Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into wscon

Author: gitName

.openpublishing.redirection.json

@@ -1,5 +1,45 @@
 {
   "redirections": [
+    {
+      "source_path": "articles/defender-for-iot/organizations/legacy-central-management/legacy-air-gapped-deploy.md",
+      "redirect_url": "/previous-versions/azure/defender-for-iot/organizations/legacy-central-management/legacy-air-gapped-deploy",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/defender-for-iot/organizations/legacy-central-management/prepare-management-appliance.md",
+      "redirect_url": "/previous-versions/azure/defender-for-iot/organizations/legacy-central-management/prepare-management-appliance",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/defender-for-iot/organizations/legacy-central-management/install-software-on-premises-management-console.md",
+      "redirect_url": "/previous-versions/azure/defender-for-iot/organizations/legacy-central-management/install-software-on-premises-management-console",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/defender-for-iot/organizations/legacy-central-management/activate-deploy-management.md",
+      "redirect_url": "/previous-versions/azure/defender-for-iot/organizations/legacy-central-management/activate-deploy-management",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/defender-for-iot/organizations/legacy-central-management/connect-sensors-to-management.md",
+      "redirect_url": "/previous-versions/azure/defender-for-iot/organizations/legacy-central-management/connect-sensors-to-management",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/defender-for-iot/organizations/legacy-central-management/sites-and-zones-on-premises.md",
+      "redirect_url": "/previous-versions/azure/defender-for-iot/organizations/legacy-central-management/sites-and-zones-on-premises",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/defender-for-iot/organizations/legacy-central-management/how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md",
+      "redirect_url": "/previous-versions/azure/defender-for-iot/organizations/legacy-central-management/how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/defender-for-iot/organizations/legacy-central-management/how-to-work-with-alerts-on-premises-management-console.md",
+      "redirect_url": "/previous-versions/azure/defender-for-iot/organizations/legacy-central-management/how-to-work-with-alerts-on-premises-management-console",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/cdn/akamai-retirement-faq.md",
       "redirect_url": "/previous-versions/azure/cdn/akamai-retirement-faq",

articles/active-directory-b2c/custom-policies-series-collect-user-input.md

@@ -508,6 +508,6 @@ After the policy finishes execution, you're redirected to `https://jwt.ms`, and
 
 Next, learn:
 
-- About [types of Technical Profiles](technicalprofiles.md#types-of-technical-profiles) in Azure AD B2C's custom policies. 
+- About the [types of Technical Profiles](technicalprofiles.md#types-of-technical-profiles) in Azure AD B2C's custom policies. 
 
-- How to [Validate user inputs by using custom policy](custom-policies-series-validate-user-input.md).
+- How to [Validate user inputs by using custom policy](custom-policies-series-validate-user-input.md).

articles/app-service/app-service-web-configure-tls-mutual-auth.md

@@ -12,7 +12,7 @@ ms.custom: devx-track-csharp, devx-track-extended-java, devx-track-js, devx-trac
 ---
 # Configure TLS mutual authentication for Azure App Service
 
-You can restrict access to your Azure App Service app by enabling different types of authentication for it. One way to do it is to request a client certificate when the client request is over TLS/SSL and validate the certificate. This mechanism is called TLS mutual authentication or client certificate authentication. This article shows how to set up your app to use client certificate authentication.
+You can restrict access to your Azure App Service app by enabling different types of authentication for it. One way to do it is to request a client certificate when the client request is over TLS/SSL and validate the certificate. This mechanism is called Transport Layer Security (TLS) mutual authentication or client certificate authentication. This article shows how to set up your app to use client certificate authentication.
 
 > [!NOTE]
 > Your app code is responsible for validating the client certificate. App Service doesn't do anything with this client certificate other than forwarding it to your app.
@@ -22,27 +22,28 @@ You can restrict access to your Azure App Service app by enabling different type
 [!INCLUDE [Prepare your web app](../../includes/app-service-ssl-prepare-app.md)]
 
