
Commit 2b0f300

Merge pull request #288539 from MicrosoftDocs/main
10/16/2024 AM Publish
2 parents f9874b4 + 6c5ed78 commit 2b0f300

27 files changed

+133
-102
lines changed

articles/app-service/configure-authentication-provider-aad.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -74,7 +74,7 @@ Either:
7474
- Select **Provide the details of an existing app registration** and provide:
7575
- Application (client) ID.
7676
- Client secret (recommended). A secret value that the application uses to prove its identity when requesting a token. This value is saved in your app's configuration as a slot-sticky application setting named `MICROSOFT_PROVIDER_AUTHENTICATION_SECRET`. If the client secret isn't set, sign-in operations from the service use the OAuth 2.0 implicit grant flow, which *isn't* recommended.
77-
- Issuer URL, which takes the form `<authentication-endpoint>/<tenant-id>/v2.0`. Replace `<authentication-endpoint>` with the authentication endpoint [value specific to the cloud environment](/entra/identity-platform/authentication-national-cloud#azure-ad-authentication-endpoints). For example, a workforce tenant in global Azure would use "https://login.microsoftonline.com" as its authentication endpoint.
77+
- Issuer URL, which takes the form `<authentication-endpoint>/<tenant-id>/v2.0`. Replace `<authentication-endpoint>` with the authentication endpoint [value specific to the cloud environment](/entra/identity-platform/authentication-national-cloud#azure-ad-authentication-endpoints). For example, a workforce tenant in global Azure would use "https://sts.windows.net" as its authentication endpoint.
7878

7979
If you need to manually create an app registration in a workforce tenant, follow the [register an application](/entra/identity-platform/quickstart-register-app) quickstart. As you go through the registration process, be sure to note the application (client) ID and client secret values.
8080
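Review bot: the new example endpoint conflicts with the issuer form given in the same sentence and with the linked national-cloud page. The form `<authentication-endpoint>/<tenant-id>/v2.0` is the v2.0 issuer, and for global Azure that issuer is `https://login.microsoftonline.com/<tenant-id>/v2.0`; `https://sts.windows.net/<tenant-id>/` is the issuer host of v1.0 tokens, which do not use a `/v2.0` suffix, so `https://sts.windows.net/<tenant-id>/v2.0` is a value that no token will carry in its `iss` claim. If the intent is to document the issuer that App Service authentication compares against v1.0 tokens, say so and give the matching form; otherwise restore the previous `https://login.microsoftonline.com` example. A mismatched issuer fails every sign-in, so this example is one readers will copy literally.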

articles/app-service/deploy-staging-slots.md

Lines changed: 1 addition & 1 deletion
@@ -114,7 +114,7 @@ When you swap two slots (usually from a staging slot *as the source* into the pr
114114

115115
1. If [local cache](overview-local-cache.md) is enabled, trigger local cache initialization by making an HTTP request to the application root ("/") on each instance of the source slot. Wait until each instance returns any HTTP response. Local cache initialization causes another restart on each instance.
116116

117-
1. If [auto swap](#Auto-Swap) is enabled with [custom warm-up](#Warm-up), trigger [Application Initiation](/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization) by making an HTTP request to the application root ("/") on each instance of the source slot.
117+
1. If [auto swap](#Auto-Swap) is enabled with [custom warm-up](#Warm-up), trigger the custom [Application Initiation](/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization) on each instance of the source slot.
118118

119119
If `applicationInitialization` isn't specified, trigger an HTTP request to the application root of the source slot on each instance.
120120
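Review bot: "Application Initiation" on the changed line should be "Application Initialization"; the link slug (`iis-80-application-initialization`) and the `applicationInitialization` element named on the following line both use that name, and the typo was carried over from the removed line. The rewrite also dropped the description of what is triggered. Since the next line covers the case where `applicationInitialization` isn't specified, this line should state the other branch explicitly, for example: "trigger the custom warm-up by requesting the pages listed in the app's `applicationInitialization` configuration on each instance of the source slot", so the two lines read as the two branches of one rule.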

articles/app-service/overview-authentication-authorization.md

Lines changed: 16 additions & 5 deletions
@@ -157,19 +157,30 @@ If you don't need to work with tokens in your app, you can disable the token sto
157157

158158
If you [enable application logging](troubleshoot-diagnostic-logs.md), you will see authentication and authorization traces directly in your log files. If you see an authentication error that you didn't expect, you can conveniently find all the details by looking in your existing application logs. If you enable [failed request tracing](troubleshoot-diagnostic-logs.md), you can see exactly what role the authentication and authorization module may have played in a failed request. In the trace logs, look for references to a module named `EasyAuthModule_32/64`.
159159

160-
### Considerations when using Azure Front Door
160+
### Cross-site request forgery mitigation
161161

162-
When using Azure App Service with Easy Auth behind Azure Front Door or other reverse proxies, a few additional things have to be taken into consideration.
162+
App Service authentication mitigates CSRF by inspecting client requests for the following conditions:
163163

164-
1) Disable Caching for the authentication workflow
164+
- It's a POST request that authenticated using a session cookie.
165+
- The request came from a known browser (as determined by the HTTP `User-Agent` header).
166+
- The HTTP `Origin` or HTTP `Referer` header is missing or is not in the configured list of approved external domains for redirection.
167+
- The HTTP `Origin` header is missing or is not in the configured list of CORS origins.
168+
169+
When a request fulfills all these conditions, App Service authentication automatically rejects it. You can workaround this mitigation logic by adding your external domain to the redirect list to **Authentication** > **Edit authentication settings** > **Allowed external redirect URLs**.
170+
171+
## Considerations when using Azure Front Door
172+
173+
When using Azure App Service with authentication behind Azure Front Door or other reverse proxies, a few additional things have to be taken into consideration.
174+
175+
- Disable caching for the authentication workflow.
165176

166177
See [Disable cache for auth workflow](../static-web-apps/front-door-manual.md#disable-cache-for-auth-workflow) to learn more on how to configure rules in Azure Front Door to disable caching for authentication and authorization-related pages.
167178

168-
2) Use the Front Door endpoint for redirects
179+
- Use the Front Door endpoint for redirects.
169180

170181
App Service is usually not accessible directly when exposed via Azure Front Door. This can be prevented, for example, by exposing App Service via Private Link in Azure Front Door Premium. To prevent the authentication workflow to redirect traffic back to App Service directly, it is important to configure the application to redirect back to `https://<front-door-endpoint>/.auth/login/<provider>/callback`.
171182

172-
3) Ensure that App Service is using the right redirect URI
183+
- Ensure that App Service is using the right redirect URI
173184

174185
In some configurations, the App Service is using the App Service FQDN as the redirect URI instead of the Front Door FQDN. This will lead to an issue when the client is being redirected to App Service instead of Front Door. To change that, the `forwardProxy` setting needs to be set to `Standard` to make App Service respect the `X-Forwarded-Host` header set by Azure Front Door.
175186
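Review bot: the new `## Considerations when using Azure Front Door` heading is `##`, while the heading it replaces (`### Considerations when using Azure Front Door`) and the new `### Cross-site request forgery mitigation` heading are `###`; unless Front Door is meant to become a top-level section, keep it at `###` so the table of contents nesting is unchanged. Two smaller points in the same hunk: "You can workaround this mitigation logic" should be "work around" (verb form), and the third Front Door bullet ("Ensure that App Service is using the right redirect URI") is missing the trailing period the other two bullets have. Worth one more sentence in the CSRF paragraph: the fourth condition checks the configured CORS origins, so adding the origin there is the other way to satisfy the check, and the redirect list should be limited to the specific domains that need it, since entries in **Allowed external redirect URLs** are also accepted as post-login redirect targets.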

articles/app-service/overview-managed-identity.md

Lines changed: 4 additions & 4 deletions
@@ -259,7 +259,7 @@ The principalId is a unique identifier for the identity that's used for Microsof
259259
You may need to configure the target resource to allow access from your app or function. For example, if you [request a token](#connect-to-azure-services-in-app-code) to access Key Vault, you must also add an access policy that includes the managed identity of your app or function. Otherwise, your calls to Key Vault will be rejected, even if you use a valid token. The same is true for Azure SQL Database. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication).
260260

261261
> [!IMPORTANT]
262-
> The back-end services for managed identities maintain a cache per resource URI for around 24 hours. If you update the access policy of a particular target resource and immediately retrieve a token for that resource, you may continue to get a cached token with outdated permissions until that token expires. There's currently no way to force a token refresh.
262+
> The back-end services for managed identities maintain a cache per resource URI for around 24 hours. This means that it can take several hours for changes to a managed identity's group or role membership to take effect. Today, it is not possible to force a managed identity's token to be refreshed before its expiry. If you change a managed identity’s group or role membership to add or remove permissions, you may therefore need to wait several hours for the Azure resource using the identity to have the correct access. For alternatives to groups or role memberships, see [Limitation of using managed identities for authorization](/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations).
263263
264264
## Connect to Azure services in app code
265265
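Review bot: the rewritten note uses a curly apostrophe in "managed identity’s" while the rest of the paragraph (and "app's" in the line above it) uses a straight one; normalize to `'`. The new wording also drops the case the preceding paragraph sets up: that paragraph tells the reader to add a Key Vault access policy or SQL Database permission for the identity, and the removed note explained that such a change can be followed by a cached token with outdated permissions. The new note only discusses group and role membership, so it is no longer clear whether the 24-hour cache also delays the Key Vault and SQL examples above; either keep one sentence on that case or state explicitly that it doesn't apply to resource-side policies.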

@@ -269,12 +269,12 @@ App Service and Azure Functions provide an internally accessible [REST endpoint]
269269

270270
# [HTTP GET](#tab/http)
271271

272-
A raw HTTP GET request looks like the following example:
272+
A raw HTTP GET request uses the [two supplied environment variables](#rest-endpoint-reference) and looks like the following example:
273273

274274
```http
275275
GET /MSI/token?resource=https://vault.azure.net&api-version=2019-08-01 HTTP/1.1
276-
Host: localhost:4141
277-
X-IDENTITY-HEADER: 853b9a84-5bfa-4b22-a3f3-0b9a43d9ad8a
276+
Host: <ip-address-:-port-in-IDENTITY_ENDPOINT>
277+
X-IDENTITY-HEADER: <value-of-IDENTITY_HEADER>
278278
```
279279

280280
And a sample response might look like the following:

articles/app-service/tutorial-connect-msi-sql-database.md

Lines changed: 1 addition & 1 deletion
@@ -209,7 +209,7 @@ The steps you follow for your project depends on whether you're using [Entity Fr
209209
Next, you configure your App Service app to connect to SQL Database with a system-assigned managed identity.
210210
211211
> [!NOTE]
212-
> While the instructions in this section are for a system-assigned identity, a user-assigned identity can just as easily be used. To do this. you would need the change the `az webapp identity assign command` to assign the desired user-assigned identity. Then, when creating the SQL user, make sure to use the name of the user-assigned identity resource rather than the site name.
212+
> The instructions in this section are for a system-assigned identity, To use a user-assigned identity, see [Tutorial: Connect to Azure databases from App Service without secrets using a managed identity](tutorial-connect-msi-azure-database.md).
213213
214214
### Enable managed identity on app
215215
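Review bot: comma splice in the rewritten note: "...are for a system-assigned identity, To use a user-assigned identity, see ..." should break into two sentences with a period: "...are for a system-assigned identity. To use a user-assigned identity, see ...". The removed text had its own stray sentence break ("To do this. you would need the change ..."), so this is the place to get the punctuation right rather than carry a new error forward.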

articles/azure-boost/includes/azure-boost-series.md

Lines changed: 7 additions & 7 deletions
@@ -17,8 +17,8 @@ ms.custom:
1717
| [Mbdsv3](/azure/virtual-machines/sizes/memory-optimized/mbsv3-mbdsv3-series) | Memory Optimized | Preview |
1818
| [Easv6](/azure/virtual-machines/sizes/memory-optimized/easv6-series) | Memory Optimized | Preview |
1919
| [Eadsv6](/azure/virtual-machines/sizes/memory-optimized/eadsv6-series) | Memory Optimized | Preview |
20-
| [Epdsv6](/azure/virtual-machines/sizes/memory-optimized/epdsv6-series) | Memory Optimized | Preview |
21-
| [Epsv6](/azure/virtual-machines/sizes/memory-optimized/epsv6-series) | Memory Optimized | Preview |
20+
| [Epdsv6](/azure/virtual-machines/sizes/memory-optimized/epdsv6-series) | Memory Optimized | Production |
21+
| [Epsv6](/azure/virtual-machines/sizes/memory-optimized/epsv6-series) | Memory Optimized | Production |
2222
| [ECesv5/ECedsv5](/azure/virtual-machines/ecesv5-ecedsv5-series) | Memory Optimized | Preview |
2323
| [Dsv6](/azure/virtual-machines/sizes/general-purpose/dsv6-series) | General Purpose | Preview |
2424
| [Dldsv6](/azure/virtual-machines/sizes/general-purpose/dldsv6-series) | General Purpose | Preview |
@@ -29,12 +29,12 @@ ms.custom:
2929
| [Dalsv6](/azure/virtual-machines/sizes/general-purpose/dalsv6-series) | General Purpose | Preview |
3030
| [Daldsv6](/azure/virtual-machines/sizes/general-purpose/daldsv6-series) | General Purpose | Preview |
3131
| [Dadsv6](/azure/virtual-machines/sizes/general-purpose/dadsv6-series) | General Purpose | Preview |
32-
| [Dpsv6](/azure/virtual-machines/sizes/general-purpose/dpsv6-series) | General Purpose | Preview |
33-
| [Dplsv6](/azure/virtual-machines/sizes/general-purpose/dplsv6-series) | General Purpose | Preview |
32+
| [Dpsv6](/azure/virtual-machines/sizes/general-purpose/dpsv6-series) | General Purpose | Production |
33+
| [Dplsv6](/azure/virtual-machines/sizes/general-purpose/dplsv6-series) | General Purpose | Production |
3434
| [Ddsv6](/azure/virtual-machines/sizes/general-purpose/ddsv6-series) | General Purpose | Preview |
3535
| [Dlsv6](/azure/virtual-machines/sizes/general-purpose/dlsv6-series) | General Purpose | Preview |
36-
| [Dpdsv6](/azure/virtual-machines/sizes/general-purpose/dpdsv6-series) | General Purpose | Preview |
37-
| [Dpldsv6](/azure/virtual-machines/sizes/general-purpose/dpldsv6-series) | General Purpose | Preview |
36+
| [Dpdsv6](/azure/virtual-machines/sizes/general-purpose/dpdsv6-series) | General Purpose | Production |
37+
| [Dpldsv6](/azure/virtual-machines/sizes/general-purpose/dpldsv6-series) | General Purpose | Production |
3838
| [Nvadsv5](/azure/virtual-machines/sizes/gpu-accelerated/nvadsa10v5-series) | GPU/AI workload optimized | Production |
3939
| [Msv3](/azure/virtual-machines/msv3-mdsv3-medium-series) | Memory Optimized | Production |
4040
| [Mdsv3](/azure/virtual-machines/msv3-mdsv3-medium-series) | Memory Optimized | Production |
@@ -69,4 +69,4 @@ ms.custom:
6969
| [Ddsv5](/azure/virtual-machines/sizes/general-purpose/ddsv5-series) | General Purpose | Production|
7070
| [DCdsv3](/azure/virtual-machines/sizes/general-purpose/dcdsv3-series) | General Purpose | Production |
7171
| [Bsv2](/azure/virtual-machines/sizes/general-purpose/bsv2-series) | General Purpose | Production |
72-
| [Bpsv2](/azure/virtual-machines/sizes/general-purpose/bpsv2-series) | General Purpose | Production |
72+
| [Bpsv2](/azure/virtual-machines/sizes/general-purpose/bpsv2-series) | General Purpose | Production |
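Review bot: the removed and added `Bpsv2` lines are identical in this view, so the change is presumably trailing whitespace or a missing newline at end of file. If that is the intent, it is worth a word in the PR description so reviewers don't look for a content change; if it isn't, the hunk is a no-op and can be dropped.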

articles/azure-web-pubsub/howto-authorize-from-application.md

Lines changed: 2 additions & 2 deletions
@@ -3,7 +3,7 @@ title: Authorize an application request by using Microsoft Entra ID
33
description: Learn how to authorize an application request to Web PubSub resources by using Microsoft Entra ID.
44
author: terencefan
55
ms.author: tefa
6-
ms.date: 09/06/2024
6+
ms.date: 10/12/2024
77
ms.service: azure-web-pubsub
88
ms.topic: conceptual
99
---
@@ -50,7 +50,7 @@ To create a client secret:
5050
:::image type="content" source="media/howto-authorize-from-application/new-client-secret.png" alt-text="Screenshot that shows creating a client secret.":::
5151

5252
1. Enter a description for the client secret, and then choose an **Expires** time for the secret.
53-
1. Copy the value of the client secret, and then paste it to a secure location to save for later use.
53+
1. Copy the value of the client secret and paste it in a secure location for later use.
5454

5555
> [!NOTE]
5656
> The secret is visible only when you create the secret. You can't view the client secret in the portal later.

articles/azure-web-pubsub/resource-faq.md

Lines changed: 7 additions & 7 deletions
@@ -5,32 +5,32 @@ author: yjin81
55
ms.author: yajin1
66
ms.service: azure-web-pubsub
77
ms.topic: overview
8-
ms.date: 03/21/2023
8+
ms.date: 09/18/2024
99
---
1010

1111
# Azure Web PubSub service FAQ
1212

13-
This is the FAQ of Azure Web PubSub service.
13+
Here are some frequently asked questions (FAQs) for the Azure Web PubSub service.
1414

1515
## Is Azure Web PubSub service ready for production use?
1616
Yes, Azure Web PubSub service is generally available.
1717

1818
## How do I choose between Azure SignalR Service and Azure Web PubSub service?
1919

20-
Both [Azure SignalR Service](https://azure.microsoft.com/services/signalr-service) and [Azure Web PubSub service](https://azure.microsoft.com/services/web-pubsub) help customers build real-time web applications easily with large scale and high availability and enable customers to focus on their business logic instead of managing the messaging infrastructure. In general, you may choose Azure SignalR Service if you already use SignalR library to build real-time application. Instead, if you're looking for a generic solution to build real-time application based on WebSocket and publish-subscribe pattern, you may choose Azure Web PubSub service. The Azure Web PubSub service is **not** a replacement for Azure SignalR Service. They're targeting different scenarios.
20+
Both [Azure SignalR Service](https://azure.microsoft.com/services/signalr-service) and [Azure Web PubSub service](https://azure.microsoft.com/services/web-pubsub) help customers build real-time web applications easily with large scale and high availability and enable customers to focus on their business logic instead of managing the messaging infrastructure. In general, you might choose Azure SignalR Service if you already use SignalR library to build real-time application. Instead, if you're looking for a generic solution to build real-time application based on WebSocket and publish-subscribe pattern, you might choose Azure Web PubSub service. The Azure Web PubSub service is **not** a replacement for Azure SignalR Service. They're targeting different scenarios.
2121

2222
Azure SignalR Service is more suitable if:
2323

2424
- You're already using ASP.NET or ASP.NET Core SignalR, primarily using .NET or need to integrate with .NET ecosystem (like Blazor).
25-
- There's a SignalR client available for your platform.
26-
- You need an established protocol that supports a wide variety of calling patterns (RPC and streaming), transports (WebSocket, server sent events, and long polling) and with a client that manages the connection lifetime on your behalf.
25+
- You're having a SignalR client available for your platform.
26+
- You're in need of an established protocol that supports a wide variety of calling patterns, such as Remote Procedure Call (RPC) and streaming. It should also support various transports, including WebSocket, server-sent events, and long polling, along with a client that manages the connection lifetime on your behalf.
2727

2828
Azure Web PubSub service is more suitable for situations where:
2929

3030
- You need to build real-time applications based on WebSocket technology or publish-subscribe over WebSocket.
3131
- You want to build your own subprotocol or use existing advanced sub-protocols over WebSocket (for example, [GraphQL subscriptions over WebSocket](https://github.com/Azure/azure-webpubsub/tree/main/experimental/sdk/webpubsub-graphql-subscribe)).
32-
- You're looking for a lightweight server, for example, sending messages to client without going through the configured backend.
32+
- You look for a lightweight server, for example, sending messages to client without going through the configured backend.
3333

3434
## Where does my data reside?
3535

36-
Azure Web PubSub does not store any customer data. If you use Azure Web PubSub service together with other Azure services, like Azure Storage for diagnostics, see [Azure Privacy Overview (white paper)](https://go.microsoft.com/fwlink/p/?linkid=2220836) for guidance about how to keep data residency in Azure regions.
36+
Azure Web PubSub doesn't store any customer data. If you use Azure Web PubSub service together with other Azure services, like Azure Storage for diagnostics, see [Azure Privacy Overview (white paper)](https://go.microsoft.com/fwlink/p/?linkid=2220836) for guidance about how to keep data residency in Azure regions.
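Review bot: two of the rewritten bullets read less naturally than the lines they replace. "You're having a SignalR client available for your platform" should be "You have a SignalR client available for your platform" (the progressive form doesn't fit a state), and "You look for a lightweight server" should keep the original "You're looking for a lightweight server", which matches the "You need ..." and "You want ..." bullets above it. The expanded RPC/transports bullet is an improvement, though "You're in need of an established protocol" could simply be "You need an established protocol".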

articles/backup/backup-azure-policy-supported-skus.md

Lines changed: 4 additions & 1 deletion
@@ -2,7 +2,7 @@
22
title: Supported VM SKUs for Azure Policy
33
description: 'An article describing the supported VM SKUs (by Publisher, Image Offer and Image SKU) which are supported for the built-in Azure Policies provided by Backup'
44
ms.topic: reference
5-
ms.date: 09/11/2024
5+
ms.date: 10/16/2024
66
ms.service: azure-backup
77
author: AbhishekMallick-MS
88
ms.author: v-abhmallick
@@ -105,3 +105,6 @@ OpenLogic | CentOS | 6.X, 7.X
105105
OpenLogic | CentOS–LVM | 6.X, 7.X
106106
OpenLogic | CentOS–SRIOV | 6.X, 7.X
107107
cloudera | cloudera-centos-os | 7.X
108+
109+
>[!Caution]
110+
>CentOS is end-of-life. [Learn more](/azure/virtual-machines/workloads/centos/centos-end-of-life).
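Review bot: the alert syntax `>[!Caution]` differs from the `> [!NOTE]` and `> [!IMPORTANT]` form used in the other files in this commit (space after `>`, uppercase keyword); use `> [!CAUTION]` so it renders consistently. Since the CentOS rows directly above remain listed as supported SKUs, the caution should also say what that means for this page: whether the built-in policies still apply to existing CentOS VMs or whether the rows are retained only for reference.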

articles/backup/backup-azure-restore-files-from-vm.md

Lines changed: 4 additions & 1 deletion
@@ -2,7 +2,7 @@
22
title: Recover files and folders from Azure VM backup
33
description: In this article, learn how to recover files and folders from an Azure virtual machine recovery point.
44
ms.topic: how-to
5-
ms.date: 04/12/2024
5+
ms.date: 10/16/2024
66
ms.custom: references_regions
77
ms.service: azure-backup
88
author: AbhishekMallick-MS
@@ -117,6 +117,9 @@ In Linux, the OS of the computer used to restore files must support the file sys
117117
| SLES | 12 and above |
118118
| openSUSE | 42.2 and above |
119119

120+
>[!Caution]
121+
>CentOS is end-of-life. [Learn more](/azure/virtual-machines/workloads/centos/centos-end-of-life).
122+
120123
### Additional components
121124

122125
The script also requires Python and bash components to execute and connect securely to the recovery point.
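Review bot: same alert-syntax point as the backup-azure-policy-supported-skus.md hunk in this commit: `>[!Caution]` should be `> [!CAUTION]` to match the `> [!NOTE]` form used elsewhere. Here the caution sits directly after the supported-OS table, whose only visible rows are SLES and openSUSE; if CentOS appears in the rows above the hunk's context, the caution should name the row it qualifies so it doesn't read as applying to the rows next to it.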
