Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into ml-sc-mongo

Author: maud-lv

articles/active-directory-b2c/analytics-with-application-insights.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: azure-active-directory
 ms.topic: how-to
 
-ms.date: 01/26/2024
+ms.date: 04/17/2025
 ms.author: kengaderdus
 ms.subservice: b2c
 zone_pivot_groups: b2c-policy-type
@@ -31,7 +31,7 @@ zone_pivot_groups: b2c-policy-type
 
 ::: zone pivot="b2c-custom-policy"
 
-In Azure Active Directory B2C (Azure AD B2C), you can send event data directly to [Application Insights](/azure/azure-monitor/app/app-insights-overview) by using the instrumentation key provided to Azure AD B2C. With an Application Insights technical profile, you can get detailed and customized event logs for your user journeys to:
+In Azure Active Directory B2C (Azure AD B2C), you can send event data directly to [Application Insights](/azure/azure-monitor/app/app-insights-overview) by using the connection string provided to Azure AD B2C. With an Application Insights technical profile, you can get detailed and customized event logs for your user journeys to:
 
 - Gain insights on user behavior.
 - Troubleshoot your own policies in development or in production.
@@ -42,7 +42,7 @@ In Azure Active Directory B2C (Azure AD B2C), you can send event data directly t
 
 ## Overview
 
-To enable custom event logs, add an Application Insights technical profile. In the technical profile, you define the Application Insights instrumentation key, the event name, and the claims to record. To post an event, add the technical profile as an orchestration step in a [user journey](userjourneys.md).
+To enable custom event logs, add an Application Insights technical profile. In the technical profile, you define the Application Insights connection string, the event name, and the claims to record. To post an event, add the technical profile as an orchestration step in a [user journey](userjourneys.md).
 
 When you use Application Insights, consider the following:
 
@@ -57,7 +57,7 @@ When you use Application Insights, consider the following:
 
 ## Create an Application Insights resource
 
-When you use Application Insights with Azure AD B2C, all you need to do is create a resource and get the instrumentation key. For information, see [Create an Application Insights resource](/previous-versions/azure/azure-monitor/app/create-new-resource).
+When you use Application Insights with Azure AD B2C, all you need to do is create a resource and get the connection string. For information, see [Create an Application Insights resource](/previous-versions/azure/azure-monitor/app/create-new-resource).
 
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Microsoft Entra ID tenant from the **Directories + subscriptions** menu.
@@ -67,9 +67,9 @@ When you use Application Insights with Azure AD B2C, all you need to do is creat
 1. For **Application Type**, select **ASP.NET web application**.
 1. For **Resource Group**, select an existing group or enter a name for a new group.
 1. Select **Create**.
-1. Open the new Application Insights resource, expand **Essentials**, and copy the instrumentation key.
+1. Open the new Application Insights resource, expand **Essentials**, and copy the connection string.
 
-![Screenshot that shows the Instrumentation Key on the Application Insights Overview tab.](./media/analytics-with-application-insights/app-insights.png)
+![Screenshot that shows the connection string on the Application Insights Overview tab.](./media/analytics-with-application-insights/app-insights.png)
 
 ## Define claims
 
@@ -122,7 +122,7 @@ Technical profiles can be considered functions in the custom policy. These funct
 
