Merge pull request #292730 from MicrosoftDocs/main

1/7/2025 PM Publish

Author: Taojunshen

.openpublishing.redirection.json

@@ -4492,6 +4492,11 @@
       "redirect_url": "/azure/virtual-network/tutorial-create-route-table",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/logic-apps/business-continuity-disaster-recovery-guidance.md",
+      "redirect_url": "/azure/logic-apps/multi-region-disaster-recovery",
+      "redirect_document_id": true
+    },
     {
       "source_path_from_root": "/articles/virtual-network/tutorial-connect-virtual-networks-portal.md",
       "redirect_url": "/azure/virtual-network/tutorial-connect-virtual-networks",

articles/api-management/api-management-error-handling-policies.md

@@ -2,11 +2,9 @@
 title: Error handling in Azure API Management policies | Microsoft Docs
 description: Learn how to respond to error conditions that may occur during the processing of requests in Azure API Management.
 author: dlepow
-manager: erikre
-ms.assetid: 3c777964-02b2-4f55-8731-8c3bd3c0ae27
 ms.service: azure-api-management
 ms.topic: article
-ms.date: 01/10/2020
+ms.date: 01/06/2025
 ms.author: danlep
 ---
 
@@ -77,9 +75,9 @@ When an error occurs and control jumps to the `on-error` policy section, the err
 | `Source`   | string | Names the element where the error occurred. Could be either policy or a built-in pipeline step name.      | Yes      |
 | `Reason`   | string | Machine-friendly error code, which could be used in error handling.                                       | No       |
 | `Message`  | string | Human-readable error description.                                                                         | Yes      |
-| `Scope`    | string | Name of the scope where the error occurred and could be one of "global", "product", "api", or "operation" | No       |
+| `Scope`    | string | Name of the [scope](api-management-howto-policies.md#scopes) where the error occurred. | No       |
 | `Section`  | string | Section name where error occurred. Possible values: "inbound", "backend", "outbound", or "on-error".      | No       |
-| `Path`     | string | Specifies nested policy, for example "choose[3]/when[2]".                                                 | No       |
+| `Path`     | string | Specifies nested policy hierarchy, for example "choose[3]\\when[2]". Multiple instances of a nested policy are indexed from 1.                                         | No       |
 | `PolicyId` | string | Value of the `id` attribute, if specified by the customer, on the policy where error occurred             | No       |
 
 > [!TIP]
@@ -175,11 +173,4 @@ and sending an unauthorized request will result in the following response:
 
 ![Unauthorized error response](media/api-management-error-handling-policies/error-response.png)
 
-## Next steps
-
-For more information working with policies, see:
-
--   [Policies in API Management](api-management-howto-policies.md)
--   [Transform APIs](transform-api.md)
--   [Policy Reference](./api-management-policies.md) for a full list of policy statements and their settings
--   [Policy samples](./policy-reference.md)
+[!INCLUDE [api-management-policy-ref-next-steps](../../includes/api-management-policy-ref-next-steps.md)]

articles/api-management/api-management-howto-aad-b2c.md

@@ -1,13 +1,13 @@
 ---
-title: Authorize developer accounts by using Azure Active Directory B2C
+title: Authorize access to API Management developer portal by using Azure Active Directory B2C
 titleSuffix: Azure API Management
 description: Learn how to authorize users of the developer portal in Azure API Management by using Azure Active Directory B2C
 services: api-management
 author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 06/28/2023
+ms.date: 01/07/2025
 ms.author: danlep
 ms.custom: engagement-fy23
 ---
@@ -31,18 +31,21 @@ For an overview of options to secure the developer portal, see [Secure access to
 
 * An Azure Active Directory B2C tenant in which to create an application. For more information, see [Azure Active Directory B2C overview](../active-directory-b2c/overview.md).
 * An API Management instance. If you don't already have one, [create an Azure API Management instance](get-started-create-service-instance.md).
+* If you created your instance in a v2 tier, enable the developer portal. For more information, see [Tutorial: Access and customize the developer portal](api-management-howto-developer-portal-customize.md).
+
 
 ## Configure sign up and sign in user flow
 
-In this section, you'll create a user flow in your Azure Active Directory B2C tenant containing both sign up and sign in policies. For detailed steps, see [Create user flows and custom policies in Azure Active Directory B2C](../active-directory-b2c/tutorial-create-user-flows.md?pivots=b2c-us).
+In this section, you'll configure a user flow in your Azure Active Directory B2C tenant that enables users to sign up or sign in to the developer portal. Users are led down the right path depending on the context. For detailed steps, see [Create user flows and custom policies in Azure Active Directory B2C](../active-directory-b2c/tutorial-create-user-flows.md?pivots=b2c-us).
 
 1. In the [Azure portal](https://portal.azure.com), access your Azure Active Directory B2C tenant.
 1. Under **Policies**, select **User flows** > **+ New user flow**.
 1. On the **Create a user flow** page, select the **Sign up and sign in** user flow. Select the **Recommended** version and then select **Create**.
 1. On the **Create** page, provide the following information:
     1. Enter a unique name for the user flow.
     1. In **Identity providers**, select **Email signup**.
-    1. In **User attributes and token claims**, select the following attributes and claims that are needed for the API Management developer portal.
+    1. Optionally enable a **Multifactor authentication** method or **Conditional access** policies.
+    1. In **User attributes and token claims**, select the following attributes and claims that you want to collect and send from the user during sign-up. Select **Show more** to view all attributes and claims.
         * **Collect attributes**: Given Name, Surname
         * **Return claims**: Given Name, Surname, Email Addresses, User’s ObjectID
 
@@ -89,7 +92,7 @@ In this section, you'll create a user flow in your Azure Active Directory B2C te
 1. After you've specified the desired configuration, select **Add**.
 1. Republish the developer portal for the Azure AD B2C configuration to take effect. In the left menu, under **Developer portal**, select **Portal overview** > **Publish**.
 
-After the changes are saved, developers will be able to create new accounts and sign in to the developer portal by using Azure Active Directory B2C.
+After the changes are saved, developers will be able to sign up for new accounts and sign in to the developer portal by using Azure Active Directory B2C.
 
 ## Migrate to MSAL
 
@@ -130,7 +133,7 @@ Although a new account is automatically created whenever a new user signs in wit
 
 The **Sign-up form: OAuth** widget represents a form used for signing up with OAuth.
 
-## Next steps
+## Related content
 
 *  [Azure Active Directory B2C overview]
 *  [Azure Active Directory B2C: Extensible policy framework]

articles/api-management/api-management-howto-aad.md

@@ -34,6 +34,8 @@ For an overview of options to secure the developer portal, see [Secure access to
 
 - [Import and publish](import-and-publish.md) an API in the Azure API Management instance.
 
+- If you created your instance in a v2 tier, enable the developer portal. For more information, see [Tutorial: Access and customize the developer portal](api-management-howto-developer-portal-customize.md).
+
 [!INCLUDE [azure-cli-prepare-your-environment-no-header.md](~/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]
 
 [!INCLUDE [api-management-navigate-to-instance.md](../../includes/api-management-navigate-to-instance.md)]

articles/api-management/api-management-howto-oauth2.md

@@ -1,13 +1,13 @@
 ---
-title: Authorize test console of API Management developer portal using OAuth 2.0
+title: Authorize test console of API Management developer portal - OAuth 2.0
 titleSuffix: Azure API Management
-description: Set up OAuth 2.0 user authorization for the test console in the Azure API Management developer portal. This example uses Microsoft Entra ID as an OAuth 2.0 provider.
+description: Set up OAuth 2.0 user authorization for the test console in Azure API Management developer portal. This example uses Microsoft Entra ID as OAuth 2.0 provider.
 services: api-management
 author: dlepow
 
 ms.service: azure-api-management
-ms.topic: article
-ms.date: 04/01/2024
+ms.topic: how-to
+ms.date: 01/06/2025
 ms.author: danlep
 ms.custom: engagement-fy23
 ---
@@ -22,6 +22,9 @@ Configuring OAuth 2.0 user authorization in the test console of the developer po
 
 ## Prerequisites
 
+- An API Management instance.
+- An OAuth 2.0 provider.
+
 This article shows you how to configure your API Management service instance to use OAuth 2.0 authorization in the developer portal's test console, but it doesn't show you how to configure an OAuth 2.0 provider. 
 
 If you haven't yet created an API Management service instance, see [Create an API Management service instance][Create an API Management service instance].
@@ -55,7 +58,7 @@ This configuration supports the following OAuth flow:
 
 1. A developer (user of the developer portal) makes an API call with the authorization header.
 
-1. The token gets validated by using the `validate-jwt` policy in API Management by Microsoft Entra ID.
+1. The token gets validated with the OAuth 2.0 provider by using the `validate-jwt` policy. For the Microsoft Entra ID provider, API Management also provides the `validate-azure-ad-token` policy.
 
 1. Based on the validation result, the developer will receive the response in the developer portal.
 
@@ -81,7 +84,7 @@ Consider how the grant type generates a token, the token's [scope](https://oauth
 
 When configuring OAuth 2.0 user authorization in the test console of the developer portal:
 
-* **Limit the token's scope to the minimum** needed for developers to test the APIs. Limit the scope to the test console, or to the affected APIs. The steps to configure token scope depend on your OAuth 2.0 provider.
+* **Limit the token's scope to the minimum** needed for developers to test the APIs. Limit the scope to the test console, or to the affected APIs. The steps to configure token scope depend on your OAuth 2.0 provider. An example is shown later in this article using Microsoft Entra ID.
 
