Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr

Author: bandersmsft

articles/active-directory-b2c/external-identities-videos.md

@@ -15,6 +15,7 @@ ms.subservice: b2c
 ---
 
 # Microsoft Azure Active Directory B2C external identity video series
+
 [!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../includes/active-directory-b2c-end-of-sale-notice-b.md)]
 
 Learn the basics of External Identities - Azure Active Directory B2C (Azure AD B2C) and Microsoft Entra B2B in the Microsoft identity platform.

articles/active-directory-b2c/faq.yml

@@ -14,6 +14,8 @@ metadata:
   ms.custom: b2c-support, has-azure-ad-ps-ref,azure-ad-ref-level-one-done
 title: 'Azure AD B2C: Frequently asked questions (FAQ)'
 summary: | 
+  [!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../includes/active-directory-b2c-end-of-sale-notice-b.md)]
+  
   This page answers frequently asked questions about the Azure Active Directory B2C (Azure AD B2C). Keep checking back for updates.
   
 sections:
@@ -22,7 +24,7 @@ sections:
       - question: |
           Azure AD B2C end of sale
         answer: |
-          Effective May 1, 2025 Azure AD B2C will no longer be available to purchase for new customers, but current Azure AD B2C customers can continue using the product. The product experience, including creating new tenants or user flows, will remain unchanged. The operational commitments, including service level agreements (SLAs), security updates, and compliance, will also remain unchanged. We'll continue supporting Azure AD B2C until at least May 2030. More information, including migration plans will be made available. Contact your account representative for more information and to learn more about Microsoft Entra External ID.
+          Effective **May 1, 2025** Azure AD B2C will no longer be available to purchase for new customers, but current Azure AD B2C customers can continue using the product. The product experience, including creating new tenants or user flows, will remain unchanged. The operational commitments, including service level agreements (SLAs), security updates, and compliance, will also remain unchanged. We'll continue supporting Azure AD B2C until at least May 2030. More information, including migration plans will be made available. Contact your account representative for more information and to learn more about Microsoft Entra External ID.
       - question: |
           What is Microsoft Entra External ID?
         answer: |

articles/active-directory-b2c/string-transformations.md

@@ -446,7 +446,7 @@ The following example generates an error message when an account is already in t
 </Localization>
 ```
 
-The claims transformation creates a response message based on the localized string. The message contains the user's email address embedded into the localized sting *ResponseMessage_EmailExists*.
+The claims transformation creates a response message based on the localized string. The message contains the user's email address embedded into the localized string *ResponseMessage_EmailExists*.
 
 ```xml
 <ClaimsTransformation Id="SetResponseMessageForEmailAlreadyExists" TransformationMethod="FormatLocalizedString">

articles/active-directory-b2c/tutorial-create-user-flows.md

@@ -211,8 +211,8 @@ Next, specify that the application should be treated as a public client:
 1. In the left menu, under **Manage**, select **Authentication**.
 1. Under **Advanced settings**, in the **Allow public client flows** section, set **Enable the following mobile and desktop flows** to **Yes**. 
 1. Select **Save**.
-1. Ensure that **"isFallbackPublicClient": true** is set in the application manifest:
-    1. In the left menu, under **Manage**, select **Manifest** to open application manifest.
+1. Ensure that **"isFallbackPublicClient": true** is set in the Microsoft Graph App Manifest(New):
+    1. In the left menu, under **Manage**, select **Manifest** to open Microsoft Graph App Manifest(New)
     1. Switch from the **Microsoft Graph App Manifest (New)** tab to the **AAD Graph App Manifest (Deprecating Soon)** tab.
     1. Find **isFallbackPublicClient** key and ensure its value is set to **true**.
 

articles/api-management/api-management-howto-aad-b2c.md

@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 01/07/2025
+ms.date: 05/20/2025
 ms.author: danlep
 ms.custom: engagement-fy23
 ---
@@ -16,6 +16,8 @@ ms.custom: engagement-fy23
 
 [!INCLUDE [premium-dev-standard-premiumv2-standardv2-basicv2.md](../../includes/api-management-availability-premium-dev-standard-premiumv2-standardv2-basicv2.md)]
 
+[!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../includes/active-directory-b2c-end-of-sale-notice-b.md)]
+
 Azure Active Directory B2C is a cloud identity management solution for consumer-facing web and mobile applications. You can use it to manage access to your API Management developer portal. 
 
 In this tutorial, you'll learn the configuration required in your API Management service to integrate with Azure Active Directory B2C. 

articles/api-management/applications.md

@@ -1,5 +1,5 @@
 ---
-title: Protect Access to Product APIs with Microsoft Entra Application - Azure API Management
+title: Securely Access Products and APIs - Microsoft Entra Applications - Azure API Management
 titleSuffix: Azure API Management
 description: Configure OAuth 2.0 access to product APIs in Azure API Management with Microsoft Entra ID applications.
 services: api-management
@@ -11,7 +11,7 @@ ms.date: 05/19/2025
 ms.author: danlep
 ms.custom: 
 ---
-# Secure product API access with Microsoft Entra applications
+# Securely access products and APIs with Microsoft Entra applications
 
 [!INCLUDE [api-management-availability-premium-dev-standard-basic](../../includes/api-management-availability-premium-dev-standard-basic.md)]
 
@@ -64,14 +64,14 @@ The following example uses the **Starter** product, but choose any published pro
 1. In the left menu, under **APIs**, select **Products**.
 1. Choose the product that you want to configure, such as the **Starter** product.
 1. In the left menu, under **Product**, select **Properties**.
-1. Enable the **Application based access** setting.
-1. Optionally, enable the **Requires subscription** setting. If you enable both application based access and a subscription requirement, the API Management gateway can accept either OAuth 2.0 authorization or a subscription key for access to the product's APIs.
+1. In the **Application based access** section, enable the **OAuth 2.0 token (most secure)** setting.
+1. Optionally, enable the **Subscription key** setting. If you enable both application based access and a subscription requirement, the API Management gateway can accept either an OAuth 2.0 token or a subscription key for access to the product's APIs.
 1. Select **Save**.
 
