Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into apimrel

Author: gitName

.openpublishing.publish.config.json

@@ -620,6 +620,12 @@
             "branch": "main",
             "branch_mapping": {}
         },
+        {
+            "path_to_root": "app-service-agentic-semantic-kernel-ai-foundry-agent",
+            "url": "https://github.com/Azure-Samples/app-service-agentic-semantic-kernel-ai-foundry-agent",
+            "branch": "main",
+            "branch_mapping": {}
+        },
         {
             "path_to_root": "playwright-testing-service",
             "url": "https://github.com/microsoft/playwright-testing-service",
@@ -751,6 +757,12 @@
             "url": "https://github.com/AzureADQuickStarts/WebApp-OpenIdConnect-DotNet",
             "branch": "GuidedSetup",
             "branch_mapping": {}
+        },
+        {
+            "path_to_root": "azure-policy-autogen-docs",
+            "url": "https://github.com/MicrosoftDocs/azure-policy-autogen-docs",
+            "branch": "main",
+            "branch_mapping": {}
         }
     ],
     "branch_target_mapping": {

articles/active-directory-b2c/add-password-reset-policy.md

@@ -157,7 +157,7 @@ A claims transformation technical profile accesses the `isForgotPassword` claim.
 
 The **SelfAsserted-LocalAccountSignin-Email** technical profile **setting.forgotPasswordLinkOverride** defines the password reset claims exchange that executes in your user journey.
 
-The **LocalAccountWritePasswordUsingObjectId** technical profile **UseTechnicalProfileForSessionManagement** `SM-AAD` session manager is required for the user to preform subsequent logins successfully under [SSO](./custom-policy-reference-sso.md) conditions.
+The **LocalAccountWritePasswordUsingObjectId** technical profile **UseTechnicalProfileForSessionManagement** `SM-AAD` session manager is required for the user to perform subsequent logins successfully under [SSO](./custom-policy-reference-sso.md) conditions.
 
 ### Add the password reset sub journey
 

articles/active-directory-b2c/media/partner-nok-nok/nok-nok-id-token-hint-architecture-diagram.png

@@ -7,7 +7,7 @@ manager: martinco
 ms.reviewer: kengaderdus
 ms.service: azure-active-directory
 ms.topic: how-to
-ms.date: 01/26/2024
+ms.date: 06/30/2025
 ms.author: gasinh
 ms.subservice: b2c
 
@@ -21,20 +21,19 @@ In this article, you can learn how to configure the [Cloudflare Web Application
 
 ## Prerequisites
 
-To get started, you'll need:
+To get started, you need:
 
-- An Azure subscription 
-  - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/)
-- [An Azure AD B2C tenant](tutorial-create-tenant.md) linked to your Azure subscription
-- A [Cloudflare](https://dash.cloudflare.com/sign-up) account
+- An Azure subscription. If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/).
+- [An Azure AD B2C tenant](tutorial-create-tenant.md) linked to your Azure subscription.
+- A [Cloudflare](https://dash.cloudflare.com/sign-up) account.
 
 ## Scenario description
 
 Cloudflare WAF integration includes the following components:
 
-- **Azure AD B2C tenant** – The authorization server that verifies user credentials using the custom policies defined in the tenant. It's known as the identity provider
+- **Azure AD B2C tenant** – The authorization server that verifies user credentials using the custom policies defined in the tenant, known as the identity provider.
 - [**Azure Front Door**](../frontdoor/front-door-overview.md) – Enables custom domains for Azure B2C tenant. Traffic from Cloudflare WAF is routed to Azure Front Door before arriving at Azure AD B2C tenant.
-- **Cloudflare** – The web application firewall that manages traffic sent to the authorization server
+- **Cloudflare** – The web application firewall that manages traffic sent to the authorization server.
 
 ## Integrate with Azure AD B2C
 
@@ -58,6 +57,9 @@ The settings appear in the following image.
 
    ![Screenshot of proxied status.](./media/partner-cloudflare/select-proxied.png)
 
+> [!NOTE]
+> Azure Front Door-managed certificates aren't automatically renewed if your custom domain’s CNAME record points to a DNS record other than the Azure Front Door endpoint’s domain (for example, when using a third-party DNS service like Cloudflare). To renew the certificate in such cases, follow the instructions in the [Renew Azure Front Door-managed certificates](../frontdoor/domain.md#renew-azure-front-door-managed-certificates) article.
+
 ### Configure the Web Application Firewall
 
 Go to your Cloudflare settings, and use the Cloudflare content to [configure the WAF](https://www.cloudflare.com/application-services/products/waf/) and learn about other security tools. 

articles/active-directory-b2c/partner-cloudflare.md

@@ -40,7 +40,7 @@ To enable passkey authentication for your users, enable Nok Nok as an identity p
 
 The following diagram illustrates the Nok Nok solution as an IdP for Azure AD B2C by using OpenID Connect (OIDC) for passkey authentication.
 
