Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr

Author: reyjordi

.openpublishing.publish.config.json

@@ -70,7 +70,7 @@
         },
         {
             "path_to_root": "azure_cli_scripts",
-            "url": "https://github.com/Azure-Samples/azure-cli-samples",
+            "url": "https://github.com/ggailey777/azure-cli-samples",
             "branch": "master",
             "branch_mapping": {}
         },

articles/active-directory-b2c/partner-whoiam.md

@@ -60,7 +60,7 @@ The following diagram shows the implementation architecture.
 
     * [Key Vault](https://azure.microsoft.com/services/key-vault/): Store passwords
     * [App Service](https://azure.microsoft.com/services/app-service/): Host the BRIMS API and admin portal services
-    * [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/): Authenticate administrative users for the portal
+    * [Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id): Authenticate administrative users for the portal
     * [Azure Cosmos DB](https://azure.microsoft.com/services/cosmos-db/): Store and retrieve settings
     * [Application Insights overview](/azure/azure-monitor/app/app-insights-overview) (optional): Sign in to the API and the portal
 

articles/api-management/api-management-howto-use-managed-service-identity.md

@@ -317,7 +317,7 @@ API Management is a trusted Microsoft service to the following resources. This t
 
 
 - [Trusted access for Key Vault](/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services)
-- [Trusted access for Azure Storage](../storage/common/storage-network-security.md?tabs=azure-portal#trusted-access-based-on-system-assigned-managed-identity)
+- [Trusted access for Azure Storage](../storage/common/storage-network-security-trusted-azure-services.md?tabs=azure-portal#trusted-access-based-on-system-assigned-managed-identity)
 - [Trusted access for Azure Services Bus](../service-bus-messaging/service-bus-ip-filtering.md#trusted-microsoft-services)
 - [Trusted access for Azure Event Hubs](../event-hubs/event-hubs-ip-filtering.md#trusted-microsoft-services)
 

articles/api-management/applications.md

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 05/19/2025
+ms.date: 07/11/2025
 ms.author: danlep
 ms.custom:
   - build-2025
@@ -22,9 +22,9 @@ API Management now supports built-in OAuth 2.0 application-based access to produ
 > Applications are currently in limited preview. To sign up, fill [this form](https://aka.ms/apimappspreview).
 
 With this feature:
-
 * API managers set a product property to enable application-based access.
 * API managers register client applications in Microsoft Entra ID to limit access to specific products. 
+* Developers can access client application credentials using the API Management developer portal.
 * Using the OAuth 2.0 client credentials flow, developers or apps obtain tokens that they can include in API requests
 * Tokens presented in API requests are validated by the API Management gateway to authorize access to the product's APIs.
 
@@ -61,7 +61,8 @@ Follow these steps to enable **Application based access** for a product. A produ
 
 The following example uses the **Starter** product, but choose any published product that has at least one API assigned to it.
 
-1. Sign in to the [portal](https://portal.azure.com) and navigate to your API Management instance.
+1. Sign in to the portal at the following custom URL for the applications feature: [https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications](https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications)
+1. Navigate to your API Management instance.
 1. In the left menu, under **APIs**, select **Products**.
 1. Choose the product that you want to configure, such as the **Starter** product.
 1. In the left menu, under **Product**, select **Properties**.
@@ -103,10 +104,13 @@ To review application settings in **App registrations**:
 Now register a client application that limits access to one or more products. 
 
 * A product must have **Application based access** enabled to be associated with a client application. 
-* Each client application has a single user (owner) in the API Management instance. One the owner can access product APIs through the application.
+* Each client application has a single user (owner) in the API Management instance. Only the owner can access product APIs through the application.
 * A product can be associated with more than one client application.
 
