Merge branch 'main' into US544916_FIM

Author: DebLanger

.github/copilot-instructions.md

@@ -0,0 +1,57 @@
+# Copilot Instructions for Microsoft Learn
+
+These instructions define a unified style and process standard for authoring and maintaining learn.microsoft.com documentation with GitHub Copilot or other AI assistance.
+
+## Learn-wide Instructions
+
+Below are instructions that apply to all Microsoft Learn documentation authored with AI assistance. Learn product team will update this periodically as needed. Each repository SHOULD NOT update this to avoid being overwritten, but update the repository-specific instructions below as needed.
+
+### AI Usage & Disclosure
+All Markdown content created or substantially modified with AI assistance must include an `ai-usage` front matter entry:
+- `ai-usage: ai-generated` – AI produced the initial draft with minimal human authorship
+- `ai-usage: ai-assisted` – Human-directed, reviewed, and edited with AI support
+- Omit only for purely human-authored legacy content
+
+If missing, **add it**. However, do not add or update the ai-usage tag if the changes proposed are confined solely to:
+- Links (link text and/or URLs)
+- Single words or short phrases, such as entries in table cells
+- Less than 5% of the article's word count
+
+### Writing Style
+
+Follow [Microsoft Writing Style Guide](https://learn.microsoft.com/style-guide/welcome/) with these specifics:
+
+#### Voice and Tone
+
+- Active voice, second person addressing reader directly
+- Conversational tone with contractions
+- Present tense for instructions/descriptions
+- Imperative mood for instructions ("Call the method" not "You should call the method")
+- Use "might" instead of "may" for possibility
+- Avoid "we"/"our" referring to documentation authors
+
+#### Structure and Format
+
+- Sentence case headings (no gerunds in titles)
+- Be concise, break up long sentences
+- Oxford comma in lists
+- Number all ordered list items as "1." (not sequential numbering like "1.", "2.", "3.", etc.)
+- Complete sentences with proper punctuation in all list items
+- Avoid "etc." or "and so on" - provide complete lists or use "for example"
+- No consecutive headings without content between them
+
+#### Formatting Conventions
+
+- **Bold** for UI elements
+- `Code style` for file names, folders, custom types, non-localizable text
+- Raw URLs in angle brackets
+- Use relative links for files in this repo
+- Remove `https://learn.microsoft.com/en-us` from learn.microsoft.com links
+
+## Repository-Specific Instructions
+
+Below are instructions specific to this repository. These may be updated by repository maintainers as needed.
+
+<!--- Add additional repository level instructions below. Do NOT update this line or above. --->
+
+

.openpublishing.redirection.key-vault.json

@@ -1,5 +1,10 @@
 {
   "redirections": [
+  {
+      "source_path_from_root": "/articles/key-vault/general/how-to-azure-key-vault-network-security.md",
+      "redirect_url": "/azure/key-vault/general/network-security",
+      "redirect_document_id": false
+    },
   {
       "source_path_from_root": "/articles/key-vault/general/soft-delete-change.md",
       "redirect_url": "/azure/key-vault/general/soft-delete-overview",
@@ -42,7 +47,12 @@
   },
   {
     "source_path_from_root": "/articles/key-vault/common-parameters-and-headers.md",
-    "redirect_url": "/azure/key-vault/general/common-parameters-and-headers",
+    "redirect_url": "/azure/key-vault/general/authentication-requests-and-responses",
+    "redirect_document_id": false
+  },
+  {
+    "source_path_from_root": "/articles/key-vault/general/common-parameters-and-headers.md",
+    "redirect_url": "/azure/key-vault/general/authentication-requests-and-responses",
     "redirect_document_id": false
   },
   {
@@ -247,12 +257,17 @@
   },
   {
     "source_path_from_root": "/articles/key-vault/key-vault-manage-with-cli.md",
-    "redirect_url": "/azure/key-vault/key-vault-manage-with-cli2",
+    "redirect_url": "/azure/key-vault/general/quick-create-cli",
     "redirect_document_id": false
   },
   {
     "source_path_from_root": "/articles/key-vault/key-vault-manage-with-cli2.md",
-    "redirect_url": "/azure/key-vault/general/manage-with-cli2",
+    "redirect_url": "/azure/key-vault/general/quick-create-cli",
+    "redirect_document_id": false
+  },
+  {
+    "source_path_from_root": "/articles/key-vault/general/manage-with-cli2.md",
+    "redirect_url": "/azure/key-vault/general/quick-create-cli",
     "redirect_document_id": false
   },
   {
@@ -332,7 +347,12 @@
   },
   {
     "source_path_from_root": "/articles/key-vault/key-vault-versions.md",
-    "redirect_url": "/azure/key-vault",
+    "redirect_url": "/azure/key-vault/general/whats-new",
+    "redirect_document_id": false
+  },
+  {
+    "source_path_from_root": "/articles/key-vault/general/versions.md",
+    "redirect_url": "/azure/key-vault/general/whats-new",
     "redirect_document_id": false
   },
   {

