Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into mongodbatlas-public-preview

Author: ShawnJackson

articles/active-directory-b2c/billing.md

@@ -5,7 +5,7 @@ author: kengaderdus
 manager: CelesteDG
 ms.service: azure-active-directory
 ms.topic: reference
-ms.date: 03/10/2025
+ms.date: 05/20/2025
 ms.author: kengaderdus
 ms.subservice: b2c
 ms.custom: fasttrack-edit
@@ -36,18 +36,6 @@ Also, if you choose to provide higher levels of assurance by using multifactor a
 > [!IMPORTANT]
 > This article does not contain pricing details. For the latest information about usage billing and pricing, see [Azure Active Directory B2C pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/). See also [Azure AD B2C region availability and data residency](data-residency.md) for details about where the Azure AD B2C service is available and where user data is stored.
 
-## What do I need to do?
-
-To take advantage of MAU billing, your Azure AD B2C tenant must be linked to an Azure subscription. You might also need to switch your Azure AD B2C tenant to another pricing tier if you want to use Azure AD B2C Premium P2 features, like risk-based Conditional Access policies.
-
-|If your tenant is:  |You need to:  |
-|---------|---------|
-| An Azure AD B2C tenant already billed on a per-MAU basis     | Do nothing. When users authenticate to your Azure AD B2C tenant, you'll be automatically billed using the MAU-based billing model.        |
-| An Azure AD B2C tenant not yet linked to a subscription     |  [Link your Azure AD B2C tenant to a subscription](#link-an-azure-ad-b2c-tenant-to-a-subscription) to activate MAU billing.     |
-| An Azure AD B2C tenant that was linked to a subscription before November 1, 2019    | [Switch to MAU billing (recommended)](#switch-to-mau-billing-pre-november-2019-azure-ad-b2c-tenants), or stay on the per-authentication billing model.     |
-| An Azure AD B2C tenant and you want to use premium features  (like risk-based Conditional Access policies)    | [Change to a Microsoft Entra pricing tier](#change-your-azure-ad-pricing-tier) that supports the features you want to use.        |
-|  |  |
-
 ## About the monthly active users (MAU) billing model
 
 MAU billing went into effect for Azure AD B2C tenants on **November 1, 2019**. Any Azure AD B2C tenants that you created and linked to a subscription on or after that date have been billed on a per-MAU basis. 

articles/active-directory-b2c/conditional-access-identity-protection-overview.md

@@ -4,10 +4,10 @@ description: Learn how Identity Protection gives you visibility into risky sign-
 ms.service: azure-active-directory
 ms.subservice: b2c
 ms.topic: overview
-ms.date: 01/11/2024
+ms.date: 05/20/2025
 ms.author: kengaderdus
 author: kengaderdus
-manager: CelesteDG
+manager: mwongerapk
 ms.collection: M365-identity-device-management
 
 #Customer intent: As an Azure AD B2C application owner, I want to enhance the security of my applications by using Identity Protection and Conditional Access, so that I can detect and respond to risky authentications and enforce organizational policies.

articles/active-directory-b2c/find-help-open-support-ticket.md

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: azure-active-directory
 
 ms.topic: troubleshooting
-ms.date: 01/11/2024
+ms.date: 05/20/2025
 ms.author: kengaderdus
 ms.subservice: b2c
 

articles/active-directory-b2c/identity-protection-investigate-risk.md

@@ -4,7 +4,7 @@ description: Learn how to investigate risky users, and detections in Azure AD B2
 ms.service: entra-id
 ms.subservice: conditional-access
 ms.topic: overview
-ms.date: 01/24/2025
+ms.date: 05/24/2025
 ms.author: godonnell
 author: garrodonnell
 manager: CelesteDG

articles/active-directory-b2c/supported-azure-ad-features.md

@@ -3,12 +3,12 @@ title: Supported Microsoft Entra ID features
 description: Learn about Microsoft Entra ID features, which are still supported in Azure AD B2C.
 
 author: kengaderdus
-manager: CelesteDG
+manager: mwongerapk
 
 ms.service: azure-active-directory
 
 ms.topic: overview
-ms.date: 01/11/2024
+ms.date: 05/20/2025
 ms.author: kengaderdus
 ms.subservice: b2c
 
@@ -36,4 +36,4 @@ An Azure Active Directory B2C (Azure AD B2C) tenant is different than a Microsof
 | [Go-Local add-on](data-residency.md#go-local-add-on) | Microsoft Entra Go-Local add-on enables you to store data in the country/region you choose when your Microsoft Entra tenant.| Just like Microsoft Entra ID, Azure AD B2C supports [Go-Local add-on](data-residency.md#go-local-add-on). |
 
