Merge branch 'main' into partners-kendrick-batch2

Author: cdpark

.openpublishing.publish.config.json

@@ -506,6 +506,18 @@
             "branch": "dev",
             "branch_mapping": {}
         },
+        {
+            "path_to_root": "functions-nodejs-extensions",
+            "url": "https://github.com/Azure/azure-functions-nodejs-extensions",
+            "branch": "main",
+            "branch_mapping": {}
+        },        
+        {
+            "path_to_root": "functions-node-sdk-bindings-blob",
+            "url": "https://github.com/Azure-Samples/azure-functions-blob-sdk-bindings-nodejs",
+            "branch": "main",
+            "branch_mapping": {}
+        },
         {
             "path_to_root": "functions-python-tensorflow-tutorial",
             "url": "https://github.com/Azure-Samples/functions-python-tensorflow-tutorial",
@@ -543,7 +555,24 @@
             "branch_mapping": {}
         },        
         {
-            "path_to_root": "functions-sql-todo-sample",
+            "path_to_root": "functions-scenarios-durable-dotnet",
+            "url": "https://github.com/Azure-Samples/durable-functions-quickstart-dotnet-azd",
+            "branch": "main",
+            "branch_mapping": {}
+        },          
+        {
+            "path_to_root": "functions-scenarios-durable-typescript",
+            "url": "https://github.com/Azure-Samples/durable-functions-quickstart-typescript-azd",
+            "branch": "main",
+            "branch_mapping": {}
+        },         
+        {
+            "path_to_root": "functions-scenarios-durable-python",
+            "url": "https://github.com/Azure-Samples/durable-functions-quickstart-python-azd",
+            "branch": "main",
+            "branch_mapping": {}
+        }, 
+        {    "path_to_root": "functions-sql-todo-sample",
             "url": "https://github.com/Azure-Samples/azure-sql-binding-func-dotnet-todo",
             "branch": "docs-snippets",
             "branch_mapping": {}

.openpublishing.redirection.json

@@ -5064,6 +5064,16 @@
       "redirect_url": "/azure/role-based-access-control/quickstart-role-assignments-template",
       "redirect_document_id": true
     },
+    {
+      "source_path_from_root": "/articles/role-based-access-control/built-in-roles/mixed-reality.md",
+      "redirect_url": "/azure/role-based-access-control/built-in-roles",
+      "redirect_document_id": false
+    },
+    {
+      "source_path_from_root": "/articles/role-based-access-control/permissions/mixed-reality.md",
+      "redirect_url": "/azure/role-based-access-control/resource-provider-operations",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/scheduler/get-started-portal.md",
       "redirect_url": "/azure/scheduler/migrate-from-scheduler-to-logic-apps",
@@ -6559,6 +6569,11 @@
       "source_path": "articles/dns/dns-sdk.md",
       "redirect_url": "https://learn.microsoft.com/dotnet/api/overview/azure/resourcemanager.dns-readme",
       "redirect_document_id": false
+    },
+    { 
+      "source_path": "articles/oracle/oracle-db/exadata-vm-clusters.md",
+      "redirect_url": "/azure/oracle/oracle-db/database-overview",
+      "redirect_document_id": false
     }
 
   ]

articles/active-directory-b2c/partner-asignio.md

@@ -76,7 +76,7 @@ The following diagram illustrates the implementation.
 
 ## Configure an application with Asignio
 
-Configurating an application with Asignio is with the Asignio Partner Administration site. 
+Configuring an application with Asignio is with the Asignio Partner Administration site. 
 
 1. To request access for your organization, go to asignio.com [Asignio Partner Administration](https://partner.asignio.com) page. 
 2. With credentials, sign into Asignio Partner Administration.

articles/api-management/TOC.yml

@@ -260,8 +260,8 @@
       href: amazon-bedrock-passthrough-llm-api.md
     - name: Semantic caching for LLM API requests
       href: azure-openai-enable-semantic-caching.md
-    - name: Authenticate and authorize to Azure OpenAI
-      href: api-management-authenticate-authorize-azure-openai.md
+    - name: Authenticate and authorize to LLM APIs
+      href: api-management-authenticate-authorize-ai-apis.md
     - name: Log LLM tokens, requests, and responses
       href: api-management-howto-llm-logs.md
   - name: Manage AI tools and agents

…t-authenticate-authorize-azure-openai.md …gement-authenticate-authorize-ai-apis.mdarticles/api-management/api-management-authenticate-authorize-azure-openai.md renamed to articles/api-management/api-management-authenticate-authorize-ai-apis.md articles/api-management/api-management-authenticate-authorize-azure-openai.md renamed to articles/api-management/api-management-authenticate-authorize-ai-apis.md

@@ -1,59 +1,59 @@
 ---
-title: Authenticate to Azure OpenAI API - Azure API Management
+title: Authenticate and Authorize to LLM APIs - Azure API Management
 titleSuffix: Azure API Management
-description: Options to authenticate and authorize to Azure OpenAI APIs using Azure API Management. Includes API key, managed identity, and OAuth 2.0 authorization.
+description: Options to authenticate and authorize to LLM APIs using Azure API Management. Includes API key, managed identity, and OAuth 2.0 authorization.
 author: dlepow
 ms.service: azure-api-management
 ms.topic: concept-article
-ms.date: 04/01/2025
+ms.date: 12/19/2025
 ms.update-cycle: 180-days
 ms.author: danlep
 ms.collection: ce-skilling-ai-copilot
 ---
 
-# Authenticate and authorize access to Azure OpenAI APIs using Azure API Management 
+# Authenticate and authorize access to LLM APIs by using Azure API Management 
 
 [!INCLUDE [api-management-availability-all-tiers](../../includes/api-management-availability-all-tiers.md)]
 
-In this article, you learn about ways to authenticate and authorize to Azure OpenAI API endpoints that are managed using Azure API Management. This article shows the following common methods:
+In this article, you learn how to authenticate and authorize access to AI API endpoints that Azure API Management manages. This article shows the following common methods:
 
-* **Authentication** - Authenticate to an Azure OpenAI API using policies that authenticate using either an API key or a Microsoft Entra ID managed identity.
+* **Authentication** - Authenticate to an AI API by using policies that use either an API key or a Microsoft Entra ID managed identity.
 
 * **Authorization** - For more fine-grained access control, preauthorize requests that pass OAuth 2.0 tokens generated by an identity provider such as Microsoft Entra ID.
 
 For background, see:
 
-* [Azure OpenAI Service REST API reference](/azure/ai-foundry/openai/reference)
-
 * [Authentication and authorization to APIs in API Management](authentication-authorization-overview.md).
 
 ## Prerequisites
 
-Before following the steps in this article, you must have:
+To follow the examples in this article, you must have:
 
 - An API Management instance. For example steps, see [Create an Azure API Management instance](get-started-create-service-instance.md).
-- An Azure OpenAI resource and model added to your API Management instance. For example steps, see [Import an Azure OpenAI API as a REST API](azure-openai-api-from-specification.md).
-- Permissions to create an app registration in an identity provider such as a Microsoft Entra tenant associated with your Azure subscription (for OAuth 2.0 authorization).
+- An AI model deployment added to your API Management instance as an AI. For example steps, see [Import a Microsoft Foundry API](azure-ai-foundry-api.md) or [Import a language model API](openai-compatible-llm-api.md).
+- (For OAuth 2.0 authorization) Permissions to create an app registration in an identity provider such as a Microsoft Entra ID tenant associated with your Azure subscription.
 
-## Authenticate with API key
+## Authenticate by using API key
 
-A default way to authenticate to an Azure OpenAI API is by using an API key. For this type of authentication, all API requests must include a valid API key in the `api-key` HTTP header.
+A default way to authenticate to an AI API is by using an API key. For this type of authentication, all API requests must include a valid API key in an HTTP header. The header name depends on the API. For example, Azure OpenAI in Microsoft Foundry APIs use the `api-key` header.
 
-* API Management can manage the API key in a secure way, by using a [named value](api-management-howto-properties.md). 
-* The named value can then be referenced in an API policy to set the `api-key` header in requests to the Azure OpenAI API. We provide two examples of how to do this: one uses the [`set-backend-service`](set-backend-service-policy.md) policy, and the other uses the [`set-header`](set-header-policy.md) policy.
+* API Management can manage the API key in a secure way by using a [named value](api-management-howto-properties.md). 
+* You can reference the named value in an API policy to set the `api-key` header in requests to the API. The following two examples show how to do this: one uses the [`set-backend-service`](set-backend-service-policy.md) policy, and the other uses the [`set-header`](set-header-policy.md) policy.
 
 ### Store the API key in a named value
 
-1. Obtain an API key from the Azure OpenAI resource. In the Azure portal, find a key on the **Keys and Endpoint** page of the Azure OpenAI resource.
+Here's an example of how to store an Azure OpenAI API key in a named value in API Management:
+
+1. Get an API key from the AI model deployment. For an Azure OpenAI model deployment, find this information on the **Home** page for your project in the Microsoft Foundry portal. 
 1. Go to your API Management instance, and select **Named values** in the left menu.
-1. Select **+ Add**, and add the value as a secret, or optionally for more security, use a [key vault reference](api-management-howto-properties.md#key-vault-secrets).
+1. Select **+ Add**, and add the value as a secret. For more security, optionally use a [key vault reference](api-management-howto-properties.md#key-vault-secrets).
 
