Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into waf-crs

Author: halkazwini

.openpublishing.publish.config.json

@@ -506,6 +506,18 @@
             "branch": "dev",
             "branch_mapping": {}
         },
+        {
+            "path_to_root": "functions-nodejs-extensions",
+            "url": "https://github.com/Azure/azure-functions-nodejs-extensions",
+            "branch": "main",
+            "branch_mapping": {}
+        },        
+        {
+            "path_to_root": "functions-node-sdk-bindings-blob",
+            "url": "https://github.com/Azure-Samples/azure-functions-blob-sdk-bindings-nodejs",
+            "branch": "main",
+            "branch_mapping": {}
+        },
         {
             "path_to_root": "functions-python-tensorflow-tutorial",
             "url": "https://github.com/Azure-Samples/functions-python-tensorflow-tutorial",

.openpublishing.redirection.json

@@ -6559,6 +6559,11 @@
       "source_path": "articles/dns/dns-sdk.md",
       "redirect_url": "https://learn.microsoft.com/dotnet/api/overview/azure/resourcemanager.dns-readme",
       "redirect_document_id": false
+    },
+    { 
+      "source_path": "articles/oracle/oracle-db/exadata-vm-clusters.md",
+      "redirect_url": "/azure/oracle/oracle-db/database-overview",
+      "redirect_document_id": false
     }
 
   ]

articles/api-management/api-management-howto-aad.md

@@ -173,8 +173,10 @@ To help automate these steps with the [Visual Studio Code REST Client](https://m
 @apiEndPoint = // API URL
 @requestBody = // Data to send
 @tenantId = // Tenant ID
- 
-POST https://login.microsoftonline.com/{tenantId}/oauth2/token
+@apiId = // Api Id for which trace log is to be generated.
+
+# @name login 
+POST https://login.microsoftonline.com/{{tenantId}}/oauth2/token
 content-type: application/x-www-form-urlencoded
  
 grant_type=client_credentials&client_id={{clientId}}&client_secret={{clientSecret}}&resource=https%3A%2F%2Fmanagement.azure.com%2F
@@ -185,6 +187,7 @@ grant_type=client_credentials&client_id={{clientId}}&client_secret={{clientSecre
 # @name listDebugCredentials
 POST https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/{{resourceGroup}}/providers/Microsoft.ApiManagement/service/{{apimName}}/gateways/managed/listDebugCredentials?api-version=2023-05-01-preview
 Authorization: Bearer {{authToken}}
+
 Content-Type: application/json
 {
     "credentialsExpireAfter": "PT1H",
@@ -197,7 +200,13 @@ Content-Type: application/json
  
 ###
 # @name callApi
-curl -k -H "Apim-Debug-Authorization: {{debugToken}}" -H 'Host: {{externalHost}}' -H 'Ocp-Apim-Subscription-Key: {{subscriptionKey}}' -H 'Content-Type: application/json' '{{apiEndPoint}}' -d '{{requestBody}}'
+POST {{apiEndPoint}} HTTP/1.1
+Host: {{externalHost}}
+Apim-Debug-Authorization: {{debugToken}}
+Ocp-Apim-Subscription-Key: {{subscriptionKey}}
+Content-Type: application/json
+
+{{requestBody}}
  
 ###
 @traceId = {{callApi.response.headers.Apim-Trace-Id}}

articles/api-management/api-management-howto-api-inspector.md

@@ -6,34 +6,41 @@ author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 09/30/2025
+ms.date: 12/09/2025
 ms.author: danlep
 ---
+
 # Create subscriptions in Azure API Management
 
 [!INCLUDE [api-management-availability-all-tiers](../../includes/api-management-availability-all-tiers.md)]
 
-When you publish APIs through Azure API Management, it's easy and common to secure access to those APIs by using subscription keys. Client applications that need to consume the published APIs must include a valid subscription key in HTTP requests when they make calls to those APIs. To get a subscription key for accessing APIs, a subscription is required. For more information about subscriptions, see [Subscriptions in Azure API Management](api-management-subscriptions.md).
+When you publish APIs through Azure API Management, you can secure access to those APIs by using subscription keys. Client applications that need to consume the published APIs must then include a valid subscription key in HTTP requests when they make calls to those APIs. To get a subscription key for accessing APIs, you need a subscription. For more information about subscriptions, see [Subscriptions in Azure API Management](api-management-subscriptions.md).
 
-This article walks through the steps for creating subscriptions in the Azure portal.
+This article walks you through the steps for creating subscriptions in the Azure portal.
 
