dotnet · maddymontaquila · Jul 3, 2025 · Jul 4, 2025 · Jul 4, 2025 · Jul 8, 2025
diff --git a/docs/app-host/configuration.md b/docs/app-host/configuration.md
@@ -55,6 +55,7 @@ For more information, see [.NET Aspire and launch profiles](../fundamentals/laun
 |--|--|--|
 | `ASPIRE_ALLOW_UNSECURED_TRANSPORT` | `false` | Allows communication with the app host without https. `ASPNETCORE_URLS` (dashboard address) and `ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL` (app host resource service address) must be secured with HTTPS unless true. |
 | `ASPIRE_CONTAINER_RUNTIME` | `docker` | Allows the user of alternative container runtimes for resources backed by containers. Possible values are `docker` (default) or `podman`. See [Setup and tooling overview for more details](../fundamentals/setup-tooling.md).  |
+| `ASPIRE_VERSION_CHECK_DISABLED` | `false` | When set to `true`, .NET Aspire doesn't check for newer versions on startup. |
 
 ## Resource service
 

diff --git a/docs/compatibility/9.4/azure-bicep-parameters-deprecated.md b/docs/compatibility/9.4/azure-bicep-parameters-deprecated.md
@@ -0,0 +1,116 @@
+---
+title: "Breaking change - Deprecating various known parameters in AzureBicepResource"
+description: "Learn about the breaking change in Aspire where known parameter injection in AzureBicepResource has been deprecated."
+ms.date: 7/4/2025
+ai-usage: ai-assisted
+ms.custom: https://github.com/dotnet/docs-aspire/issues/3675
+---
+
+# Deprecating various known parameters in AzureBicepResource
+
+Known parameter injection in `AzureBicepResource` has been deprecated. The parameters `AzureBicepResource.KnownParameters.KeyVaultName`, `AzureBicepResource.KnownParameters.LogAnalyticsWorkspaceId`, `containerAppEnvironmentId`, and `containerAppEnvironmentName` are now marked as `[Obsolete]` and ignored during infrastructure generation. Developers must explicitly model these resources or use new helper APIs to ensure proper configuration.
+
+## Version introduced
+
+This change applies to Aspire starting from version 7.4.2025.
+
+## Previous behavior
+
+Previously, Aspire automatically injected the following known parameters into Bicep templates at build time without requiring explicit assignment:
+
+| Bicep parameter name | Known parameter constant | Typical use |
+|--|--|--|
+| `keyVaultName` | `KeyVaultName` | Reference a Key Vault for secrets mapped to `AzureBicepResource.GetSecretOutput`. |
+| `logAnalyticsWorkspaceId` | `LogAnalyticsWorkspaceId` | Reference the Log Analytics Workspace ID associated with the environment. |
+| `containerAppEnvironmentId` | N/A | Reference the container app environment ID. |
+| `containerAppEnvironmentName` | N/A | Reference the container app environment name. |
+
+For example:
+
+```bicep
+// keyvault.bicep
+param keyVaultName string
+resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
+  name: keyVaultName
+  ...
+}
+```
+
+```csharp
+builder.AddBicepTemplateFile("kv", "keyvault.bicep"); // No parameter assignment needed
+builder.AddContainer("api", "image");
+```
+
+.NET Aspire resolved these parameters automatically, allowing templates to deploy without explicit wiring.
+
+## New behavior
+
+.NET Aspire no longer pre-populates the deprecated parameters. If a Bicep template declares any of these parameters without explicit assignment, deployment fails with an "undefined parameter" error. Developers must now explicitly model resources and pass their values to templates.
+
+For example:
+
+```csharp
+var env = builder.AddAzureContainerAppEnvironment("env");
+var kv  = builder.AddAzureKeyVault("kv");
+var la  = builder.AddAzureLogAnalyticsWorkspace("la");
+
+builder.AddBicepTemplateFile("kvTemplate", "keyvault.bicep")
+       .WithParameter("keyVaultName", kv.NameOutputReference);
+
+builder.AddBicepTemplateFile("apiTemplate", "api.bicep")
+       .WithParameter("containerAppEnvironmentName", env.NameOutputReference);
+```
+
+Inside the Bicep template:
+
+```bicep
+param containerAppEnvironmentName string
+
+resource env 'Microsoft.App/managedEnvironments@2024-03-01' existing = {
+  name: containerAppEnvironmentName
+}
+
+var environmentId = env.id
+```
+
+## Type of breaking change
+
+This is both a [source incompatible](../categories.md#source-compatibility) and [behavioral](../categories.md#behavioral-change) change.
