Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into nexus-bmm-run-read-samples

Author: robertstarling

.openpublishing.redirection.json

@@ -118,6 +118,21 @@ You need more claims to enable CAPTCHA in your custom policy:
         <DisplayName>Flag indicating that the captcha was successfully solved</DisplayName>
         <DataType>boolean</DataType>
       </ClaimType>
+
+      <ClaimType Id="mfaCaptchaEnabled">
+        <DisplayName>flag used to control captcha enabled in MFA</DisplayName>
+        <DataType>string</DataType>
+      </ClaimType>
+
+      <ClaimType Id="signupCaptchaEnabled">
+        <DisplayName>flag used to control captcha enabled during signup</DisplayName>
+        <DataType>string</DataType>
+      </ClaimType>
+
+      <ClaimType Id="signinCaptchaEnabled">
+        <DisplayName>flag used to control captcha enabled during signin</DisplayName>
+        <DataType>string</DataType>
+      </ClaimType>
       ...
      <!--<ClaimsSchema>-->
     ``` 
@@ -314,6 +329,58 @@ To enable CAPTCHA in MFA flow, you need to make an update in two technical profi
     ...
 </TechnicalProfile>
 ```
+
+### Enable CAPTCHA feature flag
+
+To enforce CAPTCHA during sign-up, sign-in, or MFA, you need to add a technical profile that enables a feature flag for each scenario, then call the technical profile in the user journey.
+
+1. In the *TrustFrameworkBase.XML* file, locate the `ClaimsProviders` element and add the claims provider by using the following code:
+
+```xml
+<!--<ClaimsProvider>-->
+...
+<ClaimsProvider>
+
+    <DisplayName>Set Feature Flags</DisplayName>
+
+    <TechnicalProfiles>
+
+    <TechnicalProfile Id="SetFeatureDefaultValue">
+        <DisplayName>Set Feature Flags</DisplayName>
+        <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.ClaimsTransformationProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
+        <OutputClaims>
+            <OutputClaim ClaimTypeReferenceId="signupCaptchaEnabled" DefaultValue="true" />
+            <OutputClaim ClaimTypeReferenceId="signinCaptchaEnabled" DefaultValue="true" />
+            <OutputClaim ClaimTypeReferenceId="mfaCaptchaEnabled" DefaultValue="true" />
+        </OutputClaims>
+    </TechnicalProfile>
+    </TechnicalProfiles>
+</ClaimsProvider>
+...
+<!--<ClaimsProviders>-->
+``` 
+
+2. Set `DefaultValue` to true or false depending on the CAPTCHA scenario
+
+3. Add the feature flags technical profile to the user journey then update the order of the rest of the orchestration steps.
+
+```xml
+<!--<UserJourneys>-->
+...
+<UserJourney Id="SignUpOrSignIn">
+    <OrchestrationSteps>
+
+        <!--Add this orchestration step-->
+        <OrchestrationStep Order="1" Type="ClaimsExchange">
+          <ClaimsExchanges>
+            <ClaimsExchange Id="SetFeatureDefaultValue" TechnicalProfileReferenceId="SetFeatureDefaultValue" />
+          </ClaimsExchanges>
+        </OrchestrationStep>
+...
+<!--<UserJourneys>-->
+```
+
+
 ## Upload the custom policy files
 
 Use the steps in [Upload the policies](tutorial-create-user-flows.md?pivots=b2c-custom-policy&branch=pr-en-us-260336#upload-the-policies) to upload your custom policy files.

articles/active-directory-b2c/add-captcha.md

@@ -210,10 +210,12 @@ Next, specify that the application should be treated as a public client:
 1. In the left menu, under **Manage**, select **Authentication**.
 1. Under **Advanced settings**, in the **Allow public client flows** section, set **Enable the following mobile and desktop flows** to **Yes**. 
 1. Select **Save**.
-1. Ensure that **"allowPublicClient": true** is set in the application manifest:
+1. Ensure that **"isFallbackPublicClient": true** is set in the application manifest:
     1. In the left menu, under **Manage**, select **Manifest** to open application manifest.
+    1. Switch from the **Microsoft Graph App Manifest (New)** tab to the **AAD Graph App Manifest (Deprecating Soon)** tab.
     1. Find **allowPublicClient** key and ensure its value is set to **true**.
 
+
 Now, grant permissions to the API scope you exposed earlier in the *IdentityExperienceFramework* registration:
 
 1. In the left menu, under **Manage**, select **API permissions**.

articles/active-directory-b2c/tutorial-create-user-flows.md

@@ -1,7 +1,7 @@
 ---
 title: "What's new in Azure Active Directory business-to-customer (B2C)"
 description: "New and updated documentation for the Azure Active Directory business-to-customer (B2C)."
-ms.date: 01/10/2025
+ms.date: 02/04/2025
 ms.service: azure-active-directory
 ms.subservice: b2c
 ms.topic: whats-new
@@ -17,6 +17,12 @@ manager: CelesteDG
 
 Welcome to what's new in Azure Active Directory B2C documentation. This article lists new and significantly updated docs from the past three months. To learn what's new with the B2C service, see [What's new in Microsoft Entra ID](../active-directory/fundamentals/whats-new.md), [Azure AD B2C developer release notes](custom-policy-developer-notes.md) and [What's new in Microsoft Entra External ID](/entra/external-id/whats-new-docs).
 
+## January 2025
+
+### Updated articles
+
+- [Azure Active Directory B2C service limits and restrictions](service-limits.md) - Updated limits
+
 ## December 2024
 
 ### Updated articles
@@ -29,12 +35,3 @@ Welcome to what's new in Azure Active Directory B2C documentation. This article
 
 - [Azure Active Directory B2C: Region availability & data residency](data-residency.md) - Updated data residency location
 
-## October 2024
-
-### Updated articles
-
-- [Secure APIs used for API connectors in Azure AD B2C](secure-rest-api.md) - Flow updates
-- [Application types that can be used in Active Directory B2C](application-types.md) - Implicit grant flow updates
-- [Configure authentication in a sample single-page application by using Azure AD B2C](configure-authentication-sample-spa-app.md) - Implicit grant flow updates
-- [Single-page application sign-in using the OAuth 2.0 implicit flow in Azure Active Directory B2C](implicit-flow-single-page-application.md) - Implicit grant flow updates
-- [Register a single-page application in Azure Active Directory B2C](tutorial-register-spa.md) - Implicit grant flow updates

articles/active-directory-b2c/whats-new-docs.md

@@ -703,3 +703,5 @@
     href: /answers/tags/29/azure-api-management
   - name: Stack Overflow
     href: https://stackoverflow.com/questions/tagged/azure-api-management
+  - name: aka.ms/apimlove
+    href: https://aka.ms/apimlove

articles/api-management/TOC.yml

@@ -13,6 +13,9 @@ ms.author: danlep
 
 [!INCLUDE [premium-dev-standard-basic.md](../../includes/api-management-availability-premium-dev-standard-basic.md)]
 
+> [!IMPORTANT]
+> Starting March 15, 2025, Azure API Management will [retire](breaking-changes/git-configuration-retirement-march-2025.md) the ability to manage the configuration of your service instance using the built-in Git repository. If you plan to continue using a Git repository to manage the configuration of your service instance after the retirement date, update your configuration management to use a different solution such as APIOps and your own Git repository implementation.
+
 Each API Management service instance maintains a configuration database that contains information about the configuration and metadata for the service instance. Changes can be made to the service instance by changing a setting in the Azure portal, using Azure tools such as Azure PowerShell or the Azure CLI, or making a REST API call. In addition to these methods, you can manage your service instance configuration using Git, enabling scenarios such as:
 
 * **Configuration versioning** - Download and store different versions of your service configuration
@@ -42,7 +45,7 @@ This article describes how to enable and use Git to manage your service configur
 
  1. Navigate to your API Management instance in the [Azure portal](https://portal.azure.com/).
 
- 1. In the left menu, under **Deployment and infrastructure**, select **Repository**.
+ 1. In the left menu, under **Deployment + infrastructure**, select **Repository**.
 
 :::image type="content" source="media/api-management-configuration-repository-git/api-management-enable-git.png" alt-text="Screenshot showing how to access Git configuration for API Management.":::
 
@@ -67,7 +70,10 @@ For information on saving the service configuration using the REST API, see [Ten
 
 ## Get access credentials
 
-To clone a repository, in addition to the URL to your repository, your need a username and a password. 
+To clone a repository, in addition to the URL to your repository, you need a username and a password. 
+
+> [!CAUTION]
+> Using username and password credentials with a Git repository can pose security risks. Store your password securely and rotate it regularly. Don't store your credentials in plain text in code or configuration files. 
 
 1. On the **Repository** page, select **Access credentials** near the top of the page.
 
@@ -91,19 +97,19 @@ git clone https://{name}.scm.azure-api.net/
 
 Provide the username and password when prompted.
 
-If you receive any errors, try modifying your `git clone` command to include the user name and password, as shown in the following example.
+If you receive any errors, try modifying your `git clone` command to include the username, as shown in the following example. Provide the password when prompted.
 
