MicrosoftDocs
diff --git a/‎.openpublishing.publish.config.json
Lines changed: 1 addition & 0 deletions b/‎.openpublishing.publish.config.json
Lines changed: 1 addition & 0 deletions
diff --git a/‎articles/active-directory/develop/delegated-access-primer.md
Lines changed: 2 additions & 1 deletion b/‎articles/active-directory/develop/delegated-access-primer.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎articles/active-directory/develop/scenario-web-api-call-api-app-configuration.md
Lines changed: 23 additions & 26 deletions b/‎articles/active-directory/develop/scenario-web-api-call-api-app-configuration.md
Lines changed: 23 additions & 26 deletions
diff --git a/‎articles/active-directory/develop/workload-identity-federation-considerations.md
Lines changed: 0 additions & 1 deletion b/‎articles/active-directory/develop/workload-identity-federation-considerations.md
Lines changed: 0 additions & 1 deletion
diff --git a/‎articles/active-directory/fundamentals/active-directory-ops-guide-auth.md
Lines changed: 1 addition & 0 deletions b/‎articles/active-directory/fundamentals/active-directory-ops-guide-auth.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎articles/active-directory/fundamentals/service-accounts-governing-azure.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/fundamentals/service-accounts-governing-azure.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/governance/entitlement-management-catalog-create.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/governance/entitlement-management-catalog-create.md
Lines changed: 1 addition & 1 deletion
@@ -950,6 +950,7 @@
     "articles/iot-accelerators/.openpublishing.redirection.iot-accelerators.json",
     "articles/iot-develop/.openpublishing.redirection.iot-develop.json",
     "articles/iot-edge/.openpublishing.redirection.iot-edge.json",
+    "articles/iot-fundamentals/.openpublishing.redirection.iot-fundamentals.json",
     "articles/mariadb/.openpublishing.redirection.mariadb.json",
     "articles/marketplace/.openpublishing.redirection.marketplace.json",
     "articles/mysql/.openpublishing.redirection.mysql.json",
 
@@ -63,8 +63,9 @@ For client app authorization, OneDrive will check whether the client making the
 
 The example given is simplified to illustrate delegated authorization. The production OneDrive service supports many other access scenarios, such as shared files.
 
-## Next steps
+## See also
 
 - [Open connect scopes](scopes-oidc.md)
 - [RBAC roles](custom-rbac-for-developers.md)
+- [Overview of permissions in Microsoft Graph](/graph/permissions-overview)
 - [Microsoft Graph permissions reference](/graph/permissions-reference)
@@ -4,22 +4,19 @@ description: Learn how to build a web API that calls web APIs (app's code config
 services: active-directory
 author: jmprieur
 manager: CelesteDG
-
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 09/26/2020
+ms.date: 08/12/2022
 ms.author: jmprieur
 ms.custom: aaddev
 #Customer intent: As an application developer, I want to know how to write a web API that calls web APIs by using the Microsoft identity platform.
 ---
 
 # A web API that calls web APIs: Code configuration
 
-After you've registered your web API, you can configure the code for the application.
-
-The code that you use to configure your web API so that it calls downstream web APIs builds on top of the code that's used to protect a web API. For more information, see [Protected web API: App configuration](scenario-protected-web-api-app-configuration.md).
+Once registration for a Web API is complete, the application code can be configured. Configuring a web API to call a downstream web API builds on the code that's used in protecting a web API. For more information, see [Protected web API: App configuration](scenario-protected-web-api-app-configuration.md).
 
 # [ASP.NET Core](#tab/aspnetcore)
 
@@ -29,22 +26,21 @@ Microsoft recommends that you use the [Microsoft.Identity.Web](https://www.nuget
 
 ## Client secrets or client certificates
 
-Given that your web API now calls a downstream web API, provide a client secret or client certificate in the *appsettings.json* file. You can also add a section that specifies:
+Given that the web API now calls a downstream web API, a client secret or client certificate in *appsettings.json* can be used for authentication. A section can be added to specify:
 
 - The URL of the downstream web API
 - The scopes required for calling the API
 
 In the following example, the `GraphBeta` section specifies these settings.
 
-```JSON
+```json
 {
   "AzureAd": {
     "Instance": "https://login.microsoftonline.com/",
-    "ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
+    "ClientId": "Enter_the_Application_(client)_ID_here",
     "TenantId": "common",
-    
-    // To call an API
-    "ClientSecret": "[Copy the client secret added to the app from the Azure portal]",
+
+    "ClientSecret": "Enter_the_Application_Client_Secret_Value_here",
     "ClientCertificates": []
   },
   "GraphBeta": {
@@ -54,16 +50,15 @@ In the following example, the `GraphBeta` section specifies these settings.
 }
 ```
 
-Instead of a client secret, you can provide a client certificate. The following code snippet shows using a certificate stored in Azure Key Vault.
+Instead of a client secret, a client certificate can be provided. The following code snippet demonstrates a certificate stored in Azure Key Vault.
 
-```JSON
+```json
 {
   "AzureAd": {
     "Instance": "https://login.microsoftonline.com/",
-    "ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
+    "ClientId": "Enter_the_Application_(client)_ID_here",
     "TenantId": "common",
 
-    // To call an API
     "ClientCertificates": [
       {
         "SourceType": "KeyVault",
@@ -79,11 +74,13 @@ Instead of a client secret, you can provide a client certificate. The following
 }
 ```
 
-Microsoft.Identity.Web provides several ways to describe certificates, both by configuration or by code. For details, see [Microsoft.Identity.Web wiki - Using certificates](https://github.com/AzureAD/microsoft-identity-web/wiki/Using-certificates) on GitHub.
+*Microsoft.Identity.Web* provides several ways to describe certificates, both by configuration or by code. For details, see [Microsoft.Identity.Web wiki - Using certificates](https://github.com/AzureAD/microsoft-identity-web/wiki/Using-certificates).
 
 ## Program.cs
 
-Your web API will need to acquire a token for the downstream API. You specify it by adding the `.EnableTokenAcquisitionToCallDownstreamApi()` line after `.AddMicrosoftIdentityWebApi(Configuration)`. This line exposes the `ITokenAcquisition` service, that you can use in your controller/pages actions. However, as you'll see in the next two bullet points, you can do even simpler. You'll also need to choose a token cache implementation, for example `.AddInMemoryTokenCaches()`, in *Program.cs*. If you use ASP.NET Core 3.1 or 5.0 the code will be similar but in the *Startup.cs* file.
+A web API will need to acquire a token for the downstream API. Specify it by adding the `.EnableTokenAcquisitionToCallDownstreamApi()` line after `.AddMicrosoftIdentityWebApi(Configuration)`. This line exposes the `ITokenAcquisition` service that can be used in the controller/pages actions.
+
+However, an alternative method is to implement a token cache. For example, adding `.AddInMemoryTokenCaches()`, to *Program.cs* will allow the token to be cached in memory.
 
 ```csharp
 using Microsoft.Identity.Web;
@@ -96,14 +93,14 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 // ...
 ```
 
-If you don't want to acquire the token yourself, *Microsoft.Identity.Web* provides two mechanisms for calling a downstream web API from another API. The option you choose depends on whether you want to call Microsoft Graph or another API.
+*Microsoft.Identity.Web* provides two mechanisms for calling a downstream web API from another API. The option you choose depends on whether you want to call Microsoft Graph or another API.
 
 ### Option 1: Call Microsoft Graph
 
-If you want to call Microsoft Graph, Microsoft.Identity.Web enables you to directly use the `GraphServiceClient` (exposed by the Microsoft Graph SDK) in your API actions. To expose Microsoft Graph:
+To call Microsoft Graph, *Microsoft.Identity.Web* enables you to directly use the `GraphServiceClient` (exposed by the Microsoft Graph SDK) in the API actions. To expose Microsoft Graph:
 
