Merge pull request #9380 from MicrosoftDocs/main

Update to Purview article provided by Sathyana

Author: Cloud-Writer

.openpublishing.redirection.json

@@ -13765,6 +13765,41 @@
     {
       "source_path": "support/power-platform/power-automate/desktop-flows/office-automation/excel/launch-excel-action-failures.md",
       "redirect_url": "/troubleshoot/power-platform/power-automate/desktop-flows/office-automation/excel/troubleshoot-excel-errors"
+    },
+    {
+      "source_path": "support/sql/database-engine/install/windows/install-reporting-service.md",
+      "redirect_url": "/previous-versions/troubleshoot/sql/install/install-reporting-service",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "support/sql/database-engine/install/windows/issues-install-sql-server.md",
+      "redirect_url": "/previous-versions/troubleshoot/sql/install/issues-install-sql-server",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "support/sql/database-engine/install/windows/sql-server-2008-setup-issues.md",
+      "redirect_url": "/previous-versions/troubleshoot/sql/install/sql-server-2008-setup-issues",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "support/sql/database-engine/install/windows/sql-server-2012-setup-issues.md",
+      "redirect_url": "/previous-versions/troubleshoot/sql/install/sql-server-2012-setup-issues",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "support/sql/database-engine/security/instructions-in-fips-140-2-compliant-mode.md",
+      "redirect_url": "/previous-versions/troubleshoot/sql/security/instructions-in-fips-140-2-compliant-mode",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "support/sql/database-engine/security/sql-2014-fips-140-2-compliant-mode.md",
+      "redirect_url": "/previous-versions/troubleshoot/sql/security/sql-2014-fips-140-2-compliant-mode",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "support/sql/tools/error-you-run-sqlmaint-utility.md",
+      "redirect_url": "/previous-versions/troubleshoot/sql/tools/error-you-run-sqlmaint-utility",
+      "redirect_document_id": false
     }
   ]
 }

Microsoft365/purview/diagnostics/purview-compliance-diagnostics.md

@@ -15,13 +15,11 @@ ms.reviewer: shadans, sathyana, meerak, v-shorestris
 appliesto:
   - Microsoft Purview
 search.appverid: MET150
-ms.date: 05/05/2025
+ms.date: 07/21/2025
 ---
 
 # Self-help diagnostics for Microsoft Purview
 
-<!-- This article has been reviewed and approved for the specific use of global admin perms. -->
-
 You can run diagnostics to identify and resolve issues in Microsoft Purview. The diagnostics offer insights into known issues and provide instructions to fix them. Although the diagnostics can fix some configuration issues, they don't make changes to your tenant without your consent.
 
 Self-help diagnostics that relate to Microsoft Purview are available in the following locations:
@@ -55,7 +53,7 @@ You can find these diagnostics on the following portal pages:
 
 The following table lists the available diagnostics on **Solutions** pages. You can access the diagnostics by selecting the associated link in the third column. When you're prompted, sign in to the Microsoft Purview portal.
 
-**Note**: To run these diagnostics, you must be a Microsoft 365 global administrator.
+**Note**: To run these diagnostics, the minimum requirement is that you're an administrator with the Organization Configuration role assigned to you.
 
 | **Issue** | **Checks performed** | **Solutions page** |
 |-|-|-|

support/azure/app-service/connection-issues-with-ssl-or-tls/use-azure-app-service-certificate-with-application-gateway.md

