MicrosoftDocs
diff --git a/‎articles/azure-monitor/logs/api/access-api.md
Lines changed: 81 additions & 76 deletions b/‎articles/azure-monitor/logs/api/access-api.md
Lines changed: 81 additions & 76 deletions
@@ -1,31 +1,33 @@
 ---
-title:  API Access and Authentication
-description: How to Authenticate and access the Azure Monitor Log Analytics API.
+title: API access and authentication
+description: Learn how to authenticate and access the Azure Monitor Log Analytics API.
 author: AbbyMSFT
 ms.author: abbyweisberg
 ms.date: 11/28/2022
 ms.topic: article
 ---
 # Access the Azure Monitor Log Analytics API
 
-You can submit a query request to a workspace using the Azure Monitor Log Analytics endpoint `https://api.loganalytics.azure.com`. To access the endpoint, you must authenticate through Azure Active Directory (Azure AD). 
+You can submit a query request to a workspace by using the Azure Monitor Log Analytics endpoint `https://api.loganalytics.azure.com`. To access the endpoint, you must authenticate through Azure Active Directory (Azure AD).
+
 >[!Note]
-> The `api.loganalytics.io` endpoint is being replaced by `api.loganalytics.azure.com`. `api.loganalytics.io` will continue to be supported for the forseeable future.
-## Authenticating with a demo API key
+> The `api.loganalytics.io` endpoint is being replaced by `api.loganalytics.azure.com`. The `api.loganalytics.io` endpoint will continue to be supported for the forseeable future.
+
+## Authenticate with a demo API key
 
-To quickly explore the API without Azure Active Directory authentication, use the demonstration workspace with sample data, which supports API key authentication.
+To quickly explore the API without Azure AD authentication, use the demonstration workspace with sample data, which supports API key authentication.
 
 To authenticate and run queries against the sample workspace, use `DEMO_WORKSPACE` as the {workspace-id} and pass in the API key `DEMO_KEY`.
 
-If either the Application ID or the API key is incorrect, the API service will return a [403](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_Error) (Forbidden) error.
+If either the Application ID or the API key is incorrect, the API service returns a [403](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_Error) (Forbidden) error.
 
-The API key `DEMO_KEY` can be passed in three different ways, depending on whether you prefer to use the URL, a header, or basic authentication.
+The API key `DEMO_KEY` can be passed in three different ways, depending on whether you want to use a header, the URL, or basic authentication:
 
-1.  **Custom header**: provide the API key in the custom header `X-Api-Key`
-2.  **Query parameter**: provide the API key in the URL parameter `api_key`
-3.  **Basic authentication**: provide the API key as either username or password. If you provide both, the API key must be in the username.
+- **Custom header**: Provide the API key in the custom header `X-Api-Key`.
+- **Query parameter**: Provide the API key in the URL parameter `api_key`.
+- **Basic authentication**: Provide the API key as either username or password. If you provide both, the API key must be in the username.
 
-This example uses the Workspace ID and API key in the header:
+This example uses the workspace ID and API key in the header:
 
 ```
     POST https://api.loganalytics.azure.com/v1/workspaces/DEMO_WORKSPACE/query
@@ -36,6 +38,7 @@ This example uses the Workspace ID and API key in the header:
         "query": "AzureActivity | summarize count() by Category"
     }
 ```
+
 ## Public API endpoint
 
 The public API endpoint is:
@@ -44,12 +47,12 @@ The public API endpoint is:
     https://api.loganalytics.azure.com/{api-version}/workspaces/{workspaceId}
 ```
 where:
- - **api-version**: The API version. The current version is "v1"
- - **workspaceId**: Your workspace ID  
+ - **api-version**: The API version. The current version is "v1."
+ - **workspaceId**: Your workspace ID.
 
 The query is passed in the request body.
 
-For example, 
+For example:
  ```
     https://api.loganalytics.azure.com/v1/workspaces/1234abcd-def89-765a-9abc-def1234abcde
     
@@ -58,64 +61,68 @@ For example,
         "query": "Usage"
     }
 ```
-## Set up Authentication
 
-To access the  API, you need to register a client app with Azure Active Directory and request a token.
-1. [Register an app in Azure Active Directory](./register-app-for-token.md).
+## Set up authentication
+
+To access the API, you register a client app with Azure AD and request a token.
+
+1. [Register an app in Azure AD](./register-app-for-token.md).
+
+1. On the app's overview page, select **API permissions**.
+1. Select **Add a permission**.
+1. On the **APIs my organization uses** tab, search for **Log Analytics** and select **Log Analytics API** from the list.
 
-1. On the app's overview page, select **API permissions**  
-1. Select **Add a permission**
-1. In the **APIs my organization uses** tab search for *log analytics* and select **Log Analytics API** from the list.  
-:::image type="content" source="../media/api-register-app/request-api-permissions.png" alt-text="A screenshot showing the Request API permissions page.":::
+   :::image type="content" source="../media/api-register-app/request-api-permissions.png" alt-text="A screenshot that shows the Request API permissions page.":::
 
-1. Select **Delegated permissions**
-1. Check the checkbox for **Data.Read**
-1. Select **Add permissions**
-:::image type="content" source="../media/api-register-app/add-requested-permissions.png" alt-text="A screenshot showing the continuation of the Request API permissions page.":::  
+1. Select **Delegated permissions**.
+1. Select the **Data.Read** checkbox.
+1. Select **Add permissions**.
 
-Now that your app is registered and has permissions to use the API, grant your app access to your Log Analytics Workspace.
+   :::image type="content" source="../media/api-register-app/add-requested-permissions.png" alt-text="A screenshot that shows the continuation of the Request API permissions page.":::
 
-1. From your Log analytics Workspace overview page, select **Access control (IAM)**.
+Now that your app is registered and has permissions to use the API, grant your app access to your Log Analytics workspace.
+
+1. From your **Log Analytics workspace** overview page, select **Access control (IAM)**.
 1. Select **Add role assignment**.
 
-    :::image type="content" source="../media/api-register-app/workspace-access-control.png" alt-text="A screenshot showing the access control page for a log analytics workspace.":::
+    :::image type="content" source="../media/api-register-app/workspace-access-control.png" alt-text="A screenshot that shows the Access control page for a Log Analytics workspace.":::
 
-1. Select the **Reader** role then select **Members**
-    
-    :::image type="content" source="../media/api-register-app/add-role-assignment.png" alt-text="A screenshot showing the add role assignment page for a log analytics workspace.":::
+1. Select the **Reader** role and then select **Members**.
+
+    :::image type="content" source="../media/api-register-app/add-role-assignment.png" alt-text="A screenshot that shows the Add role assignment page for a Log Analytics workspace.":::
 
-1. In the Members tab, select **Select members**
-1. Enter the name of your app in the **Select** field.
-1. Choose your app and select **Select**
-1. Select **Review and assign**
-     
-    :::image type="content" source="../media/api-register-app/select-members.png" alt-text="A screenshot showing the select members blade on the role assignment page for a log analytics workspace.":::
+1. On the **Members** tab, choose **Select members**.
+1. Enter the name of your app in the **Select** box.
+1. Select your app and choose **Select**.
+1. Select **Review + assign**.
 
-1. After completing the Active Directory setup and workspace permissions, request an authorization token.
+    :::image type="content" source="../media/api-register-app/select-members.png" alt-text="A screenshot that shows the Select members pane on the Add role assignment page for a Log Analytics workspace.":::
+
+1. After you finish the Active Directory setup and workspace permissions, request an authorization token.
 
 >[!Note]
-> For this example we applied the **Reader** role. This role is one of many built-in roles and may include more permissions than you require. More granular roles and permissions can be created. For more information, see [Manage access to Log Analytics workspaces](../../logs/manage-access.md).
+> For this example, we applied the Reader role. This role is one of many built-in roles and might include more permissions than you require. More granular roles and permissions can be created. For more information, see [Manage access to Log Analytics workspaces](../../logs/manage-access.md).
 
-## Request an Authorization Token
+## Request an authorization token
 
-Before beginning, make sure you have all the values required to make the request successfully. All requests require:
-- Your Azure Active Directory tenant ID.
+Before you begin, make sure you have all the values required to make the request successfully. All requests require:
+- Your Azure AD tenant ID.
 - Your workspace ID.
-- Your Azure Active Directory client ID for the app.
-- An Azure Active Directory client secret for the  app.
+- Your Azure AD client ID for the app.
+- An Azure AD client secret for the app.
 
-The Log Analytics API supports Azure Active Directory authentication with three different [Azure AD OAuth2](/azure/active-directory/develop/active-directory-protocols-oauth-code) flows:
-- Client credentials 
+The Log Analytics API supports Azure AD authentication with three different [Azure AD OAuth2](/azure/active-directory/develop/active-directory-protocols-oauth-code) flows:
+- Client credentials
 - Authorization code
 - Implicit
 
+### Client credentials flow
 
-### Client Credentials Flow
+In the client credentials flow, the token is used with the Log Analytics endpoint. A single request is made to receive a token by using the credentials provided for your app in the previous step when you [register an app in Azure AD](./register-app-for-token.md).
 
-In the client credentials flow, the token is used with the log analytics endpoint. A single request is made to receive a token, using the credentials provided for your app in the [Register an app for in Azure Active Directory](./register-app-for-token.md) step above.  
-Use the `https://api.loganalytics.azure.com` endpoint. 
+Use the `https://api.loganalytics.azure.com` endpoint.
 
-##### Client Credentials Token URL (POST request)
+#### Client credentials token URL (POST request)
 
