You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/active-directory-b2c/phone-based-mfa.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,13 +1,13 @@
1
1
---
2
-
title: Securing phone-based MFA in Azure AD B2C
2
+
title: Secure phone-based MFA in Azure AD B2C
3
3
titleSuffix: Azure AD B2C
4
4
description: Learn tips for securing phone-based multifactor authentication in your Azure AD B2C tenant by using Azure Monitor Log Analytics reports and alerts. Use our workbook to identify fraudulent phone authentications and mitigate fraudulent sign-ups. =
5
5
6
6
author: kengaderdus
7
7
manager: CelesteDG
8
8
ms.service: azure-active-directory
9
9
ms.topic: how-to
10
-
ms.date: 1/23/2025
10
+
ms.date: 02/03/2026
11
11
ms.author: kengaderdus
12
12
ms.subservice: b2c
13
13
ms.custom: sfi-image-nochange
@@ -17,7 +17,7 @@ ms.custom: sfi-image-nochange
17
17
#Customer intent: As an Azure AD B2C administrator, I want to monitor phone authentication failures and mitigate fraudulent sign-ups, so that I can protect against malicious use of the telephony service and ensure a secure authentication process.
With Microsoft Entra multifactor authentication, users can choose to receive an automated voice call at a phone number they register for verification. Malicious users could take advantage of this method by creating multiple accounts and placing phone calls without completing the MFA registration process. These numerous failed sign-ups could exhaust the allowed sign-up attempts, preventing other users from signing up for new accounts in your Azure AD B2C tenant. To help protect against these attacks, you can use Azure Monitor to monitor phone authentication failures and mitigate fraudulent sign-ups.
@@ -144,8 +144,8 @@ To help prevent fraudulent sign-ups, remove any country/region codes that do not
144
144
</RelyingParty>
145
145
</TrustFrameworkPolicy>
146
146
```
147
-
> [!IMPORTANT]
148
-
>Add the code in step 2 to the _relying party policy_ to enforce country/region code restrictions on the server side. You must not define these elements only in parent policies; put them in the relying party policy.
147
+
> [!IMPORTANT]
148
+
>Add the code in step 2 to the _relying party policy_ to enforce country/region code restrictions on the server side. You must not define these elements only in parent policies; put them in the relying party policy.
149
149
150
150
1. In the `BuildingBlocks` section of this policy file, add the following code. Make sure to include only the country/region codes relevant to your organization:
|<aid="ref-context-request"></a>`context.Request`|`Body`: [`IMessageBody`](#ref-imessagebody) or `null` if request doesn't have a body.<br /><br /> `Certificate`: `System.Security.Cryptography.X509Certificates.X509Certificate2`<br /><br /> [`Headers`](#ref-context-request-headers): `IReadOnlyDictionary<string, string[]>`<br /><br /> `IpAddress`: `string`<br /><br /> `MatchedParameters`: `IReadOnlyDictionary<string, string>`<br /><br /> `Method`: `string`<br /><br /> `OriginalUrl`: [`IUrl`](#ref-iurl)<br /><br /> `Url`: [`IUrl`](#ref-iurl)<br /><br /> `PrivateEndpointConnection`: [`IPrivateEndpointConnection`](#ref-iprivateendpointconnection) or `null` if request doesn't come from a private endpoint connection.|
215
+
|<aid="ref-context-request"></a>`context.Request`|`Body`: [`IMessageBody`](#ref-imessagebody) or `null` if request doesn't have a body.<br /><br /> `Certificate`: `System.Security.Cryptography.X509Certificates.X509Certificate2`<br /><br /> [`Foundry`](#ref-context-request-foundry)<br /><br /> [`Headers`](#ref-context-request-headers): `IReadOnlyDictionary<string, string[]>`<br /><br /> `IpAddress`: `string`<br /><br /> `MatchedParameters`: `IReadOnlyDictionary<string, string>`<br /><br /> `Method`: `string`<br /><br /> `OriginalUrl`: [`IUrl`](#ref-iurl)<br /><br /> `Url`: [`IUrl`](#ref-iurl)<br /><br /> `PrivateEndpointConnection`: [`IPrivateEndpointConnection`](#ref-iprivateendpointconnection) or `null` if request doesn't come from a private endpoint connection.|
216
+
|<aid="ref-context-request-foundry"></a>`context.Request.Foundry`|`Deployment`: `string` - The model deployment ID in Microsoft Foundry associated with the request.|
215
217
|<aid="ref-context-request-headers"></a>`string context.Request.Headers.GetValueOrDefault(headerName: string, defaultValue: string)`|`headerName`: `string`<br /><br /> `defaultValue`: `string`<br /><br /> Returns comma-separated request header values or `defaultValue` if the header isn't found.|
Copy file name to clipboardExpand all lines: articles/api-management/backends.md
+44-20Lines changed: 44 additions & 20 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,11 +1,11 @@
1
1
---
2
-
title: Azure API Management backends | Microsoft Docs
2
+
title: Azure API Management Backends | Microsoft Docs
3
3
description: Learn about backends in Azure API Management. Backend entities encapsulate information about backend services, promoting reusability across APIs and governance.
