Commit fe0f3a6

Merge pull request #268916 from MaryMichael-MS/13MarMigrateImp
Updated content.
2 parents 02db52a + 4cd2932 commit fe0f3a6

5 files changed

+60
-26
lines changed

articles/migrate/add-server-credentials.md

Lines changed: 12 additions & 12 deletions
Original file line number | Diff line number | Diff line change
@@ -1,6 +1,6 @@
11
---
22
title: Provide server credentials to discover software inventory, dependencies, web apps, and SQL Server instances and databases
3-
description: Learn how to provide server credentials on appliance configuration manager
3+
description: Learn how to provide server credentials on appliance configuration manager.
44
author: vikram1988
55
ms.author: vibansa
66
ms.manager: abhemraj
@@ -12,28 +12,28 @@ ms.custom: engagement-fy24
1212

1313
# Provide server credentials to discover software inventory, dependencies, web apps, and SQL Server instances and databases
1414

15-
Follow this article to learn how to add multiple server credentials on the appliance configuration manager to perform software inventory (discover installed applications), agentless dependency analysis, and discover web apps, SQL Server instances and databases.
15+
Follow this article to learn how to add multiple server credentials on the appliance configuration manager to perform software inventory (discover installed applications), agentless dependency analysis, and discover web apps, SQL Server instances, and databases.
1616

1717
The [Azure Migrate appliance](migrate-appliance.md) is a lightweight appliance used by Azure Migrate: Discovery and assessment to discover on-premises servers and send server configuration and performance metadata to Azure. The appliance can also be used to perform software inventory, agentless dependency analysis and discover of web app, and SQL Server instances and databases.
1818

1919
> [!Note]
2020
> Currently, the discovery of ASP.NET web apps is only available in the appliance used for discovery and assessment of servers running in a VMware environment.
2121
22-
If you want to use these features, you can provide server credentials by following the steps below. For servers running on vCenter Server(s) and Hyper-V host(s)/cluster(s), the appliance will attempt to automatically map the credentials to the servers to perform the discovery features.
22+
If you want to use these features, you can provide server credentials by performing the following steps. For servers running on vCenter Server(s) and Hyper-V host(s)/cluster(s), the appliance will attempt to automatically map the credentials to the servers to perform the discovery features.
2323

2424
## Add server credentials
2525

2626
### Types of server credentials supported
2727

28-
You can add multiple server credentials on the appliance configuration manager, which can be domain, non-domain (Windows or Linux) or SQL Server authentication credentials.
28+
You can add multiple server credentials on the appliance configuration manager, which can be domain, nondomain (Windows or Linux) or SQL Server authentication credentials.
2929

3030
The types of server credentials supported are listed in the table below:
3131

3232
Type of credentials | Description
3333
--- | ---
34-
**Domain credentials** | You can add **Domain credentials** by selecting the option from the drop-down in the **Add credentials** modal. <br/><br/> To provide domain credentials, you need to specify the **Domain name** which must be provided in the FQDN format (for example, prod.corp.contoso.com). <br/><br/> You also need to specify a friendly name for credentials, username, and password. It's recommended to provide the credentials in the UPN format, for example, [email protected]. <br/><br/> The domain credentials added will be automatically validated for authenticity against the Active Directory of the domain. This is to prevent any account lockouts when the appliance attempts to map the domain credentials against discovered servers. <br/><br/> To validate the domain credentials with the domain controller, the appliance should be able to resolve the domain name. Ensure that you've provided the correct domain name while adding the credentials else the validation will fail.<br/><br/> The appliance won't attempt to map the domain credentials that have failed validation. You need to have at least one successfully validated domain credential or at least one non-domain credential to start the discovery.<br/><br/>The domain credentials mapped automatically against the Windows servers will be used to perform software inventory and can also be used to discover web apps, and SQL Server instances and databases _(if you've configured Windows authentication mode on your SQL Servers)_.<br/> [Learn more](/dotnet/framework/data/adonet/sql/authentication-in-sql-server) about the types of authentication modes supported on SQL Servers.
34+
**Domain credentials** | You can add **Domain credentials** by selecting the option from the drop-down in the **Add credentials** modal. <br/><br/> To provide domain credentials, you need to specify the **Domain name** which must be provided in the Fully Qualified Domain Name (FQDN) format (for example, prod.corp.contoso.com). <br/><br/> You also need to specify a friendly name for credentials, username, and password. For physical discovery, specify the username in Down level format (domain\username) and UPN format ([email protected]) isn't supported. <br/><br/> The domain credentials added will be automatically validated for authenticity against the Active Directory of the domain. This validatoin is to prevent any account lockouts when the appliance attempts to map the domain credentials against discovered servers. <br/><br/> To validate the domain credentials with the domain controller, the appliance should be able to resolve the domain name. Ensure that you've provided the correct domain name while adding the credentials else the validation will fail.<br/><br/> The appliance won't attempt to map the domain credentials that have failed validation. You need to have at least one successfully validated domain credential or at least one nondomain credential to start the discovery.<br/><br/>The domain credentials mapped automatically against the Windows servers will be used to perform software inventory and can also be used to discover web apps, and SQL Server instances and databases _(if you've configured Windows authentication mode on your SQL Servers)_.<br/> [Learn more](/dotnet/framework/data/adonet/sql/authentication-in-sql-server) about the types of authentication modes supported on SQL Servers.
3535
**Non-domain credentials (Windows/Linux)** | You can add **Windows (Non-domain)** or **Linux (Non-domain)** by selecting the required option from the drop-down in the **Add credentials** modal. <br/><br/> You need to specify a friendly name for credentials, username, and password.
36-
**SQL Server Authentication credentials** | You can add **SQL Server Authentication** credentials by selecting the option from the drop-down in the **Add credentials** modal. <br/><br/> You need to specify a friendly name for credentials, username, and password. <br/><br/> You can add this type of credentials to discover SQL Server instances and databases running in your VMware environment, if you've configured SQL Server authentication mode on your SQL Servers.<br/> [Learn more](/dotnet/framework/data/adonet/sql/authentication-in-sql-server) about the types of authentication modes supported on SQL Servers.<br/><br/> You need to provide at least one successfully validated domain credential or at least one Windows (Non-domain) credential so that the appliance can complete the software inventory to discover SQL installed on the servers before it uses the SQL Server authentication credentials to discover the SQL Server instances and databases.
36+
**SQL Server Authentication credentials** | You can add **SQL Server Authentication** credentials by selecting the option from the drop-down in the **Add credentials** modal. <br/><br/> You need to specify a friendly name for credentials, username, and password. <br/><br/> You can add this type of credentials to discover SQL Server instances and databases running in your VMware environment, if you've configured SQL Server authentication mode on your SQL Servers.<br/> [Learn more](/dotnet/framework/data/adonet/sql/authentication-in-sql-server) about the types of authentication modes supported on SQL Servers.<br/><br/> You need to provide at least one successfully validated domain credential or at least one Windows (Nondomain) credential so that the appliance can complete the software inventory to discover SQL installed on the servers before it uses the SQL Server authentication credentials to discover the SQL Server instances and databases.
3737

3838
Check the permissions required on the Windows/Linux credentials to perform the software inventory, agentless dependency analysis and discover web apps, and SQL Server instances and databases.
3939

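Review bot: On added line 34, the old recommendation to enter domain credentials in UPN format is replaced by a sentence that covers physical discovery only, so the row no longer says which username format to use for VMware or Hyper-V discovery; state the expected format for those cases or say that either is accepted. The new sentence is also a run-on and reads better split in two, for example "For physical discovery, specify the username in down-level format (domain\username). UPN format isn't supported." The same line has a typo, "validatoin". The hunk now uses "nondomain" in running text while the unchanged row at line 35 keeps "Non-domain"; confirm that the latter is kept because it matches the UI label.
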
@@ -43,15 +43,15 @@ The table below lists the permissions required on the server credentials provide
4343

4444
Feature | Windows credentials | Linux credentials
4545
---| ---| ---
46-
**Software inventory** | Guest user account | Regular/normal user account (non-sudo access permissions)
46+
**Software inventory** | Guest user account | Regular/normal user account (nonsudo access permissions)
4747
**Discovery of SQL Server instances and databases** | User account that is a member of the sysadmin server role or has [these permissions](migrate-support-matrix-vmware.md?tabs=businesscase&pivots=sql-server-instance-database-discovery-requirements#configure-the-custom-login-for-sql-server-discovery) for each SQL Server instance.| _Not supported currently_
48-
**Discovery of ASP.NET web apps** | Domain or non-domain (local) account with administrative permissions | _Not supported currently_
49-
**Agentless dependency analysis** | Domain or non-domain (local) account with administrative permissions | Sudo user account with permissions to execute ls and netstat commands. If you are providing a sudo user account, ensure that you have enabled **NOPASSWD** for the account to run the required commands without prompting for a password every time the sudo command is invoked. <br /><br /> Alternatively, you can create a user account that has the CAP_DAC_READ_SEARCH and CAP_SYS_PTRACE permissions on /bin/netstat and /bin/ls files, set using the following commands:<br /><code>sudo setcap CAP_DAC_READ_SEARCH,CAP_SYS_PTRACE=ep /bin/ls<br /> sudo setcap CAP_DAC_READ_SEARCH,CAP_SYS_PTRACE=ep /bin/netstat</code>
48+
**Discovery of ASP.NET web apps** | Domain or nondomain (local) account with administrative permissions | _Not supported currently_
49+
**Agentless dependency analysis** | Domain or nondomain (local) account with administrative permissions | Sudo user account with permissions to execute ls and netstat commands. When providing a sudo user account, ensure that you have enabled **NOPASSWD** for the account to run the required commands without prompting for a password every time the sudo command is invoked. <br /><br /> Alternatively, you can create a user account that has the CAP_DAC_READ_SEARCH and CAP_SYS_PTRACE permissions on /bin/netstat and /bin/ls files, set using the following commands:<br /><code>sudo setcap CAP_DAC_READ_SEARCH,CAP_SYS_PTRACE=ep /bin/ls<br /> sudo setcap CAP_DAC_READ_SEARCH,CAP_SYS_PTRACE=ep /bin/netstat</code>
5050

5151
### Recommended practices to provide credentials
5252

53-
- It's recommended to create a dedicated domain user account with the [required permissions](add-server-credentials.md#required-permissions), which is scoped to perform software inventory, agentless dependency analysis and discovery of web app, and SQL Server instances and databases on the desired servers.
54-
- It's recommended to provide at least one successfully validated domain credential or at least one non-domain credential to initiate software inventory.
53+
- We recommend you to create a dedicated domain user account with the [required permissions](add-server-credentials.md#required-permissions), which is scoped to perform software inventory, agentless dependency analysis and discovery of web app, and SQL Server instances and databases on the desired servers.
54+
- It's recommended to provide at least one successfully validated domain credential or at least one nondomain credential to initiate software inventory.
5555
- To discover SQL Server instances and databases, you can provide domain credentials, if you've configured Windows authentication mode on your SQL Servers.
5656
- You can also provide SQL Server authentication credentials if you've configured SQL Server authentication mode on your SQL Servers but it's recommended to provide at least one successfully validated domain credential or at least one Windows (Non-domain) credential so that the appliance can first complete the software inventory.
5757

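Review bot: On added line 49, the wording "create a user account that has the CAP_DAC_READ_SEARCH and CAP_SYS_PTRACE permissions on /bin/netstat and /bin/ls files" does not match what the setcap commands shown do: they set the capabilities on the binaries themselves, so every local account that runs ls or netstat gets them, not only the discovery account. Since this line is being edited anyway, reword it to say that, so readers can weigh it against the NOPASSWD sudo option. On added line 53, "We recommend you to create" should be "We recommend that you create", and line 54 still opens with "It's recommended", so the two bullets should use one form. Unchanged line 56 keeps "Windows (Non-domain)" while the rest of the hunk moves to "nondomain".
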
@@ -62,7 +62,7 @@ Feature | Windows credentials | Linux credentials
6262
- After you've added credentials, appliance attempts to automatically map the credentials to perform discovery on the respective servers.
6363
- The appliance uses the credentials automatically mapped on a server for all the subsequent discovery cycles until the credentials are able to fetch the required discovery data. If the credentials stop working, appliance again attempts to map from the list of added credentials and continue the ongoing discovery on the server.
6464
- The domain credentials added will be automatically validated for authenticity against the Active Directory of the domain. This is to prevent any account lockouts when the appliance attempts to map the domain credentials against discovered servers. The appliance won't attempt to map the domain credentials that have failed validation.
65-
- If the appliance can't map any domain or non-domain credentials against a server, you'll see "Credentials not available" status against the server in your project.
65+
- If the appliance can't map any domain or nondomain credentials against a server, you'll see "Credentials not available" status against the server in your project.
6666

6767
## Next steps
6868

articles/migrate/common-questions-appliance.md

Lines changed: 20 additions & 1 deletion
@@ -7,7 +7,7 @@ ms.manager: abhemraj
77
ms.service: azure-migrate
88
ms.topic: conceptual
99
ms.custom: engagement-fy24
10-
ms.date: 08/24/2022
10+
ms.date: 03/13/2024
1111
---
1212

1313
# Azure Migrate appliance: Common questions
@@ -165,6 +165,25 @@ Azure Migrate will encrypt the communication between Azure Migrate appliance and
165165

166166
If no certificate has been provisioned on the server when it starts up, SQL Server generates a self-signed certificate that is used to encrypt login packets. [Learn more](/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine).
167167

168+
## How do I extend the validity of Azure Migrate Appliance AD application certificate that’s nearing expiry?
169+
170+
For a newly created Migrate appliance, the default expiry period for the associated AD APP (Entra Application) will be one year. To extend the validity of the Azure AD app, follow these steps:
171+
172+
1. On the appliance VM, open an elevated privileged PowerShell Command Prompt.
173+
1. Navigate to the Config Manager installation folder:
174+
175+
```cd C:\’Program Files’\’Microsoft Azure Appliance Configuration Manager’\Scripts\PowerShell\AzureMigrateCertificateRotation ```
176+
177+
1. Execute the following script to rotate the AAD app certificate and extend its validity for an additional 6 months:
178+
179+
```PS C:\Program Files\Microsoft Azure Appliance Configuration Manager\Scripts\PowerShell\AzureMigrateCertificateRotation>.\AzureMigrateRotateCertificate.ps1```
180+
181+
1. If you want to further extend the validity, provide the numberOfMonths as a parameter to the script. For example, to extend by 12 months:
182+
183+
```PS C:\Program Files\Microsoft Azure Appliance Configuration Manager\Scripts\PowerShell\AzureMigrateCertificateRotation>.\AzureMigrateRotateCertificate.ps1 12```
184+
185+
```C:\’Program Files’\’Microsoft Azure Appliance Configuration Manager’\Scripts\PowerShell\AzureMigrateCertificateRotation```
186+
168187
## Next steps
169188

170189
Read the [Azure Migrate overview](migrate-services-overview.md).
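
Review bot: Added line 185 repeats the installation folder path as its own code span after the last step, with no sentence explaining it; it looks like a leftover and should be removed or given a lead-in. The commands on added lines 175, 179, 183 and 185 are wrapped in triple backticks on a single unindented line, which Markdown renders as inline code and which sits outside the numbered list; use indented fenced blocks tagged powershell so each command stays attached to its step. The path on lines 175 and 185 uses typographic quotes and should use straight quotes, and lines 179 and 183 include the PS prompt, so the commands can't be copied as is. Lines 170 and 177 call the same object "AD APP (Entra Application)", "Azure AD app" and "AAD app"; pick one name. Line 172 says "elevated privileged PowerShell Command Prompt", where "elevated PowerShell prompt" is enough. Line 183 passes 12 positionally for numberOfMonths; showing the parameter by name would be clearer, if the script accepts it.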

articles/migrate/migrate-support-matrix-physical.md

Lines changed: 5 additions & 2 deletions
@@ -6,7 +6,7 @@ ms.author: vibansa
66
ms.manager: abhemraj
77
ms.topic: conceptual
88
ms.service: azure-migrate
9-
ms.date: 01/12/2024
9+
ms.date: 03/13/2024
1010
ms.custom: engagement-fy23
1111
---
1212

@@ -41,7 +41,10 @@ Assessment | You can add up to 35,000 servers in a single group.<br/><br/> You c
4141

4242
## Permissions for Windows servers
4343

44-
For Windows servers, use a domain account for domain-joined servers and a local account for servers that aren't domain joined. You can create the user account in one of the following two ways.
44+
- For Windows servers, use a domain account for domain-joined servers and a local account for servers that aren't domain joined.
45+
- For physical discovery, specify the username in Down level format (domain\username) and UPN format ([email protected]) is not supported.
46+
47+
You can create the user account in one of the following two ways.
4548

4649
### Option 1
4750

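Review bot: On added line 45, the sentence joins an instruction and a restriction with "and" and is hard to parse; split it, for example "For physical discovery, specify the username in down-level format (domain\username). UPN format isn't supported." The restriction concerns domain accounts, so it fits better as part of the first bullet than as a separate one, and "is not supported" here differs from "isn't supported" in the matching sentence added to add-server-credentials.md.
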