -92,7 +116,6 @@ Learn more about [security recommendations](review-security-recommendations.md).
 
 ### File Integrity Monitoring requires MDE agent version 10.8799+ for legacy Windows machines
 
-March 22, 2026
 
 Due to a pipeline change in Microsoft Defender for Endpoint (MDE), File Integrity Monitoring now requires the **Defender for Servers Windows client (Microsoft Defender for Endpoint agent) version 10.8799 or above** for proper functionality on legacy Windows machines (downlevel clients).
 

articles/key-vault/certificates/quick-create-go.md

@@ -3,7 +3,7 @@ title: Quickstart – Azure Key Vault Go client library - Manage certificates
 description: Learn how to create, retrieve, and delete certificates from an Azure key vault using the Go client library
 author: Duffney
 ms.author: jduffney
-ms.date: 03/26/2026
+ms.date: 03/30/2026
 ms.service: azure-key-vault
 ms.subservice: certificates
 ms.topic: quickstart
@@ -217,7 +217,7 @@ For more examples, see the [module documentation](https://aka.ms/azsdk/go/keyvau
 Run the following command to delete the resource group and all its remaining resources:
 
 ```azurecli
-az group delete --resource-group <resource-group>
+az group delete --resource-group "myResourceGroup"
 ```
 
 ## Next steps

articles/key-vault/certificates/quick-create-java.md

@@ -4,7 +4,7 @@ description: Learn about the Azure Key Vault Certificate client library for Java
 author: msmbaldwin
 ms.custom: devx-track-java, devx-track-azurecli, devx-track-azurepowershell, mode-api, passwordless-java, devx-track-extended-java
 ms.author: mbaldwin
-ms.date: 03/26/2026
+ms.date: 03/30/2026
 
 ms.service: azure-key-vault
 ms.subservice: certificates
@@ -229,11 +229,11 @@ deletionPoller.waitForCompletion();
 When no longer needed, you can use the Azure CLI or Azure PowerShell to remove your key vault and the corresponding resource group.
 
 ```azurecli
-az group delete -g "<resource-group>"
+az group delete -g "myResourceGroup"
 ```
 
 ```azurepowershell
-Remove-AzResourceGroup -Name "<resource-group>"
+Remove-AzResourceGroup -Name "myResourceGroup"
 ```
 
 ## Sample code

articles/key-vault/certificates/quick-create-python.md

@@ -3,7 +3,7 @@ title: Quickstart – Azure Key Vault Python client library – manage certifica
 description: Learn how to create, retrieve, and delete certificates from an Azure key vault using the Python client library
 author: msmbaldwin
 ms.author: mbaldwin
-ms.date: 03/26/2026
+ms.date: 03/30/2026
 
 ms.service: azure-key-vault
 ms.subservice: certificates
@@ -87,7 +87,7 @@ This quickstart uses the Azure Identity library with Azure CLI or Azure PowerShe
 
 ### Set the KEY_VAULT_NAME environmental variable
 
-[!INCLUDE [Set the KEY_VAULT_NAME environmental variable](../includes/key-vault-set-environmental-variables.md)]
+[!INCLUDE [Set the KEY_VAULT_NAME environmental variable](~/reusable-content/ce-skilling/azure/includes/key-vault/set-environmental-variables.md)]
 
 ### Grant access to your key vault
 
@@ -210,13 +210,13 @@ Otherwise, when you're finished with the resources created in this article, use
 ### [Azure CLI](#tab/azure-cli)
 
 ```azurecli
-az group delete --resource-group <resource-group>
+az group delete --resource-group "myResourceGroup"
 ```
 
 ### [Azure PowerShell](#tab/azure-powershell)
 
 ```azurepowershell
-Remove-AzResourceGroup -Name "<resource-group>"
+Remove-AzResourceGroup -Name "myResourceGroup"
 ```
 
 ---

articles/key-vault/general/tutorial-javascript-virtual-machine.md

@@ -5,7 +5,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: general
 ms.topic: tutorial
-ms.date: 03/26/2026
+ms.date: 03/30/2026
 ms.author: mbaldwin
 ms.devlang: javascript
 ms.custom: mvc, devx-track-js, devx-track-azurecli, devx-track-azurepowershell
@@ -197,7 +197,7 @@ The value of secret 'mySecret' in '<vault-name>' is: 'Success!'
 When they are no longer needed, delete the virtual machine and your key vault.  You can do this quickly by simply deleting the resource group to which they belong:
 
 ```azurecli
-az group delete -g <resource-group>
+az group delete -g "myResourceGroup"
 ```
 
 ## Next steps

articles/key-vault/general/tutorial-net-virtual-machine.md

@@ -6,7 +6,7 @@ author: msmbaldwin
 ms.service: azure-key-vault
 ms.subservice: general
 ms.topic: tutorial
-ms.date: 03/26/2026
+ms.date: 03/30/2026
 ms.author: mbaldwin
 ms.devlang: csharp
 ms.custom: mvc, devx-track-csharp, devx-track-azurepowershell, devx-track-azurecli, devx-track-dotnet
@@ -65,7 +65,7 @@ Connect-AzAccount
 
 ## Populate your key vault with a secret
 
-[!INCLUDE [Create a secret](../includes/key-vault-create-secret.md)]
+[!INCLUDE [Create a secret](~/reusable-content/ce-skilling/azure/includes/key-vault/create-secret.md)]
 
 ## Create a virtual machine
 Create a Windows or Linux virtual machine using one of the following methods: