Merge pull request #306412 from v-albemi/credentials-providers

Freshness Edit: Azure API

Author: JamesJBarnett

articles/api-management/credentials-configure-common-providers.md

@@ -1,70 +1,70 @@
 ---
-title: Configure credential providers - Azure API Management | Microsoft Docs
-description: Learn how to configure common credential providers in Azure API Management's credential manager. Example providers are Microsoft Entra and generic OAuth 2.0.  
+title: Configure Credential Providers - Azure API Management | Microsoft Docs
+description: Learn how to configure common credential providers in the Azure API Management credential manager. Providers include Microsoft Entra and generic OAuth.  
 services: api-management
 author: dlepow
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 11/10/2023
+ms.date: 10/03/2025
 ms.author: danlep
 ms.custom: sfi-image-nochange
+# Customer intent: As an Azure service administrator, I want to learn how to configure common credential providers in the API Management credential manager.
 ---
 
 # Configure common credential providers in credential manager
 
 [!INCLUDE [api-management-availability-all-tiers](../../includes/api-management-availability-all-tiers.md)]
 
-In this article, you learn about configuring identity providers for managed [connections](credentials-overview.md) in your API Management instance. Settings for the following common providers are shown:
+In this article, you learn about configuring identity providers for managed [connections](credentials-overview.md) in your Azure API Management instance. Settings for the following common providers are shown:
 
-* Microsoft Entra provider
-* Generic OAuth 2.0 provider
+* Microsoft Entra 
+* Generic OAuth 2
 
-You configure a credential provider in your API Management instance's credential manager. For a step-by-step example of configuring a Microsoft Entra provider and connection, see:
-
-* [Configure credential manager - Microsoft Graph API](authorizations-how-to-azure-ad.md)
+You configure a credential provider in the credential manager in your API Management instance. For a step-by-step example of configuring a Microsoft Entra provider and connection, see [Configure credential manager - Microsoft Graph API](authorizations-how-to-azure-ad.md).
 
 ## Prerequisites
 
 To configure any of the supported providers in API Management, first configure an OAuth 2.0 app in the identity provider that will be used to authorize API access. For configuration details, see the provider's developer documentation.
 
-* If you're creating a credential provider that uses the authorization code grant type, configure a **Redirect URL** (sometimes called Authorization Callback URL or a similar name) in the app. For the value, enter `https://authorization-manager.consent.azure-apim.net/redirect/apim/<YOUR-APIM-SERVICENAME>`.
+* If you're creating a credential provider that uses the authorization code grant type, configure a redirect URL (sometimes called an Authorization Callback URL or a similar name) in the app. For the value, enter `https://authorization-manager.consent.azure-apim.net/redirect/apim/<API-management-instance-name>`.
 
-* Depending on your scenario, configure app settings such as scopes (API permissions).
+* Depending on your scenario, configure app settings like scopes (API permissions).
 
 * Minimally, retrieve the following app credentials that will be configured in API Management: the app's **client ID** and **client secret**.
 
-* Depending on the provider and your scenario, you might need to retrieve other settings such as authorization endpoint URLs or scopes.
+* Depending on the provider and your scenario, you might need to retrieve other settings, like authorization endpoint URLs or scopes.
 
 * The provider's authorization endpoints must be reachable over the internet from your API Management instance. If your API Management instance is secured in a virtual network, configure network or firewall rules to allow access to the provider's endpoints.
 
 ## Microsoft Entra provider
 
-API credential manager supports the Microsoft Entra identity provider, which is the identity service in Microsoft Azure that provides identity management and access control capabilities. It allows users to securely sign in using industry-standard protocols.
+API Management credential manager supports the Microsoft Entra identity provider, which is the identity service in Azure that provides identity management and access control capabilities. It enables users to securely sign in via industry-standard protocols.
 
-* **Supported grant types**: authorization code, client credentials
+**Supported grant types**: authorization code, client credentials
 
 > [!NOTE]
->  Currently, the Microsoft Entra credential provider supports only the Azure AD v1.0 endpoints.
+>  Currently, the Microsoft Entra credential provider supports only Azure Active Directory v1.0 endpoints.
  
 
 ### Microsoft Entra provider settings
 
 [!INCLUDE [api-management-authorization-azure-ad-provider](../../includes/api-management-authorization-azure-ad-provider.md)]
 
 
-## Generic OAuth 2.0 providers
+## Generic OAuth providers
 
-You can use two generic providers for configuring connections:
+You can use three generic providers for configuring connections:
 
 * Generic OAuth 2.0
 * Generic OAuth 2.0 with PKCE 
+* Generic OAuth 2.1 with PKCE with DCR
 
-A generic provider allows you to use your own OAuth 2.0 identity provider based on your specific needs. 
+A generic provider enables you to use your own OAuth identity provider, based on your specific needs. 
 
 > [!NOTE]
-> We recommend using the generic OAuth 2.0 with PKCE provider for improved security if your identity provider supports it. [Learn more](https://oauth.net/2/pkce/)
+> We recommend using a PKCE provider for improved security if your identity provider supports it. For more information, see [Proof Key for Code Exchange](https://oauth.net/2/pkce/).
 
-* **Supported grant types**: authorization code, client credentials
+**Supported grant types**: authorization code, client credentials (depends on provider)
 
 ### Generic credential provider settings
 
@@ -76,9 +76,9 @@ API Management supports several providers for popular SaaS offerings, including
 
 :::image type="content" source="media/credentials-configure-common-providers/saas-providers.png" alt-text="Screenshot of identity providers listed in the portal.":::
 
-**Supported grant types**: authorization code, client credentials (depends on provider)
+**Supported grant types**: authorization code 
 
-Required settings for these providers differ from provider to provider but are similar to those for the [generic OAuth 2.0 providers](#generic-oauth-20-providers). Consult the developer documentation for each provider.
+Required settings for these providers differ, depending on the provider, but are similar to those for the [generic OAuth providers](#generic-oauth-providers). Consult the developer documentation for each provider.
 
