MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json‎
Lines changed: 40 additions & 0 deletions b/‎.openpublishing.redirection.json‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎articles/active-directory-b2c/phone-based-mfa.md‎
Lines changed: 33 additions & 9 deletions b/‎articles/active-directory-b2c/phone-based-mfa.md‎
Lines changed: 33 additions & 9 deletions
diff --git a/‎articles/app-service/app-service-hybrid-connections.md‎
Lines changed: 1 addition & 1 deletion b/‎articles/app-service/app-service-hybrid-connections.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/app-service/configure-authentication-ai-foundry-openapi-tool.md‎
Lines changed: 129 additions & 0 deletions b/‎articles/app-service/configure-authentication-ai-foundry-openapi-tool.md‎
Lines changed: 129 additions & 0 deletions
@@ -15,6 +15,46 @@
       "redirect_url": "/azure/backup/secure-by-default",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/migrate/concepts-azure-spring-apps-assessment-calculation.md",
+      "redirect_url": "/azure/migrate",
+      "redirect_document_id": false,
+      "monikers": [
+        "migrate"
+      ]
+    },
+    {
+      "source_path": "articles/migrate/how-to-create-azure-spring-apps-assessment.md",
+      "redirect_url": "/azure/migrate",
+      "redirect_document_id": false,
+      "monikers": [
+        "migrate"
+      ]
+    },
+    {
+      "source_path": "articles/migrate/troubleshoot-spring-boot-discovery.md",
+      "redirect_url": "/azure/migrate",
+      "redirect_document_id": false,
+      "monikers": [
+        "migrate"
+      ]
+    },
+    {
+      "source_path": "articles/migrate/tutorial-assess-spring-boot.md",
+      "redirect_url": "/azure/migrate",
+      "redirect_document_id": false,
+      "monikers": [
+        "migrate"
+      ]
+    },
+    {
+      "source_path": "articles/migrate/tutorial-discover-spring-boot.md",
+      "redirect_url": "/azure/migrate",
+      "redirect_document_id": false,
+      "monikers": [
+        "migrate"
+      ]
+    },
     {
       "source_path": "articles/azure-functions/functions-proxies.md",
       "redirect_url": "/previous-versions/azure/azure-functions/functions-proxies",
 
@@ -7,7 +7,7 @@ author: kengaderdus
 manager: CelesteDG
 ms.service: azure-active-directory
 ms.topic: how-to
-ms.date: 10/23/2024
+ms.date: 11/05/2025
 ms.author: kengaderdus
 ms.subservice: b2c
 ms.custom: sfi-image-nochange
@@ -93,7 +93,7 @@ Take the following actions to help mitigate fraudulent sign-ups.
    - [Configure a Conditional Access policy](conditional-access-user-flow.md) to block sign-ins based on location (applies to sign-in flows only, not sign-up flows).
    - To prevent automated attacks on your consumer-facing apps, [enable CAPTCHA](add-captcha.md). Azure AD B2C’s CAPTCHA supports both audio and visual CAPTCHA challenges, and applies to both sign-up and sign-in flows for your local accounts.
 
-- Remove country codes that aren't relevant to your organization from the drop-down menu where the user verifies their phone number (this change will apply to future sign-ups):
+- Remove country/region codes that aren't relevant to your organization from the drop-down menu where the user verifies their phone number (this change will apply to future sign-ups):
 
    1. Sign in to the [Azure portal](https://portal.azure.com) as the [External ID User Flow Administrator](/entra/identity/role-based-access-control/permissions-reference#external-id-user-flow-administrator) of your Azure AD B2C tenant.
    1. If you have access to multiple tenants, select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
@@ -104,9 +104,9 @@ Take the following actions to help mitigate fraudulent sign-ups.
 
    1. Open the JSON file that was downloaded in the previous step. In the file, search for `DEFAULT`, and replace the line with `"Value": "{\"DEFAULT\":\"Country/Region\",\"US\":\"United States\"}"`. Be sure to set `Overrides` to `true`.
 
