MicrosoftDocs
diff --git a/‎.openpublishing.publish.config.json‎
Lines changed: 16 additions & 4 deletions b/‎.openpublishing.publish.config.json‎
Lines changed: 16 additions & 4 deletions
diff --git a/‎articles/active-directory-b2c/partner-asignio.md‎
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory-b2c/partner-asignio.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/api-management/api-management-howto-api-inspector.md‎
Lines changed: 12 additions & 3 deletions b/‎articles/api-management/api-management-howto-api-inspector.md‎
Lines changed: 12 additions & 3 deletions
diff --git a/‎articles/api-management/api-management-howto-disaster-recovery-backup-restore.md‎
Lines changed: 3 additions & 14 deletions b/‎articles/api-management/api-management-howto-disaster-recovery-backup-restore.md‎
Lines changed: 3 additions & 14 deletions
diff --git a/‎articles/api-management/api-management-howto-use-managed-service-identity.md‎
Lines changed: 7 additions & 17 deletions b/‎articles/api-management/api-management-howto-use-managed-service-identity.md‎
Lines changed: 7 additions & 17 deletions
diff --git a/‎articles/api-management/backends.md‎
Lines changed: 3 additions & 0 deletions b/‎articles/api-management/backends.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎articles/api-management/breaking-changes/trusted-service-connectivity-retirement-march-2026.md‎
Lines changed: 17 additions & 17 deletions b/‎articles/api-management/breaking-changes/trusted-service-connectivity-retirement-march-2026.md‎
Lines changed: 17 additions & 17 deletions
@@ -506,6 +506,18 @@
             "branch": "dev",
             "branch_mapping": {}
         },
+        {
+            "path_to_root": "functions-nodejs-extensions",
+            "url": "https://github.com/Azure/azure-functions-nodejs-extensions",
+            "branch": "main",
+            "branch_mapping": {}
+        },        
+        {
+            "path_to_root": "functions-node-sdk-bindings-blob",
+            "url": "https://github.com/Azure-Samples/azure-functions-blob-sdk-bindings-nodejs",
+            "branch": "main",
+            "branch_mapping": {}
+        },
         {
             "path_to_root": "functions-python-tensorflow-tutorial",
             "url": "https://github.com/Azure-Samples/functions-python-tensorflow-tutorial",
@@ -688,25 +700,25 @@
         {
             "path_to_root": "app-service-agentic-semantic-kernel-ai-foundry-agent",
             "url": "https://github.com/Azure-Samples/app-service-agentic-semantic-kernel-ai-foundry-agent",
-            "branch": "agentfx",
+            "branch": "main",
             "branch_mapping": {}
         },
         {
             "path_to_root": "app-service-agentic-langgraph-foundry-node",
             "url": "https://github.com/Azure-Samples/app-service-agentic-langgraph-foundry-node",
-            "branch": "agentfx",
+            "branch": "main",
             "branch_mapping": {}
         },
         {
             "path_to_root": "app-service-agentic-langgraph-foundry-python",
             "url": "https://github.com/Azure-Samples/app-service-agentic-langgraph-foundry-python",
-            "branch": "agentfx",
+            "branch": "main",
             "branch_mapping": {}
         },
         {
             "path_to_root": "app-service-agentic-semantic-kernel-java",
             "url": "https://github.com/Azure-Samples/app-service-agentic-semantic-kernel-java",
-            "branch": "agentfx",
+            "branch": "main",
             "branch_mapping": {}
         },
         {
 
@@ -76,7 +76,7 @@ The following diagram illustrates the implementation.
 
 ## Configure an application with Asignio
 
-Configurating an application with Asignio is with the Asignio Partner Administration site. 
+Configuring an application with Asignio is with the Asignio Partner Administration site. 
 
 1. To request access for your organization, go to asignio.com [Asignio Partner Administration](https://partner.asignio.com) page. 
 2. With credentials, sign into Asignio Partner Administration.
 
@@ -173,8 +173,10 @@ To help automate these steps with the [Visual Studio Code REST Client](https://m
 @apiEndPoint = // API URL
 @requestBody = // Data to send
 @tenantId = // Tenant ID
- 
-POST https://login.microsoftonline.com/{tenantId}/oauth2/token
+@apiId = // Api Id for which trace log is to be generated.
+
+# @name login 
+POST https://login.microsoftonline.com/{{tenantId}}/oauth2/token
 content-type: application/x-www-form-urlencoded
  
 grant_type=client_credentials&client_id={{clientId}}&client_secret={{clientSecret}}&resource=https%3A%2F%2Fmanagement.azure.com%2F
@@ -185,6 +187,7 @@ grant_type=client_credentials&client_id={{clientId}}&client_secret={{clientSecre
 # @name listDebugCredentials
 POST https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.ApiManagement/service/{{apimName}}/gateways/managed/listDebugCredentials?api-version=2023-05-01-preview
 Authorization: Bearer {{authToken}}
+
 Content-Type: application/json
 {
     "credentialsExpireAfter": "PT1H",
@@ -197,7 +200,13 @@ Content-Type: application/json
  