-1. Add the [Microsoft.Identity.Web.MicrosoftGraph](https://www.nuget.org/packages/Microsoft.Identity.Web.MicrosoftGraph) NuGet package to your project.
-1. Add `.AddMicrosoftGraph()` after `.EnableTokenAcquisitionToCallDownstreamApi()` in the *Program.cs* file. `.AddMicrosoftGraph()` has several overrides. Using the override that takes a configuration section as a parameter, the code becomes:
+1. Add the [Microsoft.Identity.Web.MicrosoftGraph](https://www.nuget.org/packages/Microsoft.Identity.Web.MicrosoftGraph) NuGet package to the project.
+1. Add `.AddMicrosoftGraph()` after `.EnableTokenAcquisitionToCallDownstreamApi()` in *Program.cs*. `.AddMicrosoftGraph()` has several overrides. Using the override that takes a configuration section as a parameter, the code becomes:
 
 ```csharp
 using Microsoft.Identity.Web;
@@ -119,7 +116,7 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 
 ### Option 2: Call a downstream web API other than Microsoft Graph
 
-To call a downstream API other than Microsoft Graph, *Microsoft.Identity.Web* provides `.AddDownstreamWebApi()`, which requests tokens and calls the downstream web API.
+To call a downstream API other than Microsoft Graph, *Microsoft.Identity.Web* provides `.AddDownstreamWebApi()`, which requests tokens for the downstream API on behalf of the user.
 
 ```csharp
 using Microsoft.Identity.Web;
@@ -133,9 +130,9 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 // ...
 ```
 
-As with web apps, you can choose various token cache implementations. For details, see [Microsoft identity web - Token cache serialization](https://aka.ms/ms-id-web/token-cache-serialization) on GitHub.
-
-The following image shows the various possibilities of *Microsoft.Identity.Web* and their impact on the *Program.cs* file:
+Similar to web apps, various token cache implementations can be chosen. For details, see [Microsoft identity web - Token cache serialization](https://aka.ms/ms-id-web/token-cache-serialization) on GitHub.
+        
+The following image shows the possibilities of *Microsoft.Identity.Web* and the impact on *Program.cs*:
 
 :::image type="content" source="media/scenarios/microsoft-identity-web-startup-cs.svg" alt-text="Block diagram showing service configuration options in startup dot C S for calling a web API and specifying a token cache implementation":::
 
@@ -230,4 +227,4 @@ For more information about the OBO protocol, see the [Microsoft identity platfor
 ## Next steps
 
 Move on to the next article in this scenario,
-[Acquire a token for the app](scenario-web-api-call-api-acquire-token.md).
+[Acquire a token for the app](scenario-web-api-call-api-acquire-token.md).
@@ -45,7 +45,6 @@ The creation of federated identity credentials is available on user-assigned man
 - Brazil Southeast
 - East Asia
 - Southeast Asia
-- Switzerland West
 - South Africa West
 - Qatar Central
 - Australia Central
 
@@ -315,6 +315,7 @@ To avoid this scenario, you should refer to [detect and remediate illicit consen
 
 #### Consent grants recommended reading
 
+- [Overview of Microsoft Graph permissions](/graph/permissions-overview)
 - [Microsoft Graph API permissions](/graph/permissions-reference)
 
 ### User and group settings
 
@@ -61,7 +61,7 @@ We recommend the following practices for service account privileges.
 * [Use OAuth 2.0 scopes](../develop/v2-permissions-and-consent.md) to limit the functionality a service account can access on a resource.
 * Service principals and managed identities can use OAuth 2.0 scopes in either a delegated context that is impersonating a signed-on user, or as service account in the application context. In the application context no is signed-on.
 
-* Check the scopes service accounts request for resources to ensure they're appropriate. For example, if an account is requesting Files.ReadWrite.All, evaluate if it actually needs only File.Read.All. For more information on permissions, see to [Microsoft Graph permission reference](/graph/permissions-reference).
+* Check the scopes service accounts request for resources to ensure they're appropriate. For example, if an account is requesting Files.ReadWrite.All, evaluate if it actually needs only File.Read.All. For more information on permissions, see the [Overview of Microsoft Graph permissions](/graph/permissions-overview).
 
 * Ensure you trust the developer of the application or API with the access requested to your resources.
 
 
@@ -138,7 +138,7 @@ To require attributes for access requests:
 1. If you chose **Built-in**, select an attribute from the dropdown list. If you chose **Directory schema extension**, enter the attribute name in the text box.
 
     > [!NOTE]
-    > The User.mobilePhone attribute can be updated only for non-administrator users. Learn more at [this website](/graph/permissions-reference#remarks-5).
+    > The User.mobilePhone attribute is a sensitive property that can be updated only by some administrators. Learn more at [Who can update sensitive user attributes?](/graph/api/resources/users#who-can-update-sensitive-attributes).
 
 1.	Select the answer format you want requestors to use for their answer. Answer formats include **short text**, **multiple choice**, and **long text**.