Merge branch 'main' into release-qumolo

Author: v-alje

.openpublishing.redirection.azure-productivity.json

@@ -84,6 +84,11 @@
       "source_path": "articles/lab-services/how-to-manage-vm-pool-within-canvas.md",
       "redirect_url": "/azure/lab-services/how-to-manage-labs-within-canvas",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/lab-services/how-to-enable-nested-virtualization-template-vm.md",
+      "redirect_url": "/azure/lab-services/concept-nested-virtualization-template-vm",
+      "redirect_document_id": true
     }
   ]
 }

articles/active-directory/external-identities/media/self-service-sign-up-user-flow/assign-app-to-user-flow.png

@@ -5,7 +5,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 01/06/2023
+ms.date: 01/16/2023
 
 ms.author: mimart
 author: msmimart
@@ -52,7 +52,8 @@ Before you can add a self-service sign-up user flow to your applications, you ne
 1. Select **User settings**, and then under **External users**, select **Manage external collaboration settings**.
 1. Set the **Enable guest self-service sign up via user flows** toggle to **Yes**.
 
-   ![Enable guest self-service sign-up](media/self-service-sign-up-user-flow/enable-self-service-sign-up.png)
+   :::image type="content" source="media/self-service-sign-up-user-flow/enable-self-service-sign-up.png" alt-text="Screenshot of the enable guest self-service sign up toggle.":::
+
 5. Select **Save**.
 ## Create the user flow for self-service sign-up
 
@@ -63,17 +64,17 @@ Next, you'll create the user flow for self-service sign-up and add it to an appl
 3. In the left menu, select **External Identities**.
 4. Select **User flows**, and then select **New user flow**.
 
-   ![Add a new user flow button](media/self-service-sign-up-user-flow/new-user-flow.png)
+   :::image type="content" source="media/self-service-sign-up-user-flow/new-user-flow.png" alt-text="Screenshot of the new user flow button.":::
 
 5. Select the user flow type (for example, **Sign up and sign in**), and then select the version (**Recommended** or **Preview**).
-6. On the **Create** page, enter a **Name** for the user flow. Note that the name is automatically prefixed with **B2X_1_**.
+6. On the **Create** page, enter a **Name** for the user flow. The name is automatically prefixed with **B2X_1_**.
 7. In the **Identity providers** list, select one or more identity providers that your external users can use to log into your application. **Azure Active Directory Sign up** is selected by default. (See [Before you begin](#before-you-begin) earlier in this article to learn how to add identity providers.)
-8. Under **User attributes**, choose the attributes you want to collect from the user. For additional attributes, select **Show more**. For example, select **Show more**, and then choose attributes and claims for **Country/Region**, **Display Name**, and **Postal Code**. Select **OK**.
+8. Under **User attributes**, choose the attributes you want to collect from the user. For more attributes, select **Show more**. For example, select **Show more**, and then choose attributes and claims for **Country/Region**, **Display Name**, and **Postal Code**. Select **OK**.
 
-   ![Create a new user flow page](media/self-service-sign-up-user-flow/create-user-flow.png)
+   :::image type="content" source="media/self-service-sign-up-user-flow/create-user-flow.png" alt-text="Screenshot of the new user flow creation page. ":::
 
-> [!NOTE]
-> You can only collect attributes when a user signs up for the first time. After a user signs up, they will no longer be prompted to collect attribute information, even if you change the user flow.
+   > [!NOTE]
+   > You can only collect attributes when a user signs up for the first time. After a user signs up, they will no longer be prompted to collect attribute information, even if you change the user flow.
 
 8. Select **Create**.
 9. The new user flow appears in the **User flows** list. If necessary, refresh the page.
@@ -86,7 +87,7 @@ You can choose order in which the attributes are displayed on the sign-up page.
 2. Select **External Identities**, select **User flows**.
 3. Select the self-service sign-up user flow from the list.
 4. Under **Customize**, select **Page layouts**.
-5. The attributes you chose to collect are listed. To change the order of display, select an attribute, and then select **Move up**, **Move down**, **Move to the top**, or **Move to the bottom**.
+5. The attributes you chose to collect are listed. To change the order of display, select an attribute, and then select **Move up**, **Move down**, **Move to top**, or **Move to bottom**.
 6. Select **Save**.
 
 ## Add applications to the self-service sign-up user flow
@@ -101,7 +102,7 @@ Now you'll associate applications with the user flow to enable sign-up for those
 6. In the left menu, under **Use**, select **Applications**.
 7. Select **Add application**.
 
-   ![Assign an application to the user flow](media/self-service-sign-up-user-flow/assign-app-to-user-flow.png)
+   :::image type="content" source="media/self-service-sign-up-user-flow/assign-app-to-user-flow.png" alt-text="Screenshot of adding an application to the user flow.":::
 
 8. Select the application from the list. Or use the search box to find the application, and then select it.
 9. Click **Select**.
@@ -112,4 +113,3 @@ Now you'll associate applications with the user flow to enable sign-up for those
 - [Add Facebook to your list of social identity providers](facebook-federation.md)
 - [Use API connectors to customize and extend your user flows via web APIs](api-connectors-overview.md)
 - [Add custom approval workflow to your user flow](self-service-sign-up-add-approvals.md)
-- [Learn more about initiating an OAuth 2.0 authorization code flow](../develop/v2-oauth2-auth-code-flow.md#request-an-authorization-code)

articles/active-directory/external-identities/media/self-service-sign-up-user-flow/create-user-flow.png

@@ -5,33 +5,57 @@ description: Learn how to secure access to APIs by using client certificates. Yo
 services: api-management
 documentationcenter: ''
 author: dlepow
-manager: erikre
-editor: ''
 
 ms.service: api-management
-ms.workload: mobile
-ms.tgt_pltfrm: na
 ms.topic: article
-ms.date: 06/01/2021
+ms.date: 01/12/2023
 ms.author: danlep
+ms.custom: engagement-fy23
 ---
 
 # How to secure APIs using client certificate authentication in API Management
 
-API Management provides the capability to secure access to APIs (i.e., client to API Management) using client certificates. You can validate certificates presented by the connecting client and check certificate properties against desired values using policy expressions.
+API Management provides the capability to secure access to APIs (that is, client to API Management) using client certificates and mutual TLS authentication. You can validate certificates presented by the connecting client and check certificate properties against desired values using policy expressions.
 
-For information about securing access to the back-end service of an API using client certificates (i.e., API Management to backend), see [How to secure back-end services using client certificate authentication](./api-management-howto-mutual-certificates.md).
+For information about securing access to the backend service of an API using client certificates (that is, API Management to backend), see [How to secure back-end services using client certificate authentication](./api-management-howto-mutual-certificates.md).
 
 For a conceptual overview of API authorization, see [Authentication and authorization in API Management](authentication-authorization-overview.md#gateway-data-plane). 
 
+## Certificate options
 
-> [!IMPORTANT]
-> To receive and verify client certificates over HTTP/2 in the Developer, Basic, Standard, or Premium tiers you must turn on the "Negotiate client certificate" setting on the "Custom domains" blade as shown below.
+For certificate validation, API Management can check against certificates managed in your API Management instance. If you choose to use API Management to manage client certificates, you have the following options:
+
+* Reference a certificate managed in [Azure Key Vault](../key-vault/general/overview.md) 
+* Add a certificate file directly in API Management
+
+Using key vault certificates is recommended because it helps improve API Management security:
+
+* Certificates stored in key vaults can be reused across services
+* Granular [access policies](../key-vault/general/security-features.md#privileged-access) can be applied to certificates stored in key vaults
+* Certificates updated in the key vault are automatically rotated in API Management. After update in the key vault, a certificate in API Management is updated within 4 hours. You can also manually refresh the certificate using the Azure portal or via the management REST API.
+
+## Prerequisites
+
+* If you have not created an API Management service instance yet, see [Create an API Management service instance](get-started-create-service-instance.md).
+* You need access to the certificate and the password for management in an Azure key vault or upload to the API Management service. The certificate must be in **PFX** format. Self-signed certificates are allowed. 
+
+    If you use a self-signed certificate, also install trusted root and intermediate [CA certificates](api-management-howto-ca-certificates.md) in your API Management instance.
+    
+    > [!NOTE]
+    > CA certificates for certificate validation are not supported in the Consumption tier.
+
+[!INCLUDE [api-management-client-certificate-key-vault](../../includes/api-management-client-certificate-key-vault.md)]
+
+## Enable API Management instance to receive and verify client certificates
+
+### Developer, Basic, Standard, or Premium tier
+
+To receive and verify client certificates over HTTP/2 in the Developer, Basic, Standard, or Premium tiers, you must enable the **Negotiate client certificate** setting on the **Custom domain** blade as shown below.
 
