From 26eb2f8e8b5109cc655037c84833eba9372bb4c2 Mon Sep 17 00:00:00 2001
From: Daniel Wang <danielwang@microsoft.com>
Date: Thu, 30 Apr 2026 18:11:07 -0700
Subject: [PATCH 1/2] add SiteScopedCertificatesEnabled to create/update webapp

---
 .../azure/cli/command_modules/appservice/_params.py    |  8 ++++++++
 .../azure/cli/command_modules/appservice/custom.py     | 10 +++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/azure-cli/azure/cli/command_modules/appservice/_params.py b/src/azure-cli/azure/cli/command_modules/appservice/_params.py
index 45351d7a2d4..2aeedff9c7a 100644
--- a/src/azure-cli/azure/cli/command_modules/appservice/_params.py
+++ b/src/azure-cli/azure/cli/command_modules/appservice/_params.py
@@ -339,6 +339,10 @@ def load_arguments(self, _):
         c.argument('end_to_end_encryption_enabled', options_list=['--end-to-end-encryption-enabled', '-e'],
                    help='Enable or disable end-to-end encryption between the Front End and the Workers.',
                    arg_type=get_three_state_flag(return_label=True))
+        c.argument('site_scoped_certificates_enabled',
+                   options_list=['--site-scoped-certificates-enabled'],
+                   help='True if site scoped certificates are enabled; otherwise, false.',
+                   arg_type=get_three_state_flag(return_label=True))
         c.argument('min_tls_version',
                    help="The minimum version of TLS required for SSL requests, e.g., '1.0', '1.1', '1.2'")
         c.argument('min_tls_cipher_suite', options_list=['--min-tls-cipher-suite'],
@@ -471,6 +475,10 @@ def load_arguments(self, _):
         c.argument('platform_release_channel', options_list=['--platform-release-channel'],
                    help='Set the platform release channel for the web app. Possible values: Latest, Standard, Extended.',
                    arg_type=get_enum_type(PLATFORM_RELEASE_CHANNEL_TYPES))
+        c.argument('site_scoped_certificates_enabled',
+                   options_list=['--site-scoped-certificates-enabled'],
+                   help='True if site scoped certificates are enabled; otherwise, false.',
+                   arg_type=get_three_state_flag(return_label=True))
 
     with self.argument_context('webapp browse') as c:
         c.argument('logs', options_list=['--logs', '-l'], action='store_true',
diff --git a/src/azure-cli/azure/cli/command_modules/appservice/custom.py b/src/azure-cli/azure/cli/command_modules/appservice/custom.py
index 99d473c4b7d..35267e26092 100644
--- a/src/azure-cli/azure/cli/command_modules/appservice/custom.py
+++ b/src/azure-cli/azure/cli/command_modules/appservice/custom.py
@@ -130,7 +130,7 @@ def create_webapp(cmd, resource_group_name, name, plan, runtime=None, startup_fi
                   role='Contributor', scope=None, vnet=None, subnet=None, https_only=False,
                   public_network_access=None, acr_use_identity=False, acr_identity=None, basic_auth="",
                   auto_generated_domain_name_label_scope=None, end_to_end_encryption_enabled=None,
-                  min_tls_version=None, min_tls_cipher_suite=None):
+                  min_tls_version=None, min_tls_cipher_suite=None, site_scoped_certificates_enabled=None):
     from azure.mgmt.web.models import Site, OutboundVnetRouting
     from azure.core.exceptions import ResourceNotFoundError as _ResourceNotFoundError
     SiteConfig, SkuDescription, NameValuePair = cmd.get_models(
@@ -260,7 +260,8 @@ def create_webapp(cmd, resource_group_name, name, plan, runtime=None, startup_fi
                       https_only=https_only, virtual_network_subnet_id=subnet_resource_id,
                       public_network_access=public_network_access, outbound_vnet_routing=outbound_vnet_routing,
                       auto_generated_domain_name_label_scope=auto_generated_domain_name_label_scope,
-                      end_to_end_encryption_enabled=end_to_end_encryption_enabled)
+                      end_to_end_encryption_enabled=end_to_end_encryption_enabled,
+                      site_scoped_certificates_enabled=site_scoped_certificates_enabled)
     if runtime:
         runtime = _StackRuntimeHelper.remove_delimiters(runtime)
 
@@ -2234,7 +2235,7 @@ def set_webapp(cmd, resource_group_name, name, slot=None, skip_dns_registration=
 
 def update_webapp(cmd, instance, client_affinity_enabled=None, https_only=None, minimum_elastic_instance_count=None,
                   prewarmed_instance_count=None, end_to_end_encryption_enabled=None,
-                  platform_release_channel=None):
+                  platform_release_channel=None, site_scoped_certificates_enabled=None):
     if 'function' in instance.kind:
         raise ValidationError("please use 'az functionapp update' to update this function app")
     if minimum_elastic_instance_count or prewarmed_instance_count:
@@ -2261,6 +2262,9 @@ def update_webapp(cmd, instance, client_affinity_enabled=None, https_only=None,
     if end_to_end_encryption_enabled is not None:
         instance.end_to_end_encryption_enabled = end_to_end_encryption_enabled == 'true'
 
+    if site_scoped_certificates_enabled is not None:
+        instance.site_scoped_certificates_enabled = site_scoped_certificates_enabled == 'true'
+
     if minimum_elastic_instance_count is not None:
         from azure.mgmt.web.models import SiteConfig
         # Need to create a new SiteConfig object to ensure that the new property is included in request body

From fff2b3ad091cd9e5f5b1b7361da964eca8d75d83 Mon Sep 17 00:00:00 2001
From: Daniel Wang <danielwang@microsoft.com>
Date: Thu, 30 Apr 2026 18:25:15 -0700
Subject: [PATCH 2/2] refine help text

---
 src/azure-cli/azure/cli/command_modules/appservice/_params.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/azure-cli/azure/cli/command_modules/appservice/_params.py b/src/azure-cli/azure/cli/command_modules/appservice/_params.py
index 2aeedff9c7a..63fa56dab06 100644
--- a/src/azure-cli/azure/cli/command_modules/appservice/_params.py
+++ b/src/azure-cli/azure/cli/command_modules/appservice/_params.py
@@ -341,7 +341,7 @@ def load_arguments(self, _):
                    arg_type=get_three_state_flag(return_label=True))
         c.argument('site_scoped_certificates_enabled',
                    options_list=['--site-scoped-certificates-enabled'],
-                   help='True if site scoped certificates are enabled; otherwise, false.',
+                   help='Enable or disable site-scoped certificates.',
                    arg_type=get_three_state_flag(return_label=True))
         c.argument('min_tls_version',
                    help="The minimum version of TLS required for SSL requests, e.g., '1.0', '1.1', '1.2'")
@@ -477,7 +477,7 @@ def load_arguments(self, _):
                    arg_type=get_enum_type(PLATFORM_RELEASE_CHANNEL_TYPES))
         c.argument('site_scoped_certificates_enabled',
                    options_list=['--site-scoped-certificates-enabled'],
-                   help='True if site scoped certificates are enabled; otherwise, false.',
+                   help='Enable or disable site-scoped certificates.',
                    arg_type=get_three_state_flag(return_label=True))
 
     with self.argument_context('webapp browse') as c: