edits

Author: ktoliver

articles/azure-web-pubsub/howto-client-certificate.md

@@ -11,7 +11,7 @@ ms.author: dayshen
 
 # Enable client certificate authentication for Azure Web PubSub (Preview)
 
-You can restrict access to your instance of Azure Web PubSub by enabling different types of authentication for it. One way to do it is to request a client certificate and validate the certificate in event handlers. This mechanism is called *client certificate authentication* or *Transport Layer Security (TLS) mutual authentication*. This article shows you how to set up your Web PubSub instance to use client certificate authentication.
+You can restrict access to your instance of Azure Web PubSub by enabling different types of authentication for it. One authentication method is to request a client certificate and validate the certificate in event handlers. This mechanism is called *client certificate authentication* or *Transport Layer Security (TLS) mutual authentication*. This article shows you how to set up your Web PubSub instance to use client certificate authentication.
 
 > [!NOTE]
 > Enabling client certificate authentication in a browser scenario generally is not recommended. Different browsers have different behaviors when they process a client certificate request, and you have little control in a JavaScript application. If you want to enable client certificate authentication, we recommend that you use it in scenarios in which you have strong control over TLS settings. An example is in a native application.

articles/azure-web-pubsub/howto-develop-eventhandler.md

@@ -46,7 +46,7 @@ Note URL domain name should not contain parameter syntax, for example, `http://{
 |--|--|--|--|
 | Hub parameter | `{hub}` | The value is the hub that the client connects to. | When a client connects to `client/hubs/chat`, a URL template `http://host.com/api/{hub}` evaluates to `http://host.com/api/chat` because for this client, hub is `chat`. |
 | Event parameter | `{event}` | The value of the triggered event. `event` values are listed [here](#events).The event value for abuse protection requests is `validate` as explained [here](#upstream-and-validation). | If there is a URL template `http://host.com/api/{hub}/{event}` configured for event `connect`, When a client connects to `client/hubs/chat`, Web PubSub initiates a POST request to the evaluated URL `http://host.com/api/chat/connect` when the client is connecting, since for this client event, hub is `chat` and the event triggering this event handler setting is `connect`.  |
-| KeyVault reference parameter | `{@Microsoft.KeyVault(SecretUri=<secretUri>)}` | The **SecretUri** should be the full data-plane URI of a secret in the vault, optionally including a version, e.g., `https://myvault.vault.azure.net/secrets/mysecret/` or `https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931`. When using KeyVault reference, you also need to configure the authentication between your Web PubSub service and your KeyVault service, check [here](howto-use-managed-identity.md#use-a-managed-identity-for-key-vault-reference) for detailed steps. | `@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)` |
+| KeyVault reference parameter | `{@Microsoft.KeyVault(SecretUri=<secretUri>)}` | The **SecretUri** should be the full data-plane URI of a secret in the vault, optionally including a version, e.g., `https://myvault.vault.azure.net/secrets/mysecret/` or `https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931`. When using KeyVault reference, you also need to configure the authentication between your Web PubSub service and your KeyVault service, check [here](howto-use-managed-identity.md#use-a-managed-identity-for-a-key-vault-reference) for detailed steps. | `@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)` |
 
 ### Authentication between service and webhook
 

articles/azure-web-pubsub/howto-disable-local-auth.md

@@ -35,7 +35,7 @@ To disable local authentication by using the Azure portal:
 
 ![Screenshot that shows disabling local authentication.](./media/howto-disable-local-auth/disable-local-auth.png)
 
-## Use a Azure Resource Manager template
+## Use an Azure Resource Manager template
 
 You can disable local authentication by setting `disableLocalAuth` property to `true` as shown in the following Azure Resource Manager template:
 

articles/azure-web-pubsub/howto-secure-network-access-control.md

@@ -12,7 +12,7 @@ ms.date: 08/16/2024
 
 Azure Web PubSub enables you to secure and control the level of access to your service endpoint, based on the request type and subset of networks used. When network rules are configured, only applications that request data over the specified set of networks can access your Web PubSub resource.
 
-Azure Web PubSub service has a public endpoint that is accessible through the internet. You can also create a [private endpoint for your Web PubSub resource](howto-secure-private-endpoints.md). A private endpoint assigns a private IP address from your virtual network to the Web PubSub resource. It also secures all traffic between your virtual network and the Web PubSub resource over a private link. The Web PubSub network access control provides access control for both a public endpoint and for private endpoints.
+Azure Web PubSub has a public endpoint that is accessible through the internet. You can also create a [private endpoint for your Web PubSub resource](howto-secure-private-endpoints.md). A private endpoint assigns a private IP address from your virtual network to the Web PubSub resource. It also secures all traffic between your virtual network and the Web PubSub resource over a private link. The Web PubSub network access control provides access control for both a public endpoint and for private endpoints.
 
