articles/frontdoor/end-to-end-tls.md
2 additions & 2 deletions
@@ -35,7 +35,7 @@ Azure Front Door supports two versions of the TLS protocol: TLS versions 1.2 a
35
35
> [!IMPORTANT]
36
36
> As of March 1, 2025, TLS 1.0 and 1.1 are not allowed on new Azure Front Door profiles. If you didn't disable TLS 1.0 and 1.1 on legacy settings before this date, they'll still work temporarily but will be updated to TLS 1.2 in the future.
37
37
38
-
You can configure the minimum TLS version in Azure Front Door in the custom domain HTTPS settings using the Azure portal or the [Azure REST API](/rest/api/frontdoorservice/frontdoor/frontdoors/createorupdate#minimumtlsversion). For a minimum TLS version 1.2, the negotiation will attempt to establish TLS 1.3 and then TLS 1.2. When Azure Front Door initiates TLS traffic to the origin, it will attempt to negotiate the best TLS version that the origin can reliably and consistently accept. Supported TLS versions for origin connections are TLS 1.2 and TLS 1.3.
38
+
You can configure the minimum TLS version in Azure Front Door in the custom domain HTTPS settings using the Azure portal or the[Azure REST API](/rest/api/frontdoorservice/frontdoor/frontdoors/createorupdate#minimumtlsversion). For a minimum TLS version 1.2, the negotiation will attempt to establish TLS 1.3 and then TLS 1.2. When Azure Front Door initiates TLS traffic to the origin, it will attempt to negotiate the best TLS version that the origin can reliably and consistently accept. Supported TLS versions for origin connections are TLS 1.2 and TLS 1.3.
39
39
40
40
> [!NOTE]
41
41
> - Clients with TLS 1.3 enabled are required to support one of the Microsoft SDL compliant EC Curves, including Secp384r1, Secp256r1, and Secp521, in order to successfully make requests with Azure Front Door using TLS 1.3.
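Review bot: The added paragraph reads `the[Azure REST API]` with no space before the link, where the removed line had `the [Azure REST API]`; since the two lines are otherwise identical as shown, please confirm that the space is present in the source and that this is only a whitespace cleanup. While this section is open, the curve list in the note below names `Secp521` without the `r1` suffix that `Secp384r1` and `Secp256r1` carry, which is worth checking against the intended curve name.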
@@ -121,7 +121,7 @@ For TLS 1.2/1.3, the following cipher suites are supported:
121
121
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
122
122
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
123
123
124
-
To configure specific cipher suites for your profile, use TLS policy. Azure Front Door Standard and Premium offer two mechanisms for controlling TLS policy. You can use either a predefined policy or a custom policy per your own needs. For more information, see [Configure TLS policy on a Front Door custom domain](standard-premium/tls-policy-configure.md).
124
+
Use *TLS policy* to configure specific cipher suites. Azure Front Door Standard and Premium offer two mechanisms for controlling TLS policy: you can use either a predefined policy or a custom policy per your own needs. For more information, see [Configure TLS policy on a Front Door custom domain](standard-premium/tls-policy-configure.md).
125
125
126
126
> [!NOTE]
127
127
> For Windows 10 and later versions, we recommend enabling one or both of the ECDHE_GCM cipher suites for better security. Windows 8.1, 8, and 7 aren't compatible with these ECDHE_GCM cipher suites. The ECDHE_CBC and DHE cipher suites have been provided for compatibility with those operating systems.
articles/frontdoor/standard-premium/how-to-add-custom-domain.md
16 additions & 15 deletions
@@ -12,6 +12,7 @@ ms.date: 03/26/2025
12
12
---
13
13
14
14
# Configure a custom domain on Azure Front Door by using the Azure portal
15
+
15
16
When using Azure Front Door for application delivery, a custom domain allows your own domain name to appear in user requests. This visibility can enhance customer convenience and support branding efforts.
16
17
17
18
By default, after creating an Azure Front Door Standard/Premium profile and endpoint, the endpoint host is a subdomain of `azurefd.net`. For example, the URL might look like `https://contoso-frontend-mdjf2jfgjf82mnzx.z01.azurefd.net/activeusers.htm`.
@@ -20,9 +21,9 @@ To make your URLs more user-friendly and branded, Azure Front Door allows you to
20
21
21
22
## Prerequisites
22
23
23
-
* Ensure you have an Azure Front Door profile set up. For guidance, refer to[Quickstart: Create an Azure Front Door Standard/Premium](create-front-door-portal.md).
24
-
* Obtain a custom domain if you don't have one. You can purchase one from a domain provider. For example, see [Buy a custom domain name](../../app-service/manage-custom-dns-buy-domain.md).
25
-
* If your DNS domains are hosted on Azure, delegate the domain provider's DNS to Azure DNS. For instructions, see [Delegate a domain to Azure DNS](../../dns/dns-delegate-domain-azure-dns.md). If you use another domain provider for DNS, manually validate the domain by entering the required DNS TXT records.
24
+
- An Azure Front Door profile. For more information, see[Quickstart: Create an Azure Front Door Standard/Premium](create-front-door-portal.md).
25
+
- A custom domain. If you don't have a custom domain, you must first purchase one from a domain provider. For more information, see [Buy a custom domain name](/azure/app-service/manage-custom-dns-buy-domain?toc=/azure/frontdoor/TOC.json).
26
+
- If you're using Azure to host your DNS domains, you must delegate the domain provider's domain name system (DNS) to an Azure DNS. For more information, see [Delegate a domain to Azure DNS](/azure/dns/dns-delegate-domain-azure-dns?toc=/azure/frontdoor/TOC.json). Otherwise, if you're using a domain provider to handle your DNS domain, you must manually validate the domain by entering prompted DNS TXT records.
26
27
27
28
## Add a new custom domain
28
29
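Review bot: In the third added prerequisite, "delegate the domain provider's domain name system (DNS) to an Azure DNS" expands the acronym only after "DNS domains" has already used it in the same sentence, and "an Azure DNS" reads oddly for a service name. Suggest expanding DNS on first use and writing "to Azure DNS". The first two bullets are now noun phrases ("An Azure Front Door profile", "A custom domain") while the third is a conditional sentence; if the list is meant to be parallel, consider rephrasing it or moving it into a note.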
@@ -41,26 +42,26 @@ To configure a custom domain, go to the **Domains** pane of your Azure Front Doo
41
42
42
43
***Azure pre-validated domain**: The domain is already validated by another Azure service, so domain ownership validation isn't required from Azure Front Door. A dropdown list of validated domains by different Azure services appear.
43
44
44
-
:::image type="content" source="../media/pre-validated-custom-domain.png" alt-text="Screenshot that shows Prevalidated custom domains on the Add a domain pane.":::
45
+
:::image type="content" source="../media/pre-validated-custom-domain.png" alt-text="Screenshot that shows Prevalidated custom domains on the Add a domain pane." lightbox="../media/pre-validated-custom-domain.png":::
45
46
46
47
> [!NOTE]
47
-
> * Azure Front Door supports both Azure-managed certificates and Bring Your Own Certificates (BYOCs). For non-Azure validated domains, Azure-managed certificates are issued and managed by Azure Front Door. For Azure prevalidated domains, the Azure-managed certificate is issued and managed by the Azure service that validates the domain. To use your own certificate, see [Configure HTTPS on a custom domain](how-to-configure-https-custom-domain.md).
48
-
> * Azure Front Door supports Azure prevalidated domains and Azure DNS zones in different subscriptions.
49
-
> * Currently, Azure prevalidated domains only support domains validated by Azure Static Web Apps.
48
+
> - Azure Front Door supports both Azure-managed certificates and Bring Your Own Certificates (BYOCs). For non-Azure validated domains, Azure-managed certificates are issued and managed by Azure Front Door. For Azure prevalidated domains, the Azure-managed certificate is issued and managed by the Azure service that validates the domain. To use your own certificate, see [Configure HTTPS on a custom domain](how-to-configure-https-custom-domain.md).
49
+
> - Azure Front Door supports Azure prevalidated domains and Azure DNS zones in different subscriptions.
50
+
> - Currently, Azure prevalidated domains only support domains validated by Azure Static Web Apps.
50
51
51
52
A new custom domain initially has a validation state of **Submitting**.
52
53
53
54
> [!NOTE]
54
-
> * As of September 2023, Azure Front Door supports BYOC-based domain ownership validation. Azure Front Door automatically approves domain ownership if the Certificate Name (CN) or Subject Alternative Name (SAN) of the provided certificate matches the custom domain. When you select **Azure managed certificate**, domain ownership continues to be validated via the DNS TXT record.
55
-
> * For custom domains created before BYOC-based validation support, if the domain validation status is anything but **Approved**, trigger auto-approval by selecting **Validation State** > **Revalidate** in the portal. If using the command-line tool, trigger domain validation by sending an empty `PATCH` request to the domain API.
56
-
> * An Azure prevalidated domain will have a validation state of **Pending**. It will automatically change to **Approved** after a few minutes. Once approved, proceed to [Associate the custom domain with your Front Door endpoint](#associate-the-custom-domain-with-your-azure-front-door-endpoint) and complete the remaining steps.
55
+
> - As of September 2023, Azure Front Door supports BYOC-based domain ownership validation. Azure Front Door automatically approves domain ownership if the Certificate Name (CN) or Subject Alternative Name (SAN) of the provided certificate matches the custom domain. When you select **Azure managed certificate**, domain ownership continues to be validated via the DNS TXT record.
56
+
> - For custom domains created before BYOC-based validation support, if the domain validation status is anything but **Approved**, trigger auto-approval by selecting **Validation State** > **Revalidate** in the portal. If using the command-line tool, trigger domain validation by sending an empty `PATCH` request to the domain API.
57
+
> - An Azure prevalidated domain will have a validation state of **Pending**. It will automatically change to **Approved** after a few minutes. Once approved, proceed to [Associate the custom domain with your Front Door endpoint](#associate-the-custom-domain-with-your-azure-front-door-endpoint) and complete the remaining steps.
57
58
58
59
After a few minutes, the validation state will change to **Pending**.
59
60
60
61
1. Select the **Pending** validation state. A new pane appears with the DNS TXT record information required to validate the custom domain. The TXT record is in the format `_dnsauth.<your_subdomain>`.
61
62
62
-
* If you're using an Azure DNS-based zone, select **Add** to create a new TXT record with the provided value in the Azure DNS zone.
63
-
* If you're using another DNS provider, manually create a new TXT record named `_dnsauth.<your_subdomain>` with the value shown on the pane.
63
+
- If you're using an Azure DNS-based zone, select **Add** to create a new TXT record with the provided value in the Azure DNS zone.
64
+
- If you're using another DNS provider, manually create a new TXT record named `_dnsauth.<your_subdomain>` with the value shown on the pane.
64
65
65
66
1. Close the pane to return to the custom domains list. The provisioning state of the custom domain should change to **Provisioned**, and the validation state should change to **Approved**.
66
67
@@ -78,7 +79,7 @@ After validating your custom domain, you can associate it with your Azure Front
78
79
79
80
1. Select the **DNS state** link.
80
81
81
-
:::image type="content" source="../media/how-to-add-custom-domain/dns-state-link.png" alt-text="Screenshot of the DNS state link.":::
82
+
:::image type="content" source="../media/how-to-add-custom-domain/dns-state-link.png" alt-text="Screenshot that shows the DNS state link." lightbox="../media/how-to-add-custom-domain/dns-state-link.png":::
82
83
83
84
> [!NOTE]
84
85
> For an Azure prevalidated domain, manually update the CNAME record from the other Azure service endpoint to the Azure Front Door endpoint in your DNS hosting service. This step is required regardless of whether the domain is hosted with Azure DNS or another DNS service. The link to update the CNAME from the **DNS state** column isn't available for this type of domain.
@@ -88,8 +89,8 @@ After validating your custom domain, you can associate it with your Azure Front
88
89
1. Once the CNAME record is created and the custom domain is associated with the Azure Front Door endpoint, traffic starts flowing.
89
90
90
91
> [!NOTE]
91
-
> * If HTTPS is enabled, certificate provisioning and propagation might take a few minutes as it propagates to all edge locations.
92
-
> * If your domain CNAME is indirectly pointed to an Azure Front Door endpoint, such as through Azure Traffic Manager for multi-CDN failover, the **DNS state** column may show **CNAME/Alias record currently not detected**. Azure Front Door can't guarantee 100% detection of the CNAME record in this scenario. If you configured an Azure Front Door endpoint to Traffic Manager and still see this message, it doesn't necessarily mean there's an issue with your setup. No further action is required.
92
+
> - If HTTPS is enabled, certificate provisioning and propagation might take a few minutes as it propagates to all edge locations.
93
+
> - If your domain CNAME is indirectly pointed to an Azure Front Door endpoint, such as through Azure Traffic Manager for multi-CDN failover, the **DNS state** column may show **CNAME/Alias record currently not detected**. Azure Front Door can't guarantee 100% detection of the CNAME record in this scenario. If you configured an Azure Front Door endpoint to Traffic Manager and still see this message, it doesn't necessarily mean there's an issue with your setup. No further action is required.
articles/frontdoor/standard-premium/how-to-configure-https-custom-domain.md
10 additions & 10 deletions
@@ -19,9 +19,9 @@ Azure Front Door supports Azure-managed certificates and customer-managed certif
19
19
20
20
## Prerequisites
21
21
22
-
* Before you can configure HTTPS for your custom domain, you must first create an Azure Front Door profile. For more information, see [Create an Azure Front Door profile](../create-front-door-portal.md).
23
-
*If you don't already have a custom domain, you must first purchase one with a domain provider. For example, see [Buy a custom domain name](../../app-service/manage-custom-dns-buy-domain.md).
24
-
* If you're using Azure to host your [DNS domains](../../dns/dns-overview.md), you must delegate the domain provider's domain name system (DNS) to an Azure DNS. For more information, see [Delegate a domain to Azure DNS](../../dns/dns-delegate-domain-azure-dns.md). Otherwise, if you're using a domain provider to handle your DNS domain, you must manually validate the domain by entering prompted DNS TXT records.
22
+
- An Azure Front Door profile. For more information, see [Quickstart: Create an Azure Front Door Standard/Premium](create-front-door-portal.md).
23
+
- A custom domain. If you don't have a custom domain, you must first purchase one from a domain provider. For more information, see [Buy a custom domain name](/azure/app-service/manage-custom-dns-buy-domain?toc=/azure/frontdoor/TOC.json).
24
+
- If you're using Azure to host your [DNS domains](../../dns/dns-overview.md), you must delegate the domain provider's domain name system (DNS) to an Azure DNS. For more information, see [Delegate a domain to Azure DNS](../../dns/dns-delegate-domain-azure-dns.md?toc=/azure/frontdoor/TOC.json). Otherwise, if you're using a domain provider to handle your DNS domain, you must manually validate the domain by entering prompted DNS TXT records.
25
25
26
26
## Azure Front Door-managed certificates for non-Azure prevalidated domains
27
27
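Review bot: The first added prerequisite changes the link target from `../create-front-door-portal.md` to `create-front-door-portal.md`, which now resolves inside `standard-premium/` instead of the parent folder; please confirm a file exists at that path, otherwise this becomes a broken link. In the third bullet, `../../dns/dns-delegate-domain-azure-dns.md?toc=/azure/frontdoor/TOC.json` appends the `toc` query to a relative `.md` path, while the same link in the other two files touched by this commit uses the site-relative form `/azure/dns/dns-delegate-domain-azure-dns?toc=/azure/frontdoor/TOC.json`. Suggest using one form across all three.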
@@ -77,16 +77,16 @@ There are currently two ways to authenticate Azure Front Door to access your Key
77
77
-**App registration**: Azure Front Door uses an app registration to authenticate to your Key Vault. This method is being deprecated and will be retired in the future. For more information, see [Use app registration in Azure Front Door](#register-azure-front-door).
78
78
79
79
> [!WARNING]
80
-
> *Azure Front Door currently only supports Key Vault in the same subscription. Selecting Key Vault under a different subscription results in a failure.
81
-
> * Azure Front Door doesn't support certificates with elliptic curve cryptography algorithms. Also, your certificate must have a complete certificate chain with leaf and intermediate certificates. The root CA also must be part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT).
80
+
> -Azure Front Door currently only supports Key Vault in the same subscription. Selecting Key Vault under a different subscription results in a failure.
81
+
> - Azure Front Door doesn't support certificates with elliptic curve cryptography algorithms. Also, your certificate must have a complete certificate chain with leaf and intermediate certificates. The root CA also must be part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT).
82
82
83
83
#### Register Azure Front Door
84
84
85
85
Register the service principal for Azure Front Door as an app in your Microsoft Entra ID using Microsoft Graph PowerShell or the Azure CLI.
86
86
87
87
> [!NOTE]
88
-
> * This action requires you to have User Access Administrator permissions in Microsoft Entra ID. The registration only needs to be performed *once per Microsoft Entra tenant*.
89
-
> * The application IDs of **205478c0-bd83-4e1b-a9d6-db63a3e1e1c8** and **d4631ece-daab-479b-be77-ccb713491fc0** are predefined by Azure for Azure Front Door Standard and Premium across all Azure tenants and subscriptions. Azure Front Door (classic) has a different application ID.
88
+
> - This action requires you to have User Access Administrator permissions in Microsoft Entra ID. The registration only needs to be performed *once per Microsoft Entra tenant*.
89
+
> - The application IDs of **205478c0-bd83-4e1b-a9d6-db63a3e1e1c8** and **d4631ece-daab-479b-be77-ccb713491fc0** are predefined by Azure for Azure Front Door Standard and Premium across all Azure tenants and subscriptions. Azure Front Door (classic) has a different application ID.
90
90
91
91
# [Microsoft Graph PowerShell](#tab/powershell)
92
92
@@ -187,6 +187,6 @@ You can change a domain between using an Azure Front Door-managed certificate an
187
187
188
188
## Related content
189
189
190
-
- Learn about [caching with Azure Front Door Standard/Premium](../front-door-caching.md)
191
-
- [Understand custom domains](../domain.md) on Azure Front Door
192
-
- Learn about [end-to-end TLS with Azure Front Door](../end-to-end-tls.md)
190
+
- [Caching with Azure Front Door](../front-door-caching.md)
191
+
- [Custom domains in Azure Front Door](../domain.md)
192
+
- [End-to-end TLS with Azure Front Door](../end-to-end-tls.md)
articles/frontdoor/standard-premium/tls-policy-configure.md
2 additions & 4 deletions
@@ -24,10 +24,8 @@ In this article, you learn how to configure TLS policy on a Front Door custom do
24
24
## Prerequisites
25
25
26
26
- A Front Door. For more information, see [Quickstart: Create a Front Door using the Azure portal](/azure/frontdoor/quickstart-create-front-door).
27
-
28
-
- A custom domain. If you don't have a custom domain, you must first purchase one with a domain provider. For more information, see [Buy a custom domain name](/azure/app-service/manage-custom-dns-buy-domain).
29
-
30
-
- If you're using Azure to host your [DNS domains](/azure/dns/dns-overview), you must delegate the domain provider's domain name system (DNS) to an Azure DNS. For more information, see [Delegate a domain to Azure DNS](/azure/dns/dns-delegate-domain-azure-dns). Otherwise, if you're using a domain provider to handle your DNS domain, see [Create a CNAME DNS record](/azure/frontdoor/front-door-custom-domain).
27
+
- A custom domain. If you don't have a custom domain, you must first purchase one from a domain provider. For more information, see [Buy a custom domain name](/azure/app-service/manage-custom-dns-buy-domain?toc=/azure/frontdoor/TOC.json).
28
+
- If you're using Azure to host your [DNS domains](/azure/dns/dns-overview), you must delegate the domain provider's domain name system (DNS) to an Azure DNS. For more information, see [Delegate a domain to Azure DNS](/azure/dns/dns-delegate-domain-azure-dns?toc=/azure/frontdoor/TOC.json). Otherwise, if you're using a domain provider to handle your DNS domain, see [Create a CNAME DNS record](/azure/frontdoor/front-door-custom-domain).
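Review bot: The prerequisites here are only partly aligned with the other two files in this commit: the unchanged first bullet still reads "A Front Door" and links to `/azure/frontdoor/quickstart-create-front-door`, while the other files now say "An Azure Front Door profile" and link to `create-front-door-portal.md`. If the intent is a shared prerequisites list, update that bullet too. The third bullet also ends with a pointer to "Create a CNAME DNS record" where the other files describe manual validation via DNS TXT records; please confirm that difference is intentional for this article.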