Merge branch 'MicrosoftDocs:main' into main

Author: MutemwaRMasheke

articles/api-management/api-management-howto-aad.md

@@ -6,7 +6,7 @@ description: Learn how to enable user sign-in to the API Management developer po
 author: dlepow
 ms.service: azure-api-management
 ms.topic: article
-ms.date: 12/08/2023
+ms.date: 09/19/2024
 ms.author: danlep
 ms.custom: engagement-fy23, devx-track-azurecli
 ---
@@ -76,14 +76,7 @@ After the Microsoft Entra provider is enabled:
 1. Save the **Redirect URL** for later.
 
     :::image type="content" source="media/api-management-howto-aad/api-management-with-aad001.png" alt-text="Screenshot of adding identity provider in Azure portal.":::
-
-    > [!NOTE]
-    > There are two redirect URLs:<br/>
-    > * **Redirect URL** points to the latest developer portal of the API Management.
-    > * **Redirect URL (deprecated portal)** points to the deprecated developer portal of API Management.
-    >
-    > We recommended you use the latest developer portal Redirect URL.
-   
+  
 1. In your browser, open the Azure portal in a new tab. 
 1. Navigate to [App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) to register an app in Active Directory.
 1. Select **New registration**. On the **Register an application** page, set the values as follows:
@@ -104,9 +97,6 @@ After the Microsoft Entra provider is enabled:
     * Select any option for **Expires**.
     * Choose **Add**. 
 1. Copy the client **Secret value** before leaving the page. You will need it later. 
-1. Under **Manage** in the side menu, select **Authentication**.
-    1. Under the **Implicit grant and hybrid flows** section, select the **ID tokens** checkbox.
-    1. Select **Save**.
 1. Under **Manage** in the side menu, select **Token configuration** > **+ Add optional claim**.
     1. In **Token type**, select **ID**.
     1. Select (check) the following claims: **email**, **family_name**, **given_name**.
@@ -117,21 +107,14 @@ After the Microsoft Entra provider is enabled:
     > [!IMPORTANT]
     > Update the **Client secret** before the key expires. 
 
-1. In the **Add identity provider** pane's **Allowed tenants** field, specify the Microsoft Entra instance's domains to which you want to grant access to the API Management service instance APIs. 
-    * You can separate multiple domains with newlines, spaces, or commas.
-
-    > [!NOTE]
-    > You can specify multiple domains in the **Allowed Tenants** section. A global administration must grant the application access to directory data before users can sign in from a different domain than the original app registration domain. To grant permission, the global administrator should:
-    > 1. Go to `https://<URL of your developer portal>/aadadminconsent` (for example, `https://contoso.portal.azure-api.net/aadadminconsent`).
-    > 1. Enter the domain name of the Microsoft Entra tenant to which they want to grant access.
-    > 1. Select **Submit**. 
-
+1. In **Signin tenant**, specify a tenant name or ID to use for sign-in to Microsoft Entra. If no value is specified, the Common endpoint is used.
+1. In **Allowed tenants**, add specific Microsoft Entra tenant names or IDs for sign-in to Microsoft Entra. 
 1. After you specify the desired configuration, select **Add**.
 1. Republish the developer portal for the Microsoft Entra configuration to take effect. In the left menu, under **Developer portal**, select **Portal overview** > **Publish**. 
 
 After the Microsoft Entra provider is enabled:
 
-* Users in the specified Microsoft Entra instance can [sign into the developer portal by using a Microsoft Entra account](#log_in_to_dev_portal).
+* Users in the specified Microsoft Entra tenant(s) can [sign into the developer portal by using a Microsoft Entra account](#log_in_to_dev_portal).
 * You can manage the Microsoft Entra configuration on the **Developer portal** > **Identities** page in the portal.
 * Optionally configure other sign-in settings by selecting **Identities** > **Settings**. For example, you might want to redirect anonymous users to the sign-in page.
 * Republish the developer portal after any configuration change.
@@ -160,7 +143,7 @@ For steps, see [Switch redirect URIs to the single-page application type](../act
 ## Add an external Microsoft Entra group
 
 Now that you've enabled access for users in a Microsoft Entra tenant, you can:
-* Add Microsoft Entra groups into API Management. 
+* Add Microsoft Entra groups into API Management. Groups added must be in the tenant where your API Management instance is deployed.
 * Control product visibility using Microsoft Entra groups.
 
 1. Navigate to the App Registration page for the application you registered in [the previous section](#enable-user-sign-in-using-azure-ad---portal). 

articles/api-management/media/api-management-howto-aad/api-management-with-aad001.png

@@ -5,7 +5,7 @@ ms.service: azure-api-management
 author: dlepow
 ms.author: danlep
 ms.topic: how-to
-ms.date: 03/20/2023
+ms.date: 09/19/2024
 ---
 
 # Connect privately to API Management using an inbound private endpoint
@@ -33,10 +33,11 @@ You can configure an inbound [private endpoint](../private-link/private-endpoint
 ## Prerequisites
 
 - An existing API Management instance. [Create one if you haven't already](get-started-create-service-instance.md). 
-    - The API Management instance must be hosted on the [`stv2` compute platform](compute-infrastructure.md). For example, create a new instance or, if you already have an instance in the Premium service tier, enable [zone redundancy](../reliability/migrate-api-mgt.md). 
+    - The API Management instance must be hosted on the [`stv2` compute platform](compute-infrastructure.md). 
     - Do not deploy (inject) the instance into an [external](api-management-using-with-vnet.md) or [internal](api-management-using-with-internal-vnet.md) virtual network.
 - A virtual network and subnet to host the private endpoint. The subnet may contain other Azure resources.
 - (Recommended) A virtual machine in the same or a different subnet in the virtual network, to test the private endpoint.
+[!INCLUDE [azure-cli-prepare-your-environment-no-header.md](~/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]
 
 ## Approval method for private endpoint
 
@@ -94,11 +95,11 @@ When you use the Azure portal to create a private endpoint, as shown in the next
 
 1. Navigate to your API Management service in the [Azure portal](https://portal.azure.com/).
 
-1. In the left-hand menu, select **Network**.
+1. In the left-hand menu, under **Deployment + infrastructure**, select **Network**.
 
 1. Select **Inbound private endpoint connections** > **+ Add endpoint**.
 
-    :::image type="content" source="media/private-endpoint/add-endpoint-from-instance.png" alt-text="Add a private endpoint using Azure portal":::
+    :::image type="content" source="media/private-endpoint/add-endpoint-from-instance.png" alt-text="Screenshot showing how to add a private endpoint using the Azure portal.":::
 
 1. In the **Basics** tab of **Create a private endpoint**, enter or select the following information:
 
@@ -112,16 +113,16 @@ When you use the Azure portal to create a private endpoint, as shown in the next
     | Network Interface Name | Enter a name for the network interface, such as *myInterface* |
     | Region | Select a location for the private endpoint. It must be in the same region as your virtual network. It may differ from the region where your API Management instance is hosted. |
 
-1. Select the **Resource** tab or the **Next: Resource** button at the bottom of the page. The following information about your API Management instance is already populated:
+1. Select the **Next: Resource** button at the bottom of the screen. The following information about your API Management instance is already populated:
     * Subscription
-    * Resource group
+    * Resource type
     * Resource name
 
 1. In **Resource**, in **Target sub-resource**, select **Gateway**.
 
-    :::image type="content" source="media/private-endpoint/create-private-endpoint.png" alt-text="Create a private endpoint in Azure portal":::
+    :::image type="content" source="media/private-endpoint/create-private-endpoint.png" alt-text="Screenshot showing settings to create a private endpoint in the Azure portal.":::
 
-1. Select the **Virtual Network** tab or the **Next: Virtual Network** button at the bottom of the screen.
+1. Select the **Next: Virtual Network** button at the bottom of the screen.
 
 1. In **Networking**, enter or select this information:
 
@@ -132,7 +133,7 @@ When you use the Azure portal to create a private endpoint, as shown in the next
     | Private IP configuration | In most cases, select **Dynamically allocate IP address.** |
     | Application security group | Optionally select an [application security group](../virtual-network/application-security-groups.md). |
 
-1. Select the **DNS** tab or the **Next: DNS** button at the bottom of the screen.
+1. Select the **Next: DNS** button at the bottom of the screen.
 
 1. In **Private DNS integration**, enter or select this information:
 
@@ -143,18 +144,15 @@ When you use the Azure portal to create a private endpoint, as shown in the next
     | Resource group | Select your resource group. |
     | Private DNS zones | The default value is displayed: **(new) privatelink.azure-api.net**.
 
-1. Select the **Tags** tab or the **Next: Tabs** button at the bottom of the screen. If you desire, enter tags to organize your Azure resources.
+1. Select the **Next: Tabs** button at the bottom of the screen. If you desire, enter tags to organize your Azure resources.
 
-1.  Select **Review + create**.
+    1. Select the **Next: Review + create** button at the bottom of the screen.
 
 1. Select **Create**.
 
 ### List private endpoint connections to the instance
 
-After the private endpoint is created, it appears in the list on the API Management instance's **Inbound private endpoint connections** page in the portal.
-
-You can also use the [Private Endpoint Connection - List By Service](/rest/api/apimanagement/current-ga/private-endpoint-connection/list-by-service) REST API to list private endpoint connections to the service instance.
-
+After the private endpoint is created and the service updated, it appears in the list on the API Management instance's **Inbound private endpoint connections** page in the portal.
 
