[APIC] Managed API Center portal

Author: gitName

articles/api-center/TOC.yml

@@ -68,12 +68,14 @@
         href: set-up-notification-workflow.md
 - name: API discovery and consumption
   items:
+      - name: Enable API Center portal
+        href: Set up-api-center-portal.md
+      - name: Self-host Azure API Center portal
+        href: enable-api-center-portal.md
       - name: Discover and consume APIs - VS Code extension
         href: discover-apis-vscode-extension.md
       - name: Enable platform API catalog - VS Code extension
         href: enable-platform-api-catalog-vscode-extension.md
-      - name: Self-host Azure API Center portal
-        href: enable-api-center-portal.md
       - name: Check API calls use minimal permissions with Dev Proxy
         href: check-minimal-api-permissions-dev-proxy.md
 - name: API center management and operations

articles/api-center/enable-api-center-portal.md

@@ -0,0 +1,40 @@
+---
+title: Include file
+description: Include file
+services: api-center
+author: dlepow
+
+ms.service: azure-api-center
+ms.topic: include
+ms.date: 03/04/2025
+ms.author: danlep
+ms.custom: Include file
+---
+
+## Create Microsoft Entra app registration
+
+First configure an app registration in your Microsoft Entra ID tenant. The app registration enables the API Center portal to access data from your API center on behalf of a signed-in user.
+
+1. In the [Azure portal](https://portal.azure.com), navigate to **Microsoft Entra ID** > **App registrations**.
+1. Select **+ New registration**. 
+1. On the **Register an application** page, set the values as follows:
+    
+    * Set **Name** to a meaningful name such as *api-center-portal*
+    * Under **Supported account types**, select **Accounts in this organizational directory (Single tenant)**. 
+    * In **Redirect URI**, select **Single-page application (SPA)** and set the URI. 
+        Set the URI to the URI of your API Center portal deployment, in the following form: `https://<service-name>.portal.location>.azure-api-center.ms`. Replace `<service name>` and `<location>` with the name of your API center and the location where it's deployed, Example: `https://myapicenter.portal.eastus.azure-api-center`.
+
+        > [!TIP]
+        > If you are self-hosting the portal, for local testing, you can set the URI to `https://localhost:5173`. This URI is not used for the production deployment of the portal.
+
+    * Select **Register**.
+1. On the **Overview** page, copy the **Application (client) ID** and the **Directory (tenant) ID**. You set these values when you build the portal.
+      
+1. On the **API permissions** page, select **+ Add a permission**. 
+    1. On the **Request API permissions** page, select the **APIs my organization uses** tab. Search for and select **Azure API Center**. You can also search for and select application ID `c3ca1a77-7a87-4dba-b8f8-eea115ae4573`. 
+    1. On the **Request permissions** page, select **user_impersonation**.
+    1. Select **Add permissions**. 
+
+    The Azure API Center permissions appear under **Configured permissions**.
+
+    :::image type="content" source="media/api-center-portal-app-registration/configure-app-permissions.png" alt-text="Screenshot of required permissions in Microsoft Entra ID app registration in the portal." lightbox="media/api-center-portal-app-registration/configure-app-permissions.png":::

articles/api-center/includes/api-center-portal-app-registration.md

@@ -0,0 +1,18 @@
+---
+title: Include file
+description: Include file
+services: api-center
+author: dlepow
+
+ms.service: azure-api-center
+ms.topic: include
+ms.date: 03/04/2025
+ms.author: danlep
+ms.custom: Include file
+---
+
+## Prerequisites
+
+* An API center in your Azure subscription. If you haven't created one already, see [Quickstart: Create your API center](set-up-api-center.md).
+
+* Permissions to create an app registration in a Microsoft Entra tenant associated with your Azure subscription, and permissions to grant access to data in your API center. 

articles/api-center/includes/api-center-portal-prerequisites.md

@@ -0,0 +1,37 @@
+---
+title: Include file
+description: Include file
+services: api-center
+author: dlepow
+
+ms.service: azure-api-center
+ms.topic: include
+ms.date: 03/04/2025
+ms.author: danlep
+ms.custom: Include file
+---
+
+## Enable sign-in to portal by Microsoft Entra users and groups 
+
+Users must sign in to see the APIs in your API center. To enable sign-in, assign the **Azure API Center Data Reader** role to users or groups in your organization, scoped to your API center.
+
+> [!IMPORTANT]
+> By default, you and other administrators of the API center don't have access to APIs in the API Center portal. Be sure to assign the **Azure API Center Data Reader** role to yourself and other administrators.  
+
+For detailed prerequisites and steps to assign a role to users and groups, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.yml). Brief steps follow:
+
+1. In the [Azure portal](https://portal.azure.com), navigate to your API center.
+1. In the left menu, select **Access control (IAM)** > **+ Add role assignment**.
+1. In the **Add role assignment** pane, set the values as follows:
+    * On the **Role** page, search for and select **Azure API Center Data Reader**. Select **Next**.
+    * On the **Members** page, In **Assign access to**, select **User, group, or service principal** > **+ Select members**.
+    * On the **Select members** page, search for and select the users or groups to assign the role to. Click **Select** and then **Next**.
+    * Review the role assignment, and select **Review + assign**.
+
+> [!NOTE]
+> To streamline access configuration for new users, we recommend that you assign the role to a Microsoft Entra group and configure a dynamic group membership rule. To learn more, see [Create or update a dynamic group in Microsoft Entra ID](/entra/identity/users/groups-create-rule).
+
+After you configure access to the portal, configured users can sign in to the portal and view the APIs in your API center.
+
+> [!NOTE]
+> The first user to sign in to the portal is prompted to consent to the permissions requested by the API Center portal app registration. Thereafter, other configured users aren't prompted to consent.