 ### Pass the API key in API requests - set-backend-service policy
 
 1. Create a [backend](backends.md) that points to the Azure OpenAI API.
     1. In the left menu of your API Management instance, select **Backends**.
     1. Select **+ Add**, and enter a descriptive name for the backend. Example: *openai-backend*.
-    1. Under **Type**, select **Custom**, and enter the URL of the Azure OpenAI endpoint. Example: `https://contoso.openai.azure.com/openai`.
+    1. Under **Type**, select **Custom**, and enter the URL of the Azure OpenAI endpoint. Example: `https://contoso.services.ai.azure.com/openai`.
     1. Under **Authorization credentials**, select **Headers**, and enter *api-key* as the header name and the named value as the value.
     1. Select **Create**.
 1. Add the following `set-backend-service` policy snippet in the `inbound` policy section to pass the API key in requests to the Azure OpenAI API. 
@@ -76,19 +76,18 @@ In this example, the named value in API Management is *openai-api-key*.
 </set-header>
 ```
 
-
 ## Authenticate with managed identity
 
-An alternative and recommended way to authenticate to an Azure OpenAI API is by using a managed identity in Microsoft Entra ID. For background, see
-[How to configure Azure OpenAI Service with managed identity](/azure/api-management/api-management-authenticate-authorize-azure-openai).
+For Azure OpenAI and other model deployments in Microsoft Foundry, use a managed identity in Microsoft Entra ID to authenticate. For background, see
+[How to configure Azure OpenAI in Microsoft Foundry Models with Microsoft Entra ID authentication](/azure/ai-foundry/openai/how-to/managed-identity).
 
-Following are steps to configure your API Management instance to use a managed identity to authenticate requests to an Azure OpenAI API. 
+Follow these steps to configure your API Management instance to use a managed identity for authentication. 
 
-1. [Enable](api-management-howto-use-managed-service-identity.md) a system-assigned or user-assigned managed identity for your API Management instance. The following example assumes that you've enabled the instance's system-assigned managed identity.
+1. [Enable](api-management-howto-use-managed-service-identity.md) a system-assigned or user-assigned managed identity for your API Management instance. The following example assumes that you enabled the instance's system-assigned managed identity.
 
-1. Assign the managed identity the **Cognitive Services OpenAI User** role, scoped to the appropriate resource. For example, assign the system-assigned managed identity the **Cognitive Services OpenAI User** role on the Azure OpenAI resource. For detailed steps, see [Role-based access control for Azure OpenAI service](/azure/ai-foundry/openai/how-to/role-based-access-control).
+1. Assign the managed identity the **Cognitive Services OpenAI User** role, scoped to the appropriate resource. For example, assign the system-assigned managed identity the **Cognitive Services OpenAI User** role on the Microsoft Foundry resource. For detailed steps, see [Role-based access control for Azure OpenAI service](/azure/ai-foundry/openai/how-to/role-based-access-control).
 
-1. Add the following policy snippet in the `inbound` policy section to authenticate requests to the Azure OpenAI API using the managed identity. 
+1. Add the following policy snippet in the `inbound` policy section to authenticate requests to the API by using the managed identity.  
 
     In this example:
 
@@ -101,22 +100,22 @@ Following are steps to configure your API Management instance to use a managed i
         <value>@("Bearer " + (string)context.Variables["managed-id-access-token"])</value> 
     </set-header> 
     ```
-
+    
 > [!TIP]
-> An alternative to using the `authentication-managed-identity` and `set-header` policies shown in this example is to configure a [backend](backends.md) resource that directs API requests to the Azure OpenAI Service endpoint. In the backend configuration, enable managed identity authentication to the Azure OpenAI Service. Azure API Management automates these steps when importing an API directly from Azure OpenAI Service. For more information, see [Import API from Azure OpenAI Service](azure-openai-api-from-specification.md#option-1-import-api-from-azure-openai). 
+> Instead of using the `authentication-managed-identity` and `set-header` policies shown in this example, you can configure a [backend](backends.md) resource that directs API requests to the AI service endpoint. In the backend configuration, configure managed identity credentials to the `https://cognitiveservices.azure.com/` resource. Azure API Management automates these steps when you [import an API directly from Microsoft Foundry](azure-ai-foundry-api.md).  
 
-## OAuth 2.0 authorization using identity provider
+## OAuth 2.0 authorization by using identity provider
 
-To enable more fine-grained access to OpenAPI APIs by particular users or clients, you can preauthorize access to the Azure OpenAI API using OAuth 2.0 authorization with Microsoft Entra ID or another identity provider. For background, see [Protect an API in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID](api-management-howto-protect-backend-with-aad.md).
+To enable more fine-grained access to Azure OpenAPI or other LLM APIs by particular users or clients, preauthorize access to the API by using OAuth 2.0 authorization with Microsoft Entra ID or another identity provider. For background, see [Protect an API in Azure API Management using OAuth 2.0 authorization with Microsoft Entra ID](api-management-howto-protect-backend-with-aad.md).
 
 > [!NOTE]
 > Use OAuth 2.0 authorization as part of a defense-in-depth strategy. It's not a replacement for API key authentication or managed identity authentication to an Azure OpenAI API.
 
-Following are high level steps to restrict API access to users or apps that are authorized using an identity provider.  
+The following steps show how to restrict API access to users or apps that are authorized by using an identity provider.  
 
-1. Create an application in your identity provider to represent the OpenAI API in Azure API Management. If you're using Microsoft Entra ID, [register](api-management-howto-protect-backend-with-aad.md#register-an-application-in-microsoft-entra-id-to-represent-the-api) an application in your Microsoft Entra ID tenant. Record details such as the application ID and the audience URI.
+1. Create an application in your identity provider to represent the AI API in Azure API Management. If you're using Microsoft Entra ID, [register](api-management-howto-protect-backend-with-aad.md#register-an-application-in-microsoft-entra-id-to-represent-the-api) an application in your Microsoft Entra ID tenant. Record details such as the application ID and the audience URI.
 
-    As needed, configure the application to have roles or scopes that represent the fine-grained permissions needed to access the Azure OpenAI API.
+    As needed, configure the application to have roles or scopes that represent the fine-grained permissions needed to access the AI API.
 
 1. Add an `inbound` policy snippet in your API Management instance to validate requests that present a JSON web token (JWT) in the `Authorization` header. Place this snippet *before* other `inbound` policies that you set to authenticate to the Azure OpenAI API. 
 
@@ -164,4 +163,4 @@ Following are high level steps to restrict API access to users or apps that are
 ## Related content
 
 * Learn more about [Microsoft Entra ID and OAuth2.0](/entra/architecture/auth-oauth2).  
-* [Authenticate requests to Azure AI services](/azure/ai-services/authentication)
+* [Authenticate requests to Foundry tools](/azure/ai-services/authentication)