diff --git a/articles/active-directory-b2c/access-tokens.md b/articles/active-directory-b2c/access-tokens.md index 8902d4e8e9826..f1410861fe61e 100644 --- a/articles/active-directory-b2c/access-tokens.md +++ b/articles/active-directory-b2c/access-tokens.md 
@@ -6,65 +6,111 @@ author: kengaderdus manager: CelesteDG ms.service: azure-active-directory - ms.topic: concept-article ms.date: 02/17/2025 ms.author: kengaderdus ms.subservice: b2c - -#Customer intent: As a developer integrating Azure Active Directory B2C with a web application and web API, I want to understand how to request an access token, so that I can authenticate and authorize users to access my APIs securely. - +# Customer intent: +# As a developer integrating Azure Active Directory B2C into a web application and web API, +# I want to understand how to request and use access tokens so that I can securely +# authenticate users and authorize API access. --- + # Request an access token in Azure Active Directory B2C [!INCLUDE [active-directory-b2c-end-of-sale-notice-b](../../includes/active-directory-b2c-end-of-sale-notice-b.md)] -An *access token* contains claims that you can use in Azure Active Directory B2C (Azure AD B2C) to identify the granted permissions to your APIs. To call a resource server, the HTTP request must include an access token. An access token is denoted as **access_token** in the responses from Azure AD B2C. +An *access token* contains claims that can be used in Azure Active Directory B2C (Azure AD B2C) to identify permissions granted to an application or API. To call a protected API or resource server, the HTTP request must include a valid access token. -This article shows you how to request an access token for a web application and web API. For more information about tokens in Azure AD B2C, see the [overview of tokens in Azure Active Directory B2C](tokens-overview.md). +In Azure AD B2C responses, the access token is returned as **access_token**. + +This article explains how to request and use access tokens for web applications and web APIs. + +For more information about tokens, see [Overview of tokens in Azure Active Directory B2C](tokens-overview.md). 
> [!NOTE] -> **Web API chains (On-Behalf-Of) is not supported by Azure AD B2C** - Many architectures include a web API that needs to call another downstream web API, both secured by Azure AD B2C. This scenario is common in clients that have a web API back end, which in turn calls another service. This chained web API scenario can be supported by using the OAuth 2.0 JWT Bearer Credential grant, otherwise known as the On-Behalf-Of flow. However, the On-Behalf-Of flow is not currently implemented in Azure AD B2C. Although On-Behalf-Of works for applications registered in Microsoft Entra ID, it does not work for applications registered in Azure AD B2C, regardless of the tenant (Microsoft Entra ID or Azure AD B2C) that is issuing the tokens. +> **Web API chains (On-Behalf-Of) are not supported in Azure AD B2C** +> +> Some architectures include a web API that calls another downstream web API secured by Azure AD B2C. This scenario is commonly known as the *On-Behalf-Of* (OBO) flow or OAuth 2.0 JWT Bearer Credential grant. +> +> Although the OBO flow is supported in Microsoft Entra ID, it is currently **not supported** for applications registered in Azure AD B2C tenants. + +--- ## Prerequisites -- [Create a user flow](tutorial-create-user-flows.md) to enable users to sign up and sign in to your application. -- If you haven't already done so, [add a web API application to your Azure Active Directory B2C tenant](add-web-api-application.md). +Before requesting an access token, complete the following setup steps: + +- [Create a user flow](tutorial-create-user-flows.md) to enable user sign-up and sign-in. +- [Add a web API application to your Azure AD B2C tenant](add-web-api-application.md). + +--- ## Scopes -Scopes provide a way to manage permissions to protected resources. When an access token is requested, the client application needs to specify the desired permissions in the **scope** parameter of the request. 
For example, to specify the **Scope Value** of `read` for the API that has the **App ID URI** of `https://contoso.onmicrosoft.com/api`, the scope would be `https://contoso.onmicrosoft.com/api/read`. +Scopes define the permissions that a client application requests for accessing protected resources. -Scopes are used by the web API to implement scope-based access control. For example, users of the web API could have both read and write access, or users of the web API might have only read access. To acquire multiple permissions in the same request, you can add multiple entries in the single **scope** parameter of the request, separated by spaces. +When requesting an access token, the client application specifies the required permissions in the `scope` parameter. -The following example shows scopes decoded in a URL: +For example, if the API exposes a scope named `read` and has the App ID URI: +```text +https://contoso.onmicrosoft.com/api ``` -scope=https://contoso.onmicrosoft.com/api/read openid offline_access + +Then the full scope value becomes: + +```text +https://contoso.onmicrosoft.com/api/read ``` -The following example shows scopes encoded in a URL: +Scopes are used by APIs to implement scope-based authorization. For example: + +- Some users may only have **read** access +- Other users may have both **read** and **write** access + +To request multiple scopes, separate them with spaces. +### Example: Decoded scope value + +```text +scope=https://contoso.onmicrosoft.com/api/read openid offline_access ``` + +### Example: URL-encoded scope value + +```text scope=https%3A%2F%2Fcontoso.onmicrosoft.com%2Fapi%2Fread%20openid%20offline_access ``` -If you request more scopes than what is granted for your client application, the call succeeds if at least one permission is granted. The **scp** claim in the resulting access token is populated with only the permissions that were successfully granted. 
+If multiple scopes are requested, Azure AD B2C grants any valid scopes that the application is allowed to use. + +The resulting access token contains the granted permissions in the `scp` claim. + +--- + +## OpenID Connect scopes + +OpenID Connect defines several special scopes. -### OpenID Connect scopes +| Scope | Description | +|---|---| +| `openid` | Requests an ID token | +| `offline_access` | Requests a refresh token | +| `00000000-0000-0000-0000-000000000000` | Requests an access token for the application's own API | -The OpenID Connect standard specifies several special scope values. The following scopes represent the permission to access the user's profile: +> [!IMPORTANT] +> If the `response_type` parameter includes `token`, the `scope` parameter must contain at least one API scope in addition to `openid` or `offline_access`. -- **openid** - Requests an ID token. -- **offline_access** - Requests a refresh token using [Auth Code flows](authorization-code-flow.md). -- **00000000-0000-0000-0000-000000000000** - Using the client ID as the scope indicates that your app needs an access token that can be used against your own service or web API, represented by the same client ID. +--- + +## Request an authorization code -If the **response_type** parameter in an `/authorize` request includes `token`, the **scope** parameter must include at least one resource scope other than `openid` and `offline_access` that will be granted. Otherwise, the `/authorize` request fails. +To request an access token, first obtain an authorization code. -## Request a token +Example request to the `/authorize` endpoint: -To request an access token, you need an authorization code. The following is an example of a request to the `/authorize` endpoint for an authorization code: ```http GET https://.b2clogin.com/.onmicrosoft.com//oauth2/v2.0/authorize? client_id= 
@@ -74,64 +120,94 @@ client_id= &response_type=code ``` -Replace the values in the query string as follows: +### Replace the placeholders -- `` - The name of your [Azure AD B2C tenant](tenant-management-read-tenant-name.md#get-your-tenant-name). If you're using a custom domain, replace `tenant-name.b2clogin.com` with your domain, such as `contoso.com`. -- `` - The name of your custom policy or user flow. -- `` - The application identifier of the web application that you registered to support the user flow. -- `` - The application identifier URI that you set under **Expose an API** blade of the client application. -- `` - The name of the scope that you added under **Expose an API** blade of the client application. -- `` - The **Redirect URI** that you entered when you registered the client application. +| Placeholder | Description | +|---|---| +| `` | Azure AD B2C tenant name | +| `` | User flow or custom policy name | +| `` | Client application ID | +| `` | API Application ID URI | +| `` | API scope name | +| `` | Registered redirect URI | -To get a feel of how the request works, paste the request into your browser and run it. +--- -This is the interactive part of the flow, where you take action. You're asked to complete the user flow's workflow. This might involve entering your username and password in a sign in form or any other number of steps. The steps you complete depend on how the user flow is defined. +## Sign in and complete the user flow -The response with the authorization code should be similar to this example: +When the request runs: -``` +1. The user is redirected to the Azure AD B2C sign-in experience +2. The configured user flow executes +3. The user signs in or completes any required steps +4. Azure AD B2C returns an authorization code + +Example response: + +```text https://jwt.ms/?code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC... ``` -After successfully receiving the authorization code, you can use it to request an access token. 
The parameters are in the body of the HTTP POST request: +--- + +## Exchange the authorization code for an access token + +After receiving the authorization code, exchange it for an access token using the `/token` endpoint. + +Example request: ```http -POST .b2clogin.com/.onmicrosoft.com//oauth2/v2.0/token HTTP/1.1 +POST https://.b2clogin.com/.onmicrosoft.com//oauth2/v2.0/token HTTP/1.1 Host: .b2clogin.com Content-Type: application/x-www-form-urlencoded grant_type=authorization_code &client_id= &scope=/ -&code=eyJraWQiOiJjcGltY29yZV8wOTI1MjAxNSIsInZlciI6IjEuMC... +&code= &redirect_uri=https://jwt.ms -&client_secret=2hMG2-_:y12n10vwH... +&client_secret= ``` -If you want to test this POST HTTP request, you can use any HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview). +--- + +## Successful token response + +A successful response returns an access token. -A successful token response looks like this: +Example: ```json { - "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN...", - "token_type": "Bearer", - "not_before": 1549647431, - "expires_in": 3600, - "expires_on": 1549651031, - "resource": "f2a76e08-93f2-4350-833c-965c02483b11", - "profile_info": "eyJ2ZXIiOiIxLjAiLCJ0aWQiOiJjNjRhNGY3ZC0zMDkxLTRjNzMtYTcyMi1hM2YwNjk0Z..." + "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ilg1ZVhrN...", + "token_type": "Bearer", + "not_before": 1549647431, + "expires_in": 3600, + "expires_on": 1549651031, + "resource": "f2a76e08-93f2-4350-833c-965c02483b11", + "profile_info": "eyJ2ZXIiOiIxLjAiLCJ0aWQiOiJjNjRhNGY3ZC0zMDkxLTRjNzMtYTcyMi1hM2YwNjk0Z..." } ``` -When using https://jwt.ms to examine the access token that was returned, you should see something similar to the following example: +--- + +## Decode and inspect the access token + +You can inspect the returned JWT access token using: + +```text +https://jwt.ms +``` + +Example decoded token: ```json { "typ": "JWT", "alg": "RS256", "kid": "X5eXk4xyojNFum1kl2Ytv8dl..." -}.{ +}. 
+{ "iss": "https://contoso0926tenant.b2clogin.com/c64a4f7d-3091-4c73-a7.../v2.0/", "exp": 1549651031, "nbf": 1549647431, @@ -145,9 +221,25 @@ When using https://jwt.ms to examine the access token that was returned, you sho "azp": "38307aee-303c-4fff-8087-d8d2...", "ver": "1.0", "iat": 1549647431 -}.[Signature] +} +.[Signature] ``` +### Important claims + +| Claim | Description | +|---|---| +| `iss` | Token issuer | +| `aud` | Intended audience | +| `scp` | Granted scopes | +| `exp` | Expiration time | +| `tfp` | User flow or policy | +| `sub` | User identifier | + +--- + ## Next steps -- Learn about how to [configure tokens in Azure AD B2C](configure-tokens.md) +- Learn how to [configure tokens in Azure AD B2C](configure-tokens.md) +- Learn about [token overview in Azure AD B2C](tokens-overview.md) +- Learn how to [add a web API application](add-web-api-application.md) diff --git a/articles/api-center/agent-to-agent-overview.md b/articles/api-center/agent-to-agent-overview.md index 7bab9a51ac339..3d6bbc953ab45 100644 --- a/articles/api-center/agent-to-agent-overview.md +++ b/articles/api-center/agent-to-agent-overview.md 
@@ -1,48 +1,129 @@ --- title: Agent registry in Azure API Center -description: "Overview of the agent registry for discovering, registering, and managing A2A agents in API Center." - - +description: Overview of the agent registry for discovering, registering, and managing A2A agents. ms.service: azure-api-center ms.topic: overview ms.date: 02/24/2026 ms.update-cycle: 180-days ms.collection: ce-skilling-ai-copilot -#customer intent: As an API platform owner, I want to understand how to use the agent registry to discover, register, and manage AI agents. - +# Customer intent: As an API platform owner, I want to understand how to use the agent registry to discover, register, and manage AI agents. --- # Agent registry in Azure API Center -Azure API Center provides a centralized platform for discovering, registering, and managing AI agents. It supports first-party and third-party agents, integrates with API Management for private endpoints, and stores customizable metadata to improve discoverability and governance. +Azure API Center provides a centralized platform for discovering, registering, and managing AI agents across an organization. It supports both first-party and third-party agents, integrates with Azure API Management for secure access, and enables organizations to improve governance, discoverability, and operational control of AI-driven systems. + +--- ## Key features -**Centralized Discovery and Management**: A single location to register and manage both first-party and third-party AI agents, including those exposed in API Management or hosted externally. +### Centralized discovery and management + +API Center provides a single location to register and manage AI agents, including: + +- First-party enterprise agents +- Third-party AI agents +- Agents exposed through Azure API Management +- Externally hosted agents + +This centralized registry improves visibility and simplifies operational management. 
+ +--- + +### Enhanced discoverability -**Enhanced Discoverability**: Enables developers and other stakeholders to easily find and access approved AI agents through a curated catalog, either via the built-in API Center portal or a custom UI. +Developers and platform teams can easily discover approved AI agents through: + +- The built-in Azure API Center portal +- Custom developer portals or internal UIs +- Metadata-based filtering and search + +This helps teams quickly identify and use the right agents for specific business scenarios. + +--- + +### Governance and security + +The agent registry helps organizations reduce shadow IT and unmanaged AI adoption by providing: + +- A governed catalog of approved AI agents +- Centralized visibility into agent usage +- Improved compliance and security oversight +- Controlled enterprise-wide access patterns + +This creates a more secure and manageable AI ecosystem. + +--- -**Governance and Security**: Addresses shadow IT and uncontrolled AI tool adoption by providing a governed channel for accessing AI agents, improving security and compliance. +### Integration with API Management -**Integration with API Management**: AI agents can be placed behind an API Management gateway for private endpoints, enhanced security, and controlled access. A2A agent APIs in a linked API Management instance synchronize automatically to API Center. +AI agents can be integrated with Azure API Management to enable: -**Customizable Metadata**: Organizations can define and store relevant metadata for each registered AI agent, facilitating filtering and searching. +- Private endpoints +- Secure gateway access +- Authentication and authorization policies +- Traffic control and observability + +A2A agent APIs published in a connected API Management instance automatically synchronize with API Center. 
+ +--- + +### Customizable metadata + +Organizations can define and store custom metadata for AI agents, including: + +- Provider details +- Capabilities +- Skills +- Ownership information +- Environment classification + +This metadata improves discoverability, governance, and lifecycle management. + +--- ## Register an AI agent -You can register AI agents in API Center similar to how you register other assets such as APIs and MCP servers. During registration, fill in details for **Agent Card**, **Agent Skills**, and **Agent Capabilities**. +You can register AI agents in API Center similarly to other assets such as APIs and MCP servers. + +During registration, provide details for: -For detailed steps, see [Register agent](register-manage-agents.md#register-agent). +- **Agent Card** +- **Agent Skills** +- **Agent Capabilities** + +These details help make the agent discoverable and usable across the organization. + +For detailed instructions, see [Register agent](register-manage-agents.md#register-agent). + +--- ## Manage your AI agent -After registering an A2A agent, you can update its metadata, add skills, configure capabilities, and manage provider information. Skills define the specific actions your agent can perform, making it discoverable and invokable by other agents. +After registering an A2A agent, you can: + +- Update metadata +- Add or modify skills +- Configure capabilities +- Manage provider information +- Maintain governance details + +Skills define the actions an agent can perform, enabling other agents and applications to discover and invoke them effectively. + +For more information, see [Manage agents in Azure API Center](register-manage-agents.md). + +--- + +## View dependency maps for A2A agents (Preview) -For step-by-step instructions, see [Manage agents in Azure API Center](register-manage-agents.md). +API platform administrators can use the dependency tracking feature to create and visualize relationships between agents and APIs. 
-## View dependency maps for A2A agents (preview) +This capability helps API Center: -API platform administrators can now create relationships feature using the dependency tracker feature. This capability allows API Center to identify the right agent to call and enable communication across agents in an enterprise. +- Identify the correct agent for a request +- Enable communication across enterprise agents +- Visualize dependencies between resources +- Improve operational understanding of agent ecosystems For detailed steps, see [Track API resource dependencies in your API center](track-resource-dependencies.md). diff --git a/articles/app-service/app-service-asp-net-migration.md b/articles/app-service/app-service-asp-net-migration.md index 2076c5b166af5..4d244f27fdbe5 100644 --- a/articles/app-service/app-service-asp-net-migration.md +++ b/articles/app-service/app-service-asp-net-migration.md @@ -1,3 +1,4 @@ +```md --- title: Migrate .NET Apps to Azure App Service description: Learn about .NET migration resources available to help you assess and migrate web apps to Azure App Service. 
@@ -10,38 +11,57 @@ ms.devlang: csharp ms.custom: devx-track-dotnet ms.service: azure-app-service --- + # .NET migration cases for Azure App Service Azure App Service provides easy-to-use tools to quickly discover on-premises .NET web apps, assess them for readiness, and migrate both the content and supported configurations to App Service. -These tools are developed to support different kinds of scenarios, focused on discovery, assessment, and migration. Following is list of .NET migration tools and use cases. +These tools are developed to support different kinds of scenarios focused on discovery, assessment, and migration. The following is a list of .NET migration tools and use cases. ## Migrate from multiple servers at-scale > [!NOTE] > To learn how to migrate .NET apps to App Service using the .NET migration tutorial, see [Modernize ASP.NET web apps to Azure App Service code](../migrate/tutorial-modernize-asp-net-appservice-code.md) -> -[Azure Migrate](../migrate/migrate-services-overview.md) recently announced at-scale, agentless discovery, and assessment of ASP.NET web apps. You can now easily discover ASP.NET web apps running on Internet Information Services (IIS) servers in a VMware environment, and assess them for migration to Azure App Service. Assessments help you determine the web app migration readiness, migration blockers, remediation guidance, recommended products, and hosting costs. +[Azure Migrate](../migrate/migrate-services-overview.md) recently announced at-scale, agentless discovery, and assessment of ASP.NET web apps. You can now easily discover ASP.NET web apps running on Internet Information Services (IIS) servers in a VMware environment and assess them for migration to Azure App Service. Assessments help you determine web app migration readiness, migration blockers, remediation guidance, recommended products, and hosting costs. + +After you finish assessing readiness, you can proceed with migrating ASP.NET web apps to Azure App Service. 
-After you finish assessing readiness, you should proceed with migration of ASP.NET web apps to Azure App Services. +There are existing tools that enable migration of a standalone ASP.NET web app or multiple ASP.NET web apps hosted on a single IIS server. To learn more, see [Modernize ASP.NET web apps to Azure App Service code](../migrate/tutorial-modernize-asp-net-appservice-code.md). -There are existing tools that enable migration of a standalone ASP.NET web app or multiple ASP.NET web apps hosted on a single IIS server. To learn more, see [Modernize ASP.NET web apps to Azure App Service code](../migrate/tutorial-modernize-asp-net-appservice-code.md). With the introduction of at-scale or bulk migration integrated with Azure Migrate, you can migrate multiple ASP.NET applications hosted on multiple on-premises IIS servers. +With the introduction of at-scale or bulk migration integrated with Azure Migrate, you can migrate multiple ASP.NET web apps hosted on multiple on-premises IIS servers. 
Bulk migration provides the following key capabilities: -- Bulk migration of ASP.NET web apps to Azure App Services multitenant or App services environment -- Migrate ASP.NET web apps assessed as *Ready* & *Ready with conditions* -- Migrate up to five App Service plans (and associated web apps) as part of a single E2E migration flow -- Ability to change suggested SKU for the target App Service plan (for example, change suggested Pv3 to Standard PV2) -- Ability to change suggested web apps packing density for target app service plan (add or remove web apps associated with an App Service plan) -- Change target name for App Service plans or web apps -- Bulk edit migration settings or attributes -- Download CSV with details of target web app and app service plan name -- Track progress of migration using ARM template deployment experience +- Bulk migration of ASP.NET web apps to Azure App Service multitenant or App Service Environment +- Migrate ASP.NET web apps assessed as *Ready* and *Ready with conditions* +- Migrate up to five App Service plans (and associated web apps) as part of a single E2E migration flow +- Ability to change the suggested SKU for the target App Service plan (for example, change the suggested Pv3 SKU to Standard Pv2) +- Ability to change the suggested web app packing density for the target App Service plan (add or remove web apps associated with an App Service plan) +- Change target names for App Service plans or web apps +- Bulk edit migration settings or attributes +- Download a CSV file with details of the target web app and App Service plan names +- Track migration progress using the ARM template deployment experience ## App Service migration tools and resources +__App Service Migration Assistant and App Service Migration Assistant PowerShell scripts are governed by the terms and conditions in the EULA.pdf file packaged with the respective tools.__ + +| Migration tools | Description | Documentation | 
+|-----------------|-------------|---------------| +| [App Service Migration Assistant](https://appmigration.microsoft.com/api/download/windowspreview/AppServiceMigrationAssistant.msi) | Migrate .NET web apps from Windows OS to App Service. | [App Service Migration Assistant documentation](https://github.com/Azure/App-Service-Migration-Assistant/wiki) | +| [App Service Migration Assistant for Java on Apache Tomcat (Windows—preview)](https://appmigration.microsoft.com/api/download/windowspreview/AppServiceMigrationAssistant.msi) | Download prerelease software for migrating Java web applications on Apache Tomcat running on Windows servers. | [App Service Migration Assistant documentation](https://github.com/Azure/App-Service-Migration-Assistant/wiki) | +| [App Service Migration Assistant PowerShell scripts](https://appmigration.microsoft.com/api/download/psscripts/AppServiceMigrationScripts.zip) | Download PowerShell scripts for discovering and assessing all Microsoft Internet Information Services (IIS) web apps on a single server in bulk and migrating .NET web apps from Windows OS to App Service. | [App Service Migration Assistant PowerShell documentation](https://github.com/Azure/App-Service-Migration-Assistant/wiki/PowerShell-Scripts)
[SHA256 Identifier](https://github.com/Azure/App-Service-Migration-Assistant/wiki/Release-Notes) | + +## More resources to migrate .NET apps to the cloud + +### Video + +- [.NET on Azure for Beginners](https://www.youtube.com/playlist?list=PLdo4fOcmZ0oVSBX3Lde8owu6dSgZLIXfu) +- [Start Your Cloud Journey with Azure App Service](https://aka.ms/cloudjourney/start/video) + +### Blog +======= __App Service Migration Assistant tool and App Service migration assistant for PowerShell scripts are governed by the terms and conditions in the EULA.pdf packaged with the respective tools.__ |Migration tools| Description | Documentation | 
@@ -65,39 +85,72 @@ __App Service Migration Assistant tool and App Service migration assistant for P | [Host a web application with Azure App Service](/training/modules/host-a-web-app-with-azure-app-service/) | | [Publish a web app to Azure with Visual Studio](/training/modules/publish-azure-web-app-with-visual-studio/) | +- [Reliable web app pattern for .NET](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/announcing-the-reliable-web-app-pattern-for-net/ba-p/3745270) +- [Start your cloud journey with Azure App Service - Part 1](https://aka.ms/cloudjourney/start/part1) +- [Start your cloud journey with Azure App Service - Part 2](https://aka.ms/cloudjourney/start/part2) +- [Learn how to modernize your .NET apps from the pros](https://devblogs.microsoft.com/dotnet/learn-how-to-modernize-your-dotnet-apps/) + +### Learning path + +- [Migrate ASP.NET Apps to Azure](/training/paths/migrate-dotnet-apps-azure/) +- [Host a web application with Azure App Service](/training/modules/host-a-web-app-with-azure-app-service/) +- [Publish a web app to Azure with Visual Studio](/training/modules/publish-azure-web-app-with-visual-studio/) ### At-scale migration resources -| How-tos | -|----------------| -| [Discover web apps and SQL Server instances](../migrate/how-to-discover-sql-existing-project.md) | -| [Create an Azure App Service assessment](../migrate/how-to-create-azure-app-service-assessment.md) | -| [Tutorial to assess web apps for migration to Azure App Service](../migrate/tutorial-assess-webapps.md) | -| [Discover software inventory on on-premises servers with Azure Migrate](../migrate/how-to-discover-applications.md) | -| [Migrate .NET apps to App Service](../migrate/tutorial-modernize-asp-net-appservice-code.md) | -| **Blog** | -| [Discover and assess ASP.NET apps at-scale with Azure Migrate](https://azure.microsoft.com/blog/discover-and-assess-aspnet-apps-atscale-with-azure-migrate/) | -| **FAQ** | -| [Azure App Service assessments in Azure Migrate Discovery 
and assessment tool](../migrate/concepts-azure-webapps-assessment-calculation.md) | -| **Best practices** | -| [Assessment best practices in Azure Migrate Discovery and assessment tool](../migrate/best-practices-assessment.md) | -| **Video** | -| [At scale discovery and assessment for ASP.NET app migration with Azure Migrate](/Shows/Inside-Azure-for-IT/At-scale-discovery-and-assessment-for-ASPNET-app-migration-with-Azure-Migrate) | +#### How-tos + +- [Discover web apps and SQL Server instances](../migrate/how-to-discover-sql-existing-project.md) +- [Create an Azure App Service assessment](../migrate/how-to-create-azure-app-service-assessment.md) +- [Tutorial to assess web apps for migration to Azure App Service](../migrate/tutorial-assess-webapps.md) +- [Discover software inventory on on-premises servers with Azure Migrate](../migrate/how-to-discover-applications.md) +- [Migrate .NET apps to App Service](../migrate/tutorial-modernize-asp-net-appservice-code.md) + +#### Blog + +- [Discover and assess ASP.NET apps at-scale with Azure Migrate](https://azure.microsoft.com/blog/discover-and-assess-aspnet-apps-atscale-with-azure-migrate/) + +#### FAQ + +- [Azure App Service assessments in Azure Migrate Discovery and assessment tool](../migrate/concepts-azure-webapps-assessment-calculation.md) + +#### Best practices + +- [Assessment best practices in Azure Migrate Discovery and assessment tool](../migrate/best-practices-assessment.md) + +#### Video + +- [At-scale discovery and assessment for ASP.NET app migration with Azure Migrate](/Shows/Inside-Azure-for-IT/At-scale-discovery-and-assessment-for-ASPNET-app-migration-with-Azure-Migrate) ## Migrate from an IIS server -You can migrate ASP.NET web apps from a single IIS server discovered through Azure Migrate's at-scale discovery experience using [PowerShell scripts](https://github.com/Azure/App-Service-Migration-Assistant/wiki/PowerShell-Scripts). 
You can [download the scripts](https://appmigration.microsoft.com/api/download/psscriptpreview/AppServiceMigrationScripts.zip). Watch the video for [updates on migrating to Azure App Service](/Shows/The-Launch-Space/Updates-on-Migrating-to-Azure-App-Service). +You can migrate ASP.NET web apps from a single IIS server discovered through Azure Migrate's at-scale discovery experience using [PowerShell scripts](https://github.com/Azure/App-Service-Migration-Assistant/wiki/PowerShell-Scripts). + +You can also [download the scripts](https://appmigration.microsoft.com/api/download/psscriptpreview/AppServiceMigrationScripts.zip). + +Watch the video for [updates on migrating to Azure App Service](/Shows/The-Launch-Space/Updates-on-Migrating-to-Azure-App-Service). ## ASP.NET web app migration -Using App Service Migration Assistant, you can [migrate your standalone on-premises ASP.NET web app onto Azure App Service](https://www.youtube.com/watch?v=9LBUmkUhmXU). App Service Migration Assistant is designed to simplify your journey to the cloud through a free, simple, and fast solution to migrate applications from on-premises to the cloud. For more information about the migration assistant tool, see the [FAQ](https://github.com/Azure/App-Service-Migration-Assistant/wiki#faqs). +Using App Service Migration Assistant, you can [migrate your standalone on-premises ASP.NET web app to Azure App Service](https://www.youtube.com/watch?v=9LBUmkUhmXU). + +App Service Migration Assistant is designed to simplify your journey to the cloud with a free, simple, and fast migration solution for moving applications from on-premises environments to Azure. + +For more information about the migration assistant tool, see the [FAQ](https://github.com/Azure/App-Service-Migration-Assistant/wiki#faqs). ## Containerize an ASP.NET web app -Some .NET Framework web applications might have dependencies to libraries and other capabilities not available in Azure App Service. 
These apps might rely on other components in the Global Assembly Cache. Previously, you could only run these applications on virtual machines. However, now you can run them in Azure App Service Windows Containers. +Some .NET Framework web applications might have dependencies on libraries and other capabilities not available in Azure App Service. These apps might also rely on other components in the Global Assembly Cache. + +Previously, you could only run these applications on virtual machines. However, you can now run them in Azure App Service Windows Containers. + +The [app containerization tool](https://azure.microsoft.com/blog/accelerate-application-modernization-with-azure-migrate-app-containerization/) can repackage applications as containers with minimal changes. + +The tool currently supports containerizing ASP.NET applications and Apache Tomcat Java applications. -The [app containerization tool](https://azure.microsoft.com/blog/accelerate-application-modernization-with-azure-migrate-app-containerization/) can repackage applications as containers with minimal changes. The tool currently supports containerizing ASP.NET applications and Apache Tomcat Java applications. For more information about containerization and migration, see [ASP.NET app containerization and migration to Azure App Service](../migrate/tutorial-app-containerization-aspnet-app-service.md). +For more information about containerization and migration, see [ASP.NET app containerization and migration to Azure App Service](../migrate/tutorial-app-containerization-aspnet-app-service.md). ## Related content -- [Migrate an on-premises web application to Azure App Service](/training/modules/migrate-app-service-migration-assistant/) \ No newline at end of file +- [Migrate an on-premises web application to Azure App Service](/training/modules/migrate-app-service-migration-assistant/) +``` 
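Review bot: The last added line of this file is a line containing only a three-backtick fence, placed after the Related content link, and the visible part of the hunk has no matching opening fence. It looks like residue from copying the new text out of a fenced block, and it will open an unterminated code block at the end of the rendered article. Drop that added line and keep the rest of the change, including the fix for the missing newline at end of file.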
diff --git a/articles/app-service/app-service-key-vault-references.md b/articles/app-service/app-service-key-vault-references.md index 8f82f65fd110d..2cb65133a81f6 100644 --- a/articles/app-service/app-service-key-vault-references.md +++ b/articles/app-service/app-service-key-vault-references.md @@ -5,7 +5,6 @@ author: cephalin ms.topic: how-to ms.date: 04/09/2026 ms.author: cephalin -#customer intent: As an app developer, I want to implement Azure Key Vault as part of my approach to apps in Azure App Service. ms.service: azure-app-service ms.custom: - AppServiceConnectivity 
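Review bot: The front matter loses its `#customer intent:` line here with nothing put in its place, while the access-tokens.md change in this same patch keeps the field and only rewraps it. If the removal is intended, say so in the change description. Otherwise restore the line in the same form used in access-tokens.md so the metadata stays consistent across the articles touched by this patch.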
@@ -14,266 +13,383 @@ ms.custom: # Use Key Vault references as app settings in Azure App Service, Azure Functions, and Azure Logic Apps (Standard) -This article shows how to use secrets from Azure Key Vault as values in [app settings](configure-common.md#configure-app-settings) or [connection strings](configure-common.md#configure-connection-strings) for apps created with Azure App Service, Azure Functions, or Azure Logic Apps (Standard). +This article explains how to use secrets stored in Azure Key Vault as values for: -[Key Vault](/azure/key-vault/general/overview) is a service that provides centralized secrets management, with full control over access policies and audit history. When an app setting or connection string is a Key Vault reference, your application code can use it like any other app setting or connection string. This way, you can maintain secrets apart from your app's configuration. App settings are securely encrypted at rest, but if you need capabilities for managing secrets, they should go into a key vault. +- App settings +- Connection strings -## Grant your app access to a key vault +This applies to: -To read secrets from a key vault, you first need to create a vault and give your app permission to access it: +- Azure App Service +- Azure Functions +- Azure Logic Apps (Standard) -1. Create a key vault by following the [Key Vault quickstart](/azure/key-vault/secrets/quick-create-cli). +Azure Key Vault provides centralized secret management with: -1. Create a [managed identity](overview-managed-identity.md) for your application. +- Access control +- Auditing +- Secure storage - Key vault references use the app's system-assigned identity by default, but you can [specify a user-assigned identity](#access-vaults-with-a-user-assigned-identity). +Applications can consume Key Vault references exactly like normal environment variables without requiring code changes. -1. 
Authorize [read access to secrets in your key vault](/azure/key-vault/general/secure-key-vault#privileged-access) for the managed identity that you created. How you do it depends on the permissions model of your key vault: +--- - - **Azure role-based access control**: Assign the **Key Vault Secrets User** role to the managed identity. See [Provide access to Key Vault keys, certificates, and secrets with Azure role-based access control](/azure/key-vault/general/rbac-guide). - - **Vault access policy**: Assign the **Get** secrets permission to the managed identity. See [Assign a Key Vault access policy](/azure/key-vault/general/assign-access-policy). +# Grant your app access to a key vault -### Access network-restricted vaults +To read secrets from Key Vault: -If your vault is configured with [network restrictions](/azure/key-vault/general/overview-vnet-service-endpoints), ensure that the application has network access. Vaults shouldn't depend on the app's public outbound IP addresses because the origin IP address of the secret request could be different. Instead, the vault should be configured to accept traffic from a virtual network that the app uses. +1. Create a Key Vault +2. Create a managed identity +3. Grant the identity access to secrets -1. Make sure that the application has outbound networking capabilities configured, as described in [App Service networking features](./networking-features.md) and [Azure Functions networking options](../azure-functions/functions-networking-options.md). +## Step 1: Create a Key Vault - With the exception of function apps running in the Flex Consumption plan, Linux applications that connect to private endpoints must be explicitly configured to route all traffic through the virtual network. When running in a Flex Consumption plan, this routing is done automatically, and additional configuration isn't required. 
Run the following command to configure virtual network routing by setting [vnetRouteAllEnabled](../azure-functions/functions-app-settings.md#vnetrouteallenabled) to `true`: +Follow the Azure Key Vault quickstart. - # [Azure CLI](#tab/azure-cli) +--- - ```azurecli - az webapp config set --resource-group --subscription --name --generic-configurations '{"vnetRouteAllEnabled": true}' - ``` +## Step 2: Create a managed identity - # [Azure PowerShell](#tab/azure-powershell) +Enable either: - ```azurepowershell - Update-AzFunctionAppSetting -Name -ResourceGroupName -AppSetting @{vnetRouteAllEnabled = $true} - ``` +- System-assigned managed identity +- User-assigned managed identity - --- +Key Vault references use the system-assigned identity by default. -1. Make sure that the vault's configuration allows the network or subnet that your app uses to access it. +--- -Even if you've correctly configured the vault to accept traffic from your virtual network, the vault's audit logs may still show a failed (403 - Forbidden) SecretGet event from the app's public outbound IP. A successful SecretGet event from the app's private IP will follow and is by design. +## Step 3: Grant secret access -### Access vaults with a user-assigned identity +Depending on the permission model: -Some apps need to refer to secrets at creation time, when a system-assigned identity isn't available yet. In these cases, create a user-assigned identity, and give it access to the vault in advance. +### Azure RBAC -After you grant permissions to the user-assigned identity, follow these steps: +Assign: -1. [Assign the identity](./overview-managed-identity.md#add-a-user-assigned-identity) to your application. +- **Key Vault Secrets User** -1. Configure the app to use this identity for Key Vault reference operations by setting the `keyVaultReferenceIdentity` property to the resource ID of the user-assigned identity: +to the managed identity. 
- # [Azure CLI](#tab/azure-cli) +### Access Policy model - ```azurecli-interactive - identityResourceId=$(az identity show --resource-group --name --query id -o tsv) - az webapp update --resource-group --name --set keyVaultReferenceIdentity=${identityResourceId} - ``` +Grant: - # [Azure PowerShell](#tab/azure-powershell) +- `Get` permission for secrets - ```azurepowershell-interactive - $identityResourceId = Get-AzUserAssignedIdentity -ResourceGroupName -Name | Select-Object -ExpandProperty Id - $appResourceId = Get-AzFunctionApp -ResourceGroupName -Name | Select-Object -ExpandProperty Id - - $Path = "{0}?api-version=2021-01-01" -f $appResourceId - Invoke-AzRestMethod -Method PATCH -Path $Path -Payload "{'properties':{'keyVaultReferenceIdentity':'$identityResourceId'}}" - ``` +--- - --- +# Access network-restricted vaults -This setting applies to all Key Vault references for the app. +If your vault uses network restrictions: -> [!TIP] -> If you want to revert your app to use the system-assigned identity, set the value to `SystemAssigned` instead of the Resource ID. +- Ensure your app has outbound virtual network connectivity +- Allow the app subnet in the vault firewall + +Do not rely on public outbound IP addresses. + +--- + +## Enable virtual network routing + +### Azure CLI + +```bash +az webapp config set \ + --resource-group \ + --subscription \ + --name \ + --generic-configurations '{"vnetRouteAllEnabled": true}' +``` + +### Azure PowerShell + +```powershell +Update-AzFunctionAppSetting ` + -Name ` + -ResourceGroupName ` + -AppSetting @{vnetRouteAllEnabled = $true} +``` + +--- + +# Access vaults with a user-assigned identity + +Some scenarios require Key Vault access during app creation. + +In these cases: + +1. Create a user-assigned identity +2. Grant Key Vault access +3. 
Attach identity to the app -## Understand rotation +--- + +## Configure Key Vault reference identity + +### Azure CLI + +```bash +identityResourceId=$(az identity show \ + --resource-group \ + --name \ + --query id -o tsv) -If the secret version isn't specified in the reference, the app uses the latest version that exists in the key vault. When newer versions become available, such as with rotation, the app is automatically updated and begins using the latest version within 24 hours. +az webapp update \ + --resource-group \ + --name \ + --set keyVaultReferenceIdentity=${identityResourceId} +``` + +--- -The delay is because App Service caches the values of the Key Vault references and refetches them every 24 hours. Any configuration change to the app causes an app restart and an immediate refetch of all referenced secrets. +### Azure PowerShell -To force resolution of your app's Key Vault references, make an authenticated POST request to the API endpoint `https://management.azure.com/[Resource ID]/config/configreferences/appsettings/refresh?api-version=2022-03-01`. +```powershell +$identityResourceId = Get-AzUserAssignedIdentity ` + -ResourceGroupName ` + -Name | Select-Object -ExpandProperty Id -## Understand source app settings from Key Vault +$appResourceId = Get-AzFunctionApp ` + -ResourceGroupName ` + -Name | Select-Object -ExpandProperty Id -To use a Key Vault reference, set the reference as the value of the setting. Your app can reference the secret through its key as normal. No code changes are required. +$Path = "{0}?api-version=2021-01-01" -f $appResourceId + +Invoke-AzRestMethod ` + -Method PATCH ` + -Path $Path ` + -Payload "{'properties':{'keyVaultReferenceIdentity':'$identityResourceId'}}" +``` > [!TIP] -> Because you should have separate vaults for each environment, most app settings that use Key Vault references should be marked as slot settings. 
+> To switch back to the system-assigned identity, set: +> +> ```text +> SystemAssigned +> ``` + +--- + +# Understand rotation + +If the secret version isn't specified: + +- The app automatically uses the latest secret version + +App Service caches Key Vault references for up to: + +- 24 hours + +A configuration change triggers immediate refresh. + +--- + +## Force refresh manually + +Send an authenticated POST request: + +```text +https://management.azure.com/[Resource ID]/config/configreferences/appsettings/refresh?api-version=2022-03-01 +``` + +--- + +# Use Key Vault references in app settings + +Use the following syntax: + +```text +@Microsoft.KeyVault({referenceString}) +``` + +--- + +## Supported formats + +### Secret URI format + +```text +@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret) +``` + +Optional version: + +```text +@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/) +``` + +--- + +### Vault name format -A Key Vault reference is of the form `@Microsoft.KeyVault({referenceString})`, where `{referenceString}` is in one of the following formats: +```text +@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret) +``` -| Reference string | Description | -|:-----------------|:------------| -| `SecretUri=` | The `SecretUri` should be the full data-plane URI of a secret in the vault. For example, `https://myvault.vault.azure.net/secrets/mysecret`. Optionally, include a version, such as `https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931`. | -| `VaultName=;SecretName=`;`SecretVersion=` | The `VaultName` value is required and is the vault name. The `SecretName` value is required and is the secret name. The `SecretVersion` value is optional but, if present, indicates the version of the secret to use. 
| +Optional version: -For example, a complete reference without a specific version would look like the following string: +```text +@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret;SecretVersion=) +``` -`@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret)` +--- -Alternatively: +# Considerations for Azure Files mounting -`@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)` +When using: -### Considerations for Azure Files mounting +```text +WEBSITE_CONTENTAZUREFILECONNECTIONSTRING +``` -Apps can use the `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` application setting to mount [Azure Files](../storage/files/storage-files-introduction.md) as the file system. This setting has validation checks to ensure that the app can be properly started. +with Key Vault references, validation may fail. -The platform relies on having a content share within Azure Files. The platform assumes a default name unless one is specified by using the `WEBSITE_CONTENTSHARE` setting. For any requests that modify these settings, the platform validates that this content share exists. If the content share doesn't exist, the platform tries to create it. If the platform can't locate or create the content share, it blocks the request. +To bypass validation: -When you use Key Vault references in this setting, the validation check fails by default, because the secret can't be resolved during processing of the incoming request. To avoid this problem, you can skip the validation by setting `WEBSITE_SKIP_CONTENTSHARE_VALIDATION` to `1`. This setting tells App Service to bypass all checks, and it doesn't create the content share for you. You should ensure that the content share is created in advance. +```text +WEBSITE_SKIP_CONTENTSHARE_VALIDATION=1 +``` > [!CAUTION] -> If you skip validation and either the connection string or the content share is invalid, the app doesn't start properly and creates HTTP 500 errors. 
+> If the content share or connection string is invalid, the application can fail with HTTP 500 errors. + +--- -As part of creating the app, attempted mounting of the content share could fail because managed identity permissions aren't being propagated or the virtual network integration isn't set up. You can defer setting up Azure Files until later in the deployment template to accommodate this behavior. For more information, see [Azure Resource Manager deployment](#azure-resource-manager-deployment) later in this article. +# Considerations for Application Insights -In this case, App Service uses a default file system until Azure Files is set up, and files aren't copied over. You must ensure that no deployment attempts occur during the interim period before Azure Files is mounted. +Application Insights commonly uses: -### Considerations for Application Insights instrumentation +- `APPINSIGHTS_INSTRUMENTATIONKEY` +- `APPLICATIONINSIGHTS_CONNECTION_STRING` -Apps can use the `APPINSIGHTS_INSTRUMENTATIONKEY` or `APPLICATIONINSIGHTS_CONNECTION_STRING` application settings to integrate with [Application Insights](/azure/azure-monitor/app/app-insights-overview). +If stored in Key Vault: -For App Service and Azure Functions, the Azure portal also uses these settings to surface telemetry data from the resource. If these values are referenced from Key Vault, this approach isn't available. Instead, you need to work directly with the Application Insights resource to view the telemetry. However, these values [aren't considered secrets](/azure/azure-monitor/app/connection-strings#is-the-connection-string-a-secret), so you might consider configuring them directly instead of using Key Vault references. +- Azure portal telemetry integration won't function automatically -### Azure Resource Manager deployment +Since these values are not considered secrets, direct configuration is usually acceptable. 
-When you automate resource deployments through Azure Resource Manager templates, you might need to sequence your dependencies in a particular order. Be sure to define your app settings as their own resource, rather than using a `siteConfig` property in the app definition. The app needs to be defined first so that the system-assigned identity is created with it and can be used in the access policy. +--- + +# Azure Resource Manager deployment + +When using ARM templates: + +- Create the app first +- Then configure app settings separately + +This ensures: + +- Managed identity exists +- Key Vault access policies can reference the identity + +--- -The following pseudo-template is an example of what a function app might look like: +## Example ARM template structure ```json { - //... - "resources": [ - { - "type": "Microsoft.Storage/storageAccounts", - "name": "[variables('storageAccountName')]", - //... - }, - { - "type": "Microsoft.Insights/components", - "name": "[variables('appInsightsName')]", - //... - }, - { - "type": "Microsoft.Web/sites", - "name": "[variables('functionAppName')]", - "identity": { - "type": "SystemAssigned" - }, - //... - "resources": [ - { - "type": "config", - "name": "appsettings", - //... 
- "dependsOn": [ - "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]", - "[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]", - "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('storageConnectionStringName'))]", - "[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('appInsightsKeyName'))]" - ], - "properties": { - "AzureWebJobsStorage": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringName')).secretUriWithVersion, ')')]", - "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringName')).secretUriWithVersion, ')')]", - "APPINSIGHTS_INSTRUMENTATIONKEY": "[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('appInsightsKeyName')).secretUriWithVersion, ')')]", - "WEBSITE_ENABLE_SYNC_UPDATE_SITE": "true" - //... - } - }, - { - "type": "sourcecontrols", - "name": "web", - //... - "dependsOn": [ - "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]", - "[resourceId('Microsoft.Web/sites/config', variables('functionAppName'), 'appsettings')]" - ], - } - ] - }, - { - "type": "Microsoft.KeyVault/vaults", - "name": "[variables('keyVaultName')]", - //... - "dependsOn": [ - "[resourceId('Microsoft.Web/sites', variables('functionAppName'))]" - ], - "properties": { - //... - "accessPolicies": [ - { - "tenantId": "[reference(resourceId('Microsoft.Web/sites/', variables('functionAppName')), '2020-12-01', 'Full').identity.tenantId]", - "objectId": "[reference(resourceId('Microsoft.Web/sites/', variables('functionAppName')), '2020-12-01', 'Full').identity.principalId]", - "permissions": { - "secrets": [ "get" ] - } - } - ] - }, - "resources": [ - { - "type": "secrets", - "name": "[variables('storageConnectionStringName')]", - //... 
- "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]", - "[resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName'))]" - ], - "properties": { - "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountResourceId'),'2019-09-01').key1)]" - } - }, - { - "type": "secrets", - "name": "[variables('appInsightsKeyName')]", - //... - "dependsOn": [ - "[resourceId('Microsoft.KeyVault/vaults/', variables('keyVaultName'))]", - "[resourceId('Microsoft.Insights/components', variables('appInsightsName'))]" - ], - "properties": { - "value": "[reference(resourceId('microsoft.insights/components/', variables('appInsightsName')), '2019-09-01').InstrumentationKey]" - } - } - ] - } - ] + "type": "Microsoft.Web/sites", + "name": "[variables('functionAppName')]", + "identity": { + "type": "SystemAssigned" + } } ``` -> [!NOTE] -> In this example, the source control deployment depends on the application settings. This dependency is normally unsafe behavior, because the app setting update behaves asynchronously. However, because you included the `WEBSITE_ENABLE_SYNC_UPDATE_SITE` application setting, the update is synchronous. The source control deployment begins only after the application settings are fully updated. For more app settings, see [Environment variables and app settings in Azure App Service](reference-app-settings.md). +--- + +## Example Key Vault reference in app settings -## Troubleshoot Key Vault references +```json +"AzureWebJobsStorage": +"[concat('@Microsoft.KeyVault(SecretUri=', reference(variables('storageConnectionStringName')).secretUriWithVersion, ')')]" +``` + +--- -If a reference isn't resolved properly, the reference string is used instead. Here's an example, `@Microsoft.KeyVault(...)`. This situation might cause the application to throw errors, because it's expecting a secret of a different value. 
+## WEBSITE_ENABLE_SYNC_UPDATE_SITE -Failure to resolve is commonly due to a misconfiguration of the [Key Vault access policy](#grant-your-app-access-to-a-key-vault). However, the reason could also be that a secret no longer exists, or the reference contains a syntax error. +Use: -If the syntax is correct, you can view other causes for an error by checking the current resolution status in the Azure portal. Go to **Application Settings** and select **Edit** for the reference in question. The edit dialog shows status information, including any errors. If you don't see the status message, it means that the syntax is invalid and not recognized as a Key Vault reference. +```json +"WEBSITE_ENABLE_SYNC_UPDATE_SITE": "true" +``` + +This makes application settings updates synchronous. + +--- + +# Troubleshoot Key Vault references + +If a reference cannot be resolved: + +- The literal reference string is returned +- Example: + +```text +@Microsoft.KeyVault(...) +``` + +This usually indicates: + +- Incorrect permissions +- Missing secret +- Invalid syntax + +--- + +# Diagnose issues in Azure portal + +## App Service + +1. Open the app +2. Select **Diagnose and solve problems** +3. Go to: + - **Availability and Performance** + - **Web app down** +4. Search: + - **Key Vault Application Settings Diagnostics** + +--- + +## Azure Functions + +1. Open the function app +2. Select **Diagnose and solve problems** +3. Go to: + - **Availability and Performance** + - **Function app down or reporting errors** +4. Select: + - **Key Vault Application Settings Diagnostics** + +--- + +# Best practices + +- Use separate vaults per environment +- Mark Key Vault-based settings as slot settings +- Prefer managed identities over secrets +- Avoid hardcoding credentials +- Use private networking for production vaults +- Enable secret rotation +- Monitor Key Vault audit logs + +--- -You can also use one of the built-in detectors to get more information. 
+# Summary -To use the detector for App Service: +Azure Key Vault references provide: -1. In the Azure portal, go to your app. -1. Select **Diagnose and solve problems**. -1. Select **Availability and Performance** > **Web app down**. -1. In the search box, search for and select **Key Vault Application Settings Diagnostics**. +- Secure secret management +- Centralized credential storage +- Automatic secret rotation +- Managed identity integration +- No application code changes -To use the detector for Azure Functions: +They are recommended for: -1. In the Azure portal, go to your app. -1. Select **Diagnose and solve problems**. -1. Select **Availability and Performance** > **Function app down or reporting errors**. -1. Select **Key Vault Application Settings Diagnostics**. +- Production workloads +- Multi-environment deployments +- Enterprise security compliance +- Secret rotation automation diff --git a/articles/app-service/app-service-plan-manage.md b/articles/app-service/app-service-plan-manage.md index 25a8177de013f..5ecff95af6dda 100644 --- a/articles/app-service/app-service-plan-manage.md +++ b/articles/app-service/app-service-plan-manage.md @@ -1,5 +1,5 @@ --- -title: Manage an App Service Plan +title: Manage an App Service plan description: Learn how to perform different tasks to manage an App Service plan, such as create, move, scale, and delete. keywords: app service, azure app service, scale, app service plan, change, create, manage, management ms.assetid: 4859d0d5-3e3c-40cc-96eb-f318b2c51a3d @@ -9,9 +9,9 @@ author: msangapu-msft ms.date: 03/19/2026 ms.update-cycle: 1095-days ms.custom: "UpdateFrequency3" - ms.service: azure-app-service --- + # Manage an App Service plan in Azure An [Azure App Service plan](overview-hosting-plans.md) provides the resources that an App Service app needs to run. This article describes how to manage an App Service plan. 
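Review bot: In the `@@ -14,266 +13,383 @@` hunk of app-service-key-vault-references.md, the rewrite into bullet fragments drops operational guidance that the removed paragraphs carried, and that guidance should be restored. The network-restricted section no longer says that the vault's audit log can show a failed (403 - Forbidden) SecretGet from the app's public outbound IP followed by a successful one from the private IP, by design, which matters more now that the new Best practices list says "Monitor Key Vault audit logs". It also no longer scopes `vnetRouteAllEnabled` to Linux apps that connect to private endpoints outside the Flex Consumption plan. The Azure Files section says only "To bypass validation" and omits that App Service then skips all checks and does not create the content share, so the share must exist in advance. The ARM example is cut down to the site's `identity` block, so the `dependsOn` ordering and the `accessPolicies` entry that the "Create the app first" bullets depend on are no longer shown, and the reason `WEBSITE_ENABLE_SYNC_UPDATE_SITE` is needed (the source control deployment depending on app settings) is gone. The Summary lists "Automatic secret rotation", but the rotation section only states that the app picks up the latest secret version; reword it to match. Finally, the section headings are promoted to `#`, which gives the article several H1s under its title, and the `# [Azure CLI](#tab/azure-cli)` tab markers are replaced by plain `###` headings; keep the original heading levels and tab syntax.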
@@ -19,19 +19,19 @@ An [Azure App Service plan](overview-hosting-plans.md) provides the resources th ## Create an App Service plan > [!TIP] -> If you want to create a plan in an App Service Environment, you can select it in the **Region** list and follow the rest of the steps as described in this section. +> If you want to create a plan in an App Service Environment, you can select it in the **Region** list and follow the rest of the steps described in this section. You can create an empty App Service plan, or you can create a plan as part of app creation. 1. To start creating an App Service plan, go to [Create App Service Plan](https://ms.portal.azure.com/#create/Microsoft.AppServicePlanCreate) in the Azure portal. - :::image type="content" source="./media/azure-web-sites-web-hosting-plans-in-depth-overview/create-appserviceplan.png" alt-text="Screenshot that shows the Create App Service Plan page in the Azure portal."::: + :::image type="content" source="./media/azure-web-sites-web-hosting-plans-in-depth-overview/create-appserviceplan.png" alt-text="Screenshot showing the Create App Service Plan page in the Azure portal."::: + +1. Configure the **Project Details** section before configuring the App Service plan. -1. Configure the **Project Details** section before configuring the App Service plan. - 1. In the **App Service Plan details** section, name the App Service plan, and then select the **Operating System** and **Region**. The region specifies where your App Service plan is created. -1. When you create a plan, you can select the pricing tier of the new plan. In **Pricing Tier**, select a **Pricing plan**, or select **Explore pricing plans** to view additional details. +1. When you create a plan, you can select the pricing tier of the new plan. In **Pricing Tier**, select a **Pricing plan**, or select **Explore pricing plans** to view additional details. 1. In the **Zone redundancy** section, select **Enabled** or **Disabled**, depending on your needs. 
@@ -39,56 +39,54 @@ You can create an empty App Service plan, or you can create a plan as part of ap > [!IMPORTANT] > When you create a new App Service plan in an existing resource group, certain conditions with existing apps can trigger these errors: +> > - `The pricing tier is not allowed in this resource group` > - ` workers are not available in resource group ` -> -> These errors can occur due to incompatibilities with pricing tiers, regions, operating systems, availability zones, existing function apps, or existing web apps. If one of these errors occurs, create your App Service plan in a new resource group. > - +> These errors can occur because of incompatibilities with pricing tiers, regions, operating systems, availability zones, existing function apps, or existing web apps. If one of these errors occurs, create your App Service plan in a new resource group. ## Move an app to another App Service plan -You can move an app to another App Service plan, as long as the source plan and the target plan are in the same resource group and geographical region and of the same OS type. Any change in type, such as Windows to Linux or any type that's different from the originating type, isn't supported. - -You must disable any virtual network integration that's configured on the app before you change App Service plans. +You can move an app to another App Service plan as long as the source plan and the target plan are in the same resource group and geographical region and use the same operating system type. Any change in type, such as Windows to Linux or any type different from the originating type, isn't supported. +You must disable any virtual network integration configured on the app before you change App Service plans. > [!NOTE] -> Azure deploys each new App Service plan into a deployment unit, internally called a *webspace*. Each region can have many webspaces, but your app can only move between plans that are created in the same webspace. 
An App Service Environment can have multiple webspaces, but your app can only move between plans that are created in the same webspace. +> Azure deploys each new App Service plan into a deployment unit, internally called a *webspace*. Each region can have many webspaces, but your app can move only between plans created in the same webspace. An App Service Environment can have multiple webspaces, but your app can move only between plans created in the same webspace. > -> You can't specify the webspace you want when you create a plan, but it's possible to ensure that a plan is created in the same webspace as an existing plan. All plans created with the same resource group, region combination, and operating system are deployed into the same webspace. For example, if you created a plan in resource group A and region B, any plan you subsequently create in resource group A and region B is deployed into the same webspace. Note that plans can't move webspaces after they're created, so you can't move a plan into "the same webspace" as another plan by moving it to another resource group. -> +> You can't specify the webspace you want when you create a plan, but it's possible to ensure that a plan is created in the same webspace as an existing plan. All plans created with the same resource group, region combination, and operating system are deployed into the same webspace. For example, if you created a plan in resource group A and region B, any plan you subsequently create in resource group A and region B is deployed into the same webspace. +> +> Plans can't move webspaces after they're created, so you can't move a plan into the same webspace as another plan by moving it to another resource group. -1. In the [Azure portal](https://portal.azure.com), search for and select **App services**, and then select the app that you want to move. +1. In the [Azure portal](https://portal.azure.com), search for and select **App Services**, and then select the app that you want to move. 1. 
In the left pane, under **App Service Plan**, select **App Service plan**. 1. On the **App Service plan** page, select **Change plan**. - :::image type="content" source="./media/azure-web-sites-web-hosting-plans-in-depth-overview/change-appserviceplan.png" alt-text="Screenshot of the App Service plan page." lightbox="./media/azure-web-sites-web-hosting-plans-in-depth-overview/change-appserviceplan.png"::: + :::image type="content" source="./media/azure-web-sites-web-hosting-plans-in-depth-overview/change-appserviceplan.png" alt-text="Screenshot showing the App Service plan page." lightbox="./media/azure-web-sites-web-hosting-plans-in-depth-overview/change-appserviceplan.png"::: -1. In the **Change App Service plan** pane, in the **App Service plan** list, select an existing plan to move the app to. The list shows only plans that are in the same resource group and geographical region as the current App Service plan. If no such plan exists, it lets you create a plan by default. You can also create a new plan manually by selecting **New plan** and then selecting **Create new**. +1. In the **Change App Service plan** pane, in the **App Service plan** list, select an existing plan to move the app to. The list shows only plans that are in the same resource group and geographical region as the current App Service plan. If no such plan exists, you can create a plan by default. You can also create a new plan manually by selecting **New plan** and then selecting **Create new**. -1. When you're done, select **Save**. +1. When you're done, select **Save**. -If you create a new plan, you can change its pricing tier. For more information, see the [Scale an App Service plan](#scale-an-app-service-plan) section later in this article. - - > [!IMPORTANT] - > If you move an app from a higher-tiered plan to a lower-tiered plan, such as from **D1** to **F1**, the app might lose certain capabilities in the target plan. 
For example, if your app uses TLS/SSL certificates, you might see this error message: - > - > `Cannot update the site with hostname '' because its current TLS/SSL configuration 'SNI based SSL enabled' is not allowed in the target compute mode. Allowed TLS/SSL configuration is 'Disabled'.` - > +If you create a new plan, you can change its pricing tier. For more information, see [Scale an App Service plan](#scale-an-app-service-plan). + +> [!IMPORTANT] +> If you move an app from a higher-tiered plan to a lower-tiered plan, such as from **D1** to **F1**, the app might lose certain capabilities in the target plan. For example, if your app uses TLS/SSL certificates, you might see this error message: +> +> `Cannot update the site with hostname '' because its current TLS/SSL configuration 'SNI based SSL enabled' is not allowed in the target compute mode. Allowed TLS/SSL configuration is 'Disabled'.` ## Move an app to a different region -The region in which your app runs is the region of the App Service plan that it's in. However, you can't change the region of an App Service plan. If you want to run your app in a different region, one alternative is app cloning. Cloning makes a copy of your app in a new or existing App Service plan in any region. +The region in which your app runs is determined by the App Service plan that it's in. However, you can't change the region of an App Service plan. If you want to run your app in a different region, one alternative is app cloning. Cloning creates a copy of your app in a new or existing App Service plan in any region. You can find **Clone App** in the **Development Tools** section of the left pane. > [!IMPORTANT] -> Cloning has some limitations. You can read about them in [Azure App Service App cloning](app-service-web-app-cloning.md#current-restrictions). +> Cloning has some limitations. For more information, see [Azure App Service app cloning](app-service-web-app-cloning.md#current-restrictions). ## Scale an App Service plan 
@@ -96,41 +94,69 @@ For information about scaling up the pricing tier of an App Service plan, see [S For information about scaling out an app's instance count, see [Scale instance count manually or automatically](/azure/azure-monitor/autoscale/autoscale-get-started). -## Scale an App Service Plan Asynchronously (Preview) +## Scale an App Service plan asynchronously (Preview) + +When creating or manually scaling out an App Service plan, you might experience situations where you're advised to retry with lower instance counts than you originally requested. For example, you might request to scale out to 15 instances but be informed that only 6 are currently available. In that case, you must scale to 6 instances first, wait, and then retry to reach your target of 15 instances. -When creating or manually scaling out an App Service Plan you may experience situations where you're advised to retry with lower instance counts than you originally requested, for example potentially you have asked to scale out to 15 instances but are told only 6 are available, so you must scale to 6 then wait and retry to get to your target 15 instances. +The App Service plan asynchronous scaling preview enables you to request your target number of instances, and the platform scales out to the requested target without requiring you to modify and retry the request manually. The platform scales to the number of currently available instances and then provisions additional instances in the background until the target count is reached. -The preview of App Service Plan Asynchronous enables you to request your target number of instances and the platform scales out to the target number, without you having to modify your original request and retrying. The platform scales to the number of available instances and then triggers the underlying platform to make more instances available. You can make use of this functionality during scale-out operations or at plan creation time. 
This functionality is supported for all Basic, Standard, and Premium pricing plans. +You can use this functionality during scale-out operations or at plan creation time. This functionality is supported for Basic, Standard, and Premium pricing tiers. > [!NOTE] -> This behavior is NOT configurable for App Service Plans created in App Service Environments. App Service Environments create and scale App Service Plans asynchronously by default. +> This behavior isn't configurable for App Service plans created in App Service Environments. App Service Environments create and scale App Service plans asynchronously by default. -### Scaling up or down App Service Plan SKUs +### Scale up or down App Service plan SKUs -When using asynchronous scaling, it's possible to scale up or down to a larger or smaller SKU. During this type of operation, no other properties of the App Service Plan can be changed. Scaling up or down to a new SKU may fail if there aren't enough App Service Plan instances available to fully satisfy the request, this is to prevent your App Service Plan having fewer workers than requested. +When using asynchronous scaling, it's possible to scale up or down to a larger or smaller SKU. During this type of operation, no other properties of the App Service plan can be changed. -If a scale up or down operation fails, you can either scale in or out within the current SKU or perform the operation with the minim number of acceptable workers and then scale out asynchronously to the desired target. +Scaling up or down to a new SKU might fail if there aren't enough App Service plan instances available to fully satisfy the request. This restriction prevents your App Service plan from running with fewer workers than requested. -### Cancelling an asynchronous scaling operation +If a scale-up or scale-down operation fails, you can either: -An in-progress asynchronous scale operation is canceled only when you explicitly change the TargetWorkerCount property. 
Changes to other App Service Plan properties don't cancel the operation, including changes to the SKU, or App Service Plan instance count. App Service Plan instance count changes that can't be completed synchronously are ignored unless the TargetWorkerCount is also changed. To explicitly cancel the scale operation, set the TargetWorkerCount to 0. +- Scale in or out within the current SKU. +- Perform the operation with the minimum acceptable number of workers and then scale out asynchronously to the desired target. + +### Cancel an asynchronous scaling operation + +An in-progress asynchronous scale operation is canceled only when you explicitly change the `TargetWorkerCount` property. + +Changes to other App Service plan properties don't cancel the operation, including changes to the SKU or App Service plan instance count. + +App Service plan instance count changes that can't be completed synchronously are ignored unless the `TargetWorkerCount` is also changed. + +To explicitly cancel the scale operation, set `TargetWorkerCount` to `0`. + +# [Azure CLI](#tab/azure-cli) + +### Scale-out -### [Scale-out (CLI)](#tab/asyncscaleout) ```azurecli-interactive -az appservice plan update -g -n --async-scaling-enabled true --number-of-workers +az appservice plan update \ + -g \ + -n \ + --async-scaling-enabled true \ + --number-of-workers ``` -### [Create (CLI)](#tab/asynccreate) +### Create + ```azurecli-interactive -az appservice plan create -g asyncasp -n asyncasplinuxexample --number-of-workers 25 --sku p1v3 --async-scaling-enabled true --location northeurope +az appservice plan create \ + -g \ + -n \ + --number-of-workers 25 \ + --sku P1V3 \ + --async-scaling-enabled true \ + --location northeurope ``` + --- ## Delete an App Service plan -To avoid unexpected charges, when you delete the last app in an App Service plan, by default, App Service also deletes the plan. If you choose to keep the plan, you should change the plan to the **Free** tier so that you're not charged. 
+To avoid unexpected charges, when you delete the last app in an App Service plan, App Service also deletes the plan by default. If you choose to keep the plan, change it to the **Free** tier so that you aren't charged. > [!IMPORTANT] > App Service plans that have no apps associated with them still incur charges because they continue to reserve the configured VM instances. @@ -139,6 +165,3 @@ To avoid unexpected charges, when you delete the last app in an App Service plan > [!div class="nextstepaction"] > [Scale up an app in Azure](manage-scale-up.md) - -[createWebApp]: ./media/azure-web-sites-web-hosting-plans-in-depth-overview/create-web-app.png -[createResource]: ./media/azure-web-sites-web-hosting-plans-in-depth-overview/create-a-resource.png diff --git a/articles/app-service/wordpress-faq.md b/articles/app-service/wordpress-faq.md index 6b9c9fd831f06..3eae30cd7bf03 100644 --- a/articles/app-service/wordpress-faq.md +++ b/articles/app-service/wordpress-faq.md @@ -1,12 +1,12 @@ --- title: 'Frequently asked questions about WordPress on App Service' -description: Use this article to find frequently asked questions and answers about WordPress on Azure App Service. +description: Learn about frequently asked questions, troubleshooting guidance, security, scaling, and performance optimization for WordPress on Azure App Service. keywords: app service, azure app service, wordpress, preview, app service on linux, plugins, mysql flexible server, wordpress on linux, php ai-usage: ai-assisted author: reddyabhishek ms.service: azure-app-service ms.topic: faq -ms.date: 03/13/2026 +ms.date: 05/12/2026 # ms.devlang: wordpress ms.author: tulikac ms.custom: 
@@ -17,85 +17,110 @@ ms.custom: # WordPress on App Service: Frequently Asked Questions +This article answers common questions about hosting and managing WordPress on Azure App Service, including scaling, security, monitoring, troubleshooting, and performance optimization. + ## Are there limits on the number of sites, visits, storage, or bandwidth? The allocated resources for an App Service plan and database tier determine the hosting capacity. For example: - **App Service B1 Plan:** Includes one core, 1.75-GB RAM, and 10-GB storage. -- **Database B1ms Instance:** Offers 1 vCore, 2-GB RAM, and storage up to 16 GB. +- **Database B1ms Instance:** Offers one vCore, 2-GB RAM, and storage up to 16 GB. -There's no fixed limit on the number of sites you can host, but recommended app limits by pricing tier are: +There's no fixed limit on the number of sites you can host, but recommended application limits by pricing tier are: -| **Pricing tier** | **Recommended Max Apps** | -|----------------------|---------------------------| -| B1, S1, P1v2, I1v1 | 8 | -| B2, S2, P2v2, I2v1 | 16 | -| B3, S3, P3v2, I3v1 | 32 | -| P1v3, I1v2 | 16 | -| P2v3, I2v2 | 32 | -| P3v3, I3v2 | 64 | +| Pricing tier | Recommended maximum apps | +|---|---| +| B1, S1, P1v2, I1v1 | 8 | +| B2, S2, P2v2, I2v1 | 16 | +| B3, S3, P3v2, I3v1 | 32 | +| P1v3, I1v2 | 16 | +| P2v3, I2v2 | 32 | +| P3v3, I3v2 | 64 | -Bandwidth is unlimited, but [charges apply for internet egress](https://azure.microsoft.com/pricing/details/bandwidth/). +Bandwidth is unlimited, but [internet egress charges apply](https://azure.microsoft.com/pricing/details/bandwidth/). ## How are security patches updated? -Azure manages security patches for core technologies, while WordPress-specific updates might require manual or semi-automated steps: +Azure manages security patches for core platform technologies, while WordPress-specific updates might require manual or semi-automated actions. 
-- **PHP Major Versions:** Update manually under **App Service > Settings > Configuration**. -- **WordPress Core:** Minor updates are automatic, while major updates need manual configuration. -- **Plugins and Themes:** Perform manual updates after backing up your site to avoid issues. WordPress also offers auto update options. +- **PHP major versions:** Update manually under **App Service > Settings > Configuration**. +- **WordPress core:** Minor updates are automatic, while major updates require manual configuration. +- **Plugins and themes:** Perform updates manually after backing up your site to avoid compatibility issues. WordPress also supports automatic updates. For more information, see [How to keep your WordPress website stack on Azure App Service up to date](https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-keep-your-wordpress-website-stack-on-azure-app-service-up-to-date/3832193). ## What security features are available to protect my website? -Azure App Service integrates robust security features to safeguard WordPress sites: +Azure App Service integrates multiple security features to help protect WordPress sites. -- **[App Service Security](overview-security.md):** HTTPS, IP restrictions, certificates, authentication, and network isolation. -- **[Easy Authentication](overview-authentication-authorization.md):** Built-in identity provider integration with minimal effort. -- **[Azure Database for MySQL](/security/benchmark/azure/baselines/azure-database-for-mysql-flexible-server-security-baseline):** Advanced protections for Azure MySQL servers, including encryption and backup capabilities. -- **[Virtual Network (VNET)](/azure/virtual-network/virtual-networks-overview):** Secure communication between Azure resources, the internet, and on-premises networks. 
-- **[Managed Identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities):** Credential-free access to resources using Microsoft Entra tokens. -- **[Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction):** Proactive threat detection with DevSecOps integration. -- **[Azure Key Vault](/azure/key-vault/):** Secure storage for keys, secrets, and certificates. -- **[Microsoft Entra ID](/entra/identity/):** Single sign-On (SSO) for seamless authentication. +- **[App Service security](overview-security.md):** HTTPS, IP restrictions, certificates, authentication, and network isolation. +- **[Easy Authentication](overview-authentication-authorization.md):** Built-in identity provider integration with minimal configuration. +- **[Azure Database for MySQL](/security/benchmark/azure/baselines/azure-database-for-mysql-flexible-server-security-baseline):** Encryption, backup, and advanced database protection capabilities. +- **[Virtual Network (VNet)](/azure/virtual-network/virtual-networks-overview):** Secure communication between Azure resources, the internet, and on-premises networks. +- **[Managed identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities):** Credential-free access to Azure resources using Microsoft Entra tokens. +- **[Microsoft Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction):** Threat detection and DevSecOps integration. +- **[Azure Key Vault](/azure/key-vault/):** Secure storage for secrets, certificates, and encryption keys. +- **[Microsoft Entra ID](/entra/identity/):** Single sign-on (SSO) and identity management capabilities. ## How can I set up WordPress Multisite? -WordPress Multisite allows managing multiple sites from a single installation. 
To enable: -Set up a **[subdirectory-based Multisite](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/how-to-set-up-subdirectory-multisite-in-wordpress-on-azure-app/ba-p/3791071)** or **[subdomain-based Multisite](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/how-to-set-up-subdomain-multisite-in-wordpress-on-app-service/ba-p/3886283)**. +WordPress Multisite enables you to manage multiple websites from a single WordPress installation. + +You can configure either: + +- A [subdirectory-based Multisite](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/how-to-set-up-subdirectory-multisite-in-wordpress-on-azure-app/ba-p/3791071) +- A [subdomain-based Multisite](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/how-to-set-up-subdomain-multisite-in-wordpress-on-app-service/ba-p/3886283) > [!NOTE] -> - Conversion to Multisite is permanent; reverting to a single site is unsupported. -> - Switching between subdirectory and subdomain setups isn't allowed. +> - Converting a WordPress installation to Multisite is permanent and isn't reversible. +> - Switching between subdirectory and subdomain configurations isn't supported. + +## How do I access my WordPress website database? + +You can access the database by using **phpMyAdmin** at: -## How do I access my WordPress website's database? +`https:///phpmyadmin` -The database can be accessed using **phpMyAdmin** at: `https:///phpmyadmin`. -Use the `DATABASE_USERNAME` as the username and a generated token as the password (tokens can be retrieved via **Kudu SSH**). +Use the `DATABASE_USERNAME` environment variable as the username and a generated token as the password. You can retrieve the token by using Kudu SSH. ## How do I enable a custom domain for my WordPress website? 
-Custom domains can be set up with these resources: +You can configure a custom domain by using these resources: -- [Using custom domains with WordPress on Azure App Service](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/how-to-use-custom-domains-with-wordpress-on-app-service/ba-p/3886247) -- [Configuring custom domains with Azure Front Door](/azure/frontdoor/front-door-custom-domain) +- [Use custom domains with WordPress on Azure App Service](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/how-to-use-custom-domains-with-wordpress-on-app-service/ba-p/3886247) +- [Configure custom domains with Azure Front Door](/azure/frontdoor/front-door-custom-domain) -## Does WordPress on App Service have email functionality? +## Does WordPress on App Service support email functionality? -Yes, email functionality is supported through **[Azure Communication Services](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/wordpress-on-azure-appservice-email-integration/ba-p/3890486)**. [Custom email domains can be also be configured](/azure/communication-services/quickstarts/email/add-custom-verified-domains). +Yes. Email functionality is supported through **[Azure Communication Services](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/wordpress-on-azure-appservice-email-integration/ba-p/3890486)**. + +You can also configure [custom email domains](/azure/communication-services/quickstarts/email/add-custom-verified-domains). ## How can I update NGINX configurations for my WordPress website? -NGINX configurations can be updated using a **startup script**. Detailed instructions are available in the [startup script guide](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/updating-nginx-default-configurations-on-azure-app-services/ba-p/3710146). +You can update NGINX configurations by using a startup script. 
+ +For detailed instructions, see the [startup script guide](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/updating-nginx-default-configurations-on-azure-app-services/ba-p/3710146). ## How can I access error logs for my WordPress website? -Access error logs for debugging via **App Service logs** or the **Kudu dashboard**. Refer to the [documentation](troubleshoot-diagnostic-logs.md) for detailed steps. +You can access logs for troubleshooting and debugging by using: + +- **App Service logs** +- **Kudu dashboard** + +For more information, see [Enable diagnostic logging in App Service](troubleshoot-diagnostic-logs.md). ## How do I estimate pricing for hosting a WordPress site on Azure? -Use the [Azure Pricing Calculator](https://azure.microsoft.com/pricing/) to estimate hosting costs, considering App Service, MySQL, Azure Front Door, Blob Storage, and other components. For more information, use this [pricing estimate guide](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/how-to-estimate-pricing-for-wordpress-on-app-service/ba-p/4029262). +Use the [Azure Pricing Calculator](https://azure.microsoft.com/pricing/) to estimate hosting costs for services such as: + +- Azure App Service +- Azure Database for MySQL +- Azure Front Door +- Azure Blob Storage + +For more information, see the [pricing estimate guide](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/how-to-estimate-pricing-for-wordpress-on-app-service/ba-p/4029262). ## How can I debug and monitor my WordPress site? 
@@ -105,55 +130,68 @@ Key tools for debugging and monitoring WordPress sites include: - **[Kudu](https://techcommunity.microsoft.com/blog/appsonazureblog/kudu-dashboard-explained---wordpress-on-app-service/4030035)** - **[SSH Access](configure-linux-open-ssh-session.md?pivots=container-linux)** -### PhpMyAdmin +### phpMyAdmin + +WordPress on App Service uses Azure Database for MySQL Flexible Server, which is integrated into a virtual network. This setup restricts database access to within the virtual network. + +phpMyAdmin is included by default and can be accessed at: + +`https:///phpmyadmin` + +If you're using managed identities, you can sign in to phpMyAdmin by using: -WordPress on App Service utilizes an Azure Database for MySQL Flexible Server, which is integrated into a virtual network. This setup restricts database access to within the virtual network. WordPress on App Service includes phpMyAdmin by default. You can access it at: https://``/phpmyadmin. - -If you're using Managed Identities, you can sign in to phpMyAdmin by using the value from the `DATABASE_USERNAME` environment variable as the username and the token as the password. To find the token, use your Kudu SSH to run the following command: - -`/usr/local/bin/fetch-mysql-access-token.sh` - -Or you can find the database username and password from App Service environment variables. +- The `DATABASE_USERNAME` environment variable as the username +- A generated access token as the password -## What features can I use to boost my WordPress site's performance? +To retrieve the token, connect through Kudu SSH and run: -Enhance performance with these features / plugins: +```bash +/usr/local/bin/fetch-mysql-access-token.sh +``` + +You can also find the database username and password in App Service environment variables. + +## What features can I use to improve my WordPress site's performance? 
+ +You can improve performance by using the following Azure services and WordPress features: - **[Azure Front Door (AFD)](/azure/frontdoor/)** -- **[Blob Storage](/azure/storage/blobs/)** -- **Dynamic Caching** -- **[Image Compression (Smush)](https://wordpress.org/plugins/wp-smushit/)** -- **[Scaling Up](/azure/app-service/manage-scale-up) and [Out](/azure/app-service/manage-automatic-scaling)** -- **[Redis Cache](https://techcommunity.microsoft.com/blog/appsonazureblog/distributed-caching-with-azure-redis-to-boost-your-wordpress-sites-performance/3974605)** +- **[Azure Blob Storage](/azure/storage/blobs/)** +- **Dynamic caching** +- **[Image compression with Smush](https://wordpress.org/plugins/wp-smushit/)** +- **[Scale up](/azure/app-service/manage-scale-up)** and **[scale out](/azure/app-service/manage-automatic-scaling)** +- **[Azure Cache for Redis](https://techcommunity.microsoft.com/blog/appsonazureblog/distributed-caching-with-azure-redis-to-boost-your-wordpress-sites-performance/3974605)** -## What are the options for configuring and setting up my WordPress site? +## What configuration and setup options are available for WordPress on App Service? -Options for setting up WordPress include: +You can configure and manage WordPress on App Service by using: -- **[FTP File Transfers](/azure/app-service/deploy-ftp)** -- **[NGINX Configuration Updates](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/updating-nginx-default-configurations-on-azure-app-services/ba-p/3710146)** +- **[FTP file transfers](/azure/app-service/deploy-ftp)** +- **[NGINX configuration updates](https://techcommunity.microsoft.com/t5/apps-on-azure-blog/updating-nginx-default-configurations-on-azure-app-services/ba-p/3710146)** - **[App Service settings](/azure/app-service/configure-common)** ## How can I build a headless WordPress site? -Enable **WP REST APIs** and integrate with **Static Web Apps** to create a decoupled front-end experience. 
Learn more [here](https://techcommunity.microsoft.com/blog/appsonazureblog/integrating-wordpress-on-app-service-with-azure-static-web-apps/4004955). +You can create a headless WordPress architecture by enabling **WP REST APIs** and integrating with **Azure Static Web Apps** for a decoupled front-end experience. + +For more information, see [Integrate WordPress on App Service with Azure Static Web Apps](https://techcommunity.microsoft.com/blog/appsonazureblog/integrating-wordpress-on-app-service-with-azure-static-web-apps/4004955). ## What features are available for creating an enterprise-grade production website? -Key features include: +Enterprise deployment capabilities include: -- [Staging slots](https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-set-up-staging-slots-in-wordpress-on-app-service/4144847) for safe testing. -- [Custom domains](https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-use-custom-domains-with-wordpress-on-app-service/3886247). -- [CI/CD](https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-integrate-continuous-integration-and-deployment-with-wordpress-on-app-ser/4144886) pipelines for automated deployments. -- [Startup scripts](https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-run-bash-scripts-in-wordpress-on-azure-app-service/3625692) for configuration. -- [Emails with custom domain](/azure/communication-services/quickstarts/email/add-custom-verified-domains). -- [Scaling](/azure/app-service/manage-scale-up) and [load testing](/azure/load-testing/concept-load-test-app-service) capabilities. 
+- [Deployment slots](https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-set-up-staging-slots-in-wordpress-on-app-service/4144847) for testing and staged deployments +- [Custom domains](https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-use-custom-domains-with-wordpress-on-app-service/3886247) +- [CI/CD pipelines](https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-integrate-continuous-integration-and-deployment-with-wordpress-on-app-ser/4144886) for automated deployments +- [Startup scripts](https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-run-bash-scripts-in-wordpress-on-azure-app-service/3625692) for configuration automation +- [Custom email domains](/azure/communication-services/quickstarts/email/add-custom-verified-domains) +- [Scaling](/azure/app-service/manage-scale-up) and [load testing](/azure/load-testing/concept-load-test-app-service) capabilities -## What are common errors for WordPress on App Service, and how can I troubleshoot? +## What are common WordPress on App Service errors, and how can I troubleshoot them? -Typical issues and resolutions: +Common issues and troubleshooting resources include: -- **[Debug Logs](https://github.com/Azure/wordpress-linux-appservice/blob/main/WordPress/enabling_debug_logs_for_wordpress.md):** Enable for troubleshooting. -- **[CORS Issues](https://github.com/Azure/wordpress-linux-appservice/blob/main/WordPress/cors_issue_with_azure_cdn_frontdoor_blob.md):** Adjust settings in Azure Front Door. -- **[Existing WordPress Detected Warning](https://github.com/Azure/wordpress-linux-appservice/blob/main/WordPress/troubleshooting-guides/tsg_existing_wordpress_installation_detected.md):** -- **[Intl Extension issues](https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-install-intl-extension-on-wordpress-on-azure-app-service/4138353):** Install via the configuration panel. 
+- **[Enable debug logs](https://github.com/Azure/wordpress-linux-appservice/blob/main/WordPress/enabling_debug_logs_for_wordpress.md)** for troubleshooting WordPress issues +- **[Resolve CORS issues](https://github.com/Azure/wordpress-linux-appservice/blob/main/WordPress/cors_issue_with_azure_cdn_frontdoor_blob.md)** when using Azure Front Door or CDN integrations +- **[Troubleshoot existing WordPress installation warnings](https://github.com/Azure/wordpress-linux-appservice/blob/main/WordPress/troubleshooting-guides/tsg_existing_wordpress_installation_detected.md)** +- **[Install the Intl PHP extension](https://techcommunity.microsoft.com/blog/appsonazureblog/how-to-install-intl-extension-on-wordpress-on-azure-app-service/4138353)** through the App Service configuration panel diff --git a/articles/app-testing/index.yml b/articles/app-testing/index.yml index 062f692b803f1..935a4b7fd3343 100644 --- a/articles/app-testing/index.yml +++ b/articles/app-testing/index.yml 
@@ -1,20 +1,21 @@ ### YamlMime:Landing title: Azure App Testing documentation -summary: Improve your app performance at scale. Run end-to-end Playwright tests, or run automated load tests on the cloud using JMeter or Locust scripts with Azure App Testing. +summary: Improve application quality and performance at scale by running end-to-end Playwright tests and automated cloud-based load tests using JMeter or Locust scripts with Azure App Testing. metadata: title: Azure App Testing documentation - description: Improve your app performance at scale. Run end-to-end Playwright tests, or run automated load tests on the cloud using JMeter or Locust scripts with Azure App Testing. + description: Learn how to improve application quality and performance at scale with Azure App Testing by running Playwright end-to-end tests and automated load tests using JMeter or Locust scripts. ms.service: azure-app-testing ms.topic: landing-page ms.author: nandinim author: nandinimurali - ms.date: 07/24/2025 + ms.date: 05/12/2026 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new landingContent: + # Card - title: About Azure App Testing linkLists: @@ -32,6 +33,7 @@ landingContent: url: load-testing/overview-what-is-azure-load-testing.md - text: Key concepts url: load-testing/concept-load-testing-concepts.md + - linkListType: quickstart links: - text: Create a URL-based load test @@ -52,6 +54,7 @@ landingContent: url: playwright-workspaces/overview-what-is-microsoft-playwright-workspaces.md - text: Try Playwright Workspaces for free url: playwright-workspaces/how-to-try-playwright-workspaces-free.md + - linkListType: quickstart links: - text: Run end-to-end tests at scale 
@@ -68,8 +71,9 @@ landingContent: links: - text: Load test Azure App Service apps url: load-testing/concept-load-test-app-service.md - - text: Scenarios for VNET deployment + - text: Scenarios for virtual network deployment url: load-testing/concept-azure-load-testing-vnet-injection.md + - linkListType: how-to-guide links: - text: Test App Service web apps @@ -78,7 +82,7 @@ landingContent: url: load-testing/how-to-create-load-test-function-app.md - text: Test private endpoints url: load-testing/how-to-test-private-endpoint.md - - text: Test secure endpoints + - text: Test secured endpoints url: load-testing/how-to-test-secured-endpoints.md # Card @@ -88,11 +92,11 @@ landingContent: links: - text: Add HTTP requests to URL-based tests url: load-testing/how-to-add-requests-to-url-based-test.md - - text: Configure for high scale loads + - text: Configure tests for high-scale loads url: load-testing/how-to-high-scale-load.md - text: Parameterize load tests url: load-testing/how-to-parameterize-load-tests.md - - text: Define test fail criteria + - text: Define test failure criteria url: load-testing/how-to-define-test-criteria.md - text: Read data from a CSV file url: load-testing/how-to-read-csv-data.md @@ -106,11 +110,12 @@ landingContent: links: - text: Determine optimal test suite configuration url: playwright-workspaces/concept-determine-optimal-configuration.md + - linkListType: how-to-guide links: - text: Optimize regional latency url: playwright-workspaces/how-to-optimize-regional-latency.md - - text: Run tests for local and private apps + - text: Run tests for local and private applications url: playwright-workspaces/how-to-test-local-applications.md - text: Configure visual comparisons url: playwright-workspaces/how-to-configure-visual-comparisons.md 
@@ -134,17 +139,18 @@ landingContent: url: load-testing/how-to-export-test-results.md - text: Diagnose failing load tests url: load-testing/how-to-diagnose-failing-load-test.md + - linkListType: tutorial links: - text: Identify performance bottlenecks url: load-testing/tutorial-identify-bottlenecks-azure-portal.md # Card - - title: Automation & CI/CD + - title: Automation and CI/CD linkLists: - linkListType: how-to-guide links: - - text: Run load tests in CI/CD + - text: Run load tests in CI/CD pipelines url: load-testing/how-to-configure-load-test-cicd.md - text: Set up continuous end-to-end testing url: playwright-workspaces/quickstart-automate-end-to-end-testing.md @@ -152,17 +158,17 @@ landingContent: url: load-testing/quickstart-create-run-load-tests-from-visual-studio-code.md # Card - - title: Security & access management + - title: Security and access management linkLists: - linkListType: how-to-guide links: - - text: Manage users and roles (Load Testing) + - text: Manage users and roles for Azure Load Testing url: load-testing/how-to-assign-roles.md - text: Use a managed identity url: load-testing/how-to-use-a-managed-identity.md - - text: Manage workspace access (Playwright) + - text: Manage Playwright workspace access url: playwright-workspaces/how-to-manage-workspace-access.md - - text: Manage access tokens (Playwright) + - text: Manage Playwright access tokens url: playwright-workspaces/how-to-manage-access-tokens.md # Card @@ -170,7 +176,7 @@ landingContent: linkLists: - linkListType: how-to-guide links: - - text: Create & manage load tests + - text: Create and manage load tests url: load-testing/how-to-create-manage-test.md - text: Manage Playwright workspaces url: playwright-workspaces/how-to-manage-playwright-workspace.md @@ -178,5 +184,3 @@ landingContent: url: load-testing/monitor-load-testing.md - text: Move resources between regions url: load-testing/how-to-move-between-regions.md - - 
diff --git a/articles/app-testing/overview-what-is-azure-app-testing.md b/articles/app-testing/overview-what-is-azure-app-testing.md index fbb8f00b78819..38f8879267672 100644 --- a/articles/app-testing/overview-what-is-azure-app-testing.md +++ b/articles/app-testing/overview-what-is-azure-app-testing.md @@ -1,6 +1,6 @@ --- title: What is Azure App Testing? -description: 'Improve your app performance at scale. Run end-to-end Playwright tests, or run automated load tests on the cloud using JMeter or Locust scripts with Azure App Testing.' +description: Improve application quality and performance at scale with Azure App Testing. Run end-to-end Playwright tests and automated load tests using JMeter or Locust in the cloud. ms.service: azure-app-testing ms.topic: overview ms.author: nandinim 
@@ -11,64 +11,172 @@ adobe-target: true # What is Azure App Testing? -Azure App Testing lets developers and QA teams run large-scale functional and performance tests to identify issues in their applications. Azure App Testing allows you to run functional tests with [Playwright Workspaces](playwright-workspaces\overview-what-is-microsoft-playwright-workspaces.md) and performance tests using [Azure Load Testing](load-testing\overview-what-is-azure-load-testing.md). Spend less time managing infrastructure and less effort harnessing AI-driven test automation to boost quality and innovation. +Azure App Testing helps developers and QA teams run large-scale functional and performance tests to identify issues in applications before deployment. The service combines: -Azure Load Testing enables you to generate high-scale load and simulate traffic for your applications, regardless of where they're hosted. It supports running Apache JMeter-based tests or Locust-based tests. It also enables generating load from multiple regions and enables you to test private application endpoints. It provides detailed metrics and insights into the performance of your application under load, helping you identify bottlenecks and optimize performance. +- **Playwright Workspaces** for end-to-end UI testing +- **Azure Load Testing** for large-scale performance and load testing -Playwright Workspaces enables you to run end-to-end tests with high parallelization. It supports running tests in parallel across multiple browsers and devices, enabling you to validate the functionality and performance of your applications at scale. It also provides detailed test results and insights, helping you identify issues and optimize your tests. +By using Azure App Testing, teams can spend less time managing test infrastructure and more time improving software quality with scalable and AI-assisted testing workflows. 
-The following diagram shows an overview of how Azure App Testing integrates these capabilities: +--- + +## Core capabilities -:::image type="content" source="media/overview-what-is-azure-app-testing/azure-app-testing-overview.png" lightbox="media/overview-what-is-azure-app-testing/azure-app-testing-overview.png" alt-text="Diagram that shows an overview of Azure App Testing."::: +Azure App Testing supports two major testing scenarios: + +### Playwright Workspaces -## Usage scenarios +Playwright Workspaces enables teams to run highly parallelized end-to-end tests across browsers and devices using Microsoft Playwright. -Azure App Testing is designed to help you with the following scenarios: +Key capabilities include: -- **Load testing**: Generate high-scale loads to simulate real-world traffic and identify performance bottlenecks in your applications. You can run tests using JMeter or Locust scripts, or create URL-based tests. +- Cross-browser testing +- Parallel test execution +- Device simulation +- CI/CD integration +- Secure access controls +- Test insights and reporting -- **End-to-end UI testing**: Run end-to-end tests with high parallelization using Playwright Workspaces. Validate the functionality and performance of your applications across multiple browsers and devices. +For more information, see: -## Key features +- [What is Playwright Workspaces?](playwright-workspaces/overview-what-is-microsoft-playwright-workspaces.md) -Here are some of the key features of Azure App Testing: +--- ### Azure Load Testing -- **High-scale load generation**: Generate load from multiple regions to simulate real-world traffic patterns and identify performance bottlenecks. +Azure Load Testing enables you to simulate real-world traffic against applications hosted anywhere. -- **AI-powered test authoring and insights**: Easily create load tests using VS Code with GitHub Copilot Agent mode and get AI-driven insights in test results that detect issues and recommend fixes. 
+Supported test types include: -- **Support for JMeter and Locust**: Run tests using Apache JMeter or Locust scripts, enabling you to leverage existing test scripts and tools. +- Apache JMeter tests +- Locust tests +- URL-based load tests -- **Private endpoint testing**: Test private application endpoints by securely connecting to your applications hosted in virtual networks or on-premises environments. +The service helps identify bottlenecks, validate scalability, and monitor application behavior under stress. -- **Detailed metrics and insights**: Get detailed metrics and insights into the performance of your application under load, helping you identify bottlenecks and optimize performance. +For more information, see: -### Playwright Workspaces +- [What is Azure Load Testing?](load-testing/overview-what-is-azure-load-testing.md) -- **High parallelization**: Run end-to-end tests in parallel across multiple browsers and devices, enabling you to speed up end-to-end validation of your applications. +--- +## Architecture overview -- **Cross-browser and cross-device testing**: Validate your applications across different browsers and devices, ensuring consistent functionality and performance. +The following diagram shows how Azure App Testing integrates Playwright Workspaces and Azure Load Testing: -- **Seamless integration with CI/CD**: Integrate Playwright Workspaces with your existing CI/CD pipelines to automate end-to-end testing and ensure quality at every stage of development. +:::image type="content" source="media/overview-what-is-azure-app-testing/azure-app-testing-overview.png" lightbox="media/overview-what-is-azure-app-testing/azure-app-testing-overview.png" alt-text="Overview diagram of Azure App Testing integrating Playwright Workspaces and Azure Load Testing."::: -- **Security and access control**: Support for managed identities, private link access, and RBAC (role-based access control) ensures secure and controlled access to workspace resources. 
+--- -## In-region data residency & data at rest +# Usage scenarios -### Azure Load Testing +Azure App Testing is designed for the following scenarios. -Azure Load Testing doesn't store or process customer data outside the region you deploy the service instance in. +## Load testing -### Playwright Workspaces +Generate large-scale traffic to validate application scalability and performance under real-world conditions. + +You can: + +- Run JMeter or Locust scripts +- Create URL-based load tests +- Test applications hosted publicly or privately +- Simulate traffic from multiple Azure regions + +--- + +## End-to-end UI testing + +Run automated browser-based tests using Playwright Workspaces. + +You can: + +- Validate user workflows +- Test across multiple browsers and devices +- Execute tests in parallel +- Integrate testing into CI/CD pipelines + +--- + +# Key features + +## Azure Load Testing features + +### High-scale load generation + +Generate load from multiple regions to simulate realistic traffic patterns and identify performance bottlenecks. + +### AI-powered test authoring and insights + +Use GitHub Copilot Agent mode in Visual Studio Code to help create load tests and receive AI-driven recommendations from test results. + +### Support for JMeter and Locust + +Reuse existing Apache JMeter and Locust scripts without major modifications. + +### Private endpoint testing + +Securely test private applications hosted inside virtual networks or on-premises environments. -Playwright Workspaces doesn't store or process customer data outside the region you deploy the workspace in. When you use the regional affinity feature, the metadata is transferred from the cloud hosted browser region to the workspace region in a secure and compliant manner. +### Detailed performance insights -Playwright Workspaces automatically encrypts all data stored in your workspace with keys managed by Microsoft (service-managed keys). 
For example, this data includes workspace details, Playwright test run metadata like test start and end time, test minutes, who ran the test, and test results which are published to the service. +Analyze latency, throughput, failures, and resource utilization with built-in metrics and reporting. + +--- + +## Playwright Workspaces features + +### High parallelization + +Run multiple end-to-end tests simultaneously across browsers and devices to reduce execution time. + +### Cross-browser and cross-device testing + +Validate application behavior consistently across supported browsers and device configurations. + +### CI/CD integration + +Integrate Playwright Workspaces into automated deployment pipelines to ensure continuous quality validation. + +### Security and access control + +Use managed identities, private networking, and Azure RBAC for secure and controlled access. + +--- + +# In-region data residency and encryption + +## Azure Load Testing + +Azure Load Testing stores and processes customer data only within the region where the service instance is deployed. + +--- + +## Playwright Workspaces + +Playwright Workspaces stores and processes customer data only within the workspace deployment region. + +When regional affinity is enabled, metadata transfers between regions occur securely and compliantly. + +All workspace data is encrypted using Microsoft-managed keys. 
Examples of stored data include: + +- Workspace configuration +- Test metadata +- Test execution details +- Test results +- Usage metrics + +--- + +# Getting started + +## Run Playwright tests + +- [Run end-to-end tests with Playwright Workspaces](playwright-workspaces/quickstart-run-end-to-end-tests.md) + +--- -## Getting started +## Create a load test -- [Run end-to-end tests with Playwright Workspaces](playwright-workspaces\quickstart-run-end-to-end-tests.md) -- [Create and run a load test](load-testing\quickstart-create-and-run-load-test.md) +- [Create and run a load test](load-testing/quickstart-create-and-run-load-test.md)
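Review bot: In articles/app-testing/index.yml, hunk @@ -152,17 +158,17 @@ (the "Security and access management" card), three of the four link texts now name their product but "Use a managed identity" is left unqualified, even though its url is load-testing/how-to-use-a-managed-identity.md. With the "(Load Testing)" and "(Playwright)" tags removed from its neighbours, the card no longer signals that this entry applies only to Azure Load Testing. Suggest "Use a managed identity for Azure Load Testing", matching "Manage users and roles for Azure Load Testing".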
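Review bot: In articles/app-testing/overview-what-is-azure-app-testing.md, hunk @@ -11,64 +11,172 @@, the rewritten "In-region data residency and encryption" section changes what the page commits to, not only how it is worded. The removed text said Playwright Workspaces encrypts all data "stored in your workspace" with service-managed keys and listed "who ran the test" among the stored items. The added text drops the at-rest qualifier from both the heading and the sentence ("All workspace data is encrypted using Microsoft-managed keys"), omits the user identity item from the list, and introduces "Usage metrics", which the removed text did not mention. The regional affinity sentence also loses its direction: the removed line said metadata moves from the cloud hosted browser region to the workspace region, while the added line only says transfers "between regions". Please restore these specifics or have the service team confirm the new wording, since readers rely on this section for privacy and compliance review. The same applies under "Security and access control", where "private link access" becomes the vaguer "private networking". Separately, "# Usage scenarios", "# Key features", "# In-region data residency and encryption" and "# Getting started" are promoted from "##" to "#", which puts them at the same level as the page title "# What is Azure App Testing?"; keep them at "##".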