 | Technical profile | Task |
 | ----------------- | -----|
-| AppInsights-Common | The common technical profile with typical configuration. It includes the Application Insights instrumentation key, a collection of claims to record, and developer mode. The other technical profiles include the common technical profile and add more claims, such as the event name. |
+| AppInsights-Common | The common technical profile with typical configuration. It includes the Application Insights connection string, a collection of claims to record, and developer mode. The other technical profiles include the common technical profile and add more claims, such as the event name. |
 | AppInsights-SignInRequest | Records a **SignInRequest** event with a set of claims when a sign-in request has been received. |
 | AppInsights-UserSignUp | Records a **UserSignUp** event when the user triggers the sign-up option in a sign-up or sign-in journey. |
 | AppInsights-SignInComplete | Records a **SignInComplete** event upon successful authentication, when a token has been sent to the relying party application. |
@@ -137,8 +137,8 @@ Open the *TrustFrameworkExtensions.xml* file from the starter pack. Add the tech
       <DisplayName>Application Insights</DisplayName>
       <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.Insights.AzureApplicationInsightsProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
       <Metadata>
-        <!-- The ApplicationInsights instrumentation key, which you use for logging the events -->
-        <Item Key="InstrumentationKey">xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</Item>
+        <!-- The ApplicationInsights connection string, which you use for logging the events -->
+        <Item Key="ConnectionString">xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</Item>
         <Item Key="DeveloperMode">false</Item>
         <Item Key="DisableTelemetry ">false</Item>
       </Metadata>
@@ -181,7 +181,7 @@ Open the *TrustFrameworkExtensions.xml* file from the starter pack. Add the tech
 ```
 
 > [!IMPORTANT]
-> Change the instrumentation key in the `AppInsights-Common` technical profile to the GUID that your Application Insights resource provides.
+> Change the connection string in the `AppInsights-Common` technical profile to the GUID that your Application Insights resource provides.
 
 ## Add the technical profiles as orchestration steps
 

articles/app-service/configure-authentication-provider-openid-connect.md

@@ -27,6 +27,9 @@ Your provider requires you to register the details of your application with it.
 
 You need to collect a *client ID* and a *client secret* for your application. The client secret is an important security credential. Don't share this secret with anyone or distribute it in a client application.
 
+> [!NOTE]
+> You only need to provide a client secret to the configuration if you would like to acquire access tokens for the user through interactive login flow using the authorization code flow. If this is not your case, collecting a secret is not required.
+
 You also need the OIDC metadata for the provider. This metadata is often exposed in a [configuration metadata document](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig), which is the provider's issuer URL suffixed with `/.well-known/openid-configuration`. Get this configuration URL.
 
 If you can't use a configuration metadata document, get the following values separately:
@@ -52,7 +55,7 @@ To add provider information for your OpenID Connect provider, follow these steps
 
    Otherwise, select **Provide endpoints separately**. Put each URL from the identity provider in the appropriate field.
 
-1. Provide the values that you collected earlier for **Client ID** and **Client secret**.
+1. Provide the values that you collected earlier for **Client ID**. If the **Client secret** was also collected, provide it as part of the configuration process.
 
 1. Specify an application setting name for your client secret. Your client secret is stored as an app setting to ensure that secrets are stored in a secure fashion. If you want to manage the secret in Azure Key vault, update that setting later to use [Azure Key Vault references](./app-service-key-vault-references.md).
 
@@ -61,6 +64,8 @@ To add provider information for your OpenID Connect provider, follow these steps
 > [!NOTE]
 > The OpenID provider name can't contain a hyphen (-) because an app setting is created based on this name. The app setting doesn't support hyphens. Use an underscore (_) instead.  
 >
+> It also requires that the `aud` scope in your token be the same as the **Client Id** as configured above. It is currently not possible to configure the allowed audiences for this provider at the moment.
+>
 > Azure requires `openid`, `profile`, and `email` scopes. Make sure that you configure your app registration in your ID provider with at least these scopes.
 
 ## <a name="related-content"> </a>Related content

articles/app-service/deploy-container-azure-pipelines.md

@@ -40,7 +40,7 @@ Once your repository is created with your .NET application and supporting docker
 1. Under the Configure tab, choose the **Starter Pipeline** option
 1. Under the next Review tab, click the **Save** button
 
-## Build and push image to Azure container registry
+## Build and push image to Azure Container Registry
 After your pipeline is created and saved, you'll need to edit the pipeline to run the steps for building the container, pushing to a registry, and deploying the image to App Service. To start, navigate to the **Pipelines** menu, choose your pipeline that you created and click the **Edit** button.
 
 First, you need to add the docker task so you can build the image. Add the following code and replace the Dockerfile: app/Dockerfile with the path to your Dockerfile.

articles/app-service/deploy-run-package.md

@@ -15,9 +15,9 @@ ms.author: cephalin
 
 In [Azure App Service](overview.md), you can run your apps directly from a deployment ZIP package file. This article shows how to enable this functionality in your app.
 
-All other deployment methods in App Service have something in common: your files are deployed to *D:\home\site\wwwroot* in your app (or */home/site/wwwroot* for Linux apps). Since the same directory is used by your app at runtime, it's possible for deployment to fail because of file lock conflicts, and for the app to behave unpredictably because some of the files are not yet updated.
+All other deployment methods in App Service have something in common: your unzip files are deployed to *D:\home\site\wwwroot* in your app (or */home/site/wwwroot* for Linux apps). Since the same directory is used by your app at runtime, it's possible for deployment to fail because of file lock conflicts, and for the app to behave unpredictably because some of the files are not yet updated. To enable this setting, you do not need to assign any value to the `WEBSITE_RUN_FROM_PACKAGE` variable or you can remove it entirely.
 
-In contrast, when you run directly from a package, the files in the package are not copied to the *wwwroot* directory. Instead, the ZIP package itself gets mounted directly as the read-only *wwwroot* directory. There are several benefits to running directly from a package:
+In contrast, when you run directly from a ZIP package, the files in the package are not copied to the *wwwroot* directory. Instead, the ZIP package itself gets mounted directly as the read-only *wwwroot* directory. To enable this setting, set `WEBSITE_RUN_FROM_PACKAGE`=1 or provide the URL of the ZIP file. There are several benefits to running directly from a package:
 
 - Eliminates file lock conflicts between deployment and runtime.
 - Ensures only full-deployed apps are running at any time.
@@ -30,36 +30,36 @@ In contrast, when you run directly from a package, the files in the package are
 
 [!INCLUDE [Create a project ZIP file](../../includes/app-service-web-deploy-zip-prepare.md)]
 
-## Enable running from package
+## Enable running from ZIP package
 
-The `WEBSITE_RUN_FROM_PACKAGE` app setting enables running from a package. To set it, run the following command with Azure CLI.
+The `WEBSITE_RUN_FROM_PACKAGE` app setting enables running from a ZIP package. To set it, run the following command with Azure CLI.
 
