Merge branch 'main' into release-preview-sentinel-lake

Author: v-alje

articles/api-management/TOC.yml

@@ -680,6 +680,8 @@
       href: breaking-changes/git-configuration-retirement-march-2025.md
     - name: Direct management API retirement (March 2025)
       href: breaking-changes/direct-management-api-retirement-march-2025.md
+    - name: Managed certificates suspension (August 2025)
+      href: breaking-changes/managed-certificates-suspension-august-2025.md
     - name: ADAL-based identity provider retirement (September 2025)
       href: breaking-changes/identity-provider-adal-retirement-sep-2025.md
     - name: CAPTCHA endpoint update (September 2025)

articles/api-management/breaking-changes/managed-certificates-suspension-august-2025.md

@@ -0,0 +1,39 @@
+---
+title: Azure API Management - Managed certificates suspension for new custom domains (August 2025)
+description: Azure API Management is temporarily suspending managed certificates for new custom domains from August 15, 2025 to March 15, 2026 due to industry-wide changes in domain validation.
+services: api-management
+author: dlepow
+ms.service: azure-api-management
+ms.topic: reference
+ai-usage: ai-assisted
+ms.date: 07/18/2025
+ms.author: danlep
+---
+
+# Managed certificates suspension for new custom domains (August 2025)
+
+[!INCLUDE [premium-dev-standard-basic.md](../../../includes/api-management-availability-premium-dev-standard-basic.md)]
+
+Azure managed certificates for new custom domains in API Management will be temporarily turned off from August 15, 2025 to March 15, 2026. Existing managed certificates will be autorenewed and remain unaffected.
+
+In the classic service tiers, Azure API Management offers [free, managed TLS certificates for custom domains](../configure-custom-domain.md#domain-certificate-options), allowing customers to secure their endpoints without purchasing and managing their own certificates. Because of an industry-wide deprecation of CNAME-based Domain Control Validation (DCV), our Certificate Authority (CA), DigiCert, will migrate to a new validation platform to meet Multi-Perspective Issuance Corroboration (MPIC) requirements. This migration requires a temporary suspension of managed certificates for new custom domains.
+
+## Is my service affected by this?
+
+You're affected if you plan to create new managed certificates for new custom domains in Azure API Management between August 15, 2025 and March 15, 2026. Existing managed certificates will be autorenewed before August 15, 2025 and will continue to function normally. There's no impact to existing managed certificates or custom domains already using them.
+
+## What is the deadline for the change?
+
+The suspension of managed certificates for new custom domains will be enforced from August 15, 2025 to March 15, 2026. The capability to create managed certificates will resume after the migration to the new validation platform is complete.
+
+## What do I need to do?
+
+No action is required if you already have managed certificates for your custom domains. If you need to add new managed certificates, plan to do so before August 15, 2025 or after March 15, 2026. During the suspension period, you can still configure custom domains with certificates you manage from other sources.
+
+## Help and support
+
+If you have questions, get answers from community experts in [Microsoft Q&A](https://aka.ms/apim/azureqa/change/captcha-2022). If you have a support plan and need technical help, create a [support request](https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview).
+
+## Related content
+
+See all [upcoming breaking changes and feature retirements](overview.md).

articles/api-management/breaking-changes/overview.md

@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: reference
-ms.date: 05/30/2025
+ms.date: 07/17/2025
 ms.author: danlep
 ---
 
@@ -30,6 +30,7 @@ The following table lists all the upcoming breaking changes and feature retireme
 | [Git repository retirement][git2025] | March 15, 2025 |
 | [Direct management API retirement][mgmtapi2025] | March 15, 2025 |
 | [Workspaces preview breaking changes, part 2][workspaces2025march] | March 31, 2025 |
+| [Managed certificates suspension][managed-certificates-suspension-august-2025] | August 15, 2025 |
 | [ADAL-based Microsoft Entra ID identity provider retirement][msal2025] | September 30, 2025 |
 | [CAPTCHA endpoint update][captcha2025] | September 30, 2025 |
 | [Built-in analytics dashboard retirement][analytics2027] | March 15, 2027 |
@@ -50,3 +51,4 @@ The following table lists all the upcoming breaking changes and feature retireme
 [mgmtapi2025]: ./direct-management-api-retirement-march-2025.md
 [workspaces2024]: ./workspaces-breaking-changes-june-2024.md
 [workspaces2025march]: ./workspaces-breaking-changes-march-2025.md
+[managed-certificates-suspension-august-2025]: ./managed-certificates-suspension-august-2025.md

articles/app-service/app-service-web-configure-tls-mutual-auth.md

@@ -15,6 +15,8 @@ ms.custom: devx-track-csharp, devx-track-extended-java, devx-track-js, devx-trac
 
 # Configure TLS mutual authentication in Azure App Service
 
+[!INCLUDE [app-service-managed-certificate](./includes/managed-certs/managed-certs-note.md)]
+
 You can restrict access to your Azure App Service app by enabling various types of authentication for the app. One way to set up authentication is to request a client certificate when the client request is sent by using Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and to validate the certificate. This mechanism is called *mutual authentication* or *client certificate authentication*. This article shows how to set up your app to use client certificate authentication.
 
 > [!NOTE]

articles/app-service/app-service-web-tutorial-custom-domain.md

@@ -13,6 +13,8 @@ author: msangapu-msft
 
 # Set up an existing custom domain in Azure App Service
 
+[!INCLUDE [app-service-managed-certificate](./includes/managed-certs/managed-certs-note.md)]
+
 [Azure App Service](overview.md) provides a highly scalable, self-patching web hosting service. This guide shows you how to map an existing custom Domain Name System (DNS) name to App Service. To migrate a live site and its DNS domain name to App Service with no downtime, see [Migrate an active DNS name to Azure App Service](manage-custom-dns-migrate-domain.md).
 
 The DNS record type you need to add with your domain provider depends on the domain you want to add to App Service.

articles/app-service/configure-domain-traffic-manager.md

@@ -12,9 +12,7 @@ ms.author: msangapu
 
 [!INCLUDE [web-selector](../../includes/websites-custom-domain-selector.md)]
 
-> [!NOTE]
-> For Cloud Services, see 
-[Configuring a custom domain name for an Azure cloud service](../cloud-services/cloud-services-custom-domain-name-portal.md).
+[!INCLUDE [app-service-managed-certificate](./includes/managed-certs/managed-certs-note.md)]
 
 When you use [Azure Traffic Manager](../traffic-manager/index.yml) to load balance traffic to [Azure App Service](overview.md), the App Service app can be accessed using **\<traffic-manager-endpoint>.trafficmanager.net**. You can assign a custom domain name, such as www\.contoso.com, with your App Service app in order to provide a more recognizable domain name for your users.
 

articles/app-service/configure-ssl-app-service-certificate.md

@@ -13,6 +13,8 @@ author: msangapu-msft
 
 # Buy and manage App Service certificates
 
+[!INCLUDE [app-service-managed-certificate](./includes/managed-certs/managed-certs-note.md)]
+
 This article shows you how to create an Azure App Service certificate and perform management tasks like renewing, synchronizing, and deleting certificates. After you have an App Service certificate, you can then import it into an App Service app. An App Service certificate is a private certificate that Azure manages. It combines the simplicity of automated certificate management and the flexibility of renewal and export options.
 
 If you purchase an App Service certificate from Azure, Azure manages the following tasks:

articles/app-service/configure-ssl-bindings.md

@@ -13,6 +13,8 @@ author: msangapu-msft
 ---
 # Enable HTTPS for a custom domain in Azure App Service
 
+[!INCLUDE [app-service-managed-certificate](./includes/managed-certs/managed-certs-note.md)]
+
 This article shows you how to provide security for the [custom domain](app-service-web-tutorial-custom-domain.md) in your [Azure App Service app](./index.yml) or [function app](../azure-functions/index.yml) by creating a certificate binding. When you're finished, you can access your App Service app at the `https://` endpoint for your custom Domain Name System (DNS) name. An example is `https://www.contoso.com`.
 
 ![Screenshot that shows a web app with a custom TLS/SSL certificate.](./media/configure-ssl-bindings/app-with-custom-ssl.png)

articles/app-service/configure-ssl-certificate-in-code.md

@@ -12,6 +12,8 @@ author: msangapu-msft
 
 # Use TLS/SSL certificates in your application code
 
+[!INCLUDE [app-service-managed-certificate](./includes/managed-certs/managed-certs-note.md)]
+
 In your application code, you can access the [public or private certificates that you add to Azure App Service](configure-ssl-certificate.md). Your app code might act as a client and access an external service that requires certificate authentication. It might also need to perform cryptographic tasks. This article shows how to use public or private certificates in your application code.
 
 This approach to using certificates in your code makes use of the Transport Layer Security (TLS) functionality in App Service, which requires your app to be in the Basic tier or higher. If your app is in the Free or Shared tier, you can [include the certificate file in your app repository](#load-a-certificate-from-a-file).

articles/app-service/configure-ssl-certificate.md

@@ -13,6 +13,8 @@ author: msangapu-msft
 
 # Add and manage TLS/SSL certificates in Azure App Service
 
+[!INCLUDE [app-service-managed-certificate](./includes/managed-certs/managed-certs-note.md)]
+
 You can add digital security certificates to [use in your application code](configure-ssl-certificate-in-code.md) or to [help secure custom Domain Name System (DNS) names](configure-ssl-bindings.md) in [Azure App Service](overview.md). App Service provides a highly scalable, self-patching web hosting service. The certificates are currently called Transport Layer Security (TLS) certificates. They were previously known as Secure Sockets Layer (SSL) certificates. These private or public certificates help you to secure internet connections. The certificates encrypt data sent between your browser, websites that you visit, and the website server.
 
 The following table lists the options for you to add certificates in App Service.