 > [!IMPORTANT]
-> The **Allow tracing** setting in subscriptions to enable debug traces is deprecated. To improve security, tracing can now be enabled for specific API requests to API Management. To learn more, see [Enable tracing for an API](api-management-howto-api-inspector.md#enable-tracing-for-an-api).
+> The **Allow tracing** setting in subscriptions to enable debug traces is deprecated. To improve security, you can now enable tracing for specific API requests to API Management. To learn more, see [Enable tracing for an API](api-management-howto-api-inspector.md#enable-tracing-for-an-api).
 
 ## Prerequisites
 
-To take the steps in this article, the prerequisites are as follows:
+To complete the steps in this article, you need the following prerequisites:
 
 * [Create an API Management instance](get-started-create-service-instance.md).
 * Understand [subscriptions in API Management](api-management-subscriptions.md).
 
 ## Create a new subscription
 
-1. Navigate to your API Management instance in the [Azure portal](https://portal.azure.com).
+> [!NOTE]
+> API publishers (administrators or users with appropriate permissions to the API Management instance) create and manage subscriptions. API consumers typically request subscriptions through the developer portal or receive them directly from API publishers.
+
+1. Go to your API Management instance in the [Azure portal](https://portal.azure.com).
 1. Under **APIs** in the sidebar menu, select **Subscriptions**, then choose **Add subscription**.
-1. Provide a **Name** and optional **Display name** for the subscription.
-1. Select a **Scope** of the subscription from the dropdown list. To learn more, see [Scope of subscriptions](api-management-subscriptions.md#scope-of-subscriptions).
-1. Optionally, choose if the subscription should be associated with a **User** and whether to send a notification for use with the developer portal.
+1. Enter a **Name** and optional **Display name** for the subscription.
+1. Select a **Scope** of the subscription from the dropdown list. For more information, see [Scope of subscriptions](api-management-subscriptions.md#scope-of-subscriptions).
+1. Optionally, choose if the subscription should be associated with a **User**. 
+    * If you don't associate the subscription with a specific user, it becomes a standalone subscription that can be shared among multiple developers or teams.
+    * You can't directly assign subscriptions to Microsoft Entra ID security groups. To provide access to group members, create a standalone subscription and distribute the keys, or use Microsoft Entra ID authentication with policies for group-based access control.
+1. Optionally, choose whether to send a notification for use with the developer portal.
 1. Select **Create**.
 
 :::image type="content" source="media/api-management-howto-create-subscriptions/create-subscription.png" alt-text="Screenshot showing how to create an API Management subscription in the portal." lightbox="media/api-management-howto-create-subscriptions/create-subscription.png":::
@@ -45,3 +52,4 @@ After you create the subscription, it appears in the list on the **Subscriptions
 * [Azure API Management terminology](api-management-terminology.md)
 * [Tutorial: Import and publish your first API](import-and-publish.md)
 * [Azure API Management FAQs](api-management-faq.yml)
+* [Securely access products and APIs with Microsoft Entra applications](applications.md)

articles/api-management/api-management-howto-create-subscriptions.md

@@ -1,120 +1,79 @@
 ---
 title: Authorize Access to API Management Developer Portal by using Microsoft Entra External ID
 titleSuffix: Azure API Management
-description: Learn how to authorize users of the developer portal in Azure API Management by using Microsoft Entra External ID
+description: Learn how to authorize external users of the developer portal in Azure API Management by using Microsoft Entra External ID
 services: api-management
 author: dlepow
 
 ms.service: azure-api-management
 ms.topic: how-to
-ms.date: 09/30/2025
+ms.date: 12/08/2025
 ms.author: danlep
 ms.custom:
 
 ---
 
-# How to authorize developer accounts by using Microsoft Entra External ID
+# How to authorize developer accounts by using external identity providers in Microsoft Entra External ID
 
 [!INCLUDE [premium-dev-standard-premiumv2-standardv2-basicv2.md](../../includes/api-management-availability-premium-dev-standard-premiumv2-standardv2-basicv2.md)]
 
 [Microsoft Entra External ID](/entra/external-id/external-identities-overview) is a cloud identity management solution that allows external identities to securely access your apps and resources. You can use it to manage access to your API Management developer portal by external identities. 
 
-In this article, you learn the configuration of the Microsoft Entra ID identity provider for the following scenarios that are supported by the API Management developer portal: 
-
-* Integration with Microsoft Entra External ID in your *workforce tenant*. For example, if your workforce tenant is for the Contoso organization, you might want to configure Google or Facebook as an external identity provider so that these external users can also sign in using their accounts. 
-* Integration with Microsoft Entra External ID in a separate *external tenant*. This configuration only allows external users from that tenant to sign in to the developer portal. 
+For an overview of options to secure access to the developer portal, see [Secure access to the API Management developer portal](secure-developer-portal-access.md).
 
