Commit bd4e3e1

committed
update
2 parents 08003c8 + 64e05a5 commit bd4e3e1

113 files changed

+924
-757
lines changed

articles/active-directory-b2c/external-identities-videos.md

Lines changed: 1 addition & 0 deletions
@@ -15,6 +15,7 @@ ms.subservice: b2c
1515
---
1616

1717
# Microsoft Azure Active Directory B2C external identity video series
18+
1819
[!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../includes/active-directory-b2c-end-of-sale-notice-b.md)]
1920

2021
Learn the basics of External Identities - Azure Active Directory B2C (Azure AD B2C) and Microsoft Entra B2B in the Microsoft identity platform.

articles/active-directory-b2c/faq.yml

Lines changed: 3 additions & 1 deletion
@@ -14,6 +14,8 @@ metadata:
1414
ms.custom: b2c-support, has-azure-ad-ps-ref,azure-ad-ref-level-one-done
1515
title: 'Azure AD B2C: Frequently asked questions (FAQ)'
1616
summary: |
17+
[!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../includes/active-directory-b2c-end-of-sale-notice-b.md)]
18+
1719
This page answers frequently asked questions about the Azure Active Directory B2C (Azure AD B2C). Keep checking back for updates.
1820
1921
sections:
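Review bot: the include added at new lines 17-18 puts the end-of-sale notice in `summary`, while the first question on this page ("Azure AD B2C end of sale") already carries the same announcement in its answer, so the FAQ now states it twice from two sources that can drift apart. Keep one of them, or have the answer defer to the include. Also confirm that an `[!INCLUDE]` directive is rendered inside a YAML `summary: |` block rather than shown literally.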
@@ -22,7 +24,7 @@ sections:
2224
- question: |
2325
Azure AD B2C end of sale
2426
answer: |
25-
Effective May 1, 2025 Azure AD B2C will no longer be available to purchase for new customers, but current Azure AD B2C customers can continue using the product. The product experience, including creating new tenants or user flows, will remain unchanged. The operational commitments, including service level agreements (SLAs), security updates, and compliance, will also remain unchanged. We'll continue supporting Azure AD B2C until at least May 2030. More information, including migration plans will be made available. Contact your account representative for more information and to learn more about Microsoft Entra External ID.
27+
Effective **May 1, 2025** Azure AD B2C will no longer be available to purchase for new customers, but current Azure AD B2C customers can continue using the product. The product experience, including creating new tenants or user flows, will remain unchanged. The operational commitments, including service level agreements (SLAs), security updates, and compliance, will also remain unchanged. We'll continue supporting Azure AD B2C until at least May 2030. More information, including migration plans will be made available. Contact your account representative for more information and to learn more about Microsoft Entra External ID.
2628
- question: |
2729
What is Microsoft Entra External ID?
2830
answer: |

articles/active-directory-b2c/tutorial-create-user-flows.md

Lines changed: 2 additions & 2 deletions
@@ -211,8 +211,8 @@ Next, specify that the application should be treated as a public client:
211211
1. In the left menu, under **Manage**, select **Authentication**.
212212
1. Under **Advanced settings**, in the **Allow public client flows** section, set **Enable the following mobile and desktop flows** to **Yes**.
213213
1. Select **Save**.
214-
1. Ensure that **"isFallbackPublicClient": true** is set in the application manifest:
215-
1. In the left menu, under **Manage**, select **Manifest** to open application manifest.
214+
1. Ensure that **"isFallbackPublicClient": true** is set in the Microsoft Graph App Manifest(New):
215+
1. In the left menu, under **Manage**, select **Manifest** to open Microsoft Graph App Manifest(New)
216216
1. Switch from the **Microsoft Graph App Manifest (New)** tab to the **AAD Graph App Manifest (Deprecating Soon)** tab.
217217
1. Find **isFallbackPublicClient** key and ensure its value is set to **true**.
218218
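Review bot: new lines 214-215 say the value is checked in the Microsoft Graph App Manifest (New), but the unchanged sub-step on line 216 still tells the reader to switch away from that tab to **AAD Graph App Manifest (Deprecating Soon)** and find `isFallbackPublicClient` there, so the procedure now contradicts itself on which manifest holds the key. Pick one tab and make all three sub-steps agree, since this setting decides whether the app is treated as a public client. Also write "Manifest (New)" with the space used on line 216, and restore the period dropped from the end of line 215.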

articles/api-management/api-management-howto-aad-b2c.md

Lines changed: 3 additions & 1 deletion
@@ -7,7 +7,7 @@ author: dlepow
77

88
ms.service: azure-api-management
99
ms.topic: how-to
10-
ms.date: 01/07/2025
10+
ms.date: 05/20/2025
1111
ms.author: danlep
1212
ms.custom: engagement-fy23
1313
---
@@ -16,6 +16,8 @@ ms.custom: engagement-fy23
1616

1717
[!INCLUDE [premium-dev-standard-premiumv2-standardv2-basicv2.md](../../includes/api-management-availability-premium-dev-standard-premiumv2-standardv2-basicv2.md)]
1818

19+
[!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../includes/active-directory-b2c-end-of-sale-notice-b.md)]
20+
1921
Azure Active Directory B2C is a cloud identity management solution for consumer-facing web and mobile applications. You can use it to manage access to your API Management developer portal.
2022

2123
In this tutorial, you'll learn the configuration required in your API Management service to integrate with Azure Active Directory B2C.

articles/api-management/breaking-changes/identity-provider-adal-retirement-sep-2025.md

Lines changed: 4 additions & 2 deletions
@@ -5,14 +5,16 @@ services: api-management
55
author: mikebudzynski
66
ms.service: azure-api-management
77
ms.topic: reference
8-
ms.date: 09/06/2022
8+
ms.date: 05/21/2025
99
ms.author: mibudz
1010
---
1111

1212
# ADAL-based Microsoft Entra ID or Azure AD B2C identity provider retirement (September 2025)
1313

1414
[!INCLUDE [api-management-availability-premium-dev-standard-basic-premiumv2-standardv2-basicv2](../../../includes/api-management-availability-premium-dev-standard-basic-premiumv2-standardv2-basicv2.md)]
1515

16+
[!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../../includes/active-directory-b2c-end-of-sale-notice-b.md)]
17+
1618
On 30 September, 2025 as part of our continuing work to increase the resiliency of API Management services, we're removing the support for the previous library for user authentication and authorization in the developer portal (AD Authentication Library, or ADAL). You need to migrate your Microsoft Entra ID or Azure AD B2C applications, change identity provider configuration to use the Microsoft Authentication Library (MSAL), and republish your developer portal.
1719

1820
This change will have no effect on the availability of your API Management service. However, you have to take steps described below to configure your API Management service if you wish to continue using Microsoft Entra ID or Azure AD B2C identity providers beyond 30 September, 2025.
@@ -68,4 +70,4 @@ If you have questions, get answers from community experts in [Microsoft Q&A](htt
6870

6971
## Next steps
7072

71-
See all [upcoming breaking changes and feature retirements](overview.md).
73+
See all [upcoming breaking changes and feature retirements](overview.md).

articles/api-management/howto-protect-backend-frontend-azure-ad-b2c.md

Lines changed: 6 additions & 4 deletions
@@ -7,7 +7,7 @@ author: WillEastbury
77
manager: alberts
88
ms.service: azure-api-management
99
ms.topic: how-to
10-
ms.date: 02/18/2021
10+
ms.date: 05/20/2025
1111
ms.author: wieastbu
1212
ms.custom: fasttrack-new, fasttrack-update, devx-track-js
1313
---
@@ -16,6 +16,8 @@ ms.custom: fasttrack-new, fasttrack-update, devx-track-js
1616

1717
[!INCLUDE [api-management-availability-all-tiers](../../includes/api-management-availability-all-tiers.md)]
1818

19+
[!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../includes/active-directory-b2c-end-of-sale-notice-b.md)]
20+
1921
This scenario shows you how to configure your Azure API Management instance to protect an API.
2022
We'll use the Azure AD B2C SPA (Auth Code + PKCE) flow to acquire a token, alongside API Management to secure an Azure Functions backend using EasyAuth.
2123

@@ -36,7 +38,7 @@ For defense in depth, we then use EasyAuth to validate the token again inside th
3638
> * Import of an Azure Functions API into Azure API Management
3739
> * Securing the API in Azure API Management
3840
> * Calling the Azure Active Directory B2C Authorization Endpoints via the Microsoft identity platform Libraries (MSAL.js)
39-
> * Storing a HTML / Vanilla JS Single Page Application and serving it from an Azure Blob Storage Endpoint
41+
> * Storing an HTML / Vanilla JS Single Page Application and serving it from an Azure Blob Storage Endpoint
4042
4143
## Prerequisites
4244

@@ -70,7 +72,7 @@ Here's a quick overview of the steps:
7072
1. Test the Client Application
7173

7274
> [!TIP]
73-
> We're going to capture quite a few pieces of information and keys etc as we walk this document, you might find it handy to have a text editor open to store the following items of configuration temporarily.
75+
> We're going to capture quite a few pieces of information and keys etc. as we walk this document, you might find it handy to have a text editor open to store the following items of configuration temporarily.
7476
>
7577
> B2C BACKEND CLIENT ID:
7678
> B2C BACKEND CLIENT SECRET KEY:
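Review bot: the reworded tip on new line 75 still tells readers to park values such as `B2C BACKEND CLIENT SECRET KEY` in a text editor, with no instruction to discard them afterwards. Since the line is being touched anyway, add a sentence telling readers to delete those notes once configuration is complete. The sentence is also still a comma splice at "as we walk this document, you might"; split it into two sentences.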
@@ -174,7 +176,7 @@ Open the Azure AD B2C blade in the portal and do the following steps.
174176
1. Switch back to the Code + Test tab, click 'Get Function URL', then copy the URL that appears and save it for later.
175177

176178
> [!NOTE]
177-
> The bindings you just created simply tell Functions to respond on anonymous http GET requests to the URL you just copied (`https://yourfunctionappname.azurewebsites.net/api/hello?code=secretkey`). Now we have a scalable serverless https API, that is capable of returning a very simple payload.
179+
> The bindings you just created simply tell Functions to respond on anonymous http GET requests to the URL you just copied (`https://yourfunctionappname.azurewebsites.net/api/hello?code=secretkey`). Now we have a scalable serverless https API that is capable of returning a very simple payload.
178180
>
179181
> You can now test calling this API from a web browser using your version of the URL above that you just copied and saved. You can also remove the query string parameters "?code=secretkey" portion of the URL , and test again, to prove that Azure Functions will return a 401 error.
180182
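Review bot: new line 179 still describes the function as answering "anonymous" GET requests, while the URL it quotes carries `?code=secretkey` and the following paragraph says that dropping that parameter returns a 401, so the note reads as inconsistent about what protects the endpoint. Reword it to say the request is authorized by the key in the query string. The unchanged line 181 also has a stray space in "URL , and" that could be fixed in the same pass.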

articles/api-management/secure-developer-portal-access.md

Lines changed: 8 additions & 6 deletions
@@ -6,7 +6,7 @@ author: dlepow
66

77
ms.service: azure-api-management
88
ms.topic: concept-article
9-
ms.date: 09/12/2023
9+
ms.date: 05/21/2025
1010
ms.author: danlep
1111
---
1212

@@ -21,13 +21,15 @@ API Management has a fully customizable, standalone, managed [developer portal](
2121
2222
## Authentication options
2323

24-
* **External users** - The preferred option when the developer portal is consumed externally is to enable business-to-consumer access control through Azure Active Directory B2C (Azure AD B2C).
25-
* Azure AD B2C provides the option of using Azure AD B2C native accounts: users sign up to Azure AD B2C and use that identity to access the developer portal.
26-
* Azure AD B2C is also useful if you want users to access the developer portal using existing social media or federated organizational accounts.
27-
* Azure AD B2C provides many features to improve the end user sign-up and sign-in experience, including conditional access and MFA.
24+
* **External users** - The preferred option when the developer portal is consumed externally is to enable business-to-consumer access control through Azure Active Directory B2C (Azure AD B2C) or [Microsoft Entra External ID](/entra/external-id/customers/overview-customers-ciam).
25+
* Both Azure AD B2C and Microsoft Entra External ID provides the option of using native accounts: users sign up and use that identity to access the developer portal.
26+
* Both services are also useful if you want users to access the developer portal using existing social media or federated organizational accounts.
27+
* Both services provide many features to improve the end user sign-up and sign-in experience, including conditional access and MFA.
2828

2929
For steps to enable Azure AD B2C authentication in the developer portal, see [How to authorize developer accounts by using Azure Active Directory B2C in Azure API Management](api-management-howto-aad-b2c.md).
3030

31+
[!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../includes/active-directory-b2c-end-of-sale-notice-b.md)]
32+
3133

3234
* **Internal users** - The preferred option when the developer portal is consumed internally is to leverage your corporate Microsoft Entra ID. Microsoft Entra ID provides a seamless single sign-on (SSO) experience for corporate users who need to access and discover APIs through the developer portal.
3335
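Review bot: new line 25 has a subject-verb mismatch, "Both Azure AD B2C and Microsoft Entra External ID provides"; it should be "provide". The include added at new line 31 sits between the **External users** and **Internal users** bullets and splits the list, so move it above the list or directly under the heading. The unchanged line 29 links setup steps for Azure AD B2C only, which leaves the newly mentioned External ID option without a corresponding link.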

@@ -116,4 +118,4 @@ Go a step further by delegating [user registration or product subscription](api-
116118

117119
## Related content
118120
* Learn more about [authentication and authorization](../active-directory/develop/authentication-vs-authorization.md) in the Microsoft identity platform.
119-
* Learn how to [mitigate OWASP API security threats](mitigate-owasp-api-threats.md) using API Management.
121+
* Learn how to [mitigate OWASP API security threats](mitigate-owasp-api-threats.md) using API Management.

articles/api-management/self-hosted-gateway-overview.md

Lines changed: 14 additions & 18 deletions
@@ -95,18 +95,20 @@ Self-hosted gateways require outbound TCP/IP connectivity to Azure on port 443.
9595

9696
To operate properly, each self-hosted gateway needs outbound connectivity on port 443 to the following endpoints associated with its cloud-based API Management instance:
9797

98-
| Description | Required for v1 | Required for v2 | Notes |
99-
|:------------|:---------------------|:---------------------|:------|
100-
| Hostname of the configuration endpoint | `<apim-service-name>.management.azure-api.net` | `<apim-service-name>.configuration.azure-api.net`<sup>1</sup> | Custom hostnames are also supported and can be used instead of the default hostname. |
101-
| Public IP address of the API Management instance | ✔️ | ✔️ | IP address of primary location is sufficient. |
102-
| Public IP addresses of Azure Storage [service tag](../virtual-network/service-tags-overview.md) | ✔️ | Optional<sup>2</sup> | IP addresses must correspond to primary location of API Management instance. |
103-
| Hostname of Azure Blob Storage account | ✔️ | Optional<sup>2</sup> | Account associated with instance (`<blob-storage-account-name>.blob.core.windows.net`) |
104-
| Hostname of Azure Table Storage account | ✔️ | Optional<sup>2</sup> | Account associated with instance (`<table-storage-account-name>.table.core.windows.net`) |
105-
| Endpoints for Azure Resource Manager | ✔️ | Optional<sup>3</sup> | Required endpoints are `management.azure.com`. |
106-
| Endpoints for Microsoft Entra integration | ✔️ | Optional<sup>4</sup> | Required endpoints are `<region>.login.microsoft.com` and `login.microsoftonline.com`. |
107-
| Endpoints for [Azure Application Insights integration](api-management-howto-app-insights.md) | Optional<sup>5</sup> | Optional<sup>5</sup> | Minimal required endpoints are:<ul><li>`rt.services.visualstudio.com:443`</li><li>`dc.services.visualstudio.com:443`</li><li>`{region}.livediagnostics.monitor.azure.com:443`</li></ul>Learn more in [Azure Monitor docs](/azure/azure-monitor/ip-addresses#outgoing-ports) |
108-
| Endpoints for [Event Hubs integration](api-management-howto-log-event-hubs.md) | Optional<sup>5</sup> | Optional<sup>5</sup> | Learn more in [Azure Event Hubs docs](../event-hubs/network-security.md) |
109-
| Endpoints for [external cache integration](api-management-howto-cache-external.md) | Optional<sup>5</sup> | Optional<sup>5</sup> | This requirement depends on the external cache that is being used |
98+
99+
| Endpoint | Required? | Notes |
100+
|:------------|:---------------------|:------|
101+
| Hostname of the configuration endpoint | `<apim-service-name>.configuration.azure-api.net`<sup>1</sup> | Custom hostnames are also supported and can be used instead of the default hostname. |
102+
| Public IP address of the API Management instance | ✔️ | IP address of primary location is sufficient. |
103+
| Public IP addresses of Azure Storage [service tag](../virtual-network/service-tags-overview.md) | Optional<sup>2</sup> | IP addresses must correspond to primary location of API Management instance. |
104+
| Hostname of Azure Blob Storage account | Optional<sup>2</sup> | Account associated with instance (`<blob-storage-account-name>.blob.core.windows.net`) |
105+
| Hostname of Azure Table Storage account | Optional<sup>2</sup> | Account associated with instance (`<table-storage-account-name>.table.core.windows.net`) |
106+
| Endpoints for Azure Resource Manager | Optional<sup>3</sup> | Required endpoints are `management.azure.com`. |
107+
| Endpoints for Microsoft Entra integration | Optional<sup>4</sup> | Required endpoints are `<region>.login.microsoft.com` and `login.microsoftonline.com`. |
108+
| Endpoints for [Azure Application Insights integration](api-management-howto-app-insights.md) | Optional<sup>5</sup> | Minimal required endpoints are:<ul><li>`rt.services.visualstudio.com:443`</li><li>`dc.services.visualstudio.com:443`</li><li>`{region}.livediagnostics.monitor.azure.com:443`</li></ul>Learn more in [Azure Monitor docs](/azure/azure-monitor/ip-addresses#outgoing-ports) |
109+
| Endpoints for [Event Hubs integration](api-management-howto-log-event-hubs.md) | Optional<sup>5</sup> | Learn more in [Azure Event Hubs docs](../event-hubs/network-security.md) |
110+
| Endpoints for [external cache integration](api-management-howto-cache-external.md) | Optional<sup>5</sup> | This requirement depends on the external cache that is being used |
111+
110112

111113
<sup>1</sup>For an API Management instance in an internal virtual network, see [Connectivity in an internal virtual network](#connectivity-in-internal-virtual-network).<br/>
112114
<sup>2</sup>Only required in v2 when API inspector or quotas are used in policies.<br/>
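Review bot: the merged column on new line 99 is headed "Required?", but the first row (new line 101) puts the hostname `<apim-service-name>.configuration.azure-api.net` in it instead of a required/optional value, so the column mixes two kinds of data. Move the hostname into the Notes cell and mark the row ✔️, so that anyone building an egress allowlist from this table can read the column consistently. Footnote 2 on line 114 still reads "Only required in v2", which no longer matches a table without version columns, and the blank lines added at 98 and 111 double up with the existing blank lines next to them.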
@@ -167,9 +169,6 @@ The following functionality found in the managed gateways is **not available** i
167169

168170
### Transport Layer Security (TLS)
169171

170-
> [!IMPORTANT]
171-
> This overview is only applicable to the self-hosted gateway v1 & v2.
172-
173172
#### Supported protocols
174173

175174
The self-hosted gateway provides support for TLS v1.2 by default.
@@ -178,9 +177,6 @@ Customers using custom domains can enable TLS v1.0 and/or v1.1 [in the control p
178177

179178
#### Available cipher suites
180179

181-
> [!IMPORTANT]
182-
> This overview is only applicable to the self-hosted gateway v2.
183-
184180
The self-hosted gateway uses the following cipher suites for both client and server connections:
185181

186182
- `TLS_AES_256_GCM_SHA384`

articles/api-management/self-hosted-gateway-settings-reference.md

Lines changed: 2 additions & 2 deletions
@@ -71,8 +71,8 @@ This guidance helps you provide the required information to define how to authen
7171
7272
| Name | Description | Required | Default | Availability |
7373
|-------------------------|------------------------|----------|-------------------| ----|
74-
| k8s.ingress.enabled | Enable Kubernetes Ingress integration. | No | `false` | v1.2+ |
75-
| k8s.ingress.namespace | Kubernetes namespace to watch Kubernetes Ingress resources in. | No | `default` | v1.2+ |
74+
| k8s.ingress.enabled | Enable Kubernetes Ingress integration. | No | `false` | v2.0+ |
75+
| k8s.ingress.namespace | Kubernetes namespace to watch Kubernetes Ingress resources in. | No | `default` | v2.0+ |
7676
| k8s.ingress.dns.suffix | DNS suffix to build DNS hostname for services to send requests to. | No | `svc.cluster.local` | v2.4+ |
7777
| k8s.ingress.config.path | Path to Kubernetes configuration (Kubeconfig). | No | N/A | v2.4+ |
7878

articles/app-service/monitor-instances-health-check.md

Lines changed: 1 addition & 1 deletion
@@ -163,7 +163,7 @@ After providing your application's Health check path, you can monitor the health
163163

164164
## Limitations
165165

166-
- Health check can be enabled for **Free** and **Shared** App Service plans, so you can have metrics on the site's health and set up alerts. However, because **Free** and **Shared** sites can't scale out, unhealthy instances won't be replaced. You should scale up to the **Basic** tier or higher so you can scale out to two or more instances and get the full benefit of Health check. This is recommended for production-facing applications as it increases your app's availability and performance.
166+
- Health check can be enabled for **Free** and **Shared** App Service plans, so you can have metrics on the site's health and set up alerts. However, because **Free** and **Shared** sites don't support scale out, unhealthy instances won't be replaced automatically. You should scale up to the **Basic** tier or higher so you can scale out to two or more instances and get the full benefit of Health check. This is recommended for production-facing applications as it increases your app's availability and performance.
167167
- An App Service plan can have a maximum of one unhealthy instance replaced per hour and, at most, three instances per day.
168168
- There's a nonconfigurable limit on the total number of instances replaced by Health check per scale unit. If this limit is reached, no unhealthy instances are replaced. This value gets reset every 12 hours.
169169
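Review bot: on new line 166, adding "automatically" to "unhealthy instances won't be replaced" implies they can be replaced some other way on **Free** and **Shared** plans, which nothing in this section describes. Either drop the word or state what the manual option is. "don't support scale out" would also read better as "don't support scaling out".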
