Skip to content

Commit 371239c

Browse files
committed
Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into erfreshness4
2 parents b3e7976 + 639482c commit 371239c

File tree

714 files changed

+1669
-20549
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

714 files changed

+1669
-20549
lines changed

.openpublishing.redirection.json

Lines changed: 600 additions & 5 deletions
Large diffs are not rendered by default.

articles/api-management/validate-azure-ad-token-policy.md

Lines changed: 24 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ author: dlepow
66

77
ms.service: azure-api-management
88
ms.topic: article
9-
ms.date: 07/23/2024
9+
ms.date: 01/29/2025
1010
ms.author: danlep
1111
---
1212

@@ -17,7 +17,7 @@ ms.author: danlep
1717
The `validate-azure-ad-token` policy enforces the existence and validity of a JSON web token (JWT) that was provided by the Microsoft Entra (formerly called Azure Active Directory) service for a specified set of principals in the directory. The JWT can be extracted from a specified HTTP header, query parameter, or value provided using a policy expression or context variable.
1818

1919
> [!NOTE]
20-
> To validate a JWT that was provided by an identity provider other than Microsoft Entra, API Management also provides the generic [`validate-jwt`](validate-jwt-policy.md) policy.
20+
> Use the generic [`validate-jwt`](validate-jwt-policy.md) policy to validate a JWT that was provided by an identity provider other than Microsoft Entra.
2121
2222
[!INCLUDE [api-management-policy-generic-alert](../../includes/api-management-policy-generic-alert.md)]
2323

@@ -33,24 +33,23 @@ The `validate-azure-ad-token` policy enforces the existence and validity of a JS
3333
failed-validation-httpcode="HTTP status code to return on failure"
3434
failed-validation-error-message="error message to return on failure"
3535
output-token-variable-name="name of a variable to receive a JWT object representing successfully validated token">
36-
<client-application-ids>
37-
<application-id>Client application ID from Microsoft Entra</application-id>
38-
<!-- If there are multiple client application IDs, then add additional application-id elements -->
39-
</client-application-ids>
4036
<backend-application-ids>
4137
<application-id>Backend application ID from Microsoft Entra</application-id>
4238
<!-- If there are multiple backend application IDs, then add additional application-id elements -->
4339
</backend-application-ids>
40+
<client-application-ids>
41+
<application-id>Client application ID from Microsoft Entra</application-id>
42+
<!-- If there are multiple client application IDs, then add additional application-id elements -->
43+
</client-application-ids>
4444
<audiences>
4545
<audience>audience string</audience>
4646
<!-- if there are multiple possible audiences, then add additional audience elements -->
4747
</audiences>
4848
<required-claims>
49-
<claim name="name of the claim as it appears in the token" match="all|any" separator="separator character in a multi-valued claim">
49+
<claim name="name of the claim as it appears in the token" match="all | any" separator="separator character in a multi-valued claim">
5050
<value>claim value as it is expected to appear in the token</value>
5151
<!-- if there is more than one allowed value, then add additional value elements -->
5252
</claim>
53-
<!-- if there are multiple possible allowed values, then add additional value elements -->
5453
</required-claims>
5554
<decryption-keys>
5655
<key certificate-id="mycertificate"/>
@@ -75,9 +74,9 @@ The `validate-azure-ad-token` policy enforces the existence and validity of a JS
7574

7675
| Element | Description | Required |
7776
| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- |
78-
| audiences | Contains a list of acceptable audience claims that can be present on the token. If multiple `audience` values are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds. Policy expressions are allowed. | No |
7977
| backend-application-ids | Contains a list of acceptable backend application IDs. This is only required in advanced cases for the configuration of options and can generally be removed. Policy expressions aren't allowed. | No |
8078
| client-application-ids | Contains a list of acceptable client application IDs. If multiple `application-id` elements are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds. If a client application ID isn't provided, one or more `audience` claims should be specified. Policy expressions aren't allowed. | No |
79+
| audiences | Contains a list of acceptable audience claims that can be present on the token. If multiple `audience` values are present, then each value is tried until either all are exhausted (in which case validation fails) or until one succeeds. Policy expressions are allowed. | No |
8180
| required-claims | Contains a list of `claim` elements for claim values expected to be present on the token for it to be considered valid. When the `match` attribute is set to `all`, every claim value in the policy must be present in the token for validation to succeed. When the `match` attribute is set to `any`, at least one claim must be present in the token for validation to succeed. Policy expressions are allowed. | No |
8281
| decryption-keys | A list of [`key`](#key-attributes) subelements, used to decrypt a token signed with an asymmetric key. If multiple keys are present, then each key is tried until either all keys are exhausted (in which case validation fails) or a key succeeds.<br/><br/>Specify the public key using a `certificate-id` attribute with value set to the identifier of a certificate uploaded to API Management. | No |
8382

@@ -109,7 +108,7 @@ The `validate-azure-ad-token` policy enforces the existence and validity of a JS
109108

110109
### Simple token validation
111110

112-
The following policy is the minimal form of the `validate-azure-ad-token` policy. It expects the JWT to be provided in the default `Authorization` header using the `Bearer` scheme. In this example, the Microsoft Entra tenant ID and client application ID are provided using named values.
111+
The following policy is the minimal form of the `validate-azure-ad-token` policy. It expects the JWT to be provided in the default `Authorization` header using the `Bearer` scheme. In this example, the Microsoft Entra tenant ID and client application ID are provided using named values.
113112

114113
```xml
115114
<validate-azure-ad-token tenant-id="{{aad-tenant-id}}">
@@ -119,6 +118,21 @@ The following policy is the minimal form of the `validate-azure-ad-token` policy
119118
</validate-azure-ad-token>
120119
```
121120

121+
### Token validation using decryption key
122+
123+
This example shows how to use the `validate-azure-ad-token` policy to validate a token that is decrypted using a decryption key. The Microsoft Entra tenant ID and client application ID are provided using named values. The key is specified using the ID of an uploaded certificate (in PFX format) that contains the public key.
124+
125+
```xml
126+
<validate-azure-ad-token tenant-id="{{aad-tenant-id}}">
127+
<client-application-ids>
128+
<application-id>{{aad-client-application-id}}</application-id>
129+
</client-application-ids>
130+
<decryption-keys>
131+
<key certificate-id="mycertificate"/>
132+
</decryption-keys>
133+
</validate-azure-ad-token>
134+
```
135+
122136
### Validate that audience and claim are correct
123137

124138
The following policy checks that the audience is the hostname of the API Management instance and that the `ctry` claim is `US`. The Microsoft tenant ID is the well-known `organizations` tenant, which allows tokens from accounts in any organizational directory. The hostname is provided using a policy expression, and the client application ID is provided using a named value. The decoded JWT is provided in the `jwt` variable after validation.

articles/api-management/validate-jwt-policy.md

Lines changed: 29 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -6,18 +6,18 @@ author: dlepow
66

77
ms.service: azure-api-management
88
ms.topic: article
9-
ms.date: 09/27/2024
9+
ms.date: 01/27/2025
1010
ms.author: danlep
1111
---
1212

1313
# Validate JWT
1414

1515
[!INCLUDE [api-management-availability-all-tiers](../../includes/api-management-availability-all-tiers.md)]
1616

17-
The `validate-jwt` policy enforces existence and validity of a supported JSON web token (JWT) extracted from a specified HTTP header, extracted from a specified query parameter, or matching a specific value.
17+
The `validate-jwt` policy enforces existence and validity of a supported JSON web token (JWT) that was provided by an identity provider. The JWT can be extracted from a specified HTTP header, extracted from a specified query parameter, or matching a specific value.
1818

1919
> [!NOTE]
20-
> To validate a JWT that was provided by the Microsoft Entra service, API Management also provides the [`validate-azure-ad-token`](validate-azure-ad-token-policy.md) policy.
20+
> Use the [`validate-azure-ad-token`](validate-azure-ad-token-policy.md) policy to validate a JWT that was provided by Microsoft Entra.
2121
2222
[!INCLUDE [api-management-policy-form-alert](../../includes/api-management-policy-form-alert.md)]
2323