+
+## Reason for change
+
+.NET Aspire now supports modeling multiple compute environments in a single application graph. Automatically injecting global parameters created ambiguity, hid dependencies, and complicated debugging. This change enforces explicit wiring, ensuring predictable behavior and enabling future scenarios where resources target specific environments.
+
+## Recommended action
+
+1. **Stop using obsolete constants**
+
+   Remove any code that relies on `AzureBicepResource.KnownParameters.KeyVaultName`, `AzureBicepResource.KnownParameters.LogAnalyticsWorkspaceId`, `containerAppEnvironmentId`, or `containerAppEnvironmentName`.
+
+1. **Model resources explicitly**
+
+   Define resources like Key Vaults, Log Analytics Workspaces, and Container App Environments explicitly in your code.
+
+   ```csharp
+   var env = builder.AddAzureContainerAppEnvironment("env");
+   var kv = builder.AddAzureKeyVault("kv");
+   var la = builder.AddAzureLogAnalyticsWorkspace("la");
+   ```
+
+1. **Pass parameters explicitly**
+
+   Use strongly-typed properties like `NameOutputReference` to pass resource values to templates.
+
+   ```csharp
+   builder.AddBicepTemplateFile("template", "file.bicep")
+          .WithParameter("keyVaultName", kv.NameOutputReference);
+   ```
+
+1. **Address warnings**
+
+   Update code to resolve `[Obsolete]` warnings by replacing deprecated constants with explicit resource definitions.
+
+## Affected APIs
+
+- `AzureBicepResource.KnownParameters.KeyVaultName`: Obsolete.
+- `AzureBicepResource.KnownParameters.LogAnalyticsWorkspaceId`: Obsolete.
diff --git a/docs/compatibility/9.4/azure-storage-apis-renamed.md b/docs/compatibility/9.4/azure-storage-apis-renamed.md
@@ -0,0 +1,123 @@
+---
+title: "Breaking change - Azure Storage APIs renamed and refactored"
+description: "Learn about the breaking changes in .NET Aspire 9.4 where Azure Storage APIs were renamed and refactored for clarity and consistency."
+ms.date: 07/08/2025
+ai-usage: ai-assisted
+ms.custom: https://github.com/dotnet/docs-aspire/issues/3930
+---
+
+# Azure Storage APIs renamed and refactored
+
+In .NET Aspire 9.4, several Azure Storage APIs were renamed and refactored for clarity and consistency. These changes affect how you add and configure Azure Blob, Queue, and Table storage resources and clients in your Aspire applications. The new API names better align with Azure resource naming and reduce confusion.
+
+## Version introduced
+
+.NET Aspire 9.4
+
+## Previous behavior
+
+Previously, you used methods like `AddBlobs`, `AddBlobContainer`, `AddQueues`, and `AddTables` to add Azure Storage resources.
+
+**Hosting integration example:**
+
+```csharp
+var builder = DistributedApplication.CreateBuilder(args);
+
+var storage = builder.AddAzureStorage("storage");
+
+var blobs = storage.AddBlobs("blobs");
+var blobContainer = blobs.AddBlobContainer("container");
+
+var queues = storage.AddQueues("queues");
+var tables = storage.AddTables("tables");
+```
+
+Client registration methods also used names like `AddAzureBlobClient`, `AddAzureQueueClient`, and `AddAzureTableClient`.
+
+**Client integration example:**
+
+```csharp
+var builder = WebApplication.CreateBuilder(args);
+
+builder.AddAzureBlobClient("storage");
+builder.AddAzureQueueClient("storage");
+builder.AddAzureTableClient("storage");
+```
+
+## New behavior
+
+Now, the API uses more explicit names that match Azure resource types. For example, use `AddBlobService`, `AddBlobContainer`, `AddQueueService`, `AddQueue`, `AddTableService`, and `AddTable`.
