Merge pull request #102534 from cephalin/1617934

#1224892

Author: GitHubber17

articles/app-service/configure-authentication-provider-aad.md

@@ -24,29 +24,30 @@ Follow these best practices when setting up your app and authentication:
 ## <a name="express"> </a>Configure with express settings
 
 1. In the [Azure portal], search for and select **App Services**, and then select your app.
-1. In the left pane, under **Settings** select **Authentication / Authorization** and make sure that **App Service Authentication** is **On**.
-1. Select **Azure Active Directory**, and then under **Management Mode** select **Express**.
-1. Select **OK** to register the App Service app in Azure Active Directory. A new app registration is created.
+2. From the left navigation, select **Authentication / Authorization** > **On**.
+3. Select **Azure Active Directory** > **Express**.
 
    If you want to choose an existing app registration instead:
 
-   1. Choose **Select an existing app** and then search for the name of a previously created app registration within your tenant.
-   1. Select the app registration and then select **OK**.
-   1. Then select **OK** on the Azure Active Directory settings page.
+   1. Choose **Select Existing AD app**, then click **Azure AD App**.
+   2. Choose an existing app registration and click **OK**.
 
-   By default, App Service provides authentication but doesn't restrict authorized access to your site content and APIs. You must authorize users in your app code.
-1. (Optional) To restrict app access only to users authenticated by Azure Active Directory, set **Action to take when request is not authenticated** to **Log in with Azure Active Directory**. When you set this functionality, your app requires all requests to be authenticated. It also redirects all unauthenticated to Azure Active Directory for authentication.
+3. Select **OK** to register the App Service app in Azure Active Directory. A new app registration is created.
+   
+    ![Express settings in Azure Active Directory](./media/configure-authentication-provider-aad/express-settings.png)
+   
+4. (Optional) By default, App Service provides authentication but doesn't restrict authorized access to your site content and APIs. You must authorize users in your app code. To restrict app access only to users authenticated by Azure Active Directory, set **Action to take when request is not authenticated** to **Log in with Azure Active Directory**. When you set this functionality, your app requires all requests to be authenticated. It also redirects all unauthenticated to Azure Active Directory for authentication.
 
     > [!CAUTION]
     > Restricting access in this way applies to all calls to your app, which might not be desirable for apps that have a publicly available home page, as in many single-page applications. For such applications, **Allow anonymous requests (no action)** might be preferred, with the app manually starting login itself. For more information, see [Authentication flow](overview-authentication-authorization.md#authentication-flow).
-1. Select **Save**.
+5. Select **Save**.
 
 ## <a name="advanced"> </a>Configure with advanced settings
 
-You can configure app settings manually if you want to use an Azure AD tenant that's different from the one you use to sign in to Azure. To complete this custom configuration, you'll need to:
+You can configure app settings manually if you want to use an app registration from a different Azure AD tenant. To complete this custom configuration:
 
 1. Create a registration in Azure AD.
-1. Provide some of the registration details to App Service.
+2. Provide some of the registration details to App Service.
 
 ### <a name="register"> </a>Create an app registration in Azure AD for your App Service app
 
@@ -62,7 +63,7 @@ Perform the following steps:
 1. Sign in to the [Azure portal], search for and select **App Services**, and then select your app. Note your app's **URL**. You'll use it to configure your Azure Active Directory app registration.
 1. Select **Azure Active Directory** > **App registrations** > **New registration**.
 1. In the **Register an application** page, enter a **Name** for your app registration.
-1. In **Redirect URI**, select **Web** and enter the URL of your App Service app and append the path `/.auth/login/aad/callback`. For example, `https://contoso.azurewebsites.net/.auth/login/aad/callback`. 
+1. In **Redirect URI**, select **Web** and type `<app-url>/.auth/login/aad/callback`. For example, `https://contoso.azurewebsites.net/.auth/login/aad/callback`. 
 1. Select **Create**.
 1. After the app registration is created, copy the **Application (client) ID** and the **Directory (tenant) ID** for later.
 1. Select **Branding**. In **Home page URL**, enter the URL of your App Service app and select **Save**.
@@ -78,24 +79,22 @@ Perform the following steps:
 1. (Optional) To create a client secret, select **Certificates & secrets** > **New client secret** > **Add**. Copy the client secret value shown in the page. It won't be shown again.
 1. (Optional) To add multiple **Reply URLs**, select **Authentication**.
 
