Highlights
Since the last update, we've added:
- MCP support (public preview), enabling you to expose APIs in API Management or external MCP servers as AI agent tools with stronger authentication, governance, and observability.
- Workspace support for federated logging, metrics and autoscale, and the Premium v2 tier.
- Applications (public preview), offering built-in OAuth 2.0–based access to products.
New features and improvements
- You can now enable content-safety checks on chat completions for final redaction, logging, and response validation using the
enforce-on-completions
attribute of thellm-content-safety
policy. This setting is off by default. - Model logging now supports the Azure OpenAI Realtime API.
- Product resource names can now include dots (
.
). - Email notifications are now supported in v2 tiers.
- OpenAPI imports are now safer, result in cleaner API definitions, and fail with clearer error messages.
- Imports are blocked if a path placeholder (e.g.,
/orders/{id}
) has no matching parameter, with a clear validation error shown. - Imports from
localhost
URLs are now blocked. You can use file upload or an accessible non-localhost URL instead. - If a response object doesn't include a description, API Management now defaults it to an empty string.
- Imports are blocked if a path placeholder (e.g.,
- The policy engine now blocks embedding scripts using the
XsltSettings.EnableScript
setting. - Policy parsing is now consistent across locales, ensuring numbers are interpreted reliably regardless of browser language or region (comma vs. dot), preventing save errors.
- The
validate-azure-ad-token
policy now returns more detailed error messages when token validation fails. - API inspector now provides better visibility into authentication, showing when OAuth or OIDC settings were last refreshed, whether refresh succeeded, and any error details.
- The self-hosted gateway now produces cleaner JSON logs, applies configuration updates more reliably, and starts successfully even when the OpenTelemetry monitoring isn't configured.
Bug fixes
- Resolved issue where prolonged cache outages could cause gateway data plane downtime.
⚠️ Changes
- We are working on reintroducing support for workspaces on the gateway built into Azure API Management service, effectively rescinding parts of the previously announced breaking changes. For now, newly created workspaces are not accessible via the built-in gateway, as announced in the March 2025 breaking changes.
- API versions prior to
2019-12-01
no longer return secrets via GET operations. The Azure Policy definition enforcing a minimum API version has been deprecated. Newer API versions remain unchanged, returning secrets only through POST operations. Learn more about API version retirement.