 ## Enable client certificates
-
-To set up your app to require client certificates:
-
-1. From the left navigation of your app's management page, select **Configuration** > **General Settings**.
-
-1. Select **Client certificate mode** of choice. Select **Save** at the top of the page.
+When you enable client certificate for your app, you should select your choice of client certificate mode. Each mode defines how your app handles incoming client certificates:
 
 |Client certificate modes|Description|
 |-|-|
 |Required|All requests require a client certificate.|
-|Optional|Requests may or may not use a client certificate. Clients will be prompted for a certificate by default. For example, browser clients will show a prompt to select a certificate for authentication.|
-|Optional Interactive User|Requests may or may not use a client certificate. Clients will not be prompted for a certificate by default. For example, browser clients will not show a prompt to select a certificate for authentication.|
+|Optional|Requests may or may not use a client certificate and clients are prompted for a certificate by default. For example, browser clients will show a prompt to select a certificate for authentication.|
+|Optional Interactive User|Requests may or may not use a client certificate and clients are not prompted for a certificate by default. For example, browser clients won't show a prompt to select a certificate for authentication.|
+
+### [Azure portal](#tab/azureportal)
+To set up your app to require client certificates in Azure portal:
+1. Navigate to your app's management page.
+1. From the left navigation of your app's management page, select **Configuration** > **General Settings**.
+1. Select **Client certificate mode** of choice. Select **Save** at the top of the page.
 
 ### [Azure CLI](#tab/azurecli)
-To do the same with Azure CLI, run the following command in the [Cloud Shell](https://shell.azure.com):
+With Azure CLI, run the following command in the [Cloud Shell](https://shell.azure.com):
 
 ```azurecli-interactive
 az webapp update --set clientCertEnabled=true --name <app-name> --resource-group <group-name>
 ```
-### [Bicep](#tab/bicep)
 
+### [Bicep](#tab/bicep)
 For Bicep, modify the properties `clientCertEnabled`, `clientCertMode`, and `clientCertExclusionPaths`. A sample Bicep snippet is provided for you:
 
 ```bicep
@@ -63,7 +64,6 @@ resource appService 'Microsoft.Web/sites@2020-06-01' = {
 ```
 
