updated text per PM feedback

ronmiab · ronmiab · commit 764afa33c998 · 2025-07-30T13:59:26.000-05:00
diff --git a/azure-local/manage/disconnected-operations-deploy.md b/azure-local/manage/disconnected-operations-deploy.md
@@ -173,9 +173,9 @@ To prepare the first machine for the disconnected operations appliance, follow t
 1. Modify your path to correct location. 
 
     If you initialized a data disk or are using a different path than C: modify the `$applianceConfigBasePath`.
-    
+
     Here's an example:
-    
+
     ```powershell
     $applianceConfigBasePath = 'D:\AzureLocalDisconnectedOperations\'
     ```
@@ -711,7 +711,7 @@ To initialize each node, follow these steps. Modify where necessary to match you
     > Nodes appear in the local portal shortly after you run the steps, and the extensions appear on the nodes a few minutes after installation.  
     >
     > You can also use the [Configurator App](../deploy/deployment-arc-register-configurator-app.md?view=azloc-2506&preserve-view=true) to initialize each node.
-    
+
 ### For fully air-gapped or disconnected deployments (where nodes have no line of sight to internet connection)
 
 To enable Azure Local to be air-gapped or deployed fully disconnected, you must do the following on each node:
@@ -757,7 +757,7 @@ Follow these steps to create an Azure Local instance (cluster):
 
   > [!NOTE]
   > If you create Azure Key Vault during deployment, wait about 20 minutes for RBAC permissions to take effect.
-  > 
+  >
   > If you see a validation error, it’s a known issue. Permissions might still be propagating. Wait a bit, refresh your browser, and redeploy the cluster.
 
 ## Tasks after deploying disconnected operations
diff --git a/azure-local/manage/disconnected-operations-identity.md b/azure-local/manage/disconnected-operations-identity.md
@@ -348,8 +348,7 @@ $GroupEntry.CommitChanges()
 ```
 
 > [!NOTE]
-> If the GSMA account for your ADFS farm can't read user properties the sign-in fails. This occurs even if the username and password are correct on the ADFS sign-in page.
-
+> If the GSMA account for your ADFS farm can't read user properties, the sign in fails even if the credentials entered on the ADFS sign in page are correct.
 
 ::: moniker-end
 
diff --git a/azure-local/manage/disconnected-operations-network.md b/azure-local/manage/disconnected-operations-network.md
@@ -118,6 +118,7 @@ Add-DnsServerPrimaryZone -Name $ExternalFqdn -ReplicationScope Domain
 
 Add-DnsServerResourceRecordA -Name "*" -IPv4Address $IngressIpAddress -ZoneName $ExternalFqdn 
 ```
+
 #### Verify your DNS setup
 
 Here's an example:
diff --git a/azure-local/manage/disconnected-operations-on-demand-logs.md b/azure-local/manage/disconnected-operations-on-demand-logs.md
@@ -342,7 +342,7 @@ Trigger log collection for your disconnected environment with the `Invoke-Applia
       
     Mode                LastWriteTime         Length Name  
     ----                -------------         ------ ----  
-    d----               4/10/2025  3:05 PM           LO_06ec98de-c1c4-406f-a5a9-89f2b803c70f_IRVM01  
+    ----                4/10/2025  3:05 PM           LO_06ec98de-c1c4-406f-a5a9-89f2b803c70f_IRVM01  
     ```
 
 1. Send diagnostic data to Microsoft.
diff --git a/azure-local/manage/disconnected-operations-pki.md b/azure-local/manage/disconnected-operations-pki.md
@@ -39,7 +39,7 @@ Mandatory certificates are grouped by area with the appropriate subject alternat
   - Make sure your disconnected operations infrastructure can reach the CRL endpoint specified in the certificates' CRL distribution point (CDP) extension.
   - Don't use a public or external CA. Deployments fail if certificates come from a public CA, because internet connectivity is required to access the CRL and online certificate status protocol (OCSP) services for HTTPS.  
 
-### Ingress endpoints
+### Ingress endpoint certificate requirements
 
 This table lists the mandatory certificates required for disconnected operations on Azure Local.
 
@@ -51,7 +51,7 @@ This table lists the mandatory certificates required for disconnected operations
 | Azure Table storage | *.table.fqdn |
 | Azure Blob storage | *.blob.fqdn |
 | Azure Data Policy | data.policy.fqdn |
-| Arc configuration data plane <br/>Azure Arc-enabled Kubernetes | autonomous.dp.kubernetesconfiguration.fqdn |
+| Arc configuration data plane <br/br> Azure Arc-enabled Kubernetes | autonomous.dp.kubernetesconfiguration.fqdn |
 | Arc for Server Agent data service | agentserviceapi.fqdn |
 | Arc for server | his.fqdn |
 | Arc guest notification service | guestnotificationservice.fqdn |
@@ -66,7 +66,6 @@ This table lists the mandatory certificates required for disconnected operations
 | Public portal     | portal.fqdn <br></br> hosting.fqdn <br></br> portalcontroller.fqdn <br></br> catalogapi.fqdn |
 | Secure token service | login.fqdn |
 
-
 ### Management endpoints
 
 The management endpoint requires two certificates, and you must put them in the same folder, *ManagementEndpointCerts*. The certificates are:
@@ -204,7 +203,7 @@ $AzLCerts = @(
       $cert | Export-PfxCertificate -FilePath "$extCertFilePath\$filePrefix.pfx" -Password $certPassword -Force
       Write-Verbose "Certificate for $certSubject and private key exported to $extCertFilePath" -Verbose
   }
-  ``` 
+  ```
 
 - Copy the original certificates (24 .pfx files / *.pfx) obtained from your CA to the directory structure represented in IngressEndpointCerts.
 
@@ -287,7 +286,7 @@ _continue_ = "DNS=$subject"
 