   Depending on your scenarios, you may configure more or less restrictive token scopes for other client applications that you create to access backend APIs.
 * **Take extra care if you enable the Client Credentials flow**. The test console in the developer portal, when working with the Client Credentials flow, doesn't ask for credentials. An access token could be inadvertently exposed to developers or anonymous users of the developer console. 
@@ -172,11 +175,11 @@ Now that you've registered two applications to represent the API and the test co
 
 1. In the [Azure portal](https://portal.azure.com), search for and select **App registrations**.
 
-1. Choose your client app. Then in the side menu, select **API permissions**.
+1. Choose your client-app. Then in the side menu, select **API permissions**.
 
-1. Select **+ Add a Permission**.
+1. Select **+ Add a permission**.
 
-1. Under **Select an API**, select **My APIs**, and then find and select your backend-app.
+1. Under **Select an API**, select **My APIs**, and then find and select your backend-app (the app registration for your backend API).
 
 1. Select **Delegated Permissions**, then select the appropriate permissions to your backend-app.
 
@@ -287,7 +290,7 @@ After saving the OAuth 2.0 server configuration, configure an API or APIs to use
 
 In the configuration so far, API Management doesn't validate the access token. It only passes the token in the authorization header to the backend API.
 
-To pre-authorize requests, configure a [validate-jwt](validate-jwt-policy.md) policy to validate the access token of each incoming request. If a request doesn't have a valid token, API Management blocks it.
+To pre-authorize requests, configure a [validate-jwt](validate-jwt-policy.md) policy to validate the access token of each incoming request. If a request doesn't have a valid token, API Management blocks it. When you use the Microsoft Entra ID provider, you can also use the [validate-azure-ad-token](validate-azure-ad-token-policy.md) policy.
 
 [!INCLUDE [api-management-configure-validate-jwt](../../includes/api-management-configure-validate-jwt.md)]
 

articles/api-management/media/api-management-howto-aad-b2c/add-identity-provider.png

@@ -44,9 +44,9 @@ To understand the difference between rate limits and quotas, [see Rate limits an
 | ------------------- | ----------------------------------------------------------------------------------------------------- | -------- | ------- |
 | calls               | The maximum total number of calls allowed for the key value during the time interval specified in the `renewal-period`. Policy expressions are allowed. | Yes      | N/A     |
 | counter-key         | The key to use for the rate limit policy. For each key value, a single counter is used for all scopes at which the policy is configured. Policy expressions are allowed.         | Yes      | N/A     |
-| increment-condition | The Boolean expression specifying if the request should be counted towards the rate (`true`). Policy expressions are allowed.        | No       | N/A     |
-| increment-count | The number by which the counter is increased per request. Policy expressions are allowed.       | No       | 1     |
-| renewal-period      | The length in seconds of the sliding window during which the number of allowed requests should not exceed the value specified in `calls`. Maximum allowed value: 300 seconds. Policy expressions are allowed.                | Yes      | N/A     |
+| increment-condition | The Boolean expression specifying if the request should be counted towards the rate (`true`). Policy expressions are allowed but will postpone evaluation and counter increment actions to end of outbound pipeline.        | No       | N/A     |
+| increment-count | The number by which the counter is increased per request. Policy expressions are allowed but will postpone evaluation and counter increment to end of outbound pipeline.       | No       | 1     |
+| renewal-period      | The length in seconds of the sliding window during which the number of allowed requests should not exceed the value specified in `calls`. Maximum allowed value: 300 seconds. Policy expressions are allowed.       | Yes      | N/A     |
 | retry-after-header-name    | The name of a custom response header whose value is the recommended retry interval in seconds after the specified call rate is exceeded for the key value. Policy expressions aren't allowed. |  No | `Retry-After`  |
 | retry-after-variable-name    | The name of a policy expression variable that stores the recommended retry interval in seconds after the specified call rate is exceeded for the key value. Policy expressions aren't allowed. |  No | N/A  |
 | remaining-calls-header-name    | The name of a response header whose value after each policy execution is the number of remaining calls allowed for the key value in the time interval specified in the `renewal-period`. Policy expressions aren't allowed. |  No | N/A  |
@@ -63,6 +63,7 @@ To understand the difference between rate limits and quotas, [see Rate limits an
 
 * [!INCLUDE [api-management-rate-limit-key-scope](../../includes/api-management-rate-limit-key-scope.md)]
 * [!INCLUDE [api-management-self-hosted-gateway-rate-limit](../../includes/api-management-self-hosted-gateway-rate-limit.md)] [Learn more](how-to-self-hosted-gateway-on-kubernetes-in-production.md#request-throttling)
+* When `increment-condition` or `increment-count` are defined using expressions, evaluation and increment of rate limit counter are postponed to end of outbound pipeline to allow for policy expressions based on the reponse. Limit exceeded condition is not evaluated at the same time in this case and will be evaluated on next incoming call. This leads to cases where `429 Too Many Requests` status code is returned 1 call later than usual.
 
 
 ## Example