- To implement SMS blocking effectively, make sure the Overrides setting is enabled (set to true) only for your organization’s primary or default language. Do not enable Overrides for any secondary or non-primary languages, as this can cause unexpected SMS blocking. Since the countryList in the JSON file acts as an allow list, be sure to include all countries that should be permitted to send SMS in this list for the primary language configuration when Overrides is true.
+ To implement SMS blocking effectively, make sure the Overrides setting is enabled (set to true) only for your organization’s primary or default language. Do not enable Overrides for any secondary or non-primary languages, as this can cause unexpected SMS blocking. Since the countryList in the JSON file acts as an allow list, be sure to include all countries/regions that should be permitted to send SMS in this list for the primary language configuration when Overrides is true.
    > [!NOTE]
-   > You can customize the list of allowed country codes in the `countryList` element (see the [Phone factor authentication page example](localization-string-ids.md#phone-factor-authentication-page-example)).
+   > You can customize the list of allowed country/region codes in the `countryList` element (see the [Phone factor authentication page example](localization-string-ids.md#phone-factor-authentication-page-example)).
 
    1. Save the JSON file. In the language details panel, under **Upload new overrides**, select the modified JSON file to upload it.
    1. Close the panel and select **Run user flow**. For this example, confirm that **United States** is the only country code available in the dropdown:
@@ -115,11 +115,32 @@ Take the following actions to help mitigate fraudulent sign-ups.
 
 ## Mitigate fraudulent sign-ups for custom policy
 
-To help prevent fraudulent sign-ups, remove any country codes that do not apply to your organization by following these steps:
+To help prevent fraudulent sign-ups, remove any country/region codes that do not apply to your organization by following these steps:
 
-1. Locate the policy file that defines the `RelyingParty`. For example, in the [Starter Pack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack), this is usually the SignUpOrSignin.xml file.
+1. Locate the policy file that defines the `RelyingParty`. For example, in the [Starter Pack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack), this is usually the SignUpOrSignin.xml file. See the following snippet.
 
-1. In the `BuildingBlocks` section of this policy file, add the following code. Make sure to include only the country codes relevant to your organization:
+     ```xml
+    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+    <TrustFrameworkPolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+      xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" PolicySchemaVersion="0.3.0.0" TenantId="yourtenant.onmicrosoft.com" PolicyId="B2C_1A_signup_signin" PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_signup_signin">
+    
+      <BasePolicy>
+        <TenantId>yourtenant.onmicrosoft.com</TenantId>
+        <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
+      </BasePolicy>
+    
+      <BuildingBlocks>
+         <!-- Add the XML code outlined in Step 2 if this section. -->
+      </BuildingBlocks>
+    
+      <RelyingParty>
+        ...
+      </RelyingParty>
+    </TrustFrameworkPolicy>
+    ```
+
+1. In the `BuildingBlocks` section of this policy file, add the following code. Make sure to include only the country/region codes relevant to your organization:
 
    ```xml
     <BuildingBlocks>
@@ -155,10 +176,13 @@ To help prevent fraudulent sign-ups, remove any country codes that do not apply
      </BuildingBlocks>
     ```
 
-The countryList acts as an allow list. Only the countries you specify in this list (for example, Japan, Bulgaria, and the United States) are permitted to use MFA. All other countries are blocked.
+    The countryList acts as an allow list. Only the countries/regions you specify in this list (for example, Japan, Bulgaria, and the United States) are permitted to use MFA. All other countries/regions are blocked.
+
+  > [!IMPORTANT]
+  > This code must be added to the relying party policy to ensure the country/region code restrictions are properly enforced on the server side. 
 
 ## Related content
 
 - Learn about [Identity Protection and Conditional Access for Azure AD B2C](conditional-access-identity-protection-overview.md) 
 
-- Apply [Conditional Access to user flows in Azure Active Directory B2C](conditional-access-user-flow.md)
+- Apply [Conditional Access to user flows in Azure Active Directory B2C](conditional-access-user-flow.md)
@@ -138,7 +138,7 @@ In addition to there being an App Service plan SKU requirement, there's an extra
 
 The Hybrid Connections feature requires a relay agent in the network that hosts your Hybrid Connection endpoint. That relay agent is called the Hybrid Connection Manager (HCM). To download the Hybrid Connection Manager, follow the instructions for your client.
 