articles/attestation/azure-tpm-vbs-attestation-usage.md

@@ -30,7 +30,7 @@ Service endpoint setup is the first step for any attestation to be performed. Se
 
 Here's how you can set up an attestation endpoint using Portal
 
-1. Prerequisite: Access to the Microsoft Entra tenant and subscription under which you want to create the attestation endpoint. For more information, see [Microsoft Entra tenant](/azure/active-directory/develop/quickstart-create-new-tenant).
+1. Prerequisite: Access to the Microsoft Entra tenant and subscription under which you want to create the attestation endpoint. For more information, see [Microsoft Entra tenant](/entra/identity-platform/quickstart-create-new-tenant).
 1. Create an endpoint under the desired resource group, with the desired name.
     > [!VIDEO https://learn-video.azurefd.net/vod/player?id=8d3c6aa5-7712-4b47-b3ea-23c49539cd31]
 1. Add Attestation Contributor Role to the Identity who will be responsible to update the attestation policy.
@@ -48,7 +48,7 @@ Sample policies can be found in the [policy section](tpm-attestation-sample-poli
 
 A client to communicate with the attestation service endpoint needs to ensure it's following the protocol as described in the [protocol documentation](virtualization-based-security-protocol.md). Use the [Attestation Client NuGet](https://www.nuget.org/packages/Microsoft.Attestation.Client) to ease the integration.
 
-1. Prerequisite: a Microsoft Entra identity is needed to access the TPM endpoint. For more information, see [Microsoft Entra identity tokens](/azure/active-directory/develop/v2-overview).
+1. Prerequisite: a Microsoft Entra identity is needed to access the TPM endpoint. For more information, see [Microsoft Entra identity tokens](/entra/identity-platform/v2-overview).
 2. Add Attestation Reader Role to the identity that will be need for authentication against the endpoint.
   > [!VIDEO https://learn-video.azurefd.net/vod/player?id=1c70f4b2-e3e7-4b64-9fb1-ceb2810c669c]
 

articles/attestation/basic-concepts.md

@@ -16,7 +16,7 @@ This article defines some basic concepts related to Microsoft Azure Attestation.
 
 ## JSON Web Token (JWTs)
 
-[JSON Web Token (JWT)](/azure/active-directory/develop/security-tokens#json-web-tokens-and-claims) is an open standard [RFC7519](https://tools.ietf.org/html/rfc7519) method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair.
+[JSON Web Token (JWT)](/entra/identity-platform/security-tokens#json-web-tokens-and-claims) is an open standard [RFC7519](https://tools.ietf.org/html/rfc7519) method for securely transmitting information between parties as a JavaScript Object Notation (JSON) object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair.
 
 ## JSON Web Key (JWK)
 

articles/cloud-hsm/overview.md

@@ -78,14 +78,11 @@ Azure Cloud HSM doesn't integrate with other platform as a service (PaaS) or sof
 
 Azure Cloud HSM is not a good fit for Microsoft cloud services that require support for encryption with customer-managed keys. These services include Azure Information Protection, Azure Disk Encryption, Azure Data Lake Storage, Azure Storage, and Microsoft Purview Customer Key. For those scenarios, customers should use [Azure Key Vault Managed HSM](../key-vault/managed-hsm/overview.md).
 
-## Related content
+## Next steps
 
 These resources are available to help you facilitate the provisioning and configuration of HSMs into your existing virtual network environment:
 
 - [Azure Cloud HSM SDK](https://github.com/microsoft/MicrosoftAzureCloudHSM)
 - [Key management in Azure](/azure/security/fundamentals/key-management)
 - [Deploy Azure Cloud HSM by using the Azure portal](quickstart-portal.md)
 - [Deploy Azure Cloud HSM by using Azure PowerShell](quickstart-powershell.md)
-- [Key management in Azure](/azure/security/fundamentals/key-management)
-- [Deploy Azure Cloud HSM by using the Azure portal](quickstart-portal.md)
-- [Deploy Azure Cloud HSM by using Azure PowerShell](quickstart-powershell.md)

articles/confidential-ledger/authentication-azure-ad.md

@@ -76,7 +76,7 @@ The Microsoft Entra service endpoint used for authentication is also called *Mic
 
 The easiest way to access Azure confidential ledger with user authentication is to use the Azure confidential ledger SDK and set the `Federated Authentication` property of the Azure confidential ledger connection string to `true`. The first time the SDK is used to send a request to the service the user will be presented with a sign-in form to enter the Microsoft Entra credentials. Following a successful authentication the request will be sent to Azure confidential ledger.
 
