Azure/API-Management release-service-2025-09

Release - API Management service: September, 2025

on GitHub

Highlights

Since the last update, we've added:

• MCP support (public preview), enabling you to expose APIs in API Management or external MCP servers as AI agent tools with stronger authentication, governance, and observability.
• Workspace support for federated logging, metrics and autoscale, and the Premium v2 tier.
• Applications (public preview), offering built-in OAuth 2.0–based access to products.

New features and improvements

• You can now enable content-safety checks on chat completions for final redaction, logging, and response validation using the enforce-on-completions attribute of the llm-content-safety policy. This setting is off by default.
• Model logging now supports the Azure OpenAI Realtime API.
• Product resource names can now include dots (.).
• Email notifications are now supported in v2 tiers.
• OpenAPI imports are now safer, result in cleaner API definitions, and fail with clearer error messages.
  • Imports are blocked if a path placeholder (e.g., /orders/{id}) has no matching parameter, with a clear validation error shown.
  • Imports from localhost URLs are now blocked. You can use file upload or an accessible non-localhost URL instead.
  • If a response object doesn't include a description, API Management now defaults it to an empty string.
• The policy engine now blocks embedding scripts using the XsltSettings.EnableScript setting.
• Policy parsing is now consistent across locales, ensuring numbers are interpreted reliably regardless of browser language or region (comma vs. dot), preventing save errors.
• The validate-azure-ad-token policy now returns more detailed error messages when token validation fails.
• API inspector now provides better visibility into authentication, showing when OAuth or OIDC settings were last refreshed, whether refresh succeeded, and any error details.
• The self-hosted gateway now produces cleaner JSON logs, applies configuration updates more reliably, and starts successfully even when the OpenTelemetry monitoring isn't configured.

Bug fixes

• Resolved issue where prolonged cache outages could cause gateway data plane downtime.

⚠️ Changes

• We are working on reintroducing support for workspaces on the gateway built into Azure API Management service, effectively rescinding parts of the previously announced breaking changes. For now, newly created workspaces are not accessible via the built-in gateway, as announced in the March 2025 breaking changes.
• API versions prior to 2019-12-01 no longer return secrets via GET operations. The Azure Policy definition enforcing a minimum API version has been deprecated. Newer API versions remain unchanged, returning secrets only through POST operations. Learn more about API version retirement.

Self-hosted gateway

• Container image: 2.9.1
• Helm Chart: 1.13.1
• Container image: 2.9.0
• Helm Chart: 1.13.0