edits

Author: ktoliver

articles/azure-web-pubsub/howto-authorize-from-application.md

@@ -12,7 +12,7 @@ ms.topic: conceptual
 
 Azure Web PubSub supports Microsoft Entra ID for authorizing requests from [applications](../active-directory/develop/app-objects-and-service-principals.md).
 
-This article shows you how to configure your Web PubSub resource and code to authorize the request to a Web PubSub resource from an Azure application.
+This article shows you how to configure your Web PubSub resource and code to authorize a request to a Web PubSub resource from an Azure application.
 
 ## Register an application
 
@@ -21,11 +21,10 @@ The first step is to register an Azure application.
 1. In the [Azure portal](https://portal.azure.com/), search for and then select **Microsoft Entra ID**
 1. On the left menu under **Manage**, select **App registrations**.
 1. Select **New registration**.
-
-    :::image type="content" source="media/howto-authorize-from-application/register-an-application.png" alt-text="Screenshot that shows registering an application.":::
-
 1. For **Name**, enter a name to use for your application.
-1. Select **Register** to confirm the register.
+1. Select **Register** to confirm the application registration.
+
+:::image type="content" source="media/howto-authorize-from-application/register-an-application.png" alt-text="Screenshot that shows registering an application.":::
 
 When your application is registered, go to the application overview to view the values for **Application (client) ID** and **Directory (tenant) ID**. You use these values in the following sections.
 
@@ -37,6 +36,8 @@ For more information about registering an application, see the quickstart [Regis
 
 You can add both certificates and client secrets (a string) as credentials to your confidential client app registration.
 
+For more information about adding credentials, see [Add credentials](../active-directory/develop/quickstart-register-app.md#add-credentials).
+
 ### Add a client secret
 
 The application requires a client secret for a client to prove its identity when it requests a token.
@@ -48,34 +49,32 @@ To create a client secret:
 
    :::image type="content" source="media/howto-authorize-from-application/new-client-secret.png" alt-text="Screenshot that shows creating a client secret.":::
 
-1. Enter a description for the client secret, and then choose an expire time for the secret.
+1. Enter a description for the client secret, and then choose an **Expires** time for the secret.
 1. Copy the value of the client secret, and then paste it to a secure location to save for later use.
 
    > [!NOTE]
    > The secret is visible only when you create the secret. You can't view the client secret in the portal later.
 
 ### Add a certificate
 
-You can also upload a certificate instead of creating a client secret.
+You can upload a certificate instead of creating a client secret.
 
 :::image type="content" source="media/howto-authorize-from-application/upload-certificate.png" alt-text="Screenshot that shows uploading a certificate.":::
 
-For more information about adding credentials, see [Add credentials](../active-directory/develop/quickstart-register-app.md#add-credentials).
-
 ## Add a role assignment in the Azure portal
 
 This section demonstrates how to assign a Web PubSub Service Owner role to a service principal (application) for a Web PubSub resource.
 
 > [!NOTE]
-> You can assign a role to any scope, including management group, subscription, resource group, and single resource. For more information about scope, see [Understand scope for Azure RBAC](../role-based-access-control/scope-overview.md).
+> You can assign a role to any scope, including management group, subscription, resource group, and single resource. For more information about scope, see [Understand scope for Azure role-based access control](../role-based-access-control/scope-overview.md).
 
 1. In the [Azure portal](https://portal.azure.com/), go to your Web PubSub resource.
 
-1. On the left menu, select **Access control (IAM)** to display access control settings for your Web PubSub resource.
+1. On the left menu, select **Access control (IAM)** to display access control settings for the resource.
 
 1. Select the **Role assignments** tab and view the role assignments at this scope.
 
-   The following screenshot shows an example of the Access control (IAM) pane for a Web PubSub resource:
+   The following figure shows an example of the **Access control (IAM)** pane for a Web PubSub resource:
 
    :::image type="content" source="media/howto-authorize-from-application/access-control.png" alt-text="Screenshot that shows an example of the Access control (IAM) pane.":::
 
@@ -89,9 +88,9 @@ This section demonstrates how to assign a Web PubSub Service Owner role to a ser
 
 1. Select the **Members** tab. Under **Assign access to**, select **User, group, or service principal**.
 
-1. Choose **Select Members**
+1. Choose **Select members**.
 
-1. Search for and select the application that you want to assign the role to.
+1. Search for and select the application to assign the role to.
 
