update signalr howto-authorize-application

Author: terencefan

articles/azure-signalr/signalr-howto-authorize-application.md

@@ -10,54 +10,28 @@ ms.devlang: csharp
 ms.custom: subject-rbac-steps
 ---
 
-# Authorize requests to Azure SignalR Service resources with Microsoft Entra applications
+# Authorize requests to Azure SignalR Service resources with Azure applications
 
-Azure SignalR Service supports Microsoft Entra ID for authorizing requests from [Microsoft Entra applications](../active-directory/develop/app-objects-and-service-principals.md).
+Azure SignalR Service supports Microsoft Entra ID for authorizing requests from [Microsoft Entra applications](../entra/identity-platform/app-objects-and-service-principals.md).
 
 This article shows how to configure your Azure SignalR Service resource and codes to authorize requests to the resource from a Microsoft Entra application.
 
-## Register an application
+## Register an application in Microsoft Entra ID
 
-The first step is to register a Microsoft Entra application:
-
-1. In the [Azure portal](https://portal.azure.com/), search for and select **Microsoft Entra ID**.
-2. Under **Manage**, select **App registrations**.
-3. Select **New registration**. The **Register an application** pane opens.
-
-   ![Screenshot of the pane for registering an application.](./media/signalr-howto-authorize-application/register-an-application.png)
-5. For **Name**, enter a display name for your application.
-6. Select **Register** to confirm the registration.
+The first step is to [Register an application in Microsoft Entra ID](../entra/identity-platform/quickstart-register-app?tabs=certificate%2Cexpose-a-web-api):
 
 After you register your application, you can find the **Application (client) ID** and **Directory (tenant) ID** values on the application's overview page. These GUIDs can be useful in the following steps.
 
 ![Screenshot of overview information for a registered application.](./media/signalr-howto-authorize-application/application-overview.png)
 
-To learn more about registering an application, see [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md).
-
 ## Add credentials
 
-You can add both certificates and client secrets (a string) as credentials to your confidential client app registration.
-
-### Client secret
-
-The application requires a client secret to prove its identity when it's requesting a token. To create a client secret, follow these steps:
-
-1. Under **Manage**, select **Certificates & secrets**.
-1. On the **Client secrets** tab, select **New client secret**.
-
-   ![Screenshot of selections for creating a client secret.](./media/signalr-howto-authorize-application/new-client-secret.png)
-1. Enter a description for the client secret, and choose an expiration time.
-1. Copy the value of the client secret and then paste it in a secure location.
-   > [!NOTE]
-   > The secret appears only once.
+After registering an app, you can add **certificates, client secrets (a string), or federated identity credentials** as credentials to your confidential client app registration. Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime, and are used by confidential client applications that access a web API.
 
-### Certificate
+- [Add a certificate](../entra/identity-platform/quickstart-register-app?tabs=certificate%2Cexpose-a-web-api)
+- [Add a client secret](../entra/identity-platform/quickstart-register-app?tabs=client-secret%2Cexpose-a-web-api)
+- [Add a federated credential](../entra/identity-platform/quickstart-register-app?tabs=federated-credential%2Cexpose-a-web-api)
 
-You can upload a certificate instead of creating a client secret.
-
-![Screenshot of selections for uploading a certificate.](./media/signalr-howto-authorize-application/upload-certificate.png)
-
-To learn more about adding credentials, see [Add credentials](../active-directory/develop/quickstart-register-app.md#add-credentials).
 
 ## Add role assignments in the Azure portal
 
@@ -93,58 +67,72 @@ To learn more about how to assign and manage Azure roles, see these articles:
 - [Assign Azure roles using the Azure CLI](../role-based-access-control/role-assignments-cli.md)
 - [Assign Azure roles using Azure Resource Manager templates](../role-based-access-control/role-assignments-template.md)
 
-## Configure your app
+## Microsoft.Azure.SignalR app server SDK for C#
 
-### App server
+[Azure SignalR server SDK for C#](https://github.com/Azure/azure-signalr)
 
-The best practice is to configure identity and credentials in your environment variables:
+### Use Microsoft Entra application with certificate
+```csharp
+services.AddSignalR().AddAzureSignalR(option =>
+{
+    var credential = new ClientCertificateCredential("tenantId", "clientId", "path-to-cert");
 
-| Variable                        | Description                                                                                                     |
-| ------------------------------- | --------------------------------------------------------------------------------------------------------------- |
-| `AZURE_TENANT_ID`               | The Microsoft Entra tenant ID.                                                                                  |
-| `AZURE_CLIENT_ID`               | The client (application) ID of an app registration in the tenant.                                                |
-| `AZURE_CLIENT_SECRET`           | A client secret that was generated for the app registration.                                                    |
-| `AZURE_CLIENT_CERTIFICATE_PATH` | A path to a certificate and private key pair in PEM or PFX format, which can authenticate the app registration. |
-| `AZURE_USERNAME`                | The username, also known as User Principal Name (UPN), of a Microsoft Entra user account.                                            |
-| `AZURE_PASSWORD`                | The password of the Microsoft Entra user account. A password isn't supported for accounts with multifactor authentication enabled.       |
+    option.Endpoints = [
+      new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
+    ];
+});
+```
 
-You can use either [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) or [EnvironmentCredential](/dotnet/api/azure.identity.environmentcredential) to configure your Azure SignalR Service endpoints. Here's the code for `DefaultAzureCredential`:
+### Use Microsoft Entra application with client secret
 
-```C#
+```csharp
 services.AddSignalR().AddAzureSignalR(option =>
 {
-    option.Endpoints = new ServiceEndpoint[]
-    {
-        new ServiceEndpoint(new Uri("https://<resource-name>.service.signalr.net"), new DefaultAzureCredential())
-    };
+    var credential = new ClientSecretCredential("tenantId", "clientId", "clientSecret");
+
+    option.Endpoints = [
+      new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
+    ];
 });
 ```
 
-Here's the code for `EnvironmentCredential`:
+### Use Microsoft Entra application with Federated identity
 
-```C#
+> [!NOTE]
+> Configure an application to trust a managed identity is a preview feature. 
+> To learn more about it, see [Configure an application to trust a managed identity (preview)](../entra/workload-id/workload-identity-federation-config-app-trust-managed-identity).
+
+```csharp
 services.AddSignalR().AddAzureSignalR(option =>
 {
-    option.Endpoints = new ServiceEndpoint[]
+    var msiCredential = new ManagedIdentityCredential("msiClientId");
+
+    var credential = new ClientAssertionCredential("tenantId", "appClientId", async (ctoken) =>
     {
-        new ServiceEndpoint(new Uri("https://<resource-name>.service.signalr.net"), new EnvironmentCredential())
-    };
+        // Entra ID US Government: api://AzureADTokenExchangeUSGov
+        // Entra ID China operated by 21Vianet: api://AzureADTokenExchangeChina
+        var request = new TokenRequestContext([$"api://AzureADTokenExchange/.default"]);
+        var response = await msiCredential.GetTokenAsync(request, ctoken).ConfigureAwait(false);
+        return response.Token;
+    });
+
+    option.Endpoints = [
+      new ServiceEndpoint(new Uri(), "https://<resource>.service.signalr.net"), credential);
+    ];
 });
 ```
 
-To learn how `DefaultAzureCredential` works, see [DefaultAzureCredential class](/dotnet/api/overview/azure/identity-readme#defaultazurecredential).
-
-#### Use endpoint-specific credentials
+### Use multiple endpoints
 
-In your organization, you might want to use different credentials for different endpoints.
+Credentials can be different for different endpoints.
 
-In this scenario, you can use [ClientSecretCredential](/dotnet/api/azure.identity.clientsecretcredential) or [ClientCertificateCredential](/dotnet/api/azure.identity.clientcertificatecredential):
+In this sample, the Azure SignalR SDK will connect to `resource1` with client secret and connect to `resource2` with certificate.
 
 ```csharp
 services.AddSignalR().AddAzureSignalR(option =>
 {
     var credential1 = new ClientSecretCredential("tenantId", "clientId", "clientSecret");
-    var credential2 = new ClientCertificateCredential("tenantId", "clientId", "pathToCert");
+    var credential2 = new ClientCertificateCredential("tenantId", "clientId", "path-to-cert");
 
     option.Endpoints = new ServiceEndpoint[]
     {
@@ -154,7 +142,7 @@ services.AddSignalR().AddAzureSignalR(option =>
 });
 ```
 
-### Azure SignalR Service bindings in Azure Functions
+## Azure SignalR Service bindings in Azure Functions
 
 Azure SignalR Service bindings in Azure Functions use [application settings](../azure-functions/functions-how-to-use-azure-function-app-settings.md) in the portal or [local.settings.json](../azure-functions/functions-develop-local.md#local-settings-file) locally to configure Microsoft Entra application identities to access your Azure SignalR Service resources.