MicrosoftDocs
diff --git a/‎articles/app-service/app-service-undelete.md
Lines changed: 17 additions & 2 deletions b/‎articles/app-service/app-service-undelete.md
Lines changed: 17 additions & 2 deletions
diff --git a/‎articles/automation/TOC.yml
Lines changed: 0 additions & 6 deletions b/‎articles/automation/TOC.yml
Lines changed: 0 additions & 6 deletions
diff --git a/‎articles/azure-app-configuration/concept-customer-managed-keys.md
Lines changed: 52 additions & 9 deletions b/‎articles/azure-app-configuration/concept-customer-managed-keys.md
Lines changed: 52 additions & 9 deletions
diff --git a/‎articles/azure-health-insights/radiology-insights/overview.md
Lines changed: 13 additions & 1 deletion b/‎articles/azure-health-insights/radiology-insights/overview.md
Lines changed: 13 additions & 1 deletion
@@ -7,10 +7,25 @@ ms.date: 10/4/2023
 ms.topic: article 
 ms.custom: devx-track-azurepowershell
 ---
+# Restore deleted App Service app
 
-# Restore Deleted App Service App Using PowerShell
+If you happened to accidentally delete your app in Azure App Service, you can now restore it by using the Azure portal or PowerShell.
 
-If you happened to accidentally delete your app in Azure App Service, you can restore it using the commands from the [Az PowerShell module](/powershell/azure/).
+## Restore deleted App Service app by using the portal
+
+If you deleted your app in Azure App Service, you can now restore it from the portal by using following steps:
+
+1. Navigate to App Services in the portal.
+1. Click on **Manage Deleted Apps**.
+1. Select **Subscription**.
+1. From the dropdown, select the deleted app. Apps deleted in last 30 days will show up in the drop down list.
+1. Select destination app from the dropdown where you want to restore your app. 
+1. If you would like to restore the deleted app to a slot of destination app, check the slot checkbox and select available slots from the dropdown.
+1. By default only app content is restored. If you want app configuration also to be restored, check **Restore App configuration**.
+
+## Restore deleted App Service app by using PowerShell
+
+If you deleted your app in Azure App Service, you can restore it using the commands from the [Az PowerShell module](/powershell/azure/).
 
 > [!NOTE]
 > - Deleted apps are purged from the system 30 days after the initial deletion. After an app is purged, it can't be recovered.
 
@@ -273,12 +273,6 @@
     items:
     - name: Migration from Log Analytics to Azure Monitoring Agent version
       href: change-tracking/guidance-migration-log-analytics-monitoring-agent.md
-  - name: Update Management (Retired)
-    items:
-    - name: Enable
-    - name: Manage updates for your VMs
-    - name: Disable
-    - name: Troubleshoot
   - name: Scenarios
     items:
     - name: Send an email from a runbook
 
@@ -17,12 +17,7 @@ Azure App Configuration [encrypts sensitive information at rest](../security/fun
 Azure App Configuration encrypts sensitive information at rest by using a 256-bit AES encryption key provided by Microsoft. Every App Configuration instance has its own encryption key managed by the service and used to encrypt sensitive information. Sensitive information includes the values found in key-value pairs. When the customer-managed key capability is enabled, App Configuration uses a managed identity assigned to the App Configuration instance to authenticate with Microsoft Entra ID. The managed identity then calls Azure Key Vault and wraps the App Configuration instance's encryption key. The wrapped encryption key is then stored, and the unwrapped encryption key is cached within App Configuration for one hour. Every hour, the App Configuration refreshes the unwrapped version of the App Configuration instance's encryption key. This process ensures availability under normal operating conditions.
 
 > [!IMPORTANT]
-> If the identity assigned to the App Configuration instance is no longer authorized to unwrap the instance's encryption key, or if the managed key is permanently deleted, then it will no longer be possible to decrypt sensitive information stored in the App Configuration instance. By using Azure Key Vault's [soft delete](/azure/key-vault/general/soft-delete-overview) function, you mitigate the chance of accidentally deleting your encryption key.
-
-When users enable the customer-managed key capability on their Azure App Configuration instance, they control the service’s ability to access their sensitive information. The managed key serves as a root encryption key. Users can revoke their App Configuration instance’s access to their managed key by changing their key vault access policy. When this access is revoked, App Configuration will lose the ability to decrypt user data within one hour. At this point, the App Configuration instance will forbid all access attempts. This situation is recoverable by granting the service access to the managed key once again. Within one hour, App Configuration will be able to decrypt user data and operate under normal conditions.
-
-> [!NOTE]
-> All Azure App Configuration data is stored for up to 24 hours in an isolated backup. This includes the unwrapped encryption key. This data isn't immediately available to the service or service team. In the event of an emergency restore, Azure App Configuration will revoke itself again from the managed key data.
+> If the identity assigned to the App Configuration instance is no longer authorized to unwrap the instance's encryption key, or if the managed key is permanently deleted, or if the managed key version in use becomes expired, then it will no longer be possible to decrypt sensitive information stored in the App Configuration instance. By using Azure Key Vault's [soft delete](/azure/key-vault/general/soft-delete-overview) function, you mitigate the chance of accidentally deleting your encryption key. By omitting key version when configuring managed key encryption and setting up [key auto-rotation](/azure/key-vault/keys/how-to-configure-key-rotation) in key vault, you mitigate the possibility of the underlying managed key expiring.
 
 ## Requirements
 
@@ -40,7 +35,7 @@ After these resources are configured, use the following steps so that the Azure
     * For Key Vault's with [Azure RBAC](/azure/key-vault/general/rbac-guide) enabled, assign the identity the `Key Vault Crypto Service Encryption User` role on the target Key Vault.
     * For Key Vault's using access policy authorization, grant the identity `GET`, `WRAP`, and `UNWRAP` permissions in the target Key Vault's access policy.
 
-## Enable customer-managed key encryption for your App Configuration store
+## Enable customer-managed key encryption
 
 1. [Create an App Configuration store](./quickstart-azure-app-configuration-create.md) in the Standard or Premium tier if you don't have one.
 
@@ -102,16 +97,64 @@ After these resources are configured, use the following steps so that the Azure
 1. Now that the Azure App Configuration instance can access the managed key, we can enable the customer-managed key capability in the service by using the Azure CLI. Recall the following properties recorded during the key creation steps: `key name` `key vault URI`.
 
     ```azurecli
-    az appconfig update -g contoso-resource-group -n contoso-app-config --encryption-key-name key-name --encryption-key-version key-version --encryption-key-vault key-vault-Uri
+    az appconfig update -g contoso-resource-group -n contoso-app-config --encryption-key-name key-name --encryption-key-vault key-vault-Uri
     ```
 
     The command uses system-assigned managed identity to authenticate with the key vault by default. 
 
     > [!NOTE]
-    > When using a user-assigned managed identity to access the customer managed key, you can specify its client ID explicitly by adding `--identity-client-id <client ID of your user assigned identity>` to the command.
+    > When using a user-assigned managed identity to access the customer-managed key, you can specify its client ID explicitly by adding `--identity-client-id <client ID of your user assigned identity>` to the command.
 
 Your Azure App Configuration instance is now configured to use a customer-managed key stored in Azure Key Vault.
 
+## Disable customer-managed key encryption
+
+1. Ensure the current customer-managed key is valid and operational. App Configuration needs to decrypt existing data with the current key before reverting to Microsoft-managed keys. If the current key has expired or its access has been revoked, you must first restore access to that key.
+
+2. Use the Azure CLI to update your App Configuration instance and remove the customer-managed key configuration. Replace `contoso-resource-group` and `contoso-app-config` with the appropriate values for your setup.
+
+    ```azurecli
+    az appconfig update -g contoso-resource-group -n contoso-app-config --encryption-key-name ""
+    ```
+
+    This command removes the customer-managed key configuration from your App Configuration instance.
+
+3. Verify that the customer-managed key configuration has been removed by checking the properties of your App Configuration instance.
+
+    ```azurecli
+    az appconfig show -g contoso-resource-group -n contoso-app-config --query "encryption"
+    ```
+
+    The output should show that the `encryption.keyVaultProperties` property is set to `null`.
+
+Your Azure App Configuration instance is now configured to use Microsoft managed keys for encryption.
+
+> [!NOTE]
+> Disabling customer-managed key encryption will revert your App Configuration instance to use Microsoft managed keys. Ensure that this change aligns with your organization's security policies and compliance requirements.
+
+## Access Revocation
+
+When users enable the customer-managed key capability on their Azure App Configuration instance, they control the service’s ability to access their sensitive information. The managed key serves as a root encryption key. Users can revoke their App Configuration instance’s access to their managed key by changing their key vault access policy. When this access is revoked, App Configuration will lose the ability to decrypt user data within one hour. At this point, the App Configuration instance will forbid all access attempts. This situation is recoverable by granting the service access to the managed key once again. Within one hour, App Configuration will be able to decrypt user data and operate under normal conditions.
+
+> [!NOTE]
+> All Azure App Configuration data is stored for up to 24 hours in an isolated backup. This includes the unwrapped encryption key. This data isn't immediately available to the service or service team. In the event of an emergency restore, Azure App Configuration will revoke itself again from the managed key data.
+
+## Key Rotation
+
+When customer-managed key is configured on an App Configuration instance it is necessary to periodically rotate the managed key to ensure that it never expires. It's important to note that for a successful key rotation, the current key must be valid and operational. If the current key has already expired or App Configuration's access to it has been revoked, the App Configuration instance will not be able to decrypt data, making rotation impossible. [Key vault key auto-rotation](/azure/key-vault/keys/how-to-configure-key-rotation) can be configured to avoid the need to manually rotate encryption keys, and thus ensure that the latest version of a key remains valid. When relying on key vault key auto-rotation, you should ensure your App Configuration instance's managed key configuration does not reference a specific key version. Omitting the version allows App Configuration to always move to the latest version of the key vault key when an auto-rotation is performed. Failure to rotate the managed key can be considered a security concern, but additionally a lack of rotation can result in loss of access to the App Configuration instance. This is due to the fact that if the managed key version in use expires, then App Configuration will not be able to decrypt data.
+
+To recap, the following best practices are encouraged:
+
+* Enable [key vault key auto-rotation](/azure/key-vault/keys/how-to-configure-key-rotation) for your managed key.
+* Omit using a specific version of a key vault key when setting up customer-managed key encryption.
+
+### Versioned vs versionless keys
+
+Setting up customer-managed key encryption requires passing an identifier of a key in key vault. A key vault key identifier may or may not contain a version. Our recommendation is to omit version when configuring customer-managed key encryption to enable auto-rotation. Using a versioned key should be considered carefully as failure to manually rotate will result in loss of access to the App Configuration instance if the key version in question expires.
+
+* Versionless key identifier example: `https://{my key vault}.vault.azure.net/keys/{key-name}`
+* Versioned key identifier example (not recommended): `https://{my key vault}.vault.azure.net/keys/{key-name}/{key-version}`
+
 ## Next Steps
 
 In this article, you configured your Azure App Configuration instance to use a customer-managed key for encryption. To learn more about how to integrate your app service with Azure managed identities, continue to the next step.
 
@@ -34,7 +34,7 @@ Output from the Radiology insights service doesn't reflect the opinions of Micro
 
