Updates

Author: guardrex

aspnetcore/blazor/call-web-api.md

@@ -5,7 +5,7 @@ description: Learn how to call a web API from Blazor apps.
 monikerRange: '>= aspnetcore-3.1'
 ms.author: wpickett
 ms.custom: mvc
-ms.date: 06/06/2025
+ms.date: 06/09/2025
 uid: blazor/call-web-api
 ---
 # Call a web API from ASP.NET Core Blazor
@@ -138,7 +138,7 @@ Use a shared Data Protection key ring in production so that instances of the app
 >
 > Later in the development and testing period, enable token encryption and adopt a shared Data Protection key ring.
 
-The following example shows how to use [Azure Blob Storage and Azure Key Vault (`PersistKeysToAzureBlobStorage`/`ProtectKeysWithAzureKeyVault`)](xref:security/data-protection/configuration/overview#protect-keys-with-azure-key-vault-protectkeyswithazurekeyvault) for the shared key ring. The service configurations are base case scenarios for demonstration purposes. Before deploying production apps, familiarize yourself with the Azure services and adopt best practices using their dedicated documentation sets, which are listed at the end of this section.
+The following example shows how to use [Azure Blob Storage and Azure Key Vault (`PersistKeysToAzureBlobStorage`/`ProtectKeysWithAzureKeyVault`)](xref:security/data-protection/configuration/overview#protect-keys-with-azure-key-vault-protectkeyswithazurekeyvault) for the shared key ring. The service configurations are base case scenarios for demonstration purposes. Before deploying production apps, familiarize yourself with the Azure services and adopt best practices using the Azure services' dedicated documentation sets, which are cross-linked at the end of this section.
 
 Add the following packages to the server project of the Blazor Web App:
 
@@ -175,7 +175,7 @@ builder.Services.AddDataProtection()
     .PersistKeysToAzureBlobStorage(new Uri("{BLOB URI}"), credential)
     .ProtectKeysWithAzureKeyVault(new Uri("{KEY IDENTIFIER}"), credential);
 
-/* Blob URI with SAS approach
+/* Alternative without using an Azure Managed Identity: SAS approach
 builder.Services.AddDataProtection()
     .SetApplicationName("BlazorWebAppEntra")
     .PersistKeysToAzureBlobStorage(new Uri("{BLOB URI WITH SAS}"))
@@ -187,7 +187,7 @@ builder.Services.AddDataProtection()
 
 `{BLOB URI}`: Full URI to the key file. The URI is generated by Azure Storage when you create the key file. Do not use a SAS.
 
-`{BLOB URI WITH SAS}`: The full URI where the key file should be stored with the SAS token as a query string parameter. The URI is generated by Azure Storage when you request a SAS for the uploaded key file.
+`{BLOB URI WITH SAS}`: *This approach only applies if you opt not to use an Azure Managed Identity.* The full URI where the key file should be stored with the SAS token as a query string parameter. The URI is generated by Azure Storage when you request a SAS for the uploaded key file.
 
 `{KEY IDENTIFIER}`: Azure Key Vault key identifier used for key encryption. An access policy allows the application to access the key vault with `Get`, `Unwrap Key`, and `Wrap Key` permissions. The key identifier is obtained from the key in the Entra or Azure portal after it's created. If you enable autorotation of the key vault key, make sure that you use a versionless key identifier in the app's key vault configuration, where no key GUID is placed at the end of the identifier (example: `https://contoso.vault.azure.net/keys/data-protection`).
 