 > [!NOTE]
-> **Other Azure resources in your tenant:** <br>In an Azure AD B2C tenant, you can't provision other Azure resources such as virtual machines, Azure web apps, or Azure functions. You must create these resources in your Microsoft Entra tenant.
+> **Other Azure resources in your tenant:** <br>In an Azure AD B2C tenant, you can't provision other Azure resources such as virtual machines, Azure web apps, or Azure functions. You must create these resources in your Microsoft Entra tenant.

articles/api-center/includes/api-center-service-limits.md

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: azure-api-center
 ms.topic: include
-ms.date: 03/ 18/2025
+ms.date: 05/19/2025
 ms.author: danlep
 ms.custom: Include file
 ---
@@ -29,7 +29,7 @@ ms.custom: Include file
 | Maximum number of APIs synchronized from a linked API source | 200 | 2,000<sup>4</sup>  |
 | Semantic search in API Center portal | No | Yes |
 
-<sup>1</sup> Free plan provided for 90 days, then service is soft-deleted. Use of full service features including API analysis is limited.<br/>
+<sup>1</sup> Use of full service features including API analysis is limited.<br/>
 <sup>2</sup> To increase a limit in the Standard plan, contact [support](https://azure.microsoft.com/support/options/).<br/>
 <sup>3</sup> Custom metadata properties assigned to APIs, deployments, and environments.<br/>
 <sup>4</sup> Process can take a few minutes to up to 24 hours to complete.<br/> 

articles/api-management/TOC.yml

@@ -208,8 +208,12 @@
       items:
       - name: AI gateway capabilities in API Management
         href: genai-gateway-capabilities.md
+      - name: Import Azure AI Foundry API
+        href: azure-ai-foundry-api.md
       - name: Import Azure OpenAI API
         href: azure-openai-api-from-specification.md
+      - name: Import OpenAI-compatible LLM API
+        href: openai-compatible-llm-api.md
       - name: Authenticate and authorize to Azure OpenAI
         href: api-management-authenticate-authorize-azure-openai.md
       - name: Expose REST API as MCP server
@@ -320,6 +324,8 @@
   items:
   - name: API authentication and authorization options
     href: authentication-authorization-overview.md
+  - name: Protect product APIs with Microsoft Entra ID applications
+    href: applications.md
   - name: Protect your API with Microsoft Entra ID
     href: api-management-howto-protect-backend-with-aad.md
   - name: Protect your API with Azure AD B2C
@@ -622,10 +628,6 @@
   - name: Azure Policy built-ins
     displayName: samples, policies, definitions
     href: ./policy-reference.md
-  - name: Gateway log schema
-    href: gateway-log-schema-reference.md
-  - name: Developer portal audit log schema
-    href: developer-portal-audit-log-schema-reference.md
   - name: Event Grid events schema
     href: ../event-grid/event-schema-api-management.md?toc=/azure/api-management/toc.json&bc=/azure/api-management/breadcrumb/toc.json
   - name: Virtual network configuration
@@ -634,8 +636,6 @@
     href: self-hosted-gateway-settings-reference.md
   - name: Self-hosted gateway Azure Arc configuration
     href: self-hosted-gateway-arc-reference.md
-  - name: Diagnostic logs settings
-    href: diagnostic-logs-reference.md
 - name: Resources
   items:
   - name: FAQ

