Merge pull request #286580 from dlepow/ropc2

AnnaMHuff · web-flow · commit 0e58c96a1607 · 2024-09-16T16:42:00.000-06:00
[APIM] Credential guidance in policies
diff --git a/articles/api-management/authentication-basic-policy.md b/articles/api-management/authentication-basic-policy.md
@@ -16,6 +16,8 @@ ms.author: danlep
 
 Use the `authentication-basic` policy to authenticate with a backend service using Basic authentication. This policy effectively sets the HTTP Authorization header to the value corresponding to the credentials provided in the policy.
 
+[!INCLUDE [api-management-credentials-caution](../../includes/api-management-credentials-caution.md)]
+
 [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
 
 
diff --git a/articles/api-management/authentication-certificate-policy.md b/articles/api-management/authentication-certificate-policy.md
@@ -14,7 +14,9 @@ ms.author: danlep
 
 [!INCLUDE [api-management-availability-all-tiers](../../includes/api-management-availability-all-tiers.md)]
 
- Use the `authentication-certificate` policy to authenticate with a backend service using a client certificate. When the certificate is [installed into API Management](./api-management-howto-mutual-certificates.md) first, identify it first by its thumbprint or certificate ID (resource name). 
+ Use the `authentication-certificate` policy to authenticate with a backend service using a client certificate. When the certificate is [installed into API Management](./api-management-howto-mutual-certificates.md) first, identify it first by its thumbprint or certificate ID (resourcename). 
+
+[!INCLUDE [api-management-credentials-caution](../../includes/api-management-credentials-caution.md)]
 
 > [!CAUTION]
 > If the certificate references a certificate stored in Azure Key Vault, identify it using the certificate ID. When a key vault certificate is rotated, its thumbprint in API Management will change, and the policy will not resolve the new certificate if it is identified by thumbprint.
@@ -43,6 +45,12 @@ ms.author: danlep
 - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation
 - [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted, workspace
 
+### Usage notes
+
+- We recommend configuring [key vault certificates](api-management-howto-mutual-certificates.md) to manage certificates used to secure access to backend services.
+- If you configure a certificate password in this policy, we recommend using a [named value](api-management-howto-properties.md).
+
+
 ## Examples
 
 ### Client certificate identified by the certificate ID
diff --git a/articles/api-management/proxy-policy.md b/articles/api-management/proxy-policy.md
@@ -16,6 +16,8 @@ ms.author: danlep
 
 The `proxy` policy allows you to route requests forwarded to backends via an HTTP proxy. Only HTTP (not HTTPS) is supported between the gateway and the proxy. Basic and NTLM authentication only. 
 
+[!INCLUDE [api-management-credentials-caution](../../includes/api-management-credentials-caution.md)]
+
 [!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
 
 
@@ -39,6 +41,11 @@ The `proxy` policy allows you to route requests forwarded to backends via an HTT
 - [**Policy scopes:**](./api-management-howto-policies.md#scopes) global, workspace, product, API, operation
 -  [**Gateways:**](api-management-gateways-overview.md) classic, v2, consumption, self-hosted, workspace
 
+### Usage notes
+
+- We recommend using [named values](api-management-howto-properties.md) to provide credentials, with secrets protected in a key vault.
+
+
 ## Example
 
 In this example, [named values](api-management-howto-properties.md) are used for the username and password to avoid storing sensitive information in the policy document.
diff --git a/includes/api-management-credentials-caution.md b/includes/api-management-credentials-caution.md
@@ -0,0 +1,9 @@
+---
+author: vladvino
+ms.service: azure-api-management
+ms.topic: include
+ms.date: 09/11/2024
+ms.author: danlep
+---
+> [!CAUTION]
+> Minimize risks of credential exposure when configuring this policy. Microsoft recommends that you use more secure authentication methods if supported by your backend, such as [managed identity authentication](../articles/api-management/authentication-managed-identity-policy.md) or [credential manager](../articles/api-management/credentials-overview.md). If you configure sensitive information in policy definitions, we recommend using [named values](../articles/api-management/api-management-howto-properties.md) and storing secrets in Azure Key Vault. 