-This tool runs on both Windows and Linux. On Windows, the Hybrid Connection Manager requires Windows Server 2012 and later. The Hybrid Connection Manager runs as a service and connects outbound to Azure Relay on port 443.
+This tool runs on both Windows and Linux. The Hybrid Connection Manager runs as a service and connects outbound to Azure Relay on port 443. On Windows, the current version requires Windows Server 2012 or later, but only supports the CLI interface on Windows Server 2012 (the GUI requires Windows Server 2016 or later). A legacy version that supports the GUI on Windows Server 2012 is available but not recommended - see the note in the troubleshooting section for details.
 
 > [!NOTE]
 > As of October 20, 2025, [Azure Service Bus no longer supports TLS 1.0 and TLS 1.1][ServiceBus]. The minimum TLS version is now 1.2 for all Service Bus deployments. Hybrid Connections use Service Bus for connectivity. App Service Hybrid Connection Manager version 0.7.7 and later supports TLS 1.2. If you are on a previous version, **you must update to the new version of the Hybrid Connection Manager as soon as possible to prevent service disruption.**
 
@@ -0,0 +1,129 @@
+---
+title: Secure OpenAPI tool calls from Azure AI Foundry Agent Service
+description: Configure Microsoft Entra authentication to secure Azure AI Foundry tool calls with managed identity, step by step.
+ms.topic: how-to
+ms.date: 10/28/2025
+author: cephalin
+ms.author: cephalin
+ms.service: azure-app-service
+ms.collection: ce-skilling-ai-copilot
+---
+
+# Secure OpenAPI endpoints for Azure AI Foundry Agent Service
+
+This article shows you how to secure your App Service OpenAPI endpoints when they're called by Azure AI Foundry Agent Service. When you add your App Service app as an OpenAPI tool in Azure AI Foundry, you can configure it to call your APIs anonymously without authentication, which is easier for development and testing. However, for production environments, you should use Microsoft Entra authentication with managed identity. This guide walks you through configuring managed identity authentication to enable secure, token-based communication between Azure AI Foundry and your app.
+
+## Prerequisites
+
+- An App Service app with OpenAPI endpoints. If you need to add OpenAPI functionality to your app, see one of the following tutorials:
+  - [Add an App Service app as a tool in Azure AI Foundry Agent Service (.NET)](tutorial-ai-integrate-azure-ai-agent-dotnet.md)
+  - [Add an App Service app as a tool in Azure AI Foundry Agent Service (Java)](tutorial-ai-integrate-azure-ai-agent-java.md)
+  - [Add an App Service app as a tool in Azure AI Foundry Agent Service (Python)](tutorial-ai-integrate-azure-ai-agent-python.md)
+  - [Add an App Service app as a tool in Azure AI Foundry Agent Service (Node.js)](tutorial-ai-integrate-azure-ai-agent-node.md)
+
+- An Azure AI Foundry project where you'll add your app as an OpenAPI tool.
+
+## Find your Azure AI Foundry project's managed identity IDs
+
+You need both the object ID and the application ID of your Azure AI Foundry project's managed identity to configure App Service authentication. A system-assigned managed identity is automatically created for your Azure AI Foundry project when you create it. This identity is what Azure AI Foundry Agent Service uses to authenticate with your app.
+
+1. In the [Azure AI Foundry portal](https://ai.azure.com), navigate to your project and select **Overview**.
+
+1. In the **Project details** section on the right, select the link next to **Resource group** to open the resource group in the Azure portal.
+
+1. In the resource group, find and select your AI Foundry project resource.
+
+1. In the project resource's left menu, select **Resource Management** > **Identity**.
+
+1. Under **System assigned**, copy the value of **Object (principal) ID** for later.
+
+1. In the Azure portal, search for and select **Microsoft Entra ID**.
+
+1. In the search box, search for the object ID you copied and select it in the search results.
+
+1. On the **Overview** page, copy the value of **Application ID**. 
+
+    Note the **Object ID** is the same as the one shown in the system-assigned managed identity. You need both the application ID and the object ID for configuring App Service authentication.
+
+## Configure Microsoft Entra authentication for your app
+
+1. In the Azure portal, navigate to your App Service app.
+
+1. On your app's left menu, select **Settings** > **Authentication**, and then select **Add identity provider**.