 ###
 # @name callApi
-curl -k -H "Apim-Debug-Authorization: {{debugToken}}" -H 'Host: {{externalHost}}' -H 'Ocp-Apim-Subscription-Key: {{subscriptionKey}}' -H 'Content-Type: application/json' '{{apiEndPoint}}' -d '{{requestBody}}'
+POST {{apiEndPoint}} HTTP/1.1
+Host: {{externalHost}}
+Apim-Debug-Authorization: {{debugToken}}
+Ocp-Apim-Subscription-Key: {{subscriptionKey}}
+Content-Type: application/json
+
+{{requestBody}}
  
 ###
 @traceId = {{callApi.response.headers.Apim-Trace-Id}}
 
@@ -7,7 +7,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 12/05/2025
+ms.date: 12/18/2025
 ms.author: danlep 
 ms.custom: devx-track-azurepowershell
 ---
@@ -29,7 +29,7 @@ This article shows how to automate backup and restore operations of your API Man
 > Each backup expires after 30 days. If you attempt to restore a backup after the 30-day expiration period has expired, the restore will fail with a `Cannot restore: backup expired` message.
 
 > [!IMPORTANT]
-> Restore operation doesn't change custom hostname configuration of the target service. We recommend to use the same custom hostname and TLS certificate for both active and standby services, so that, after restore operation completes, the traffic can be re-directed to the standby instance by a simple DNS CNAME change.
+> Restore operation doesn't change custom hostname configuration of the target service. We recommend using the same custom hostname and TLS certificate for both active and standby services, so that, after restore operation completes, the traffic can be re-directed to the standby instance by a simple DNS CNAME change.
 
 
 [!INCLUDE [updated-for-az](~/reusable-content/ce-skilling/azure/includes/updated-for-az.md)]
@@ -399,18 +399,7 @@ Restore is a long-running operation that may take several minutes to complete. I
 ## Storage networking constraints
 
 
-If the storage account is **[firewall][azure-storage-ip-firewall] enabled**, it's recommended to use the API Management instance's system-assigned managed identity for access to the account. Ensure that you have networking line of sight from API Management. Configure one of the following network access options on the resource:
-
-- Allow public access from all networks.
-
-- Set a network security rule to allow API Management traffic based on the IP address or virtual network connectivity.
-
-- Secure traffic from API Management with Private Link connectivity.
-
-- Use a [network security perimeter](/azure/private-link/network-security-perimeter-concepts#onboarded-private-link-resources) to secure the resource and allow traffic from API Management. 
-
-> [!IMPORTANT]
-> Starting March 2026, trusted service connectivity to Azure services from API Management by enabling the **Allow Trusted Microsoft Services to bypass this firewall** firewall setting will no longer be supported. To continue accessing these services from API Management after this change, ensure that you choose a supported network access option as described above. [Learn more](breaking-changes/trusted-service-connectivity-retirement-march-2026.md)
+If the storage account is **[firewall][azure-storage-ip-firewall] enabled**, it's recommended to use the API Management instance's system-assigned managed identity for access to the account. Ensure that the storage account [grants access to trusted Azure services](../storage/common/storage-network-security.md?tabs=azure-portal#grant-access-to-trusted-azure-services).
 
 ## What is not backed up
 -   **Usage data** used for creating analytics reports **isn't included** in the backup. Use [Azure API Management REST API][azure api management rest api] to periodically retrieve analytics reports for safekeeping.
 
@@ -6,7 +6,7 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 05/19/2025
+ms.date: 12/18/2025
 ms.author: danlep
 ms.custom:
   - devx-track-azurepowershell
@@ -314,27 +314,17 @@ You can use the system-assigned identity to authenticate to a backend service vi
 
 ### Connect to Azure resources behind an IP firewall by using a system-assigned managed identity
 
-For certain scenarios, API Management can communicate with resources in the following services using a system-assigned managed identity configured with an appropriate role assignment:
+API Management is a trusted Microsoft service to the following resources. This trusted status enables the service to connect to the following resources behind a firewall when the firewall enables a setting to **Allow Trusted Microsoft Services to bypass this firewall**. After you explicitly assign the appropriate Azure role to the [system-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) for a resource instance, the scope of access for the instance corresponds to the Azure role that's assigned to the managed identity.
 
