
Commit 64cd810

Merge pull request #288105 from MicrosoftDocs/main
Publish to Live Wednesday 4AM PST, 10/9
2 parents 4cb9046 + 7c3d147 commit 64cd810

File tree

7 files changed

+148
-74
lines changed

articles/azure-app-configuration/TOC.yml

Lines changed: 12 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -204,19 +204,21 @@
204204
href: concept-disaster-recovery.md
205205
- name: Security
206206
items:
207-
- name: Encrypt using customer-managed keys
208-
href: concept-customer-managed-keys.md
209-
- name: Secure your config store using Private Endpoints
210-
href: concept-private-endpoint.md
211-
- name: Enable access using Microsoft Entra ID
207+
- name: Authenticate using Microsoft Entra ID
212208
href: concept-enable-rbac.md
213-
- name: Assign an Azure Managed Identity
214-
href: overview-managed-identity.md
215-
- name: Manage access key authentication
209+
- name: Authenticate using access keys
216210
href: howto-disable-access-key-authentication.md
217-
- name: Security controls by Azure Policy
211+
- name: Secure your store using Private Endpoints
212+
href: concept-private-endpoint.md
213+
- name: Disable public network access
214+
href: howto-disable-public-access.md
215+
- name: Encrypt data using customer-managed keys
216+
href: concept-customer-managed-keys.md
217+
- name: Add Managed Identities to your store
218+
href: overview-managed-identity.md
219+
- name: Enforce security controls by Azure Policies
218220
href: ./security-controls-policy.md
219-
- name: Security baseline
221+
- name: Understand the security baselines
220222
href: /security/benchmark/azure/baselines/azure-app-configuration-security-baseline?toc=/azure/azure-app-configuration/TOC.json
221223
- name: How-to guides
222224
items:
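Review bot: "Enforce security controls by Azure Policies" (new line 219) should read "Azure Policy"; the service name is singular and the linked page (security-controls-policy.md) uses it that way. Likewise "Understand the security baselines" (new line 221) points at a single baseline page, so "security baseline" would match the target. The reordering itself is sensible: the Entra ID and access-key entries now sit first, and "Disable public network access" is gathered under Security alongside the private endpoint entry, which is where a reader auditing exposure will look for it.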
@@ -240,8 +242,6 @@
240242
href: howto-recover-deleted-stores-in-azure-app-configuration.md
241243
- name: Enable geo-replication
242244
href: howto-geo-replication.md
243-
- name: Disable public access
244-
href: howto-disable-public-access.md
245245
- name: Set up private access
246246
href: howto-set-up-private-access.md
247247
- name: Reference
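Review bot: Removing "Disable public access" from the How-to guides is fine only because the same href (howto-disable-public-access.md) is re-added under Security in the first hunk; confirm both hunks ship together so the page does not drop out of the TOC. For consistency, consider whether "Set up private access" (line 245) should move next to "Secure your store using Private Endpoints" as well, since the two articles describe the same network isolation step.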
Lines changed: 43 additions & 21 deletions
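Review bot: The file path header is missing above this diff; from the content (title "Access Azure App Configuration using Microsoft Entra ID", link target concept-enable-rbac.md in the TOC hunk) it is concept-enable-rbac.md, but the rendered page should carry the path so reviewers can locate it.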
@@ -1,40 +1,62 @@
11
---
2-
title: Authorize access to Azure App Configuration using Microsoft Entra ID
3-
description: Enable Azure RBAC to authorize access to your Azure App Configuration instance.
4-
author: maud-lv
5-
ms.author: malev
6-
ms.date: 04/05/2024
2+
title: Access Azure App Configuration using Microsoft Entra ID
3+
description: Use Microsoft Entra ID and Azure role-based access control (RBAC) to access your Azure App Configuration store.
4+
author: zhenlan
5+
ms.author: zhenlwa
6+
ms.date: 10/05/2024
77
ms.topic: conceptual
88
ms.service: azure-app-configuration
99

1010
---
11-
# Authorize access to Azure App Configuration using Microsoft Entra ID
12-
Besides using Hash-based Message Authentication Code (HMAC), Azure App Configuration supports using Microsoft Entra ID to authorize requests to App Configuration instances. Microsoft Entra ID allows you to use Azure role-based access control (Azure RBAC) to grant permissions to a security principal. A security principal may be a user, a [managed identity](../active-directory/managed-identities-azure-resources/overview.md), or an [application service principal](../active-directory/develop/app-objects-and-service-principals.md). To learn more about roles and role assignments, see [Understanding different roles](../role-based-access-control/overview.md).
11+
# Access Azure App Configuration using Microsoft Entra ID
12+
Azure App Configuration supports authorization of requests to App Configuration stores using Microsoft Entra ID. With Microsoft Entra ID, you can leverage Azure role-based access control ([Azure RBAC](../role-based-access-control/overview.md)) to grant permissions to security principals, which can be user principals, [managed identities](../active-directory/managed-identities-azure-resources/overview.md), or [service principals](../active-directory/develop/app-objects-and-service-principals.md).
1313

1414
## Overview
15-
Requests made by a security principal to access an App Configuration resource must be authorized. With Microsoft Entra ID, access to a resource is a two-step process:
16-
1. The security principal's identity is authenticated and an OAuth 2.0 token is returned. The resource name to request a token is `https://login.microsoftonline.com/{tenantID}` where `{tenantID}` matches the Microsoft Entra tenant ID to which the service principal belongs.
17-
2. The token is passed as part of a request to the App Configuration service to authorize access to the specified resource.
15+
Accessing an App Configuration store using Microsoft Entra ID involves two steps:
1816

19-
The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity, such as an Azure Functions app, an Azure Web App, or an Azure VM, it can use a managed identity to access the resources. To learn how to authenticate requests made by a managed identity to Azure App Configuration, see [Authenticate access to Azure App Configuration resources with Microsoft Entra ID and managed identities for Azure Resources](howto-integrate-azure-managed-service-identity.md).
17+
1. **Authentication**: Acquire a token of the security principal from Microsoft Entra ID for App Configuration. For more information, see [Microsoft Entra authentication](./rest-api-authentication-azure-ad.md) in App Configuration.
2018

21-
The authorization step requires that one or more Azure roles be assigned to the security principal. Azure App Configuration provides Azure roles that encompass sets of permissions for App Configuration resources. The roles that are assigned to a security principal determine the permissions provided to the principal. For more information about Azure roles, see [Azure built-in roles for Azure App Configuration](#azure-built-in-roles-for-azure-app-configuration).
22-
23-
## Assign Azure roles for access rights
24-
Microsoft Entra authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md).
25-
26-
When an Azure role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. Access is scoped to the App Configuration resource. A Microsoft Entra security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).
19+
1. **Authorization**: Pass the token as part of a request to an App Configuration store. To authorize access to the specified App Configuration store, the security principal must be assigned the appropriate roles in advance. For more information, see [Microsoft Entra authorization](./rest-api-authorization-azure-ad.md) in App Configuration.
2720

2821
## Azure built-in roles for Azure App Configuration
29-
Azure provides the following Azure built-in roles for authorizing access to App Configuration data using Microsoft Entra ID:
22+
Azure provides the following built-in roles for authorizing access to App Configuration using Microsoft Entra ID:
3023

31-
- **App Configuration Data Owner**: Use this role to give read/write/delete access to App Configuration data. This role doesn't grant access to the App Configuration resource.
24+
### Data plane access
25+
Requests for [data plane](../azure-resource-manager/management/control-plane-and-data-plane.md#data-plane) operations are sent to the endpoint of your App Configuration store. These requests pertain to App Configuration data.
26+
27+
- **App Configuration Data Owner**: Use this role to give read, write, and delete access to App Configuration data. This role doesn't grant access to the App Configuration resource.
3228
- **App Configuration Data Reader**: Use this role to give read access to App Configuration data. This role doesn't grant access to the App Configuration resource.
33-
- **Contributor** or **Owner**: Use this role to manage the App Configuration resource. It grants access to the resource's access keys. While the App Configuration data can be accessed using access keys, this role doesn't grant direct access to the data using Microsoft Entra ID. This role is required if you access the App Configuration data via ARM template, Bicep, or Terraform during deployment. For more information, see [deployment](quickstart-deployment-overview.md).
29+
30+
### Control plane access
31+
All requests for [control plane](../azure-resource-manager/management/control-plane-and-data-plane.md#control-plane) operations are sent to the Azure Resource Manager URL. These requests pertain to the App Configuration resource.
32+
33+
- **Contributor** or **Owner**: Use this role to manage the App Configuration resource. It grants access to the resource's access keys. While the App Configuration data can be accessed using access keys, this role doesn't grant direct access to the data using Microsoft Entra ID.
3434
- **Reader**: Use this role to give read access to the App Configuration resource. This role doesn't grant access to the resource's access keys, nor to the data stored in App Configuration.
3535

3636
> [!NOTE]
3737
> After a role assignment is made for an identity, allow up to 15 minutes for the permission to propagate before accessing data stored in App Configuration using this identity.
3838
39+
## Authentication with token credentials
40+
41+
To enable your application to authenticate with Microsoft Entra ID, the Azure Identity library supports various token credentials for Microsoft Entra ID authentication. For example, you might choose Visual Studio Credential when developing your application in Visual Studio, Workload Identity Credential when your application runs on Kubernetes, or Managed Identity Credential when your application is deployed in Azure services like Azure Functions.
42+
43+
### Use DefaultAzureCredential
44+
45+
The `DefaultAzureCredential` is a preconfigured [chain of token credentials](/dotnet/azure/sdk/authentication/credential-chains#defaultazurecredential-overview) that automatically attempts an ordered sequence of the most common authentication methods. Using the `DefaultAzureCredential` allows you to keep the same code in both local development and Azure environments. However, it's important to know which credential is being used in each environment, as you need to grant the appropriate roles for authorization to work. For example, authorize your own account when you expect the `DefaultAzureCredential` to fall back to your user identity during local development. Similarly, enable managed identity in Azure Functions and assign it the necessary role when you expect the `DefaultAzureCredential` to fall back to the `ManagedIdentityCredential` when your Function App runs in Azure.
46+
47+
### Assign App Configuration data roles
48+
49+
Regardless of which credential you use, you must assign it the appropriate roles before it can access your App Configuration store. If your application only needs to read data from your App Configuration store, assign it the *App Configuration Data Reader* role. If your application also needs to write data to your App Configuration store, assign it the *App Configuration Data Owner* role.
50+
51+
Follow these steps to assign App Configuration Data roles to your credential.
52+
53+
1. In the Azure portal, navigate to your App Configuration store and select **Access control (IAM)**.
54+
1. Select **Add** -> **Add role assignment**.
55+
56+
If you don't have permission to assign roles, the **Add role assignment** option will be disabled. Only users with *Owner* or *User Access Administrator* roles can make role assignments.
57+
2. On the **Role** tab, select the **App Configuration Data Reader** role (or another App Configuration role as appropriate) and then select **Next**.
58+
3. On the **Members** tab, follow the wizard to select the credential you're granting access to and then select **Next**.
59+
4. Finally, on the **Review + assign** tab, select **Review + assign** to assign the role.
60+
3961
## Next steps
40-
Learn more about using [managed identities](howto-integrate-azure-managed-service-identity.md) to administer your App Configuration service.
62+
Learn how to [use managed identities to access your App Configuration store](howto-integrate-azure-managed-service-identity.md).
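Review bot: Old line 33 dropped the sentence "This role is required if you access the App Configuration data via ARM template, Bicep, or Terraform during deployment" together with its link to quickstart-deployment-overview.md, and nothing in the new "Control plane access" bullet (new line 33) replaces it; if the deployment-time requirement still holds, it should be restored there, since it is the one case where a reader needs Contributor/Owner rather than a data role. In the new "Assign App Configuration data roles" steps, the note "If you don't have permission to assign roles..." (new line 56) is not indented under step 2, so it will break the numbered list, and the list mixes "1." for the first two items with "2.", "3.", "4." for the rest; use one scheme. Minor: "leverage" in new line 12 can simply be "use".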

articles/azure-app-configuration/howto-disable-access-key-authentication.md

Lines changed: 11 additions & 11 deletions
@@ -1,21 +1,21 @@
11
---
2-
title: Manage access key authentication for an Azure App Configuration instance
2+
title: Access Azure App Configuration using access keys
33
titleSuffix: Azure App Configuration
44
description: Learn how to manage access key authentication for an Azure App Configuration instance.
55
ms.service: azure-app-configuration
66
author: maud-lv
77
ms.author: malev
88
ms.topic: how-to
9-
ms.date: 04/05/2024
9+
ms.date: 10/05/2024
1010
---
1111

12-
# Manage access key authentication for an Azure App Configuration instance
12+
# Access Azure App Configuration using access keys
1313

1414
Every request to an Azure App Configuration resource must be authenticated. By default, requests can be authenticated with either Microsoft Entra credentials, or by using an access key. Of these two types of authentication schemes, Microsoft Entra ID provides superior security and ease of use over access keys, and is recommended by Microsoft. To require clients to use Microsoft Entra ID to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource. If you want to use access keys to authenticate the request, it's recommended to rotate access keys periodically to enhance security. See [recommendations for protecting application secrets](/azure/well-architected/security/application-secrets) to learn more.
1515

1616
## Enable access key authentication
1717

18-
Access key is enabled by default, you can use access keys in your code to authenticate requests.
18+
Access key is enabled by default. You can use access keys in your code to authenticate requests.
1919

2020
# [Azure portal](#tab/portal)
2121

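Review bot: The title is renamed to "Access Azure App Configuration using access keys" but the unchanged description on line 4 ("Learn how to manage access key authentication...") and the H1 on new line 12 now describe different scopes; update the description to match. Also "Access key is enabled by default" (new line 18) should be "Access key authentication is enabled by default", which is the wording the rest of the article uses.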
@@ -62,8 +62,8 @@ To check if access key authentication is enabled for an Azure App Configuration
6262

6363
# [Azure CLI](#tab/azure-cli)
6464

65-
To check if access key authentication is enabled for an Azure App Configuration resource, use the following command. The command will list the access keys for an Azure App Configuration resource.
66-
If access key authentication is enabled, then read-only access keys and read-write access keys will be returned.
65+
To check if access key authentication is enabled for an Azure App Configuration resource, use the following command. The command lists the access keys for an Azure App Configuration resource.
66+
If access key authentication is enabled, then read-only access keys and read-write access keys are returned.
6767

6868
```azurecli-interactive
6969
az appconfig credential list \
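Review bot: The wording change is fine, but since this step is only checking whether access key authentication is enabled, consider noting that `az appconfig credential list` prints the key values themselves to the terminal; the global `--query` argument can project the output onto the key names and read-only flag so the secrets are not echoed into shell history when all the reader wants is the enabled state.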
@@ -75,7 +75,7 @@ az appconfig credential list \
7575

7676
## Disable access key authentication
7777

78-
Disabling access key authentication will delete all access keys. If any running applications are using access keys for authentication, they will begin to fail once access key authentication is disabled. Only requests that are authenticated using Microsoft Entra ID will succeed. For more information about using Microsoft Entra ID, see [Authorize access to Azure App Configuration using Microsoft Entra ID](./concept-enable-rbac.md). Enabling access key authentication again will generate a new set of access keys and any applications attempting to use the old access keys will still fail.
78+
Disabling access key authentication deletes all access keys. If any running applications are using access keys for authentication, they'll begin to fail once access key authentication is disabled. Only requests that are authenticated using Microsoft Entra ID will succeed. For more information about using Microsoft Entra ID, see [Authorize access to Azure App Configuration using Microsoft Entra ID](./concept-enable-rbac.md). Enabling access key authentication again generates a new set of access keys and any applications attempting to use the old access keys will still fail.
7979

8080
> [!WARNING]
8181
> If any clients are currently accessing data in your Azure App Configuration resource with access keys, then Microsoft recommends that you migrate those clients to [Microsoft Entra ID](./concept-enable-rbac.md) before disabling access key authentication.
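Review bot: The link text on new line 78, "Authorize access to Azure App Configuration using Microsoft Entra ID", is the old title of concept-enable-rbac.md, which this same change renames to "Access Azure App Configuration using Microsoft Entra ID"; update the link text so it matches the target page. The sentence "any applications attempting to use the old access keys will still fail" after re-enabling is the important security point of the paragraph and could be stated first.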
@@ -125,7 +125,7 @@ To verify access key authentication is disabled for an Azure App Configuration r
125125

126126
# [Azure CLI](#tab/azure-cli)
127127

128-
To verify access key authentication is disabled for an Azure App Configuration resource, use the following command. The command will list the access keys for an Azure App Configuration resource and if access key authentication is disabled the list will be empty.
128+
To verify access key authentication is disabled for an Azure App Configuration resource, use the following command. The command lists the access keys for an Azure App Configuration resource and if access key authentication is disabled the list will be empty.
129129

130130
```azurecli-interactive
131131
az appconfig credential list \
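Review bot: New line 128 still uses "the list will be empty" after the rest of this change removed future tense elsewhere; "the list is empty" keeps the style consistent, and a comma before "and if access key authentication is disabled" would make the two clauses easier to read.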
@@ -142,7 +142,7 @@ To modify the state of access key authentication for an Azure App Configuration
142142
- The Azure Resource Manager [Owner](../role-based-access-control/built-in-roles.md#owner) role
143143
- The Azure Resource Manager [Contributor](../role-based-access-control/built-in-roles.md#contributor) role
144144

145-
These roles do not provide access to data in an Azure App Configuration resource via Microsoft Entra ID. However, they include the **Microsoft.AppConfiguration/configurationStores/listKeys/action** action permission, which grants access to the resource's access keys. With this permission, a user can use the access keys to access all the data in the resource.
145+
These roles don't provide access to data in an Azure App Configuration resource via Microsoft Entra ID. However, they include the **Microsoft.AppConfiguration/configurationStores/listKeys/action** action permission, which grants access to the resource's access keys. With this permission, a user can use the access keys to access all the data in the resource.
146146

147147
Role assignments must be scoped to the level of the Azure App Configuration resource or higher to permit a user to allow or disallow access key authentication for the resource. For more information about role scope, see [Understand scope for Azure RBAC](../role-based-access-control/scope-overview.md).
148148

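Review bot: New line 145 says that with `Microsoft.AppConfiguration/configurationStores/listKeys/action` "a user can use the access keys to access all the data in the resource"; in an article about disabling access key authentication, add the qualifier "while access key authentication is enabled", since that is exactly the path the procedure closes off and readers should understand that Contributor/Owner no longer implies data access once keys are disabled.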
@@ -160,7 +160,7 @@ Microsoft recommends periodic rotation of access keys to mitigate the risk of at
160160
You can rotate keys using the following procedure:
161161

162162
1. If you're using both keys in production, change your code so that only one access key is in use. In this example, let's say you decide to keep using your store's primary key.
163-
You must have only one key in your code, because when you regenerate your secondary key, the older version of that key will stop working immediately, causing clients using the older key to get 401 access denied errors.
163+
You must have only one key in your code, because when you regenerate your secondary key, the older version of that key stops working immediately, causing clients using the older key to get 401 access denied errors.
164164

165165
1. Once the primary key is the only key in use, you can regenerate the secondary key.
166166

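Review bot: The continuation paragraph on new line 163 ("You must have only one key in your code...") is not indented under step 1, so it will render outside the numbered list and restart the numbering; indent it to keep it attached to the step. Also "401 access denied errors" is imprecise: HTTP 401 is Unauthorized, so "401 Unauthorized errors" would be accurate.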
@@ -184,7 +184,7 @@ You must have only one key in your code, because when you regenerate your second
184184
---
185185
186186
1. Next, update your code to use the newly generated secondary key.
187-
It is advisable to review your application logs to confirm that all instances of your application have transitioned from using the primary key to the secondary key before proceeding to the next step.
187+
It's advisable to review your application logs to confirm that all instances of your application have transitioned from using the primary key to the secondary key before proceeding to the next step.
188188
189189
1. Finally, you can invalidate the primary keys by regenerating them. Next time, you can alternate access keys between the secondary and primary keys using the same process.
190190

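Review bot: Same indentation issue as the earlier hunk: the advisory sentence on new line 187 should be indented under the preceding step so it stays inside the list. In line 189, "invalidate the primary keys by regenerating them" is plural while the procedure refers to a single primary key throughout; "primary key ... regenerating it" would be consistent.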
articles/azure-app-configuration/overview-managed-identity.md

Lines changed: 1 addition & 1 deletion
@@ -9,7 +9,7 @@ ms.service: azure-app-configuration
99
ms.custom: devx-track-azurecli
1010
---
1111

12-
# How to use managed identities for Azure App Configuration
12+
# Add managed identities for Azure App Configuration
1313

1414
This article shows you how to create a managed identity for Azure App Configuration. A managed identity from Microsoft Entra ID allows Azure App Configuration to easily access other Microsoft Entra protected resources. The identity is managed by the Azure platform. It doesn't require you to provision or rotate any secrets. For more about managed identities in Microsoft Entra ID, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).
1515

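Review bot: The new H1 "Add managed identities for Azure App Configuration" does not match the TOC entry introduced in this change, "Add Managed Identities to your store"; align the wording and capitalization in one place or the other. The first paragraph is unchanged and still reads as a how-to, which fits the new title.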