
Commit 56b0f19

nickludwig and iambmelt authored
revise in accordance with comments
Co-authored-by: Brian Melton-Grace <[email protected]>
1 parent 1ca6a93 commit 56b0f19

1 file changed

+1
-1
lines changed

articles/active-directory/develop/access-tokens.md

Lines changed: 1 addition & 1 deletion
@@ -271,7 +271,7 @@ Your application's business logic will dictate this step, some common authorizat
271271

272272
* Use the `scp` claim to validate that the user has granted the calling app permission to call your API.
273273
* Ensure the calling client is allowed to call your API using the `appid` claim (for v1.0 tokens) or the `azp` claim (for v2.0 tokens).
274-
* You only need to validate these claims if you want your web API to be called by pre-determined applications. For instance, line-of-business applications or web API's called by well-known frontends should validate `appid`/`azp`, but ISV web API's which are called directly by customers should not.
274+
* You only need to validate these claims (`appid`, `azp`) if you want to restrict your web API to be called only by pre-determined applications (e.g., line-of-business applications or web APIs called by well-known frontends). APIs intended to allow access from any calling application do not need to validate these claims.
275275

276276

277277
## User and application tokens
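
Review bot: On the added line 274, the closing sentence "APIs intended to allow access from any calling application do not need to validate these claims" can be read as saying no caller-related check is needed at all; consider noting that the `scp` validation described on line 272 still applies when `appid`/`azp` are not checked. The phrasing "restrict your web API to be called only by pre-determined applications" is also awkward, and the parenthetical examples describe kinds of APIs although they directly follow "pre-determined applications"; something like "restrict which applications can call your web API" with the examples attached to "web API" would read more clearly.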