-- Azure Key Vault
-- Azure Storage
-- Azure Service Bus
-- Azure Event Hubs
-- Azure Container Registry
-- Azure Managed HSM
 
-For resources in these services that are protected by an IP firewall, ensure that you have networking line of sight from API Management. Configure one of the following network access options on the resource:
+- [Trusted access for Key Vault](/azure/key-vault/general/overview-vnet-service-endpoints#trusted-services)
+- [Trusted access for Azure Storage](../storage/common/storage-network-security-trusted-azure-services.md?tabs=azure-portal#trusted-access-based-on-system-assigned-managed-identity)
+- [Trusted access for Azure Service Bus](../service-bus-messaging/service-bus-ip-filtering.md#trusted-microsoft-services)
+- [Trusted access for Azure Event Hubs](../event-hubs/event-hubs-ip-filtering.md#trusted-microsoft-services)
 
-- Allow public access from all networks.
-
-- Set a network security rule to allow API Management traffic based on the IP address or virtual network connectivity.
-
-- Secure traffic from API Management with Private Link connectivity.
-
-- Use a [network security perimeter](/azure/private-link/network-security-perimeter-concepts#onboarded-private-link-resources) to secure the resource and allow traffic from API Management. 
 
 > [!IMPORTANT]
-> Starting March 2026, trusted service connectivity to Azure services from API Management by enabling the **Allow Trusted Microsoft Services to bypass this firewall** firewall setting will no longer be supported. To continue accessing these services from API Management after this change, ensure that you choose a supported network access option as described above. [Learn more](breaking-changes/trusted-service-connectivity-retirement-march-2026.md)
+> Starting March 2026, trusted service connectivity to Azure services from the API Management gateway by enabling the **Allow Trusted Microsoft Services to bypass this firewall** firewall setting will no longer be supported. To continue accessing these services from the API Management gateway after this change, ensure that you choose a different supported network access option. For control-plane operations, you can continue to use trusted service connectivity. [Learn more](breaking-changes/trusted-service-connectivity-retirement-march-2026.md).
 
 ### Log events to an event hub
 
 
@@ -118,6 +118,9 @@ To add CA certificate details, follow these steps:
 > [!NOTE]
 > When you configure details of a custom CA certificate in the backend entity, API Management always validates the certificate name and certificate chain, regardless of whether you enable or disable validation settings in the backend's `backendTlsProperties`.
 
+> [!TIP]
+> You can also configure CA certificate details programmatically by using the API Management REST API. Set the `backendTlsProperties` in the [backend entity](/rest/api/apimanagement/backend/create-or-update?view=rest-apimanagement-2025-03-01-preview&preserve-view=true#backendtlsproperties).
+
 ## Reference backend using set-backend-service policy
 
 After creating a backend, you can reference the backend identifier (name) in your APIs. Use the [`set-backend-service`](set-backend-service-policy.md) policy to direct an incoming API request to the backend. If you already configured a backend web service for an API, you can use the `set-backend-service` policy to redirect the request to a backend entity instead. For example:
 
@@ -1,10 +1,10 @@
 ---
 title: Azure API Management - Trusted service connectivity retirement (March 2026)
-description: Azure API Management is retiring trusted service connectivity to supported Azure services as of March 2026. Use alternative networking options for secure connectivity.
+description: Azure API Management is retiring trusted service connectivity by the gateway to supported Azure services as of March 2026. Use alternative networking options for secure connectivity.
 #customer intent: As an Azure admin, I want to determine if my API Management service is affected by the trusted service connectivity retirement so that I can plan necessary changes.
 author: dlepow
 ms.author: danlep
-ms.date: 12/05/2025
+ms.date: 12/18/2025
 ms.topic: reference
 ms.service: azure-api-management
 ai-usage: ai-assisted
@@ -15,9 +15,9 @@ ai-usage: ai-assisted
 
 [!INCLUDE [api-management-availability-all-tiers](../../../includes/api-management-availability-all-tiers.md)]
 
-Effective 15 March 2026, Azure API Management is retiring trusted service connectivity to supported Azure services - Azure Storage, Key Vault, Key Vault Managed HSM, Service Bus, Event Hub, and Container Registry. If your API Management resource relies on this feature to communicate with these services after 15 March 2026, the communication will fail. Use alternative networking options to securely connect to those services.
+Effective 15 March 2026, Azure API Management is retiring trusted service connectivity by the API Management gateway to supported Azure services - Azure Storage, Key Vault, Key Vault Managed HSM, Service Bus, Event Hubs, and Container Registry. If your API Management gateway relies on this feature to communicate with these services after 15 March 2026, the communication will fail. Use alternative networking options to securely connect to those services.
 
-API Management services created on or after 1 December 2025 no longer support trusted service connectivity. Contact Azure support if you need to enable trusted service connectivity in those services until the retirement date.
+The gateway in API Management services created on or after 1 December 2025 no longer supports trusted service connectivity. Contact Azure support if you need to enable trusted service connectivity in those services until the retirement date.
 
