Merge pull request #275631 from rwike77/quickstartupdate

Update quickstart for External ID

Author: JamesJBarnett

articles/app-service/configure-authentication-oauth-tokens.md

@@ -18,7 +18,7 @@ From your server code, the provider-specific tokens are injected into the reques
 
 | Provider | Header names |
 |-|-|
-| Microsoft Entra ID | `X-MS-TOKEN-AAD-ID-TOKEN` <br/> `X-MS-TOKEN-AAD-ACCESS-TOKEN` <br/> `X-MS-TOKEN-AAD-EXPIRES-ON`  <br/> `X-MS-TOKEN-AAD-REFRESH-TOKEN` |
+| Microsoft Entra | `X-MS-TOKEN-AAD-ID-TOKEN` <br/> `X-MS-TOKEN-AAD-ACCESS-TOKEN` <br/> `X-MS-TOKEN-AAD-EXPIRES-ON`  <br/> `X-MS-TOKEN-AAD-REFRESH-TOKEN` |
 | Facebook Token | `X-MS-TOKEN-FACEBOOK-ACCESS-TOKEN` <br/> `X-MS-TOKEN-FACEBOOK-EXPIRES-ON` |
 | Google | `X-MS-TOKEN-GOOGLE-ID-TOKEN` <br/> `X-MS-TOKEN-GOOGLE-ACCESS-TOKEN` <br/> `X-MS-TOKEN-GOOGLE-EXPIRES-ON` <br/> `X-MS-TOKEN-GOOGLE-REFRESH-TOKEN` |
 | Twitter | `X-MS-TOKEN-TWITTER-ACCESS-TOKEN` <br/> `X-MS-TOKEN-TWITTER-ACCESS-TOKEN-SECRET` |
@@ -34,7 +34,7 @@ From your client code (such as a mobile app or in-browser JavaScript), send an H
 
 ## Refresh auth tokens
 
-When your provider's access token (not the [session token](#extend-session-token-expiration-grace-period)) expires, you need to reauthenticate the user before you use that token again. You can avoid token expiration by making a `GET` call to the `/.auth/refresh` endpoint of your application. When called, App Service automatically refreshes the access tokens in the [token store](overview-authentication-authorization.md#token-store) for the authenticated user. Subsequent requests for tokens by your app code get the refreshed tokens. However, for token refresh to work, the token store must contain [refresh tokens](https://auth0.com/learn/refresh-tokens/) for your provider. The way to get refresh tokens are documented by each provider, but the following list is a brief summary:
+When your provider's access token (not the [session token](#extend-session-token-expiration-grace-period)) expires, you need to reauthenticate the user before you use that token again. You can avoid token expiration by making a `GET` call to the `/.auth/refresh` endpoint of your application. When called, App Service automatically refreshes the access tokens in the [token store](overview-authentication-authorization.md#token-store) for the authenticated user. Subsequent requests for tokens by your app code get the refreshed tokens. However, for token refresh to work, the token store must contain [refresh tokens](/entra/identity-platform/refresh-tokens) for your provider. The way to get refresh tokens are documented by each provider, but the following list is a brief summary:
 
 - **Google**: Append an `access_type=offline` query string parameter to your `/.auth/login/google` API call. For more information, see [Google Refresh Tokens](https://developers.google.com/identity/protocols/OpenIDConnect#refresh-tokens).
 - **Facebook**: Doesn't provide refresh tokens. Long-lived tokens expire in 60 days (see [Facebook Expiration and Extension of Access Tokens](https://developers.facebook.com/docs/facebook-login/access-tokens/expiration-and-extension)).

articles/app-service/configure-authentication-provider-aad.md

@@ -23,7 +23,7 @@ For all language frameworks, App Service makes the claims in the incoming token
 | `X-MS-CLIENT-PRINCIPAL-NAME` | A human-readable name for the caller set by the identity provider, e.g. Email Address, User Principal Name.   |
 | `X-MS-CLIENT-PRINCIPAL-IDP`  | The name of the identity provider used by App Service Authentication. |
 
-Provider tokens are also exposed through similar headers. For example, the Microsoft Identity Provider also sets `X-MS-TOKEN-AAD-ACCESS-TOKEN` and `X-MS-TOKEN-AAD-ID-TOKEN` as appropriate.
+Provider tokens are also exposed through similar headers. For example, Microsoft Entra also sets `X-MS-TOKEN-AAD-ACCESS-TOKEN` and `X-MS-TOKEN-AAD-ID-TOKEN` as appropriate.
 
 > [!NOTE]
 > Different language frameworks may present these headers to the app code in different formats, such as lowercase or title case.

articles/app-service/configure-authentication-user-identities.md

@@ -15,7 +15,7 @@ ms.subservice: web-apps
 #Customer intent: As an application developer, I want to learn how to access Azure Storage for an app using managed identities.
 ---
 
-If you completed all the steps in this multipart tutorial, you created an app service, app service hosting plan, and a storage account in a resource group. You also created an app registration in Microsoft Entra ID. When no longer needed, delete these resources and app registration so that you don't continue to accrue charges.
+If you completed all the steps in this multipart tutorial, you created an App Service, App Service hosting plan, and a storage account in a resource group. You also created an app registration in Microsoft Entra ID. If you chose external configuration, you may have created a new external tenant.  When no longer needed, delete these resources and app registration so that you don't continue to accrue charges.
 
 In this tutorial, you learn how to:
 
@@ -25,7 +25,7 @@ In this tutorial, you learn how to:
 
 ### Delete the resource group
 
-In the [Azure portal](https://portal.azure.com), select **Resource groups** from the portal menu and select the resource group that contains your app service and app service plan.
+In the [Azure portal](https://portal.azure.com), select **Resource groups** from the portal menu and select the resource group that contains your App Service and App Service plan.
 
 Select **Delete resource group** to delete the resource group and all the resources.
 
@@ -40,3 +40,13 @@ In the [Microsoft Entra admin center](https://entra.microsoft.com), select **App
 
 In the app registration overview, select **Delete**.
 :::image type="content" alt-text="Screenshot that shows deleting the app registration." source="../media/scenario-secure-app-clean-up-resources/delete-app-registration.png":::
+
+### Delete the external tenant
+
+If you created a new external tenant, you can [delete it](/entra/external-id/customers/how-to-delete-external-tenant-portal).  In to the [Microsoft Entra admin center](https://entra.microsoft.com), browse to **Identity** > **Overview** > **Manage tenants**.
+
+Select the tenant you want to delete, and then select **Delete**.
+
+You might need to complete required actions before you can delete the tenant. For example, you might need to delete all user flows and app registrations in the tenant. 
+
+If you're ready to delete the tenant, select **Delete**.

articles/app-service/includes/scenario-secure-app-clean-up-resources.md

@@ -7,7 +7,7 @@ manager: CelesteDG
 
 ms.service: app-service
 ms.topic: include
-ms.date: 03/12/2024
+ms.date: 05/16/2024
 ms.author: ryanwi
 ms.reviewer: stsoneff
 ms.custom: azureday1
@@ -55,11 +55,20 @@ Now that you have a web app running on App Service, enable authentication and au
 
 1. For **App registration** > **App registration type**, select **Create new app registration** to create a new app registration in Microsoft Entra.
 
-1. Add a **Name** for the app registration, a public facing display name.
+1. Enter a display **Name** for your application. Users of your application might see the display name when they use the app, for example during sign-in.
 
 1. For **App registration** > **Supported account types**, select **Current tenant-single tenant** so only users in your organization can sign in to the web app.
 
-1. In the **App Service authentication settings** section, leave **Authentication** set to **Require authentication** and **Unauthenticated requests** set to **HTTP 302 Found redirect: recommended for websites**.
+1. In the **Additional checks** section, select:
+
+    - **Allow requests only from this application itself** for **Client application requirement**
+    - **Allow requests from any identity** for **Identity requirement**
+    - **Allow requests only from the issuer tenant** for **Tenant requirement** 
+
+1. In the **App Service authentication settings** section, set:
+    - **Require authentication** for **Authentication**
+    - **HTTP 302 Found redirect: recommended for websites** for **Unauthenticated requests**
+    - **Token store** box
 
 1. At the bottom of the **Add an identity provider** page, select **Add** to enable authentication for your web app.
 
@@ -85,11 +94,17 @@ Now that you have a web app running on App Service, enable authentication and au
 
 1. For **Tenant type**, select **External configuration** for external users.
 
-1. Select **Create new app registration** to create a new app registration and select the [customer (external) tenant](/entra/external-id/customers/quickstart-tenant-setup) you want to use.
+1. Select **Create new app registration** to create a new app registration.
 
