
Commit 030266b

Merge pull request #113757 from spelluru/egridauth0504-2
more updates
2 parents 61aecdd + 3e8fe15 commit 030266b

1 file changed

+6
-6
lines changed

articles/event-grid/security-authentication.md

Lines changed: 6 additions & 6 deletions
@@ -81,15 +81,15 @@ The following sections describe how to authenticate event delivery to webhook en
8181
### Using Azure Active Directory (Azure AD)
8282
You can secure your webhook endpoint by using Azure Active Directory (Azure AD) to authenticate and authorize Event Grid to deliver events to your endpoints. You'll need to create an Azure AD Application, create a role and service principle in your application authorizing Event Grid, and configure the event subscription to use the Azure AD Application. [Learn how to configure Azure Active Directory with Event Grid](secure-webhook-delivery.md).
8383

84-
### Using query parameters for the URL
85-
You can secure your webhook endpoint by adding query parameters to the webhook URL when creating an Event Subscription. Set one of these query parameters to be a secret such as an [access token](https://en.wikipedia.org/wiki/Access_token). The webhook can use the secret to recognize the event is coming from Event Grid with valid permissions. Event Grid will include these query parameters in every event delivery to the webhook.
84+
### Using client secret as a query parameter
85+
You can secure your webhook endpoint by adding query parameters to the webhook URL when creating an Event Subscription. Set one of these query parameters to be a client secret such as an [access token](https://en.wikipedia.org/wiki/Access_token) or a shared secret. The webhook can use the secret to recognize the event is coming from Event Grid with valid permissions. Event Grid will include these query parameters in every event delivery to the webhook. If the client secret is updated, event subscription also needs to be updated. To avoid delivery failures during this secret rotation, make the webhook accept both old and new secrets for a limited duration.
8686

87-
When editing the Event Subscription, the query parameters aren't displayed or returned unless the [--include-full-endpoint-url](https://docs.microsoft.com/cli/azure/eventgrid/event-subscription?view=azure-cli-latest#az-eventgrid-event-subscription-show) parameter is used in Azure [CLI](https://docs.microsoft.com/cli/azure?view=azure-cli-latest).
87+
As query parameters could contain client secrets, they are handled with extra care. They are stored as encrypted and not accessible to service operators. They are not logged as part of the service logs/traces. When editing the Event Subscription, the query parameters aren't displayed or returned unless the [--include-full-endpoint-url](https://docs.microsoft.com/cli/azure/eventgrid/event-subscription?view=azure-cli-latest#az-eventgrid-event-subscription-show) parameter is used in Azure [CLI](https://docs.microsoft.com/cli/azure?view=azure-cli-latest).
8888

89-
Finally, it's important to note that Azure Event Grid only supports HTTPS webhook endpoints.
89+
For more information on delivering events to webhooks, see [Webhook event delivery](webhook-event-delivery.md)
9090

91-
> [!NOTE]
92-
> For more information on delivering events to webhooks, see [Webhook event delivery](webhook-event-delivery.md)
91+
> [!IMPORTANT]
92+
Azure Event Grid only supports **HTTPS** webhook endpoints.
9393

9494
## Next steps
9595
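
Review bot: At added line 92, `Azure Event Grid only supports **HTTPS** webhook endpoints.` has lost the `> ` prefix that the removed NOTE body carried, so the `> [!IMPORTANT]` marker on line 91 is left without a body and the HTTPS requirement falls outside the callout; prefix line 92 with `> `. The new paragraph at line 87 describes how Event Grid itself stores and logs the query parameters but is silent on the receiving side: consider adding that the webhook's own access logs, and any proxy or gateway in front of it, typically record the query string, so the secret needs the same handling there. Smaller points: in the rotation sentence at line 85, "event subscription also needs to be updated" should read "the event subscription also needs to be updated"; line 89 is missing its closing period; and the unchanged line 82 still says "service principle" where "service principal" is meant, which is worth fixing while this section is being touched.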
