Merge pull request #309627 from MicrosoftDocs/main

Auto Publish – main to live - 2025-12-16 18:00 UTC

Author: learn-build-service-prod[bot]

articles/api-management/service-limits.md

@@ -4,7 +4,7 @@ description: Learn about service limits in Azure API Management, including their
 author: dlepow
 ms.service: azure-api-management
 ms.topic: concept-article
-ms.date: 10/22/2025
+ms.date: 12/15/2025
 ms.author: danlep
 ai-usage: ai-assisted
 ---
@@ -27,21 +27,19 @@ Resource limits are interrelated and tuned to work together. They prevent any si
 
 ## Changes to service limits in Classic tiers
 
-Starting March 2026, Azure API Management will apply updated limits to instances in the Classic tiers (Developer, Basic, Standard, and Premium) and the Consumption tier. These updates align with each tier’s capabilities and help customers choose the right option for their needs.
-
-Current limits for Classic tiers are published [here](/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#limits---api-management-classic-tiers). By March 2026, the scope of entities with limits could be reduced.
+Starting March 2026, Azure API Management will publish and apply updated limits to instances in the Classic tiers (Developer, Basic, Standard, and Premium) and the Consumption tier. These updates will align with each tier’s capabilities and help customers choose the right option for their needs.
 
 ### What's changing
 
-* New limits for Classic tier resources are more easily compared with the limits in the [V2 service tiers](/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#limits---api-management-v2-tiers).
-* Previously, limits for certain resources in Classic tiers weren't defined explicitly or enforced. In practice, these resources were always constrained by service configuration, service capacity, number of scale units, policy configuration, and other factors. The new limits make these constraints explicit and predictable.
+* New limits for Classic tier resources will be more easily compared with the limits in the [V2 service tiers](/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=%2Fazure%2Fapi-management%2Ftoc.json&bc=%2Fazure%2Fapi-management%2Fbreadcrumb%2Ftoc.json#limits---api-management-v2-tiers).
+* Previously, limits for certain resources in Classic tiers weren't defined explicitly or enforced. In practice, these resources were always constrained by service configuration, service capacity, number of scale units, policy configuration, and other factors. The new limits will make these constraints explicit and predictable.
 
 ### Limits policy for existing customers
 
-If your existing API Management instance already exceeds new Classic tier limits, you can continue using your resources without interruption. This means:
+After the new Classic tier limits take effect, you can continue using your resources without interruption. This means:
 
-* Existing services that already exceed published limits aren't impacted.
-* You're able to make changes to existing resources and add new resources up to a small threshold above your current usage.
+* Existing Classic tier services that already exceed published limits won't be impacted.
+* You'll be able to make changes to existing resources and add new resources up to a small threshold above your current usage.
 
 This approach ensures that existing workloads aren't disrupted while still encouraging alignment with the new limits over time.
 

articles/app-service/configure-authentication-ai-foundry-openapi-tool.md

@@ -2,7 +2,7 @@
 title: Secure OpenAPI tool calls from Foundry Agent Service
 description: Configure Microsoft Entra authentication to secure Microsoft Foundry tool calls with managed identity, step by step.
 ms.topic: how-to
-ms.date: 10/28/2025
+ms.date: 12/04/2025
 author: cephalin
 ms.author: cephalin
 ms.service: azure-app-service
@@ -28,13 +28,38 @@ This article shows you how to secure your App Service OpenAPI endpoints when the
 
 You need both the object ID and the application ID of your Microsoft Foundry project's managed identity to configure App Service authentication. A system-assigned managed identity is automatically created for your Microsoft Foundry project when you create it. This identity is what Foundry Agent Service uses to authenticate with your app.
 
+# [New Foundry portal](#tab/new-foundry)
+
+1. In the [Foundry portal](https://ai.azure.com) make sure you select **New Foundry** in the top right corner. Note the new Foundry portal doesn't show agents created in the classic portal. 
+
+1. From the top right menu, select **Operate** > **Admin**. Then select your project's parent resource in the **Parent resource** column.
+
+1. In the parent resource's details page, select **Manage this resource in the Azure Portal**.
+
+    > [!NOTE]
+    > Before you move on, make sure you're on a Foundry resource page, *not* a Foundry project resource page.
+
+1. In the Foundry resource's left menu, select **Resource Management** > **Identity**.
+
+1. Under **System assigned**, copy the value of **Object (principal) ID** for later.
+
+1. In the Azure portal, search for and select **Microsoft Entra ID**.
+
+1. In the search box, search for the object ID you copied and select it in the search results.
+
+1. On the **Overview** page, copy the value of **Application ID**. 
+
+    Note the **Object ID** is the same as the one shown in the system-assigned managed identity. You need both the application ID and the object ID for configuring App Service authentication.
+
+# [Classic Foundry portal](#tab/classic)
+
 1. In the [Foundry portal](https://ai.azure.com), navigate to your project and select **Overview**.
 
 1. In the **Project details** section on the right, select the link next to **Resource group** to open the resource group in the Azure portal.
 
-1. In the resource group, find and select your Microsoft Foundry project resource.
+1. In the resource group, find and select the Foundry resource (*not* the Foundry project resource).
 
-1. In the project resource's left menu, select **Resource Management** > **Identity**.
+1. In the Foundry resource's left menu, select **Resource Management** > **Identity**.
 
 1. Under **System assigned**, copy the value of **Object (principal) ID** for later.
 
@@ -46,6 +71,8 @@ You need both the object ID and the application ID of your Microsoft Foundry pro
 
     Note the **Object ID** is the same as the one shown in the system-assigned managed identity. You need both the application ID and the object ID for configuring App Service authentication.
 
+---
+
 ## Configure Microsoft Entra authentication for your app
 
 1. In the Azure portal, navigate to your App Service app.
@@ -94,22 +121,38 @@ After enabling authentication, you need to update the app registration's Applica
 > [!NOTE]
 > This section assumes you already completed one of the tutorials in the [Prerequisites](#prerequisites) section, where you added your app as an OpenAPI tool in Microsoft Foundry using anonymous authentication. You now update the tool to use managed identity authentication.
 
+# [New Foundry portal](#tab/new-foundry)
+
+1. Back in the [Foundry portal](https://ai.azure.com), select your agent.
+
+1. Find the OpenAPI tool and select **...** > **Edit**.
+
+1. The **OpenAPI 3.0+ schema** box should have the schema from your App Service app. If not, paste in your OpenAPI schema. For more information, see [How to use OpenAPI with Foundry Agent Service](/azure/ai-services/agents/how-to/tools/openapi-spec).
+
+1. For **Authentication method**, select **Managed identity**.
+
+1. For **Audience**, enter your App Service app's URL. This URL must match the **Application ID URI** that you configured earlier.
+
+1. Select **Update tool**.
+
+# [Classic Foundry portal](#tab/classic)
+
 1. Back in the [Foundry portal](https://ai.azure.com), select your agent.
 
 1. Find the OpenAPI tool and select it to edit.
 
-1. In the **Define the schema for this tool** page:
+1. In the **Define the schema for this tool** page, paste your OpenAPI schema. For more information, see [How to use OpenAPI with Foundry Agent Service](/azure/ai-services/agents/how-to/tools/openapi-spec).
 
-   1. Paste your OpenAPI schema. For more information, see [How to use OpenAPI with Foundry Agent Service](/azure/ai-services/agents/how-to/tools/openapi-spec).
-   
-   1. For **Authentication method**, select **Managed Identity**.
-   
-   1. For **Audience**, enter your App Service app's URL. This URL must match the **Application ID URI** that you configured earlier.
+1. For **Authentication method**, select **Managed Identity**.
 
-   > [!TIP]
-   > Foundry Agent Service uses the system-assigned managed identity to authenticate with your app. Because you added the identity's client ID as an allowed client application and an allowed identity in your app's authentication provider configuration, the agent service is authorized to call your app's APIs.
+1. For **Audience**, enter your App Service app's URL. This URL must match the **Application ID URI** that you configured earlier.
+
+1. Save the tool.
+
+---
 
-1. Review and save the tool.
+> [!TIP]
+> Foundry Agent Service uses the system-assigned managed identity to authenticate with your app. Because you added the identity's client ID as an allowed client application and an allowed identity in your app's authentication provider configuration, the agent service is authorized to call your app's APIs.
 