 Optionally, you can choose to allow or deny certain types of requests for a public endpoint and for each private endpoint.
 
@@ -43,7 +43,7 @@ You can manage network access control for Azure Web PubSub by using the Azure po
 
 1. To edit a public network rule, under **Public network**, select allowed types of requests.
 
-    :::image type="content" source="./media/howto-secure-network-access-control/portal-public-network.png" alt-text="Edit s public network ACL in the Azure portal.":::
+    :::image type="content" source="./media/howto-secure-network-access-control/portal-public-network.png" alt-text="Edit a public network access control list in the Azure portal.":::
 
 1. To edit private endpoint network rules, under **Private endpoint connections**, select the allowed types of requests in each row.
 

articles/azure-web-pubsub/howto-secure-shared-private-endpoints-key-vault.md

@@ -183,7 +183,7 @@ When `properties.provisioningState` is `Succeeded` and `properties.status` (conn
 
 -----
 
-Now you can configure features like a custom domain as you typically would. You don't have to use a special domain for your key vault. Web PubSub automatically handles DNS resolution.
+Now you can configure features like a custom domain as you typically would. You don't have to use a special domain for your key vault. Web PubSub automatically handles Domain Name System (DNS) resolution.
 
 ## Related conte
 

articles/azure-web-pubsub/howto-service-tags.md

@@ -48,16 +48,16 @@ az network nsg rule create -n <rule-name> --nsg-name <nsg-name> -g <resource-gro
 
 ## Inbound traffic
 
-In the following scenarios, Azure Web PubSub can generate network traffic to your resource. The source of traffic is guaranteed to be within IP ranges of the the `AzureWebPubSub` service tag.
+In the following scenarios, Azure Web PubSub can generate network traffic to your resource. The source of traffic is guaranteed to be within IP ranges of the `AzureWebPubSub` service tag.
 
 * Use [event handlers](howto-develop-eventhandler.md).
 * Use [event listeners](howto-develop-event-listener.md).
-* Use a [Key Vault secret reference](howto-use-managed-identity.md#use-a-managed-identity-for-key-vault-reference) in URL template settings.
+* Use a [Key Vault secret reference](howto-use-managed-identity.md#use-a-managed-identity-for-a-key-vault-reference) in URL template settings.
 * Use a [custom certificate](howto-custom-domain.md#add-a-custom-certificate).
 
 ### Event handler endpoints in a virtual network
 
-You can configure a *network security group* to allow inbound traffic to virtual network.
+You can configure a *network security group* to allow inbound traffic to a virtual network.
 
 #### [Azure portal](#tab/azure-portal)
 

articles/azure-web-pubsub/howto-use-managed-identity.md

@@ -8,7 +8,7 @@ ms.date: 08/16/2024
 ms.author: lianwei
 ---
 
-# Managed identities for Azure Web PubSub Service
+# Managed identities for Azure Web PubSub
 
 This article shows you how to create a managed identity for Azure Web PubSub and how to use it.
 
@@ -57,7 +57,7 @@ Azure Web PubSub is a fully managed service, so you can't use a managed identity
 
 1. Under **Authentication**, select **Use Authentication**, and then select **Specify the issued token audience**. The audience becomes the `aud` claim in the access token. It can be part of validation in your event handler.
 
-   You can choose one of the following:
+   You can choose one of these options:
 
    - Select from existing Microsoft Entra applications. The application ID of the application you choose is used.
    - The Application ID URI of the service principal.
@@ -89,7 +89,7 @@ If you're not using Web Apps or Azure Functions, you also can validate the token
 
 The token in the `Authorization` header is a [Microsoft identity platform access token](../active-directory/develop/access-tokens.md).
 
-To validate access tokens, your app should also validate the audience and the signing tokens. These need to be validated against the values in the OpenID discovery document. For example, see the [tenant-independent version of the document](https://login.microsoftonline.com/common/.well-known/openid-configuration).
+To validate access tokens, your app should also validate the audience and the signing tokens. Signing tokens must be validated against the values in the OpenID discovery document. For example, see the [tenant-independent version of the document](https://login.microsoftonline.com/common/.well-known/openid-configuration).
 
 The Microsoft Entra middleware has built-in capabilities for validating access tokens. You can browse our [samples](../active-directory/develop/sample-v2-code.md) to find one in the language you want to use.
 

articles/azure-web-pubsub/reference-rest-api-data-plane.md

@@ -59,7 +59,7 @@ The credential scope used should be `https://webpubsub.azure.com/.default`.
 
 You could also use **Role Based Access Control (RBAC)** to authorize the request from your server to Azure Web PubSub Service.
 
-[Learn how to configure Role Based Access Control roles for your resource](./howto-authorize-from-application.md#add-role-assignments-on-azure-portal)
+[Learn how to configure Role Based Access Control roles for your resource](./howto-authorize-from-application.md#add-role-assignments-in-the-azure-portal)
 
 ## APIs