Merge pull request #294426 from MicrosoftDocs/main

Publish to live, Tuesday 4 AM PST, 2/11

Author: ttorble

articles/app-service/configure-authentication-oauth-tokens.md

@@ -37,7 +37,7 @@ From your client code (such as a mobile app or in-browser JavaScript), send an H
 When your provider's access token (not the [session token](#extend-session-token-expiration-grace-period)) expires, you need to reauthenticate the user before you use that token again. You can avoid token expiration by making a `GET` call to the `/.auth/refresh` endpoint of your application. When called, App Service automatically refreshes the access tokens in the [token store](overview-authentication-authorization.md#token-store) for the authenticated user. Subsequent requests for tokens by your app code get the refreshed tokens. However, for token refresh to work, the token store must contain [refresh tokens](/entra/identity-platform/refresh-tokens) for your provider. The way to get refresh tokens are documented by each provider, but the following list is a brief summary:
 
 - **Google**: Append an `access_type=offline` query string parameter to your `/.auth/login/google` API call. For more information, see [Google Refresh Tokens](https://developers.google.com/identity/protocols/OpenIDConnect#refresh-tokens).
-- **Facebook**: Doesn't provide refresh tokens. Long-lived tokens expire in 60 days (see [Facebook Expiration and Extension of Access Tokens](https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension)).
+- **Facebook**: Doesn't provide refresh tokens. Long-lived tokens expire in 60 days (see [Long-Lived Access Tokens](https://developers.facebook.com/docs/facebook-login/guides/access-tokens/get-long-lived/)).
 - **X**: Access tokens don't expire (see [OAuth FAQ](https://developer.x.com/en/docs/authentication/faq)).
 - **Microsoft**: In [https://resources.azure.com](https://resources.azure.com), do the following steps:
     1. At the top of the page, select **Read/Write**.

articles/app-service/environment/zone-redundancy.md

@@ -89,7 +89,7 @@ To make your apps zone redundant, you need to deploy two zonal ILB ASEs. The two
 
 ILB ASEs deployed in an availability zone will only store customer data within the region where the zonal ILB ASE has been deployed. Both website file content and customer supplied settings and secrets stored in App Service remain within the region where the zonal ILB ASE is deployed.
 
-Customers ensure single region data residency by following the steps outlined earlier in the section "How to Deploy an App Service Environment in an Availability Zone". By configuring an App Service Environment according to these steps, an App Service Environment deployed in an availability zone satisfies in region data residency requirements including those specified in the [Azure Trust Center](https://azuredatacentermap.azurewebsites.net/).
+Customers ensure single region data residency by following the steps outlined earlier in the section "How to Deploy an App Service Environment in an Availability Zone". By configuring an App Service Environment according to these steps, an App Service Environment deployed in an availability zone satisfies in region data residency requirements including those specified in the [Microsoft Datacenters Explorer](https://datacenters.microsoft.com/globe/explore).
 
 Customers can validate that an App Service Environment is properly configured to store data in a single region by following these steps:
 

articles/iot-central/core/concepts-quotas-limits.md

@@ -4,7 +4,7 @@ description: This article lists the key quotas and limits that apply to an IoT C
 author: dominicbetts
 ms.author: dobett
 ms.date: 06/17/2024
-ms.topic: conceptual
+ms.topic: reference
 ms.service: azure-iot-central
 services: iot-central
 

articles/reliability/availability-zones-overview.md

@@ -80,6 +80,9 @@ $locations = ($response.Content | ConvertFrom-Json).value
 
 For each region, Microsoft aims to deploy updates to Azure services within a single availability zone at a time. This approach reduces the impact that updates might have on an active workload, allowing the workload to continue to run in other zones while the update is in process. To take advantage of sequenced zone updates, your workload must be already configured to run across multiple zones. For more information about how Azure deploys updates, see [Advancing safe deployment practices](https://azure.microsoft.com/blog/advancing-safe-deployment-practices/).
 
+> [!NOTE]
+> As reported on [Azure Updates Blog](https://azure.microsoft.com/updates?id=update-on-interavailability-zone-data-transfer-pricing) Azure will not charge for the data transfer across availability zones regardless of using private or public IPs on your Azure resources. With this change, Azure will further encourage and support customers’ efforts in building more resilient and efficient applications and solutions on Azure
+
 ## Inter-zone latency
 
 Within each region, availability zones are connected through a high-performance network. Microsoft strives to achieve an inter-zone communication with round-trip latency of less than approximately 2 milliseconds. Low latency allows for high-performance communication within a region, and for synchronous replication of data across multiple availability zones.

articles/site-recovery/azure-to-azure-tutorial-failback.md

@@ -3,7 +3,7 @@ title: Tutorial to fail back Azure VMs to a primary region during disaster recov
 description: Tutorial to learn about failing back Azure VMs to a primary region with Azure Site Recovery.
 ms.topic: tutorial
 ms.service: azure-site-recovery
-ms.date: 03/29/2024
+ms.date: 02/11/2025
 ms.custom: mvc
 ms.author: ankitadutta
 author: ankitaduttaMSFT
@@ -32,6 +32,7 @@ Before you start this tutorial, you should have:
 1. [Set up replication](azure-to-azure-tutorial-enable-replication.md) for at least one Azure VM, and tried out a [disaster recovery drill](azure-to-azure-tutorial-dr-drill.md) for it.
 2. [Failed over the VM](azure-to-azure-tutorial-failover-failback.md) from the primary region to a secondary region, and reprotected it so that it replicates from the secondary region to the primary. 
 3. Check that the primary region is available, and that you're able to create and access new resources in it.
+1. Source region VM must be shut down before attempting a failback since, changes are synced from failover VM disks to the source region disks during failback. If the source VM is powered on then it fails and thus fails the failback operation.
 
