Document AZURE_TOKEN_CREDENTIALS breaking change in Aspire 13.0

src/frontend/src/content/docs/integrations/cloud/azure/azure-app-service.mdx

@@ -102,6 +102,19 @@ The preceding code:
 
 During local development (when running with <Kbd windows='F5' mac='F5' />), the project runs locally. When you publish your app, the project is deployed as an Azure App Service website within the provisioned environment.
 
+<Aside type="note">
+  When you publish resources to Azure App Service using the
+  `PublishAsAzureAppServiceWebsite` method, Aspire automatically sets the
+  `AZURE_TOKEN_CREDENTIALS` environment variable to `managedidentity`. This
+  ensures that `DefaultAzureCredential` uses only `ManagedIdentityCredential`
+  for authentication, following [Azure SDK best
+  practices](https://learn.microsoft.com/dotnet/azure/sdk/authentication/best-practices?tabs=aspdotnet#use-deterministic-credentials-in-production-environments).
+  If you need to use a different credential type, you can remove this
+  environment variable in the `PublishAsAzureAppServiceWebsite` callback. For
+  more information, see [DefaultAzureCredential behavior in Azure
+  deployments](/whats-new/aspire-13/#defaultazurecredential-behavior-in-azure-deployments).
+</Aside>
+
 ## Customize the App Service website
 
 The `PublishAsAzureAppServiceWebsite` method accepts a callback that allows you to customize the Azure App Service website configuration using the [Azure.Provisioning](https://learn.microsoft.com/dotnet/api/azure.provisioning) APIs:

src/frontend/src/content/docs/integrations/cloud/azure/configure-container-apps.mdx

@@ -30,6 +30,19 @@ By using the `Azure.Provisioning` APIs (explained in [Customize Azure resources]
 
 This article guides you through the process of tailoring ACA environments for your solutions.
 
+<Aside type="note">
+  When you publish resources to Azure Container Apps using the
+  `PublishAsAzureContainerApp` APIs, Aspire automatically sets the
+  `AZURE_TOKEN_CREDENTIALS` environment variable to `managedidentity`. This
+  ensures that `DefaultAzureCredential` uses only `ManagedIdentityCredential`
+  for authentication, following [Azure SDK best
+  practices](https://learn.microsoft.com/dotnet/azure/sdk/authentication/best-practices?tabs=aspdotnet#use-deterministic-credentials-in-production-environments).
+  If you need to use a different credential type, you can remove this
+  environment variable in the `PublishAsAzureContainerApp` callback. For more
+  information, see [DefaultAzureCredential behavior in Azure
+  deployments](/whats-new/aspire-13/#defaultazurecredential-behavior-in-azure-deployments).
+</Aside>
+
 ## Add an ACA environment
 
 The `AzureContainerAppEnvironmentResource` type models an ACA environment resource. When you call the `AddAzureContainerAppEnvironment` method, it creates an instance of this type (wrapped in the `IResourceBuilder<AzureContainerAppEnvironmentResource>`).