-1. Sign in to the [portal](https://portal.azure.com) and navigate to your API Management instance.
+To register a client application:
+
+1. Sign in to the portal at the following custom URL for the applications feature: [https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications](https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications)
+1. Navigate to your API Management instance.
 1. In the left menu, under **APIs**, select **Applications** > **+ Register application**.
 1. In the **Register an application** page, enter the following application settings:
     * **Name**: Enter a name for the application. 
@@ -152,6 +156,16 @@ To review application settings in **App registrations**:
 
     :::image type="content" source="media/applications/client-api-permissions.png" alt-text="Screenshot of API permissions in the portal.":::  
 
+## Get application settings in developer portal
+
+Users can sign in to the developer portal to view the client applications that they own.
+
+1. Sign in to the developer portal (`https://<your-apim-instance-name>.developer.azure-api.net`) using a user account that was set as the owner of a client application.
+1. In the top navigation menu, select **Applications**.
+1. Applications that the user owns appear in the list. 
+1. Select an application to view its details, such as the **Client ID**, **Client secret**, and **Scope**. These values are needed to generate a token to call the product APIs.
+
+    :::image type="content" source="media/applications/applications-developer-portal.png" alt-text="Screenshot of client applications in the developer portal.":::
 
 ## Create token and use with API call
 
@@ -204,6 +218,16 @@ Write-Host "Response:"
 $getresponse | ConvertTo-Json -Depth 5
 ```
 
+## Troubleshooting
+
+### Internal server error when registering applications in the portal
+
+If you're unable to list applications, or you receive an internal server error when registering applications in the portal, check the following:    
+
+* The **Application Administrator** role is assigned to the API Management instance's managed identity in Microsoft Entra ID. 
+* You're signed in to the portal at the following custom URL for the applications feature: [https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications](https://portal.azure.com/?feature.customPortal=false&Microsoft_Azure_ApiManagement=applications). This URL is required to access the applications feature in API Management.
+
+
 ## Related content
 
 * [Create and publish a product](api-management-howto-add-products.md)

articles/api-management/inject-vnet-v2.md

@@ -54,6 +54,8 @@ If you want to enable *public* inbound access to an API Management instance in t
 * Minimum: /27 (32 addresses)
 * Recommended: /24 (256 addresses) - to accommodate scaling of API Management instance
 
+### Network security group
+
 [!INCLUDE [api-management-virtual-network-v2-nsg-rules](../../includes/api-management-virtual-network-v2-nsg-rules.md)]
 
 ### Subnet delegation

articles/api-management/integrate-vnet-outbound.md

@@ -46,8 +46,14 @@ If you want to inject a Premium v2 (preview) API Management instance into a virt
 * Minimum: /27 (32 addresses)
 * Recommended: /24 (256 addresses) - to accommodate scaling of API Management instance
 
+### Network security group
+
 [!INCLUDE [api-management-virtual-network-v2-nsg-rules](../../includes/api-management-virtual-network-v2-nsg-rules.md)]
 
+> [!IMPORTANT]
+> * Inbound NSG rules do not apply when a v2 tier instance is integrated in a virtual network for private outbound access. To enforce inbound NSG rules, use virtual network injection instead of integration.
+> * This differs from networking in the classic Premium tier, where inbound NSG rules are enforced in both external and internal virtual network injection modes. [Learn more](virtual-network-injection-resources.md)
+
 ### Subnet delegation
 
 The subnet needs to be delegated to the **Microsoft.Web/serverFarms** service.

articles/api-management/media/applications/applications-developer-portal.png

@@ -5,7 +5,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: concept-article
-ms.date: 06/18/2025
+ms.date: 07/08/2025
 ms.author: danlep
 ---
 
@@ -45,7 +45,6 @@ For information about configuring subnet delegation, see [Add or remove a subnet
 
 #### [Virtual network integration](#tab/external)
 
-
 For virtual network integration, the subnet needs to be delegated to the **Microsoft.Web/serverFarms** service.
 