-### <a name="secrets"> </a>Add Azure Active Directory information to your App Service app
+### <a name="secrets"> </a>Enable Azure Active Directory in your App Service app
 
 1. In the [Azure portal], search for and select **App Services**, and then select your app. 
-1. In the left pane, under **Settings**, select **Authentication / Authorization** and make sure that **App Service Authentication** is **On**.
+1. In the left pane, under **Settings**, select **Authentication / Authorization** > **On**.
 1. (Optional) By default, App Service authentication allows unauthenticated access to your app. To enforce user authentication, set **Action to take when request is not authenticated** to **Log in with Azure Active Directory**.
-1. Under Authentication Providers, select **Azure Active Directory**.
+1. Under **Authentication Providers**, select **Azure Active Directory**.
 1. In **Management mode**, select **Advanced** and configure App Service authentication according to the following table:
 
     |Field|Description|
     |-|-|
     |Client ID| Use the **Application (client) ID** of the app registration. |
     |Issuer ID| Use `https://login.microsoftonline.com/<tenant-id>`, and replace *\<tenant-id>* with the **Directory (tenant) ID** of the app registration. |
     |Client Secret (Optional)| Use the client secret you generated in the app registration.|
-    |Allowed Token Audiences| If this is a cloud or server app and you want to allow authentication tokens from a web app, add the **Application ID URI** of the web app here. |
+    |Allowed Token Audiences| If this is a cloud or server app and you want to allow authentication tokens from a web app, add the **Application ID URI** of the web app here. The configured **Client ID** is *always* implicitly considered to be an allowed audience. |
 
-    > [!NOTE]
-    > The configured **Client ID** is *always* implicitly considered to be an allowed audience, regardless of how you configured the **Allowed Token Audiences**.
-1. Select **OK**, and then select **Save**.
+2. Select **OK**, and then select **Save**.
 
 You're now ready to use Azure Active Directory for authentication in your App Service app.
 
@@ -105,11 +104,11 @@ You can register native clients to allow authentication using a client library s
 
 1. In the [Azure portal], select **Active Directory** > **App registrations** > **New registration**.
 1. In the **Register an application** page, enter a **Name** for your app registration.
-1. In **Redirect URI**, select **Public client (mobile & desktop)** and enter the URL of your App Service app and append the path `/.auth/login/aad/callback`. For example, `https://contoso.azurewebsites.net/.auth/login/aad/callback`.
-1. Select **Create**.
+1. In **Redirect URI**, select **Public client (mobile & desktop)** and type the URL `<app-url>/.auth/login/aad/callback`. For example, `https://contoso.azurewebsites.net/.auth/login/aad/callback`.
 
     > [!NOTE]
     > For a Windows application, use the [package SID](../app-service-mobile/app-service-mobile-dotnet-how-to-use-client-library.md#package-sid) as the URI instead.
+1. Select **Create**.
 1. After the app registration is created, copy the value of **Application (client) ID**.
 1. Select **API permissions** > **Add a permission** > **My APIs**.
 1. Select the app registration you created earlier for your App Service app. If you don't see the app registration, make sure that you've added the **user_impersonation** scope in [Create an app registration in Azure AD for your App Service app](#register).
@@ -121,21 +120,6 @@ You have now configured a native client application that can access your App Ser
 
 [!INCLUDE [app-service-mobile-related-content-get-started-users](../../includes/app-service-mobile-related-content-get-started-users.md)]
 
-<!-- Images. -->
-
-[0]: ./media/app-service-mobile-how-to-configure-active-directory-authentication/app-service-webapp-url.png
-[1]: ./media/app-service-mobile-how-to-configure-active-directory-authentication/app-service-aad-app_registration.png
-[2]: ./media/app-service-mobile-how-to-configure-active-directory-authentication/app-service-aad-app-registration-create.png
-[3]: ./media/app-service-mobile-how-to-configure-active-directory-authentication/app-service-aad-app-registration-config-appidurl.png
-[4]: ./media/app-service-mobile-how-to-configure-active-directory-authentication/app-service-aad-app-registration-config-replyurl.png
-[5]: ./media/app-service-mobile-how-to-configure-active-directory-authentication/app-service-aad-endpoints.png
-[6]: ./media/app-service-mobile-how-to-configure-active-directory-authentication/app-service-aad-endpoints-fedmetadataxml.png
-[7]: ./media/app-service-mobile-how-to-configure-active-directory-authentication/app-service-webapp-auth.png
-[8]: ./media/configure-authentication-provider-aad/app-service-webapp-auth-config.png
-
-
-
 <!-- URLs. -->
 
 [Azure portal]: https://portal.azure.com/
-[alternative method]:#advanced