+
+1. On the **Add an identity provider** page, select **Microsoft** as the **Identity provider** to create a new app registration.
+
+1. Under **Additional checks**, for **Client application requirement**, select **Allow requests from specific client applications**.
+
+1. Select the pencil widget and add the **application ID** that you copied in [Find your Azure AI Foundry project's managed identity IDs](#find-your-azure-ai-foundry-projects-managed-identity-ids).
+
+1. For **Identity requirement**, select **Allow requests from specific identities**.
+
+1. Select the pencil widget and add the **object ID** that you copied in [Find your Azure AI Foundry project's managed identity IDs](#find-your-azure-ai-foundry-projects-managed-identity-ids).
+
+1. For **Tenant requirement** accept the default value. If not, be sure to select the tenant where your Azure AI Foundry project (or rather its identity) is created.
+
+1. For **Unauthenticated requests**, select **HTTP 401 Unauthorized: recommended for APIs**.
+
+1. Select **Add** to create the identity provider.
+
+   :::image type="content" source="media/configure-authentication-ai-foundry-openapi-tool/entra-auth-configuration.png" alt-text="Screenshot showing the configuration of a new Microsoft authentication provider in the App Service.":::
+
+## Update the app registration Application ID URI
+
+After enabling authentication, you need to update the app registration's Application ID URI to match your App Service app's URL.
+
+1. After the Microsoft provider configuration completes, select it in the **Identity provider** column to open the app registration page.
+
+1. In the left menu, select **Manage** > **Expose an API**.
+
+1. Next to **Application ID URI**, select **Edit**.
+
+1. Change the value to your App Service app's URL in the following format: `https://<suffix>.azurewebsites.net`.
+
+    You can find the app's hostname on the **Overview** page in **Default domain**.
+
+1. Select **Save**.
+
+> [!WARNING]
+> If you delete your App Service app, you must also delete the app registration and clean up any authentication resources that reference the Application ID URI. Failing to do so creates a security vulnerability: if someone else creates an app with the same URL, they could potentially gain unauthorized access to resources that trust the orphaned app registration. Always remove app registrations and their associated permissions when decommissioning an app.
+
+## Configure the OpenAPI tool in Azure AI Foundry
+
+> [!NOTE]
+> This section assumes you already completed one of the tutorials in the [Prerequisites](#prerequisites) section, where you added your app as an OpenAPI tool in Azure AI Foundry using anonymous authentication. You now update the tool to use managed identity authentication.
+
+1. Back in the [Azure AI Foundry portal](https://ai.azure.com), select your agent.
+
+1. Find the OpenAPI tool and select it to edit.
+
+1. In the **Define the schema for this tool** page:
+
+   1. Paste your OpenAPI schema. For more information, see [How to use OpenAPI with Azure AI Foundry Agent Service](/azure/ai-services/agents/how-to/tools/openapi-spec).
+   
+   1. For **Authentication method**, select **Managed Identity**.
+   
+   1. For **Audience**, enter your App Service app's URL. This URL must match the **Application ID URI** that you configured earlier.
+
+   > [!TIP]
+   > Azure AI Foundry Agent Service uses the system-assigned managed identity to authenticate with your app. Because you added the identity's client ID as an allowed client application and an allowed identity in your app's authentication provider configuration, the agent service is authorized to call your app's APIs.
+
+1. Review and save the tool.
+
+## Test the agent
+
+1. In the Azure AI Foundry portal, select your agent and select **Try in playground**.
+
+1. Chat with the agent to test your OpenAPI endpoints. For example:
+
+   - Show me all the tasks.
+   - Create a task called "Buy groceries."
+   - Update that task to "Buy groceries and cook dinner."
+
+If the authentication is configured correctly, the agent successfully calls your app's APIs through the OpenAPI tool.
+
+## Related content
+
+- [Configure your App Service or Azure Functions app to use Microsoft Entra sign-in](configure-authentication-provider-aad.md)
+- [Integrate AI into your Azure App Service applications](overview-ai-integration.md)
+- [What is Azure AI Foundry Agent Service?](/azure/ai-services/agents/overview)