 
 > [!IMPORTANT]
-> The Radiology Insights model is a capability provided “AS IS” and “WITH ALL FAULTS”. The Radiology insights service is not intended, designed, or made available: (i) as a medical device, (ii) to be used in the diagnosis, cure, mitigation, monitoring, treatment or prevention of a disease, condition or illness, and no license or right is granted by Microsoft to use the healthcare add-on or online services for such purposes, and (iii) to be a substitute for professional medical advice, diagnosis, treatment, or judgment and should not be used to replace or as a substitute for professional medical advice, diagnosis, treatment, or judgment. The customer is solely responsible for testing and evaluating whether Radiology Insights is fit for purpose and identifying and mitigating any risks or harms to end users associated with its use. Output from the Radiology insights service does not reflect the opinions of Microsoft. The accuracy and reliability of the information provided by the Radiology insights service may vary and are not guaranteed.
+> The Radiology Insights model is a capability provided “AS IS” and “WITH ALL FAULTS”. The Radiology insights service isn't intended, designed, or made available: (i) as a medical device, (ii) to be used in the diagnosis, cure, mitigation, monitoring, treatment or prevention of a disease, condition or illness, and no license or right is granted by Microsoft to use the healthcare add-on or online services for such purposes, and (iii) to be a substitute for professional medical advice, diagnosis, treatment, or judgment and should not be used to replace or as a substitute for professional medical advice, diagnosis, treatment, or judgment. The customer is solely responsible for testing and evaluating whether Radiology Insights is fit for purpose and identifying and mitigating any risks or harms to end users associated with its use. Output from the Radiology insights service does not reflect the opinions of Microsoft. The accuracy and reliability of the information provided by the Radiology insights service may vary and are not guaranteed.
 
 
 <!--- The Radiology Insights model is a capability provided “AS IS” and “WITH ALL FAULTS”. The Radiology Insights model isn't intended or made available for use as a medical device, clinical support, diagnostic tool, or other technology intended to be used in the diagnosis, cure, mitigation, treatment, or prevention of disease or other conditions, and no license or right is granted by Microsoft to use this capability for such purposes. This capability isn't designed or intended to be implemented or deployed as a substitute for professional medical advice or healthcare opinion, diagnosis, treatment, or the clinical judgment of a healthcare professional, and should not be used as such. The customer is solely responsible for any use of the Radiology Insights model. The customer is responsible for ensuring compliance with those license terms, including any geographic or other applicable restrictions.
@@ -75,6 +75,18 @@ The insights can be used to guide improvement efforts, minimize errors, and impr
 
 The Radiology Insights model isn't creating dashboards but delivers extracted information. The information can be aggregated by a user for research and administrative purposes. The model is stateless.
 
+**Quality Measures: Compliance with Reimbursement Criteria in Healthcare Programs**: A healthcare organization needs to ensure compliance with evolving reimbursement programs, such as the Merit-based Incentive Payment System (MIPS) established under the MACRA act. The organization must meet specific performance criteria to qualify for reimbursement incentives or avoid penalties.
+
+The organization aggregates the appropriate Quality Measure criteria from its clinical and administrative data. The organization automates the tracking and reporting of these criteria, the system supports compliance with reimbursement requirements, reducing manual effort and ensuring accurate reporting to Medicare. The RI model is not creating dashboards but delivers extracted information, not deduced, to be aggregated by the customer. The model is stateless.
+
+**Scoring and Assessment: Population Health Management through Radiology Insights**: A healthcare provider seeks to improve population health management by identifying individuals or patient groups in need of additional screening or preventative services. The organization wants to extract valuable insights from radiology reports to improve patient outcomes.
+
+Scores and values are then aggregated to identify trends, establish baselines, and flag individuals or groups that could benefit from further screening or preventative care. The system helps clinicians proactively manage patient populations, improving preventative care while reducing the likelihood of future complications.
+
+**Clinical Guidance for the Radiologist**: Radiologists frequently need to reference specific clinical guidelines when documenting findings in their reports. However, missing or incomplete information can delay access to these guidelines and its recommendations, potentially impacting the accuracy of their reports.
+
+Radiology Insights automatically highlights documented findings in the radiology report that are relevant to the applicable clinical guidelines and its candidate recommendations. If key information is missing, which could affect the recommendation outcome of a clinical guideline, the system flags these gaps. This proactive approach ensures that radiologists have immediate access to the necessary guidelines information, enhancing the accuracy and completeness of their reports.
+
 ## Language support
 
 The service currently supports the English language.