Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into comm-services-samples-tutorials

Author: paulth1

.openpublishing.publish.config.json

@@ -70,7 +70,7 @@
         },
         {
             "path_to_root": "azure_cli_scripts",
-            "url": "https://github.com/Azure-Samples/azure-cli-samples",
+            "url": "https://github.com/ggailey777/azure-cli-samples",
             "branch": "master",
             "branch_mapping": {}
         },

articles/api-management/applications.md

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 05/19/2025
+ms.date: 07/11/2025
 ms.author: danlep
 ms.custom:
   - build-2025
@@ -22,9 +22,9 @@ API Management now supports built-in OAuth 2.0 application-based access to produ
 > Applications are currently in limited preview. To sign up, fill [this form](https://aka.ms/apimappspreview).
 
 With this feature:
-
 * API managers set a product property to enable application-based access.
 * API managers register client applications in Microsoft Entra ID to limit access to specific products. 
+* Developers can access client application credentials using the API Management developer portal.
 * Using the OAuth 2.0 client credentials flow, developers or apps obtain tokens that they can include in API requests
 * Tokens presented in API requests are validated by the API Management gateway to authorize access to the product's APIs.
 
@@ -61,7 +61,8 @@ Follow these steps to enable **Application based access** for a product. A produ
 
 The following example uses the **Starter** product, but choose any published product that has at least one API assigned to it.
 
-1. Sign in to the [portal](https://portal.azure.com) and navigate to your API Management instance.
+1. Sign in to the portal at the following custom URL for the applications feature: [https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications](https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications)
+1. Navigate to your API Management instance.
 1. In the left menu, under **APIs**, select **Products**.
 1. Choose the product that you want to configure, such as the **Starter** product.
 1. In the left menu, under **Product**, select **Properties**.
@@ -103,10 +104,13 @@ To review application settings in **App registrations**:
 Now register a client application that limits access to one or more products. 
 
 * A product must have **Application based access** enabled to be associated with a client application. 
-* Each client application has a single user (owner) in the API Management instance. One the owner can access product APIs through the application.
+* Each client application has a single user (owner) in the API Management instance. Only the owner can access product APIs through the application.
 * A product can be associated with more than one client application.
 
-1. Sign in to the [portal](https://portal.azure.com) and navigate to your API Management instance.
+To register a client application:
+
+1. Sign in to the portal at the following custom URL for the applications feature: [https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications](https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications)
+1. Navigate to your API Management instance.
 1. In the left menu, under **APIs**, select **Applications** > **+ Register application**.
 1. In the **Register an application** page, enter the following application settings:
     * **Name**: Enter a name for the application. 
@@ -152,6 +156,16 @@ To review application settings in **App registrations**:
 
     :::image type="content" source="media/applications/client-api-permissions.png" alt-text="Screenshot of API permissions in the portal.":::  
 
+## Get application settings in developer portal
+
+Users can sign in to the developer portal to view the client applications that they own.
+
+1. Sign in to the developer portal (`https://<your-apim-instance-name>.developer.azure-api.net`) using a user account that was set as the owner of a client application.
+1. In the top navigation menu, select **Applications**.
+1. Applications that the user owns appear in the list. 
+1. Select an application to view its details, such as the **Client ID**, **Client secret**, and **Scope**. These values are needed to generate a token to call the product APIs.
+
+    :::image type="content" source="media/applications/applications-developer-portal.png" alt-text="Screenshot of client applications in the developer portal.":::
 
