update

terencefan · web-flow · commit 01258838bb08 · 2025-03-15T02:48:26.000+08:00
diff --git a/articles/azure-signalr/includes/signalr-add-role-assignments.md b/articles/azure-signalr/includes/signalr-add-role-assignments.md
@@ -9,7 +9,7 @@ ms.author: tefa
 ms.custom: include file
 ---
 
-The following steps describe how to assign a SignalR App Server role to a service principal (application) over an Azure SignalR Service resource. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.yml).
+The following steps describe how to assign a SignalR App Server role to a service principal over an Azure SignalR Service resource. For detailed steps, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal.yml).
 
 > [!NOTE]
 > A role can be assigned to any scope, including management group, subscription, resource group, or single resource. To learn more about scope, see [Understand scope for Azure RBAC](../role-based-access-control/scope-overview.md).
@@ -26,10 +26,10 @@ The following steps describe how to assign a SignalR App Server role to a servic
 
    | Role                                                                                              | Description                                                                                               | Use case                                                                                                                                     |
    | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
-   | [SignalR App Server](../role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the server connection creation and key generation APIs.                                                | Most commonly used for app server with Azure SignalR resource run in **Default** mode.                                                                                                             |
-   | [SignalR Service Owner](../role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the server connection creation, and key/token generation APIs. | For negotiation server with Azure SignalR resource run in **Serverless** mode, as it requires both REST API permissions and authentication API permissions. |
-   | [SignalR REST API Owner](../role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | For using [Azure SignalR Management SDK](/azure/azure-signalr/signalr-howto-use-management-sdk) to manage connections and groups, but does **NOT** make server connections or handle negotiation requests.                          |
-   | [SignalR REST API Reader](../role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Use it when write a monitoring tool that calls readonly REST APIs.                                      |
+   | [SignalR App Server](/azure/role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the server connection creation and key generation APIs.                                                | Most commonly used for app server with Azure SignalR resource run in **Default** mode.                                                                                                             |
+   | [SignalR Service Owner](/azure/role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the server connection creation, and key/token generation APIs. | For negotiation server with Azure SignalR resource run in **Serverless** mode, as it requires both REST API permissions and authentication API permissions. |
+   | [SignalR REST API Owner](/azure/role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | For using [Azure SignalR Management SDK](/azure/azure-signalr/signalr-howto-use-management-sdk) to manage connections and groups, but does **NOT** make server connections or handle negotiation requests.                          |
+   | [SignalR REST API Reader](/azure/role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Use it when write a monitoring tool that calls readonly REST APIs.                                      |
 
 
 1. On the **Members** tab, select **User, group, or service principal**, and then choose **Select members**.
@@ -43,8 +43,8 @@ The following steps describe how to assign a SignalR App Server role to a servic
 
 To learn more about how to assign and manage Azure roles, see these articles:
 
-- [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.yml)
-- [Assign Azure roles using the REST API](../role-based-access-control/role-assignments-rest.md)
-- [Assign Azure roles using Azure PowerShell](../role-based-access-control/role-assignments-powershell.md)
-- [Assign Azure roles using the Azure CLI](../role-based-access-control/role-assignments-cli.md)
-- [Assign Azure roles using Azure Resource Manager templates](../role-based-access-control/role-assignments-template.md)
+- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal.yml)
+- [Assign Azure roles using the REST API](/azure/role-based-access-control/role-assignments-rest.md)
+- [Assign Azure roles using Azure PowerShell](/azure/role-based-access-control/role-assignments-powershell.md)
+- [Assign Azure roles using the Azure CLI](/azure/role-based-access-control/role-assignments-cli.md)
+- [Assign Azure roles using Azure Resource Manager templates](/azure/role-based-access-control/role-assignments-template.md)
diff --git a/articles/azure-signalr/signalr-concept-authorize-azure-active-directory.md b/articles/azure-signalr/signalr-concept-authorize-azure-active-directory.md
@@ -44,6 +44,12 @@ The temporary access key expires in 90 minutes. We recommend that you get a new
 
 The workflow is built in the [Azure SignalR Service SDK for app servers](https://github.com/Azure/azure-signalr).
 
