update auth docs for wps

Author: terencefan

articles/azure-signalr/signalr-howto-authorize-application.md

@@ -1,6 +1,6 @@
 ---
 title: Authorize requests to Azure SignalR Service resources with Microsoft Entra applications
-description: This article provides information about authorizing requests to Azure SignalR Service resources by using Microsoft Entra applications.
+description: This article provides information about authorizing requests to Azure SignalR Service resources with Microsoft Entra applications.
 author: terencefan
 ms.author: tefa
 ms.date: 03/14/2023
@@ -14,7 +14,7 @@ ms.custom: subject-rbac-steps
 
 Azure SignalR Service supports Microsoft Entra ID for authorizing requests with [Microsoft Entra applications](/entra/identity-platform/app-objects-and-service-principals).
 
-This article shows how to configure your Azure SignalR Service resource and codes to authorize requests to the resource from a Microsoft Entra application.
+This article explains how to set up your resource and code to authenticate requests to the resource using a Microsoft Entra application.
 
 ## Register an application in Microsoft Entra ID
 
@@ -32,7 +32,6 @@ After registering an app, you can add **certificates, client secrets (a string),
 - [Add a client secret](/entra/identity-platform/quickstart-register-app?tabs=client-secret#add-credentials)
 - [Add a federated credential](/entra/identity-platform/quickstart-register-app?tabs=federated-credential#add-credentials)
 
-
 ## Add role assignments in the Azure portal
 
 [!INCLUDE [add role assignments](includes/signalr-add-role-assignments.md)]

articles/azure-signalr/signalr-howto-authorize-managed-identity.md

@@ -1,27 +1,28 @@
 ---
 title: Authorize requests to Azure SignalR Service resources with Microsoft Entra managed identities
-description: This article provides information about authorizing requests to Azure SignalR Service resources by using Microsoft Entra managed identities.
+description: This article provides information about authorizing requests to Azure SignalR resources with Managed identities for Azure resources.
 author: terencefan
 ms.author: tefa
-ms.date: 03/14/2025
+ms.date: 03/11/2025
 ms.service: azure-signalr-service
 ms.topic: how-to
 ms.devlang: csharp
 ms.custom: subject-rbac-steps
 ---
 
-# Authorize requests to Azure SignalR Service resources with Managed identities for Azure resources
+# Authorize requests to Azure SignalR resources with Managed identities for Azure resources
 
 Azure SignalR Service supports Microsoft Entra ID for authorizing requests from [Managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview).
 
-This article shows how to configure your Azure SignalR Service resource and code to authorize requests to the resource from a managed identity.
+This article explains how to set up your resource and code to authorize requests to the resource using a managed identity.
 
 ## Configure managed identities
 
 The first step is to configure managed identities on your app or virtual machine.
 
 - [Configure managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity)
-- [Configure managed identities for Azure resources on a virtual machine (VM)](/entra/identity/managed-identities-azure-resources/tutorial-windows-vm-access)
+- [Configure managed identities on Azure virtual machines (VMs)](/entra/identity/managed-identities-azure-resources/how-to-configure-managed-identities)
+- [Configure managed identities for Azure resources on a virtual machine scale set](/entra/identity/managed-identities-azure-resources/how-to-configure-managed-identities-scale-sets)
 
 ## Add role assignments in the Azure portal
 

articles/azure-web-pubsub/concept-azure-ad-authorization.md

@@ -67,36 +67,27 @@ You can scope access to Azure Web PubSub resources at the following levels, begi
 
 ## Azure built-in roles for Web PubSub resources
 
-- `Web PubSub Service Owner`
+   | Role                                                                                              | Description                                                                                               | Use case                                                                                                                                     |
+   | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
+   | [Web PubSub Service Owner](/azure/role-based-access-control/built-in-roles#web-pubsub-service-owner)           | Full access to data-plane APIs, including read/write REST APIs and Auth APIs.                                               | Most commonly used for building a upstream server that handles negotiation requests and client events.                                                                                                             |
+   | [Web PubSub Service Reader](/azure/role-based-access-control/built-in-roles#web-pubsub-service-reader)           | Readonly access to data-plane APIs.                                                | Use it when write a monitoring tool that calls readonly REST APIs.
 
-  Full access to data-plane permissions, including read/write REST APIs and Auth APIs.
 
-  This role is the most common used for building an upstream server.
+Learn how to create a custom role if the built-in roles do not meet your requirements.
 