 ```azurecli-interactive
 az webapp config appsettings set --resource-group <group-name> --name <app-name> --settings WEBSITE_RUN_FROM_PACKAGE="1"
 ```
 
-`WEBSITE_RUN_FROM_PACKAGE="1"` lets you run your app from a package local to your app. You can also [run from a remote package](#run-from-external-url-instead).
+`WEBSITE_RUN_FROM_PACKAGE="1"` lets you run your app from a ZIP package local to your app. You can also [run from a remote package](#run-from-external-url-instead).
 
-## Run the package
+## Run the ZIP package
 
-The easiest way to run a package in your App Service is with the Azure CLI [az webapp deploy](/cli/azure/webapp#az-webapp-deploy) command. For example:
+The easiest way to run a ZIP package in your App Service is with the Azure CLI [az webapp deployment source config-zip](/cli/azure/webapp/deployment/source#az-webapp-deployment-source-config-zip) command. For example:
 
 ```azurecli-interactive
 az webapp deploy --resource-group <group-name> --name <app-name> --src-path <filename>.zip
 ```
 
-Because the `WEBSITE_RUN_FROM_PACKAGE` app setting is set, this command doesn't extract the package content to the *D:\home\site\wwwroot* directory of your app. Instead, it uploads the ZIP file as-is to *D:\home\data\SitePackages*, and creates a *packagename.txt* in the same directory, that contains the name of the ZIP package to load at runtime. If you upload your ZIP package in a different way (such as [FTP](deploy-ftp.md)), you need to create the *D:\home\data\SitePackages* directory and the *packagename.txt* file manually.
+Because the `WEBSITE_RUN_FROM_PACKAGE` app setting is set, this command doesn't extract the ZIP package content to the *D:\home\site\wwwroot* directory of your app. Instead, it uploads the ZIP file as-is to *D:\home\data\SitePackages*, and creates a *packagename.txt* in the same directory, that contains the name of the ZIP package to load at runtime. If you upload your ZIP package in a different way (such as [FTP](deploy-ftp.md)), you need to create the *D:\home\data\SitePackages* directory and the *packagename.txt* file manually.
 
 The command also restarts the app. Because `WEBSITE_RUN_FROM_PACKAGE` is set, App Service mounts the uploaded package as the read-only *wwwroot* directory and runs the app directly from that mounted directory.
 
 ## Run from external URL instead
 
-You can also run a package from an external URL, such as Azure Blob Storage. You can use the [Azure Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md) to upload package files to your Blob storage account. You should use a private storage container with a [Shared Access Signature (SAS)](../vs-azure-tools-storage-manage-with-storage-explorer.md#generate-a-sas-in-storage-explorer) or [use a managed identity](#access-a-package-in-azure-blob-storage-using-a-managed-identity) to enable the App Service runtime to access the package securely.
+You can also run a ZIP package from an external URL, such as Azure Blob Storage. You can use the [Azure Storage Explorer](../vs-azure-tools-storage-manage-with-storage-explorer.md) to upload ZIP package files to your Blob storage account. You should use a private storage container with a [Shared Access Signature (SAS)](../vs-azure-tools-storage-manage-with-storage-explorer.md#generate-a-sas-in-storage-explorer) or [use a managed identity](#access-a-package-in-azure-blob-storage-using-a-managed-identity) to enable the App Service runtime to access the ZIP package securely.
 
 > [!NOTE]
-> Currently, an existing App Service resource that runs a local package cannot be migrated to run from a remote package. You will have to create a new App Service resource configured to run from an external URL.
+> Currently, an existing App Service resource that runs a local ZIP package cannot be migrated to run from a remote ZIP package. You will have to create a new App Service resource configured to run from an external URL.
 
-Once you upload your file to Blob storage and have an SAS URL for the file, set the `WEBSITE_RUN_FROM_PACKAGE` app setting to the URL. The following example does it by using Azure CLI:
+Once you upload your file to Blob storage and have an SAS URL for the file, set the `WEBSITE_RUN_FROM_PACKAGE` app setting to the URL. Make sure the URL ends with `.zip`. The following example does it by using Azure CLI:
 
 ```azurecli-interactive
 az webapp config appsettings set --name <app-name> --resource-group <resource-group-name> --settings WEBSITE_RUN_FROM_PACKAGE="https://myblobstorage.blob.core.windows.net/content/SampleCoreMVCApp.zip?st=2018-02-13T09%3A48%3A00Z&se=2044-06-14T09%3A48%3A00Z&sp=rl&sv=2017-04-17&sr=b&sig=bNrVrEFzRHQB17GFJ7boEanetyJ9DGwBSV8OM3Mdh%2FM%3D"
@@ -73,7 +73,7 @@ If you publish an updated package with the same name to Blob storage, you need t
 
 ## Deploy WebJob files when running from package
 
-There are two ways to deploy [WebJob](webjobs-create.md) files when you [enable running an app from package](#enable-running-from-package):
+There are two ways to deploy [WebJob](webjobs-create.md) files when you [enable running an app from package](#enable-running-from-zip-package):
 
 
 - Deploy in the same ZIP package as your app: include them as you normally would in `<project-root>\app_data\jobs\...` (which maps to the deployment path `\site\wwwroot\app_data\jobs\...` as specified in the [WebJobs quickstart](webjobs-create.md#webjob-types)).

articles/app-service/includes/quickstart-custom-container/quickstart-custom-container-windows-cli-pivot.md

@@ -89,7 +89,7 @@ The App Service app pulls from the container registry each time it starts. If yo
 - [Secure with custom domain and certificate](../../tutorial-secure-domain-certificate.md)
 - [Integrate your app with an Azure virtual network](../../overview-vnet-integration.md)
 - [Use Private Endpoints for App Service apps](../../networking/private-endpoint.md)
-- [Use Azure container registry with Private Link](/azure/container-registry/container-registry-private-link)
+- [Use Azure Container Registry with Private Link](/azure/container-registry/container-registry-private-link)
 - [Migrate to Windows container in Azure](../../tutorial-custom-container.md)
 - [Deploy a container with Azure Pipelines](../../deploy-container-azure-pipelines.md)
 - [Deploy a container with GitHub Actions](../../deploy-container-github-action.md)

articles/app-service/includes/quickstart-custom-container/quickstart-custom-container-windows-powershell-pivot.md

@@ -89,7 +89,7 @@ The App Service app pulls from the container registry each time it starts. If yo
 - [Secure with custom domain and certificate](../../tutorial-secure-domain-certificate.md)
 - [Integrate your app with an Azure virtual network](../../overview-vnet-integration.md)
 - [Use Private Endpoints for App Service apps](../../networking/private-endpoint.md)
-- [Use Azure container registry with Private Link](/azure/container-registry/container-registry-private-link)
+- [Use Azure Container Registry with Private Link](/azure/container-registry/container-registry-private-link)
 - [Migrate to Windows container in Azure](../../tutorial-custom-container.md)
 - [Deploy a container with Azure Pipelines](../../deploy-container-azure-pipelines.md)
 - [Deploy a container with GitHub Actions](../../deploy-container-github-action.md)

articles/app-service/includes/quickstart-custom-container/quickstart-custom-container-windows-visual-studio-pivot.md

@@ -184,7 +184,7 @@ The streamed logs look like this:
 - [Secure with custom domain and certificate](../../tutorial-secure-domain-certificate.md)
 - [Integrate your app with an Azure virtual network](../../overview-vnet-integration.md)
 - [Use Private Endpoints for App Service apps](../../networking/private-endpoint.md)
-- [Use Azure container registry with Private Link](/azure/container-registry/container-registry-private-link)
+- [Use Azure Container Registry with Private Link](/azure/container-registry/container-registry-private-link)
 - [Migrate to Windows container in Azure](../../tutorial-custom-container.md)
 - [Deploy a container with Azure Pipelines](../../deploy-container-azure-pipelines.md)
 - [Deploy a container with GitHub Actions](../../deploy-container-github-action.md)