tls policy updates

Author: halkazwini

articles/frontdoor/end-to-end-tls.md

@@ -1,11 +1,12 @@
 ---
-title: TLS encryption with Azure Front Door
+title: TLS encryption
+titleSuffix: Azure Front Door
 description: Learn about end-to-end TLS encryption, supported TLS versions, and supported cipher suites with Azure Front Door.
 author: halkazwini
 ms.author: halkazwini
 ms.service: azure-frontdoor
 ms.topic: concept-article
-ms.date: 03/18/2025
+ms.date: 03/26/2025
 zone_pivot_groups: front-door-tiers
 ---
 
@@ -109,7 +110,7 @@ For your own custom TLS/SSL certificate:
 
 ## Supported cipher suites
 
-For TLS 1.2/1.3 the following cipher suites are supported:
+For TLS 1.2/1.3, the following cipher suites are supported:
 
 - TLS_AES_256_GCM_SHA384 (TLS 1.3 only)
 - TLS_AES_128_GCM_SHA256 (TLS 1.3 only)
@@ -120,7 +121,7 @@ For TLS 1.2/1.3 the following cipher suites are supported:
 - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 
 - TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 
-Azure Front Door doesn’t support disabling or configuring specific cipher suites for your profile.
+To configure specific cipher suites for your profile, use TLS policy. Azure Front Door Standard and Premium offer two mechanisms for controlling TLS policy. You can use either a predefined policy or a custom policy per your own needs. For more information, see [Configure TLS policy on a Front Door custom domain](standard-premium/tls-policy-configure.md).
 
 > [!NOTE]
 > For Windows 10 and later versions, we recommend enabling one or both of the ECDHE_GCM cipher suites for better security. Windows 8.1, 8, and 7 aren't compatible with these ECDHE_GCM cipher suites. The ECDHE_CBC and DHE cipher suites have been provided for compatibility with those operating systems. 
@@ -129,6 +130,7 @@ Azure Front Door doesn’t support disabling or configuring specific cipher suit
 
 ::: zone pivot="front-door-standard-premium"
 
+- [Azure Front Door TLS policy](standard-premium/tls-policy.md)
 - [Domains in Azure Front Door](domain.md)
 - [Configure a custom domain on Azure Front Door](standard-premium/how-to-add-custom-domain.md)
 

articles/frontdoor/media/tls-policy-configure/tls-policy.png renamed to articles/frontdoor/media/add-domain.png

@@ -1,11 +1,13 @@
 ---
-title: 'How to add a custom domain - Azure Front Door'
+title: How to add a custom domain
+titleSuffix: Azure Front Door
 description: In this article, you learn how to onboard a custom domain to an Azure Front Door profile by using the Azure portal.
 author: halkazwini
 ms.author: halkazwini
 ms.service: azure-frontdoor
 ms.topic: how-to
-ms.date: 11/12/2024
+ms.date: 03/26/2025
+
 #Customer intent: As a website owner, I want to add a custom domain to my Azure Front Door configuration so that my users can use my custom domain to access my content.
 ---
 
@@ -35,11 +37,11 @@ To configure a custom domain, go to the **Domains** pane of your Azure Front Doo
 
     * **Non-Azure validated domain**: The domain requires ownership validation. We recommend using the Azure-managed DNS option. You can also use your own DNS provider. If you choose Azure-managed DNS, select an existing DNS zone and either select an existing custom subdomain or create a new one. If you're using another DNS provider, manually enter the custom domain name. Then select **Add** to add your custom domain.
 
-        :::image type="content" source="../media/how-to-add-custom-domain/add-domain-page.png" alt-text="Screenshot that shows the Add a domain pane.":::
+        :::image type="content" source="../media/add-domain.png" alt-text="Screenshot that shows the Add a domain pane." lightbox="../media/add-domain.png":::
 
     * **Azure pre-validated domain**: The domain is already validated by another Azure service, so domain ownership validation isn't required from Azure Front Door. A dropdown list of validated domains by different Azure services appear.
 
-        :::image type="content" source="../media/how-to-add-custom-domain/pre-validated-custom-domain.png" alt-text="Screenshot that shows Prevalidated custom domains on the Add a domain pane.":::
+        :::image type="content" source="../media/pre-validated-custom-domain.png" alt-text="Screenshot that shows Prevalidated custom domains on the Add a domain pane.":::
 
     > [!NOTE]
     > * Azure Front Door supports both Azure-managed certificates and Bring Your Own Certificates (BYOCs). For non-Azure validated domains, Azure-managed certificates are issued and managed by Azure Front Door. For Azure prevalidated domains, the Azure-managed certificate is issued and managed by the Azure service that validates the domain. To use your own certificate, see [Configure HTTPS on a custom domain](how-to-configure-https-custom-domain.md).
@@ -87,7 +89,7 @@ After validating your custom domain, you can associate it with your Azure Front
 
     > [!NOTE]
     > * If HTTPS is enabled, certificate provisioning and propagation might take a few minutes as it propagates to all edge locations.
-    > * If your domain CNAME is indirectly pointed to an Azure Front Door endpoint, such as through Azure Traffic Manager for multi-CDN failover, the **DNS state** column may show **CNAME/Alias record currently not detected**. Azure Front Door can't guarantee 100% detection of the CNAME record in this scenario. If you configured an Azure Front Door endpoint to Traffic Manager and still see this message, it doesn't necessarily mean there is an issue with your setup. No further action is required.
+    > * If your domain CNAME is indirectly pointed to an Azure Front Door endpoint, such as through Azure Traffic Manager for multi-CDN failover, the **DNS state** column may show **CNAME/Alias record currently not detected**. Azure Front Door can't guarantee 100% detection of the CNAME record in this scenario. If you configured an Azure Front Door endpoint to Traffic Manager and still see this message, it doesn't necessarily mean there's an issue with your setup. No further action is required.
 