 ```
-git clone https://username:password@{name}.scm.azure-api.net/
+git clone https://username@{name}.scm.azure-api.net/
 ```
 
-If this provides an error, try URL encoding the password portion of the command. One quick way to do this is to open Visual Studio, and issue the following command in the **Immediate Window**. To open the **Immediate Window**, open any solution or project in Visual Studio (or create a new empty console application), and choose **Windows**, **Immediate** from the **Debug** menu.
+If this provides an error, try URL encoding the password and pass it in the command. One quick way to do this is to open Visual Studio, and issue the following command in the **Immediate Window**. To open the **Immediate Window**, open any solution or project in Visual Studio (or create a new empty console application), and choose **Windows**, **Immediate** from the **Debug** menu.
 
 ```
 ?System.Net.WebUtility.UrlEncode("password from the Azure portal")
 ```
 
-Use the encoded password along with your user name and repository location to construct the git command.
+Use the encoded password along with your username and repository location to construct the git command.
 
 ```
 git clone https://username:url encoded password@{name}.scm.azure-api.net/
@@ -205,7 +211,7 @@ These files can be created, deleted, edited, and managed on your local file syst
 > * [Subscriptions](/rest/api/apimanagement/current-ga/subscription)
 > * Named values
 > * Developer portal entities other than styles and templates
-> * Policy Fragments
+> * Policy fragments
 >
 
 ### Root api-management folder
@@ -305,7 +311,8 @@ The `templates` folder contains configuration for the [email templates](api-mana
 * `<template name>\configuration.json` - Configuration for the email template.
 * `<template name>\body.html` - Body of the email template.
 
-## Next steps
+## Related content
+
 For information on other ways to manage your service instance, see:
 
 * [Azure PowerShell cmdlet reference](/powershell/module/az.apimanagement)

articles/api-management/api-management-configuration-repository-git.md

@@ -74,7 +74,7 @@ Follow these steps to trace an API request in the test console in the portal. Th
 
 The following high level steps are required to enable tracing for a request to API Management when using `curl`, a REST client such as Visual Studio Code with the REST Client extension, or a client app. Currently these steps must be followed using the [API Management REST API](/rest/api/apimanagement):
 
-1. Obtain a token credential for tracing.
+1. Obtain a debug token for tracing.
 1. Add the token value in an `Apim-Debug-Authorization` request header to the API Management gateway.
 1. Obtain a trace ID in the `Apim-Trace-Id` response header.
 1. Retrieve the trace corresponding to the trace ID.
@@ -85,7 +85,7 @@ Detailed steps follow.
 > * These steps require API Management REST API version 2023-05-01-preview or later. You must be assigned the Contributor or higher role on the API Management instance to call the REST API.
 > * For information about authenticating to the REST API, see [Azure REST API reference](/rest/api/azure). 
 
-1. **Obtain a token credential** - Call the API Management gateway's [List debug credentials](/rest/api/apimanagement/gateway/list-debug-credentials) API. In the URI, enter "managed" for the instance's managed gateway in the cloud, or the gateway ID for a self-hosted gateway. For example, to obtain trace credentials for the instance's managed gateway, use a request similar to the following:
+1. **Obtain a debug token** - Call the API Management gateway's [List debug credentials](/rest/api/apimanagement/gateway/list-debug-credentials) API. In the URI, enter "managed" for the instance's managed gateway in the cloud, or the gateway ID for a self-hosted gateway. For example, to obtain trace credentials for the instance's managed gateway, use a request similar to the following:
 
     ```http
     POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/gateways/managed/listDebugCredentials?api-version=2023-05-01-preview
@@ -96,12 +96,22 @@ Detailed steps follow.
     ```json
     {
         "credentialsExpireAfter": PT1H,
-        "apiId": ""/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/apis/{apiName}",
+        "apiId": ""/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/apis/{apiId}",
         "purposes": ["tracing"]
     }
     ```
+
+    > [!NOTE]
+    > The `apiId` can only be pulled from the full resource ID, not the name displayed in the portal.
+
+    Get apiId:
+
+    
+    ```azurecli
+    az apim api list --resource-group <resource-group> --service-name <service-name> -o table
+    ```
         
-    The token credential is returned in the response, similar to the following:
+    The debug credential is returned in the response, similar to the following:
 
