Commit 2ba7c55

Merge pull request #294057 from MicrosoftDocs/main
02/04/2025 AM Publishing
2 parents a6c2983 + 156808a commit 2ba7c55

41 files changed

+205
-180
lines changed

articles/api-management/validate-client-certificate-policy.md

Lines changed: 9 additions & 4 deletions
@@ -6,7 +6,7 @@ author: dlepow
66

77
ms.service: azure-api-management
88
ms.topic: article
9-
ms.date: 07/23/2024
9+
ms.date: 01/30/2025
1010
ms.author: danlep
1111
---
1212

@@ -73,9 +73,9 @@ For more information about custom CA certificates and certificate authorities, s
7373
| thumbprint | Certificate thumbprint. | No | N/A |
7474
| serial-number | Certificate serial number. | No | N/A |
7575
| common-name | Certificate common name (part of Subject string). | No | N/A |
76-
| subject | Subject string. Must follow format of Distinguished Name. | No | N/A |
76+
| subject | Subject string. Must follow format of Distinguished Name, which consists of comma-separated name attributes, for example, *"CN=MyName, OU=MyOrgUnit, C=US..."*.| No | N/A |
7777
| dns-name | Value of dnsName entry inside Subject Alternative Name claim. | No | N/A |
78-
| issuer-subject | Issuer's subject. Must follow format of Distinguished Name. | No | N/A |
78+
| issuer-subject | Issuer's subject. Must follow format of Distinguished Name, which consists of comma-separated name attributes, for example, *"CN=MyName, OU=MyOrgUnit, C=US..."*. | No | N/A |
7979
| issuer-thumbprint | Issuer thumbprint. | No | N/A |
8080
| issuer-certificate-id | Identifier of existing certificate entity representing the issuer's public key. Mutually exclusive with other issuer attributes. | No | N/A |
8181

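Review bot: The new `subject` row on line 76 closes its description cell as `*.| No` with no space before the pipe, while the `issuer-subject` row on line 78 has `*. | No`; add the space so the two rows match. Both rows also carry the same example string, and the rule about quoting values that contain "," lives only in the new Usage notes section, so a short pointer to that section from these two cells would keep readers from missing it.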
@@ -85,6 +85,11 @@ For more information about custom CA certificates and certificate authorities, s
8585
- [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation
8686
- [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted, workspace
8787

88+
89+
### Usage notes
90+
91+
* You must use double quotes to enclose values of name attributes in the `subject` and `issuer-subject` attributes when they contain certain special characters such as ",". For example, specify `O="Contoso, Inc."` instead of `O=Contoso, Inc.` for the organization name. [Learn more](/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks)
92+
8893
## Example
8994

9095
The following example validates a client certificate to match the policy's default validation rules and checks whether the subject and issuer name match specified values.
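Review bot: The bullet on new line 91 says quoting is needed for "certain special characters such as ","" but never lists them, so the reader has to follow the link to know when a match will fail; name the characters in the bullet or say explicitly that the linked remarks are the list. The bullet should also say how to write the double quotes inside a policy XML attribute that is itself delimited by double quotes. Minor: the "Learn more" link has no closing period, and new line 88 adds a second blank line before the heading when line 87 is already blank.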
@@ -98,7 +103,7 @@ The following example validates a client certificate to match the policy's defau
98103
ignore-error="false">
99104
<identities>
100105
<identity
101-
subject="C=US, ST=Illinois, L=Chicago, O=Contoso Corp., CN=*.contoso.com"
106+
subject="C=US, ST=Illinois, L=Chicago, O="Contoso, Inc.", CN=*.contoso.com"
102107
issuer-subject="C=BE, O=FabrikamSign nv-sa, OU=Root CA, CN=FabrikamSign Root CA" />
103108
</identities>
104109
</validate-client-certificate>
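Review bot: On new line 106 the `subject` attribute is delimited by double quotes and now contains unescaped double quotes around `Contoso, Inc.`, so as XML the attribute value ends at `O=` and the policy is not well formed. Write the inner quotes as `&quot;` (`O=&quot;Contoso, Inc.&quot;`) or delimit the attribute with single quotes, and state that in the usage note so the example and the rule agree.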

articles/app-service/configure-basic-auth-disable.md

Lines changed: 1 addition & 1 deletion
@@ -74,7 +74,7 @@ The following table shows how various deployment methods behave when basic authe
7474
| [GitHub Actions](deploy-continuous-deployment.md?tabs=github) | - An existing GitHub Actions workflow that uses **basic authentication** can't authenticate. In the Deployment Center, disconnect the existing GitHub configuration and create a new GitHub Actions configuration with the **user-assigned identity** option instead. <br/> - If the existing GitHub Actions deployment is [manually configured](deploy-github-actions.md), try using a service principal or OpenID Connect instead. <br/> - For new GitHub Actions configuration in the Deployment Center, use the **user-assigned identity** option. |
7575
| Deployment in [create wizard](https://portal.azure.com/#create/Microsoft.WebSite) | When **Basic authentication** is set to **Disable** and **Continuous deployment** set to **Enable**, GitHub Actions is configured with the **user-assigned identity** option (OpenID Connect). |
7676
| [Azure Repos with App Service Build Service](deploy-continuous-deployment.md?tabs=github) | Doesn't work. |
77-
| [BitBucket](deploy-continuous-deployment.md?tabs=bitbucket) | Doesn't work. |
77+
| [Bitbucket](deploy-continuous-deployment.md?tabs=bitbucket) | Doesn't work. |
7878
| [Azure Pipelines](deploy-azure-pipelines.md) with [AzureWebApp](/azure/devops/pipelines/tasks/reference/azure-web-app-v1) task | Works. |
7979
| [Azure Pipelines](deploy-azure-pipelines.md) with [AzureRmWebAppDeployment](/azure/devops/pipelines/tasks/deploy/azure-rm-web-app-deployment) task | - Use the latest AzureRmWebAppDeployment task to get fallback behavior. <br/> - The **Publish Profile (`PublishProfile`)** connection type doesn't work, because it uses basic authentication. Change the connection type to **Azure Resource Manager (`AzureRM`)**. <br/> - On non-Windows Pipelines agents, authentication works. <br/> - On Windows agents, the [deployment method used by the task](/azure/devops/pipelines/tasks/reference/azure-rm-web-app-deployment-v4#deployment-methods) might need to be modified. When Web Deploy is used (`DeploymentType: 'webDeploy'`) and basic authentication is disabled, the task authenticates with a Microsoft Entra token. There are additional requirements if you're not using the `windows-latest` agent or if you're using a self-hosted agent. For more information, see [I can't Web Deploy to my Azure App Service using Microsoft Entra authentication from my Windows agent](/azure/devops/pipelines/tasks/reference/azure-rm-web-app-deployment-v4#i-cant-web-deploy-to-my-azure-app-service-using-microsoft-entra-id-authentication-from-my-windows-agent).<br/> - Other deployment methods work, such as **zip deploy** or **run from package**. |
8080

articles/app-service/deploy-best-practices.md

Lines changed: 1 addition & 1 deletion
@@ -23,7 +23,7 @@ This section describes the three main components for deploying to App Service.
2323

2424
### Deployment source
2525

26-
A *deployment source* is the location of your application code. For production apps, the deployment source is usually a repository hosted by version control software such as [GitHub, BitBucket, or Azure Repos](deploy-continuous-deployment.md). For development and test scenarios, the deployment source might be [a project on your local machine](deploy-local-git.md).
26+
A *deployment source* is the location of your application code. For production apps, the deployment source is usually a repository hosted by version control software such as [GitHub, Bitbucket, or Azure Repos](deploy-continuous-deployment.md). For development and test scenarios, the deployment source might be [a project on your local machine](deploy-local-git.md).
2727

2828
### Build pipeline
2929

articles/app-service/manage-backup.md

Lines changed: 5 additions & 0 deletions
@@ -182,6 +182,11 @@ To back up and restore over Azure Virtual Network:
182182
1. When configuring [custom backups](#create-a-custom-backup), select **Backup/restore over virtual network integration**.
183183
1. Save your settings by selecting **Configure**.
184184
185+
To enable backup/restore over virtual network for deployment slots, you need to complete the necessary steps specifically for each slot:
186+
187+
- Virtual network integration is enabled for the deployment slots, or the slot is in a v3 [App Service Environment](environment/overview.md).
188+
- The option for backup/restore over virtual network integration is selected for deployment slots.
189+
185190
If you don't see the checkbox, or if the checkbox is disabled, verify that your resources fulfill the requirements.
186191
187192
Once the configuration is saved, any manual backup, scheduled backup, or restore is made through the virtual network. If you make changes to the app, the virtual network, or the storage account that prevent the app from accessing the storage account through the virtual network, the backup or restore operations fail.
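Review bot: The sentence added at line 185 promises "the necessary steps" for each slot, but the two bullets at lines 187 and 188 are written as conditions ("is enabled", "is selected") rather than steps, and they switch between "the deployment slots" and "the slot". Rephrase them as actions to take on each slot, or introduce them as requirements. The new block also lands between the numbered steps and the "If you don't see the checkbox" sentence that refers back to the option selected on line 182; moving the slot paragraph after that sentence keeps the checkbox guidance next to the step it belongs to.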

articles/app-service/migrate-wordpress.md

Lines changed: 1 addition & 1 deletion
@@ -71,7 +71,7 @@ The prerequisite is that the WordPress on Linux Azure App Service must have been
7171

7272
### Manually import the data at destination site
7373

74-
1. Create a new Wordpress app using our [WordPress on Linux App Service template](https://aka.ms/linux-wordpress)
74+
1. Create a new WordPress app using our [WordPress on Linux App Service template](https://aka.ms/linux-wordpress)
7575

7676
2. Open an SSH session using **WebSSH** from the Azure portal.
7777
![Web SSH](./media/app-service-migrate-wordpress/post-startup-script-1.png)

articles/app-service/overview-vnet-integration.md

Lines changed: 2 additions & 1 deletion
@@ -154,7 +154,7 @@ App settings using Key Vault references attempt to get secrets over the public r
154154

155155
> [!NOTE]
156156
> * Configure SSL/TLS certificates from private Key Vaults is currently not supported.
157-
> * App Service Logs to private storage accounts is currently not supported. We recommend using Diagnostics Logging and allowing Trusted Services for the storage account.
157+
158158

159159
### Routing app settings
160160

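Review bot: New line 157 is empty, so the `[!NOTE]` block now holds a one-item bullet list followed by two blank lines (157 and 158) before the "Routing app settings" heading. Drop the added blank line and, with only one item left, turn the remaining bullet on line 156 into a plain sentence.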
@@ -221,6 +221,7 @@ There are some limitations with using virtual network integration:
221221
* You can't delete a virtual network with an integrated app. Remove the integration before you delete the virtual network.
222222
* You can't have more than two virtual network integrations per App Service plan. Multiple apps in the same App Service plan can use the same virtual network integration.
223223
* You can't change the subscription of an app or a plan while there's an app that's using virtual network integration.
224+
* App Service Logs to private storage accounts is currently not supported. We recommend using Diagnostics Logging and allowing Trusted Services for the storage account.
224225

225226
## Access on-premises resources
226227

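Review bot: The bullet added at line 224 is moved verbatim from the Key Vault note and does not match the list it joins, where the neighbouring items are all phrased "You can't". Reword it in the same form, for example "You can't send App Service Logs to a private storage account", and keep the recommendation as a second sentence. "Diagnostics Logging" and "Trusted Services" are named without links; since this is now the only place the workaround appears, link both.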
articles/app-service/overview.md

Lines changed: 1 addition & 1 deletion
@@ -27,7 +27,7 @@ Azure App Service is a fully managed platform as a service (PaaS) offering for d
2727
* **Multiple languages and frameworks** - App Service has first-class support for ASP.NET, ASP.NET Core, Java, Node.js, Python, and PHP. You can also run [PowerShell and other scripts or executables](webjobs-create.md) as background services.
2828
* **Managed production environment** - App Service automatically [patches and maintains the OS and language frameworks](overview-patch-os-runtime.md) for you. Spend time writing great apps and let Azure worry about the platform.
2929
* **Containerization and Docker** - Dockerize your app and host a custom Windows or Linux container in App Service. Run sidecar containers of your choice. Migrate your Docker skills directly to App Service.
30-
* **DevOps optimization** - Set up [continuous integration and deployment](deploy-continuous-deployment.md) with Azure DevOps, GitHub, BitBucket, Docker Hub, or Azure Container Registry. Promote updates through [test and staging environments](deploy-staging-slots.md). Manage your apps in App Service by using [Azure PowerShell](/powershell/azure/) or the [cross-platform command-line interface (CLI)](/cli/azure/install-azure-cli).
30+
* **DevOps optimization** - Set up [continuous integration and deployment](deploy-continuous-deployment.md) with Azure DevOps, GitHub, Bitbucket, Docker Hub, or Azure Container Registry. Promote updates through [test and staging environments](deploy-staging-slots.md). Manage your apps in App Service by using [Azure PowerShell](/powershell/azure/) or the [cross-platform command-line interface (CLI)](/cli/azure/install-azure-cli).
3131
* **Global scale with high availability** - Scale [up](manage-scale-up.md) or [out](/azure/azure-monitor/autoscale/autoscale-get-started) manually or automatically. Host your apps anywhere in the global Microsoft datacenter infrastructure, and the App Service [SLA](https://azure.microsoft.com/support/legal/sla/app-service/) promises high availability.
3232
* **Connections to SaaS platforms and on-premises data** - Choose from [many hundreds of connectors](/connectors/connector-reference/connector-reference-logicapps-connectors) for enterprise systems (such as SAP), SaaS services (such as Salesforce), and internet services (such as Facebook). Access on-premises data using [Hybrid Connections](app-service-hybrid-connections.md) and [Azure Virtual Network](./overview-vnet-integration.md).
3333
* **Security and compliance** - App Service is [ISO, SOC, and PCI compliant](https://www.microsoft.com/trust-center). Create [IP address restrictions](app-service-ip-restrictions.md) and [managed service identities](overview-managed-identity.md). [Protect against subdomain takeovers](reference-dangling-subdomain-prevention.md).

articles/application-gateway/ingress-controller-install-existing.md

Lines changed: 1 addition & 1 deletion
@@ -118,7 +118,7 @@ For this configuration, you need authorization for the AGIC pod to make HTTP req
118118
```
119119
120120
> [!NOTE]
121-
> Make sure the identity that AGIC uses has the **Microsoft.Network/virtualNetworks/subnets/join/action** permission delegated to the subnet where Application Gateway is deployed. If you didn't define a custom role that has this permission, you can use the built-in **Network Contributor** role.
121+
> Please ensure the identity used by AGIC has the proper permissions. A list of permissions needed by the identity can be found here: [Configure Infrastructure - Permissions](configuration-infrastructure.md#permissions). If a custom role is not defined with the required permissions, you may use the _Network Contributor_ role.
122122
123123
### Set up a service principal
124124

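Review bot: The replacement on line 121 drops the two specifics the old note carried, the `Microsoft.Network/virtualNetworks/subnets/join/action` permission and the scope it is delegated at (the subnet where Application Gateway is deployed), and leaves "proper permissions" plus a fallback to _Network Contributor_ with no scope. Keep the link, but state the scope the role should be assigned at so readers do not grant Network Contributor more broadly than the old text described. Also restore "built-in" before the role name and replace "can be found here:" with descriptive link text.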
articles/application-gateway/tutorial-ingress-controller-add-on-new.md

Lines changed: 1 addition & 1 deletion
@@ -57,7 +57,7 @@ az aks create -n myCluster -g myResourceGroup --network-plugin azure --enable-ma
5757
```
5858

5959
> [!NOTE]
60-
> Please ensure the identity used by AGIC has the **Microsoft.Network/virtualNetworks/subnets/join/action** permission delegated to the subnet Application Gateway is deployed into. If a custom role is not defined with this permission, you may use the built-in _Network Contributor_ role, which contains the _Microsoft.Network/virtualNetworks/subnets/join/action_ permission.
60+
> Please ensure the identity used by AGIC has the proper permissions. A list of permissions needed by the identity can be found here: [Configure Infrastructure - Permissions](configuration-infrastructure.md#permissions). If a custom role is not defined with the required permissions, you may use the _Network Contributor_ role.
6161
6262
```azurecli-interactive
6363
# Get application gateway id from AKS addon profile
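Review bot: Line 60 is now word for word the same note as the one in ingress-controller-install-existing.md, so the two copies can drift apart; consider a shared include. The old text here also told the reader that Network Contributor contains `Microsoft.Network/virtualNetworks/subnets/join/action`, and the new text gives no reason why that role is an acceptable fallback or at which scope to assign it. "Please ensure" and "you may use" would read better as "Make sure" and "you can use", matching the wording the other file had before this change.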
