added boilerplate notes to mitigate SFI issues

KarlErickson · KarlErickson · commit 5d1d77ae8050 · 2024-11-21T16:04:38.000-08:00
diff --git a/articles/azure-functions/functions-event-hub-cosmos-db.md b/articles/azure-functions/functions-event-hub-cosmos-db.md
@@ -244,6 +244,9 @@ Your function app will need to access the other resources to work correctly. The
 
 Use the following commands to retrieve the storage, event hub, and Azure Cosmos DB connection strings and save them in environment variables:
 
+> [!NOTE]
+> Microsoft recommends using the most secure authentication flow available. The authentication flow described in this procedure, such as for databases, caches, messaging, or AI services, requires a very high degree of trust in the application and carries risks not present in other flows. Use this flow only when more secure options, like managed identities for passwordless or keyless connections, are not viable. For local machine operations, prefer user identities for passwordless or keyless connections.
+
 # [Bash](#tab/bash)
 
 ```azurecli-interactive
@@ -417,6 +420,9 @@ rmdir /s /q src\test
 
 For local testing, your function project will need the connection strings that you added to your function app in Azure earlier in this tutorial. Use the following Azure Functions Core Tools command, which retrieves all the function app settings stored in the cloud and adds them to your `local.settings.json` file:
 
+> [!NOTE]
+> Microsoft recommends using the most secure authentication flow available. The authentication flow described in this procedure, such as for databases, caches, messaging, or AI services, requires a very high degree of trust in the application and carries risks not present in other flows. Use this flow only when more secure options, like managed identities for passwordless or keyless connections, are not viable. For local machine operations, prefer user identities for passwordless or keyless connections.
+
 # [Bash](#tab/bash)
 
 ```Bash
@@ -662,6 +668,9 @@ In this tutorial, you learned how to create an Azure Function that handles Event
 
 This tutorial used environment variables and application settings to store secrets such as connection strings. For information on storing these secrets in Azure Key Vault, see [Use Key Vault references for App Service and Azure Functions](../app-service/app-service-key-vault-references.md).
 
+> [!NOTE]
+> Microsoft recommends using the most secure authentication flow available. The authentication flow described in this procedure, such as for databases, caches, messaging, or AI services, requires a very high degree of trust in the application and carries risks not present in other flows. Use this flow only when more secure options, like managed identities for passwordless or keyless connections, are not viable. For local machine operations, prefer user identities for passwordless or keyless connections.
+
 Next, learn how to use Azure Pipelines CI/CD for automated deployment:
 
 > [!div class="nextstepaction"]
diff --git a/articles/spring-apps/basic-standard/how-to-use-grpc.md b/articles/spring-apps/basic-standard/how-to-use-grpc.md
@@ -266,6 +266,8 @@ You can now configure the server and deploy the application.
 
 Use the following command to deploy the newly built JAR file to your Azure Spring Apps instance.
 
+[!INCLUDE [security-note](../includes/security-note.md)]
+
 ```azurecli
 az spring app deploy \
     --name ${CUSTOMERS_SERVICE} \
diff --git a/articles/spring-apps/basic-standard/includes/quickstart-deploy-event-driven-app/deploy-event-driven-app-enterprise-plan.md b/articles/spring-apps/basic-standard/includes/quickstart-deploy-event-driven-app/deploy-event-driven-app-enterprise-plan.md
@@ -86,6 +86,8 @@ Use the following steps to connect your service instances:
 
 1. Configure the **Next: Authentication** tab with the following information:
 
+   [!INCLUDE [security-note](../../../includes/security-note.md)]
+
    - **Select the authentication type you'd like to use between your compute service and target service.**: Select **Connection string**.
 
 1. Select **Next: Networking**. Use the default option **Configure firewall rules to enable access to target service**.
@@ -200,6 +202,8 @@ You've now created both the Service Bus and the app in Azure Spring Apps, but th
 
 1. Get the Service Bus's connection string by using the following command:
 
+   [!INCLUDE [security-note](../../../includes/security-note.md)]
+
    ```azurecli
    export SERVICE_BUS_CONNECTION_STRING=$( \
        az servicebus namespace authorization-rule keys list \
diff --git a/articles/spring-apps/basic-standard/includes/quickstart-deploy-web-app/deploy-enterprise-plan.md b/articles/spring-apps/basic-standard/includes/quickstart-deploy-web-app/deploy-enterprise-plan.md
@@ -85,6 +85,8 @@ Use the following steps to connect your service instances:
 
 1. Configure the **Next: Authentication** tab with the following information:
 
+   [!INCLUDE [security-note](../../../includes/security-note.md)]
+
    - **Select the authentication type you'd like to use between your compute service and target service.**: Select **Connection string**.
    - **Continue with...**: Select **Database credentials**
    - **Username**: *myadmin*
@@ -102,6 +104,8 @@ Use the following steps to connect your service instances:
 
 Create variables to hold the resource names by using the following commands. Be sure to replace the placeholders with your own values.
 