 ```http
     POST /<your-tenant-id>/oauth2/token
@@ -139,7 +146,7 @@ A successful request receives an access token in the response:
     }
 ```
 
-Use the token in requests to the log analytics endpoint:
+Use the token in requests to the Log Analytics endpoint:
 
 ```http
     POST /v1/workspaces/your workspace id/query?timespan=P1D
@@ -153,8 +160,7 @@ Use the token in requests to the log analytics endpoint:
     }
 ```
 
-
-Example Response:
+Example response:
 
 ```http
     {
@@ -190,11 +196,11 @@ Example Response:
     }
 ```
 
-### Authorization Code Flow
+### Authorization code flow
 
-The main OAuth2 flow supported is through [authorization codes](/azure/active-directory/develop/active-directory-protocols-oauth-code). This method requires two HTTP requests to acquire a token with which to call the Azure Monitor Log Analytics API. There are two URLs, one endpoint per request. Their formats are:
+The main OAuth2 flow supported is through [authorization codes](/azure/active-directory/develop/active-directory-protocols-oauth-code). This method requires two HTTP requests to acquire a token with which to call the Azure Monitor Log Analytics API. There are two URLs, with one endpoint per request. Their formats are described in the following sections.
 
-#### Authorization Code URL (GET request):
+#### Authorization code URL (GET request)
 
 ```http
     GET https://login.microsoftonline.com/YOUR_Azure AD_TENANT/oauth2/authorize?
@@ -204,15 +210,15 @@ The main OAuth2 flow supported is through [authorization codes](/azure/active-di
     &resource=https://api.loganalytics.io
 ```
 
-When making a request to the Authorize URL, the client\_id is the Application ID from your Azure AD App, copied from the App's properties menu. The redirect\_uri is the home page/login URL from the same Azure AD App. When a request is successful, this endpoint redirects you to the sign-in page you provided at sign-up with the authorization code appended to the URL. See the following example:
+When a request is made to the authorize URL, the client\_id is the application ID from your Azure AD app, copied from the app's properties menu. The redirect\_uri is the homepage/login URL from the same Azure AD app. When a request is successful, this endpoint redirects you to the sign-in page you provided at sign-up with the authorization code appended to the URL. See the following example:
 
 ```http
     http://<app-client-id>/?code=AUTHORIZATION_CODE&session_state=STATE_GUID
 ```
 
-At this point you'll have obtained an authorization code, which you need now to request an access token.
+At this point, you've obtained an authorization code, which you need now to request an access token.
 
-#### Authorization Code Token URL (POST request)
+#### Authorization code token URL (POST request)
 