 ### [ARM template](#tab/arm)
-
 For ARM templates, modify the properties `clientCertEnabled`, `clientCertMode`, and `clientCertExclusionPaths`. A sample ARM template snippet is provided for you:
 
 ```ARM
@@ -93,6 +93,9 @@ For ARM templates, modify the properties `clientCertEnabled`, `clientCertMode`,
 
 When you enable mutual auth for your application, all paths under the root of your app require a client certificate for access. To remove this requirement for certain paths, define exclusion paths as part of your application configuration.
 
+> [!NOTE]
+> Using any client certificate exclusion path triggers TLS renegotiation for incoming requests to the app.
+
 1. From the left navigation of your app's management page, select **Configuration** > **General Settings**.
 
 1. Next to **Certificate exclusion paths**, select the edit icon.
@@ -105,6 +108,29 @@ In the following screenshot, any path for your app that starts with `/public` do
 
 ![Certificate Exclusion Paths][exclusion-paths]
 
+## Client certificate and TLS renegotiation
+App Service requires TLS renegotiation to read a request before knowing whether to prompt for a client certificate. Any of the following settings triggers TLS renegotiation:
+1. Using "Optional Interactive User" client certificate mode.
+1. Using [client certificate exclusion path](#exclude-paths-from-requiring-authentication).
+
+> [!NOTE]
+> TLS 1.3 and HTTP 2.0 don't support TLS renegotiation. These protocols will not work if your app is configured with client certificate settings that use TLS renegotiation.
+
+To disable TLS renegotiation and to have the app negotiate client certificates during TLS handshake, you must configure your app with *all* these settings:
+1. Set client certificate mode to "Required" or "Optional"
+2. Remove all client certificate exclusion paths
+
+### Uploading large files with TLS renegotiation
+Client certificate configurations that use TLS renegotiation cannot support incoming requests with large files greater than 100 kb due to buffer size limitations. In this scenario, any POST or PUT requests over 100 kb will fail with a 403 error. This limit isn't configurable and can't be increased.
+
+To address the 100 kb limit, consider these alternative solutions:
+
+1. Disable TLS renegotiation. Update your app's client certificate configurations with _all_ these settings:
+    - Set client certificate mode to either "Required" or "Optional"
+    - Remove all client certificate exclusion paths
+1. Send a HEAD request before the PUT/POST request. The HEAD request handles the client certificate.
+1. Add the header `Expect: 100-Continue` to your request. This causes the client to wait until the server responds with a `100 Continue` before sending the request body, which bypasses the buffers.
+
 ## Access client certificate
 
 In App Service, TLS termination of the request happens at the frontend load balancer. When App Service forwards the request to your app code with [client certificates enabled](#enable-client-certificates), it injects an `X-ARR-ClientCert` request header with the client certificate. App Service doesn't do anything with this client certificate other than forwarding it to your app. Your app code is responsible for validating the client certificate.

articles/app-service/deploy-azure-pipelines.md

@@ -290,51 +290,6 @@ If you want to deploy to multiple web apps, add stages to your release pipeline.
 
 ---
 
-## Example: Make variable substitutions
-
-For most language stacks, [app settings](./configure-common.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json#configure-app-settings) and [connection strings](./configure-common.md?toc=%2fazure%2fapp-service%2fcontainers%2ftoc.json#configure-connection-strings) can be set as environment variables at runtime.
-
-But there are other reasons you would want to make variable substitutions to your *Web.config*. In this example, your Web.config file contains a connection string named `connectionString`. You can change its value before deploying to each web app. You can do this either by applying a Web.config transformation or by substituting variables in your Web.config file. 
-
-# [YAML](#tab/yaml/)
-
-The following snippet shows an example of variable substitution by using the Azure App Service Deploy (`AzureRmWebAppDeployment`) task:
-
-```yaml
-jobs:
-- job: test
-  variables:
-    connectionString: <test-stage connection string>
-  steps:
-  - task: AzureRmWebAppDeployment@4
-    inputs:
-      azureSubscription: '<Test stage Azure service connection>'
-      WebAppName: '<name of test stage web app>'
-      enableXmlVariableSubstitution: true
-
-- job: prod
-  dependsOn: test
-  variables:
-    connectionString: <prod-stage connection string>
-  steps:
-  - task: AzureRmWebAppDeployment@4
-    inputs:
-      azureSubscription: '<Prod stage Azure service connection>'
-      WebAppName: '<name of prod stage web app>'
-      enableXmlVariableSubstitution: true
-```
-
-# [Classic](#tab/classic/)
-
-To change `connectionString` by using variable substitution:
-
-1. Create a release pipeline with two stages.
-1. Link the artifact of the release to the build that produces the web package.
-1. Define `connectionString` as a variable in each of the stages. Set the appropriate value.
-1. Select the **XML variable substitution** option under **File Transforms and Variable Substitution Options** for the **Azure App Service Deploy** task.
-
----
-
 ## Example: Deploy conditionally
 
 # [YAML](#tab/yaml/)
@@ -428,7 +383,6 @@ The Azure Web App task (`AzureWebApp`) is the simplest way to deploy to an Azure
 
 The [Azure App Service Deploy task (`AzureRmWebAppDeployment`)](/azure/devops/pipelines/tasks/deploy/azure-rm-web-app-deployment) can handle more custom scenarios, such as:
 
-- [Modify configuration settings](#example-make-variable-substitutions) inside web packages and XML parameters files. 
 - [Deploy with Web Deploy](#example-deploy-using-web-deploy), if you're used to the IIS deployment process.
 - [Deploy to virtual applications](#example-deploy-to-a-virtual-application).
 - Deploy to other app types, like Container apps, Function apps, WebJobs, or API and Mobile apps.

articles/azure-cache-for-redis/.openpublishing.redirection.redis-cache.json

@@ -254,11 +254,16 @@
           "source_path_from_root": "/articles/redis-cache/scripts/delete-cache.md",
           "redirect_url": "/azure/azure-cache-for-redis/scripts/create-manage-cache",
           "redirect_document_id": false
-      },
+       },
         {
             "source_path_from_root": "/articles/redis-cache/scripts/show-cache.md",
             "redirect_url": "/azure/azure-cache-for-redis/scripts/create-manage-cache",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/azure-cache-for-redis/managed-redis/managed-redis-configure-role-based-access-control.md",
+            "redirect_url": "/azure/azure-cache-for-redis/managed-redis/managed-redis-entra-for-authentication",
+            "redirect_document_id": false
         }
     ]
 }

articles/azure-cache-for-redis/TOC.yml

@@ -136,8 +136,6 @@
     items:
     - name: Microsoft Entra ID for authentication
       href: managed-redis/managed-redis-entra-for-authentication.md
-    - name: Role-based access control
-      href: managed-redis/managed-redis-configure-role-based-access-control.md
 
   - name: Security and networking
     items: