update signalr msi docs

terencefan · web-flow · commit 44431d65ce1c · 2025-03-15T02:01:17.000+08:00
diff --git a/articles/azure-signalr/includes/signalr-add-role-assignments.md b/articles/azure-signalr/includes/signalr-add-role-assignments.md
@@ -0,0 +1,50 @@
+---
+title: include file
+description: include file
+author: terencefan
+ms.service: azure-signalr-service
+ms.topic: include
+ms.date: 03/12/2025
+ms.author: tefa
+ms.custom: include file
+---
+
+The following steps describe how to assign a SignalR App Server role to a service principal (application) over an Azure SignalR Service resource. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.yml).
+
+> [!NOTE]
+> A role can be assigned to any scope, including management group, subscription, resource group, or single resource. To learn more about scope, see [Understand scope for Azure RBAC](../role-based-access-control/scope-overview.md).
+
+1. In the [Azure portal](https://portal.azure.com/), go to your Azure SignalR Service resource.
+
+1. Select **Access control (IAM)**.
+
+1. Select **Add** > **Add role assignment**.
+
+   :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows the page for access control and selections for adding a role assignment.":::
+
+1. On the **Role** tab, select **SignalR App Server** or other SignalR built-in roles depends on your scenario.
+
+   | Role                                                                                              | Description                                                                                               | Use case                                                                                                                                     |
+   | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+   | [SignalR App Server](../role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the server connection creation and key generation APIs.                                                | Most commonly used for app server with Azure SignalR resource run in **Default** mode.                                                                                                             |
+   | [SignalR Service Owner](../role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the server connection creation, and key/token generation APIs. | For negotiation server with Azure SignalR resource run in **Serverless** mode, as it requires both REST API permissions and authentication API permissions. |
+   | [SignalR REST API Owner](../role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | For using [Azure SignalR Management SDK](/azure/azure-signalr/signalr-howto-use-management-sdk) to manage connections and groups, but does **NOT** make server connections or handle negotiation requests.                          |
+   | [SignalR REST API Reader](../role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Use it when write a monitoring tool that calls readonly REST APIs.                                      |
+
+
+1. On the **Members** tab, select **User, group, or service principal**, and then choose **Select members**.
+
+1. Search for and select the application to which you want to assign the role.
+
+1. On the **Review + assign** tab, select **Review + assign** to assign the role.
+
+> [!IMPORTANT]
+> Azure role assignments might take up to 30 minutes to propagate.
+
+To learn more about how to assign and manage Azure roles, see these articles:
+
+- [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.yml)
+- [Assign Azure roles using the REST API](../role-based-access-control/role-assignments-rest.md)
+- [Assign Azure roles using Azure PowerShell](../role-based-access-control/role-assignments-powershell.md)
+- [Assign Azure roles using the Azure CLI](../role-based-access-control/role-assignments-cli.md)
+- [Assign Azure roles using Azure Resource Manager templates](../role-based-access-control/role-assignments-template.md)
diff --git a/articles/azure-signalr/signalr-concept-authorize-azure-active-directory.md b/articles/azure-signalr/signalr-concept-authorize-azure-active-directory.md
@@ -50,7 +50,7 @@ Microsoft Entra ID authorizes access rights to secured resources through [Azure
 
 ### Resource scope
 
-You might have to determine the scope of access that the security principal should have before you assign any Azure RBAC role to a security principal. We recommend that you grant only the narrowest possible scope. Azure RBAC roles defined at a broader scope are inherited by the resources beneath them.
+Before assigning Azure RBAC roles to a security principal, it’s essential to define the appropriate scope of access they should have. We advise granting the most limited scope necessary to minimize unnecessary permissions. Keep in mind that Azure RBAC roles assigned at a higher or broader scope are automatically inherited by the resources nested within that scope.
 
 You can scope access to Azure SignalR Service resources at the following levels, beginning with the narrowest scope.
 
@@ -65,10 +65,10 @@ You can scope access to Azure SignalR Service resources at the following levels,
 
 | Role                                                                                              | Description                                                                                               | Use case                                                                                                                                     |
 | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
-| [SignalR App Server](../role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the WebSocket connection creation API and authentication APIs.                                                | Most commonly used for an app server.                                                                                                             |
-| [SignalR Service Owner](../role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the WebSocket connection creation API, and authentication APIs. | Use for *serverless mode* for authorization with Microsoft Entra ID, because it requires both REST API permissions and authentication API permissions. |
-| [SignalR REST API Owner](../role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | Often used to write a tool that manages connections and groups, but does *not* make connections or call authentication APIs.                          |
-| [SignalR REST API Reader](../role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Commonly used to write a monitoring tool that calls *only* Azure SignalR Service data-plane read-only REST APIs.                                      |
+| [SignalR App Server](../role-based-access-control/built-in-roles.md#signalr-app-server)           | Access to the server connection creation and key generation APIs.                                                | Most commonly used for app server with Azure SignalR resource run in **Default** mode.                                                                                                             |
+| [SignalR Service Owner](../role-based-access-control/built-in-roles.md#signalr-service-owner)     | Full access to all data-plane APIs, including REST APIs, the server connection creation, and key/token generation APIs. | For negotiation server with Azure SignalR resource run in **Serverless** mode, as it requires both REST API permissions and authentication API permissions. |
+| [SignalR REST API Owner](../role-based-access-control/built-in-roles.md#signalr-rest-api-owner)   | Full access to data-plane REST APIs.                                                                      | For using [Azure SignalR Management SDK](/azure/azure-signalr/signalr-howto-use-management-sdk) to manage connections and groups, but does **NOT** make server connections or handle negotiation requests.                          |
+| [SignalR REST API Reader](../role-based-access-control/built-in-roles.md#signalr-rest-api-reader) | Read-only access to data-plane REST APIs.                                                                 | Use it when write a monitoring tool that calls readonly REST APIs.
 
 ## Next steps
 
diff --git a/articles/azure-signalr/signalr-howto-authorize-application.md b/articles/azure-signalr/signalr-howto-authorize-application.md
@@ -12,7 +12,7 @@ ms.custom: subject-rbac-steps
 
 # Authorize requests to Azure SignalR Service resources with Microsoft Entra applications
 
-Azure SignalR Service supports Microsoft Entra ID for authorizing requests from [Microsoft Entra applications](/entra/identity-platform/app-objects-and-service-principals).
+Azure SignalR Service supports Microsoft Entra ID for authorizing requests with [Microsoft Entra applications](/entra/identity-platform/app-objects-and-service-principals).
 
 This article shows how to configure your Azure SignalR Service resource and codes to authorize requests to the resource from a Microsoft Entra application.
 
@@ -35,42 +35,15 @@ After registering an app, you can add **certificates, client secrets (a string),
 
 ## Add role assignments in the Azure portal
 
-The following steps describe how to assign a SignalR App Server role to a service principal (application) over an Azure SignalR Service resource. For detailed steps, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.yml).
+[!INCLUDE [add role assignments](includes/signalr-add-role-assignments.md)]
 
-> [!NOTE]
-> A role can be assigned to any scope, including management group, subscription, resource group, or single resource. To learn more about scope, see [Understand scope for Azure RBAC](../role-based-access-control/scope-overview.md).
-
-1. In the [Azure portal](https://portal.azure.com/), go to your Azure SignalR Service resource.
-
-1. Select **Access control (IAM)**.
-
-1. Select **Add** > **Add role assignment**.
-
-   :::image type="content" source="~/reusable-content/ce-skilling/azure/media/role-based-access-control/add-role-assignment-menu-generic.png" alt-text="Screenshot that shows the page for access control and selections for adding a role assignment.":::
-
-1. On the **Role** tab, select **SignalR App Server**.
-
-1. On the **Members** tab, select **User, group, or service principal**, and then choose **Select members**.
-
-1. Search for and select the application to which you want to assign the role.
-
-1. On the **Review + assign** tab, select **Review + assign** to assign the role.
-
-> [!IMPORTANT]
-> Azure role assignments might take up to 30 minutes to propagate.
-
-To learn more about how to assign and manage Azure roles, see these articles:
-
-- [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.yml)
-- [Assign Azure roles using the REST API](../role-based-access-control/role-assignments-rest.md)
-- [Assign Azure roles using Azure PowerShell](../role-based-access-control/role-assignments-powershell.md)
-- [Assign Azure roles using the Azure CLI](../role-based-access-control/role-assignments-cli.md)
-- [Assign Azure roles using Azure Resource Manager templates](../role-based-access-control/role-assignments-template.md)
-
-## Microsoft.Azure.SignalR app server SDK for C#
+## Configure Microsoft.Azure.SignalR app server SDK for C#
 
 [Azure SignalR server SDK for C#](https://github.com/Azure/azure-signalr)
 
+The Azure SignalR server SDK leverages the [Azure.Identity library](/dotnet/api/overview/azure/identity-readme) to generate tokens for connecting to resources.
+Click to explore detailed usages.
+
 ### Use Microsoft Entra application with certificate
 ```csharp
 services.AddSignalR().AddAzureSignalR(option =>
diff --git a/articles/azure-signalr/signalr-howto-authorize-managed-identity.md b/articles/azure-signalr/signalr-howto-authorize-managed-identity.md