 ## Is my service affected by this change?
 
@@ -27,19 +27,19 @@ First, check for an Azure Advisor recommendation:
 1. Select the **Recommendations > Operational excellence** category.
 1. Search for "**Disable trusted service connectivity in API Management**".
 
-**If you don't see a recommendation**, your API Management resource isn't affected by the change.
+**If you don't see a recommendation**, your API Management gateway isn't affected by the change.
 
-**If you see a recommendation**, your API Management resource is affected by the breaking change and you need to take action: 
+**If you see a recommendation**, your API Management gateway is affected by the breaking change and you need to take action: 
 
-1. Determine if your API Management resource relies on trusted service connectivity to Azure services. 
+1. Determine if your API Management gateway relies on trusted service connectivity to Azure services. 
 1. If it does, update the networking configuration to eliminate the dependency on trusted service connectivity. If it doesn’t, proceed to the next step. 
-1. Disable trusted service connectivity in API Management. 
+1. Disable trusted service connectivity in your API Management gateway. 
 
-### Step 1: Does my API Management resource rely on trusted service connectivity? 
+### Step 1: Does my API Management gateway rely on trusted service connectivity? 
 
-API Management should no longer rely on trusted service connectivity to Azure services. Instead, it should establish a networking line of sight. 
+Your API Management gateway should no longer rely on trusted service connectivity to Azure services. Instead, it should establish a networking line of sight. 
 
-To verify if API Management relies on trusted connectivity to Azure services, check the networking configuration of all Azure Storage, Key Vault, Key Vault Managed HSM, Service Bus, Event Hub, and Container Registry resources that API Management connects to: 
+To verify if your API Management gateway relies on trusted connectivity to Azure services, check the networking configuration of all Azure Storage, Key Vault, Key Vault Managed HSM, Service Bus, Event Hubs, and Container Registry resources that your API Management gateway connects to: 
 
 #### For Storage accounts
 
@@ -72,7 +72,7 @@ To verify if API Management relies on trusted connectivity to Azure services, ch
 
 ### Step 2: Eliminate dependency on trusted service connectivity  
 
-If you verified that API Management relies on trusted connectivity to Azure resources, you need to eliminate this dependency by establishing a networking line of sight for communication from API Management to the listed services. 
+If you verified that your API Management gateway relies on trusted connectivity to Azure resources, you need to eliminate this dependency by establishing a networking line of sight for communication from API Management to the listed services. 
 
 You can configure the networking of target resources to one of the following options:
 
@@ -88,11 +88,11 @@ You can configure the networking of target resources to one of the following opt
 
   - [Transition to a Network Security Perimeter in Azure](/azure/private-link/network-security-perimeter-transition)
 
-### Step 3: Disable trusted service connectivity in API Management 
+### Step 3: Disable trusted service connectivity in API Management gateway
 
-After ensuring that API Management doesn’t access other Azure services using trusted service connectivity, you must explicitly disable trusted connectivity in your API Management service to acknowledge you have verified that the service no longer depends on trusted connectivity.
+After ensuring that your API Management gateway doesn't access other Azure services using trusted service connectivity, you must explicitly disable trusted connectivity in your gateway to acknowledge you have verified that the service no longer depends on trusted connectivity.
 
-To do so, set a custom property `Microsoft.WindowsAzure.ApiManagement.Gateway.ManagedIdentity.DisableOverPrivilegedAccess` to `"True"` on the [API Management resource](/rest/api/apimanagement/api-management-service/create-or-update). For example: 
+To do so, set a custom property `Microsoft.WindowsAzure.ApiManagement.Gateway.ManagedIdentity.DisableOverPrivilegedAccess` to `"True"` on the [API Management gateway](/rest/api/apimanagement/api-management-service/create-or-update). For example: 
 
 
 ```json
@@ -116,11 +116,11 @@ To do so, set a custom property `Microsoft.WindowsAzure.ApiManagement.Gateway.Ma
 }
 ```
 
-The Azure Advisor recommendation should disappear within a day or two of disabling the trusted connectivity on the API Management service. 
+The Azure Advisor recommendation should disappear within a day or two of disabling the trusted connectivity on the API Management gateway. 
 
 ## What is the deadline for the change?
 
-After 15 March 2026, the trusted connectivity from API Management to supported Azure services - Azure Storage, Key Vault, Key Vault Managed HSM, Service Bus, Event Hubs, and Container Registry - is retired. If your API Management resource relies on this feature to establish communication with these services, the communication will start failing after that date.
+After 15 March 2026, the trusted connectivity from the API Management gateway to supported Azure services - Azure Storage, Key Vault, Key Vault Managed HSM, Service Bus, Event Hubs, and Container Registry - is retired. If your API Management gateway relies on this feature to establish communication with these services, the communication will start failing after that date.
 
 ## Help and support