-> [!NOTE]
-> Currently, you can't configure more than one Microsoft Entra ID identity provider for the developer portal. 
+Currently, API Management supports external identity providers in Microsoft Entra External ID when configured in a Microsoft Entra ID *workforce tenant*. For example, if you're enabling access to the developer portal by users in your workforce tenant, such as the Contoso organization, you might want to configure Google or Facebook as an external identity provider so that these external users can also sign in using their accounts. [Learn more about workforce and external tenant configurations in Microsoft External ID](/entra/external-id/tenant-configurations).
 
-For an overview of options to secure access to the developer portal, see [Secure access to the API Management developer portal](secure-developer-portal-access.md).
+[!INCLUDE [api-management-developer-portal-entra-tenants.md](../../includes/api-management-developer-portal-entra-tenants.md)]
 
 [!INCLUDE [api-management-active-directory-b2c-support](../../includes/api-management-active-directory-b2c-support.md)]
 
 [!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../includes/active-directory-b2c-end-of-sale-notice-b.md)]
 
 ## Prerequisites
 
-* A Microsoft Entra ID tenant (workforce tenant) in which to enable external access, or a separate [external tenant](/entra/external-id/customers/how-to-create-external-tenant-portal)
+* A Microsoft Entra ID tenant (workforce tenant) in which to enable external access.
 * Permissions to create an application and configure user flows in the workforce tenant.
 * An API Management instance. If you don't already have one, [create an Azure API Management instance](get-started-create-service-instance.md).
 * If you created your instance in a v2 tier, enable the developer portal. For more information, see [Tutorial: Access and customize the developer portal](api-management-howto-developer-portal-customize.md).
 
 ## Add external identity provider to your tenant
 
-If you're using a workforce tenant, an external identity provider must be enabled in your workforce tenant. Configuring the external identity provider is outside the scope of this article. For more information, see [Identity providers for External ID in workforce tenant](/entra/external-id/identity-providers).
-
-## Create Microsoft Entra app registration
-
-Create an app registration in your Microsoft Entra ID tenant. The app registration represents the developer portal application in Microsoft Entra and enables the portal to sign in users by using Microsoft Entra ID.
-
-1. In the Azure portal, go to Microsoft Entra ID. 
-1. In the sidebar menu, under **Manage**, select **App registrations** >  **+ New registration**.
-1. In the **Register an application** page, enter your application's registration information.
-    * In the **Name** section, enter an application name of your choosing.
-    * In the **Supported account types** section, select **Accounts in this organizational directory only**.
-    * In **Redirect URI**, select **Single-page application (SPA)** and enter the following URL: `https://{your-api-management-service-name}.developer.azure-api.net/signin`, where `{your-api-management-service-name}` is the name of your API Management instance.
-    * Select **Register** to create the application.
-1.On the app **Overview** page, find the **Application (client) ID** and **Directory (tenant) ID** and copy these values to a safe location. You need them later.
-1. In the sidebar menu, under **Manage**, select **Certificates & secrets**. 
-1. From the **Certificates & secrets** page, on the **Client secrets** tab, select **+ New client secret**. 
-    * Enter a **Description**.
-    * Select any option for **Expires**.
-    * Choose **Add**. 
-1. Copy the client **Secret value** to a safe location before leaving the page. You need it later. 
-1. In the sidebar menu, under **Manage**, select **Token configuration** > **+ Add optional claim**.
-    1. In **Token type**, select **ID**.
-    1. Select (check) the following claims: **email**, **family_name**, **given_name**.
-    1. Select **Add**. If prompted, select **Turn on the Microsoft Graph email, profile permission**.
+For this scenario, you must enable an identity provider for External ID in your workforce tenant. Configuring the external identity provider depends on the specific provider and is outside the scope of this article. For options and links to steps, see [Identity providers for External ID in workforce tenants](/entra/external-id/identity-providers).
+
+[!INCLUDE [api-management-developer-portal-entra-app.md](../../includes/api-management-developer-portal-entra-app.md)]
 
 ## Enable self-service sign-up for your tenant
 
-For external users to sign up for access to the developer portal, you must complete these steps:
+To allow external users to register for access to the developer portal, complete the following steps:
 
-* Enable self-service sign-up for your tenant. 
+* Enable self-service sign-up for the external tenant. 
 * Add your app to the self-service sign-up user flow. 
 
-For more information and detailed steps, see the following articles, depending on whether you're using a workforce or an external tenant:
-
-- Workforce tenant: [Add self-service sign-up user flows for B2B collaboration](/entra/external-id/self-service-sign-up-user-flow) 
-- External tenant: [Create a sign-up and sign-in user flow for an external tenant app](/entra/external-id/customers/how-to-user-flow-sign-up-sign-in-customers) and [Add an app to the user flow](/entra/external-id/customers/how-to-user-flow-add-application)
-
-## Configure Microsoft Entra ID as an identity provider for developer portal
-
-In your API Management instance, configure the Microsoft Entra ID identity provider. You need the values you copied from your app registration in a previous section.
+For more information and detailed steps, see [Add self-service sign-up user flows for B2B collaboration](/entra/external-id/self-service-sign-up-user-flow).
 
-1. In the [Azure portal](https://portal.azure.com) tab, navigate to your API Management instance.
-1. In the sidebar menu, under **Developer portal**, select **Identities** > **+ Add**.
-1. In the **Add identity provider** page, select **Microsoft Entra ID**. Once selected, you're able to enter other necessary information. 
-    1. In **client id**, enter the **Application (client) ID** from your app registration.
-    1. In **Client secret**, enter the **Secret value** from your app registration.
-    1. In **Signin tenant**, enter the **Directory (tenant) ID** from your app registration.
-    * In the **Client library** dropdown, select **MSAL**.
-1. Select **Add**.
 
-    :::image type="content" source="media/api-management-howto-external-id/entra-id-identity-provider.png" alt-text="Screenshot of the Microsoft Entra ID identity provider configuration in the portal.":::
-1. Republish the developer portal for the Microsoft Entra configuration to take effect. In the sidebar menu, under **Developer portal**, select **Portal overview** > **Publish**.   
+## <a id="log_in_to_dev_portal"></a> Sign in to developer portal with Microsoft Entra External ID
 
-> [!IMPORTANT]
-> You need to [republish the developer portal](developer-portal-overview.md#publish-the-portal) when you create or update the identity provider's configuration settings for the changes to take effect.
+In the developer portal, you can enable sign in with Microsoft Entra External ID by using the **Sign-in button: OAuth** widget. The widget is already included on the sign-in page of the default developer portal content.
 
-## Sign in to developer portal with Microsoft Entra External ID
+A user can then sign in with Microsoft Entra External ID as follows:
 
-In the developer portal, sign-in with Microsoft Entra External ID is possible with the **Sign-in button: OAuth** widget. The widget is already included on the sign-in page of the default developer portal content.
+1. Go to the developer portal. Select **Sign in**.
 
-1. To sign in by using Microsoft Entra External ID, open a new browser window and go to the developer portal. Select **Sign in**.
+1. On the **Sign in** page, select **Microsoft Entra ID**.
 
-1. On the **Sign in** page, select **Azure Active Directory**.
+    :::image type="content" source="media/api-management-howto-external-id/developer-portal-sign-in.png" alt-text="Screenshot of selecting Microsoft Entra ID on Sign in page in developer portal.":::
 
-    :::image type="content" source="media/api-management-howto-external-id/developer-portal-sign-in.png" alt-text="Screenshot of select Azure Active Directory on Sign in page in developer portal.":::
+    > [!TIP]
+    > If you configure more than one Microsoft Entra tenant for access, more than one Microsoft Entra ID button appears on the sign-in page. Each button is labeled with the tenant name.
 
-1. In the sign-in window for your Microsoft Entra tenant, select **Sign-in options**. Select the identity provider you configured in your Microsoft Entra tenant to sign in. For example, if you configured Google as an identity provider, select **Sign in with Google**.
+1. In the sign-in window for your Microsoft Entra tenant, select **Sign-in options**. Select the external identity provider configured in your Microsoft Entra tenant to sign in. For example, if you configured Google as an identity provider, select **Sign in with Google**.
 
     :::image type="content" source="media/api-management-howto-external-id/sign-in-options.png" alt-text="Screenshot of select external identity provider in Microsoft Entra.":::
 
-To continue sign-in, respond to the prompts. After sign-in is complete, you're redirected back to the developer portal. 
+1. To continue sign-in, respond to the prompts. After sign-in is complete, the user is redirected back to the developer portal. 
 
-You're now signed in to the developer portal for your API Management service instance. You're added as a new API Management user identity in Users, and a new external tenant user in Microsoft Entra ID.
+The user is now signed in to the developer portal, added as a new API Management user identity in **Users**, and added as a new external tenant user in Microsoft Entra ID.
 
 ## Related content