-- `Web PubSub Service Reader`
-
-  Use to grant read-only REST APIs permissions to Web PubSub resources.
-
-  It's used when you'd like to write a monitoring tool that calling **ONLY** Web PubSub data-plane **READONLY** REST APIs.
+[Azure custom roles: Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role)
 
 ## Next steps
 
-To learn how to create an Azure application and use Microsoft Entra authorization, see
-
-- [Authorize request to Web PubSub resources with Microsoft Entra ID from applications](howto-authorize-from-application.md)
-
-To learn how to configure a managed identity and use Microsoft Entra auth, see
-
-- [Authorize request to Web PubSub resources with Microsoft Entra ID from managed identities](howto-authorize-from-managed-identity.md)
-
-To learn more about roles and role assignments, see
+To learn how to use Microsoft Entra authentication with role-based access control, see
 
-- [What is Azure role-based access control](../role-based-access-control/overview.md)
+  - [Authorize requests to Azure Web PubSub resources with Microsoft Entra applications](howto-authorize-from-application.md)
+  - [Authorize requests to Azure Web PubSub resources with Managed identities for Azure resources](howto-authorize-from-managed-identity.md)
 
-To learn how to create custom roles, see
+To learn more about roles-based access control, see
 
-- [Steps to create a custom role](../role-based-access-control/custom-roles.md#steps-to-create-a-custom-role)
+  - [What is Azure role-based access control](../role-based-access-control/overview.md)
 
-To learn how to use only Microsoft Entra authorization, see
+To learn how to disable the connection string and use only Microsoft Entra authentication, see
 
-- [Disable local authentication](./howto-disable-local-auth.md)
+- [How to disable local authentication](./howto-disable-local-auth.md)

articles/azure-web-pubsub/howto-authorize-from-application.md

@@ -1,119 +1,43 @@
 ---
 title: Authorize an application request by using Microsoft Entra ID
-description: Learn how to authorize an application request to Web PubSub resources by using Microsoft Entra ID.
+description: This article provides information about authorizing requests to Azure Web PubSub resources with Microsoft Entra applications.
 author: terencefan
 ms.author: tefa
-ms.date: 10/12/2024
+ms.date: 03/11/2025
 ms.service: azure-web-pubsub
 ms.topic: conceptual
 ---
 
-# Authorize an application request by using Microsoft Entra ID
+# Authorize requests to Azure Web PubSub resources with Microsoft Entra applications
 
-Azure Web PubSub supports Microsoft Entra ID for authorizing requests from [applications](../active-directory/develop/app-objects-and-service-principals.md).
+Azure Web PubSub Service supports Microsoft Entra ID for authorizing requests with [Microsoft Entra applications](/entra/identity-platform/app-objects-and-service-principals).
 
-This article shows you how to configure your Web PubSub resource and code to authorize a request to a Web PubSub resource from an Azure application.
 
-## Register an application
+This article explains how to set up your resource and code to authenticate requests to the resource using a Microsoft Entra application.
 
-The first step is to register an Azure application.
+## Register an application in Microsoft Entra ID
 
-1. In the [Azure portal](https://portal.azure.com/), search for and then select **Microsoft Entra ID**.
-1. On the left menu under **Manage**, select **App registrations**.
-1. Select **New registration**.
-1. For **Name**, enter a name to use for your application.
-1. Select **Register** to confirm the application registration.
+The first step is to [Register an application in Microsoft Entra ID](/entra/identity-platform/quickstart-register-app):
 
-:::image type="content" source="media/howto-authorize-from-application/register-an-application.png" alt-text="Screenshot that shows registering an application.":::
+After you register your application, you can find the **Application (client) ID** and **Directory (tenant) ID** values on the application's overview page. These GUIDs can be useful in the following steps.
 
-When your application is registered, go to the application overview to view the values for **Application (client) ID** and **Directory (tenant) ID**. You use these values in the following sections.
-
-:::image type="content" source="media/howto-authorize-from-application/application-overview.png" alt-text="Screenshot that shows an application.":::
-
-For more information about registering an application, see the quickstart [Register an application by using the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md).
+![Screenshot of overview information for a registered application.](./media/signalr-howto-authorize-application/application-overview.png)
 