 
 Note the endpoint's **Connection status**:
@@ -166,47 +164,34 @@ Note the endpoint's **Connection status**:
 
 If a private endpoint connection is in pending status, an owner of the API Management instance must manually approve it before it can be used.
 
-If you have sufficient permissions, approve a private endpoint connection on the API Management instance's **Private endpoint connections** page in the portal. 
+If you have sufficient permissions, approve a private endpoint connection on the API Management instance's **Private endpoint connections** page in the portal. In the connection's context (...) menu, select **Approve**.
 
-You can also use the API Management [Private Endpoint Connection - Create Or Update](/rest/api/apimanagement/current-ga/private-endpoint-connection/create-or-update) REST API.
-
-```rest
-PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{apimServiceName}privateEndpointConnections/{privateEndpointConnectionName}?api-version=2021-08-01
-```
+You can also use the API Management [Private Endpoint Connection - Create Or Update](/rest/api/apimanagement/private-endpoint-connection/create-or-update) REST API to approve pending private endpoint connectionis.
 
 ### Optionally disable public network access
 
-To optionally limit incoming traffic to the API Management instance only to private endpoints, disable public network access. Use the [API Management Service - Create Or Update](/rest/api/apimanagement/current-ga/api-management-service/create-or-update) REST API to set the `publicNetworkAccess` property to `Disabled`.
+To optionally limit incoming traffic to the API Management instance only to private endpoints, disable public network access. 
 
 > [!NOTE] 
-> The `publicNetworkAccess` property can only be used to disable public access to API Management instances configured with a private endpoint, not with other networking configurations such as VNet injection.
+> Public network access can only be disabled in API Management instances configured with a private endpoint, not with other networking configurations such as VNet injection.
 
-```rest
-PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{apimServiceName}?api-version=2021-08-01
-Authorization: Bearer {{authToken.response.body.access_token}}
-Content-Type: application/json
+To disable public network access using the Azure CLI, run the following [az apim update](/cli/azure/apim#az-apim-update) command, substituting the names of your API Management instance and resource group:
 
+```azurecli
+az apim update --name my-apim-service --resource-group my-resource-group --public-network-access false
 ```
-Use the following JSON body:
-
-```json
-{
-  [...]
-  "properties": {
-    "publicNetworkAccess": "Disabled"
-  }
-}
-```
+
+You can also use the [API Management Service - Update](/rest/api/apimanagement/api-management-service/update) REST API to disable public network access, by setting the `publicNetworkAccess` property to `Disabled`.
 
 ## Validate private endpoint connection
 
 After the private endpoint is created, confirm its DNS settings in the portal:
 
 1. Navigate to your API Management service in the [Azure portal](https://portal.azure.com/).
 
-1. In the left-hand menu, select **Network** > **Inbound private endpoint connections**, and select the private endpoint you created.
+1. In the left-hand menu, under **Deployment + infrastructure**, select **Network** > **Inbound private endpoint connections**, and select the private endpoint you created.
 
-1. In the left-hand navigation, select **DNS configuration**.
+1. In the left-hand navigation, under **Settings**, select **DNS configuration**.
 
 1. Review the DNS records and IP address of the private endpoint. The IP address is a private address in the address space of the subnet where the private endpoint is configured.
 
@@ -226,19 +211,19 @@ API calls initiated within the virtual network to the default Gateway endpoint s
 
 ### Test from internet
 
-From outside the private endpoint path, attempt to call the API Management instance's default Gateway endpoint. If public access is disabled, output will include an error with status code `403` and a message similar to:
+From outside the private endpoint path, attempt to call the API Management instance's default Gateway endpoint. If public access is disabled, output includes an error with status code `403` and a message similar to:
 
 ```
 Request originated from client public IP address xxx.xxx.xxx.xxx, public network access on this 'Microsoft.ApiManagement/service/my-apim-service' is disabled.
        
 To connect to 'Microsoft.ApiManagement/service/my-apim-service', please use the Private Endpoint from inside your virtual network. 
 ```
 
-## Next steps
+## Related content
 
 * Use [policy expressions](api-management-policy-expressions.md#ref-context-request) with the `context.request` variable to identify traffic from the private endpoint.
 * Learn more about [private endpoints](../private-link/private-endpoint-overview.md) and [Private Link](../private-link/private-link-overview.md), including [Private Link pricing](https://azure.microsoft.com/pricing/details/private-link/).
-* Learn more about [managing private endpoint connections](../private-link/manage-private-endpoint.md).
+* [Manage private endpoint connections](../private-link/manage-private-endpoint.md).
 * [Troubleshoot Azure private endpoint connectivity problems](../private-link/troubleshoot-private-endpoint-connectivity.md).
 * Use a [Resource Manager template](https://azure.microsoft.com/resources/templates/api-management-private-endpoint/) to create an API Management instance and a private endpoint with private DNS integration.