-1. Select **Configure** to configure external authentication.
+1. Select an existing tenant to use from the drop-down, or select **Create new** to create a new [external tenant](/entra/external-id/customers/quickstart-tenant-setup).
+
+    :::image type="content" alt-text="Screenshot that shows the Select a tenent dropdown." source="../../media/scenario-secure-app-authentication-app-service/configure-authentication-external-select.png":::
 
-    :::image type="content" alt-text="Screenshot that shows the Add an identity provider page." source="../../media/scenario-secure-app-authentication-app-service/configure-authentication-external.png":::
+1. (Optional) In the **Create a tenant** page, add the *Tenant Name** and **Domain Name**.  Select a **Location** and select **Review and create** and then **Create**.
+
+    :::image type="content" alt-text="Screenshot the Create a tenant page." source="../../media/scenario-secure-app-authentication-app-service/configure-authentication-external-create-tenant.png":::
+
+1. Select **Configure** to configure external authentication.
 
 1. The browser opens **Configure customer authentication**.  In **Setup sign-in**, select **Create new** to create a sign-in experience for your external users.
 
@@ -105,15 +120,15 @@ Now that you have a web app running on App Service, enable authentication and au
 
 1. Add your company logo, select a background color, and select a sign-in layout.
 
-    :::image type="content" alt-text="Screenshot that shows the customize branding tab." source="../../media/scenario-secure-app-authentication-app-service/configure-authentication-branding.png":::
+    :::image type="content" alt-text="Screenshot that shows the customized branding tab." source="../../media/scenario-secure-app-authentication-app-service/configure-authentication-branding.png":::
 
-1. Select **Next** and **Yes, update the changes** to accept the branding changes.
+1. Select **Next**.  If the tenant you selected already has a branding configuration you will need to confirm that you want to override it.
 
-1. Select **Configure** in the **Review** tab to confirm External ID (CIAM) tenant update. 
+1. Select **Configure** in the **Review** tab to confirm external tenant update. 
 
-1. The browser opens **Add an identity provider**.
+1. The browser returns to the **Add an identity provider** page.
 
-1. In the **App Service authentication settings** section, select:
+1. In the **Additional checks** section, select:
 
     - **Allow requests only from this application itself** for **Client application requirement**
     - **Allow requests from any identity** for **Identity requirement**
@@ -131,9 +146,9 @@ Now that you have a web app running on App Service, enable authentication and au
 
 ## 4. Verify limited access to the web app
 
-When you enabled the App Service authentication/authorization module in the previous section, an app registration was created in your workforce or customer (external) tenant. The app registration has the same display name as your web app. 
+When you enabled the App Service authentication/authorization module in the previous section, an app registration was created in your workforce or external tenant. The app registration has the display name you created in a previous step. 
 
-1. To check the settings, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](/entra/identity/role-based-access-control/permissions-reference#application-developer).  If necessary, use the **Settings** icon  in the top menu to switch to the customer (external) tenant with your web app from the **Directories** + **subscriptions** menu.   When you are in the correct tenant:
+1. To check the settings, sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](/entra/identity/role-based-access-control/permissions-reference#application-developer).  If you chose external configuration, use the **Settings** icon  in the top menu to switch to the external tenant with your web app from the **Directories** + **subscriptions** menu.   When you are in the correct tenant:
 
 1. Browse to **Identity** > **Applications** > **App registrations** and select **Applications** > **App registrations** from the menu. 
 1. Select the app registration that was created. 

articles/app-service/includes/tutorial-set-up-app-service-authentication/after.md

@@ -31,7 +31,7 @@ App Service uses [federated identity](https://en.wikipedia.org/wiki/Federated_id
 
 | Provider | Sign-in endpoint | How-To guidance |
 | - | - | - |
-| [Microsoft identity platform](../active-directory/fundamentals/active-directory-whatis.md) | `/.auth/login/aad` | [App Service Microsoft identity platform login](configure-authentication-provider-aad.md) |
+| [Microsoft Entra](/entra/index) | `/.auth/login/aad` | [App Service Microsoft Entra platform login](configure-authentication-provider-aad.md) |
 | [Facebook](https://developers.facebook.com/docs/facebook-login) | `/.auth/login/facebook` | [App Service Facebook login](configure-authentication-provider-facebook.md) |
 | [Google](https://developers.google.com/identity/choose-auth) | `/.auth/login/google` | [App Service Google login](configure-authentication-provider-google.md) |
 | [Twitter](https://developer.twitter.com/en/docs/basics/authentication) | `/.auth/login/twitter` | [App Service Twitter login](configure-authentication-provider-twitter.md) |