 ## Create token and use with API call
 
@@ -204,6 +218,16 @@ Write-Host "Response:"
 $getresponse | ConvertTo-Json -Depth 5
 ```
 
+## Troubleshooting
+
+### Internal server error when registering applications in the portal
+
+If you're unable to list applications, or you receive an internal server error when registering applications in the portal, check the following:    
+
+* The **Application Administrator** role is assigned to the API Management instance's managed identity in Microsoft Entra ID. 
+* You're signed in to the portal at the following custom URL for the applications feature: [https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications](https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications). This URL is required to access the applications feature in API Management.
+
+
 ## Related content
 
 * [Create and publish a product](api-management-howto-add-products.md)

articles/api-management/media/applications/applications-developer-portal.png

@@ -38,7 +38,7 @@ The Premium V4 tier is available for source code applications on Windows, and bo
 > [!NOTE]
 > The Premium V4 tier lacks stable outbound IP addresses. This behavior is intentional. Although Premium V4 apps can make outbound calls, the platform doesn't provide stable outbound IPs for this tier. This differs from previous App Service tiers. The portal shows "Dynamic" for outbound IP addresses for Premium V4 apps. ARM and CLI calls return empty strings for *outboundIpAddresses* and *possibleOutboundIpAddresses*. If Premium V4 apps need stable outbound IPs, use [Azure NAT Gateway](overview-nat-gateway-integration.md) for predictable outbound IPs.
 
-Premium V4 and its SKUs are available in select Azure regions. Microsoft continually adds availability to other regions. To check regional availability for a specific Premium V4 offering, run the following Azure CLI command in [Azure Cloud Shell](../cloud-shell/overview.md). Substitute *P1V4* with the desired SKU:
+Premium V4 and its SKUs are available in select Azure regions. Microsoft continually adds availability to other regions. To check regional availability for a specific Premium V4 offering, run the following Azure CLI command in [Azure Cloud Shell](../cloud-shell/overview.md). Use Azure CLI version 2.73.0 or above. Substitute *P1V4* with the desired SKU:
 
 **Windows** SKU availability
 

articles/api-management/media/applications/product-application-settings.png

@@ -55,7 +55,7 @@ You can add up to 1,000 private certificates per webspace.
 
 ## Create a free managed certificate
 
-The free App Service managed certificate is a turnkey solution that helps to secure your custom DNS name in App Service. App Service manages this TLS/SSL server certificate without any action from you.
+The free App Service managed certificate is a turn-key solution for helping to secure your custom DNS name in App Service. Without any action from you, this TLS/SSL server certificate is fully managed by App Service and is automatically renewed continuously in six-month increments, 45 days before expiration, as long as the prerequisites that you set up stay the same. All the associated bindings are updated with the renewed certificate. You create and bind the certificate to a custom domain, and let App Service do the rest.
 
 Before you create a free managed certificate, make sure that you [meet the prerequisites](#prerequisites) for your app.
 

articles/app-service/app-service-configure-premium-v4-tier.md

@@ -35,6 +35,7 @@ Build AI-powered .NET applications with these tutorials:
 - [Build a RAG application with Azure OpenAI and Azure SQL](deploy-intelligent-apps-dotnet-to-azure-sql.md) - Use Azure SQL as a vector database for RAG applications.
 - [Run a chatbot with a local SLM sidecar extension](tutorial-ai-slm-dotnet.md) - Deploy a chatbot that uses a local SLM without requiring an external AI service.
 - [Invoke a web app from Azure AI Foundry Agent](invoke-openapi-web-app-from-azure-ai-agent-service.md) - Make your web API available to AI agents.
+- [Build an agentic web app with Semantic Kernel Agent2Agent (A2A) Protocol integration](https://techcommunity.microsoft.com/blog/appsonazureblog/building-agent-to-agent-a2a-applications-on-azure-app-service/4433114) - Deploy a multi-agent system where a main agent coordinates with specialized agents using [A2A](https://a2aproject.github.io/A2A/latest/).
 
 ## Java applications
 

articles/app-service/configure-ssl-certificate.md

@@ -12,7 +12,10 @@ ms.author: mbender
 
 # Configure listener-specific SSL policies on Application Gateway through portal
 
-This article describes how to use the Azure portal to configure listener-specific SSL policies on your Application Gateway. Listener-specific SSL policies allow you to configure specific listeners to use different SSL policies from each other. You'll still be able to set a default SSL policy that all listeners will use unless overwritten by the listener-specific SSL policy. 
+This article describes how to use the Azure portal to configure listener-specific SSL policies on your Application Gateway. Listener-specific SSL policies allow you to configure specific listeners to use different SSL policies from each other. You'll still be able to set a default SSL policy that all listeners use unless overwritten by the listener-specific SSL policy. 