 ## Verify the custom domain
 
@@ -97,8 +99,8 @@ After validating and associating the custom domain, ensure that the custom domai
 
 Finally, verify that your application content is being served by using a browser.
 
-## Next steps
+## Related content
 
-* Learn how to [enable HTTPS for your custom domain](how-to-configure-https-custom-domain.md).
-* Learn more about [custom domains in Azure Front Door](../domain.md).
-* Learn about [end-to-end TLS with Azure Front Door](../end-to-end-tls.md).
+- [Enable HTTPS on your custom domain](how-to-configure-https-custom-domain.md)
+- [Custom domains in Azure Front Door](../domain.md)
+- [End-to-end TLS with Azure Front Door](../end-to-end-tls.md)

articles/frontdoor/media/how-to-add-custom-domain/add-domain-page.png

@@ -1,16 +1,17 @@
 ---
-title: 'Configure HTTPS for your custom domain - Azure Front Door'
-description: In this article, you learn how to configure HTTPS on an Azure Front Door custom domain by using the Azure portal.
+title: Configure HTTPS for your custom domain
+titleSuffix: Azure Front Door
+description: In this article, you learn how to configure HTTPS on an Azure Front Door custom domain using the Azure portal.
 author: halkazwini
 ms.author: halkazwini
 ms.service: azure-frontdoor
 ms.topic: how-to
-ms.date: 04/30/2024
+ms.date: 03/26/2025
 
 #Customer intent: As a website owner, I want to add a custom domain to my Azure Front Door configuration so that my users can use my custom domain to access my content.
 ---
 
-# Configure HTTPS on an Azure Front Door custom domain by using the Azure portal
+# Configure HTTPS on an Azure Front Door custom domain using the Azure portal
 
 Azure Front Door enables secure Transport Layer Security (TLS) delivery to your applications by default when you use your own custom domains. To learn more about custom domains, including how custom domains work with HTTPS, see [Domains in Azure Front Door](../domain.md).
 
@@ -50,7 +51,7 @@ If you have your own domain, and the domain is associated with [another Azure se
 
 1. On the **Add a domain** pane, enter or select the following information. Then select **Add** to onboard the custom domain.
 
-    :::image type="content" source="../media/how-to-configure-https-custom-domain/add-pre-validated-domain.png" alt-text="Screenshot that shows the Add a domain pane with a prevalidated domain.":::
+    :::image type="content" source="../media/pre-validated-custom-domain.png" alt-text="Screenshot that shows the Add a domain pane with a prevalidated domain.":::
 
     | Setting | Value |
     |--|--|
@@ -81,7 +82,7 @@ There are currently two ways to authenticate Azure Front Door to access your Key
 
 #### Register Azure Front Door
 
-Register the service principal for Azure Front Door as an app in your Microsoft Entra ID by using Microsoft Graph PowerShell or the Azure CLI.
+Register the service principal for Azure Front Door as an app in your Microsoft Entra ID using Microsoft Graph PowerShell or the Azure CLI.
 
 > [!NOTE]
 > * This action requires you to have User Access Administrator permissions in Microsoft Entra ID. The registration only needs to be performed *once per Microsoft Entra tenant*.
@@ -99,7 +100,7 @@ Register the service principal for Azure Front Door as an app in your Microsoft
      New-MgServicePrincipal -AppId '205478c0-bd83-4e1b-a9d6-db63a3e1e1c8'
      ```
 
-    Azure government cloud:
+    Azure Government cloud:
 
     ```azurepowershell-interactive
      New-MgServicePrincipal -AppId 'd4631ece-daab-479b-be77-ccb713491fc0'
@@ -117,7 +118,7 @@ Register the service principal for Azure Front Door as an app in your Microsoft
     az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8
     ```
 
-    Azure government cloud:
+    Azure Government cloud:
 
     ```azurecli-interactive
      az ad sp create --id d4631ece-daab-479b-be77-ccb713491fc0
@@ -184,8 +185,8 @@ You can change a domain between using an Azure Front Door-managed certificate an
 
 1. Select **Update** to change the associated certificate with a domain.
 
-## Next steps
+## Related content
 
-* Learn about [caching with Azure Front Door Standard/Premium](../front-door-caching.md).
-* [Understand custom domains](../domain.md) on Azure Front Door.
-* Learn about [end-to-end TLS with Azure Front Door](../end-to-end-tls.md).
+- Learn about [caching with Azure Front Door Standard/Premium](../front-door-caching.md)
+- [Understand custom domains](../domain.md) on Azure Front Door
+- Learn about [end-to-end TLS with Azure Front Door](../end-to-end-tls.md)

articles/frontdoor/media/how-to-add-custom-domain/pre-validated-custom-domain.png

@@ -39,7 +39,7 @@ In this article, you learn how to configure TLS policy on a Front Door custom do
 
 1. For **TLS policy**, select the predefined policy from the dropdown list or **Custom** to customize the cipher suites per your needs.
 
-    :::image type="content" source="../media/tls-policy-configure/tls-policy.png" alt-text="Screenshot that shows the TLS policy option in Add a domain page." lightbox="../media/tls-policy-configure/tls-policy.png":::
+    :::image type="content" source="../media/add-domain.png" alt-text="Screenshot that shows the TLS policy option in Add a domain page." lightbox="../media/add-domain.png":::
 
     You can view the supported cipher suites by selecting **View policy details**.