 :::image type="content" source="media/applications/enable-application-based-access.png" alt-text="Screenshot of enabling application based access in the portal.":::
 
 > [!TIP]
-> You can also enable the **Application based access** setting when creating a new product.
+> You can also enable the **OAuth 2.0 token** setting when creating a new product.
 
  Enabling application based access creates a backend enterprise application in Microsoft Entra ID to represent the product. The backend application ID is displayed in the product's **Properties** page.
 

articles/api-management/breaking-changes/identity-provider-adal-retirement-sep-2025.md

@@ -5,14 +5,16 @@ services: api-management
 author: mikebudzynski
 ms.service: azure-api-management
 ms.topic: reference
-ms.date: 09/06/2022
+ms.date: 05/21/2025
 ms.author: mibudz
 ---
 
 # ADAL-based Microsoft Entra ID or Azure AD B2C identity provider retirement (September 2025)
 
 [!INCLUDE [api-management-availability-premium-dev-standard-basic-premiumv2-standardv2-basicv2](../../../includes/api-management-availability-premium-dev-standard-basic-premiumv2-standardv2-basicv2.md)]
 
+[!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../../includes/active-directory-b2c-end-of-sale-notice-b.md)]
+
 On 30 September, 2025 as part of our continuing work to increase the resiliency of API Management services, we're removing the support for the previous library for user authentication and authorization in the developer portal (AD Authentication Library, or ADAL). You need to migrate your Microsoft Entra ID or Azure AD B2C applications, change identity provider configuration to use the Microsoft Authentication Library (MSAL), and republish your developer portal.
 
 This change will have no effect on the availability of your API Management service. However, you have to take steps described below to configure your API Management service if you wish to continue using Microsoft Entra ID or Azure AD B2C identity providers beyond 30 September, 2025.
@@ -68,4 +70,4 @@ If you have questions, get answers from community experts in [Microsoft Q&A](htt
 
 ## Next steps
 
-See all [upcoming breaking changes and feature retirements](overview.md).
+See all [upcoming breaking changes and feature retirements](overview.md).

articles/api-management/howto-protect-backend-frontend-azure-ad-b2c.md

@@ -7,7 +7,7 @@ author: WillEastbury
 manager: alberts
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 02/18/2021
+ms.date: 05/20/2025
 ms.author: wieastbu
 ms.custom: fasttrack-new, fasttrack-update, devx-track-js
 ---
@@ -16,6 +16,8 @@ ms.custom: fasttrack-new, fasttrack-update, devx-track-js
 
 [!INCLUDE [api-management-availability-all-tiers](../../includes/api-management-availability-all-tiers.md)]
 
+[!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../includes/active-directory-b2c-end-of-sale-notice-b.md)]
+
 This scenario shows you how to configure your Azure API Management instance to protect an API.
 We'll use the Azure AD B2C SPA (Auth Code + PKCE) flow to acquire a token, alongside API Management to secure an Azure Functions backend using EasyAuth.
 
@@ -36,7 +38,7 @@ For defense in depth, we then use EasyAuth to validate the token again inside th
 > * Import of an Azure Functions API into Azure API Management
 > * Securing the API in Azure API Management
 > * Calling the Azure Active Directory B2C Authorization Endpoints via the Microsoft identity platform Libraries (MSAL.js)
-> * Storing a HTML / Vanilla JS Single Page Application and serving it from an Azure Blob Storage Endpoint
+> * Storing an HTML / Vanilla JS Single Page Application and serving it from an Azure Blob Storage Endpoint
 
 ## Prerequisites
 
@@ -70,7 +72,7 @@ Here's a quick overview of the steps:
 1. Test the Client Application
 
    > [!TIP]
-   > We're going to capture quite a few pieces of information and keys etc as we walk this document, you might find it handy to have a text editor open to store the following items of configuration temporarily.
+   > We're going to capture quite a few pieces of information and keys etc. as we walk this document, you might find it handy to have a text editor open to store the following items of configuration temporarily.
    >
    > B2C BACKEND CLIENT ID:
    > B2C BACKEND CLIENT SECRET KEY:
@@ -174,7 +176,7 @@ Open the Azure AD B2C blade in the portal and do the following steps.
 1. Switch back to the Code + Test tab, click 'Get Function URL', then copy the URL that appears and save it for later.
 
    > [!NOTE]
-   > The bindings you just created simply tell Functions to respond on anonymous http GET requests to the URL you just copied (`https://yourfunctionappname.azurewebsites.net/api/hello?code=secretkey`). Now we have a scalable serverless https API, that is capable of returning a very simple payload.
+   > The bindings you just created simply tell Functions to respond on anonymous http GET requests to the URL you just copied (`https://yourfunctionappname.azurewebsites.net/api/hello?code=secretkey`). Now we have a scalable serverless https API that is capable of returning a very simple payload.
    >
    > You can now test calling this API from a web browser using your version of the URL above that you just copied and saved. You can also remove the query string parameters "?code=secretkey" portion of the URL , and test again, to prove that Azure Functions will return a 401 error.