@@ -0,0 +1,119 @@
+---
+title: Use Azure App Service Certificate with Application Gateway
+description: Provides detailed steps to use Azure App Service Certificate together with Application Gateway.
+author: JarrettRenshaw
+ms.author: jarrettr
+ms.service: azure-app-service
+ms.date: 07/21/2025
+ms.reviewer: v-liuamson; v-gsitser
+ms.custom: Connection issues with SSL or TLS
+---
+
+# Use Azure App Service Certificate with Application Gateway
+
+Microsoft Azure provides various tools and services to secure your web applications by using SSL/TLS certificates. One such offering, the **Azure App Service Certificate**, is tightly integrated with Azure App Services. However, many organizations use **Azure Application Gateway** as a reverse proxy, load balancer, and Web Application Firewall (WAF). Understandably, such organizations want to use the same certificate across all services.
+
+This article provides a comprehensive guide for using App Service Certificates in Application Gateway, including usage steps, restrictions, and best practices. By understanding the limitations and using the Azure Key Vault service effectively, you can build a robust certificate management workflow across both App Services and Application Gateway.
+
+## About App Service Certificate
+
+Azure App Service Certificate is a first-party SSL certificate that's issued by DigiCert or GoDaddy and is designed for use together with Azure App Services. The certificate is stored securely in Azure Key Vault and supports autorenewal if it's integrated correctly.
+
+Key Characteristics:
+
+- Domain-validated SSL certificate
+- Designed primarily for Azure App Services
+- Stored in a key vault for secure usage
+- Autorenewal supported if linked correctly
+
+However, App Service Certificates aren't directly usable in Application Gateway unless you take additional steps.
+
+## How to use App Service Certificate in Application Gateway
+
+You can use App Service Certificate in Azure Application Gateway, but not directly. Application Gateway requires a certificate in `.pfx` format (having a private key) to configure HTTPS listeners. App Service Certificates aren't exposed as downloadable PFXs by default. Therefore, you have to follow specific steps to extract and configure them.
+
+### Option 1: Manual export and upload
+
+1. **Purchase and configure the certificate**: Buy and verify an App Service Certificate through Azure App Service.
+
+2. **Import into Key Vault**: Navigate to the App Service Certificate resource. Then, use the **Key Vault** blade to store the certificate in a key vault of your choice.
+
+3. **Export as .pfx from Key Vault**: Use Azure PowerShell or Azure CLI to download the certificate as a `.pfx` file that has a private key.
+
+    - Example that uses Azure CLI:
+
+    ```bash
+        az keyvault secret download \
+        --vault-name `YourKeyVaultName` \
+        --name `CertificateName` \
+        --file cert.pfx \
+        --encoding base64
+    ```
+
+4. **Upload to Application Gateway**: Go to Application Gateway \> Listeners \> + Add Listener. Select **HTTPS**, upload the `.pfx` file, and then enter the password.
+
+5. **Associate with a rule**: Create a routing rule, and link it to the HTTPS listener. For detailed steps, see [Create a routing rule in Application Gateway](/azure/application-gateway/configuration-request-routing-rules)
+
+### Option 2: Use Key Vault reference (recommended)
+
+1. **Store App Service Certificate in Key Vault**: Navigate to the App Service Certificate resource. Then, use the **Key Vault** blade to store the certificate in a key vault of your choice.
+
+2. **Enable Managed Identity for Application Gateway**: Enable user-assigned or system-assigned managed identity.
+
+3. **Grant Access to key vault**: In the key vault, go to **Access Policies**, and add a policy for Application Gateway identity that has `get`, `list`,
+      and `secret management` permissions.
+
+4. **Reference Certificate from Key Vault**: Go to **Application Gateway** \> **Listeners** \> **+ Add Listener**, select **HTTPS**, and then select **Key Vault certificate**.
+
+> [!NOTE]
+> Currently, Key Vault integration supports only certificates that have the private key in `.pfx` format.
+
+## Limitations and considerations
+
+1. **Direct use not supported:**
+
+    - You can't bind an App Service Certificate to Application Gateway directly in the same manner as you can for App Services.
+
+2. **Export required for manual use:**
+
+    - You must extract the `.pfx` format from Key Vault before you can use it in Application Gateway (if you're not using a Key Vault reference).
+
+3. **Autorenewal challenges:**
+
+    - App Service Certificates support autorenewal only for App Services.
+    - When used in Application Gateway, autorenewal doesn't automatically propagate.
+    - You must manually update the certificate in Application Gateway after you renew it.
+    - We recommend that you use **Azure Automation** or **Logic App** to automate this update process. See [Renew certificates in Application Gateway](/azure/application-gateway/renew-certificates).
+
+4. **Certificate format restrictions:**
+
+    - Application Gateway accepts only `.pfx` files.
+    - Application Gateway rejects `.cer` and `.pem` files.
+    - Self-signed certificates are supported but must be uploaded as `.pfx`.
+    - See [Self-signed certificates for Application Gateway](/azure/application-gateway/self-signed-certificates).
+
+## Best practices
+
+- Use Key Vault-based integration for better security and easier management.
+- Automate certificate renewal by using scripts or Azure Automation.
+- Regularly audit access policies in Key Vault.
+- Keep secure backup copies of your exported `.pfx` files.
+
+## Summary
+
+| Feature | App Service | Application Gateway
+| --- | --- | ---
+| Certificate Format | Managed by platform | Requires `.pfx`
+| Autorenewal | Supported | Manual (requires automation)
+| Key Vault Integration | Built in | Supported (requires setup)
+| Direct Use of App Service Certificate | ✅ App Service only | ❌ Not supported
+
+## Useful links
+
+- [Renew certificates in Application Gateway](/azure/application-gateway/renew-certificates)
+- [SSL certificates overview - Application Gateway](/azure/application-gateway/ssl-overview)
+- [Use self-signed certificates in Application Gateway](/azure/application-gateway/self-signed-certificates)
+- [Configure App Service Certificate](/azure/app-service/configure-ssl-app-service-certificate?tabs=portal)
+- [Create a routing rule in Application Gateway](/azure/application-gateway/configuration-request-routing-rules)
+
+[!INCLUDE [third-party-information-disclaimer](../../../../includes/third-party-information-disclaimer.md)]