+### Cross tenant access when using Microsoft Entra ID
+
+In some cases, your server and your Azure SignalR resource may not in the same tenant for security concerns.
+
+A [Multi-tenant applications](/entra/identity-platform/single-and-multi-tenant-apps#best-practices-for-multitenant-apps) could help you in this scenario.
+
 ## Assign Azure roles for access rights
 
 Microsoft Entra ID authorizes access rights to secured resources through [Azure RBAC](../role-based-access-control/overview.md). Azure SignalR Service defines a set of Azure built-in roles that encompass common sets of permissions for accessing Azure SignalR Service resources. You can also define custom roles for access to Azure SignalR Service resources.
@@ -65,19 +71,19 @@ You can scope access to Azure SignalR Service resources at the following levels,
 
 | Role                                                                                              | Description                                                                                               | Use case                                                                                                                                     |
 | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
-| [SignalR App Server](../role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the server connection creation and key generation APIs.                                                | Most commonly used for app server with Azure SignalR resource run in **Default** mode.                                                                                                             |
-| [SignalR Service Owner](../role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the server connection creation, and key/token generation APIs. | For negotiation server with Azure SignalR resource run in **Serverless** mode, as it requires both REST API permissions and authentication API permissions. |
-| [SignalR REST API Owner](../role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | For using [Azure SignalR Management SDK](/azure/azure-signalr/signalr-howto-use-management-sdk) to manage connections and groups, but does **NOT** make server connections or handle negotiation requests.                          |
-| [SignalR REST API Reader](../role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Use it when write a monitoring tool that calls readonly REST APIs.
+| [SignalR App Server](/azure/role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the server connection creation and key generation APIs.                                                | Most commonly used for app server with Azure SignalR resource run in **Default** mode.                                                                                                             |
+| [SignalR Service Owner](/azure/role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the server connection creation, and key/token generation APIs. | For negotiation server with Azure SignalR resource run in **Serverless** mode, as it requires both REST API permissions and authentication API permissions. |
+| [SignalR REST API Owner](/azure/role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | For using [Azure SignalR Management SDK](/azure/azure-signalr/signalr-howto-use-management-sdk) to manage connections and groups, but does **NOT** make server connections or handle negotiation requests.                          |
+| [SignalR REST API Reader](/azure/role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Use it when write a monitoring tool that calls readonly REST APIs.
 
 ## Next steps
 
-- To learn how to create an Azure application and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra applications](signalr-howto-authorize-application.md).
+- To learn how to create an Azure application and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra applications](./signalr-howto-authorize-application.md).
 
-- To learn how to configure a managed identity and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra managed identities](signalr-howto-authorize-managed-identity.md).
+- To learn how to configure a managed identity and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra managed identities](./signalr-howto-authorize-managed-identity.md).
 
-- To learn more about roles and role assignments, see [What is Azure role-based access control (Azure RBAC)?](../role-based-access-control/overview.md).
+- To learn more about roles and role assignments, see [What is Azure role-based access control (Azure RBAC)?](/azure/role-based-access-control/overview.md).
 
-- To learn how to create custom roles, see [Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role).
+- To learn how to create custom roles, see [Steps to create a custom role](/azure/role-based-access-control/custom-roles.md#steps-to-create-a-custom-role).
 
 - To learn how to use only Microsoft Entra authentication, see [Disable local authentication](./howto-disable-local-auth.md).
diff --git a/articles/azure-signalr/signalr-howto-authorize-managed-identity.md b/articles/azure-signalr/signalr-howto-authorize-managed-identity.md
@@ -62,6 +62,24 @@ services.AddSignalR().AddAzureSignalR(option =>
 });
 ```
 
+### Use multiple endpoints
+
+Credentials can be different for different endpoints.
+
+In this sample, the Azure SignalR SDK will connect to `resource1` with system-assigned managed identity and connect to `resource2` with user-assigned managed identity.
+
+```csharp
+services.AddSignalR().AddAzureSignalR(option =>
+{
+    option.Endpoints = new ServiceEndpoint[]
+    {
+        var clientId = "<your-user-assigned-identity-client-id>";
+        new ServiceEndpoint(new Uri("https://<resource1>.service.signalr.net"), new ManagedIdentityCredential()),
+        new ServiceEndpoint(new Uri("https://<resource2>.service.signalr.net"), new ManagedIdentityCredential(clientId)),
+    };
+});
+```
+
 
 ### Azure SignalR Service bindings in Azure Functions
 