articles/api-management/applications.md

@@ -0,0 +1,210 @@
+---
+title: Protect Access to Product APIs with Microsoft Entra Application - Azure API Management
+titleSuffix: Azure API Management
+description: Configure OAuth 2.0 access to product APIs in Azure API Management with Microsoft Entra ID applications.
+services: api-management
+author: dlepow
+
+ms.service: azure-api-management
+ms.topic: how-to
+ms.date: 05/19/2025
+ms.author: danlep
+ms.custom: 
+---
+# Secure product API access with Microsoft Entra applications
+
+[!INCLUDE [api-management-availability-premium-dev-standard-basic](../../includes/api-management-availability-premium-dev-standard-basic.md)]
+
+API Management now supports built-in OAuth 2.0 application-based access to product APIs using the client credentials flow. This feature allows API managers to register Microsoft Entra ID applications, streamlining secure API access for developers through OAuth 2.0 authorization.
+
+> [!NOTE]
+> Applications are currently in limited preview. To sign up, fill [this form](https://aka.ms/apimappspreview).
+
+With this feature:
+
+* API managers set a product property to enable application-based access.
+* API managers register client applications in Microsoft Entra ID to limit access to specific products. 
+* Using the OAuth 2.0 client credentials flow, developers or apps obtain tokens that they can include in API requests
+* Tokens presented in API requests are validated by the API Management gateway to authorize access to the product's APIs.
+
+## Prerequisites
+
+- An API Management instance deployed in the **Premium**, **Standard**, **Basic**, or **Developer** tier. If you need to deploy an instance, see [Create an API Management service instance](get-started-create-service-instance.md).
+
+- At least one product in your API Management instance, with at least one API assigned to it. 
+    * The product should be in the **Published** state so that it can be accessed by developers through the developer portal.
+    * For testing, you can use the default **Starter** product and the **Echo** API that's added to it. 
+    * If you want to create a product, see [Create and publish a product](api-management-howto-add-products.md). 
+
+- Sufficient permissions in your Microsoft Entra tenant to assign the **Application Administrator** role, which requires at least the **Privileged Role Administrator** role.
+
+- Optionally, add one or more [users](api-management-howto-create-or-invite-developers.md) in your API Management instance. 
+
+[!INCLUDE [azure-powershell-requirements-no-header](~/reusable-content/ce-skilling/azure/includes/azure-powershell-requirements-no-header.md)]
+
+## Configure managed identity
+
+ 1. Enable a system-assigned [managed identity for API Management](api-management-howto-use-managed-service-identity.md) in your API Management instance.
+        
+1. Assign the identity the **Application Administrator** RBAC role in Microsoft Entra ID. To assign the role:
+
+    1. Sign in to the [portal](https://portal.azure.com) and navigate to **Microsoft Entra ID**. 
+    1. In the left menu, select **Manage** > **Roles and administrators**.
+    1. Select **Application administrator**.
+    1. In the left menu, select **Manage** > **Assignments** > **+ Add assignments**.
+    1. In the **Add assignments** page, search for the API Management instance's managed identity by name (the name of the API Management instance). Select the managed identity, and then select **Add**.
+
+## Enable application based access for product
+
+Follow these steps to enable **Application based access** for a product. A product must have this setting enabled to be associated with a client application in later steps. 
+
+The following example uses the **Starter** product, but choose any published product that has at least one API assigned to it.
+
+1. Sign in to the [portal](https://portal.azure.com) and navigate to your API Management instance.
+1. In the left menu, under **APIs**, select **Products**.
+1. Choose the product that you want to configure, such as the **Starter** product.
+1. In the left menu, under **Product**, select **Properties**.
+1. Enable the **Application based access** setting.
+1. Optionally, enable the **Requires subscription** setting. If you enable both application based access and a subscription requirement, the API Management gateway can accept either OAuth 2.0 authorization or a subscription key for access to the product's APIs.
+1. Select **Save**.
+
+:::image type="content" source="media/applications/enable-application-based-access.png" alt-text="Screenshot of enabling application based access in the portal.":::
+
+> [!TIP]
+> You can also enable the **Application based access** setting when creating a new product.
+
+ Enabling application based access creates a backend enterprise application in Microsoft Entra ID to represent the product. The backend application ID is displayed in the product's **Properties** page.
+
+:::image type="content" source="media/applications/product-application-settings.png" alt-text="Screenshot of product's application settings in the portal.":::
+
+> [!NOTE]
+> This application ID is set as the **Audience** value when creating a client application to access the product. Also use this value when generating a token to call the product API.
+> 
+
+## (Optional) Review product application settings in Microsoft Entra ID
+
+Optionally review settings of the backend enterprise application created in Microsoft Entra ID to represent the product. 
+
+The application is named with the following format: **APIMProductApplication\<product-name\>**. For example, if the product name is **Starter**, the application name is **APIMProductApplicationStarter**. The application has an **App role** defined.
+
+To review application settings in **App registrations**:
+
+1. Sign in to the [portal](https://portal.azure.com) and navigate to **Microsoft Entra ID** > **Manage** > **App registrations**.
+1. Select **All applications**.
+1. Search for and select the application created by API Management.
+1. In the left menu, under **Manage**, select **App roles**.
+1. Confirm the application role that set by Azure API Management, as shown in the following screenshot:
+