+
+**Hosting integration example:**
+
+```csharp
+var builder = DistributedApplication.CreateBuilder(args);
+
+var storage = builder.AddAzureStorage("storage");
+
+var blobs = storage.AddBlobService("blobService");
+blobs.AddBlobContainer("container");
+
+var queues = storage.AddQueueService("queueService");
+queues.AddQueue("queue");
+
+var tables = storage.AddTableService("tableService");
+```
+
+Client registration methods now use names like `AddAzureBlobServiceClient`, `AddAzureQueueServiceClient`, and `AddAzureTableServiceClient`.
+
+**Client integration example:**
+
+```csharp
+var builder = WebApplication.CreateBuilder(args);
+
+builder.AddAzureBlobServiceClient("storage");
+builder.AddAzureQueueServiceClient("storage");
+builder.AddAzureTableServiceClient("storage");
+```
+
+### API changes summary
+
+The following table summarizes the key hosting integration API changes:
+
+| Obsolete API | New API | Notes |
+|--|--|--|
+| `AddBlobs` | `AddBlobService` | — |
+| `AddBlobContainer` | `AddBlobContainer` | New API uses `IResourceBuilder<AzureStorageResource>` overload. |
+| `AddTables` | `AddTableService` | — |
+| `AddQueues` | `AddQueueService` | — |
+| N/A | `AddQueue` | — |
+
+The following table summarizes the key client registration API changes:
+
+| Obsolete API | New API |
+|--|--|
+| `AddAzureBlobClient` | `AddAzureBlobServiceClient` |
+| `AddAzureQueueClient` | `AddAzureQueueServiceClient` |
+| `AddAzureTableClient` | `AddAzureTableServiceClient` |
+
+## Type of breaking change
+
+This change is a [binary incompatible](../categories.md#binary-compatibility) and [source incompatible](../categories.md#source-compatibility) change.
+
+## Reason for change
+
+The new API names provide consistency with Azure client libraries and resource granularity. This reduces confusion and makes it easier to understand and maintain Aspire applications that use Azure Storage resources. For more information, see the [GitHub issue](https://github.com/dotnet/docs-aspire/issues/3930).
+
+## Recommended action
+
+1. Update your code to use the new method names for adding and configuring Azure Storage resources and clients.
+1. Replace any obsolete method calls with their new equivalents as shown in the examples above.
+1. Recompile your application to ensure compatibility with .NET Aspire 9.4.
+
+## Affected APIs
+
+- `AddBlobs`
+- `AddBlobContainer`
+- `AddTables`
+- `AddQueues`
+- `AddAzureBlobClient`
+- `AddAzureQueueClient`
+- `AddAzureTableClient`
+
+For a complete list of changes, see the [pull request](https://github.com/dotnet/aspire/pull/10241).
diff --git a/docs/compatibility/9.4/getsecretoutput-deprecated.md b/docs/compatibility/9.4/getsecretoutput-deprecated.md
@@ -0,0 +1,76 @@
+---
+title: "Breaking change - BicepSecretOutputReference and GetSecretOutput are now obsolete"
+description: "Learn about the breaking change in .NET Aspire 9.4 where BicepSecretOutputReference, GetSecretOutput, and related automatic Key Vault logic are deprecated."
+ms.date: 07/08/2025
+ai-usage: ai-assisted
+ms.custom: https://github.com/dotnet/docs-aspire/issues/3670
+---
+
+# BicepSecretOutputReference and GetSecretOutput are now obsolete
+
+In .NET Aspire 9.4, the `BicepSecretOutputReference` type, the `GetSecretOutput(...)` helper method, and the overload of `WithEnvironment` that accepted a `BicepSecretOutputReference` are now obsolete. Automatic Key Vault generation and secret wiring logic were removed. Projects that relied on these APIs for automatic secret management must migrate to explicit Key Vault resource modeling and secret references.
+
+## Version introduced
+
+.NET Aspire 9.4
+
+## Previous behavior
+
+Previously, you could use `GetSecretOutput(...)` to obtain a `BicepSecretOutputReference` from a resource, and pass it to `WithEnvironment`. Aspire would automatically generate a Key Vault and wire up the secret URI for you.