 ## Add credentials
 
-You can add both certificates and client secrets (a string) as credentials to your confidential client app registration.
-
-For more information about adding credentials, see [Add credentials](../active-directory/develop/quickstart-register-app.md#add-credentials).
-
-### Add a client secret
-
-The application requires a client secret for a client to prove its identity when it requests a token.
-
-To create a client secret:
-
-1. On the left menu under **Manage**, select **Certificates & secrets**.
-1. On the **Client secrets** tab, select **New client secret**.
-
-   :::image type="content" source="media/howto-authorize-from-application/new-client-secret.png" alt-text="Screenshot that shows creating a client secret.":::
-
-1. Enter a description for the client secret, and then choose an **Expires** time for the secret.
-1. Copy the value of the client secret and paste it in a secure location for later use.
-
-   > [!NOTE]
-   > The secret is visible only when you create the secret. You can't view the client secret in the portal later.
-
-### Add a certificate
-
-You can upload a certificate instead of creating a client secret.
-
-:::image type="content" source="media/howto-authorize-from-application/upload-certificate.png" alt-text="Screenshot that shows uploading a certificate.":::
-
-## Add a role assignment in the Azure portal
-
-This section demonstrates how to assign a Web PubSub Service Owner role to a service principal (application) for a Web PubSub resource.
-
-> [!NOTE]
-> You can assign a role to any scope, including management group, subscription, resource group, and single resource. For more information about scope, see [Understand scope for Azure role-based access control](../role-based-access-control/scope-overview.md).
-
-1. In the [Azure portal](https://portal.azure.com/), go to your Web PubSub resource.
-
-1. On the left menu, select **Access control (IAM)** to display access control settings for the resource.
-
-1. Select the **Role assignments** tab and view the role assignments at this scope.
-
-   The following figure shows an example of the **Access control (IAM)** pane for a Web PubSub resource:
-
-   :::image type="content" source="media/howto-authorize-from-application/access-control.png" alt-text="Screenshot that shows an example of the Access control (IAM) pane.":::
-
-1. Select **Add** > **Add role assignment**.
-
-1. Select the **Roles** tab, and then select **Web PubSub Service Owner**.
-
-1. Select **Next**.
-
-   :::image type="content" source="media/howto-authorize-from-application/add-role-assignment.png" alt-text="Screenshot that shows adding a role assignment.":::
-
-1. Select the **Members** tab. Under **Assign access to**, select **User, group, or service principal**.
-
-1. Choose **Select members**.
-
-1. Search for and select the application to assign the role to.
-
-1. Choose **Select** to confirm the selection.
-
-1. Select **Next**.
-
-   :::image type="content" source="media/howto-authorize-from-application/assign-role-to-service-principals.png" alt-text="Screenshot that shows assigning a role to service principals.":::
-
-1. Select **Review + assign** to confirm the change.
+After registering an app, you can add **certificates, client secrets (a string), or federated identity credentials** as credentials to your confidential client app registration. Credentials allow your application to authenticate as itself, requiring no interaction from a user at runtime, and are used by confidential client applications that access a web API.
 
-> [!IMPORTANT]
-> Azure role assignments might take up to 30 minutes to propagate.
+- [Add a certificate](/entra/identity-platform/quickstart-register-app?tabs=certificate#add-credentials)
+- [Add a client secret](/entra/identity-platform/quickstart-register-app?tabs=client-secret#add-credentials)
+- [Add a federated credential](/entra/identity-platform/quickstart-register-app?tabs=federated-credential#add-credentials)
 
-To learn more about how to assign and manage Azure role assignments, see these articles:
+## Add role assignments in the Azure portal
 
-- [Assign Azure roles by using the Azure portal](../role-based-access-control/role-assignments-portal.yml)
-- [Assign Azure roles by using REST API](../role-based-access-control/role-assignments-rest.md)
-- [Assign Azure roles by using Azure PowerShell](../role-based-access-control/role-assignments-powershell.md)
-- [Assign Azure roles by using the Azure CLI](../role-based-access-control/role-assignments-cli.md)
-- [Assign Azure roles by using an Azure Resource Manager template](../role-based-access-control/role-assignments-template.md)
+[!INCLUDE [add role assignments](includes/web-pubsub-add-role-assignments.md)]
 
-## Code samples that use Microsoft Entra authorization
+## Code samples with Microsoft Entra authorization
 
-Get samples that use Microsoft Entra authorization in our four officially supported programming languages:
+Check out our samples that show how to use Microsoft Entra authorization in programming languages we officially support.
 
 - [C#](./howto-create-serviceclient-with-net-and-azure-identity.md)
 - [Python](./howto-create-serviceclient-with-python-and-azure-identity.md)