+:::image type="content" source="media/applications/application-roles.png" alt-text="Screenshot of app roles in the portal.":::
+
+## Register client application to access product
+
+Now register a client application that limits access to one or more products. 
+
+* A product must have **Application based access** enabled to be associated with a client application. 
+* Each client application has a single user (owner) in the API Management instance. One the owner can access product APIs through the application.
+* A product can be associated with more than one client application.
+
+1. Sign in to the [portal](https://portal.azure.com) and navigate to your API Management instance.
+1. In the left menu, under **APIs**, select **Applications** > **+ Register application**.
+1. In the **Register an application** page, enter the following application settings:
+    * **Name**: Enter a name for the application. 
+    * **Owner**: Select the owner of the application from the dropdown list of users in the API Management instance. 
+    * **Grant access to selected products**: Select one or more products in the API Management instance that were previously enabled for **Application based access**. 
+    * **Description**: Optionally enter a description.
+
+    :::image type="content" source="media/applications/register-application.png" alt-text="Screenshot of application settings in the portal.":::
+1. Select **Register**.
+
+The application is added to the list of applications on the **Applications** page. Select the application to view details such as the **Client ID**. You need this ID to generate a token to call the product API.
+
+> [!TIP]
+> * After creating an application, optionally associate it with other products. Select the application on the **Applications** page, and then select **Details** > **Products** > **+ Add product**. 
+> * You can also create or associate an application by editing a product from the **Products** page.
+
+## Generate client secret
+
+A client secret must be generated for the client application to use the OAuth 2.0 client credentials flow. The secret is valid for one year but can be regenerated at any time.
+
+1. On the **Applications** page, select the application that you created.
+1. On the application's **Overview** page, next to **Client Secret**, select **Add secret**.
+1. On the **New client secret** page, select **Generate**.
+    
+    A client secret is generated and displayed in the **Client secret** field. Make sure to copy the secret value and store it securely. You won't be able to retrieve it again after you close the page.
+1. Select **Close**.
+
+## (Optional) Review client application settings in Microsoft Entra ID
+
+Optionally review settings of the client application in Microsoft Entra ID. 
+
+The application is named with the following format: **APIMApplication\<product-name\>**. For example, if the product name is **Starter**, the application name is similar to **APIMApplicationStarter**. 
+
+To review application settings in **App registrations**:
+
+1. Sign in to the [portal](https://portal.azure.com) and navigate to **Microsoft Entra ID** > **Manage** > **App registrations**.
+1. Select **All applications**.
+1. Search for and select the client application created by API Management.
+1. In the left menu, under **Manage**, select **API permissions**.
+1. Confirm that the application has permissions to access the backend product application or applications.
+
+    For example, if the client application grants access to the **Starter** product, the application has **Product.Starter.All** permissions to access the **APIMProductApplicationStarter** application. 
+
+    :::image type="content" source="media/applications/client-api-permissions.png" alt-text="Screenshot of API permissions in the portal.":::  
+
+
+## Create token and use with API call
+
+After you enable application-based access for a product and register a client application, a developer or app can generate a token to call the product's APIs. The token must be included in the `Authorization` header of a request.
+
+For example, a developer or app can run the following Azure PowerShell scripts to call the client application to generate a token, and then use the token to call a product API in API Management.
+
+> [!CAUTION]
+> The following scripts are examples for testing purposes only. In production, use a secure method to store and retrieve the client secret. 
+
+### Call client application to generate token
+
+
+```powershell
+# Replace placeholder values with your own values.
+
+$clientId = "00001111-aaaa-2222-bbbb-3333cccc4444" # Client (application) ID of client application
+$clientSecret = "******" # Retrieve secret of client application in developer portal
+$scopeOfOtherApp = "api://55556666-ffff-7777-aaaa-8888bbbb9999/.default" # Value of Audience in product properties
+$tenantId = "aaaabbbb-0000-cccc-1111-dddd2222eeee" # Directory (tenant) ID in Microsoft Entra ID
+
+$body = @{
+    grant_type    = "client_credentials"
+    client_id     = $clientId
+    client_secret = $clientSecret
+    scope         = $scopeOfOtherApp
+}
+$response = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -ContentType "application/x-www-form-urlencoded" -Body $body
+$token = $response.access_token
+```
+
+### Call product API using token
+
+The token generated in the previous step is used to call a product API. The token is passed in the **Authorization** header of the request. The API Management instance validates the token and authorizes access to the API. 
+
+The following script shows an example call to the echo API.
+
+```powershell
+# Gatewate endpoint to call. Update with URI of API operation you want to call.
+$uri = "https://<gateway-hostname>/echo/resource?param1=sample"
+$headers = @{
+   "Authorization" = "Bearer $token"  # $token is the token generated in the previous script.
+}
+$body = @{
+    "hello" = "world"
+} | ConvertTo-Json -Depth 5
+
+$getresponse = Invoke-RestMethod -Method Post -Uri $uri -ContentType "application/x-www-form-urlencoded" -Headers $headers -Body $body
+Write-Host "Response:"
+$getresponse | ConvertTo-Json -Depth 5
+```
+
+## Related content
+
+* [Create and publish a product](api-management-howto-add-products.md)
+* [Authentication and authorization to APIs in API Management](authentication-authorization-overview.md)
+