 1. Choose **Select** to confirm the selection.
 
@@ -118,7 +117,7 @@ To learn more about how to assign and manage Azure role assignments, see these a
 
 1. For **Method**, select **GET**.
 
-1. For **URI**, enter `https://login.microsoftonline.com/<TENANT ID>/oauth2/token`. Replace `<TENANT ID>` with the value for **Directory (tenant) ID** on the **Overview** tab of the application you created.
+1. For **URI**, enter `https://login.microsoftonline.com/<TENANT ID>/oauth2/token`. Replace `<TENANT ID>` with the value for **Directory (tenant) ID** on the **Overview** pane of the application you created.
 
 1. Select the **Headers** tab, and then add the following keys and values:
 
@@ -132,8 +131,8 @@ To learn more about how to assign and manage Azure role assignments, see these a
 1. Under **Key**, add the following keys and values:
 
    1. Select **grant_type**, and then select the value **client_credentials**.
-   1. Select **client_id**, and then paste the value of **Application (client) ID** from the **Overview** tab of the application you created.
-   1. Select **client_secret**, and then paste the value of client secret you saved.
+   1. Select **client_id**, and then paste the value of **Application (client) ID** from the **Overview** pane of the application you created.
+   1. Select **client_secret**, and then paste the value of the client secret you saved.
    1. Select **resource**, and then enter `https://webpubsub.azure.com` for the value.
 
    :::image type="content" source="media/howto-authorize-from-application/get-azure-ad-token-using-postman-body.png" alt-text="Screenshot that shows the Body tab parameters when you use Postman to get the token.":::

articles/azure-web-pubsub/howto-client-certificate.md

@@ -25,7 +25,7 @@ You can restrict access to your instance of Azure Web PubSub by turning on diffe
 
 ## Deploy Web PubSub
 
-In this example, you use a function called `func-client-cert` as an event handler to process `connect` events. Clients connect to a hub called `echo`. Here are the Bicep and Azure Resource Manager templates you use to deploy an Azure Web PubSub service with client certificate authentication enabled and event handlers configured.
+In this example, you use a function called `func-client-cert` as an event handler to process `connect` events. Clients connect to a hub called `echo`. The next sections have Bicep and Azure Resource Manager templates that you can use to deploy an Azure Web PubSub service with client certificate authentication enabled and event handlers configured.
 
 The templates enable client certificate authentication via the property `tls.clientCertEnabled`.
 
@@ -140,9 +140,9 @@ resource hub 'Microsoft.SignalRService/WebPubSub/hubs@2023-03-01-preview' = {
 
 ## Validate a client certificate in an event handler
 
-You can validate an incoming client certificate via its SHA-1 thumbprint in the `connect` event. The value is available in `clientCertificates` field. For more information, see [CloudEvents HTTP extension for event handler](reference-cloud-events.md#connect).
+You can validate an incoming client certificate via its SHA-1 thumbprint in the `connect` event. The value is available in `clientCertificates`. For more information, see [CloudEvents HTTP extension for event handler](reference-cloud-events.md#connect).
 
-The following code samples have function codes that you can use to implement validation logic.
+The following code sample has function code that you can use to implement validation logic.
 
