Merge pull request #306794 from MicrosoftDocs/main

Auto Publish – main to live - 2025-10-10 17:00 UTC

Author: learn-build-service-prod[bot]

articles/api-management/media/protect-with-defender-for-apis/defender-for-apis-recommendations.png

@@ -6,24 +6,25 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 07/11/2024
+ms.date: 10/10/2025
 ms.author: danlep
 ms.custom: sfi-image-nochange
+# Customer intent: As an API admin, I want to enable advanced API security features in API Management by using Defender for Cloud.
 ---
-# Enable advanced API security features using Microsoft Defender for Cloud 
+# Enable advanced API security features by using Microsoft Defender for Cloud 
 
 [!INCLUDE [api-management-availability-premium-dev-standard-basic-premiumv2-standardv2-basicv2](../../includes/api-management-availability-premium-dev-standard-basic-premiumv2-standardv2-basicv2.md)]
 
-[Defender for APIs](/azure/defender-for-cloud/defender-for-apis-introduction), a capability of [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction), offers full lifecycle protection, detection, and response coverage for APIs that are managed in Azure API Management. The service empowers security practitioners to gain visibility into their business-critical APIs, understand their security posture, prioritize vulnerability fixes, and detect active runtime threats within minutes. 
+[Defender for APIs](/azure/defender-for-cloud/defender-for-apis-introduction), a capability of [Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction), provides full lifecycle protection, detection, and response coverage for APIs that are managed in Azure API Management. The service enables security practitioners to gain visibility into their business-critical APIs, understand their security posture, prioritize vulnerability fixes, and detect active runtime threats within minutes. 
 
 [!INCLUDE [api-management-workspace-availability](../../includes/api-management-workspace-availability.md)]
 
 Capabilities of Defender for APIs include:
 
 * Identify external, unused, or unauthenticated APIs
 * Classify APIs that receive or respond with sensitive data
-* Apply configuration recommendations to strengthen the security posture of APIs and API Management services
-* Detect anomalous and suspicious API traffic patterns and exploits of OWASP API top 10 vulnerabilities
+* Apply configuration recommendations to strengthen the security posture of APIs and API Management instances
+* Detect anomalous and suspicious API traffic patterns and exploits of OWASP API Top 10 vulnerabilities
 * Prioritize threat remediation
 * Integrate with SIEM systems and Defender Cloud Security Posture Management
 
@@ -32,14 +33,13 @@ This article shows how to use the Azure portal to enable Defender for APIs from
 ## Plan limitations
 
 * Currently, Defender for APIs discovers and analyzes REST APIs only. 
-* Defender for APIs currently doesn't onboard APIs that are exposed using the API Management [self-hosted gateway](self-hosted-gateway-overview.md) or managed using API Management [workspaces](workspaces-overview.md).
-* Some ML-based detections and security insights (data classification, authentication check, unused and external APIs) aren't supported in secondary regions in [multi-region](api-management-howto-deploy-multi-region.md) deployments. Defender for APIs relies on local data pipelines to ensure regional data residency and improved performance in such deployments. 
+* Defender for APIs currently doesn't onboard APIs that are exposed via the API Management [self-hosted gateway](self-hosted-gateway-overview.md) or managed via API Management [workspaces](workspaces-overview.md).
+* Some machine-learning-based detections and security insights (data classification, authentication check, unused and external APIs) aren't supported in secondary regions in [multi-region](api-management-howto-deploy-multi-region.md) deployments. Defender for APIs relies on local data pipelines to ensure regional data residency and improved performance in such deployments. 
 
-
 ## Prerequisites
 
 * At least one API Management instance in an Azure subscription. Defender for APIs is enabled at the level of an Azure subscription. 
-* One or more supported APIs must be imported to the API Management instance.
+* One or more supported APIs imported to the API Management instance.
 * Role assignment to [enable the Defender for APIs plan](/azure/defender-for-cloud/permissions).
 * Contributor or Owner role assignment on relevant Azure subscriptions, resource groups, or API Management instances that you want to secure. 
 
@@ -50,68 +50,71 @@ Onboarding APIs to Defender for APIs is a two-step process: enabling the Defende
 > [!TIP]
 > You can also onboard to Defender for APIs directly in the [Defender for Cloud interface](/azure/defender-for-cloud/defender-for-apis-deploy), where more API security insights and inventory experiences are available.
 
-
 ### Enable the Defender for APIs plan for a subscription
 
 1. Sign in to the [portal](https://portal.azure.com), and go to your API Management instance.
 
-1. In the left menu, select **Microsoft Defender for Cloud**.
+1. In the left pane, under **Security**, select **Defender for Cloud**.
 
-1. Select **Enable Defender on the subscription**.
+1. Select **Enable Defender on the subscription (recommended)**.
 
     :::image type="content" source="media/protect-with-defender-for-apis/enable-defender-for-apis.png" alt-text="Screenshot showing how to enable Defender for APIs in the portal." lightbox="media/protect-with-defender-for-apis/enable-defender-for-apis.png":::
 
 1. On the **Defender plan** page, select **On** for the **APIs** plan.
 
-1. Select **Save**.
+1. Choose a plan, select **Save**, and then select **Save** again at the top of the page.
 
 ### Onboard unprotected APIs to Defender for APIs 
 
 > [!CAUTION]
-> Onboarding APIs to Defender for APIs may increase compute, memory, and network utilization of your API Management instance, which in extreme cases may cause an outage of the API Management instance. Do not onboard all APIs at one time if your API Management instance is running at high utilization. Use caution by gradually onboarding APIs, while monitoring the utilization of your instance (for example, using [the capacity metric](api-management-capacity.md)) and scaling out as needed. 
+> Onboarding APIs to Defender for APIs can increase compute, memory, and network utilization of your API Management instance, which in extreme cases can cause an outage of the API Management instance. Don't onboard all APIs at one time if your API Management instance is running at high utilization. Use caution by gradually onboarding APIs while monitoring the utilization of your instance (for example, by using [the capacity metric](api-management-capacity.md)) and scaling out as needed. 
 
 1. In the portal, go back to your API Management instance.
-1. In the left menu, select **Microsoft Defender for Cloud**.
+1. In the left pane, under **Security**, select **Defender for Cloud**.
 1. Under **Recommendations**, select **Azure API Management APIs should be onboarded to Defender for APIs**.
+
     :::image type="content" source="media/protect-with-defender-for-apis/defender-for-apis-recommendations.png" alt-text="Screenshot of Defender for APIs recommendations in the portal." lightbox="media/protect-with-defender-for-apis/defender-for-apis-recommendations.png":::
-1. On the next screen, review details about the recommendation:
+1. On the **Azure API Management APIs should be onboarded to Defender for APIs** page, in the **View recommendations** column, select the **View** button for one of the listed APIs.
+1. On the resulting page, review the details of the recommendation:
     * Severity  
-    * Refresh interval for security findings 
+    * Freshness interval for security findings 
     * Description and remediation steps
     * Affected resources, classified as **Healthy** (onboarded to Defender for APIs), **Unhealthy** (not onboarded), or **Not applicable**, along with associated metadata from API Management
 
    > [!NOTE]
    > Affected resources include API collections (APIs) from all API Management instances under the subscription. 
 
-1. From the list of **Unhealthy** resources, select the API(s) that you wish to onboard to Defender for APIs.
-1. Select **Fix**, and then select **Fix resources**.
-    :::image type="content" source="media/protect-with-defender-for-apis/fix-unhealthy-resources.png" alt-text="Screenshot of onboarding unhealthy APIs in the portal." lightbox="media/protect-with-defender-for-apis/fix-unhealthy-resources.png":::
-1.  Track the status of onboarded resources under **Notifications**. 
+1. Select the APIs that you want to onboard to Defender for APIs.
+1. Select **Fix**, and then select **Fix *x* resources**.
+
+    :::image type="content" source="media/protect-with-defender-for-apis/fix-unhealthy-resources.png" alt-text="Screenshot that shows how to onboard unhealthy APIs in the portal." lightbox="media/protect-with-defender-for-apis/fix-unhealthy-resources.png":::
+1.  Track the status of onboarded resources in the **Notifications** pane. 
 
 > [!NOTE]
-> Defender for APIs takes 30 minutes to generate its first security insights after onboarding an API. Thereafter, security insights are refreshed every 30 minutes. 
+> Defender for APIs takes 30 minutes to generate its first security insights after you onboard an API. Thereafter, security insights are refreshed every 30 minutes. 
 > 
 
 ## View security coverage
 
-After you onboard the APIs from API Management, Defender for APIs receives API traffic that will be used to build security insights and monitor for threats. Defender for APIs generates security recommendations for risky and vulnerable APIs.  
+After you onboard the APIs from API Management, Defender for APIs receives API traffic that's used to build security insights and monitor for threats. Defender for APIs generates security recommendations for risky and vulnerable APIs.  
 
