Commit 9419dbc

Merge pull request #2713 from MicrosoftDocs/main
Auto Publish – main to live - 2026-04-09 22:06 UTC
2 parents 4d24d43 + f6e20e9 commit 9419dbc

19 files changed

Lines changed: 42 additions & 47 deletions

articles/defender-for-cloud/introduction-malware-scanning.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -163,7 +163,7 @@ These resources are required for malware scanning to function. If any of them ar
163163

164164
* **Unsupported protocols:** Blobs uploaded using the Network File System (NFS) 3.0 protocol aren’t scanned.
165165

166-
* **Blob index tags:** Index tags for storage accounts with hierarchical namespaces enabled (Azure Data Lake Storage Gen2) are supported in public preview. You can opt in to this pre-release feature - "Blob Tags for Hierarchical Namespace".
166+
* **Blob index tags:** Index tags for storage accounts with hierarchical namespaces enabled (Azure Data Lake Storage Gen2) are available in public preview. To use this feature, opt in to "Blob Tags for Hierarchical Namespace".
167167

168168
* **Unsupported regions:** Not all regions currently support malware scanning. For the latest list, see [Defender for Cloud availability](https://azure.microsoft.com/pricing/details/defender-for-cloud/).
169169
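Review bot: The new bullet at line 166 tells readers to opt in to "Blob Tags for Hierarchical Namespace" but gives no link or location for the opt-in, unlike the "Unsupported regions" bullet below it, which links to its source. Add a link to where the preview is enabled, and say what readers should expect from malware scanning on hierarchical-namespace accounts when the feature is not enabled, since the neighbouring bullets each state a concrete scanning limitation.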

articles/defender-for-cloud/recommendations-reference-data.md

Lines changed: 1 addition & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -25,9 +25,6 @@ To learn about actions that you can take in response to these recommendations, s
2525
> For example, the recommendation *Endpoint protection health failures should be remediated* relies on the recommendation that checks whether an endpoint protection solution is installed (*Endpoint protection solution should be installed*). The underlying recommendation *does* have a policy.
2626
> Limiting policies to only foundational recommendations simplifies policy management.
2727
28-
29-
30-
3128
## Azure data recommendations
3229

3330
### Azure Cosmos DB should disable public network access
@@ -1936,7 +1933,7 @@ __How could attackers exploit it or how could it lead to data breaches?__ While
19361933

19371934
**Severity**: Low
19381935

1939-
### require_secure_transport should be set to “on” for Azure Database for PostgreSQL Servers
1936+
### require_secure_transport should be set to **on** for Azure Database for PostgreSQL servers
19401937

19411938
**Description**:
19421939
__What is require_secure_transport?__ require_secure_transport is a server-level parameter that enforces the use of SSL/TLS for all client connections to PostgreSQL. When set to on, clients must connect using encrypted channels.
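Review bot: The renamed heading at line 1936 bolds the value as **on**, while the description at line 1939 still writes it as plain "on" ("When set to on") and leaves the parameter name unformatted. Pick one treatment for the value and use it in both places. Also confirm that no in-page or cross-article link targets this heading's anchor, as the release-notes.md table in this same commit needed an anchor fix after a heading rename.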

articles/defender-for-cloud/release-notes.md

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -64,7 +64,7 @@ To simplify onboarding and improve protection coverage, we're releasing an enhan
6464

6565
| Date | Category | Update |
6666
| -------- | -------- | -------- |
67-
| March 31, 2026 | GA | [Malware automated remediation in Defender for Storage](#malware-automated-remediation-in-defender-for-storage)|
67+
| March 31, 2026 | GA | [Malware automated remediation in Defender for Storage](#automated-malware-remediation-in-defender-for-storage)|
6868
| March 31, 2026| Update | [Support for additional Azure regions for Defender for APIs and API security posture management with Defender CSPM](#support-for-additional-azure-regions-for-defender-for-apis-and-api-security-posture-management-with-defender-cspm) |
6969
| March 30, 2026 | Preview | [AI model security for Azure Machine Learning (Preview)](#ai-model-security-for-azure-machine-learning-preview) |
7070
| March 29, 2026 | Preview | [Expanded multicloud coverage for AWS and GCP (Preview)](#expanded-multicloud-coverage-for-aws-and-gcp-preview) |
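Review bot: The link text in the table row at line 67 still reads "Malware automated remediation in Defender for Storage", although the anchor now targets the renamed heading "Automated malware remediation in Defender for Storage". Update the link text as well so the table entry and the section title agree.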
@@ -77,20 +77,21 @@ To simplify onboarding and improve protection coverage, we're releasing an enhan
7777
| March 04, 2026 | Preview |[New individual recommendations format in Azure portal (Preview)](#new-individual-recommendations-format-in-azure-portal-preview)|
7878

7979

80-
### Malware automated remediation in Defender for Storage
80+
### Automated malware remediation in Defender for Storage
8181

8282
March 31, 2026
8383

84-
Malware automated remediation in Defender for Storage malware scanning is now generally available.
84+
Automated malware remediation in Defender for Storage is now generally available.
8585

86-
Defender for Cloud now lets you configure automatic soft deletion of detected malicious blobs during on-upload or on-demand scanning. Auto-deletion keeps harmful content in quarantine and makes it recoverable for further investigation.
86+
Defender for Cloud now lets you automatically soft-delete malicious blobs detected during on-upload or on-demand malware scanning. Soft-deleted blobs are quarantined and can be recovered for further investigation.
8787

88-
You can enable or disable automated malware remediation at the subscription level or the storage account level in Microsoft Defender for Cloud in the Azure portal or with an application programming interface (API).
88+
You can enable or disable automated malware remediation at the subscription or storage account level in Microsoft Defender for Cloud in the Azure portal or through the API.
8989

90-
Learn how to use [built-in automated malware remediation for malicious blobs](/azure/defender-for-cloud/defender-for-storage-configure-malware-scan#built-in-automated-malware-remediation-for-malicious-blobs).
90+
Learn how to use [built-in automated malware remediation for malicious blobs](defender-for-storage-configure-malware-scan.md#built-in-automated-malware-remediation-for-malicious-blobs).
9191

9292
### Support for additional Azure regions for Defender for APIs and API security posture management with Defender CSPM
9393

94+
March 31, 2026
9495

9596
Microsoft Defender for APIs and API security posture management with Defender CSPM has expanded to provide its capabilities in the following Azure regions:
9697
- Sweden Central
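Review bot: The rewritten paragraph at line 86 says soft-deleted blobs "can be recovered for further investigation" without saying for how long. Recovery of a soft-deleted blob is bounded by the storage account's soft delete retention period, so state that here or make sure the linked how-to section covers it, because responders who rely on this quarantine need to know when the evidence expires.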
@@ -116,6 +117,7 @@ Learn more about [Microsoft Defender for APIs](defender-for-apis-introduction.md
116117

117118
### AI model security for Azure Machine Learning (Preview)
118119

120+
March 30, 2026
119121

120122
Microsoft Defender for Cloud now offers AI model security in preview for Azure Machine Learning registries and workspaces. AI model security helps security teams discover and scan custom AI models for risks before deployment, and review findings in Defender for Cloud.
121123

articles/key-vault/certificates/how-to-integrate-certificate-authority.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -87,7 +87,7 @@ DigiCertCA is now in the certificate authority list.
8787
3. Select the **Certificate Authorities** tab:
8888
:::image type="content" source="../media/certificates/how-to-integrate-certificate-authority/select-certificate-authorities.png" alt-text="Screenshot that shows selecting the Certificate Authorities tab.":::
8989
4. Select **Add**:
90-
:::image type="content" source="../media/certificates/how-to-integrate-certificate-authority/add-global-sign-certificate-authority.jpg" alt-text="Screenshot that shows the Add button on the Global Sign Certificate Authorities tab.":::
90+
:::image type="content" source="../media/certificates/how-to-integrate-certificate-authority/add-globalsign-ca.jpg" alt-text="Screenshot that shows the Add button on the Global Sign Certificate Authorities tab.":::
9191
5. Under **Create a certificate authority**, enter these values:
9292
- **Name**: An identifiable issuer name. For example, **GlobalSignCA**.
9393
- **Provider**: **GlobalSign**.
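Review bot: The alt-text at line 90 still says "Global Sign Certificate Authorities tab", while the renamed file (add-globalsign-ca.jpg) and the values at lines 92-93 spell the provider as "GlobalSign". Change the alt-text to "GlobalSign" so the screen-reader text matches the provider name used in the steps.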

articles/key-vault/general/assign-access-policy.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ ms.author: mbaldwin
1717

1818
[!INCLUDE [contributor-role-warning.md](~/reusable-content/ce-skilling/azure/includes/key-vault/key-vault-contributor-role-warning.md)]
1919

20-
A Key Vault access policy determines whether a given security principal, namely a user, application or user group, can perform different operations on Key Vault [secrets](../secrets/index.yml), [keys](../keys/index.yml), and [certificates](../certificates/index.yml). You can assign access policies using the [Azure portal](assign-access-policy-portal.md), the Azure CLI, or [Azure PowerShell](assign-access-policy-powershell.md).
20+
A Key Vault access policy determines whether a given security principal, namely a user, application or user group, can perform different operations on Key Vault [secrets](../secrets/index.yml), [keys](../keys/index.yml), and [certificates](../certificates/index.yml). You can assign access policies using the Azure portal, the Azure CLI, or Azure PowerShell.
2121

2222
Key vault supports up to 1024 access policy entries, with each entry granting a distinct set of permissions to a particular security principal. Because of this limitation, we recommend assigning access policies to groups of users, where possible, rather than individual users. Using groups makes it much easier to manage permissions for multiple people in your organization. For more information, see [Manage app and resource access using Microsoft Entra groups](/entra/fundamentals/how-to-manage-groups).
2323
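Review bot: The intro at line 20 presents access policies without saying they are the legacy model, whereas rbac-guide.md line 35 in this same commit labels them "(legacy)" and troubleshooting-access-issues.md calls Azure RBAC the recommended authorization model. Add a short pointer to rbac-guide.md here so readers landing on this page see the recommendation. With the portal and PowerShell links removed, also consider linking each tool name to its section in this article, if the consolidated article has them.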

articles/key-vault/general/authentication.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -102,7 +102,7 @@ More information about best practices and developer examples, see [Authenticate
102102
## Next Steps
103103

104104
- [Key Vault developer's guide](developers-guide.md)
105-
- [Assign a Key Vault access policy using the Azure portal](assign-access-policy-portal.md)
105+
- [Assign a Key Vault access policy](assign-access-policy.md)
106106
- [Assign Azure RBAC role to Key Vault](rbac-guide.md)
107107
- [Key Vault access policy troubleshooting](troubleshooting-access-issues.md)
108108
- [Key Vault REST API error codes](rest-error-codes.md)

articles/key-vault/general/move-subscription.md

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -101,9 +101,7 @@ az keyvault update -n myvault --set Properties.tenantId=$tenantId # Upd
101101
Now that your vault is associated with the correct tenant ID and old access policy entries or role assignments are removed, set new access policy entries or role assignments.
102102

103103
For assigning policies, see:
104-
- [Assign an access policy using Portal](assign-access-policy-portal.md)
105-
- [Assign an access policy using Azure CLI](assign-access-policy-cli.md)
106-
- [Assign an access policy using PowerShell](assign-access-policy-powershell.md)
104+
- [Assign a Key Vault access policy](assign-access-policy.md)
107105

108106
For adding role assignments, see:
109107
- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal)
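Review bot: "For assigning policies, see:" at line 103 now introduces a list with a single item at line 104. Fold it into one sentence, for example "To assign access policies, see [Assign a Key Vault access policy](assign-access-policy.md).", so the section does not read as a truncated list next to the multi-item role-assignment list that follows.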

articles/key-vault/general/rbac-guide.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ The **control plane** is where you manage Key Vault itself. Operations in this p
3232

3333
The **data plane** is where you work with the data stored in a key vault. You can add, delete, and modify keys, secrets, and certificates.
3434

35-
Both planes use [Microsoft Entra ID](/entra/fundamentals/whatis) for authentication. For authorization, the control plane uses [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview) and the data plane uses a [Key Vault access policy](./assign-access-policy-portal.md) (legacy) or [Azure RBAC for Key Vault data plane operations](./rbac-guide.md).
35+
Both planes use [Microsoft Entra ID](/entra/fundamentals/whatis) for authentication. For authorization, the control plane uses [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview) and the data plane uses a [Key Vault access policy](./assign-access-policy.md) (legacy) or [Azure RBAC for Key Vault data plane operations](./rbac-guide.md).
3636

3737
To access a key vault in either plane, all callers (users or applications) must have proper authentication and authorization. Authentication establishes the identity of the caller. Authorization determines which operations the caller can execute.
3838
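Review bot: Line 35 of rbac-guide.md links "Azure RBAC for Key Vault data plane operations" to ./rbac-guide.md, which is this same file. Since the line is being edited anyway, drop the self-link or point it at the relevant in-page section.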

articles/key-vault/general/troubleshooting-access-issues.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ ms.topic: how-to
1515

1616
### I'm not able to list or get secrets/keys/certificate. I'm seeing a "something went wrong" error
1717

18-
If you're having problem with listing/getting/creating or accessing secret, make sure that you have the appropriate Azure RBAC role assigned. See [Azure RBAC for Key Vault](./rbac-guide.md). If you're using the legacy access policy model, see [Key Vault Access Policies](./assign-access-policy-cli.md).
18+
If you're having problem with listing/getting/creating or accessing secret, make sure that you have the appropriate Azure RBAC role assigned. See [Azure RBAC for Key Vault](./rbac-guide.md). If you're using the legacy access policy model, see [Assign a Key Vault access policy](./assign-access-policy.md).
1919

2020
### How can I identify how and when key vaults are accessed?
2121
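Review bot: The edited sentence at line 18 keeps its grammar slips ("having problem with", "accessing secret") and mentions only secrets, while the heading at line 16 covers secrets, keys, and certificates. Since the line is being touched, reword it along the lines of "If you're having problems listing, getting, creating, or accessing secrets, keys, or certificates, make sure ...".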

@@ -52,7 +52,7 @@ If you're creating an on-premises application, doing local development, or other
5252
Give the AD group permissions to your key vault using Azure RBAC with the Azure CLI `az role assignment create` command, or the Azure PowerShell `New-AzRoleAssignment` cmdlet. See [Azure RBAC for Key Vault data plane operations](rbac-guide.md).
5353

5454
> [!NOTE]
55-
> If you are using legacy access policies, you can use the Azure CLI `az keyvault set-policy` command or the Azure PowerShell `Set-AzKeyVaultAccessPolicy` cmdlet. However, Azure RBAC is the recommended authorization model. See [Assign an access policy - CLI](assign-access-policy-cli.md) and [Assign an access policy - PowerShell](assign-access-policy-powershell.md).
55+
> If you are using legacy access policies, you can use the Azure CLI `az keyvault set-policy` command or the Azure PowerShell `Set-AzKeyVaultAccessPolicy` cmdlet. However, Azure RBAC is the recommended authorization model. See [Assign a Key Vault access policy](assign-access-policy.md).
5656
5757
The application also needs at least one Identity and Access Management (IAM) role assigned to the key vault. Otherwise it will not be able to log in and will fail with insufficient rights to access the subscription. Microsoft Entra groups with Managed Identities may require many hours to refresh tokens and become effective. See [Limitation of using managed identities for authorization](/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations#limitation-of-using-managed-identities-for-authorization)
5858

@@ -67,7 +67,7 @@ Another option that can help for this scenario is using Azure RBAC and roles as
6767
* HTTP 401: Unauthenticated Request - [Troubleshooting steps](rest-error-codes.md#http-401-unauthenticated-request)
6868
* HTTP 403: Insufficient Permissions - [Troubleshooting steps](rest-error-codes.md#http-403-insufficient-permissions)
6969
* HTTP 429: Too Many Requests - [Troubleshooting steps](rest-error-codes.md#http-429-too-many-requests)
70-
* Check if you've delete access permission to key vault: See [Azure RBAC for Key Vault](./rbac-guide.md). If using legacy access policies, see [Assign an access policy - CLI](assign-access-policy-cli.md), [Assign an access policy - PowerShell](assign-access-policy-powershell.md), or [Assign an access policy - Portal](assign-access-policy-portal.md).
70+
* Check if you've delete access permission to key vault: See [Azure RBAC for Key Vault](./rbac-guide.md). If using legacy access policies, see [Assign a Key Vault access policy](assign-access-policy.md).
7171
* If you have problem with authenticate to key vault in code, use [Authentication SDK](https://azure.github.io/azure-sdk/posts/2020-02-25/defaultazurecredentials.html)
7272

7373
### What are the best practices I should implement when key vault is getting throttled?
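Review bot: "Check if you've delete access permission to key vault" at line 70 can be read either as "you have the delete permission" or as "you have deleted the access permission", and the two lead to different troubleshooting steps. Reword it to state which is meant, for example "Check whether you have delete permission on the key vault", while the line is being edited.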

articles/key-vault/key-vault-insights-overview.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -148,7 +148,7 @@ There's a limit of 200 key vaults that can be selected and viewed. Regardless of
148148

149149
We only show subscriptions that contain key vaults, chosen from the selected subscription filter, which are selected in the "Directory + Subscription" in the Azure portal header.
150150

151-
![Screenshot of subscription filter](./media/key-vaults-insights-overview/Subscriptions.png)
151+
![Screenshot of subscription filter](./media/key-vaults-insights-overview/subscription-filter.png)
152152

153153
### I want to make changes or add more visualizations to Key Vault Insights, how do I do so
154154