 ## Related content
 

articles/api-management/media/credentials-configure-common-providers/saas-providers.png

@@ -2,17 +2,17 @@
 author: dlepow
 ms.service: azure-api-management
 ms.topic: include
-ms.date: 02/02/2023
+ms.date: 10/03/2025
 ms.author: danlep
 ---
 | Property | Description | Required | Default |
 |---|---|---|---|
-| Provider name | Name of credential provider resource in API Management |Yes | N/A | 
-| Identity provider  | Select **Azure Active Directory v1** |Yes | N/A | 
-| Grant type  | The OAuth 2.0 authorization grant type to use<br/><br/>Depending on your scenario, select either **Authorization code** or **Client credentials**. |Yes | Authorization code | 
-|**Authorization URL** | Authorization URL | No | `https://login.microsoftonline.com` |
-| Client ID | The application (client) ID used to identify the Microsoft Entra app | Yes | N/A |
-| Client secret | The client secret used for the Microsoft Entra app | Yes | N/A |
-| Resource URL | The URL of the resource that requires authorization<br/><br/> Example: `https://graph.microsoft.com` | Yes | N/A |
-| Tenant ID | The tenant ID of your Microsoft Entra app | No | common |  
-| Scopes | One or more API permissions for your Microsoft Entra app, separated by the " " character <br/><br/>Example: `ChannelMessage.Read.All User.Read` | No | API permissions set in Microsoft Entra app | 
+| **Credential provider name** | The name of the credential provider resource in API Management. |Yes | N/A | 
+| **Identity provider**  | Select **Azure Active Directory v1**. |Yes | N/A | 
+| **Grant type**  | The OAuth 2.0 authorization grant type to use.<br/><br/>Depending on your scenario, select either **Authorization code** or **Client credentials**. |Yes | **Authorization code** | 
+|**Authorization URL** | The authorization URL. | No | `https://login.microsoftonline.com` |
+| **Client ID** | The application (client) ID used to identify the Microsoft Entra app. | Yes | N/A |
+| **Client secret** | The client secret used for the Microsoft Entra app. | Yes | N/A |
+| **Resource URL** | The URL of the resource that requires authorization.<br/><br/> Example: `https://graph.microsoft.com` | Yes | N/A |
+| **Tenant ID** | The tenant ID of your Microsoft Entra app. | No | **common** |  
+| **Scopes** | One or more API permissions for your Microsoft Entra app, separated by spaces. <br/><br/>Example: `ChannelMessage.Read.All User.Read` | No | API permissions set in the Microsoft Entra app | 

includes/api-management-authorization-azure-ad-provider.md

@@ -2,17 +2,18 @@
 author: dlepow
 ms.service: azure-api-management
 ms.topic: include
-ms.date: 02/02/2023
+ms.date: 10/03/2025
 ms.author: danlep
 ---
 | Property | Description | Required | Default |
 |---|---|---|---|
-| Provider name | Name of credential provider resource in API Management |Yes | N/A | 
-| Identity provider  | Select **Generic Oauth 2** or **Generic Oauth 2 with PKCE**. |Yes | N/A | 
-| Grant type  | The OAuth 2.0 authorization grant type to use <br/><br/>Depending on your scenario and your identity provider, select either **Authorization code** or **Client credentials**. |Yes | Authorization code | 
-| Authorization URL | The authorization endpoint URL | No | UNUSED | 
-| Client ID | The ID used to identify an app to the identity provider's authorization server | Yes | N/A |
-| Client secret | The secret used by the app to authenticate with the identity provider's authorization server | Yes | N/A |
-| Refresh URL | The URL that your app makes a request to in order to exchange a refresh token for a renewed access token  | No | UNUSED |
-| Token URL | The URL on the identity provider's authorization server that is used to programmatically request tokens | Yes | N/A |
-| Scopes | One or more specific actions the app is allowed to do or information that it can request on a user's behalf from an API, separated by the " " character<br/><br/> Example: `user web api openid` | No | N/A | 
+| **Credential provider name** | The name of credential provider resource in API Management. |Yes | N/A | 
+| **Identity provider**  | Select **OAuth 2.0**, **OAuth 2.0 with PKCE**, or **OAuth 2.1 with PKCE with DCR**. |Yes | N/A | 
+| **Grant type**  | The OAuth 2.0 authorization grant type to use. <br/><br/>Depending on your scenario and your identity provider, select either **Authorization code** or **Client credentials**. |Yes | **Authorization code** | 
+| **Authorization URL** | The authorization endpoint URL. | Yes, for PKCE | UNUSED for OAuth 2.0| 
+| **Client ID** | The ID used to identify an app to the identity provider's authorization server. | Yes | N/A |
+| **Client secret** | The secret used by the app to authenticate with the identity provider's authorization server. | Yes | N/A |
+| **Refresh URL** | The URL that your app makes a request to in order to exchange a refresh token for a renewed access token.  | Yes, for PKCE | UNUSED for OAuth 2.0 |
+|**Server URL**|The base server URL. |Yes, for OAuth 2.1 with PKCE with DCR|N/A|
+| **Token URL** | The URL on the identity provider's authorization server that's used to programmatically request tokens. | Yes | N/A |
+| **Scopes** | One or more specific actions the app is allowed to do or information that it can request on a user's behalf from an API, separated by spaces.<br/><br/> Example: `user web api openid` | No | N/A |