@@ -229,6 +229,7 @@ For more information, see the following resources:
 * [Host ASP.NET Core in a web farm: Data Protection](xref:host-and-deploy/web-farm#data-protection)
 * [Azure Key Vault documentation](/azure/key-vault/general/)
 * [Azure Storage documentation](/azure/storage/)
+* [Provide access to Key Vault keys, certificates, and secrets with Azure role-based access control](/azure/key-vault/general/rbac-guide?tabs=azure-cli)
 
 ## Sample apps
 

aspnetcore/blazor/security/blazor-web-app-with-entra.md

@@ -5,7 +5,7 @@ description: Learn how to secure a Blazor Web App with Microsoft Entra ID.
 monikerRange: '>= aspnetcore-9.0'
 ms.author: wpickett
 ms.custom: mvc
-ms.date: 06/06/2025
+ms.date: 06/09/2025
 uid: blazor/security/blazor-web-app-entra
 zone_pivot_groups: blazor-web-app-entra-specification
 ---
@@ -763,7 +763,7 @@ Use a shared Data Protection key ring in production so that instances of the app
 >
 > Later in the development and testing period, enable token encryption and adopt a shared Data Protection key ring.
 
-The following example shows how to use [Azure Blob Storage and Azure Key Vault (`PersistKeysToAzureBlobStorage`/`ProtectKeysWithAzureKeyVault`)](xref:security/data-protection/configuration/overview#protect-keys-with-azure-key-vault-protectkeyswithazurekeyvault) for the shared key ring. The service configurations are base case scenarios for demonstration purposes. Before deploying production apps, familiarize yourself with the Azure services and adopt best practices using their dedicated documentation sets, which are listed at the end of this section.
+The following example shows how to use [Azure Blob Storage and Azure Key Vault (`PersistKeysToAzureBlobStorage`/`ProtectKeysWithAzureKeyVault`)](xref:security/data-protection/configuration/overview#protect-keys-with-azure-key-vault-protectkeyswithazurekeyvault) for the shared key ring. The service configurations are base case scenarios for demonstration purposes. Before deploying production apps, familiarize yourself with the Azure services and adopt best practices using the Azure services' dedicated documentation sets, which are cross-linked at the end of this section.
 
 Confirm the presence of the following packages in the server project of the Blazor Web App:
 
@@ -799,12 +799,8 @@ else
 
 builder.Services.AddDataProtection()
     .SetApplicationName("BlazorWebAppEntra")
-    .PersistKeysToAzureBlobStorage(
-        new Uri("{BLOB URI}"),
-        credential)
-    .ProtectKeysWithAzureKeyVault(
-        new Uri("{KEY IDENTIFIER}"),
-        credential);
+    .PersistKeysToAzureBlobStorage(new Uri("{BLOB URI}"), credential)
+    .ProtectKeysWithAzureKeyVault(new Uri("{KEY IDENTIFIER}"), credential);
 
 /* Blob URI with SAS approach
 builder.Services.AddDataProtection()
@@ -818,12 +814,12 @@ builder.Services.AddDataProtection()
 
 `{BLOB URI}`: Full URI to the key file. The URI is generated by Azure Storage when you create the key file. Do not use a SAS.
 
-`{BLOB URI WITH SAS}`: The full URI where the key file should be stored with the SAS token as a query string parameter. The URI is generated by Azure Storage when you request a SAS for the uploaded key file.
+`{BLOB URI WITH SAS}`: *This approach only applies if you opt not to use an Azure Managed Identity.* The full URI where the key file should be stored with the SAS token as a query string parameter. The URI is generated by Azure Storage when you request a SAS for the uploaded key file.
 
 `{KEY IDENTIFIER}`: Azure Key Vault key identifier used for key encryption. An access policy allows the application to access the key vault with `Get`, `Unwrap Key`, and `Wrap Key` permissions. The version of the key is obtained from the key in the Entra or Azure portal after it's created. If you enable autorotation of the key vault key, make sure that you use a versionless key identifier in the app's key vault configuration, where no key GUID is placed at the end of the identifier (example: `https://contoso.vault.azure.net/keys/data-protection`).
 
 > [!NOTE]
-> The preceding example uses <xref:Azure.Identity.DefaultAzureCredential> locally (non-Production environment) to simplify authentication while developing apps that deploy to Azure by combining credentials used in Azure hosting environments with credentials used in local development. When moving to production, an alternative is a better choice, such as the <xref:Azure.Identity.ManagedIdentityCredential> shown in the preceding example. For more information, see [Authenticate Azure-hosted .NET apps to Azure resources using a system-assigned managed identity](/dotnet/azure/sdk/authentication/system-assigned-managed-identity).
+> The preceding example uses <xref:Azure.Identity.DefaultAzureCredential> locally (non-Production environment) to simplify authentication while developing apps that deploy to Azure by combining credentials used in Azure hosting environments with credentials used in local development. For more information, see [Authenticate Azure-hosted .NET apps to Azure resources using a system-assigned managed identity](/dotnet/azure/sdk/authentication/system-assigned-managed-identity).
 
 Alternatively, you can configure the app to supply the values from app settings files using the JSON Configuration Provider. Add the following to the app settings file:
 
@@ -845,10 +841,13 @@ Example `DataProtection` section:
 ```json
 "DataProtection": {
   "BlobUri": "https://contoso.blob.core.windows.net/data-protection/keys.xml",
-  "KeyIdentifier": "https://contoso.vault.azure.net/keys/data-protection/11112222bbbb3333cccc4444dddd5555"
+  "KeyIdentifier": "https://contoso.vault.azure.net/keys/data-protection"
 }
 ```
 
+> [!NOTE]
+> The key identifier in the preceding example is *versionless*. There's no GUID key version on the end of the identifier. This is particularly important if you opt to configure automatic key rotation for the key. For more information, see [Configure cryptographic key auto-rotation in Azure Key Vault: Key rotation policy](/azure/key-vault/keys/how-to-configure-key-rotation#key-rotation-policy).
+
 Make the following changes in the `Program` file:
 
 ```diff
@@ -873,12 +872,8 @@ builder.Services.Configure<MsalDistributedTokenCacheAdapterOptions>(
 
 - builder.Services.AddDataProtection()
 -     .SetApplicationName("BlazorWebAppEntra")
--     .PersistKeysToAzureBlobStorage(
--         new Uri("{BLOB URI}"),
--         credential)
--     .ProtectKeysWithAzureKeyVault(
--         new Uri("{KEY IDENTIFIER}"),
--         credential);
+-     .PersistKeysToAzureBlobStorage(new Uri("{BLOB URI}"), credential)
+-     .ProtectKeysWithAzureKeyVault(new Uri("{KEY IDENTIFIER}"), credential);
 ```
 
 Add the following code where services are configured in the `Program` file:
@@ -908,6 +903,7 @@ For more information on using a shared Data Protection key ring and key storage
 * <xref:security/data-protection/implementation/key-storage-providers>
 * [Azure Key Vault documentation](/azure/key-vault/general/)
 * [Azure Storage documentation](/azure/storage/)
+* [Provide access to Key Vault keys, certificates, and secrets with Azure role-based access control](/azure/key-vault/general/rbac-guide?tabs=azure-cli)
 
 ## Redirect to the home page on logout
 

aspnetcore/release-notes/aspnetcore-9/includes/delete_keys.md

@@ -2,4 +2,4 @@
 
 Prior to .NET 9, data protection keys were ___not___ deletable by design, to prevent data loss. Deleting a key renders its protected data irretrievable. Given their small size, the accumulation of these keys generally posed minimal impact. However, to accommodate extremely long-running services, we have introduced the option to delete keys. Generally, only old keys should be deleted. Only delete keys when you can accept the risk of data loss in exchange for storage savings. We recommend data protection keys should ___not___ be deleted.
 
-:::code language="csharp" source="~/security/data-protection/configuration/samples/9.x/deleteKeys/Program.cs" :::
+:::code language="csharp" source="~/security/data-protection/configuration/samples/9.x/deleteKeys/Program.cs":::

aspnetcore/security/data-protection/configuration/default-settings.md

@@ -58,7 +58,7 @@ Deleting a key makes its protected data permanently inaccessible. To mitigate th
 
 We recommend not deleting data protection keys.
 
-:::code language="csharp" source="~/security/data-protection/configuration/samples/9.x/deleteKeys/Program.cs" :::
+:::code language="csharp" source="~/security/data-protection/configuration/samples/9.x/deleteKeys/Program.cs":::
 
 ## Additional resources