4
4
services: api-management
5
5
author: dlepow
6
6
ms.service: azure-api-management
7
7
ms.topic: concept-article
8
-
ms.date: 11/20/2025
8
+
ms.date: 01/15/2026
9
9
ms.author: danlep
10
10
ms.custom:
11
11
- build-2024
@@ -23,28 +23,28 @@ When you import certain APIs, API Management automatically configures the API ba
23
23
* A [SOAP API](import-soap-api.md).
24
24
25
25
For other APIs, such as APIs from Azure services, you import an Azure resource without specifying the backend service explicitly. Examples include:
26
-
* An HTTP-triggered [Azure Function App](import-function-app-as-api.md)
26
+
* An HTTP-triggered [Azure Function App](import-function-app-as-api.md).
27
27
* A [Logic App](import-logic-app-as-api.md).
28
28
29
29
API Management also supports using other resources as an API backend, such as:
30
30
* A [Service Fabric cluster](how-to-configure-service-fabric-backend.yml).
31
-
* AI services
32
-
* A custom service
31
+
* AI services.
32
+
* A custom service.
33
33
34
34
For these backends, you can create a *backend entity* in API Management and reference it in your APIs.
35
35
36
36
## Benefits of backends
37
37
38
-
API Management supports backend entities so you can manage the backend services of your API. A backend entity encapsulates information about the backend service, promoting reusability across APIs and improved governance.
38
+
API Management supports backend entities so you can manage the backend services of your API. A backend entity encapsulates information about the backend service, which promotes reusability across APIs and improves governance.
39
39
40
-
Use backends for one or more of the following:
40
+
Use backends for one or more of the following tasks:
41
41
42
-
* Authorize the credentials of requests to the backend service
43
-
* Take advantage of API Management functionality to maintain secrets in Azure Key Vault if [named values](api-management-howto-properties.md) are configured for header or query parameter authentication
44
-
* Define circuit breaker rules to protect your backend from too many requests
45
-
* Route or load-balance requests to multiple backends
42
+
* Authorize the credentials of requests to the backend service.
43
+
* Take advantage of API Management functionality to maintain secrets in Azure Key Vault if [named values](api-management-howto-properties.md) are configured for header or query parameter authentication.
44
+
* Define circuit breaker rules to protect your backend from too many requests.
45
+
* Route or load-balance requests to multiple backends.
46
46
47
-
Configure and manage backend entities in the Azure portal, or by using Azure APIs or tools.
47
+
You can configure and manage backend entities in the Azure portal, or by using Azure APIs or tools.
48
48
49
49
## Create a backend
50
50
@@ -98,7 +98,7 @@ If the backend service is secured with a certificate issued by a well-known CA,
98
98
99
99
### Configure CA certificate
100
100
101
-
If the backend service uses a custom CA certificate, you can reference the custom CA certificate in the backend entity. You might need to do this step to establish trust for the backend server certificate - for example, with self-signed certificates, untrusted root certificates, or partial certificate chains.
101
+
If the backend service uses a custom CA certificate, you can reference the custom CA certificate in the backend entity. You might need to add a custom CA certificate to establish trust for the backend server certificate - for example, with self-signed certificates, untrusted root certificates, or partial certificate chains.
102
102
103
103
> [!NOTE]
104
104
> Currently, you can only configure CA certificate details in a backend entity in the [v2 tiers](v2-service-tiers-overview.md).
@@ -123,7 +123,7 @@ To add CA certificate details, follow these steps:
123
123
124
124
## Reference backend using set-backend-service policy
125
125
126
-
After creating a backend, you can reference the backend identifier (name) in your APIs. Use the [`set-backend-service`](set-backend-service-policy.md) policy to direct an incoming API request to the backend. If you already configured a backend web service for an API, you can use the `set-backend-service` policy to redirect the request to a backend entity instead. For example:
126
+
After creating a backend, reference the backend identifier (name) in your APIs. Use the [`set-backend-service`](set-backend-service-policy.md) policy to direct an incoming API request to the backend. If you already configured a backend web service for an API, use the `set-backend-service` policy to redirect the request to a backend entity instead. For example:
127
127
128
128
```xml
129
129
<policies>
@@ -135,11 +135,11 @@ After creating a backend, you can reference the backend identifier (name) in you
135
135
<policies/>
136
136
```
137
137
> [!NOTE]
138
-
> Alternatively, you can use `base-url`. Usually, the format is `https://backend.com/api`. Avoid adding a slash at the end to prevent misconfigurations. Typically, the `base-url` and HTTP(S) endpoint value in the backend should match to enable seamless integration between frontend and backend. Note that API Management instances append the backend service name to the `base-url`.
