Commit 15d252f

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into files-dev-docs
2 parents 80dd218 + 5b2b691 commit 15d252f

File tree

555 files changed

+3517
-25109
lines changed

.github/policies/disallow-edits.yml

Lines changed: 12 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -153,18 +153,19 @@ configuration:
153153

154154
- description: Disallow sign-off for articles in the /articles/reliability folder.
155155
if:
156-
# If a 'sign-off' comment is added to a PR in the articles/reliability folder , and the PR author isn't Anastasia or John...
157-
- payloadType: Issue_Comment
158-
- filesMatchPattern:
159-
matchAny: true
160-
pattern: articles/reliability/*
156+
# If a 'sign-off' comment is added to a PR that's assigned to anaharris-ms, and the PR author isn't Anastasia or John...
161157
- or:
162-
- commentContains:
163-
pattern: ^(#sign-off)$
164-
isRegex: True
165-
- commentContains:
166-
pattern: ^(\#sign-off)$
167-
isRegex: True
158+
- payloadType: Issue_Comment
159+
- payloadType: Pull_Request_Review_Comment
160+
- isAction:
161+
action: Created
162+
- isActivitySender:
163+
issueAuthor: True
164+
- isAssignedToUser:
165+
user: anaharris-ms
166+
- commentContains:
167+
pattern: '#sign-off'
168+
isRegex: False
168169
- not:
169170
or:
170171
- isActivitySender:
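Review bot: the `description` on unchanged line 154 ("Disallow sign-off for articles in the /articles/reliability folder") is now stale, since the hunk drops `filesMatchPattern: articles/reliability/*` and keys the rule on `isAssignedToUser: anaharris-ms` instead; update the description to match the new comment on line 156. Because indentation is lost in this rendering, also confirm that only the two `payloadType` entries are children of the unchanged `- or:` (line 157) and that `isAction`, `isActivitySender`, `isAssignedToUser` and `commentContains` sit at the `if` level as AND conditions; if all six new items are under `or`, any single one (for example any newly created comment) would satisfy the rule. Note too that `pattern: '#sign-off'` with `isRegex: False` is a substring match, broader than the former anchored `^(#sign-off)$`; keep the anchored form if comments merely mentioning #sign-off should not trigger it.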

.openpublishing.redirection.json

Lines changed: 330 additions & 0 deletions
Large diffs are not rendered by default.

articles/active-directory-b2c/openid-connect-technical-profile.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -89,7 +89,7 @@ The technical profile also returns claims that aren't returned by the identity p
8989
| HttpBinding | No | The expected HTTP binding to the access token and claims token endpoints. Possible values: `GET` or `POST`. |
9090
| ValidTokenIssuerPrefixes | No | A key that can be used to sign in to each of the tenants when using a multi-tenant identity provider such as Microsoft Entra ID. |
9191
| UsePolicyInRedirectUri | No | Indicates whether to use a policy when constructing the redirect URI. When you configure your application in the identity provider, you need to specify the redirect URI. The redirect URI points to Azure AD B2C, `https://{your-tenant-name}.b2clogin.com/{your-tenant-name}.onmicrosoft.com/oauth2/authresp`. If you specify `true`, you need to add a redirect URI for each policy you use. For example: `https://{your-tenant-name}.b2clogin.com/{your-tenant-name}.onmicrosoft.com/{policy-name}/oauth2/authresp`. |
92-
| MarkAsFailureOnStatusCode5xx | No | Indicates whether a request to an external service should be marked as a failure if the Http status code is in the 5xx range. The default is `false`. |
92+
| MarkAsFailureOnStatusCode5xx | No | Indicates whether a request to an external service should be marked as a failure if the HTTP status code is in the 5xx range. The default is `false`. |
9393
| DiscoverMetadataByTokenIssuer | No | Indicates whether the OIDC metadata should be discovered by using the issuer in the JWT.If you need to build the metadata endpoint URL based on Issuer, set this to `true`.|
9494
| IncludeClaimResolvingInClaimsHandling  | No | For input and output claims, specifies whether [claims resolution](claim-resolver-overview.md) is included in the technical profile. Possible values: `true`, or `false` (default). If you want to use a claims resolver in the technical profile, set this to `true`. |
9595
|token_endpoint_auth_method| No | Specifies how Azure AD B2C sends the authentication header to the token endpoint. Possible values: `client_secret_post` (default), and `client_secret_basic`, `private_key_jwt`. For more information, see [OpenID Connect client authentication section](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication). |
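Review bot: the `Http` to `HTTP` fix is correct; while touching this table, the unchanged DiscoverMetadataByTokenIssuer row (line 93) has a missing space in `JWT.If` and a missing space before the closing `|`, which is worth fixing in the same change.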

articles/active-directory-b2c/user-profile-attributes.md

Lines changed: 1 addition & 1 deletion
@@ -85,7 +85,7 @@ Azure AD B2C directory user profile supports the [user resource type](/graph/api
8585
|usageLocation |String|Required for users that are assigned licenses due to legal requirement to check for availability of services in countries/regions. Not nullable. A two letter country/region code (ISO standard 3166). For examples, *US*, *JP*, and *GB*.|Yes|No|Persisted, Output|
8686
|userType |String|A string value that can be used to classify user types in your directory. Value must be Member. Read-only.|Read only|No|Persisted, Output|
8787
|userState (externalUserState)<sup>3</sup>|String|For Microsoft Entra B2B account only, and it indicates whether the invitation is PendingAcceptance or Accepted.|No|No|Persisted, Output|
88-
|userStateChangedOn (externalUserStateChangeDateTime)<sup>2</sup>|DateTime|Shows the timestamp for the latest change to the UserState property.|No|No|Persisted, Output|
88+
|userStateChangedOn (externalUserStateChangeDateTime)<sup>3</sup>|DateTime|Shows the timestamp for the latest change to the UserState property.|No|No|Persisted, Output|
8989

9090
<sup>1 </sup>Not supported by Microsoft Graph<br><sup>2 </sup>For more information, see [MFA phone number attribute](#mfa-phone-number-attribute)<br><sup>3 </sup>Shouldn't be used with Azure AD B2C
9191

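Review bot: moving `userStateChangedOn` from footnote 2 to footnote 3 is consistent with the `userState` row above it (both are B2B-only attributes, and footnote 3 on line 90 is the "Shouldn't be used with Azure AD B2C" note); footnote 2 is the MFA phone number note and did not apply here. A small grammar fix in the unchanged `usageLocation` row (line 85), "For examples" to "For example", could ride along.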
articles/api-management/api-management-howto-disaster-recovery-backup-restore.md

Lines changed: 1 addition & 1 deletion
@@ -22,7 +22,7 @@ To recover from availability problems that affect your API Management service, b
2222

2323
Backup and restore operations can also be used for replicating API Management service configuration between operational environments, for example, development and staging. Beware that runtime data such as users and subscriptions will be copied as well, which might not always be desirable.
2424

25-
This article shows how to automate backup and restore operations of your API Management instance using an external storage account. The steps shown here use either the [Backup-AzApiManagement](/powershell/module/az.apimanagement/backup-azapimanagement) and [Restore-AzApiManagement](/powershell/module/az.apimanagement/restore-azapimanagement) Azure PowerShell cmdlets, or the [Api Management Service - Backup](/rest/api/apimanagement/current-ga/api-management-service/backup) and [Api Management Service - Restore](/rest/api/apimanagement/current-ga/api-management-service/restore) REST APIs.
25+
This article shows how to automate backup and restore operations of your API Management instance using an external storage account. The steps shown here use either the [Backup-AzApiManagement](/powershell/module/az.apimanagement/backup-azapimanagement) and [Restore-AzApiManagement](/powershell/module/az.apimanagement/restore-azapimanagement) Azure PowerShell cmdlets, or the [API Management Service - Backup](/rest/api/apimanagement/current-ga/api-management-service/backup) and [API Management Service - Restore](/rest/api/apimanagement/current-ga/api-management-service/restore) REST APIs.
2626

2727

2828
> [!WARNING]

articles/api-management/retry-policy.md

Lines changed: 3 additions & 1 deletion
@@ -16,6 +16,8 @@ ms.author: danlep
1616

1717
The `retry` policy executes its child policies once and then retries their execution until the retry `condition` becomes `false` or retry `count` is exhausted.
1818

19+
The `retry` policy may contain any other policies as its child elements, except for `wait` policy.
20+
1921
[!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
2022

2123

@@ -55,7 +57,7 @@ The `retry` policy executes its child policies once and then retries their execu
5557

5658
## Elements
5759

58-
The `retry` policy may contain any other policies as its child elements.
60+
The `retry` policy may contain any other policies as its child elements, except for `wait` policy.
5961

6062
## Usage
6163

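Review bot: the sentence "The `retry` policy may contain any other policies as its child elements, except for `wait` policy." now appears twice, on new line 19 in the intro and again on new line 60 under "## Elements" (this hunk); consider keeping it only in the Elements section where child elements are documented, and in either place write "except for the `wait` policy".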
articles/api-management/set-edit-policies.md

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ author: dlepow
66

77
ms.service: azure-api-management
88
ms.topic: how-to
9-
ms.date: 10/18/2023
9+
ms.date: 03/06/2025
1010
ms.author: danlep
1111
---
1212

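Review bot: this file's only visible change is the `ms.date` bump from 10/18/2023 to 03/06/2025 with no accompanying content change in the hunk; if nothing else in the article was revised, confirm the bump is intentional, since it resets the freshness date readers rely on.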
articles/api-management/soft-delete.md

Lines changed: 1 addition & 1 deletion
@@ -32,7 +32,7 @@ Recovery and other operations on a soft-deleted instance are enabled through [RE
3232
| [Create or Update](/rest/api/apimanagement/current-ga/api-management-service/create-or-update) | Creates or updates an API Management service. | API Management Service | Any |
3333
| [Create or Update](/rest/api/apimanagement/current-ga/api-management-service/create-or-update) with `restore` property set to **true** | Recovers (undeletes) an API Management Service if it was previously soft-deleted. If `restore` is specified and set to `true` all other properties will be ignored. | API Management Service | 2020-06-01-preview |
3434
| [Delete](/rest/api/apimanagement/current-ga/api-management-service/delete) | Deletes an existing API Management service. | API Management Service | 2020-06-01-preview|
35-
| [Get By Name](/rest/api/apimanagement/current-ga/deleted-services/get-by-name) | Get soft-deleted Api Management Service by name. | Deleted Services | 2020-06-01-preview |
35+
| [Get By Name](/rest/api/apimanagement/current-ga/deleted-services/get-by-name) | Get soft-deleted API Management service by name. | Deleted Services | 2020-06-01-preview |
3636
| [List By Subscription](/rest/api/apimanagement/current-ga/deleted-services/list-by-subscription) | Lists all soft-deleted services available for undelete for the given subscription. | Deleted Services | 2020-06-01-preview
3737
| [Purge](/rest/api/apimanagement/current-ga/deleted-services/purge) | Purges API Management Service (permanently deletes it with no option to undelete). | Deleted Services | 2020-06-01-preview
3838

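Review bot: the new row uses "API Management service" (lowercase s), but the unchanged Purge row on line 37 still says "Purges API Management Service" and the Create or Update rows on lines 32 and 33 mix both forms; pick one casing for the table and apply it in the same change.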
articles/api-management/transform-api.md

Lines changed: 2 additions & 0 deletions
@@ -155,6 +155,8 @@ The rest of this section tests policy transformations that you set in this artic
155155

156156
1. Wait for 15 seconds or more and then select **Send** again. This time you should get a **200 OK** response.
157157

158+
[!INCLUDE [api-management-policies-azure-copilot](../../includes/api-management-policies-azure-copilot.md)]
159+
158160
## Summary
159161

160162
In this tutorial, you learned how to:

articles/app-service/configure-authentication-provider-aad.md

Lines changed: 47 additions & 6 deletions
@@ -41,7 +41,7 @@ Create a new app registration automatically, unless you need to create an app re
4141
The following situations are the most common cases to use an existing app registration:
4242

4343
- Your account doesn't have permissions to create app registrations in your Microsoft Entra tenant.
44-
- You want to use an app registration from a different Microsoft Entra tenant than the one your app is in.
44+
- You want to use an app registration from a different Microsoft Entra tenant than the one your app is in. This is always the case if you have chosen **External configuration** in the previous step.
4545
- The option to create a new registration isn't available for government clouds.
4646

4747
# [Workforce configuration](#tab/workforce-configuration)
@@ -68,7 +68,7 @@ Use this option unless you need to create an app registration separately. You ca
6868

6969
You can change the name of the registration or the supported account types later if you want.
7070

71-
A client secret is created as a slot-sticky [application setting] named `MICROSOFT_PROVIDER_AUTHENTICATION_SECRET`. If you want to manage the secret in Azure Key Vault, you can update that setting later to use [Key Vault references](./app-service-key-vault-references.md).
71+
A client secret is created as a slot-sticky [application setting] named `MICROSOFT_PROVIDER_AUTHENTICATION_SECRET`. If you want to manage the secret in Azure Key Vault, you can update that setting later to use [Key Vault references](./app-service-key-vault-references.md). Alternatively, you can change this to [use an identity instead of a client secret][fic-config]. Support for using identity is currently in preview.
7272

7373
### <a name="advanced"> </a>Option 2: Use an existing registration created separately
7474

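Review bot: the phrase "Support for using identity is currently in preview." on new line 71 reads awkwardly; "Support for using an identity" or "Support for this option is currently in preview" would be clearer. The same sentence is repeated verbatim in two later hunks of this file (new lines 83 and 110), so consider a single preview callout in the new section instead of three copies.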
@@ -79,6 +79,9 @@ Select either:
7979

8080
- **Application (client) ID**.
8181
- **Client secret (recommended)**. A secret value that the application uses to prove its identity when requesting a token. This value is saved in your app's configuration as a slot-sticky application setting named `MICROSOFT_PROVIDER_AUTHENTICATION_SECRET`. If the client secret isn't set, sign-in operations from the service use the OAuth 2.0 implicit grant flow, which *isn't* recommended.
82+
83+
You can also configure the application to [use an identity instead of a client secret][fic-config]. Support for using identity is currently in preview.
84+
8285
- **Issuer URL**, which takes the form `<authentication-endpoint>/<tenant-id>/v2.0`. Replace `<authentication-endpoint>` with the authentication endpoint [value specific to the cloud environment](/entra/identity-platform/authentication-national-cloud#azure-ad-authentication-endpoints). For example, a workforce tenant in global Azure would use "https://sts.windows.net" as its authentication endpoint.
8386

8487
If you need to manually create an app registration in a workforce tenant, see [Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app). As you go through the registration process, be sure to note the application (client) ID and client secret values.
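Review bot: new lines 82-84 insert a paragraph between the "Client secret (recommended)" bullet and the "Issuer URL" bullet; unless it is indented as a continuation of the preceding bullet, it will split the bullet list into two lists in the rendered page. Indent it under the Client secret bullet (or move it after the list) so the list stays intact.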
@@ -98,12 +101,14 @@ After creation, modify the app registration:
98101
1. Enter the consent scope name. Enter a description you want users to see on the consent page. For example, enter *Access &lt;application-name&gt;*.
99102
1. Select **Add scope**.
100103

101-
1. (Recommended) To create a client secret:
104+
1. (Recommended) Create a client assertion for the app. To create a client secret:
102105

103-
1. From the left navigation, select **Certificates & secrets** > **Client secrets** > **New client secret**.
104-
1. Enter a description and expiration and select **Add**.
106+
1. From the left navigation, select **Certificates & secrets** > **Client secrets** > **New client secret**.
107+
1. Enter a description and expiration and select **Add**.
105108
1. In the **Value** field, copy the client secret value. After you navigate away from this page, it doesn't appear again.
106-
109+
110+
You can also configure the application to [use an identity instead of a client secret][fic-config]. Support for using identity is currently in preview.
111+
107112
1. (Optional) To add multiple **Reply URLs**, select **Authentication**.
108113

109114
# [External configuration](#tab/external-configuration)
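Review bot: new line 104, "(Recommended) Create a client assertion for the app. To create a client secret:", conflates two different credential types; the sub-steps that follow create a client secret, while the client assertion (federated identity credential) is only introduced by the paragraph on new line 110. Rewording the step to "(Recommended) Configure a credential for the app. To create a client secret:" keeps the sub-steps accurate and lets the identity paragraph present the alternative.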
@@ -293,6 +298,42 @@ Requests that fail these built-in checks are given an HTTP `403 Forbidden` respo
293298

294299
[Payload claims]: ../active-directory/develop/access-token-claims-reference.md#payload-claims
295300

301+
## Use a managed identity instead of a secret (preview)
302+
303+
[fic-config]: #use-a-managed-identity-instead-of-a-secret-preview
304+
305+
Instead of configuring a client secret for your app registration, you can [configure an application to trust a managed identity (preview)][entra-fic]. Using an identity instead of a secret means you don't have to manage a secret. You don't have secret expiration events to handle, and you don't have the same level of risk associated with possibly disclosing or leaking that secret. The identity allows you to create a _federated identity credential_, which can be used instead of a client secret as a _client assertion_. This approach is only available for workforce configurations. The built-in authentication feature currently only supports federated identity credentials as a preview.
306+
307+
You can use the steps in this section to configure your App Service or Azure Functions resource to use this pattern. The steps here assume that you already set up an app registration using one of the supported methods, and that you have a secret defined already.
308+
309+
1. Create a user-assigned managed identity resource according to [these instructions](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities#create-a-user-assigned-managed-identity).
310+
1. [Assign that identity](./overview-managed-identity.md#add-a-user-assigned-identity) to your App Service or Azure Functions resource.
311+
312+
> [!IMPORTANT]
313+
> The user-assigned managed identity that you create should only be assigned to the App Service or Azure Functions application using this registration. If you assign the identity to another resource, you are giving that resource access to your app registration when it doesn't need it.
314+
315+
1. Note down the **Object ID** and **Client ID** of the managed identity. You will need the object ID to created a federated identity credential in the next step. The managed identity's client ID will be used in a later step.
316+
1. Follow the Entra ID instructions to [configure a federated identity credential on an existing application](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity#configure-a-federated-identity-credential-on-an-existing-application). Those instructions also include sections for updating application code, which you can skip.
317+
1. Add a new [application setting] named `OVERRIDE_USE_MI_FIC_ASSERTION_CLIENTID` and set its value to the managed identity's **client ID** you obtained in a previous step. Don't use the client ID of your app registration. Make sure to mark this application setting as slot-sticky.
318+
1. In the built-in authentication settings for your app resource, set the **Client secret setting name** to "OVERRIDE_USE_MI_FIC_ASSERTION_CLIENTID".
319+
320+
**To make this change using the Azure portal**, navigate back to your App Service or Azure Functions resource and select the **Authentication** tab. In the **Identity provider** section, you should see a "Microsoft" entry. Select icon in the **Edit** column. On the **Edit identity provider** screen, open the dropdown for **Client secret setting name** and choose "OVERRIDE_USE_MI_FIC_ASSERTION_CLIENTID". Click **Save**.
321+
322+
**To make this change using the REST API**, set the `clientSecretSettingName` property to "OVERRIDE_USE_MI_FIC_ASSERTION_CLIENTID". You can find this property under `properties` -> `identityProviders` -> `azureActiveDirectory` -> `registration`.
323+
324+
1. Verify that the application works as you expect. You should be able to successfully perform a new login action.
325+
326+
Once you are satisfied with the behavior using a managed identity, remove the existing secret:
327+
328+
1. Make sure that your app code doesn't take a dependency on the application setting. If it does, follow the instructions to [update your application code to request an access token](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity#update-your-application-code-to-request-an-access-token).
329+
1. Remove the application setting that previously held your secret. The name of this application setting is the previous **Client secret setting name** value, before you set it to "OVERRIDE_USE_MI_FIC_ASSERTION_CLIENTID".
330+
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/) using the tenant that contains your app registration. Navigate to the app registration again.
331+
1. Under **Certificates & secrets**, select **Client secrets** and remove the client secret.
332+
333+
Your app is now configured to use Entra ID authentication without secrets.
334+
335+
[entra-fic]: /entra/workload-id/workload-identity-federation-config-app-trust-managed-identity
336+
296337
## Configure client apps to access your App Service
297338

298339
In the prior sections, you registered your App Service or Azure Function to authenticate users. This section explains how to register native clients or daemon apps in Microsoft Entra. They can request access to APIs exposed by your App Service on behalf of users or themselves, such as in an N-tier architecture. If you only want to authenticate users, the steps in this section aren't required.
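Review bot: a few fixes are needed in the new section before merge: new line 315 has "You will need the object ID to created a federated identity credential" (should be "to create"); new line 316 says "Follow the Entra ID instructions" where the product name is "Microsoft Entra ID"; and new line 320 has "Select icon in the **Edit** column" (should be "Select the icon"). On substance the ordering is sound: verification (new line 324) happens while the old secret is still present, and the secret is removed only afterwards (new lines 326-331), and the IMPORTANT note on new line 313 correctly limits the user-assigned identity to the one app so that no other resource inherits the app registration's trust. One addition worth making: after removing the old application setting in step 329, repeat the sign-in verification, since that is the first point at which the app runs with the secret gone.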