 ## Test the agent
 

articles/app-service/includes/tutorial-ai-agent-web-app-semantic-kernel-foundry-dotnet/configure-agent-permissions.md

@@ -0,0 +1,22 @@
+---
+title: Configure permissions for Foundry project resource
+description: Steps to assign the required Azure role for your App Service app to access the Foundry project resource.
+ms.author: cephalin
+ms.topic: include
+ms.date: 12/08/2025
+ms.service: azure-app-service
+---
+
+1. From the top menu of the new Foundry portal, select **Operate**, then select **Admin**. In the row for your Foundry project, you should see two links. The one in the **Name** column is the Foundry project resource, and the one in the **Parent resource** column is the Foundry resource.
+
+    :::image type="content" source="../../media/tutorial-ai-agent-web-app-semantic-kernel-foundry-dotnet/select-foundry-and-foundry-project.png" alt-text="Screenshot showing how to quickly go to the foundry resource or foundry project resource.":::
+
+1. Select the Foundry project resource in the **Name** column and then select **Manage this resource in the Azure portal**. From the Azure portal, you can assign role-based access for the resource to the deployed web app.
+
+1. Add the following role for the App Service app's managed identity:
+
+    | Target resource                | Required role                       | Needed for              |
+    |--------------------------------|-------------------------------------|-------------------------|
+    | Foundry Project       | Azure AI User                       | Reading and calling the Foundry agent. |
+
+    For instructions, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).

articles/app-service/includes/tutorial-ai-agent-web-app-semantic-kernel-foundry-dotnet/configure-model-permissions.md

@@ -0,0 +1,22 @@
+---
+title: Configure permissions for Microsoft Foundry resource
+description: Steps to assign the required Azure role for your App Service app to access the Microsoft Foundry resource.
+ms.author: cephalin
+ms.topic: include
+ms.date: 12/08/2025
+ms.service: azure-app-service
+---
+
+1. From the top menu of the new Foundry portal, select **Operate**, then select **Admin**. In the row for your Foundry project, you should see two links. The one in the **Name** column is the Foundry project resource, and the one in the **Parent resource** column is the Foundry resource.
+
+    :::image type="content" source="../../media/tutorial-ai-agent-web-app-semantic-kernel-foundry-dotnet/select-foundry-and-foundry-project.png" alt-text="Screenshot showing how to quickly go to the foundry resource or foundry project resource.":::
+
+1. Select the Foundry resource in the **Parent resource** and then select **Manage this resource in the Azure portal**. From the Azure portal, you can assign role-based access for the resource to the deployed web app.
+
+1. Add the following role for the App Service app's managed identity:
+
+    | Target resource                | Required role                       | Needed for              |
+    |--------------------------------|-------------------------------------|-------------------------|
+    | Foundry               | Cognitive Services OpenAI User      | The chat completion service in Microsoft Agent Framework. |
+
+    For instructions, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).

articles/app-service/includes/tutorial-ai-agent-web-app-semantic-kernel-foundry-dotnet/create-agent.md

@@ -0,0 +1,24 @@
+---
+title: Create a Foundry agent with OpenAPI tool
+description: Steps to create a Foundry agent in the portal and configure it with an OpenAPI tool to call your web app.
+ms.author: cephalin
+ms.topic: include
+ms.date: 12/08/2025
+ms.service: azure-app-service
+---
+
+1. In the [Foundry portal](https://ai.azure.com), make sure the top **New Foundry** radio button is set to active and create a project. 
+
+1. In the home page, copy the **Project endpoint** for later.
+
+1. Select **Start building** > **Create agent** and follow the prompt.
+
+1. In the new agent's playground, create an OpenAPI tool to call your web app by selecting **Tools** > **Add** > **Custom** > **OpenAPI tool** > **Create**. In the **Setup** pane, add an action with the OpenAPI spec tool. Use the OpenAPI schema that you get from the deployed web app and **anonymous** authentication. For detailed steps, see [How to use the OpenAPI spec tool](/azure/ai-foundry/agents/how-to/tools/openapi?view=foundry&preserve-view=true).
+
+    Your application code is already configured to include the server's `url` and `operationId`, which are needed by the agent. For more information, see [Connect to OpenAPI Specification](/azure/ai-foundry/agents/how-to/tools/openapi?view=foundry&preserve-view=true#prerequisites).
+
+1. Be sure to select **Save**.
+
+1. Select **Try in playground** and test your Foundry agent with prompts like "*Show me all the tasks*" and "*Please add a task.*"
+
+    If you get a valid response, the agent is making tool calls to the OpenAPI endpoint on your deployed web app.

articles/app-service/includes/tutorial-ai-agent-web-app-semantic-kernel-foundry-dotnet/create-model.md

@@ -0,0 +1,18 @@
+---
+title: Create and deploy a model in Microsoft Foundry
+description: Steps to create a Microsoft Foundry project and deploy a model for use with your agent.
+ms.author: cephalin
+ms.topic: include
+ms.date: 12/08/2025
+ms.service: azure-app-service
+---
+
+1. In the [Foundry portal](https://ai.azure.com), make sure the top **New Foundry** radio button is set to active and create a project. 
+
+1. Deploy a model of your choice (see [Microsoft Foundry Quickstart: Create resources](/azure/ai-foundry/quickstarts/get-started-code?view=foundry&preserve-view=true#create-resources)).
+
+1. From top of the model playground, copy the model name.
+
+1. The easiest way to get the Azure OpenAI endpoint is still from the classic portal. Select the **New Foundry** radio button, then **Azure OpenAI**, and then copy the URL in **Azure OpenAI endpoint** for later.
+
+    :::image type="content" source="../../media/tutorial-ai-agent-web-app-semantic-kernel-foundry-dotnet/foundry-project-openai-endpoint.png" alt-text="Screenshot showing how to copy the OpenAI endpoint and the foundry project endpoint in the foundry portal.":::

articles/app-service/includes/tutorial-ai-integrate-azure-ai-agent-dotnet/create-agent.md

@@ -0,0 +1,27 @@
+---
+title: Create an agent in Microsoft Foundry
+description: Steps to create an agent in the Microsoft Foundry portal and add an OpenAPI tool.
+ms.author: cephalin
+ms.topic: include
+ms.date: 12/03/2025
+ms.service: azure-app-service
+---
+
+> [!NOTE]
+> These steps use the new Foundry portal.
+
+1. In the [Foundry portal](https://ai.azure.com/), in the top right menu, select **New Foundry**.
+1. If this is your first time in the new Foundry portal, select the project name and select **Create new project**.
+1. Give your project a name and select **Create**.
+1. Select **Start building**, then **Create agent**.
+1. Give your agent a name and select **Create**. When the agent is ready, you should see the agent playground.
+
+    Note the [models you can use and the available regions](/azure/ai-foundry/agents/concepts/model-region-support?view=foundry&tabs=global-standard&preserve-view=true). 
+
+1. In the agent playground, expand **Tools** and select **Add** > **Custom** > **OpenAPI tool** > **Create**.
+1. Give the tool a name and a description. In the **OpenAPI 3.0+ schema** box, paste the schema that you copied earlier.
+1. Select **Create tool**.
+1. Select **Save**.
+
+> [!TIP]
+> In this tutorial, the OpenAPI tool is configured to call your app anonymously without authentication. For production scenarios, you should secure the tool with managed identity authentication. For step-by-step instructions, see [Secure OpenAPI endpoints for Foundry Agent Service](../../configure-authentication-ai-foundry-openapi-tool.md).

articles/app-service/includes/tutorial-ai-integrate-azure-ai-agent-dotnet/test-agent.md

@@ -0,0 +1,18 @@
+---
+title: Test the Foundry agent
+description: Test your Foundry agent in the playground with sample prompts to verify the OpenAPI tool integration.
+ms.author: cephalin
+ms.topic: include
+ms.date: 12/03/2025
+ms.service: azure-app-service
+---
+
+1. In **Instructions**, give some simple instructions, like *"Please use the todosApp tool to help manage tasks."*
+
+1. Chat with the agent with the following prompt suggestions:
+
+    - Show me all the tasks.
+    - Create a task called "Come up with three lettuce jokes."
+    - Change that to "Come up with three knock-knock jokes."
+    
+    :::image type="content" source="../../media/tutorial-ai-integrate-azure-ai-agent-dotnet/agents-playground.png" alt-text="Screenshot showing the agents playground in the middle of a conversation that takes actions by using the OpenAPI tool.":::

articles/app-service/index.yml

@@ -72,8 +72,6 @@ landingContent:
             url: tutorial-ai-openai-chatbot-java.md            
           - text: Run a chatbot with a local SLM (Express.js)
             url: tutorial-ai-slm-expressjs.md
-          - text: Invoke a web app from Azure AI Agent
-            url: invoke-openapi-web-app-from-azure-ai-agent-service.md
 
   - title: Secure and deploy  
     linkLists: