Update note placement and add to more files

Author: maud-lv

articles/service-connector/quickstart-cli-aks-connection.md

@@ -40,24 +40,6 @@ This quickstart shows you how to connect Azure Kubernetes Service (AKS) to other
 
 ## Create a service connection
 
-### [Using an access key](#tab/Using-access-key)
-
-Run the following Azure CLI command to create a service connection to an Azure Blob Storage with an access key, providing the following information.
-
-```azurecli
-az aks connection create storage-blob --secret
-```
-
-Provide the following information as prompted:
-
-* **Source compute service resource group name:** the resource group name of the AKS cluster.
-* **AKS cluster name:** the name of your AKS cluster that connects to the target service.
-* **Target service resource group name:** the resource group name of the Blob Storage.
-* **Storage account name:** the account name of your Blob Storage.
-
-> [!NOTE]
-> If you don't have a Blob Storage, you can run `az aks connection create storage-blob --new --secret` to provision a new one and directly get connected to your aks cluster.
-
 ### [Using a workload identity](#tab/Using-Managed-Identity)
 
 > [!IMPORTANT]
@@ -81,6 +63,27 @@ az aks connection create storage-blob \
 
 ---
 
+### [Using an access key](#tab/Using-access-key)
+
+> [!WARNING]
+> Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+
+Run the following Azure CLI command to create a service connection to an Azure Blob Storage with an access key, providing the following information.
+
+```azurecli
+az aks connection create storage-blob --secret
+```
+
+Provide the following information as prompted:
+
+* **Source compute service resource group name:** the resource group name of the AKS cluster.
+* **AKS cluster name:** the name of your AKS cluster that connects to the target service.
+* **Target service resource group name:** the resource group name of the Blob Storage.
+* **Storage account name:** the account name of your Blob Storage.
+
+> [!NOTE]
+> If you don't have a Blob Storage, you can run `az aks connection create storage-blob --new --secret` to provision a new one and directly get connected to your aks cluster.
+
 ## View connections
 
 Use the Azure CLI [az aks connection list](/cli/azure/functionapp/connection#az-functionapp-connection-list) command to list connections to your AKS Cluster, providing the following information:

articles/service-connector/quickstart-cli-app-service-connection.md

@@ -60,6 +60,9 @@ az webapp connection create storage-blob
 
 #### [Using an access key](#tab/Using-access-key)
 
+> [!WARNING]
+> Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+
 Use the Azure CLI [az webapp connection create](/cli/azure/webapp/connection/create) command to create a service connection to an Azure Blob Storage with an access key, providing the following information:
 
 - **Source compute service resource group name:** the resource group name of the App Service.

articles/service-connector/quickstart-cli-container-apps.md

@@ -77,6 +77,9 @@ Create a connection using a managed identity or an access key.
 
 ### [Access key](#tab/using-access-key)
 
+> [!WARNING]
+> Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+
 1. Run the `az containerapp connection create` command to create a service connection between Container Apps and Azure Blob Storage using an access key.
 
     ```azurecli

articles/service-connector/quickstart-cli-functions-connection.md

@@ -61,6 +61,9 @@ az functionapp connection create storage-blob --system-identity
 
 #### [Using an access key](#tab/Using-access-key)
 
+> [!WARNING]
+> Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+
 Use the Azure CLI [az functionapp connection create](/cli/azure/functionapp/connection/create) command to create a service connection to an Azure Blob Storage with an access key, providing the following information:
 
 - **Source compute service resource group name:** the resource group name of the Function App.

articles/service-connector/quickstart-cli-spring-cloud-connection.md

@@ -78,6 +78,9 @@ Create a connection from Azure Spring Apps using a managed identity or an access
 
 ### [Access key](#tab/Using-access-key)
 
+> [!WARNING]
+> Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+
 1. Run the `az spring connection create` command to create a service connection between Azure Spring Apps and an Azure Blob Storage using an access key.
 
     ```azurecli

articles/service-connector/quickstart-portal-aks-connection.md

@@ -48,15 +48,18 @@ Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.
     ### [Workload identity](#tab/UMI)
 
     Select **Workload identity** to authenticate through [Microsoft Entra workload identity](/entra/workload-id/workload-identities-overview) to one or more instances of an Azure service. Then select a user-assigned managed identity to enable workload identity.
-
-    ### [Connection string](#tab/CS)
-    
-    Select **Connection string** to generate or configure one or multiple key-value pairs with pure secrets or tokens.
 
     ### [Service principal](#tab/SP)
 
     Select **Service principal** to use a service principal that defines the access policy and permissions for the user/application.
 
+    ### [Connection string](#tab/CS)
+    
+    > [!WARNING]
+    > Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+
+    Select **Connection string** to generate or configure one or multiple key-value pairs with pure secrets or tokens.
+
     ---
 
 1. Select **Next: Networking** to configure the network access to your target service and select **Configure firewall rules to enable access to your target service**.

articles/service-connector/quickstart-portal-app-service-connection.md

@@ -53,20 +53,25 @@ Sign in to the Azure portal at [https://portal.azure.com/](https://portal.azure.
 
     Select **User-assigned managed identity** to authenticate through a standalone identity assigned to one or more instances of an Azure service.
 
-    ### [Connection string](#tab/CS)
-
-    Select **Connection string** to generate or configure one or multiple key-value pairs with pure secrets or tokens.
-
     ### [Service principal](#tab/SP)
 
     Select **Service principal** to use a service principal that defines the access policy and permissions for the user/application in Microsoft Entra ID.
 
+    ### [Connection string](#tab/CS)
+    
+    > [!WARNING]
+    > Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+    
+    Select **Connection string** to generate or configure one or multiple key-value pairs with pure secrets or tokens.
+    
+    ---
+
 1. Select **Next: Networking** to configure the network access to your target service and select **Configure firewall rules to enable access to your target service**.
 
 1. Select **Next: Review + Create**  to review the provided information. Then select **Create** to create the service connection. This operation might take a minute to complete.
 
 > [!NOTE]
-> You need enough permissions to create connection successfully, for more details, see [Permission requirements](./concept-permission.md).
+> You need enough permissions to create a connection successfully, for more details, see [Permission requirements](./concept-permission.md).
 
 ## View service connections in App Service
 

articles/service-connector/quickstart-portal-container-apps.md

@@ -75,15 +75,18 @@ Use Service Connector to create a new service connection in Container Apps.
 
     For more information, go to [create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azp).
 
-    ### [Connection string](#tab/CS)
-
-   Select **Connection string** to generate or configure one or multiple key-value pairs with pure secrets or tokens.
-
     ### [Service principal](#tab/SP)
 
     1. Select **Service principal** to use a service principal that defines the access policy and permissions for the user/application in Microsoft Entra ID.
     1. Select a service principal from the list and enter a **secret**
 
+    ### [Connection string](#tab/CS)
+
+    > [!WARNING]
+    > Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+
+   Select **Connection string** to generate or configure one or multiple key-value pairs with pure secrets or tokens.
+
     ---
 
 1. Select **Next: Networking** to select the network configuration and select **Configure firewall rules to enable access to target service** so that your container can reach the Blob Storage.

articles/service-connector/tutorial-connect-web-app-app-configuration.md

@@ -202,6 +202,9 @@ Start by creating your Azure resources.
 
     ### [Connection string](#tab/connectionstring)
 
+    > [!WARNING]
+    > Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+
     Import the test configuration file to Azure App Configuration using a connection string.
 
     1. Cd into the folder `ServiceConnectorSample`

articles/service-connector/tutorial-java-spring-confluent-kafka.md

@@ -20,6 +20,9 @@ Learn how to access Apache Kafka on Confluent Cloud for a Spring Boot applicatio
 > * Build and deploy the Spring Boot app
 > * Connect Apache Kafka on Confluent Cloud to Azure Spring Apps using Service Connector
 
+> [!WARNING]
+> Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
+
 ## Prerequisites
 
 * An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/).