Commit 9044e62

Merge branch 'main' into udr-remove-preview-11-6
2 parents 1452235 + 534c5cc commit 9044e62

22 files changed

+247
-182
lines changed

articles/app-service/app-service-web-configure-tls-mutual-auth.md

Lines changed: 9 additions & 2 deletions
@@ -15,8 +15,9 @@ ms.custom: devx-track-csharp, devx-track-extended-java, devx-track-js, devx-trac
1515
You can restrict access to your Azure App Service app by enabling different types of authentication for it. One way to do it is to request a client certificate when the client request is over TLS/SSL and validate the certificate. This mechanism is called TLS mutual authentication or client certificate authentication. This article shows how to set up your app to use client certificate authentication.
1616

1717
> [!NOTE]
18+
> Your app code is responsible for validating the client certificate. App Service doesn't do anything with this client certificate other than forwarding it to your app.
19+
>
1820
> If you access your site over HTTP and not HTTPS, you will not receive any client certificate. So if your application requires client certificates, you should not allow requests to your application over HTTP.
19-
>
2021
2122
[!INCLUDE [Prepare your web app](../../includes/app-service-ssl-prepare-app.md)]
2223
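Review bot: The note added at new line 18 says app code is responsible for validating the client certificate but gives no pointer to how. If this article has a section on reading and validating the forwarded certificate, link to it from the note, or say in one clause what validation has to cover, so a reader does not treat enabling the setting as sufficient access control on its own.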

@@ -26,7 +27,13 @@ To set up your app to require client certificates:
2627

2728
1. From the left navigation of your app's management page, select **Configuration** > **General Settings**.
2829

29-
1. Set **Client certificate mode** to **Require**. Select **Save** at the top of the page.
30+
1. Select **Client certificate mode** of choice. Select **Save** at the top of the page.
31+
32+
|Client certificate modes|Description|
33+
|-|-|
34+
|Required|All requests require a client certificate.|
35+
|Optional|Requests may or may not use a client certificate. Clients will be prompted for a certificate by default. For example, browser clients will show a prompt to select a certificate for authentication.|
36+
|Optional Interactive User|Requests may or may not use a client certificate. Clients will not be prompted for a certificate by default. For example, browser clients will not show a prompt to select a certificate for authentication.|
3037

3138
### [Azure CLI](#tab/azurecli)
3239
To do the same with Azure CLI, run the following command in the [Cloud Shell](https://shell.azure.com):
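Review bot: The table at new lines 32-36 names the first mode "Required", while the step it replaces told the reader to set the mode to **Require**; confirm which label the portal shows and use it consistently, and reword "Select **Client certificate mode** of choice" to something like "Select the **Client certificate mode** you want". For the two optional modes the descriptions say requests "may or may not use a client certificate", so state there that requests without a certificate still reach the app and the app code has to reject them when a certificate is expected. The unchanged Azure CLI lead-in still says "To do the same", which now refers to a choice of three modes; check that the command under it shows how to pick one.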

articles/app-service/configure-ssl-app-service-certificate.md

Lines changed: 33 additions & 1 deletion
@@ -110,7 +110,7 @@ Once your certificate is domain-verified, [you're ready to import it into an App
110110
By default, App Service certificates have a one-year validity period. Before the expiration date, you can automatically or manually renew App Service certificates in one-year increments. The renewal process effectively gives you a new App Service certificate with the expiration date extended to one year from the existing certificate's expiration date.
111111

112112
> [!NOTE]
113-
> Starting September 23 2021, if you haven't verified the domain in the last 395 days, App Service certificates require domain verification during a renew or rekey process. The new certificate order remains in "pending issuance" mode during the renew or rekey process until you complete the domain verification.
113+
> Starting September 23 2021, if you haven't verified the domain in the last 395 days, App Service certificates require domain verification during a renew, auto-renew, or rekey process. The new certificate order remains in "pending issuance" mode during the renew, auto-renew, or rekey process until you complete the domain verification.
114114
>
115115
> Unlike the free App Service managed certificate, purchased App Service certificates don't have automated domain re-verification. Failure to verify domain ownership results in failed renewals. For more information about how to verify your App Service certificate, review [Confirm domain ownership](#confirm-domain-ownership).
116116
>
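Review bot: With auto-renew added at new line 113, the note now says an automatic renewal can sit in "pending issuance" until someone verifies the domain, but it does not say how the owner would find out. Add a pointer from this note to the Azure Advisor section that this commit introduces further down the same file. "September 23 2021" also needs a comma after the day while the line is being touched.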
@@ -207,6 +207,38 @@ Set-Content -Path appservicecertificate.pfx -Value $CertBytes -AsByteStream
207207

208208
The downloaded PFX file is a raw PKCS12 file that contains both the public and private certificates and has an import password that's an empty string. You can locally install the file by leaving the password field empty. You can't [upload the file as-is into App Service](configure-ssl-certificate.md#upload-a-private-certificate) because the file isn't [password protected](configure-ssl-certificate.md#private-certificate-requirements).
209209

210+
## Use Azure Advisor for App Service certificate
211+
212+
App Service certificate is integrated with [Azure Advisor](/azure/advisor/advisor-overview) to provide reliability recommendations for when your certificate requires domain verification. You must verify domain ownership for your certificate during renew, auto-renew, or rekey process if you haven't verified the domain in the last 395 days. To ensure you do not miss any certificate that requires verification or risk any certificate from expiring, you can utlize Azure Advisor to view and set up alerts for App Service certificate.
213+
214+
### View Advisor recommendation
215+
216+
To view Advisor recommendation for App Service certificate:
217+
218+
1. Navigate to the [Azure Advisor page](https://portal.azure.com/#view/Microsoft_Azure_Expert/AdvisorMenuBlade/~/overview).
219+
220+
1. From the left menu, select **Recommendations** > **Reliability**
221+
222+
1. Select the filter option **Type equals** and search for **App Service Certificates** from the dropdown list. If the value does not exist on the dropdown menu, then that means no recommendation has been generated for your App Service certificate resources because none of them requires domain ownership verification.
223+
224+
### Create Advisor Alerts
225+
226+
You [create Azure Advisor alerts on new recommendations] using different configurations. To set up Advisor Alerts specifically for App Serivice certificate so you can get notifications when your certificate requires domain ownership validation:
227+
228+
1. Navigate to the [Azure Advisor page](https://portal.azure.com/#view/Microsoft_Azure_Expert/AdvisorMenuBlade/~/overview).
229+
230+
1. From the left menu, select **Monitoring** > **Alerts (Preview)**
231+
232+
1. Click on **+ New Advisor Alert** on the action bar at the top. This will open a new blade called "Create Advisor Alerts".
233+
234+
1. Under **Condition** select the following:
235+
236+
|Configured by| Recommendation Type|
237+
|-|-|
238+
|Recommendation Type|Domain verification required to issue your App Service Certificate|
239+
240+
1. Fill out the rest of the required fields, then select the **Create alert** button at the bottom.
241+
210242
## Delete an App Service certificate
211243

212244
If you delete an App Service certificate, the delete operation is irreversible and final. The result is a revoked certificate, and any binding in App Service that uses the certificate becomes invalid.
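Review bot: At new line 226, `[create Azure Advisor alerts on new recommendations]` has link text but no target, so it will render as literal brackets; add the URL or drop the brackets. The same line misspells "App Serivice", new line 212 has "utlize", and the steps at new lines 220 and 230 lack the closing period the other steps have. The condition table at new lines 236-238 uses "Configured by" and "Recommendation Type" as its header row and then repeats "Recommendation Type" as a cell value, which reads as a data row used as a header; a two-column field and value layout would be clearer. "Click on" at new line 232 should match the "select" wording used in the other steps.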

articles/azure-resource-manager/management/resources-without-resource-group-limit.md

Lines changed: 0 additions & 1 deletion
@@ -230,7 +230,6 @@ Some resources have a limit on the number instances per region. This limit is di
230230
## Microsoft.Web
231231

232232
* apiManagementAccounts/apis
233-
* certificates
234233
* sites
235234

236235
## Next steps
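Review bot: Dropping `certificates` from the Microsoft.Web list at old line 233 changes what this article tells readers about limits for that resource type, and nothing in the hunk says why. Confirm the removal is intentional and matches current service behavior before it ships as part of a merge.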

articles/container-apps/opentelemetry-agents.md

Lines changed: 2 additions & 1 deletion
@@ -4,7 +4,7 @@ description: Learn to record and query data collected using OpenTelemetry in Azu
44
services: container-apps
55
author: craigshoemaker
66
ms.service: azure-container-apps
7-
ms.date: 03/08/2024
7+
ms.date: 11/01/2024
88
ms.author: cshoe
99
ms.topic: how-to
1010
---
@@ -292,6 +292,7 @@ The following example shows how to use an OTLP endpoint named `customDashboard`.
292292
}
293293
}
294294
}
295+
```
295296

296297
## Example OpenTelemetry configuration
297298

articles/iot-hub-device-update/import-update.md

Lines changed: 4 additions & 0 deletions
@@ -16,6 +16,10 @@ Learn how to obtain a new update and import it into Device Update for IoT Hub. I
1616
## Prerequisites
1717

1818
* Access to [an IoT Hub with Device Update for IoT Hub enabled](create-device-update-account.md).
19+
* An Azure Storage container *without* Private Endpoint enabled.
20+
21+
- If you're not sure if Private Endpoint is enabled, go to [Private Link Center](https://portal.azure.com/#blade/Microsoft_Azure_Network/PrivateLinkCenterBlade/overview), select "Private endpoints" on the left, then look for your Azure Storage account name in the "Resources" column.
22+
1923
* An IoT device (or simulator) [provisioned for Device Update](device-update-agent-provisioning.md) within IoT Hub.
2024
* Follow the steps in [Prepare an update to import into Device Update for IoT Hub](create-update.md) to create the import manifest for your update files.
2125
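Review bot: The prerequisite added at new line 19 requires a storage container without Private Endpoint but gives no reason and no alternative. Add a sentence on why the import does not work with Private Endpoint enabled and what readers whose policy mandates private endpoints should do instead. The sub-item at new line 21 uses `-` while the surrounding list uses `*`, and it is set off by blank lines at 20 and 22; make sure it is indented under the storage bullet so it renders nested and does not split the prerequisites list.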

articles/iot-operations/secure-iot-ops/howto-validate-images.md

Lines changed: 4 additions & 2 deletions
@@ -4,7 +4,7 @@ description: Validate that Azure IoT Operations docker and helm images are legit
44
author: kgremban
55
ms.author: kgremban
66
ms.topic: how-to
7-
ms.date: 09/24/2024
7+
ms.date: 11/01/2024
88

99
#CustomerIntent: As an IT professional, I want to ensure that the images I download for Azure IoT Operations are legitimate.
1010
---
@@ -73,10 +73,12 @@ Azure IoT Operations signs its docker and helm images to allow users to verify t
7373

7474
1. Use notation to verify your downloaded images against the trustpolicy.
7575

76+
Replace the version placeholder with the version number of the image that you want to check. For an existing instance of Azure IoT Operations, you can find the version number on the instance overview page in the Azure portal or by running [az iot ops show](/cli/azure/iot/ops#az-iot-ops-show). For a full list of available versions, see [azure-iot-operations releases](https://github.com/Azure/azure-iot-operations/releases).
77+
7678
```sh
7779
notation policy import <TRUSTPOLICY_FILE>.json
7880
export NOTATION_EXPERIMENTAL=1
79-
notation verify --allow-referrers-api mcr.microsoft.com/azureiotoperations/aio-operator:0.8.16
81+
notation verify --allow-referrers-api mcr.microsoft.com/azureiotoperations/aio-operator:<AZURE_IOT_OPERATIONS_VERSION>
8082
```
8183

8284
The output of the command looks like the following example:
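Review bot: The paragraph added at new line 76 refers to "the version placeholder" without naming it; write `<AZURE_IOT_OPERATIONS_VERSION>` in that sentence so it matches the command at new line 81, and indent the paragraph under step 1 so the numbered list is not broken. The line after the code block introduces example output, so check that the sample there no longer shows the hard-coded 0.8.16 tag. Because the command verifies the image by tag, consider adding a note that a digest reference pins the exact artifact being verified.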