-![Diagram of Nok Nok as IdP for Azure AD B2C using OpenID Connect (OIDC) for passkey authentication.](./media/partner-nok-nok/nok-nok-architecture-diagram.png)
+![Diagram for passkey authentication with Nok Nok as an IdP.](./media/partner-nok-nok/nok-nok-architecture-diagram.png)
 
 ### Scenario 1: Passkey registration
 1. The user navigates to the Nok Nok tutorial web app using the link provided by Nok Nok.
@@ -52,9 +52,11 @@ The following diagram illustrates the Nok Nok solution as an IdP for Azure AD B2
 ### Scenario 2: Passkey authentication
 1. The user selects the sign-in with Nok Nok Cloud button on the Azure AD B2C sign-in page.
 2. Azure AD B2C redirects the user to the Nok Nok sign-in app.
-3. The user authenticates with their passkey.
-4. The Nok Nok server validates the passkey assertion and sends an OIDC authentication response to Azure AD B2C.
-5. Based on the authentication result, Azure AD B2C either grants or denies access to the target application.
+3. The user requests passkey authentication
+4. The user authenticates with their passkey.
+5. The Nok Nok Cloud validates the passkey assertion
+6. The Nok Nok Cloud sends an OIDC authentication response to Azure AD B2C.
+7. Based on the authentication result, Azure AD B2C either grants or denies access to the target application.
 
 ## Get started with Nok Nok
 
@@ -125,6 +127,22 @@ For the following instructions, Nok Nok is a new OIDC IdP in the B2C identity pr
 
 If the flow is incomplete, confirm the user is or isn't saved in the directory.
 
+## Alternate flow for Authentication
+
+The following diagram illustrates an alternate passkey sign in or sign up flow using the ID Token Hint feature of Azure AD B2C. With this approach, an Azure custom policy verifies the ID Token Hint produced by the Nok Nok Cloud. For more details, please refer to the article, [Define an ID token hint technical profile in an Azure Active Directory B2C custom policy](./id-token-hint.md). Please contact Nok Nok support for help with integrated the required Azure custom policy.
+
+![Diagram for passkey authentication using ID Token Hint from Nok Nok.](./media/partner-nok-nok/nok-nok-id-token-hint-architecture-diagram.png)
+
+The following are the steps
+1. The user selects the sign-in with Nok Nok Cloud button.
+2. The Nok Nok Cloud request passkey authentication.
+3. The user authenticates with their passkey.
+4. The Nok Nok Cloud validates the passkey assertion.
+5. The ID Token Hint is returned.
+6. The App posts an OIDC request with the ID Token Hint to Azure AD B2C.
+7. Azure AD B2C Custom Policy verifies the ID Token Hint.
+8. Based on the authentication result, Azure AD B2C either grants or denies access to the target application.
+
 ## Next steps
 
 * [Azure AD B2C custom policy overview](./custom-policy-overview.md)

articles/active-directory-b2c/partner-nok-nok.md

@@ -1,7 +1,7 @@
 ---
 title: "What's new in Azure Active Directory business-to-customer (B2C)"
 description: "New and updated documentation for the Azure Active Directory business-to-customer (B2C)."
-ms.date: 04/01/2025
+ms.date: 07/03/2025
 ms.service: azure-active-directory
 ms.subservice: b2c
 ms.topic: whats-new
@@ -18,6 +18,15 @@ manager: CelesteDG
 
 Welcome to what's new in Azure Active Directory B2C documentation. This article lists new and significantly updated docs from the past three months. To learn what's new with the B2C service, see [What's new in Microsoft Entra ID](../active-directory/fundamentals/whats-new.md), [Azure AD B2C developer release notes](custom-policy-developer-notes.md) and [What's new in Microsoft Entra External ID](/entra/external-id/whats-new-docs).
 
+## June 2025
+
+### Updated articles
+
+- [Configure Cloudflare Web Application Firewall with Azure Active Directory B2C](partner-cloudflare.md) - Added a note about Azure Front Door-managed certificates
+- [Azure AD B2C: Frequently asked questions (FAQ)](faq.yml) - Updated the note in the Azure AD B2C end-of-sale section
+- [Page layout versions](page-layout.md) - Added updates related to CAPTCHA
+- [Securing phone-based multifactor authentication](phone-based-mfa.md) - Added information on preventing fraudulent sign-ups 
+
 ## April 2025
 
 ### Updated articles
@@ -32,12 +41,3 @@ This month, we added an important note to our articles stating that starting May
 ### Updated articles
 - [Error codes: Azure Active Directory B2C](error-codes.md) - Updated error messages
 
-## February 2025
-
-### Updated articles
-
-- [Enable multifactor authentication in Azure Active Directory B2C](multi-factor-authentication.md) - Added SMS pricing
-- [Page layout versions](page-layout.md) - Updated the latest versions of the self-asserted and MFA pages
-- [Azure AD B2C: Frequently asked questions (FAQ)](faq.yml) - Added billing name change for SMS phone
-- [Enable CAPTCHA in Azure Active Directory B2C](add-captcha.md) - Added CAPTCHA feature flag
-

articles/active-directory-b2c/whats-new-docs.md

@@ -35,7 +35,7 @@ If you want to create the app registration manually, follow these steps:
     1. Set **Name** to a meaningful name such as *api-center-portal*
     1. Under **Supported account types**, select **Accounts in this organizational directory (Single tenant)**. 
     1. In **Redirect URI**, select **Single-page application (SPA)** and set the URI. 
-        Enter the URI of your API Center portal deployment, in the following form: `https://<service-name>.portal.<location>.azure-api-center.ms`. Replace `<service name>` and `<location>` with the name of your API center and the location where it's deployed, Example: `https://myapicenter.portal.eastus.azure-api-center.ms`.
+        Enter the URI of your API Center portal deployment, in the following form: `https://<service-name>.portal.<location>.azure-apicenter.ms`. Replace `<service name>` and `<location>` with the name of your API center and the location where it's deployed, Example: `https://myapicenter.portal.eastus.azure-apicenter.ms`.
     1. Select **Register**.
 
 #### Configure additional redirect URIs for VS Code extension
@@ -49,4 +49,4 @@ When enabling the API Center portal view in the Visual Studio Code extension for
     `http://localhost`<br/>
     `ms-appx-web://Microsoft.AAD.BrokerPlugin/<application-client-id>`<br/>
 
-    Replace `<application-client-id>` with the application (client) ID of this app. You can find this value on the **Overview** page of the app registration. 
+    Replace `<application-client-id>` with the application (client) ID of this app. You can find this value on the **Overview** page of the app registration. 

articles/api-center/includes/api-center-portal-app-registration.md

@@ -48,7 +48,7 @@ After you create the API Center portal app registration, you need to configure a
 You can now access the API Center portal:
 * On the **Portal settings** page, select **View API Center portal** to open the portal in a new tab. 
 * Or, enter the following URL in your browser, replacing `<service-name>` and `<location>` with the name of your API center and the location where it's deployed:<br/>
-    `https://<service-name>.portal.<location>.azure-api-center.ms`
+    `https://<service-name>.portal.<location>.azure-apicenter.ms`
 
 ### API visibility
 
@@ -96,4 +96,4 @@ To use AI-assisted search when signed in to the API Center portal, click in the
 
 ## Related content
 
-* [Enable and view Azure API Center portal in Visual Studio Code](enable-api-center-portal-vs-code-extension.md)
+* [Enable and view Azure API Center portal in Visual Studio Code](enable-api-center-portal-vs-code-extension.md)

articles/api-center/set-up-api-center-portal.md

@@ -103,7 +103,7 @@ Following are steps to configure your API Management instance to use a managed i
     ```
 
 > [!TIP]
-> An alternative to using the `authentication-managed-identity` and `set-header` policies shown in this example is to configure a [backend](backends.md) resource that directs API requests to the Azure OpenAI Service endpoint. In the backend configuration, enable managed identity authentication to the Azure OpenAI Service. Azure API Management automates these steps when importing an API directly from Azure OpenAI Service. For more information, see [Import API from Azure OpenAI Service](azure-openai-api-from-specification.md#option-1-import-api-from-azure-openai-service). 
+> An alternative to using the `authentication-managed-identity` and `set-header` policies shown in this example is to configure a [backend](backends.md) resource that directs API requests to the Azure OpenAI Service endpoint. In the backend configuration, enable managed identity authentication to the Azure OpenAI Service. Azure API Management automates these steps when importing an API directly from Azure OpenAI Service. For more information, see [Import API from Azure OpenAI Service](azure-openai-api-from-specification.md#option-1-import-api-from-azure-openai). 
 
 ## OAuth 2.0 authorization using identity provider
 

articles/api-management/api-management-authenticate-authorize-azure-openai.md

@@ -81,7 +81,7 @@ The following tables compare features available in the following API Management
 | [Outbound virtual network integration](integrate-vnet-outbound.md)  | ❌ | Standard  v2, Premium v2  |  ❌ | ❌ | ✔️ |
 | [Availability zones](zone-redundancy.md)  |  Premium | ✔️<sup>3</sup>  | ❌ | ✔️<sup>1</sup> | ✔️<sup>3</sup> |
 | [Multi-region deployment](api-management-howto-deploy-multi-region.md) |  Premium | ❌ |  ❌ | ✔️<sup>1</sup> | ❌ |
-| [CA root certificates](api-management-howto-ca-certificates.md) for certificate validation |  ✔️ | ✔️ | ❌ | ✔️<sup>4</sup> |  ❌ |
+| [CA root certificates](api-management-howto-ca-certificates.md) for certificate validation |  ✔️ | ❌ | ❌ | ✔️<sup>4</sup> |  ❌ |
 | [Managed domain certificates](configure-custom-domain.md?tabs=managed#domain-certificate-options) |  Developer, Basic, Standard, Premium | ❌ | ✔️ | ❌ | ❌ |
 | [TLS settings](api-management-howto-manage-protocols-ciphers.md) |  ✔️ | ✔️ | ✔️ | ✔️ | ❌ |
 | **HTTP/2** (Client-to-gateway) | ✔️<sup>5</sup> | ✔️<sup>5</sup> |❌ | ✔️ | ❌ |