 ```
 
-- Copy the management certificates (*.pfx) to the directory structure represented in ManagementEndpointCerts.
+Copy the management certificates (*.pfx) to the directory structure represented in ManagementEndpointCerts.
 
 ## Export Root CA certificate
 
@@ -303,8 +302,8 @@ For more information, see [Active Directory Certificate Services](/troubleshoot/
 
 To secure your identity integration, we recommend that you pass these two parameters:
 
-- LdapsCertChainInfo 
-- OidcCertChainInfo 
+- LdapsCertChainInfo
+- OidcCertChainInfo
 
 These checks confirm that the certificates and chain for these endpoints haven’t been changed or tampered with.
 
@@ -319,6 +318,39 @@ $ldapsCertChain = Get-CertChainInfo -endpoint 'https://dc01.azurestack.local'
 
 Here's an example of the output from Get-CertChainInfo
 
+```powershell
+# Returns: System.Security.Cryptography.X509Certificates.X509Certificate2[]
+>> Get-CertChainInfo
+>>
+Thumbprint                                Subject
+----------                                -------
+TESTING580E20618EA15357FC1028622518DDC4D  CN=www.website.com, O=Contoso Corporation, L=Redmond, S=WA, C=US
+TESTINGDAA2345B48E507320B695D386080E5B25  CN=www.website.com, O=Contoso Corporation, L=Redmond, S=WA, C=US
+TESTING9BFD666761B268073FE06D1CC8D4F82A4  CN=www.website.com, O=Contoso Corporation, L=Redmond, S=WA, C=US
+```
+
+## Related content
+
+- [Plan hardware for Azure local with disconnected operations](disconnected-operations-overview.md#preview-participation-criteria)
+- [Plan and understand identity](disconnected-operations-identity.md)
+- [Plan and understand networking](disconnected-operations-network.md)
+- [Set up disconnected operations](disconnected-operations-set-up.md)
+
+::: moniker-end
+
+::: moniker range="<=azloc-2505"
+
+This feature is available only in Azure Local 2506
+
+::: moniker-end
+
+```powershell
+$oidcCertChain = Get-CertChainInfo -endpoint 'https://adfs.azurestack.local'
+$ldapsCertChain = Get-CertChainInfo -endpoint 'https://dc01.azurestack.local'
+```
+
+Here's an example of the output from Get-CertChainInfo
+
 ```powershell
 # Returns: System.Security.Cryptography.X509Certificates.X509Certificate2[]
 >> Get-CertChainInfo
diff --git a/azure-local/manage/disconnected-operations-policy.md b/azure-local/manage/disconnected-operations-policy.md
@@ -71,7 +71,7 @@ You can use Azure Policy to enforce tags on various resources. In this example,
     :::image type="content" source="media/disconnected-operations/azure-policy/tag-name.png" alt-text="Screenshot of the parameters page to set a tag name." lightbox="media/disconnected-operations/azure-policy/tag-name.png":::
 
     After the policy is created, you can't create resource groups without the required tag.
-    
+
     :::image type="content" source="media/disconnected-operations/azure-policy/created-tag.png" alt-text="Screenshot of the tag created and required for resource groups." lightbox="media/disconnected-operations/azure-policy/created-tag.png":::
 
 ## Supported built-in policies
diff --git a/azure-local/manage/disconnected-operations-security.md b/azure-local/manage/disconnected-operations-security.md
@@ -100,7 +100,7 @@ To back up Host Guardian Service certificates from your cluster, run these comma
     ```powershell
     Export-ApplianceHGSCertificates -Path D:\AzureLocal\HGSBackup    
     ```
-    
+
 ## Configure syslog forwarding
 
 You can use the syslog protocol for Azure Local with disconnected operations VM appliance to forward security events to a customer-managed security information and event management (SIEM) system.