 :::image type="content" source="media/virtual-network-injection-workspaces-resources/delegate-external.png" alt-text="Screenshot showing subnet delegation to Microsoft.Web/serverFarms in the portal.":::
@@ -65,21 +64,20 @@ For virtual network injection, the subnet needs to be delegated to the **Microso
 
 ---
 
+## Network security group
 
-## Network security group (NSG) rules
+#### [Virtual network integration](#tab/external)
 
-A network security group (NSG) must be attached to the subnet to explicitly allow certain inbound or outbound connectivity. Configure the following rules in the NSG. Set the priority of these rules higher than that of the default rules.
+[!INCLUDE [api-management-virtual-network-v2-nsg-rules](../../includes/api-management-virtual-network-v2-nsg-rules.md)]
 
-Configure other NSG rules to meet your organization's network access requirements.
 
-#### [Virtual network integration](#tab/external)
+#### [Virtual network injection](#tab/internal)
 
-| Direction | Source  | Source port ranges | Destination | Destination port ranges | Protocol |  Action | Purpose | 
-|-------|--------------|----------|---------|------------|-----------|-----|--------|
-| Inbound | AzureLoadBalancer | * | Workspace gateway subnet range  | 80 | TCP | Allow | Allow internal health ping traffic |
-| Inbound | Internet | * | Workspace gateway subnet range  | 80,443 | TCP | Allow | Allow inbound traffic |
+A network security group (NSG) must be associated with the subnet. To set up a network security group, see [Create a network security group](../virtual-network/manage-network-security-group.md). 
 
-#### [Virtual network injection](#tab/internal)
+* Configure the following rules in the NSG. Set the priority of these rules higher than that of the default rules.
+* Configure other outbound rules you need for the gateway to reach your API backends. 
+* Configure other NSG rules to meet your organization’s network access requirements. For example, NSG rules can also be used to block outbound traffic to the internet and allow access only to resources in your virtual network. 
 
 | Direction | Source  | Source port ranges | Destination | Destination port ranges | Protocol |  Action | Purpose | 
 |-------|--------------|----------|---------|------------|-----------|-----|--------|
@@ -89,6 +87,10 @@ Configure other NSG rules to meet your organization's network access requirement
 
 ---
 
+> [!IMPORTANT]
+> * Inbound NSG rules do not apply when you integrate a workspace gateway in a virtual network for private outbound access. To enforce inbound NSG rules, use virtual network injection instead of integration.
+> * This differs from networking in the classic Premium tier, where inbound NSG rules are enforced in both external and internal virtual network injection modes. [Learn more](virtual-network-injection-resources.md)
+
 ## DNS settings for virtual network injection
 
 For virtual network injection, you have to manage your own DNS to enable inbound access to your workspace gateway. 

articles/api-management/media/applications/product-application-settings.png

@@ -38,7 +38,7 @@ The Premium V4 tier is available for source code applications on Windows, and bo
 > [!NOTE]
 > The Premium V4 tier lacks stable outbound IP addresses. This behavior is intentional. Although Premium V4 apps can make outbound calls, the platform doesn't provide stable outbound IPs for this tier. This differs from previous App Service tiers. The portal shows "Dynamic" for outbound IP addresses for Premium V4 apps. ARM and CLI calls return empty strings for *outboundIpAddresses* and *possibleOutboundIpAddresses*. If Premium V4 apps need stable outbound IPs, use [Azure NAT Gateway](overview-nat-gateway-integration.md) for predictable outbound IPs.
 
-Premium V4 and its SKUs are available in select Azure regions. Microsoft continually adds availability to other regions. To check regional availability for a specific Premium V4 offering, run the following Azure CLI command in [Azure Cloud Shell](../cloud-shell/overview.md). Substitute *P1V4* with the desired SKU:
+Premium V4 and its SKUs are available in select Azure regions. Microsoft continually adds availability to other regions. To check regional availability for a specific Premium V4 offering, run the following Azure CLI command in [Azure Cloud Shell](../cloud-shell/overview.md). Use Azure CLI version 2.73.0 or above. Substitute *P1V4* with the desired SKU:
 
 **Windows** SKU availability