 ### JavaScript
 
@@ -174,15 +174,15 @@ module.exports = async function (context, req) {
 }
 ```
 
-## Certificate rotation
+## Rotate the certificate
 
 If you want to rotate the certificate, you can update your event handler code to accept multiple thumbprints.
 
-## Missing client certificate
+## Handle a missing client certificate
 
 Azure Web PubSub doesn't abort a TLS handshake when a client doesn't provide a client certificate. It's up to the event handler to decide whether to accept or reject a connection without a client certificate.
 
 ## Related content
 
-* [How to configure event handler](howto-develop-eventhandler.md)
+* [How to configure an event handler](howto-develop-eventhandler.md)
 * [Golang sample](https://github.com/Azure/azure-webpubsub/blob/main/samples/golang/clientWithCert/Readme.md)

articles/azure-web-pubsub/howto-custom-domain.md

@@ -201,17 +201,17 @@ $ curl -vvv https://contoso.example.com/api/health
 
 The Health API should return a `200` status code without any certificate errors.
 
-## Private network key vault
+## Configure a private network key vault
 
 If you configure a [private endpoint](../private-link/private-endpoint-overview.md) to your key vault, Web PubSub can't access the key vault by using a public network. You must set up a [shared private endpoint](./howto-secure-shared-private-endpoints-key-vault.md) to give Web PubSub access to your key vault via a private network.
 
 After you create a shared private endpoint, you can create a custom certificate as usual. You *don't have to change the domain in the key vault URI*. For example, if your key vault base URI is `https://contoso.vault.azure.net`, continue to use this URI to configure a custom certificate.
 
 You don't have to explicitly allow Web PubSub IP addresses in your key vault firewall settings. For more information, see [Key vault private link diagnostics](/azure/key-vault/general/private-link-diagnostics).
 
-## Certificate rotation
+## Rotate the certificate
 
-If you don't specify a secret version when you create a custom certificate, Web PubSub periodically checks for the latest version in the key vault. When a new version is detected, it's automatically applied. The delay is usually within an hour.
+If you don't specify a secret version when you create a custom certificate, Web PubSub periodically checks for the latest version in the key vault. When a new version is detected, it's automatically applied. The delay is typically less than an hour.
 
 Alternatively, you can pin a custom certificate to a specific secret version in your key vault. When you need to apply a new certificate, you can edit the secret version, and then update the custom certificate proactively.
 

articles/azure-web-pubsub/howto-secure-network-access-control.md

@@ -23,11 +23,11 @@ The next sections describe your two options to control access to your Web PubSub
 - Deny all requests that originate in a public endpoint.
 - Allow only client connections from a public network.
 
-### Deny all public traffic
+## Deny all public traffic
 
 To completely deny all public traffic, first configure the public network rule to allow no request type. Then, configure rules that grant access to traffic from specific virtual networks. This configuration enables you to build a secure network boundary for your applications.
 
-### Allow only client connections from a public network
+## Allow only client connections from a public network
 
 In this scenario, you configure the public network rule to allow only client connections from a public network. You can then configure private network rules to allow other types of requests that originate from a specific virtual network. This configuration hides your app servers on a public network and establishes secure connections between your app servers and Azure Web PubSub.
 

articles/azure-web-pubsub/howto-secure-rotate-access-key.md

@@ -1,5 +1,5 @@
 ---
-title: Rotate access keys for Azure Web PubSub
+title: Rotate access keys
 description: Learn how and when to rotate Azure Web PubSub access keys by regenerating one key at a time.
 author: yjin81
 ms.author: yajin1
@@ -30,18 +30,16 @@ In some scenarios, Azure Web PubSub might enforce a mandatory access key rotatio
 
 1. Go to the Web PubSub instance that has keys you want to rotate.
 
-1. On the resource menu, select **Keys**.
+1. On the left menu, select **Keys**.
 
-1. Select **Regenerate Primary Key** or **Regenerate Secondary Key**.
-
-   A new key and a corresponding connection string are created. You manage them in your Web PubSub instance.
+1. Select **Regenerate Primary Key** or **Regenerate Secondary Key**. A new key and a corresponding connection string are created. You manage them in your Web PubSub instance.
 
 When the Azure Web PubSub service becomes generally available, you can also regenerate a key by using the Azure CLI.
 
 ## Update configurations with the new connection string
 
 1. Copy the new connection string.
 
-1. Update all configurations to use the new connection string.
+1. Update all existing configurations to use the new connection string.
 
 1. Close the application, and then reopen it.

articles/azure-web-pubsub/howto-secure-shared-private-endpoints.md

@@ -20,7 +20,7 @@ This article shows you how to configure your Web PubSub resource to send upstrea
 
 This outbound method is subject to the following requirements:
 
-- The network endpoint must be deployed by using Azure App Service or Azure Functions.
+- The upstream endpoint must be deployed by using Azure App Service or Azure Functions.
 - The Web PubSub resource must be on the Standard tier or the Premium tier.
 - An Azure App Service or an Azure Functions resource must be created by choosing a specific tier to create the resource. For more information, see [Use private endpoints for Azure Web App](../app-service/networking/private-endpoint.md).
 

articles/azure-web-pubsub/howto-use-managed-identity.md

@@ -1,5 +1,5 @@
 ---
-title: Use a managed identity in Azure Web PubSub
+title: Use a managed identity
 description: Learn how managed identities work in Azure Web PubSub and how to use a managed identity in a serverless scenario.
 author: vicancy
 ms.service: azure-web-pubsub
@@ -8,7 +8,7 @@ ms.date: 08/16/2024
 ms.author: lianwei
 ---
 
-# Use a managed identity in Azure Web PubSub
+# Use a managed identity
 
 This article shows you how to create and use a managed identity for Azure Web PubSub.
 
@@ -51,7 +51,7 @@ Azure Web PubSub is a fully managed service, so you can't use a managed identity
 
 1. Add a system-assigned identity or a user-assigned identity.
 
-1. Go to **Configure hub settings** and add or edit an event handler for the network.
+1. Go to **Configure hub settings** and add or edit an upstream event handler.
 
    :::image type="content" source="media/howto-use-managed-identity/msi-settings.png" alt-text="Screenshot that shows settings to use on the Configure hub settings pane.":::