138
+
> Alternatively, you can use `base-url`. Usually, the format is `https://backend.com/api`. Avoid adding a slash at the end to prevent misconfigurations. Typically, the `base-url` and HTTP(S) endpoint value in the backend should match to enable seamless integration between frontend and backend. API Management instances append the backend service name to the `base-url`.
139
139
140
-
You can use conditional logic with the `set-backend-service` policy to change the effective backend based on location, gateway that was called, or other expressions.
140
+
Use conditional logic with the `set-backend-service` policy to change the effective backend based on location, gateway that was called, or other expressions.
141
141
142
-
For example, here is a policy to route traffic to another backend based on the gateway that was called:
142
+
For example, the following policy routes traffic to another backend based on the gateway that was called:
143
143
144
144
```xml
145
145
<policies>
@@ -275,7 +275,7 @@ Include a JSON snippet similar to the following in your ARM template for a backe
275
275
276
276
## Load-balanced pool
277
277
278
-
API Management supports backend *pools* when you want to implement multiple backends for an API and load-balance requests across those backends. A pool is a collection of backends that are treated as a single entity for load balancing.
278
+
API Management supports backend *pools* when you want to implement multiple backends for an API and load-balance requests across those backends. A pool is a collection of backends that the service treats as a single entity for load balancing.
279
279
280
280
Use a backend pool for scenarios such as the following scenarios:
281
281
@@ -303,7 +303,7 @@ API Management supports the following load balancing options for backend pools:
303
303
304
304
### Session awareness
305
305
306
-
With any of the preceding load balancing options, you can enable **session awareness** (session affinity) to ensure that all requests from a specific user during a session go to the same backend in the pool. API Management sets a session ID cookie to maintain session state. This option is useful, for example, in scenarios with backends such as AI chat assistants or other conversational agents to route requests from the same session to the same endpoint.
306
+
By using any of the preceding load balancing options, you can enable **session awareness** (session affinity) to ensure that all requests from a specific user during a session go to the same backend in the pool. API Management sets a session ID cookie to maintain session state. This option is useful, for example, in scenarios with backends such as AI chat assistants or other conversational agents to route requests from the same session to the same endpoint.
307
307
308
308
> [!NOTE]
309
309
> Session awareness in load-balanced pools is being released first to the **AI Gateway Early**[update group](configure-service-update-settings.md).
@@ -312,7 +312,7 @@ With any of the preceding load balancing options, you can enable **session aware
312
312
313
313
When you use session awareness, the client must handle cookies appropriately. The client needs to store the `Set-Cookie` header value and send it with subsequent requests to maintain session state.
314
314
315
-
You can use API Management policies to help set cookies for session awareness. For example, for the case of the Assistants API (a feature of [Azure OpenAI in Microsoft Foundry Models](/azure/ai-services/openai/concepts/models)), the client needs to keep the session ID, extract the thread ID from the body, and keep the pair and send the right cookie for each call. Moreover, the client needs to know when to send a cookie or when not to send a cookie header. These requirements can be handled appropriately by defining the following example policies:
315
+
You can use API Management policies to help set cookies for session awareness. For example, in the case of the Assistants API (a feature of [Azure OpenAI in Microsoft Foundry Models](/azure/ai-services/openai/concepts/models)), the client needs to keep the session ID, extract the thread ID from the body, and keep the pair and send the right cookie for each call. Moreover, the client needs to know when to send a cookie or when not to send a cookie header. These requirements can be handled appropriately by defining the following example policies:
316
316
317
317
318
318
```xml
@@ -440,6 +440,30 @@ This example includes an optional `sessionAffinity` pool configuration for sessi
440
440
441
441
---
442
442
443
+
## Context.Backend variable
444
+
When you configure a backend entity in API Management, you can access backend properties in policies by using the `context.Backend`[context variable](api-management-policy-expressions.md#ContextVariables).
445
+
446
+
The following table lists the properties of the `context.Backend` variable.
447
+
448
+
| Property | Description |
449
+
|----------|-------------|
450
+
|`Id`| The resource identifier of the backend entity. |
451
+
|`Type`| The type of the backend: `Single` or `Pool`.|
452
+
|`AzureRegion`| The backend region, if specified. |
453
+
454
+
### Example
455
+
456
+
The following example shows how to set a custom header with the backend type in an inbound policy:
0 commit comments