-Applications that don't use the Azure confidential ledger SDK can still use the [Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview) instead of implementing the Microsoft Entra service security protocol client. See [Enable your Web Apps to sign-in users and call APIs with the Microsoft identity platform for developers](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2).
+Applications that don't use the Azure confidential ledger SDK can still use the [Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview) instead of implementing the Microsoft Entra service security protocol client. See [Enable your Web Apps to sign-in users and call APIs with the Microsoft identity platform for developers](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2).
 
 If your application is intended to serve as front-end and authenticate users for an Azure confidential ledger cluster, the application must be granted delegated permissions on Azure confidential ledger.
 
@@ -87,7 +87,7 @@ Applications that use Azure confidential ledger authenticate by using a token fr
 For detailed steps on registering an Azure confidential ledger application with Microsoft Entra ID, review these articles:
 
 - [How to register an Azure confidential ledger application with Microsoft Entra ID](register-application.md)
-- [Use portal to create a Microsoft Entra application and service principal that can access resources](/azure/active-directory/develop/howto-create-service-principal-portal)
+- [Use portal to create a Microsoft Entra application and service principal that can access resources](/entra/identity-platform/howto-create-service-principal-portal)
 - [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli).
 
 At the end of registration, the application owner gets the following values:
@@ -113,8 +113,8 @@ This flow is called the[OAuth2 token exchange flow](https://tools.ietf.org/html/
 
 - [How to register an Azure confidential ledger application with Microsoft Entra ID](register-application.md)
 - [Overview of Microsoft Azure confidential ledger](overview.md)
-- [Integrating applications with Microsoft Entra ID](/azure/active-directory/develop/quickstart-register-app)
-- [Use portal to create a Microsoft Entra application and service principal that can access resources](/azure/active-directory/develop/howto-create-service-principal-portal)
+- [Integrating applications with Microsoft Entra ID](/entra/identity-platform/quickstart-register-app)
+- [Use portal to create a Microsoft Entra application and service principal that can access resources](/entra/identity-platform/howto-create-service-principal-portal)
 - [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli).
 - [Authenticating Azure confidential ledger nodes](authenticate-ledger-nodes.md)
 - [User defined functions in Azure confidential ledger](server-side-programming.md)

articles/confidential-ledger/register-application.md

@@ -15,12 +15,12 @@ ms.custom: sfi-image-nochange
 
 In this article you'll learn how to integrate your Azure confidential ledger application with Microsoft Entra ID, by registering it with the Microsoft identity platform.  
 
-The Microsoft identity platform performs identity and access management (IAM) only for registered applications. Whether it's a client application like a web or mobile app, or it's a web API that backs a client app, registering it establishes a trust relationship between your application and the identity provider, the Microsoft identity platform. [Learn more about the Microsoft identity platform](/azure/active-directory/develop/v2-overview).
+The Microsoft identity platform performs identity and access management (IAM) only for registered applications. Whether it's a client application like a web or mobile app, or it's a web API that backs a client app, registering it establishes a trust relationship between your application and the identity provider, the Microsoft identity platform. [Learn more about the Microsoft identity platform](/entra/identity-platform/v2-overview).
 
 ## Prerequisites
 
 - An Azure account with an active subscription and permission to manage applications in Microsoft Entra ID. [Create an account for free](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn).
-- A Microsoft Entra tenant. [Learn how to set up a tenant](/azure/active-directory/develop/quickstart-create-new-tenant).
+- A Microsoft Entra tenant. [Learn how to set up a tenant](/entra/identity-platform/quickstart-create-new-tenant).
 - An application that calls Azure confidential ledger.
 
 ## Register an application
@@ -90,19 +90,19 @@ To configure application settings based on the platform or device you're targeti
 
 ### Redirect URI restrictions
 
-There are some restrictions on the format of the redirect URIs you add to an app registration. For details about these restrictions, see [Redirect URI (reply URL) restrictions and limitations](/azure/active-directory/develop/reply-url).
+There are some restrictions on the format of the redirect URIs you add to an app registration. For details about these restrictions, see [Redirect URI (reply URL) restrictions and limitations](/entra/identity-platform/reply-url).
 