@@ -206,6 +206,32 @@ The `validate-jwt` policy enforces existence and validity of a supported JSON we
206206
</validate-jwt>
207207
```
208208

209+
### Token validation using decryption key
210+
211+
This example shows how to use the `validate-jwt` policy to validate a token that is decrypted using a decryption key. The key is specified using the ID of an uploaded certificate (in PFX format) that contains the public key.
212+
213+
```xml
214+
<validate-jwt header-name="Authorization" require-scheme="Bearer" output-token-variable-name="jwt">
215+
<issuer-signing-keys>
216+
<key>{{jwt-signing-key}}</key> <!-- signing key is stored in a named value -->
217+
</issuer-signing-keys>
218+
<audiences>
219+
<audience>@(context.Request.OriginalUrl.Host)</audience>
220+
</audiences>
221+
<issuers>
222+
<issuer>contoso.com</issuer>
223+
</issuers>
224+
<required-claims>
225+
<claim name="group" match="any">
226+
<value>finance</value>
227+
<value>logistics</value>
228+
</claim>
229+
</required-claims>
230+
<decryption-keys>
231+
<key certificate-id="my-certificate-in-api-management" /> <!-- decryption key specified as certificate ID -->
232+
</decryption-keys>
233+
</validate-jwt>
234+
```
209235

210236
### Authorize access to operations based on token claims
211237

articles/app-service/configure-language-python.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -115,7 +115,7 @@ Existing web applications can be redeployed to Azure as follows:
115115
116116
1. **Continuous deployment**: Set up continuous deployment from GitHub Actions, Bitbucket, or Azure Repos as described in the article [Continuous deployment to Azure App Service](deploy-continuous-deployment.md). Or, set up continuous deployment from Local Git as described in the article [Local Git deployment to Azure App Service](deploy-local-git.md).
117117
118-
1. **Custom actions**: To perform actions within the App Service container that hosts your app, such as Django database migrations, you can [connect to the container through SSH](configure-linux-open-ssh-session.md). For an example of running Django database migrations, see [Tutorial: Deploy a Django web app with PostgreSQL - generate database schema](tutorial-python-postgresql-app-django.md#4-generate-database-schema).
118+
1. **Custom actions**: To perform actions within the App Service container that hosts your app, such as Django database migrations, you can [connect to the container through SSH](configure-linux-open-ssh-session.md). For an example of running Django database migrations, see [Tutorial: Deploy a Django web app with PostgreSQL - generate database schema](tutorial-python-postgresql-app-django.md#5-generate-database-schema).
119119
- When using continuous deployment, you can perform those actions using post-build commands as described earlier under [Customize build automation](#customize-build-automation).
120120
121121
With these steps completed, you should be able to commit changes to your source repository and have those updates automatically deployed to App Service.

articles/app-service/deploy-intelligent-apps.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: 'Deploy an application that uses OpenAI on Azure App Service'
33
description: Get started with OpenAI on Azure App Service
44
author: jefmarti
55
ms.author: jefmarti
6-
ms.date: 04/10/2024
6+
ms.date: 01/31/2025
77
ms.topic: article
88
ms.custom: devx-track-dotnet, devx-track-extended-java, devx-track-python, linux-related-content
99
ms.collection: ce-skilling-ai-copilot

articles/app-service/overview-tls.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@ title: Transport Layer Security (TLS) overview
33
description: Learn about Transport Layer Security (TLS) on App Service.
44
keywords: app service, azure app service, tls, transport layer security, support, web app, troubleshooting,
55
ms.topic: article
6-
ms.date: 07/29/2024
6+
ms.date: 01/31/2025
77
ms.author: msangapu
88
author: msangapu-msft
99
ms.custom: UpdateFrequency3

0 commit comments

Comments
 (0)