123

terencefan · web-flow · commit 397564a27e2d · 2025-03-15T04:34:04.000+08:00
diff --git a/articles/azure-signalr/includes/signalr-add-role-assignments.md b/articles/azure-signalr/includes/signalr-add-role-assignments.md
@@ -9,7 +9,7 @@ ms.author: tefa
 ms.custom: include file
 ---
 
-The following steps describe how to assign a **SignalR App Server** role to a service principal or a managed identity for an Azure SignalR Service resource. For detailed steps, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal.yml).
+The following steps describe how to assign a **SignalR App Server** role to a service principal or a managed identity for an Azure SignalR Service resource. For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.yml).
 
 > [!NOTE]
 > A role can be assigned to any scope, including management group, subscription, resource group, or single resource. To learn more about scope, see [Understand scope for Azure RBAC](../role-based-access-control/scope-overview.md).
@@ -20,16 +20,16 @@ The following steps describe how to assign a **SignalR App Server** role to a se
 
 1. Select **Add** > **Add role assignment**.
 
-   :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows the page for access control and selections for adding a role assignment.":::
+   :::image type="content" source="~/reusable-content/ce-skilling../../media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows the page for access control and selections for adding a role assignment.":::
 
 1. On the **Role** tab, select **SignalR App Server** or other SignalR built-in roles depends on your scenario.
 
    | Role                                                                                              | Description                                                                                               | Use case                                                                                                                                     |
    | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
-   | [SignalR App Server](/azure/role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the server connection creation and key generation APIs.                                                | Most commonly used for app server with Azure SignalR resource run in **Default** mode.                                                                                                             |
-   | [SignalR Service Owner](/azure/role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the server connection creation, and key/token generation APIs. | For negotiation server with Azure SignalR resource run in **Serverless** mode, as it requires both REST API permissions and authentication API permissions. |
-   | [SignalR REST API Owner](/azure/role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | For using [Azure SignalR Management SDK](/azure/azure-signalr/signalr-howto-use-management-sdk) to manage connections and groups, but does **NOT** make server connections or handle negotiation requests.                          |
-   | [SignalR REST API Reader](/azure/role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Use it when write a monitoring tool that calls readonly REST APIs.                                      |
+   | [SignalR App Server](../../role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the server connection creation and key generation APIs.                                                | Most commonly used for app server with Azure SignalR resource run in **Default** mode.                                                                                                             |
+   | [SignalR Service Owner](../../role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the server connection creation, and key/token generation APIs. | For negotiation server with Azure SignalR resource run in **Serverless** mode, as it requires both REST API permissions and authentication API permissions. |
+   | [SignalR REST API Owner](../../role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | For using [Azure SignalR Management SDK](/azure/azure-signalr/signalr-howto-use-management-sdk) to manage connections and groups, but does **NOT** make server connections or handle negotiation requests.                          |
+   | [SignalR REST API Reader](../../role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Use it when write a monitoring tool that calls readonly REST APIs.                                      |
 
 1. click Next.
 
@@ -52,8 +52,8 @@ The following steps describe how to assign a **SignalR App Server** role to a se
 
 To learn more about how to assign and manage Azure roles, see these articles:
 
-- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal.yml)
-- [Assign Azure roles using the REST API](/azure/role-based-access-control/role-assignments-rest.md)
-- [Assign Azure roles using Azure PowerShell](/azure/role-based-access-control/role-assignments-powershell.md)
-- [Assign Azure roles using the Azure CLI](/azure/role-based-access-control/role-assignments-cli.md)
-- [Assign Azure roles using Azure Resource Manager templates](/azure/role-based-access-control/role-assignments-template.md)
+- [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.yml)
+- [Assign Azure roles using the REST API](../../role-based-access-control/role-assignments-rest.md)
+- [Assign Azure roles using Azure PowerShell](../../role-based-access-control/role-assignments-powershell.md)
+- [Assign Azure roles using the Azure CLI](../../role-based-access-control/role-assignments-cli.md)
+- [Assign Azure roles using Azure Resource Manager templates](../../role-based-access-control/role-assignments-template.md)
diff --git a/articles/azure-signalr/signalr-concept-authorize-azure-active-directory.md b/articles/azure-signalr/signalr-concept-authorize-azure-active-directory.md
@@ -50,6 +50,14 @@ In some cases, your server and your Azure SignalR resource may not in the same t
 
 A [Multi-tenant applications](/entra/identity-platform/single-and-multi-tenant-apps#best-practices-for-multitenant-apps) could help you in this scenario.
 
+If you've already registered a single-tenant app, see [convert your single-tenant app to multitenant](/entra/identity-platform/howto-convert-app-to-be-multi-tenant).
+
+Once you have registered the multi-tenant application in your `tenantA`, you should provision it as an enterprise application in your `tenantB`.
+
+[Create an enterprise application from a multitenant application in Microsoft Entra ID](/entra/identity/enterprise-apps/create-service-principal-cross-tenant?pivots=msgraph-powershell)
+
+The application registered in your `tenantA` and the enterprise application provisioned in your `tenantB` share the same Application (client) id.
+
 ## Assign Azure roles for access rights
 
 Microsoft Entra ID authorizes access rights to secured resources through [Azure RBAC](../role-based-access-control/overview.md). Azure SignalR Service defines a set of Azure built-in roles that encompass common sets of permissions for accessing Azure SignalR Service resources. You can also define custom roles for access to Azure SignalR Service resources.
@@ -71,19 +79,19 @@ You can scope access to Azure SignalR Service resources at the following levels,
 
 | Role                                                                                              | Description                                                                                               | Use case                                                                                                                                     |
 | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
-| [SignalR App Server](/azure/role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the server connection creation and key generation APIs.                                                | Most commonly used for app server with Azure SignalR resource run in **Default** mode.                                                                                                             |
-| [SignalR Service Owner](/azure/role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the server connection creation, and key/token generation APIs. | For negotiation server with Azure SignalR resource run in **Serverless** mode, as it requires both REST API permissions and authentication API permissions. |
-| [SignalR REST API Owner](/azure/role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | For using [Azure SignalR Management SDK](/azure/azure-signalr/signalr-howto-use-management-sdk) to manage connections and groups, but does **NOT** make server connections or handle negotiation requests.                          |
-| [SignalR REST API Reader](/azure/role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Use it when write a monitoring tool that calls readonly REST APIs.
+| [SignalR App Server](../role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the server connection creation and key generation APIs.                                                | Most commonly used for app server with Azure SignalR resource run in **Default** mode.                                                                                                             |
+| [SignalR Service Owner](../role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the server connection creation, and key/token generation APIs. | For negotiation server with Azure SignalR resource run in **Serverless** mode, as it requires both REST API permissions and authentication API permissions. |
+| [SignalR REST API Owner](../role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | For using [Azure SignalR Management SDK](./signalr-howto-use-management-sdk) to manage connections and groups, but does **NOT** make server connections or handle negotiation requests.                          |
+| [SignalR REST API Reader](../role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Use it when write a monitoring tool that calls readonly REST APIs.
 
 ## Next steps
 
 - To learn how to create an Azure application and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra applications](./signalr-howto-authorize-application.md).
 
 - To learn how to configure a managed identity and use Microsoft Entra authorization, see [Authorize requests to Azure SignalR Service resources with Microsoft Entra managed identities](./signalr-howto-authorize-managed-identity.md).
 
-- To learn more about roles and role assignments, see [What is Azure role-based access control (Azure RBAC)?](/azure/role-based-access-control/overview.md).
+- To learn more about roles and role assignments, see [What is Azure role-based access control (Azure RBAC)?](../role-based-access-control/overview.md).
 
-- To learn how to create custom roles, see [Steps to create a custom role](/azure/role-based-access-control/custom-roles.md#steps-to-create-a-custom-role).
+- To learn how to create custom roles, see [Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role).
 
 - To learn how to use only Microsoft Entra authentication, see [Disable local authentication](./howto-disable-local-auth.md).
diff --git a/articles/azure-signalr/signalr-howto-authorize-application.md b/articles/azure-signalr/signalr-howto-authorize-application.md
@@ -44,6 +44,9 @@ After registering an app, you can add **certificates, client secrets (a string),
 The Azure SignalR server SDK leverages the [Azure.Identity library](/dotnet/api/overview/azure/identity-readme) to generate tokens for connecting to resources.
 Click to explore detailed usages.
 
+> [!NOTE]
+> The tenantId must match the tenantId of the tenant where your SignalR resource is in.
+
 ### Use Microsoft Entra application with certificate
 ```csharp
 services.AddSignalR().AddAzureSignalR(option =>
@@ -71,9 +74,12 @@ services.AddSignalR().AddAzureSignalR(option =>
 
 ### Use Microsoft Entra application with Federated identity
 
+In the case of your organization disabled the usage of client secret/certificate, you can configure the application to trust a managed identity for authentication.
+
+To learn more about it, see [Configure an application to trust a managed identity (preview)](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity).
+
 > [!NOTE]
 > Configure an application to trust a managed identity is a preview feature. 
-> To learn more about it, see [Configure an application to trust a managed identity (preview)](/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity).
 
 ```csharp
 services.AddSignalR().AddAzureSignalR(option =>
@@ -90,11 +96,15 @@ services.AddSignalR().AddAzureSignalR(option =>
     });
 
     option.Endpoints = [
-      new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
+        new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
     ];
 });
 ```
 
+This credential will use the user-assigned managed identity to generate a `clientAssertion` and use it to exchange for a `clientToken` for authentication.
+
+The `appClientId` and `tenantId` should be the enterprise application that you provisioned in the tenant of SignalR resource.
+
 ### Use multiple endpoints
 
 Credentials can be different for different endpoints.
@@ -115,6 +125,8 @@ services.AddSignalR().AddAzureSignalR(option =>
 });
 ```
 
+More sample can be found in this [Sample link](https://github.com/Azure/azure-signalr/blob/dev/samples/ChatSample/ChatSample/Startup.cs)
+
 ## Azure SignalR Service bindings in Azure Functions
 
 Azure SignalR Service bindings in Azure Functions use [application settings](../azure-functions/functions-how-to-use-azure-function-app-settings.md) in the portal or [local.settings.json](../azure-functions/functions-develop-local.md#local-settings-file) locally to configure Microsoft Entra application identities to access your Azure SignalR Service resources.
diff --git a/articles/azure-signalr/signalr-howto-authorize-managed-identity.md b/articles/azure-signalr/signalr-howto-authorize-managed-identity.md
@@ -62,6 +62,8 @@ services.AddSignalR().AddAzureSignalR(option =>
 });
 ```
 
+More sample can be found in this [Sample link](https://github.com/Azure/azure-signalr/blob/dev/samples/ChatSample/ChatSample/Startup.cs)
+
 ### Use multiple endpoints
 
 Credentials can be different for different endpoints.