 ## Add credentials
 
-Credentials are used by [confidential client applications](/azure/active-directory/develop/msal-client-applications) that access a web API. Examples of confidential clients are web apps, other web APIs, or service-type and daemon-type applications. Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime.
+Credentials are used by [confidential client applications](/entra/identity-platform/msal-client-applications) that access a web API. Examples of confidential clients are web apps, other web APIs, or service-type and daemon-type applications. Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime.
 
 You can add both certificates and client secrets (a string) as credentials to your confidential client app registration.
 
 :::image type="content" source="./media/portal-05-app-reg-04-credentials.png" alt-text="Screenshot of the Azure portal, showing the Certificates and secrets pane in an app registration.":::
 
 ### Add a certificate
 
-Sometimes called a _public key_, a certificate is the recommended credential type because they're considered more secure than client secrets. For more information about using a certificate as an authentication method in your application, see [Microsoft identity platform application authentication certificate credentials](/azure/active-directory/develop/active-directory-certificate-credentials).
+Sometimes called a _public key_, a certificate is the recommended credential type because they're considered more secure than client secrets. For more information about using a certificate as an authentication method in your application, see [Microsoft identity platform application authentication certificate credentials](/entra/identity-platform/certificate-credentials).
 
 1. In the Azure portal, in **App registrations**, select your application.
 1. Select **Certificates & secrets** > **Certificates** > **Upload certificate**.
@@ -124,14 +124,14 @@ Client secrets are considered less secure than certificate credentials. Applicat
 1. Select **Add**.
 1. _Record the secret's value_ for use in your client application code. This secret value is _never displayed again_ after you leave this page.
 
-For application security recommendations, see [Microsoft identity platform best practices and recommendations](/azure/active-directory/develop/identity-platform-integration-checklist#security).
+For application security recommendations, see [Microsoft identity platform best practices and recommendations](/entra/identity-platform/identity-platform-integration-checklist#security).
 
 ## Next steps
 
 - [Azure confidential ledger authentication with Microsoft Entra ID](authentication-azure-ad.md)
 - [Overview of Microsoft Azure confidential ledger](overview.md)
-- [Integrating applications with Microsoft Entra ID](/azure/active-directory/develop/quickstart-register-app)
-- [Use portal to create a Microsoft Entra application and service principal that can access resources](/azure/active-directory/develop/howto-create-service-principal-portal)
+- [Integrating applications with Microsoft Entra ID](/entra/identity-platform/quickstart-register-app)
+- [Use portal to create a Microsoft Entra application and service principal that can access resources](/entra/identity-platform/howto-create-service-principal-portal)
 - [Create an Azure service principal with the Azure CLI](/cli/azure/create-an-azure-service-principal-azure-cli).
 - [Authenticating Azure confidential ledger nodes](authenticate-ledger-nodes.md)
 - [User defined functions in Azure confidential ledger](server-side-programming.md)

articles/dedicated-hsm/migration-guide.md

@@ -11,7 +11,9 @@ ms.service: azure-dedicated-hsm
 
 # Migrate from Azure Dedicated HSM to Azure Managed HSM or Azure Cloud HSM
 
-Azure Dedicated HSM customers who want to transition to [Azure Cloud HSM](../cloud-hsm/overview.md) or [Azure Managed HSM](../key-vault/managed-hsm/overview.md) can find guidance in this article. This transition involves creating new keys and updating applications to use the new services.
+[Azure Dedicated HSM is being retired](https://azure.microsoft.com/updates?id=499214). Microsoft will fully support existing Dedicated HSM customers until July 31, 2028, but no new customer onboardings are accepted. Customers must transition to [Azure Cloud HSM](../cloud-hsm/overview.md) or [Azure Managed HSM](../key-vault/managed-hsm/overview.md).
+
+This article provides guidance for Azure Dedicated HSM customers who need to transition to Azure Cloud HSM or Azure Managed HSM. This transition involves creating new keys and updating applications to use the new services.
 
 > [!WARNING]
 > Customers cannot migrate existing key materials from Azure Dedicated HSM to Azure Cloud HSM or Azure Managed HSM due to known restrictions of the Thales Luna HSM. You must create new keys in Azure Cloud HSM or Azure Managed HSM when transitioning off Azure Dedicated HSM.