     ```json
     {
@@ -112,18 +122,20 @@ Detailed steps follow.
 1. **Add the token value in a request header** - To enable tracing for a request to the API Management gateway, send the token value in an `Apim-Debug-Authorization` header. For example, to trace a call to the Petstore API that you imported in a previous tutorial, you might use a request similar to the following:
 
     ```bash
-    curl -v https://apim-hello-world.azure-api.net/pet/1 HTTP/1.1 -H "Ocp-Apim-Subscription-Key: <subscription-key>" -H "Apim-Debug-Authorization: aid=api-name&......."
+    curl -v https://apim-hello-world.azure-api.net/pet/1 HTTP/1.1 \
+        -H "Ocp-Apim-Subscription-Key: <subscription-key>" \
+        -H "Apim-Debug-Authorization: aid=api-name&......."
     ```
 
-1. Depending on the token, the response contains one of the following headers:
-    * If the token is valid, the response includes an `Apim-Trace-Id` header whose value is the trace ID, similar to the following:
+1. **Evaluate the response** - The response can contain one of the following headers depending on the state of the debug token:
+    * If the debug token is valid, the response includes an `Apim-Trace-Id` header whose value is the trace ID, similar to the following:
 
         ```http
         Apim-Trace-Id: 0123456789abcdef....
         ```
         
-    * If the token is expired, the response includes an `Apim-Debug-Authorization-Expired` header with information about expiration date.
-    * If the token was obtained for a different API, the response includes an `Apim-Debug-Authorization-WrongAPI` header with an error message.
+    * If the debug token is expired, the response includes an `Apim-Debug-Authorization-Expired` header with information about expiration date.
+    * If the debug token was obtained for a different API, the response includes an `Apim-Debug-Authorization-WrongAPI` header with an error message.
 
 1. **Retrieve the trace** - Pass the trace ID obtained in the previous step to the gateway's [List trace](/rest/api/apimanagement/gateway/list-trace) API. For example, to retrieve the trace for the managed gateway, use a request similar to the following:
 
@@ -142,6 +154,61 @@ Detailed steps follow.
     The response body contains the trace data for the previous API request to the gateway. The trace is similar to the trace you can see by tracing a call in the portal's test console.
 
 
+### Example `.http` file for VS Code REST Client extension
+
+To help automate these steps with the [Visual Studio Code REST Client](https://marketplace.visualstudio.com/items?itemName=humao.rest-client) extension, you can use the following example `.http` file:
+
+```http
+@subscriptionId = // Your subscription ID
+@resourceGroup = // Your resource group
+@apimName = // Your API Management service name
+@clientId = // Client ID from an app registration for authentication
+@clientSecret = // Client secret from app registration
+@externalHost = // The host name of the App Gateway or the fully qualified gateway URL
+@subscriptionKey = // API Management subscription key
+@apiEndPoint = // API URL
+@requestBody = // Data to send
+@tenantId = // Tenant ID
+ 
+POST https://login.microsoftonline.com/{{tenandId}}/oauth2/token
+content-type: application/x-www-form-urlencoded
+ 
+grant_type=client_credentials&client_id={{clientId}}&client_secret={{clientSecret}}&resource=https%3A%2F%2Fmanagement.azure.com%2F
+ 
+###
+@authToken = {{login.response.body.$.access_token}}
+###
+# @name listDebugCredentials
+POST https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.ApiManagement/service/{{apimName}}/gateways/managed/listDebugCredentials?api-version=2023-05-01-preview
+Authorization: Bearer {{authToken}}
+Content-Type: application/json
+{
+    "credentialsExpireAfter": "PT1H",
+    "apiId": "/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.ApiManagement/service/{{apimName}}/apis/{{apiId}}",
+    "purposes": ["tracing"]
+}
+ 
+###
+@debugToken = {{listDebugCredentials.response.body.$.token}}
+ 
+###
+# @name callApi
+curl -k -H "Apim-Debug-Authorization: {{debugToken}}" -H 'Host: {{externalHost}}' -H 'Ocp-Apim-Subscription-Key: {{subscriptionKey}}' -H 'Content-Type: application/json' '{{apiEndPoint}}' -d '{{requestBody}}'
+ 
+###
+@traceId = {{callApi.response.headers.Apim-Trace-Id}}
+ 
+###
+# @name getTrace
+POST https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.ApiManagement/service/{{apimName}}/gateways/managed/listTrace?api-version=2024-06-01-preview
+Authorization: Bearer {{authToken}}
+Content-Type: application/json
+ 
+{
+    "traceId": "{{traceId}}"
+}
+```
+
 For information about customizing trace information, see the [trace](trace-policy.md) policy.
 
 ## Next steps