
Commit d8506f6

committed
Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into nw-grafana-sfi
2 parents 5664d75 + aba23b1 commit d8506f6


698 files changed

+3909
-1650
lines changed


articles/app-service/configure-authentication-provider-aad.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -74,7 +74,7 @@ Either:
7474
- Select **Provide the details of an existing app registration** and provide:
7575
- Application (client) ID.
7676
- Client secret (recommended). A secret value that the application uses to prove its identity when requesting a token. This value is saved in your app's configuration as a slot-sticky application setting named `MICROSOFT_PROVIDER_AUTHENTICATION_SECRET`. If the client secret isn't set, sign-in operations from the service use the OAuth 2.0 implicit grant flow, which *isn't* recommended.
77-
- Issuer URL, which takes the form `<authentication-endpoint>/<tenant-id>/v2.0`. Replace `<authentication-endpoint>` with the authentication endpoint [value specific to the cloud environment](/entra/identity-platform/authentication-national-cloud#azure-ad-authentication-endpoints). For example, a workforce tenant in global Azure would use "https://login.microsoftonline.com" as its authentication endpoint.
77+
- Issuer URL, which takes the form `<authentication-endpoint>/<tenant-id>/v2.0`. Replace `<authentication-endpoint>` with the authentication endpoint [value specific to the cloud environment](/entra/identity-platform/authentication-national-cloud#azure-ad-authentication-endpoints). For example, a workforce tenant in global Azure would use "https://sts.windows.net" as its authentication endpoint.
7878

7979
If you need to manually create an app registration in a workforce tenant, follow the [register an application](/entra/identity-platform/quickstart-register-app) quickstart. As you go through the registration process, be sure to note the application (client) ID and client secret values.
8080
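Review bot: the example at new line 77 pairs `https://sts.windows.net` with the `<authentication-endpoint>/<tenant-id>/v2.0` template in the same sentence, but `sts.windows.net` is the issuer host found in v1.0 tokens (`https://sts.windows.net/<tenant-id>/`), while the `/v2.0` issuer path belongs to `https://login.microsoftonline.com`, the value the previous text used. If the intent is to document the v1.0 issuer form that App Service authentication also accepts, say so and show that form; otherwise the old example matched the template. An issuer URL that doesn't match the `iss` claim of the tokens the app actually receives makes sign-in fail at token validation, so the example needs to be one that works against the linked cloud-endpoint table.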

articles/app-service/configure-ssl-certificate.md

Lines changed: 0 additions & 3 deletions
@@ -136,9 +136,6 @@ If you use Azure Key Vault to manage your certificates, you can import a PKCS12
136136

137137
By default, the App Service resource provider doesn't have access to your key vault. To use a key vault for a certificate deployment, you must authorize read access for the resource provider (App Service) to the key vault. You can grant access either with access policy or RBAC.
138138

139-
> [!NOTE]
140-
> Currently, the Azure portal does not allow you to configure an App Service certificate in Key Vault to use the RBAC model. You can, however, use Azure CLI, Azure PowerShell, or an ARM template deployment to perform this configuration.
141-
142139
### [RBAC permissions](#tab/RBAC)
143140
| Resource provider | Service principal app ID / assignee | Key vault RBAC role |
144141
|--|--|--|
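Review bot: deleting the note at old lines 139-141 removes the statement that the portal cannot configure an App Service certificate in Key Vault for the RBAC model, but nothing in the remaining text says the portal now supports it. If the limitation is gone, the RBAC tab should say so (or show the portal steps) so readers who remember the old note know the path is available; if it still applies, the note should stay. Leaving it implicit means readers who try RBAC in the portal and fail have no hint to switch to CLI, PowerShell or an ARM template as the old note advised.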

articles/app-service/deploy-staging-slots.md

Lines changed: 2 additions & 2 deletions
@@ -108,13 +108,13 @@ When you swap two slots (usually from a staging slot *as the source* into the pr
108108
- [Continuous deployment](deploy-continuous-deployment.md) settings, if enabled.
109109
- [App Service authentication](overview-authentication-authorization.md) settings, if enabled.
110110

111-
Any of these cases trigger all instances in the source slot to restart. During [swap with preview](#Multi-Phase), this marks the end of the first phase. The swap operation is paused, and you can validate that the source slot works correctly with the target slot's settings.
111+
When any of the settings is applied to the source slot, the change triggers all instances in the source slot to restart. During [swap with preview](#Multi-Phase), this marks the end of the first phase. The swap operation is paused, and you can validate that the source slot works correctly with the target slot's settings.
112112

113113
1. Wait for every instance in the source slot to complete its restart. If any instance fails to restart, the swap operation reverts all changes to the source slot and stops the operation.
114114

115115
1. If [local cache](overview-local-cache.md) is enabled, trigger local cache initialization by making an HTTP request to the application root ("/") on each instance of the source slot. Wait until each instance returns any HTTP response. Local cache initialization causes another restart on each instance.
116116

117-
1. If [auto swap](#Auto-Swap) is enabled with [custom warm-up](#Warm-up), trigger [Application Initiation](/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization) by making an HTTP request to the application root ("/") on each instance of the source slot.
117+
1. If [auto swap](#Auto-Swap) is enabled with [custom warm-up](#Warm-up), trigger the custom [Application Initiation](/iis/get-started/whats-new-in-iis-8/iis-80-application-initialization) on each instance of the source slot.
118118

119119
If `applicationInitialization` isn't specified, trigger an HTTP request to the application root of the source slot on each instance.
120120
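Review bot: the link text at new line 117, "Application Initiation", doesn't match the feature name in the link target (`iis-80-application-initialization`) or the `applicationInitialization` element referenced at line 119; it should read "Application Initialization". The rewritten step also drops how the warm-up is triggered (the old text said an HTTP request to the application root on each instance), so the fallback sentence at line 119 now stands alone; keep a phrase such as "by requesting the pages configured in `applicationInitialization` on each instance of the source slot" so the step remains actionable. The grammar fix at line 111 ("When any of the settings is applied to the source slot") reads fine.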

articles/app-service/overview-authentication-authorization.md

Lines changed: 16 additions & 5 deletions
@@ -157,19 +157,30 @@ If you don't need to work with tokens in your app, you can disable the token sto
157157

158158
If you [enable application logging](troubleshoot-diagnostic-logs.md), you will see authentication and authorization traces directly in your log files. If you see an authentication error that you didn't expect, you can conveniently find all the details by looking in your existing application logs. If you enable [failed request tracing](troubleshoot-diagnostic-logs.md), you can see exactly what role the authentication and authorization module may have played in a failed request. In the trace logs, look for references to a module named `EasyAuthModule_32/64`.
159159

160-
### Considerations when using Azure Front Door
160+
### Cross-site request forgery mitigation
161161

162-
When using Azure App Service with Easy Auth behind Azure Front Door or other reverse proxies, a few additional things have to be taken into consideration.
162+
App Service authentication mitigates CSRF by inspecting client requests for the following conditions:
163163

164-
1) Disable Caching for the authentication workflow
164+
- It's a POST request that authenticated using a session cookie.
165+
- The request came from a known browser (as determined by the HTTP `User-Agent` header).
166+
- The HTTP `Origin` or HTTP `Referer` header is missing or is not in the configured list of approved external domains for redirection.
167+
- The HTTP `Origin` header is missing or is not in the configured list of CORS origins.
168+
169+
When a request fulfills all these conditions, App Service authentication automatically rejects it. You can workaround this mitigation logic by adding your external domain to the redirect list to **Authentication** > **Edit authentication settings** > **Allowed external redirect URLs**.
170+
171+
## Considerations when using Azure Front Door
172+
173+
When using Azure App Service with authentication behind Azure Front Door or other reverse proxies, a few additional things have to be taken into consideration.
174+
175+
- Disable caching for the authentication workflow.
165176

166177
See [Disable cache for auth workflow](../static-web-apps/front-door-manual.md#disable-cache-for-auth-workflow) to learn more on how to configure rules in Azure Front Door to disable caching for authentication and authorization-related pages.
167178

168-
2) Use the Front Door endpoint for redirects
179+
- Use the Front Door endpoint for redirects.
169180

170181
App Service is usually not accessible directly when exposed via Azure Front Door. This can be prevented, for example, by exposing App Service via Private Link in Azure Front Door Premium. To prevent the authentication workflow to redirect traffic back to App Service directly, it is important to configure the application to redirect back to `https://<front-door-endpoint>/.auth/login/<provider>/callback`.
171182

172-
3) Ensure that App Service is using the right redirect URI
183+
- Ensure that App Service is using the right redirect URI
173184

174185
In some configurations, the App Service is using the App Service FQDN as the redirect URI instead of the Front Door FQDN. This will lead to an issue when the client is being redirected to App Service instead of Front Door. To change that, the `forwardProxy` setting needs to be set to `Standard` to make App Service respect the `X-Forwarded-Host` header set by Azure Front Door.
175186
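Review bot: the two CSRF conditions at new lines 166-167 read as near-duplicates, and because line 169 says a request is rejected only when it "fulfills all these conditions", the text as written means a request is rejected only if its `Origin` is absent from both the allowed external redirect list and the CORS origins; state plainly that either list exempts the request. Wording at line 169: "workaround" is a noun, use "work around"; "adding your external domain to the redirect list to **Authentication** > ..." should be "under **Authentication** > ...". Since that same list controls where post-sign-in redirects may go, one sentence saying that only domains the app owner controls belong in it would keep readers from widening the list just to silence the rejection. Heading levels also drift: the new `### Cross-site request forgery mitigation` is a subsection while `## Considerations when using Azure Front Door` at line 171 was promoted from `###`; sibling topics should share a level. Minor: the third bullet at line 183 lacks the trailing period the other two have, and "To prevent the authentication workflow to redirect" at line 181 should be "from redirecting".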

articles/app-service/overview-managed-identity.md

Lines changed: 4 additions & 4 deletions
@@ -259,7 +259,7 @@ The principalId is a unique identifier for the identity that's used for Microsof
259259
You may need to configure the target resource to allow access from your app or function. For example, if you [request a token](#connect-to-azure-services-in-app-code) to access Key Vault, you must also add an access policy that includes the managed identity of your app or function. Otherwise, your calls to Key Vault will be rejected, even if you use a valid token. The same is true for Azure SQL Database. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication).
260260

261261
> [!IMPORTANT]
262-
> The back-end services for managed identities maintain a cache per resource URI for around 24 hours. If you update the access policy of a particular target resource and immediately retrieve a token for that resource, you may continue to get a cached token with outdated permissions until that token expires. There's currently no way to force a token refresh.
262+
> The back-end services for managed identities maintain a cache per resource URI for around 24 hours. This means that it can take several hours for changes to a managed identity's group or role membership to take effect. Today, it is not possible to force a managed identity's token to be refreshed before its expiry. If you change a managed identity’s group or role membership to add or remove permissions, you may therefore need to wait several hours for the Azure resource using the identity to have the correct access. For alternatives to groups or role memberships, see [Limitation of using managed identities for authorization](/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations).
263263
264264
## Connect to Azure services in app code
265265
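Review bot: the rewritten note at line 262 narrows the warning to group and role membership, which is what a cached token actually carries, but a reader arriving from the access-policy paragraph at line 259 is left unsure whether a Key Vault access-policy change is also subject to the 24-hour token cache. One sentence distinguishing the two cases (membership changes reflected in the token wait for a fresh token; changes to the target resource's own policy take effect on the resource side) would remove the ambiguity the old wording created rather than just dropping the example. Also, "identity’s" uses a curly apostrophe where the rest of the file uses straight ones, and "This means that it can take several hours ..." and "you may therefore need to wait several hours ..." state the same delay twice; one is enough.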

@@ -269,12 +269,12 @@ App Service and Azure Functions provide an internally accessible [REST endpoint]
269269

270270
# [HTTP GET](#tab/http)
271271

272-
A raw HTTP GET request looks like the following example:
272+
A raw HTTP GET request uses the [two supplied environment variables](#rest-endpoint-reference) and looks like the following example:
273273

274274
```http
275275
GET /MSI/token?resource=https://vault.azure.net&api-version=2019-08-01 HTTP/1.1
276-
Host: localhost:4141
277-
X-IDENTITY-HEADER: 853b9a84-5bfa-4b22-a3f3-0b9a43d9ad8a
276+
Host: <ip-address-:-port-in-IDENTITY_ENDPOINT>
277+
X-IDENTITY-HEADER: <value-of-IDENTITY_HEADER>
278278
```
279279

280280
And a sample response might look like the following:
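Review bot: the placeholders at new lines 276-277 are the right fix for the hard-coded port and header value, but `<ip-address-:-port-in-IDENTITY_ENDPOINT>` is hard to read; since `IDENTITY_ENDPOINT` is a full URL whose path is also what the `GET /MSI/token?...` request line at line 275 uses, write `Host: <host:port portion of IDENTITY_ENDPOINT>` and say in the lead-in sentence at line 272 that both the request path and the `Host` value come from it. The old sample's concrete `X-IDENTITY-HEADER` value looked real; a short remark that the header value is specific to the running instance and must never be copied from a sample would stop readers from pasting the placeholder literally.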

articles/app-service/reference-app-settings.md

Lines changed: 2 additions & 2 deletions
@@ -2,7 +2,7 @@
22
title: Environment variables and app settings reference
33
description: Describes the commonly used environment variables, and which ones can be modified with app settings.
44
ms.topic: article
5-
ms.date: 09/27/2024
5+
ms.date: 10/16/2024
66
author: cephalin
77
ms.author: cephalin
88
---
@@ -375,7 +375,7 @@ WEBSITE_DISABLE_PRELOAD_HANG_MITIGATION
375375
| Setting name| Description | Example |
376376
|-|-|-|
377377
| `WEBSITE_HTTPLOGGING_ENABLED` | Read-only. Shows whether the web server logging for Windows native apps is enabled (`1`) or not (`0`). ||
378-
| `WEBSITE_HTTPLOGGING_RETENTION_DAYS` | Retention period in days of web server logs for Windows native apps, if web server logs are enabled. | `10` |
378+
| `WEBSITE_HTTPLOGGING_RETENTION_DAYS` | Retention period in days of web server logs, if web server logs are enabled for a Windows native or Linux app. | `10` |
379379
| `WEBSITE_HTTPLOGGING_CONTAINER_URL` | SAS URL of the blob storage container to store web server logs for Windows native apps, if web server logs are enabled. If not set, web server logs are stored in the app's file system (default shared storage). | |
380380
| `DIAGNOSTICS_AZUREBLOBRETENTIONINDAYS` | Retention period in days of application logs for Windows native apps, if application logs are enabled. | `10` |
381381
| `DIAGNOSTICS_AZUREBLOBCONTAINERSASURL` | SAS URL of the blob storage container to store application logs for Windows native apps, if application logs are enabled. | |
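Review bot: the row at line 378 now says web server log retention applies to "a Windows native or Linux app", but the adjacent rows `WEBSITE_HTTPLOGGING_ENABLED` (line 377) and `WEBSITE_HTTPLOGGING_CONTAINER_URL` (line 379) still say "Windows native apps" only, so the table reads as self-contradictory: a Linux app supposedly has a retention setting for logs it cannot enable or ship. If Linux apps honour `WEBSITE_HTTPLOGGING_RETENTION_DAYS`, check whether `WEBSITE_HTTPLOGGING_ENABLED` is set for them too and scope all three rows consistently.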

articles/app-service/tutorial-connect-msi-sql-database.md

Lines changed: 1 addition & 1 deletion
@@ -209,7 +209,7 @@ The steps you follow for your project depends on whether you're using [Entity Fr
209209
Next, you configure your App Service app to connect to SQL Database with a system-assigned managed identity.
210210
211211
> [!NOTE]
212-
> While the instructions in this section are for a system-assigned identity, a user-assigned identity can just as easily be used. To do this. you would need the change the `az webapp identity assign command` to assign the desired user-assigned identity. Then, when creating the SQL user, make sure to use the name of the user-assigned identity resource rather than the site name.
212+
> The instructions in this section are for a system-assigned identity, To use a user-assigned identity, see [Tutorial: Connect to Azure databases from App Service without secrets using a managed identity](tutorial-connect-msi-azure-database.md).
213213
214214
### Enable managed identity on app
215215
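Review bot: the new note at line 212 has a comma splice: "... are for a system-assigned identity, To use a user-assigned identity, see ..." needs a period (or semicolon) before "To". Pointing to the dedicated tutorial is a good replacement for the old inline instructions, which carried their own typos ("To do this. you would need the change the"), so nothing else from the removed text needs to return.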

articles/application-gateway/application-gateway-backend-health-troubleshooting.md

Lines changed: 2 additions & 2 deletions
@@ -48,14 +48,14 @@ BackendAddressPools :
4848
BackendAddressPoolsText : [
4949
{
5050
"BackendAddressPool": {
51-
"Id": "/subscriptions/536d30b8-665b-40fc-bd7e-68c65f816365/resourceGroups/rgOne/providers/Microsoft.Network/applicationGateways/appgw1/b
51+
"Id": "/subscriptions/aaaa0000-bb11-2222-33cc-444444dddddd/resourceGroups/rgOne/providers/Microsoft.Network/applicationGateways/appgw1/b
5252
ackendAddressPools/appGatewayBackendPool"
5353
},
5454
"BackendHttpSettingsCollection": [
5555
{
5656
"BackendHttpSettings": {
5757
"TrustedRootCertificates": [],
58-
"Id": "/subscriptions/536d30b8-665b-40fc-bd7e-68c65f816365/resourceGroups/rgOne/providers/Microsoft.Network/applicationGateways/appg
58+
"Id": "/subscriptions/aaaa0000-bb11-2222-33cc-444444dddddd/resourceGroups/rgOne/providers/Microsoft.Network/applicationGateways/appg
5959
w1/backendHttpSettingsCollection/appGatewayBackendHttpSettings"
6060
},
6161
"Servers": [

articles/application-gateway/for-containers/application-gateway-for-containers-components.md

Lines changed: 2 additions & 2 deletions
@@ -5,7 +5,7 @@ services: application-gateway
55
author: greglin
66
ms.service: azure-appgw-for-containers
77
ms.topic: conceptual
8-
ms.date: 5/9/2024
8+
ms.date: 10/15/2024
99
ms.author: greglin
1010
---
1111

@@ -100,7 +100,7 @@ Application Gateway for Containers inserts three extra headers to all requests b
100100

101101
**x-forwarded-proto** returns the protocol received by Application Gateway for Containers from the client. The value is either http or https.
102102

103-
**x-request-id** is a unique guid generated by Application Gateway for Containers for each client request and presented in the forwarded request to the backend target. The guid consists of 32 alphanumeric characters, separated by dashes (for example: d23387ab-e629-458a-9c93-6108d374bc75). This guid can be used to correlate a request received by Application Gateway for Containers and initiated to a backend target as defined in access logs.
103+
**x-request-id** is a unique guid generated by Application Gateway for Containers for each client request and presented in the forwarded request to the backend target. The guid consists of 32 alphanumeric characters, separated by dashes (for example: aaaa0000-bb11-2222-33cc-444444dddddd). This guid can be used to correlate a request received by Application Gateway for Containers and initiated to a backend target as defined in access logs.
104104

105105
## Request timeouts
106106
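Review bot: the replacement value at line 103 fits the stated format, but the sentence around it describes the ID as "32 alphanumeric characters, separated by dashes", while the example (and GUIDs in general) consist of hexadecimal digits only; "32 hexadecimal characters in five dash-separated groups" is more precise and is what anyone writing a log-correlation regex for `x-request-id` needs to know. "guid" should be "GUID" in both sentences.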

articles/application-gateway/for-containers/quickstart-deploy-application-gateway-for-containers-alb-controller.md

Lines changed: 1 addition & 1 deletion
@@ -141,7 +141,7 @@ You need to complete the following tasks before deploying Application Gateway fo
141141
ALB Controller can be installed by running the following commands:
142142
143143
```azurecli-interactive
144-
HELM_NAMESPACE='<your cluster name>'
144+
HELM_NAMESPACE='<namespace for deployment>'
145145
CONTROLLER_NAMESPACE='azure-alb-system'
146146
az aks get-credentials --resource-group $RESOURCE_GROUP --name $AKS_NAME
147147
helm install alb-controller oci://mcr.microsoft.com/application-lb/charts/alb-controller \
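Review bot: the new placeholder at line 144 fixes a misleading value, but the block now defines both `HELM_NAMESPACE` and `CONTROLLER_NAMESPACE='azure-alb-system'` without saying how they differ, and the visible `helm install alb-controller ...` line doesn't show where `HELM_NAMESPACE` is consumed. A one-line comment above each variable (the namespace the Helm release is recorded in, versus the namespace the controller's pods run in) would save readers from guessing which one to change.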
