Update auth section

Author: anthonychu

articles/container-apps/sessions.md

@@ -95,11 +95,11 @@ Example strategies include:
 > [!IMPORTANT]
 > Failure to secure access to sessions may result in misuse or unauthorized access to data stored in your users' sessions.
 
-### Authentication
+### <a name="authentication"></a>Authentication and authorization
 
-When you send HTTP requests to a session, authentication is handled using Microsoft Entra (formerly Azure Active Directory) tokens. Valid Microsoft Entra tokens are generated by an identity belonging to the *Azure ContainerApps Session Executor* role on the session pool.
+When you send HTTP requests to a session, authentication is handled using Microsoft Entra (formerly Azure Active Directory) tokens. Only Microsoft Entra tokens from an identity belonging to the *Azure ContainerApps Session Executor* role on the session pool are authorized to call the pool management API.
 
-To assign the roles to an identity, use the following Azure CLI commands:
+To assign the role to an identity, use the following Azure CLI command:
 
 ```bash
 az role assignment create \
@@ -178,7 +178,7 @@ access_token = token.token
 ---
 
 > [!IMPORTANT]
-> A valid token can be used to create and access any session in the pool. Keep your tokens secure and don't share them with untrusted parties. End users should access sessions through your application, not directly.
+> A valid token can be used to create and access any session in the pool. Keep your tokens secure and don't share them with untrusted parties. End users should access sessions through your application, not directly. They should never have access to the tokens used to authenticate requests to the session pool.
 
 #### Lifecycle