From 57088dc10436cf1ad11cdc45e03d8b3b325ccf2c Mon Sep 17 00:00:00 2001
From: Heath Stewart <heaths@microsoft.com>
Date: Mon, 19 Sep 2022 14:11:29 -0700
Subject: [PATCH] Link to blog for DisableChallengeResourceVerification

---
 .../Azure.Security.KeyVault.Administration/CHANGELOG.md         | 1 +
 .../tests/ChallengeBasedAuthenticationPolicyTests.cs            | 2 +-
 sdk/keyvault/Azure.Security.KeyVault.Certificates/CHANGELOG.md  | 1 +
 sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md          | 1 +
 sdk/keyvault/Azure.Security.KeyVault.Secrets/CHANGELOG.md       | 1 +
 .../src/ChallengeBasedAuthenticationPolicy.cs                   | 2 +-
 6 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
index 896534a76236..dbf9af787df3 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/CHANGELOG.md
@@ -6,6 +6,7 @@
 
 - Verify the challenge resource matches the vault domain.
   This should affect few customers who can set `KeyVaultAdministrationClientOptions.DisableChallengeResourceVerification` to `true` to disable.
+  See https://aka.ms/azsdk/blog/vault-uri for more information.
 
 ## 4.1.0 (2022-03-24)
 
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/ChallengeBasedAuthenticationPolicyTests.cs b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/ChallengeBasedAuthenticationPolicyTests.cs
index d68b70813db2..30f406117ac9 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/ChallengeBasedAuthenticationPolicyTests.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Administration/tests/ChallengeBasedAuthenticationPolicyTests.cs
@@ -61,7 +61,7 @@ public async Task VerifyChallengeResource(Uri uri, bool disableVerification)
             if (!disableVerification)
             {
                 InvalidOperationException ex = Assert.ThrowsAsync<InvalidOperationException>(async () => await SendGetRequest(transport, policy, uri: uri));
-                Assert.That(ex.Message, Is.EqualTo("The challenge resource 'vault.azure.net' does not match the requested domain."));
+                Assert.That(ex.Message, Is.EqualTo("The challenge resource 'vault.azure.net' does not match the requested domain. Set DisableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information."));
             }
             else
             {
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Certificates/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Certificates/CHANGELOG.md
index 6c804382bdd8..552d808f99cc 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Certificates/CHANGELOG.md
+++ b/sdk/keyvault/Azure.Security.KeyVault.Certificates/CHANGELOG.md
@@ -6,6 +6,7 @@
 
 - Verify the challenge resource matches the vault domain.
   This should affect few customers who can set `CertificateClientOptions.DisableChallengeResourceVerification` to `true` to disable.
+  See https://aka.ms/azsdk/blog/vault-uri for more information.
 
 ## 4.3.0 (2022-03-24)
 
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md
index 51ae791a28ed..1dd326f0d633 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md
+++ b/sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md
@@ -6,6 +6,7 @@
 
 - Verify the challenge resource matches the vault domain.
   This should affect few customers who can set `KeyClientOptions.DisableChallengeResourceVerification` or `CryptographyClientOptions.DisableChallengeResourceVerification` to `true` to disable.
+  See https://aka.ms/azsdk/blog/vault-uri for more information.
 
 ## 4.3.0 (2022-03-24)
 
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Secrets/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Secrets/CHANGELOG.md
index 5bdd2d0c01ba..e15ba5d39cb8 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Secrets/CHANGELOG.md
+++ b/sdk/keyvault/Azure.Security.KeyVault.Secrets/CHANGELOG.md
@@ -6,6 +6,7 @@
 
 - Verify the challenge resource matches the vault domain.
   This should affect few customers who can set `SecretClientOptions.DisableChallengeResourceVerification` to `true` to disable.
+  See https://aka.ms/azsdk/blog/vault-uri for more information.
 
 ## 4.3.0 (2022-03-24)
 
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Shared/src/ChallengeBasedAuthenticationPolicy.cs b/sdk/keyvault/Azure.Security.KeyVault.Shared/src/ChallengeBasedAuthenticationPolicy.cs
index 2c1a5a371a54..ec82ee2c1d63 100644
--- a/sdk/keyvault/Azure.Security.KeyVault.Shared/src/ChallengeBasedAuthenticationPolicy.cs
+++ b/sdk/keyvault/Azure.Security.KeyVault.Shared/src/ChallengeBasedAuthenticationPolicy.cs
@@ -121,7 +121,7 @@ private async ValueTask<bool> AuthorizeRequestOnChallengeAsyncInternal(HttpMessa
 
                     if (!message.Request.Uri.Host.EndsWith($".{scopeUri.Host}", StringComparison.OrdinalIgnoreCase))
                     {
-                        throw new InvalidOperationException($"The challenge resource '{scopeUri.Host}' does not match the requested domain.");
+                        throw new InvalidOperationException($"The challenge resource '{scopeUri.Host}' does not match the requested domain. Set DisableChallengeResourceVerification to true in your client options to disable. See https://aka.ms/azsdk/blog/vault-uri for more information.");
                     }
                 }