 ## Fail back to the primary region
 

articles/virtual-wan/point-to-site-entra-gateway-update.md

@@ -5,7 +5,7 @@ description: Learn how to update Audience values for User VPN (P2S) gateway conn
 author: cherylmc
 ms.service: azure-virtual-wan
 ms.topic: how-to
-ms.date: 02/07/2025
+ms.date: 02/10/2025
 ms.author: cherylmc
 
 # Customer intent: As an VPN Gateway administrator, I want to update point-to-site Audience values for Microsoft Entra ID authentication.
@@ -19,7 +19,7 @@ The following table shows the available supported Audience values.
 
 [!INCLUDE [Audience values](../../includes/vpn-gateway-entra-audience-values.md)]
 
-The examples in this article use the new Audience value for Azure Public. This article doesn't apply to **custom Audience** value configurations. To modify a custom audience app ID, see [Create or modify a custom audience app ID for P2S VPN Microsoft Entra ID authentication](point-to-site-entra-register-custom-app.md#change).
+This article doesn't apply to **custom Audience** value configurations. To modify a custom audience app ID, see [Create or modify a custom audience app ID for P2S VPN Microsoft Entra ID authentication](point-to-site-entra-register-custom-app.md#change).
 
 ## Workflow
 
@@ -38,7 +38,7 @@ When you update audience values on an existing gateway, you incur fewer than 5 m
 
 1. On the **User VPN configurations** page, select the configuration, then click **Edit configuration**.
 
-1. On the **Edit configuration** page, go to the **Azure Active Directory** page, which is used to configure the Microsoft Entra ID values. Change the **Audience** value to the new version. For example, the new Azure Public aduence value for the Microsoft-registerd Azure VPN Client is: **c632b3df-fb67-4d84-bdcf-b95ad541b5c8**.
+1. On the **Edit configuration** page, go to the **Azure Active Directory** page, which is used to configure the Microsoft Entra ID values. Change the **Audience** value to:  **c632b3df-fb67-4d84-bdcf-b95ad541b5c8**.
 
 1. Leave the other settings the same, unless you have changed tenants and need to change the tenant IDs. If you update the Issuer field, take care to include the trailing slash at the end. For more information about each of the fields, see [User configuration](point-to-site-entra-gateway.md#user-config) values.
 1. Once you finish configuring settings, click **Review + create** to save your settings.

articles/vpn-gateway/point-to-site-about.md

@@ -6,7 +6,7 @@ author: cherylmc
 ms.service: azure-vpn-gateway
 ms.custom: linux-related-content
 ms.topic: concept-article
-ms.date: 09/18/2024
+ms.date: 02/10/2025
 ms.author: cherylmc
 ---
 # About Point-to-Site VPN

articles/vpn-gateway/point-to-site-entra-gateway-update.md

@@ -5,7 +5,7 @@ description: Learn how to update Audience values for P2S VPN gateway connections
 author: cherylmc
 ms.service: azure-vpn-gateway
 ms.topic: how-to
-ms.date: 08/06/2024
+ms.date: 02/10/2025
 ms.author: cherylmc
 
 # Customer intent: As an VPN Gateway administrator, I want to update point-to-site Audience values for Microsoft Entra ID authentication.
@@ -19,7 +19,7 @@ The following table shows the available supported Audience values.
 
 [!INCLUDE [Audience values](../../includes/vpn-gateway-entra-audience-values.md)]
 
-The examples in this article use the new Audience value for Azure Public. This article doesn't apply to **custom Audience** value configurations. To modify a custom audience app ID, see [Create or modify a custom audience app ID for P2S VPN Microsoft Entra ID authentication](point-to-site-entra-register-custom-app.md#change).
+This article doesn't apply to **custom Audience** value configurations. To modify a custom audience app ID, see [Create or modify a custom audience app ID for P2S VPN Microsoft Entra ID authentication](point-to-site-entra-register-custom-app.md#change).
 
 ## Workflow
 
@@ -38,7 +38,7 @@ When you update audience values on an existing gateway, you incur fewer than 5 m
 
    :::image type="content" source="./media/update-entra-audience/audience.png" alt-text="Screenshot showing settings for Tunnel type, Authentication type, and Microsoft Entra settings." lightbox="././media/update-entra-audience/audience.png":::
 
-1. Change the **Audience** value. For this example, we changed the Audience value to the Azure Public value for the Microsoft-registered Azure VPN Client; **c632b3df-fb67-4d84-bdcf-b95ad541b5c8**.
+1. Change the **Audience** value to: **c632b3df-fb67-4d84-bdcf-b95ad541b5c8**.
 1. Leave the other settings the same, unless you have changed tenants and need to change the tenant IDs. If you update the Issuer field, take care to include the trailing slash at the end. For more information about each of the fields, see [Microsoft Entra ID](point-to-site-entra-gateway.md#configure-vpn) values.
 1. Once you finish configuring settings, click **Save** at the top of the page.
 1. The new settings save to the P2S gateway and the gateway updates. This takes about 5 minutes to complete.

articles/vpn-gateway/point-to-site-entra-gateway.md

@@ -6,14 +6,14 @@ author: cherylmc
 ms.service: azure-vpn-gateway
 ms.custom: linux-related-content
 ms.topic: how-to
-ms.date: 11/04/2024
+ms.date: 02/10/2025
 ms.author: cherylmc
 # Customer intent: As an VPN Gateway administrator, I want to configure point-to-site to allow Microsoft Entra ID authentication using the Microsoft-registered Azure VPN Client APP ID.
 ---
 
 # Configure P2S VPN Gateway for Microsoft Entra ID authentication – Microsoft-registered app
 
-This article helps you configure your point-to-site (P2S) VPN gateway for Microsoft Entra ID authentication using the new Microsoft-registered Azure VPN Client App ID. 
+This article helps you configure your point-to-site (P2S) VPN gateway for Microsoft Entra ID authentication using the new Microsoft-registered Azure VPN Client App ID.
 
 > [!NOTE]
 > The steps in this article apply to Microsoft Entra ID authentication using the new Microsoft-registered Azure VPN Client App ID and associated Audience values. This article doesn't apply to the older, manually registered Azure VPN Client app for your tenant. For the manually registered Azure VPN Client steps, see [Configure P2S using manually registered VPN client](openvpn-azure-ad-tenant.md).
@@ -75,11 +75,14 @@ This article assumes the following prerequisites:
 
    * **Tenant:** TenantID for the Microsoft Entra ID tenant. Enter the tenant ID that corresponds to your configuration. Make sure the Tenant URL doesn't have a `\` (backslash) at the end. Forward slash is permissible.
 
-      * Azure Public: `https://login.microsoftonline.com/{Microsoft ID Entra Tenant ID}`
+     * Azure Public: `https://login.microsoftonline.com/{TenantID}`
+     * Azure Government: `https://login.microsoftonline.us/{TenantID}`
+     * Azure Germany: `https://login-us.microsoftonline.de/{TenantID}`
+     * China 21Vianet: `https://login.chinacloudapi.cn/{TenantID}`
 
    * **Audience**: The corresponding value for the Microsoft-registered Azure VPN Client App ID. [Custom audience](point-to-site-entra-register-custom-app.md) is also supported for this field.
 
-     * Azure Public: `c632b3df-fb67-4d84-bdcf-b95ad541b5c8`
+     * `c632b3df-fb67-4d84-bdcf-b95ad541b5c8`
 
    * **Issuer**: URL of the Secure Token Service. Include a trailing slash at the end of the **Issuer** value. Otherwise, the connection might fail. Example:
 

articles/vpn-gateway/point-to-site-entra-vpn-client-mac.md

@@ -4,7 +4,7 @@ description: Learn how to configure macOS client computers to connect to Azure u
 author: cherylmc
 ms.service: azure-vpn-gateway
 ms.topic: how-to
-ms.date: 10/15/2024
+ms.date: 02/10/2025
 ms.author: cherylmc
 ---
 
@@ -58,7 +58,7 @@ Locate and unzip the VPN client profile configuration package you generated and
 1. On this screen, notice the connection values are populated using the values in the imported VPN client configuration file.
 
    * Verify that the **Certificate Information** value shows **DigiCert Global Root G2**, rather than the default or blank. Adjust the value if necessary.
-   * Notice the Client Authentication values align with the values that were used to configure the VPN gateway for Microsoft Entra ID authentication. The Audience value in this example aligns with the Microsoft-registered App ID for Azure Public. If your P2S gateway is configured for a different Audience value, this field must reflect that value.
+   * Notice the Client Authentication values align with the values that were used to configure the VPN gateway for Microsoft Entra ID authentication. This field must reflect the same value that your gateway is configured to use.
 
    :::image type="content" source="media/point-to-site-entra-vpn-client-mac/values.png" alt-text="Screenshot of Azure VPN Client saving the imported profile settings." lightbox="media/point-to-site-entra-vpn-client-mac/values.png":::
 
@@ -94,7 +94,7 @@ You can remove the VPN connection profile from your computer.
 1. Open the Azure VPN Client.
 1. Select the VPN connection that you want to remove, then click **Remove**.
 
-## Optional Azure VPN Client configuration settings
+## Optional client configuration settings
 
 You can configure the Azure VPN Client with optional configuration settings such as additional DNS servers, custom DNS, forced tunneling, custom routes, and other additional settings. For a description of the available optional settings and configuration steps, see [Azure VPN Client optional settings](azure-vpn-client-optional-configurations.md).