+
+> [!IMPORTANT]
+> Starting **August 31, 2025**, all clients and backend servers interacting with Azure Application Gateway must use Transport Layer Security (TLS) 1.2 or higher, as [support for TLS 1.0 and 1.1 will be discontinued](https://azure.microsoft.com/updates/azure-application-gateway-support-for-tls-10-and-tls-11-will-end-by-31-august-2025).
 
 > [!NOTE]
 > Only Standard_v2 and WAF_v2 SKUs support listener specific policies as listener specific policies are part of SSL profiles, and SSL profiles are only supported on v2 gateways. 
@@ -23,19 +26,19 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
 
 ## Create a new Application Gateway
 
-First create a new Application Gateway as you would usually through the portal - there are no additional steps needed in the creation to configure listener-specific SSL policies. For more information on how to create an Application Gateway in portal, check out our [portal quickstart tutorial](./quick-create-portal.md).
+First create a new Application Gateway as you would usually through the portal - there are no extra steps needed in the creation to configure listener-specific SSL policies. For more information on how to create an Application Gateway in portal, check out our [portal quickstart tutorial](./quick-create-portal.md).
 
 ## Set up a listener-specific SSL policy
 
 Before you proceed, here are some important points related to listener-specific SSL policy.
 
 - We recommend using TLS 1.2 as this version will be mandated in the future.
 - You don't have to configure client authentication on an SSL profile to associate it to a listener. You can have only client authentication or listener-specific SSL policy configured, or both configured in your SSL profile.
-- Using a [2022 Predefined](./application-gateway-ssl-policy-overview.md#predefined-tls-policy) or Customv2 policy enhances SSL security and performance for the entire gateway (SSL Policy and SSL Profile). Therefore, you cannot have different listeners on both old as well as new SSL (predefined or custom) policies.
+- Using a [2022 Predefined](./application-gateway-ssl-policy-overview.md#predefined-tls-policy) or Customv2 policy enhances SSL security and performance for the entire gateway (SSL Policy and SSL Profile). Therefore, you cannot have different listeners on both old and new SSL (predefined or custom) policies.
 
   Consider this example, you're currently using SSL Policy and SSL Profile with "older" policies/ciphers. To use a "new" Predefined or Customv2 policy for any one of them will also require you to upgrade the other configuration. You may use the new predefined policies, or customv2 policy, or combination of these across the gateway.
 
-To set up a listener-specific SSL policy, you'll need to first go to the **SSL settings** tab in the Portal and create a new SSL profile. When you create an SSL profile, you'll see two tabs: **Client Authentication** and **SSL Policy**. The **SSL Policy** tab is to configure a listener-specific SSL policy. The **Client Authentication** tab is where to upload a client certificate(s) for mutual authentication - for more information, check out [Configuring a mutual authentication](./mutual-authentication-portal.md).
+To set up a listener-specific SSL policy, you need to first go to the **SSL settings** tab in the Portal and create a new SSL profile. When you create an SSL profile, you see two tabs: **Client Authentication** and **SSL Policy**. The **SSL Policy** tab is to configure a listener-specific SSL policy. The **Client Authentication** tab is where to upload a client certificate for mutual authentication - for more information, check out [Configuring a mutual authentication](./mutual-authentication-portal.md).
 
 1. Search for **Application Gateway** in portal, select **Application gateways**, and click on your existing Application Gateway.
 
@@ -76,7 +79,7 @@ Now that we've created an SSL profile with a listener-specific SSL policy, we ne
     ![Associate SSL profile to new listener](./media/mutual-authentication-portal/mutual-authentication-listener-portal.png)        
 
 ### Limitations
-There is a limitation right now on Application Gateway that different listeners using the same port cannot have SSL policies (predefined or custom) with different TLS protocol versions. Choosing the same TLS version for different listeners will work for configuring cipher suite preference for each listener. However, to use different TLS protocol versions for separate listeners, you will need to use distinct ports for each.
+There is a limitation right now on Application Gateway that different listeners using the same port cannot have SSL policies (predefined or custom) with different TLS protocol versions. Choosing the same TLS version for different listeners work for configuring cipher suite preference for each listener. However, to use different TLS protocol versions for separate listeners, you need to use distinct ports for each.
 
 ## Next steps