 ![Negotiate client certificate](./media/api-management-howto-mutual-certificates-for-clients/negotiate-client-certificate.png)
 
-> [!IMPORTANT]
-> To receive and verify client certificates in the Consumption tier you must turn on the "Request client certificate" setting on the "Custom domains" blade as shown below.
+### Consumption tier
+To receive and verify client certificates in the Consumption tier, you must enable the **Request client certificate** setting on the **Custom domains** blade as shown below.
 
 ![Request client certificate](./media/api-management-howto-mutual-certificates-for-clients/request-client-certificate.png)
 
@@ -41,8 +65,6 @@ Use the [validate-client-certificate](validate-client-certificate-policy.md) pol
 
 Configure the policy to validate one or more attributes including certificate issuer, subject, thumbprint, whether the certificate is validated against online revocation list, and others.
 
-For more information, see [API Management access restriction policies](api-management-access-restriction-policies.md).
-
 ## Certificate validation with context variables
 
 You can also create policy expressions with the [`context` variable](api-management-policy-expressions.md#ContextVariables) to check client certificates. Examples in the following sections show expressions using the `context.Request.Certificate` property and other `context` properties.
@@ -66,7 +88,7 @@ Below policies can be configured to check the issuer and subject of a client cer
 ```
 
 > [!NOTE]
-> To disable checking certificate revocation list use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`.
+> To disable checking certificate revocation list, use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`.
 > If client certificate is self-signed, root (or intermediate) CA certificate(s) must be [uploaded](api-management-howto-ca-certificates.md) to API Management for `context.Request.Certificate.Verify()` and `context.Request.Certificate.VerifyNoRevocation()` to work.
 
 ### Checking the thumbprint
@@ -84,7 +106,7 @@ Below policies can be configured to check the thumbprint of a client certificate
 ```
 
 > [!NOTE]
-> To disable checking certificate revocation list use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`.
+> To disable checking certificate revocation list, use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`.
 > If client certificate is self-signed, root (or intermediate) CA certificate(s) must be [uploaded](api-management-howto-ca-certificates.md) to API Management for `context.Request.Certificate.Verify()` and `context.Request.Certificate.VerifyNoRevocation()` to work.
 
 ### Checking a thumbprint against certificates uploaded to API Management
@@ -103,7 +125,7 @@ The following example shows how to check the thumbprint of a client certificate
 ```
 
 > [!NOTE]
-> To disable checking certificate revocation list use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`.
+> To disable checking certificate revocation list, use `context.Request.Certificate.VerifyNoRevocation()` instead of `context.Request.Certificate.Verify()`.
 > If client certificate is self-signed, root (or intermediate) CA certificate(s) must be [uploaded](api-management-howto-ca-certificates.md) to API Management for `context.Request.Certificate.Verify()` and `context.Request.Certificate.VerifyNoRevocation()` to work.
 
 > [!TIP]
@@ -112,5 +134,6 @@ The following example shows how to check the thumbprint of a client certificate
 
 ## Next steps
 
--   [How to secure back-end services using client certificate authentication](./api-management-howto-mutual-certificates.md)
--   [How to upload certificates](./api-management-howto-mutual-certificates.md)
+-   [How to secure backend services using client certificate authentication](./api-management-howto-mutual-certificates.md)
+-   [How to add a custom CA certificate in Azure API Management](./api-management-howto-ca-certificates.md)
+-   Learn about [policies in API Management](api-management-howto-policies.md)