Commit 7005656

Merge pull request #302742 from MicrosoftDocs/main
Auto Publish – main to live - 2025-07-15 11:00 UTC
2 parents 4e70375 + 625994a commit 7005656

19 files changed

+288
-139
lines changed

articles/application-gateway/application-gateway-configure-listener-specific-ssl-policy.md

Lines changed: 8 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,10 @@ ms.author: mbender
1212

1313
# Configure listener-specific SSL policies on Application Gateway through portal
1414

15-
This article describes how to use the Azure portal to configure listener-specific SSL policies on your Application Gateway. Listener-specific SSL policies allow you to configure specific listeners to use different SSL policies from each other. You'll still be able to set a default SSL policy that all listeners will use unless overwritten by the listener-specific SSL policy.
15+
This article describes how to use the Azure portal to configure listener-specific SSL policies on your Application Gateway. Listener-specific SSL policies allow you to configure specific listeners to use different SSL policies from each other. You'll still be able to set a default SSL policy that all listeners use unless overwritten by the listener-specific SSL policy.
16+
17+
> [!IMPORTANT]
18+
> Starting **August 31, 2025**, all clients and backend servers interacting with Azure Application Gateway must use Transport Layer Security (TLS) 1.2 or higher, as [support for TLS 1.0 and 1.1 will be discontinued](https://azure.microsoft.com/updates/azure-application-gateway-support-for-tls-10-and-tls-11-will-end-by-31-august-2025).
1619
1720
> [!NOTE]
1821
> Only Standard_v2 and WAF_v2 SKUs support listener specific policies as listener specific policies are part of SSL profiles, and SSL profiles are only supported on v2 gateways.
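Review bot: The IMPORTANT callout added at new lines 17-18 gives the August 31, 2025 cutoff but does not say what it means for the subject of this article. Suggest one more sentence stating whether an SSL profile whose listener-specific policy still allows TLS 1.0 or 1.1 has to be changed before that date. On new line 15, "unless overwritten by the listener-specific SSL policy" would read more accurately as "unless overridden by", since the default policy is not modified.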
@@ -23,19 +26,19 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
2326

2427
## Create a new Application Gateway
2528

26-
First create a new Application Gateway as you would usually through the portal - there are no additional steps needed in the creation to configure listener-specific SSL policies. For more information on how to create an Application Gateway in portal, check out our [portal quickstart tutorial](./quick-create-portal.md).
29+
First create a new Application Gateway as you would usually through the portal - there are no extra steps needed in the creation to configure listener-specific SSL policies. For more information on how to create an Application Gateway in portal, check out our [portal quickstart tutorial](./quick-create-portal.md).
2730

2831
## Set up a listener-specific SSL policy
2932

3033
Before you proceed, here are some important points related to listener-specific SSL policy.
3134

3235
- We recommend using TLS 1.2 as this version will be mandated in the future.
3336
- You don't have to configure client authentication on an SSL profile to associate it to a listener. You can have only client authentication or listener-specific SSL policy configured, or both configured in your SSL profile.
34-
- Using a [2022 Predefined](./application-gateway-ssl-policy-overview.md#predefined-tls-policy) or Customv2 policy enhances SSL security and performance for the entire gateway (SSL Policy and SSL Profile). Therefore, you cannot have different listeners on both old as well as new SSL (predefined or custom) policies.
37+
- Using a [2022 Predefined](./application-gateway-ssl-policy-overview.md#predefined-tls-policy) or Customv2 policy enhances SSL security and performance for the entire gateway (SSL Policy and SSL Profile). Therefore, you cannot have different listeners on both old and new SSL (predefined or custom) policies.
3538

3639
Consider this example, you're currently using SSL Policy and SSL Profile with "older" policies/ciphers. To use a "new" Predefined or Customv2 policy for any one of them will also require you to upgrade the other configuration. You may use the new predefined policies, or customv2 policy, or combination of these across the gateway.
3740

38-
To set up a listener-specific SSL policy, you'll need to first go to the **SSL settings** tab in the Portal and create a new SSL profile. When you create an SSL profile, you'll see two tabs: **Client Authentication** and **SSL Policy**. The **SSL Policy** tab is to configure a listener-specific SSL policy. The **Client Authentication** tab is where to upload a client certificate(s) for mutual authentication - for more information, check out [Configuring a mutual authentication](./mutual-authentication-portal.md).
41+
To set up a listener-specific SSL policy, you need to first go to the **SSL settings** tab in the Portal and create a new SSL profile. When you create an SSL profile, you see two tabs: **Client Authentication** and **SSL Policy**. The **SSL Policy** tab is to configure a listener-specific SSL policy. The **Client Authentication** tab is where to upload a client certificate for mutual authentication - for more information, check out [Configuring a mutual authentication](./mutual-authentication-portal.md).
3942

4043
1. Search for **Application Gateway** in portal, select **Application gateways**, and click on your existing Application Gateway.
4144

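Review bot: The unchanged bullet at new line 35, "We recommend using TLS 1.2 as this version will be mandated in the future", is now out of step with the IMPORTANT callout this commit adds at the top of the same file, which gives a concrete date of August 31, 2025. Suggest updating the bullet in this change to refer to that date, or removing it in favor of the callout. New line 37 also keeps "you cannot" while the rest of the section uses contractions ("don't", "you're").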
@@ -76,7 +79,7 @@ Now that we've created an SSL profile with a listener-specific SSL policy, we ne
7679
![Associate SSL profile to new listener](./media/mutual-authentication-portal/mutual-authentication-listener-portal.png)
7780

7881
### Limitations
79-
There is a limitation right now on Application Gateway that different listeners using the same port cannot have SSL policies (predefined or custom) with different TLS protocol versions. Choosing the same TLS version for different listeners will work for configuring cipher suite preference for each listener. However, to use different TLS protocol versions for separate listeners, you will need to use distinct ports for each.
82+
There is a limitation right now on Application Gateway that different listeners using the same port cannot have SSL policies (predefined or custom) with different TLS protocol versions. Choosing the same TLS version for different listeners work for configuring cipher suite preference for each listener. However, to use different TLS protocol versions for separate listeners, you need to use distinct ports for each.
8083

8184
## Next steps
8285

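Review bot: New line 82 introduces a subject-verb agreement error: "Choosing the same TLS version for different listeners work for configuring cipher suite preference". The original "will work" was correct; when dropping the future tense this should become "works".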
articles/application-gateway/application-gateway-configure-ssl-policy-powershell.md

Lines changed: 11 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -16,14 +16,15 @@ ms.custom: devx-track-azurepowershell
1616

1717
Learn how to configure TLS/SSL policy versions and cipher suites on Application Gateway. You can select from a list of predefined policies that contain different configurations of TLS policy versions and enabled cipher suites. You also have the ability to define a [custom TLS policy](#configure-a-custom-tls-policy) based on your requirements.
1818

19+
> [!IMPORTANT]
20+
> We recommend using TLS 1.2 as your minimum TLS protocol version for better security on your Application Gateway. Starting **August 31, 2025**, all clients and backend servers interacting with Azure Application Gateway must use Transport Layer Security (TLS) 1.2 or higher, as [support for TLS 1.0 and 1.1 will be discontinued](https://azure.microsoft.com/updates/azure-application-gateway-support-for-tls-10-and-tls-11-will-end-by-31-august-2025).
21+
1922
[!INCLUDE [updated-for-az](~/reusable-content/ce-skilling/azure/includes/updated-for-az.md)]
2023

21-
> [!NOTE]
22-
> We recommend using TLS 1.2 as your minimum TLS protocol version for better security on your Application Gateway.
2324

2425
## Get available TLS options
2526

26-
The `Get-AzApplicationGatewayAvailableSslOptions` cmdlet provides a listing of available pre-defined policies, available cipher suites, and protocol versions that can be configured. The following example shows an example output from running the cmdlet.
27+
The `Get-AzApplicationGatewayAvailableSslOptions` cmdlet provides a listing of available predefined policies, available cipher suites, and protocol versions that can be configured. The following example shows an example output from running the cmdlet.
2728

2829
> [!IMPORTANT]
2930
> The default TLS policy is set to AppGwSslPolicy20220101 for API versions 2023-02-01 or higher. Visit [TLS policy overview](./application-gateway-ssl-policy-overview.md#default-tls-policy) to know more.
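Review bot: The merged callout at new line 20 puts "We recommend using TLS 1.2 as your minimum TLS protocol version" next to "must use Transport Layer Security (TLS) 1.2 or higher", so the same paragraph presents TLS 1.2 as both optional and mandatory. Suggest dropping the recommendation sentence or rewording it to say that the minimum should be set to TLS 1.2 ahead of the cutoff. With this addition the section also carries two IMPORTANT callouts within about ten lines (new lines 19 and 29); consider whether the second could be a NOTE.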
@@ -81,9 +82,9 @@ AvailableProtocols:
8182
TLSv1_3
8283
```
8384

84-
## List pre-defined TLS Policies
85+
## List predefined TLS Policies
8586

86-
Application gateway comes with multiple pre-defined policies that can be used. The `Get-AzApplicationGatewaySslPredefinedPolicy` cmdlet retrieves these policies. Each policy has different protocol versions and cipher suites enabled. These pre-defined policies can be used to quickly configure a TLS policy on your application gateway. By default **AppGwSslPolicy20150501** is selected if no specific TLS policy is defined.
87+
Application gateway comes with multiple predefined policies that can be used. The `Get-AzApplicationGatewaySslPredefinedPolicy` cmdlet retrieves these policies. Each policy has different protocol versions and cipher suites enabled. These predefined policies can be used to quickly configure a TLS policy on your application gateway. By default **AppGwSslPolicy20150501** is selected if no specific TLS policy is defined.
8788

8889
The following output is an example of running `Get-AzApplicationGatewaySslPredefinedPolicy`.
8990

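Review bot: New line 87 is edited here but still ends with "By default **AppGwSslPolicy20150501** is selected if no specific TLS policy is defined", while the IMPORTANT callout earlier in this file says the default is AppGwSslPolicy20220101 for API versions 2023-02-01 or higher. Since the paragraph is being touched anyway, qualify which API versions the AppGwSslPolicy20150501 default applies to so the two statements do not conflict.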
@@ -151,11 +152,11 @@ This illustration further explains the usage of CustomV2 policy with minimum pro
151152

152153
:::image type="content" source="media/application-gateway-configure-ssl-policy-powershell/custom-v2-PS-commands.png" alt-text="Diagram that shows use of ciphersuite parameter for the CustomV2 policy.":::
153154

154-
## Create an application gateway with a pre-defined TLS policy
155+
## Create an application gateway with a predefined TLS policy
155156

156157
When configuring a Predefined TLS policy, you pass the following parameters: PolicyType, PolicyName, and ApplicationGateway. If you attempt to pass other parameters, you get an error when creating or updating the Application Gateway.
157158

158-
The following example creates a new application gateway with a pre-defined TLS policy.
159+
The following example creates a new application gateway with a predefined TLS policy.
159160

160161
```powershell
161162
# Create a resource group
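Review bot: Renaming the heading at new line 155 from "pre-defined" to "predefined" changes its generated anchor, as do the renames of "List predefined TLS Policies" and "Update an existing application gateway with a predefined TLS policy" in the neighboring hunks. Please check for inbound links that use the old "pre-defined" anchors, inside this file and from other articles, and update them in the same change. Context line 157 still capitalizes "Predefined TLS policy" while the heading and line 159 use lowercase; pick one.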
@@ -201,19 +202,19 @@ $rule = New-AzApplicationGatewayRequestRoutingRule -Name rule01 -RuleType Basic
201202
# Define the size of the application gateway
202203
$sku = New-AzApplicationGatewaySku -Name Standard_Small -Tier Standard -Capacity 2
203204
204-
# Configure the TLS policy to use a different pre-defined policy
205+
# Configure the TLS policy to use a different predefined policy
205206
$policy = New-AzApplicationGatewaySslPolicy -PolicyType Predefined -PolicyName AppGwSslPolicy20170401S
206207
207208
# Create the application gateway.
208209
$appgw = New-AzApplicationGateway -Name appgwtest -ResourceGroupName $rg.ResourceGroupName -Location "East US" -BackendAddressPools $pool -BackendHttpSettingsCollection $poolSetting -FrontendIpConfigurations $fipconfig -GatewayIpConfigurations $gipconfig -FrontendPorts $fp -HttpListeners $listener -RequestRoutingRules $rule -Sku $sku -SslCertificates $cert -SslPolicy $policy
209210
```
210211

211-
## Update an existing application gateway with a pre-defined TLS policy
212+
## Update an existing application gateway with a predefined TLS policy
212213

213214
To set a custom TLS policy, pass the following parameters: **PolicyType**, **MinProtocolVersion**, **CipherSuite**, and **ApplicationGateway**. To set a Predefined TLS policy, pass the following parameters: **PolicyType**, **PolicyName**, and **ApplicationGateway**. If you attempt to pass other parameters, you get an error when creating or updating the Application Gateway.
214215

215216
> [!NOTE]
216-
> Using a new Predefined or Customv2 policy enhances SSL security and performance posture of the entire gateway (SSL Policy and SSL Profile). Hence, both old and new policies cannot co-exist. You are required to use any of the older predefined or custom policies across the gateway, in case there are clients requiring older TLS version or ciphers (for example, TLS v1.0).
217+
> Using a new Predefined or Customv2 policy enhances SSL security and performance posture of the entire gateway (SSL Policy and SSL Profile). Hence, both old and new policies cannot coexist. You are required to use any of the older predefined or custom policies across the gateway, in case there are clients requiring older TLS version or ciphers (for example, TLS v1.0).
217218
218219
In the following example, there are code samples for both Custom Policy and Predefined Policy. Uncomment the policy you want to use.
219220

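Review bot: The NOTE at new line 217 is edited only for "coexist", but it still tells readers to stay on older predefined or custom policies "in case there are clients requiring older TLS version or ciphers (for example, TLS v1.0)". That advice conflicts with the IMPORTANT callout this commit adds at the top of the file, which says TLS 1.0 and 1.1 support ends on August 31, 2025. Suggest rewording the note so it no longer presents TLS 1.0 clients as a reason to keep the older policies, or scoping it explicitly to the period before the cutoff.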
articles/application-gateway/key-vault-certs.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,9 @@ ms.author: mbender
1212

1313
# TLS termination with Key Vault certificates
1414

15+
> [!IMPORTANT]
16+
> Starting **August 31, 2025**, all clients and backend servers interacting with Azure Application Gateway must use Transport Layer Security (TLS) 1.2 or higher, as [support for TLS 1.0 and 1.1 will be discontinued](https://azure.microsoft.com/updates/azure-application-gateway-support-for-tls-10-and-tls-11-will-end-by-31-august-2025).
17+
1518
[Azure Key Vault](/azure/key-vault/general/overview) is a platform-managed secret store that you can use to safeguard secrets, keys, and TLS/SSL certificates. Azure Application Gateway supports integration with Key Vault for server certificates that are attached to HTTPS-enabled listeners. This support is limited to the v2 SKU of Application Gateway.
1619

1720
Application Gateway offers two models for TLS termination:
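Review bot: The callout added at new lines 15-16 is repeated word for word in four files in this commit (here, ssl-overview.md, and both SSL policy articles). Suggest moving it into a shared include, in the same way the PowerShell article already pulls in `updated-for-az.md` with `[!INCLUDE ...]`, so the date and link are maintained in one place. Placement is also inconsistent: here the callout comes before the introductory paragraph, while in ssl-overview.md it comes after it.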

articles/application-gateway/ssl-overview.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,9 @@ ms.author: mbender
1414

1515
Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and encrypted. Application gateway supports both TLS termination at the gateway as well as end to end TLS encryption.
1616

17+
> [!IMPORTANT]
18+
> Starting **August 31, 2025**, all clients and backend servers interacting with Azure Application Gateway must use Transport Layer Security (TLS) 1.2 or higher, as [support for TLS 1.0 and 1.1 will be discontinued](https://azure.microsoft.com/updates/azure-application-gateway-support-for-tls-10-and-tls-11-will-end-by-31-august-2025).
19+
1720
## TLS termination
1821

1922
Application Gateway supports TLS termination at the gateway, after which traffic typically flows unencrypted to the backend servers. There are a number of advantages of doing TLS termination at the application gateway:
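Review bot: The callout at new line 18 says backend servers "must use Transport Layer Security (TLS) 1.2 or higher", but the context line at new line 22 says that after TLS termination traffic "typically flows unencrypted to the backend servers". Suggest stating in the callout, or in a sentence after it, that the backend requirement concerns the end-to-end TLS case, so readers who terminate TLS at the gateway can tell whether their backends are affected.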

articles/automation/automation-runbook-types.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: Azure Automation Runbook Types
33
description: This article describes the types of runbooks that you can use in Azure Automation and considerations for determining which type to use.
44
services: automation
55
ms.subservice: process-automation
6-
ms.date: 06/27/2025
6+
ms.date: 07/15/2025
77
ms.topic: overview
88
ms.custom: references_regions, devx-track-python, devx-track-azurepowershell
99
ms.service: azure-automation
@@ -371,6 +371,9 @@ The limitations of Python runbooks are:
371371

372372
---
373373

374+
> [!NOTE]
375+
> Using a webhook to start a Python runbook is not supported.
376+
374377
### Multiple Python versions
375378

376379
It's applicable for Windows Hybrid workers. For a Windows Runbook Worker, when running a Python 2 runbook it looks for the environment variable `PYTHON_2_PATH` first and validates whether it points to a valid executable file. For example, if the installation folder is `C:\Python2`, it would check if `C:\Python2\python.exe` is a valid path. If not found, then it looks for the `PATH` environment variable to do a similar check.
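Review bot: The NOTE added at new lines 374-375 sits after the `---` separator and outside the list introduced by "The limitations of Python runbooks are:", so readers scanning the limitations will not see it. Suggest adding the webhook restriction as an item in that list, or, if it is meant to apply to every Python version covered above the separator, saying so in the note. "is not supported" could also be "isn't supported" to match the contractions used elsewhere in the article.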

articles/automation/automation-use-azure-ad.md

Lines changed: 7 additions & 38 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
title: Use Microsoft Entra ID in Azure Automation to authenticate to Azure
33
description: This article tells how to use Microsoft Entra ID within Azure Automation as the provider for authentication to Azure.
44
services: automation
5-
ms.date: 09/09/2024
5+
ms.date: 07/08/2025
66
ms.topic: how-to
77
ms.custom: devx-track-azurepowershell, no-azure-ad-ps-ref
88
ms.author: v-jasmineme
@@ -19,44 +19,10 @@ The [Microsoft Entra ID](../active-directory/fundamentals/active-directory-whati
1919

2020
You can enable Microsoft Entra ID through the following PowerShell modules:
2121

22-
* Azure Active Directory PowerShell for Graph (AzureRM and Az modules). Azure Automation ships with the AzureRM module and its recent upgrade, the Az module. Functionality includes non-interactive authentication to Azure using Microsoft Entra user (OrgId) credential-based authentication. See [Microsoft Entra ID 2.0.2.76](https://www.powershellgallery.com/packages/AzureAD/2.0.2.76).
22+
* Azure Active Directory PowerShell for Graph. Azure Automation ships with the Az module. Functionality includes non-interactive authentication to Azure using Microsoft Entra user (OrgId) credential-based authentication. See [Azure AD 2.0.2.182](https://www.powershellgallery.com/packages/AzureAD/2.0.2.182).
2323

2424
* Microsoft Entra ID for Windows PowerShell. This module enables interactions with Microsoft Online, including Microsoft 365.
2525

26-
### Preinstallation
27-
28-
Before installing the Microsoft Entra modules on your computer:
29-
30-
* Uninstall any previous versions of the AzureRM/Az module and the retired MSOnline module.
31-
32-
* Uninstall the Microsoft Online Services Sign-In Assistant to ensure correct operation of the new PowerShell modules.
33-
34-
### Install the AzureRM and Az modules
35-
36-
>[!NOTE]
37-
>To work with these modules, you must use PowerShell version 5.1 or later with a 64-bit version of Windows.
38-
39-
1. Install Windows Management Framework (WMF) 5.1. See [Install and Configure WMF 5.1](/powershell/scripting/wmf/setup/install-configure).
40-
41-
2. Install AzureRM and/or Az using instructions in [Install Azure PowerShell on Windows with PowerShellGet](/powershell/azure/install-azure-powershell).
42-
43-
### Install the module
44-
45-
>[!NOTE]
46-
>To install the module, you must be a member of an admin role. See [About admin roles](/microsoft-365/admin/add-users/about-admin-roles).
47-
48-
1. Ensure that the Microsoft .NET Framework 3.5.x feature is enabled on your computer. It's likely that your computer has a newer version installed, but backward compatibility with older versions of the .NET Framework can be enabled or disabled.
49-
50-
2. Install the 64-bit version of the [Microsoft Online Services Sign-in Assistant](/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide&preserve-view=true#step-1-install-the-required-software-1).
51-
52-
3. Run Windows PowerShell as an administrator to create an elevated Windows PowerShell command prompt.
53-
54-
4. Deploy Microsoft Entra ID from [Microsoft.Entra](https://www.powershellgallery.com/packages/Microsoft.Entra/1.0.4).
55-
56-
5. If you're prompted to install the NuGet provider, type Y and press ENTER.
57-
58-
6. If you're prompted to install the module from [PSGallery](https://www.powershellgallery.com/), type Y and press ENTER.
59-
6026
### Install support for PSCredential
6127

6228
Azure Automation uses the [PSCredential](/dotnet/api/system.management.automation.pscredential) class to represent a credential asset. Your scripts retrieve `PSCredential` objects using the `Get-AutomationPSCredential` cmdlet. For more information, see [Credential assets in Azure Automation](shared-resources/credentials.md).
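Review bot: The rewritten bullet at new line 22 names "Azure Active Directory PowerShell for Graph" and then says "Azure Automation ships with the Az module", which reads as if Az were that module; please separate the two statements or say how they relate. The link now pins a specific gallery version (AzureAD 2.0.2.182) and will go stale again, and adding an AzureAD module reference sits oddly with the `no-azure-ad-ps-ref` value in this file's `ms.custom`. With the Preinstallation and install sections removed, "### Install support for PSCredential" is now the only install heading under this section, so confirm that the remaining text still makes sense without the steps that preceded it.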
@@ -94,13 +60,12 @@ You can use the Azure portal to create the credential asset. Do this operation f
9460
To prepare a new credential asset in Windows PowerShell, your script first creates a `PSCredential` object using the assigned user name and password. The script then uses this object to create the asset through a call to the [New-AzureAutomationCredential](/powershell/module/servicemanagement/azure/new-azureautomationcredential) cmdlet. Alternatively, the script can call the [Get-Credential](/powershell/module/microsoft.powershell.security/get-credential) cmdlet to prompt the user to type in a name and password. See [Credential assets in Azure Automation](shared-resources/credentials.md).
9561

9662

97-
9863
## Manage Azure resources from an Azure Automation runbook
9964

10065
You can manage Azure resources from Azure Automation runbooks using the credential asset. Below is an example PowerShell runbook that collects the credential asset to use for stopping and starting virtual machines in an Azure subscription. This runbook first uses `Get-AutomationPSCredential` to retrieve the credential to use to authenticate to Azure. It then calls the [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) cmdlet to connect to Azure using the credential.
10166

10267
```powershell
103-
Workflow Workflow
68+
Workflow Workflowname
10469
{
10570
Param
10671
(
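Review bot: On new line 68, `Workflow Workflowname` replaces one placeholder with another that looks like a real identifier. Suggest a descriptive name that reflects what the runbook does (the surrounding text says it stops and starts virtual machines), or an explicit placeholder with a sentence telling readers to substitute their runbook name. The context line at new line 60 still links to `New-AzureAutomationCredential` under the servicemanagement module path, which does not fit with the removal of the AzureRM references elsewhere in this commit.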
@@ -173,6 +138,10 @@ Workflow Workflow
173138
}
174139
```
175140

141+
## Using Microsoft Graph with Powershell
142+
143+
See [Get started with the Microsoft Graph PowerShell SDK](https://learn.microsoft.com/powershell/microsoftgraph/get-started?view=graph-powershell-1.0)
144+
176145
## Next steps
177146

178147
* For details of credential use, see [Manage credentials in Azure Automation](shared-resources/credentials.md).
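Review bot: The heading added at new line 141 spells the product "Powershell"; it should be "PowerShell". The link at new line 143 uses an absolute `https://learn.microsoft.com/...` URL with a `view` query string, whereas the other links in this file are site-relative (for example `/powershell/module/az.accounts/connect-azaccount`); use the relative form for consistency. The sentence also lacks a closing period, and a one-line lead-in saying when a reader would choose Microsoft Graph over the modules listed earlier would make the new section useful on its own.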