 ```http
     POST /YOUR_Azure AD_TENANT/oauth2/token HTTP/1.1
@@ -227,7 +233,7 @@ At this point you'll have obtained an authorization code, which you need now to
     &client_secret=<app-client-secret>
 ```
 
-All values are the same as before, with some additions. The authorization code is the same code you received in the previous request after a successful redirect. The code is combined with the key obtained from the Azure AD App. If you didn't save the key, you can delete it and create a new one from the keys tab of the Azure AD App menu. The response is a JSON string containing the token with the following schema. Types are indicated for the token values.
+All values are the same as before, with some additions. The authorization code is the same code you received in the previous request after a successful redirect. The code is combined with the key obtained from the Azure AD app. If you didn't save the key, you can delete it and create a new one from the keys tab of the Azure AD app menu. The response is a JSON string that contains the token with the following schema. Types are indicated for the token values.
 
 Response example:
 
@@ -245,7 +251,7 @@ Response example:
     }
 ```
 
-The access token portion of this response is what you present to the Log Analytics API in the `Authorization: Bearer` header. You may also use the refresh token in the future to acquire a new access\_token and refresh\_token when yours have gone stale. For this request, the format and endpoint are:
+The access token portion of this response is what you present to the Log Analytics API in the `Authorization: Bearer` header. You can also use the refresh token in the future to acquire a new access\_token and refresh\_token when yours have gone stale. For this request, the format and endpoint are:
 
 ```http
     POST /YOUR_AAD_TENANT/oauth2/token HTTP/1.1
@@ -272,11 +278,11 @@ Response example:
     }
 ```
 
-### Implicit Code Flow
+### Implicit code flow
 
-The Log Analytics API supports the OAuth2 [implicit flow](/azure/active-directory/develop/active-directory-dev-understanding-oauth2-implicit-grant). For this flow, only a single request is required but no refresh token can be acquired.
+The Log Analytics API supports the OAuth2 [implicit flow](/azure/active-directory/develop/active-directory-dev-understanding-oauth2-implicit-grant). For this flow, only a single request is required, but no refresh token can be acquired.
 
-#### Implicit Code Authorize URL
+#### Implicit code authorize URL
 
 ```http
     GET https://login.microsoftonline.com/YOUR_AAD_TENANT/oauth2/authorize?
@@ -286,25 +292,24 @@ The Log Analytics API supports the OAuth2 [implicit flow](/azure/active-director
     &resource=https://api.loganalytics.io
 ```
 
-A successful request will produce a redirect to your redirect URI with the token in the URL as follows.
+A successful request produces a redirect to your redirect URI with the token in the URL:
 
 ```http
     http://YOUR_REDIRECT_URI/#access_token=YOUR_ACCESS_TOKEN&token_type=Bearer&expires_in=3600&session_state=STATE_GUID
 ```
 
-This access\_token can be used as the `Authorization: Bearer` header value when passed to the Log Analytics API to authorize requests.
+This access\_token can be used as the `Authorization: Bearer` header value when it's passed to the Log Analytics API to authorize requests.
 
-## More Information
+## More information
 
 You can find documentation about OAuth2 with Azure AD here:
- - [Azure AD Authorization Code flow](/azure/active-directory/develop/active-directory-protocols-oauth-code)
- - [Azure AD Implicit Grant flow](/azure/active-directory/develop/active-directory-dev-understanding-oauth2-implicit-grant)
- - [Azure AD S2S Client Credentials flow](/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service)
-
+ - [Azure AD authorization code flow](/azure/active-directory/develop/active-directory-protocols-oauth-code)
+ - [Azure AD implicit grant flow](/azure/active-directory/develop/active-directory-dev-understanding-oauth2-implicit-grant)
+ - [Azure AD S2S client credentials flow](/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service)
 
 ## Next steps
 
-- [Request format](./request-format.md)  
-- [Response format](./response-format.md)  
-- [Querying logs for Azure resources](./azure-resource-queries.md)  
-- [Batch queries](./batch-queries.md)  
+- [Request format](./request-format.md)
+- [Response format](./response-format.md)
+- [Querying logs for Azure resources](./azure-resource-queries.md)
+- [Batch queries](./batch-queries.md)