+
+Example:
+
+```csharp
+var db = builder.AddAzureCosmosDB("mydb").WithAccessKeyAuthentication();
+
+builder.AddContainer("api", "image")
+       .WithEnvironment("ConnStr", db.GetSecretOutput("connectionString"));
+```
+
+## New behavior
+
+Now, Aspire no longer creates Key Vaults or secrets automatically. You must explicitly create or reference a Key Vault and use an explicit secret reference.
+
+Example:
+
+```csharp
+var kv = builder.AddAzureKeyVault("kv");
+builder.AddContainer("api", "image")
+       .WithEnvironment("ConnStr", kv.GetSecret("connectionString"));
+```
+
+`GetSecretOutput(...)` is now obsolete and will be removed in a future release. The overload of `WithEnvironment` that accepted a `BicepSecretOutputReference` is also obsolete.
+
+## Type of breaking change
+
+This change is a [binary incompatible](../categories.md#binary-compatibility) and [source incompatible](../categories.md#source-compatibility) change.
+
+## Reason for change
+
+Implicit Key Vault creation made deployments opaque and fragile. Removing the secret-output shortcut aligns Aspire with its explicit-resource philosophy, giving you full control over secret management and simplifying infrastructure generation. For more information, see the [GitHub issue](https://github.com/dotnet/docs-aspire/issues/3670).
+
+## Recommended action
+
+1. Create or reference a Key Vault in your Aspire graph:
+
+   ```csharp
+   var kv = builder.AddAzureKeyVault("kv");
+   ```
+
+1. Replace `GetSecretOutput` usage with an explicit secret reference:
+
+   ```csharp
+   builder.AddContainer("api", "image")
+          .WithEnvironment("ConnStr", kv.GetSecret("connectionString"));
+   ```
+
+1. Remove obsolete `WithEnvironment(string, BicepSecretOutputReference)` overloads and switch to `WithEnvironment(string, IAzureKeyVaultSecretReference)` (or another appropriate overload).
+
+Aspire's resources with support for keys were updated to handle this new change.
+
+## Affected APIs
+
+- <xref:Aspire.Hosting.Azure.BicepSecretOutputReference?displayProperty=fullName>
+- <xref:Aspire.Hosting.AzureBicepResourceExtensions.GetSecretOutput(Aspire.Hosting.ApplicationModel.IResourceBuilder{Aspire.Hosting.Azure.AzureBicepResource},System.String)?displayProperty=fullName>
+- <xref:Aspire.Hosting.AzureBicepResourceExtensions.WithEnvironment``1(Aspire.Hosting.ApplicationModel.IResourceBuilder{``0},System.String,Aspire.Hosting.Azure.BicepSecretOutputReference)?displayProperty=fullName>
+- Automatic Key Vault generation and secret wiring logic (removed)
diff --git a/docs/compatibility/9.4/index.md b/docs/compatibility/9.4/index.md
@@ -0,0 +1,24 @@
+---
+title: Breaking changes in .NET Aspire 9.4
+titleSuffix: ""
+description: Navigate to the breaking changes in .NET Aspire 9.4.
+ms.date: 07/08/2025
+---
+
+# Breaking changes in .NET Aspire 9.4
+
+If you're migrating an app to .NET Aspire 9.4, the breaking changes listed here might affect you.
+
+[!INCLUDE [binary-source-behavioral](../includes/binary-source-behavioral.md)]
+
+> [!NOTE]
+> This article is a work in progress. It's not a complete list of breaking changes in .NET Aspire 9.4.
+
+## Breaking changes
+
+| Title | Type of change | Introduced version |
+|--|--|--|
+| [Azure Storage APIs renamed and refactored](azure-storage-apis-renamed.md) | Binary incompatible, source incompatible | 9.4 |
+| [BicepSecretOutputReference and GetSecretOutput are now obsolete](getsecretoutput-deprecated.md) | Binary incompatible, source incompatible | 9.4 |
+| [Deprecating various known parameters in AzureBicepResource](azure-bicep-parameters-deprecated.md) | Source incompatible, behavioral change | 9.4 |
+| [Local auth is disabled by default on Azure resources](local-auth-disabled-for-azure-resources.md) | Behavioral change | 9.4 |