Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into sre/incedent-management

Author: craigshoemaker

articles/api-management/TOC.yml

@@ -680,6 +680,8 @@
       href: breaking-changes/git-configuration-retirement-march-2025.md
     - name: Direct management API retirement (March 2025)
       href: breaking-changes/direct-management-api-retirement-march-2025.md
+    - name: Managed certificates suspension (August 2025)
+      href: breaking-changes/managed-certificates-suspension-august-2025.md
     - name: ADAL-based identity provider retirement (September 2025)
       href: breaking-changes/identity-provider-adal-retirement-sep-2025.md
     - name: CAPTCHA endpoint update (September 2025)

articles/api-management/api-management-capacity.md

@@ -42,9 +42,6 @@ In the v2 tiers, the following metrics are available:
 
 * **Memory Percentage of Gateway** - The percentage of memory capacity used by the gateway units.
 
-    > [!NOTE]
-    > Currently, the Memory Percentage of Gateway metric isn't supported in the Premium v2 tier.
-
 Available aggregations for these metrics are as follows.
 
 * **Avg** - Average percentage of capacity used across gateway processes in every [unit](upgrade-and-scale.md) of an API Management instance. 

articles/api-management/api-management-howto-deploy-multi-region.md

@@ -168,7 +168,7 @@ This section provides considerations for multi-region deployments when the API M
 * Configure each regional network independently. The [connectivity requirements](virtual-network-reference.md) such as required network security group rules for a virtual network in an added region are generally the same as those for a network in the primary region.
 * Virtual networks in the different regions don't need to be peered.
 > [!IMPORTANT]
-> When configured in internal virtual network mode, each regional gateway must also have outbound connectivity on port 1433 to the Azure SQL database configured for your API Management instance, which is only in the *primary* region. Ensure that you allow connectivity to the FQDN or IP address of this Azure SQL database in any routes or firewall rules you configure for networks in your secondary regions; the Azure SQL service tag can't be used in this scenario. To find the Azure SQL database name in the primary region, go to the **Network** > **Network status** page of your API Management instance in the portal. 
+> When configured in internal virtual network mode, each regional gateway must also have outbound connectivity on port 1433 to the Azure SQL database configured for your API Management instance, which is only in the *primary* region. Ensure that you allow connectivity to the FQDN or IP address of this Azure SQL database in any routes or firewall rules you configure for networks in your secondary regions; the Azure SQL service endpoint can't be used in this scenario. To find the Azure SQL database name in the primary region, go to the **Network** > **Network status** page of your API Management instance in the portal. 
 
 ### IP addresses
 

articles/api-management/api-management-region-availability.md

@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: concept-article
-ms.date: 06/17/2025
+ms.date: 07/21/2025
 ms.author: danlep
 ms.custom:
   - references_regions
@@ -32,6 +32,7 @@ Information in the following table is updated regularly. Capacity availability i
 | Australia Southeast | ✅ | ✅ | | |
 | Brazil South | ✅ | ✅ | |  |
 | Central India  | ✅ | ✅ | |  |
+| Central US  | ✅ | ✅ | |  |
 | East Asia | ✅ | ✅ | | ✅ |
 | East US  | ✅ | ✅ |  |  |
 | East US 2 | ✅ | ✅ | ✅ | ✅ |
@@ -49,6 +50,7 @@ Information in the following table is updated regularly. Capacity availability i
 | Sweden Central | ✅ | ✅ | | |
 | South India | ✅ | ✅ |  |  |
 | Switzerland North | ✅ |✅ |  | |
+| UAE North | ✅ | ✅ | |  |
 | UK South | ✅  | ✅ | ✅ | ✅ |
 | UK West | ✅  | ✅ | | |
 | West Europe  | ✅ | ✅ | | ✅ |

articles/api-management/breaking-changes/managed-certificates-suspension-august-2025.md

@@ -0,0 +1,39 @@
+---
+title: Azure API Management - Managed certificates suspension for new custom domains (August 2025)
+description: Azure API Management is temporarily suspending managed certificates for new custom domains from August 15, 2025 to March 15, 2026 due to industry-wide changes in domain validation.
+services: api-management
+author: dlepow
+ms.service: azure-api-management
+ms.topic: reference
+ai-usage: ai-assisted
+ms.date: 07/18/2025
+ms.author: danlep
+---
+
+# Managed certificates suspension for new custom domains (August 2025)
+
+[!INCLUDE [premium-dev-standard-basic.md](../../../includes/api-management-availability-premium-dev-standard-basic.md)]
+
+Azure managed certificates for new custom domains in API Management will be temporarily turned off from August 15, 2025 to March 15, 2026. Existing managed certificates will be autorenewed and remain unaffected.
+
+In the classic service tiers, Azure API Management offers [free, managed TLS certificates for custom domains](../configure-custom-domain.md#domain-certificate-options), allowing customers to secure their endpoints without purchasing and managing their own certificates. Because of an industry-wide deprecation of CNAME-based Domain Control Validation (DCV), our Certificate Authority (CA), DigiCert, will migrate to a new validation platform to meet Multi-Perspective Issuance Corroboration (MPIC) requirements. This migration requires a temporary suspension of managed certificates for new custom domains.
+
+## Is my service affected by this?
+
+You're affected if you plan to create new managed certificates for new custom domains in Azure API Management between August 15, 2025 and March 15, 2026. Existing managed certificates will be autorenewed before August 15, 2025 and will continue to function normally. There's no impact to existing managed certificates or custom domains already using them.
+
+## What is the deadline for the change?
+
+The suspension of managed certificates for new custom domains will be enforced from August 15, 2025 to March 15, 2026. The capability to create managed certificates will resume after the migration to the new validation platform is complete.
+
+## What do I need to do?
+
+No action is required if you already have managed certificates for your custom domains. If you need to add new managed certificates, plan to do so before August 15, 2025 or after March 15, 2026. During the suspension period, you can still configure custom domains with certificates you manage from other sources.
+
+## Help and support
+
+If you have questions, get answers from community experts in [Microsoft Q&A](https://aka.ms/apim/azureqa/change/captcha-2022). If you have a support plan and need technical help, create a [support request](https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade/~/overview).
+
+## Related content
+
+See all [upcoming breaking changes and feature retirements](overview.md).

articles/api-management/breaking-changes/overview.md

@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: reference
-ms.date: 05/30/2025
+ms.date: 07/17/2025
 ms.author: danlep
 ---
 
@@ -30,6 +30,7 @@ The following table lists all the upcoming breaking changes and feature retireme
 | [Git repository retirement][git2025] | March 15, 2025 |
 | [Direct management API retirement][mgmtapi2025] | March 15, 2025 |
 | [Workspaces preview breaking changes, part 2][workspaces2025march] | March 31, 2025 |
+| [Managed certificates suspension][managed-certificates-suspension-august-2025] | August 15, 2025 |
 | [ADAL-based Microsoft Entra ID identity provider retirement][msal2025] | September 30, 2025 |
 | [CAPTCHA endpoint update][captcha2025] | September 30, 2025 |
 | [Built-in analytics dashboard retirement][analytics2027] | March 15, 2027 |
@@ -50,3 +51,4 @@ The following table lists all the upcoming breaking changes and feature retireme
 [mgmtapi2025]: ./direct-management-api-retirement-march-2025.md
 [workspaces2024]: ./workspaces-breaking-changes-june-2024.md
 [workspaces2025march]: ./workspaces-breaking-changes-march-2025.md
+[managed-certificates-suspension-august-2025]: ./managed-certificates-suspension-august-2025.md

articles/app-service/configure-authentication-provider-aad.md

@@ -301,7 +301,7 @@ Requests that fail these built-in checks get an HTTP `403 Forbidden` response.
 
 [fic-config]: #use-a-managed-identity-instead-of-a-secret-preview
 
-Instead of configuring a client secret for your app registration, you can [configure an application to trust a managed identity (preview)][entra-fic]. Using an identity instead of a secret means you don't have to manage a secret. You don't have secret expiration events to handle, and you don't have the same level of risk associated with possibly disclosing or leaking that secret.
+Instead of configuring a client secret for your app registration, you can [configure an application to trust a managed identity][entra-fic]. Using an identity instead of a secret means you don't have to manage a secret. You don't have secret expiration events to handle, and you don't have the same level of risk associated with possibly disclosing or leaking that secret.
 
 The identity allows you to create a *federated identity credential*, which can be used instead of a client secret as a *client assertion*. This approach is available only for workforce configurations. The built-in authentication feature currently supports federated identity credentials as a preview.
 
@@ -313,6 +313,7 @@ You can use the steps in this section to configure your App Service or Azure Fun
 
     > [!IMPORTANT]
     > The user-assigned managed identity that you create should only be assigned to the App Service or Azure Functions application through this registration. If you assign the identity to another resource, you're giving that resource unnecessary access to your app registration.
+
 1. Note down the **Object ID** and **Client ID** values of the managed identity. You'll need the object ID to create a federated identity credential in the next step. You'll use the managed identity's client ID in a later step.
 
 1. Follow the Microsoft Entra ID [instructions to configure a federated identity credential on an existing application](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity#configure-a-federated-identity-credential-on-an-existing-application). Those instructions also include sections for updating application code, which you can skip.

articles/app-service/configure-zone-redundancy.md

@@ -0,0 +1,203 @@
+---
+title: Configure App Service plans for zone redundancy
+description: Learn how to configure your App Service plan for zone redundancy. Understand how your App Service plan instances are distributed across availability zones and how to check for zone redundancy support.
+ms.topic: conceptual
+ms.service: azure-app-service
+ms.date: 07/15/2025
+author: anaharris
+ms.author: anaharris
+
+---
+# Configure App Service plans for zone redundancy
+
+Azure App Service provides built-in reliability features to help ensure your applications are available and resilient. This article describes how to create your App Service plan with zone redundancy. It also covers how to disable and enable zone redundancy on existing plans, and how to check for zone redundancy support. To learn more about how App Service supports zone redundancy, see [Reliability in Azure App Service](../reliability/reliability-app-service.md).
+
+## Create a new App Service plan with zone redundancy
+
+To create a new App Service plan with zone redundancy:
+
+# [Azure portal](#tab/portal)
+
+Follow the guidance in [Create an App Service plan](../app-service/app-service-plan-manage.md#create-an-app-service-plan). Make sure to select *Enabled* for **Zone redundancy**.
+
+:::image type="content" source="./media/configure-zone-redundancy/app-service-create-zr-plan.png" alt-text="Screenshot of zone redundancy enablement during App Service plan creation in the Azure portal.":::
+
+# [Azure CLI](#tab/azurecli)
+
+Set the `--zone-redundant` argument. You must also specify the `--number-of-workers` argument, which is the number of instances, and set a value greater than or equal to 2.
+
+```azurecli
+az appservice plan create \
+    -n <app-service-plan-name> \
+    -g <resource-group-name> \
+    --zone-redundant \
+    --number-of-workers 2 \
+    --sku P1V3
+```
+
+# [Bicep](#tab/bicep)
+
+Set the `zoneRedundant` property to `true`. You must also define the `sku.capacity` property to a value of 2 or greater. If you don't define the `sku.capacity` property, the value defaults to 1.
+
+```bicep
+resource appServicePlan 'Microsoft.Web/serverfarms@2024-11-01' = {
+    name: appServicePlanName
+    location: location
+    sku: {
+        name: sku
+        capacity: 2
+    }
+    kind: 'linux'
+    properties: {
+        reserved: true
+        zoneRedundant: true
+    }
+}
+```
+
+---
+
+## Set zone redundancy for an existing App Service plan
+
+1. If you want to enable zone redundancy on an existing App Service plan, [check for zone redundancy support for your App Service plan](#check-for-zone-redundancy-support-on-an-app-service-plan).
+1. If your App Service plan supports zone redundancy, you can enable or disable it by using the Azure portal, Azure CLI, or Bicep/Resource Manager.
+    
+    # [Azure portal](#tab/portal)
+    
+    1. In the [Azure portal](https://portal.azure.com), navigate to  your App Service plan.
+    1. Select **Settings > Scale out (App Service plan)** in the left navigation pane.
+    1. Select **Zone redundancy** if you wish to enable zone redundancy. Deselect if you wish to disable it. 
+    
+        Changing the zone redundancy status of an App Service plan is almost instantaneous. You don't experience downtime or performance problems during the process. 
+    
+        :::image type="content" source="./media/configure-zone-redundancy/app-service-plan-zone-redundancy-portal.png" alt-text="Screenshot of zone redundancy property for an App Service plan in the Azure portal.":::
+
+    > [!IMPORTANT]
+    > If you have *Rules Based* scaling enabled, you can't use the Azure portal to enable zone redundancy. You must use the Azure CLI or Bicep/Resource Manager instead.
+    
+     # [Azure CLI](#tab/azurecli)
+    
+    - To *enable zone redundancy*, set the `zoneRedundant` property to `true`. You must also specify the `sku.capacity` argument, which is the number of instances, and set a value greater than or equal to 2.
+    
+        ```azurecli
+        az appservice plan update \
+            -n <app-service-plan-name> \
+            -g <resource-group-name> \
+            --set zoneRedundant=true sku.capacity=2
+        ```
+    
+    - To *disable zone redundancy*, set the `zoneRedundant` property to `false`.
+    
+        ```azurecli
+        az appservice plan update \
+            -n <app-service-plan-name> \
+            -g <resource-group-name> \
+            --set zoneRedundant=false
+        ```
+    
+    # [Bicep](#tab/bicep)
+    
+    - To *enable zone redundancy*, set the `zoneRedundant` property to `true`. You must also define the `sku.capacity` property to a value of 2 or greater. If you don't define the `sku.capacity` property, the value defaults to 1.
+    
+        ```bicep
+        resource appServicePlan 'Microsoft.Web/serverfarms@2024-11-01' = {
+            name: appServicePlanName
+            location: location
+            sku: {
+                name: sku
+                capacity: 2
+            }
+            kind: 'linux'
+            properties: {
+                reserved: true
+                zoneRedundant: true
+            }
+        }
+        ```
+    
+    - To *disable zone redundancy*, set the `zoneRedundant` property to `false`.
+
+    ---
+
+## Check for zone redundancy support on an App Service plan
+
+To see whether an existing App Service plan supports zone redundancy:
+
+1. Get the maximum number of availability zones that the App Service plan can use by using the Azure portal, Azure CLI, or Bicep/Resource Manager:
+
+    # [Azure portal](#tab/portal)
+    
+    1. In the [Azure portal](https://portal.azure.com), navigate to your App Service plan.
+    
+    1. Select **Scale out (App Service plan)**. 
+    
+        The maximum number of zones that your App Service plan can use is shown in **Maximum available zones**. 
+    
+        :::image type="content" source="./media/configure-zone-redundancy/app-service-plan-max-zones-portal.png" alt-text="Screenshot of maximum available zones property in the Scale out blade in the Azure portal for an App Service plan.":::
+    
+    # [Azure CLI](#tab/azurecli)
+    
+    Query the plan's `maximumNumberOfZones` property:
+    
+    ```azurecli
+    az appservice plan show \
+        -n <app-service-plan-name> \
+        -g <resource-group-name> \
+        --query properties.maximumNumberOfZones
+    ```
+    
+    # [Bicep](#tab/bicep)
+    
+    Query the plan's `maximumNumberOfZones` property:
+    
+    ```bicep
+    resource appServicePlan 'Microsoft.Web/serverfarms@2024-11-01' existing = {
+        name: '<app-service-plan-name>'
+    }
+    
+    #disable-next-line BCP083
+    output maximumNumberOfZones int = appServicePlan.properties.maximumNumberOfZones
+    ```
+    
+    ---
+    
+1. Compare the number with the following table to determine whether your plan supports zone redundancy:
+    
+    | Maximum Number of Zones  | Zone redundancy support |
+    | ------------------------ | ----------------------- |
+    | Greater than 1           | Supported               |
+    | Equal to 1               | Not supported*          |
+
+    \* If you're on a plan or a stamp that doesn't support availability zones, you must create a new App Service plan in a new resource group so that you land on the App Service footprint that supports zones.
+
+## View physical zones for an App Service plan
+
+When you have a zone-redundant App Service plan, the platform automatically places the instances across [physical availability zone](../reliability/availability-zones-overview.md#physical-and-logical-availability-zones). If you want to verify that your instances are spread across zones, you can check which physical availability zones your plan's instances use by using the Azure portal or Azure CLI:
+
+# [Azure portal](#tab/portal)
+
+1. In the [Azure portal](https://portal.azure.com), go to your App Service app. If you have multiple apps in a plan, you can select any app.
+ 
+1. Select the **Health check** blade.
+
+1. Select the **Instances** tab to view the physical zone placement for each of your instances.
+    
+    :::image type="content" source="./media/configure-zone-redundancy/app-service-physical-zones.png" alt-text="Screenshot of the Instances tab in the Health Check blade with the physical zone information in the Azure portal for an App Service app.":::
+
+# [Azure CLI](#tab/azurecli)
+
+Use the [REST API](/rest/api/appservice/web-apps/get-instance-info), which returns the `physicalZone` value for each instance in the App Service plan:
+
+```azurecli
+az rest --method get --url https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Web/sites/{appName}/instances?api-version=2024-04-01
+```
+
+# [Bicep](#tab/bicep)
+
+This operation is not supported in Bicep. Use the Azure CLI or Azure portal instead.
+
+---
+
+## Related content
+- [Reliability in Azure App Service](../reliability/reliability-app-service.md)
+- [Configure App Service Environment for zone redundancy](../app-service/environment/configure-zone-redundancy-environment.md)