+[!INCLUDE [security-note](../../../includes/security-note.md)]
+
 ```azurecli
 export RESOURCE_GROUP=<resource-group-name>
 export LOCATION=<location>
@@ -178,6 +182,8 @@ The Spring web app uses H2 for the database in localhost, and Azure Database for
 
 Use the following command to create a PostgreSQL instance:
 
+[!INCLUDE [security-note](../../../includes/security-note.md)]
+
 ```azurecli
 az postgres flexible-server create \
     --name ${POSTGRESQL_SERVER} \
@@ -204,6 +210,8 @@ After the application instance and the PostgreSQL instance are created, the appl
 
 1. Use the following command to provide the `spring.datasource.` properties to the app through environment variables:
 
+   [!INCLUDE [security-note](../../../includes/security-note.md)]
+
    ```azurecli
    az spring app update \
        --service ${AZURE_SPRING_APPS_NAME} \
diff --git a/articles/spring-apps/consumption-dedicated/quickstart-apps-autoscale-standard-consumption.md b/articles/spring-apps/consumption-dedicated/quickstart-apps-autoscale-standard-consumption.md
@@ -71,7 +71,9 @@ Use the following steps to define autoscale settings and rules.
 
 ### [Azure CLI](#tab/azure-cli)
 
-Use the following commands to create an application in Azure Spring Apps with an autoscaling rule, based on [Keda Azure Service Bus Scaler](https://keda.sh/docs/2.8/scalers/azure-service-bus/).   
+Use the following commands to create an application in Azure Spring Apps with an autoscaling rule, based on [Keda Azure Service Bus Scaler](https://keda.sh/docs/2.8/scalers/azure-service-bus/).
+
+[!INCLUDE [security-note](../includes/security-note.md)]
 
 ```azurecli-interactive
 az spring app create \
@@ -101,6 +103,8 @@ For information on defining custom rules, see [Keda scalers](https://keda.sh/doc
 
 The following CLI commands show you how to autoscale your Spring application based on [Keda MySQL Scaler](https://keda.sh/docs/2.8/scalers/mysql/). First, create a secret to store your SQL connection string. This secret is used for your scale rule authentication. Then, set up a rule which scales the app based on the rows count of a table.
 
+[!INCLUDE [security-note](../includes/security-note.md)]
+
 ```azurecli-interactive
 az spring app update \
     --resource-group <resource-group-name> \
diff --git a/articles/spring-apps/enterprise/includes/quickstart-deploy-restful-api-app/deploy-restful-api-app-with-enterprise-plan.md b/articles/spring-apps/enterprise/includes/quickstart-deploy-restful-api-app/deploy-restful-api-app-with-enterprise-plan.md
@@ -82,6 +82,8 @@ Use the following steps to connect your service instances:
 
 1. Configure the **Next: Authentication** tab with the following information:
 
+   [!INCLUDE [security-note](../../../includes/security-note.md)]
+
    - **Select the authentication type you'd like to use between your compute service and target service.**: Select **Connection string**.
    - **Continue with...**: Select **Database credentials**
    - **Username**: *myadmin*
@@ -107,6 +109,8 @@ Use the following steps to connect your service instances:
 
 Create variables to hold the resource names by using the following commands. Be sure to replace the placeholders with your own values.
 
+[!INCLUDE [security-note](../../../includes/security-note.md)]
+
 ```azurecli
 export RESOURCE_GROUP=myresourcegroup
 export LOCATION=<location>
@@ -211,6 +215,8 @@ The Spring web app uses H2 for the database in localhost and Azure Database for
 
 Use the following command to create a PostgreSQL instance:
 
+[!INCLUDE [security-note](../../../includes/security-note.md)]
+
 ```azurecli
 az postgres flexible-server create \
     --name ${POSTGRESQL_SERVER} \
@@ -237,6 +243,8 @@ After the application instance and the PostgreSQL instance are created, the appl
 
 1. Use the following command to provide the `spring.datasource.` properties to the app through environment variables:
 
+   [!INCLUDE [security-note](../../../includes/security-note.md)]
+
    ```azurecli
    az spring app update \
        --service ${AZURE_SPRING_APPS_NAME} \
@@ -424,6 +432,8 @@ Use the following steps to register the client application:
 
 Use the following command to create a member user in your Microsoft Entra tenant. Then, the user can manage the data of the `ToDo` application through RESTful APIs:
 
+[!INCLUDE [security-note](../../../includes/security-note.md)]
+
 ```azurecli
 az ad user create \
     --display-name ${NEW_MEMBER_USERNAME} \
diff --git a/articles/spring-apps/enterprise/quickstart-integrate-azure-database-and-redis-enterprise.md b/articles/spring-apps/enterprise/quickstart-integrate-azure-database-and-redis-enterprise.md
@@ -38,6 +38,8 @@ To add persistence to the application, create an Azure Cache for Redis and an Az
 
 The following steps describe how to provision an Azure Cache for Redis instance and an Azure Database for PostgreSQL Flexible Server by using the Azure CLI.
 
+[!INCLUDE [security-note](../includes/security-note.md)]
+
 1. Create variables to hold the resource names by using the following commands. Be sure to replace the placeholders with your own values.
 
    ```azurecli
@@ -66,6 +68,8 @@ The following steps describe how to provision an Azure Cache for Redis instance
 
 1. Use the following command to create an Azure Database for PostgreSQL Flexible Server instance:
 
+   [!INCLUDE [security-note](../includes/security-note.md)]
+
    ```azurecli
    az postgres flexible-server create \
        --resource-group ${RESOURCE_GROUP} \
@@ -131,6 +135,8 @@ To deploy this template, follow these steps:
 
 1. Enter values for the following fields:
 
+   [!INCLUDE [security-note](../includes/security-note.md)]
+
    - **Resource Group:** Select **Create new**, enter a unique name for the **resource group**, and then select **OK**.
    - **cacheName:** Enter the name for the Azure Cache for Redis Server.
    - **dbServerName:** Enter the name for the Azure Database for PostgreSQL Flexible Server.
@@ -148,6 +154,8 @@ The following steps show how to bind applications running in the Azure Spring Ap
 
 1. Use the following command to create a service connector to Azure Database for PostgreSQL for the Order Service application:
 
+   [!INCLUDE [security-note](../includes/security-note.md)]
+
    ```azurecli
    az spring connection create postgres-flexible \
        --resource-group ${RESOURCE_GROUP} \
@@ -164,6 +172,8 @@ The following steps show how to bind applications running in the Azure Spring Ap
 
 1. Use the following command to create a service connector to Azure Database for PostgreSQL for the Catalog Service application:
 
+   [!INCLUDE [security-note](../includes/security-note.md)]
+
    ```azurecli
    az spring connection create postgres-flexible \
        --resource-group ${RESOURCE_GROUP} \
@@ -219,6 +229,8 @@ The following steps show how to bind applications running in the Azure Spring Ap
 
 1. Use the following command to update the Order Service application:
 
+   [!INCLUDE [security-note](../includes/security-note.md)]
+
    ```azurecli
    az spring app update \
        --resource-group ${RESOURCE_GROUP} \
@@ -229,6 +241,8 @@ The following steps show how to bind applications running in the Azure Spring Ap
 
 1. Use the following commands to retrieve Redis connection information and update the Cart Service application:
 
+   [!INCLUDE [security-note](../includes/security-note.md)]
+
    ```azurecli
    export REDIS_CONN_STR=$(az spring connection show \
        --resource-group ${RESOURCE_GROUP} \
diff --git a/articles/spring-apps/enterprise/quickstart-key-vault-enterprise.md b/articles/spring-apps/enterprise/quickstart-key-vault-enterprise.md
@@ -38,6 +38,8 @@ The following instructions describe how to create a Key Vault and securely save
 
 1. Create variables to hold the resource names by using the following commands. Be sure to replace the placeholders with your own values.
 
+   [!INCLUDE [security-note](../includes/security-note.md)]
+
    ```azurecli
    export RESOURCE_GROUP=<resource-group-name>
    export KEY_VAULT_NAME=<key-vault-name>
@@ -76,6 +78,8 @@ The following instructions describe how to create a Key Vault and securely save
 
 1. Use the following commands to store the database login credentials in Key Vault:
 
+   [!INCLUDE [security-note](../includes/security-note.md)]
+
    ```azurecli
    az keyvault secret set \
        --vault-name ${KEY_VAULT_NAME} \
@@ -90,6 +94,8 @@ The following instructions describe how to create a Key Vault and securely save
 
 1. Use the following command to store the database connection string in Key Vault for the Order Service application:
 
+   [!INCLUDE [security-note](../includes/security-note.md)]
+
    ```azurecli
    az keyvault secret set \
        --vault-name ${KEY_VAULT_NAME} \
@@ -99,6 +105,8 @@ The following instructions describe how to create a Key Vault and securely save
 
 1. Use the following commands to retrieve Redis connection properties and store them in Key Vault:
 
+   [!INCLUDE [security-note](../includes/security-note.md)]
+
    ```azurecli
    export REDIS_HOST=$(az redis show \
        --resource-group ${RESOURCE_GROUP} \
@@ -259,6 +267,8 @@ After granting access to read secrets from Key Vault, use the following steps to
 
 1. Use the following command to update the Order Service environment with the URI to access Key Vault:
 
+   [!INCLUDE [security-note](../includes/security-note.md)]
+
    ```azurecli
    az spring app update \
        --resource-group ${RESOURCE_GROUP} \
diff --git a/articles/spring-apps/includes/security-note.md b/articles/spring-apps/includes/security-note.md
@@ -0,0 +1,10 @@
+---
+author: KarlErickson
+ms.author: karler
+ms.service: azure-spring-apps
+ms.topic: include
+ms.date: 11/21/2024
+---
+
+> [!NOTE]
+> Microsoft recommends using the most secure authentication flow available. The authentication flow described in this procedure, such as for databases, caches, messaging, or AI services, requires a very high degree of trust in the application and carries risks not present in other flows. Use this flow only when more secure options, like managed identities for passwordless or keyless connections, are not viable. For local machine operations, prefer user identities for passwordless or keyless connections.