support/azure/app-service/connection-issues-with-ssl-or-tls/use-azure-app-service-certificate-with-azure-front-door.md

@@ -0,0 +1,127 @@
+---
+title: Use Azure App Service Certificate with Azure Front Door
+description: Provides detailed steps to use Azure App Service Certificate together with Azure Front Door.
+author: JarrettRenshaw
+ms.author: jarrettr
+ms.service: azure-app-service
+ms.date: 07/21/2025
+ms.reviewer: v-liuamson; v-gsitser
+ms.custom: Connection issues with SSL or TLS
+---
+
+# Use Azure App Service Certificate with Azure Front Door
+
+Microsoft Azure Front Door (Standard and Premium) is a modern global load balancer and application delivery network that supports custom TLS certificates through Azure Key Vault. This article discusses how to use an Azure App Service Certificate securely together with Microsoft Azure Front Door by using managed identities and Bring Your Own Certificate (BYOC) support. This integration enables you to deliver encrypted traffic that has automatic renewal, enterprise-grade performance, and global scale.
+
+## Overview
+
+Azure App Service Certificates provide a simple, integrated way to purchase, provision, and manage SSL/TLS certificates. These certificates are issued by trusted Certificate Authorities (such as DigiCert) and work together with App Services. They can also be extended to secure traffic that's routed through Azure Front Door.
+
+To purchase a certificate, see [Buy and configure an App Service Certificate](/azure/app-service/configure-ssl-app-service-certificate?tabs=portal#buy-and-configure-an-app-service-certificate).
+
+> [!IMPORTANT]
+> After you purchase a certificate, you must manually complete the **Store** step in the **Certificate Configuration** blade to import the certificate into Azure Key Vault. This step is required before the certificate can be used together with other Azure services.
+
+### Step 1: Enable managed identity on Azure Front Door
+
+A managed identity enables Azure Front Door to securely retrieve the certificate from Azure Key Vault:
+
+1. Navigate to your Azure Front Door profile.
+2. Under **Security**, select **Identity**, and then enable a managed identity:
+   - **System-assigned** (Recommended): Tied to the Front Door
+     lifecycle
+   - **User-assigned** (Optional): For reuse across multiple services
+3. Select **Save**.
+
+For more information, see [Use managed identities to access Azure Key Vault certificates](/azure/frontdoor/managed-identity).
+
+### Step 2: Configure Key Vault Access for Front Door
+
+Grant permission to Azure Front Door to access the certificate by using one of the following methods:
+
+#### Method A: Azure RBAC (recommended)
+
+1. Open **Key Vault** > **Access control (IAM)** > **+ Add** > **Add role assignment**.
+2. Assign the **Key Vault Secrets User** role.
+3. Select **Managed identity**, then select the system-assigned identity of Azure Front Door.
+4. Select **Review + assign**.
+
+    ```bash
+        az role assignment create \
+          --assignee-object-id <frontdoor-identity-object-id> \
+          --role "Key Vault Secrets User" \
+          --scope "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault-name>"
+    ```
+
+To retrieve the identity object ID:
+
+```bash
+    az front-door show \
+      --name <frontdoor-name> \
+      --resource-group <rg> \
+      --query identity.principalId -o tsv
+```
+
+> [!NOTE]
+> Make sure that the Key Vault firewall allows trusted services or specific Front Door IP ranges.
+
+#### Method B: Key Vault Access Policy
+
+1. Navigate to your key vault > **Access policies**.
+2. Select **+ Add Access Policy**.
+3. Grant **Get** and **List** permissions for **Secrets** and **Certificates**.
+4. Assign the policy to the managed identity for Azure Front Door.
+5. Save the access policy.
+
+> [!NOTE]
+> This method is suitable for legacy scenarios or if RBAC isn't enabled.
+
+### Step 3: Add certificate as a secret in Azure Front Door
+
+Before you do this step, make sure that the App Service Certificate is successfully stored in Azure Key Vault through the App Service Certificate blade. For more information, see [Buy and configure an App Service Certificate](/azure/app-service/configure-ssl-app-service-certificate?tabs=portal#buy-and-configure-an-app-service-certificate).
+
+To add the certificate:
+
+1. Go to your Azure Front Door (Standard/Premium) profile.
+2. Under **Security**, select **Secrets** > **+ Add**.
+3. Select your key vault, and then select the stored App Service Certificate.
+4. Select the version. (Use `Latest` to enable automatic certificate rotation.)
+5. Select **Add**.
+
+> [!NOTE]
+> Azure Front Door supports automatic certificate renewal when you reference the `Latest` version. Updates in Key Vault are reflected in Front Door within 72 hours. For more information, see [Renew customer-managed TLS certificates](/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain?tabs=powershell#renew-customer-managed-tls-certificates).
+> [!IMPORTANT]
+> Certificates must be stored in a Key Vault within the same subscription and must include a complete certificate chain that uses supported algorithms. For more information, see [Use your own certificate with Azure Front Door](/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain?tabs=powershell#use-your-own-certificate).
+
+### Step 4: Configure a custom domain with BYOC
+
+1. In your Front Door profile, go to **Domains** > **+ Add**.
+2. Provide the domain details:
+    - **Custom domain**: for example, `www.contoso.com`
+    - **DNS zone**: Choose Azure DNS, if applicable.
+    - **DNS management**: Azure-managed (recommended) or external
+3. Verify domain ownership:
+    - Use **TXT record** if you use custom DNS provider
+4. Under **HTTPS Configuration**:
+    - **Certificate type**: `Bring Your Own Certificate (BYOC)`
+    - **Secret**: Select the secret that you added in Step 3 (for example, `certname-latest`).
+    - **TLS policy**: Select a supported policy (for example, `TLS 1.2_2023`)
+5. Select **Add** to finish the setup.
+
+After verification is made, Front Door serves traffic securely by using the certificate from Azure Key Vault. For more information, see [Add a custom domain in Azure Front Door](/azure/frontdoor/standard-premium/how-to-add-custom-domain).
+
+## Summary
+
+| Task | Tool | Notes
+| --- | --- | ---
+| Enable identity | Azure portal or CLI | System-assigned identity is recommended
+| Grant access | IAM Role or Access Policy | Use `Key Vault Secrets User` or equivalent
+| Add secret | Azure portal | Reference `-latest` to enable autorotation
+| Bind domain | Azure portal | Validate domain and configure HTTPS
+
+## References
+
+- [Configure HTTPS custom domain (Front Door)](/azure/frontdoor/standard-premium/how-to-configure-https-custom-domain?tabs=powershell)
+- [Add custom domain in Front Door](/azure/frontdoor/standard-premium/how-to-add-custom-domain)
+- [Azure Front Door managed identity access](/azure/frontdoor/managed-identity)
+- [Buy and configure an App Service Certificate](/azure/app-service/configure-ssl-app-service-certificate?tabs=portal)

support/azure/app-service/toc.yml

@@ -1,5 +1,11 @@
 - name: Azure App Service
   items:
+  - name: Connection issues with SSL or TLS
+    items:
+    - name: Use Azure App Service Certificate with Azure Front Door
+      href: ./connection-issues-with-ssl-or-tls/use-azure-app-service-certificate-with-azure-front-door.md
+    - name: Use Azure App Service Certificate with Application Gateway
+      href: ./connection-issues-with-ssl-or-tls/use-azure-app-service-certificate-with-application-gateway.md
   - name: Troubleshoot Azure App Service
     href: ./welcome-app-service.yml
   - name: Capture memory dumps in Azure App Service