-You can view a summary of all security recommendations and alerts for onboarded APIs by selecting **Microsoft Defender for Cloud** in the menu for your API Management instance:
+You can view a summary of all security recommendations and alerts for onboarded APIs by selecting **Defender for Cloud** in the navigation menu for your API Management instance:
 
-1. In the portal, go to your API Management instance and select **Microsoft Defender for Cloud** from the left menu.
-1. Review **Recommendations** and **Security insights and alerts**.
+1. In the portal, go to your API Management instance. 
+1. Under **Security**, select **Defender for Cloud** in the left pane.
+1. Review **Recommendations** and **Security incidents and alerts**.
 
     :::image type="content" source="media/protect-with-defender-for-apis/view-security-insights.png" alt-text="Screenshot of API security insights in the portal." lightbox="media/protect-with-defender-for-apis/view-security-insights.png":::
 
-For the security alerts received, Defender for APIs suggests necessary steps to perform the required analysis and validate the potential exploit or anomaly associated with the APIs. Follow the steps in the security alert to fix and return the APIs to healthy status. 
+For the security alerts that you receive, Defender for APIs suggests necessary steps to perform the required analysis and validate the potential exploit or anomaly associated with the APIs. Follow the steps in the security alert to fix and return the APIs to healthy status.
 
 ## Offboard protected APIs from Defender for APIs
 
 You can remove APIs from protection by Defender for APIs by using Defender for Cloud in the portal. For more information, see [Manage your Defender for APIs deployment](/azure/defender-for-cloud/defender-for-apis-manage).
 
 ## Related content
 
-* Learn more about [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
-* Learn more about [API findings, recommendations, and alerts](/azure/defender-for-cloud/defender-for-apis-posture) in Defender for APIs
-Learn how to [build a comprehensive API security strategy](https://aka.ms/API-Security-EBook)
-* Learn how to [upgrade and scale](upgrade-and-scale.md) an API Management instance
+* [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction)
+* [API findings, recommendations, and alerts](/azure/defender-for-cloud/defender-for-apis-posture) 
+* [Build a comprehensive API security strategy](https://aka.ms/API-Security-EBook)
+* [Upgrade and scale an API Management instance](upgrade-and-scale.md) 

articles/api-management/media/protect-with-defender-for-apis/enable-defender-for-apis.png

@@ -5,7 +5,7 @@ services: azure-netapp-files
 author: b-hchen
 ms.service: azure-netapp-files
 ms.topic: how-to
-ms.date: 07/30/2025
+ms.date: 10/01/2025
 ms.author: anfdocs
 ms.custom:
   - devx-track-azurepowershell
@@ -248,7 +248,6 @@ For more information about the relationship between NetApp accounts and subscrip
         > Using the Security privilege users feature relies on the [SMB Continuous Availability Shares feature](azure-netapp-files-create-volumes-smb.md#continuous-availability). SMB Continuous Availability is **not** supported on custom applications. It's only supported for workloads using Citrix App Layering, [FSLogix user profile containers](/azure/virtual-desktop/create-fslogix-profile-container), and Microsoft SQL Server (not Linux SQL Server).
 
         > [!IMPORTANT]
-        > Using the **Security privilege users** feature requires that you submit a waitlist request through the **[Azure NetApp Files SMB Continuous Availability Shares Public Preview waitlist submission page](https://aka.ms/anfsmbcasharespreviewsignup)**. Wait for an official confirmation email from the Azure NetApp Files team before using this feature.  
         >This feature is optional and supported only with SQL server. The AD DS domain account used for installing SQL server must already exist before you add it to the **Security privilege users** option. When you add the SQL Server installer account to **Security privilege users** option, the Azure NetApp Files service might validate the account by contacting an AD DS domain controller. This action might fail if Azure NetApp Files can't contact the AD DS domain controller.
         
         For more information about `SeSecurityPrivilege` and SQL Server, see [SQL Server installation fails if the Setup account doesn't have certain user rights](/troubleshoot/sql/install/installation-fails-if-remove-user-right).

articles/api-management/media/protect-with-defender-for-apis/fix-unhealthy-resources.png

@@ -162,6 +162,10 @@ BitLocker can only be enabled after you add the disk the storage pool. Don't ena
 
 Network-attached storage (NAS) isn't supported for use in the DPM storage pool.
 
+>[!NOTE]
+>Microsoft Azure Backup Server (MABS)/DPM supports a maximum total replica (protected data) size of 75 TB per server. Exceeding this threshold can lead to missed backup SLAs and may render the server unresponsive. 
+>In case consider to add another MABS Server.
+
 **Storage** | **Details**
 --- | ---
 **MBS** | Modern backup storage (MBS) is supported from DPM 2016/MABS v2 and later. It isn't available for MABS v1.