separated steps for Tenant A & B

spelluru · spelluru · commit 6bf4d1411ccd · 2021-11-02T23:13:13.000-04:00
diff --git a/articles/event-grid/secure-webhook-delivery.md b/articles/event-grid/secure-webhook-delivery.md
@@ -111,60 +111,66 @@ Based on the diagram above, follow the next steps to configure the tenant.
 
 ## Deliver events to a Webhook in a different Azure AD tenant 
 
-To enable a secure webhook subscription across multiple tenants you'll need to do this task by using an Azure AD Application, this process isn't currently available by using the Azure AD user from the portal.
+To secure the connection between your event subscription and your webhook endpoint that are in different Azure AD tenants, you'll need to use an Azure AD application as shown in this section. Currently, it's not possible to secure this connection by using an Azure AD user in the Azure portal. 
 
 ![Multitenant events with Azure AD and Webhooks](./media/secure-webhook-delivery/multitenant-diagram.png)
 
-Based on the diagram above, follow the next steps to configure both tenants.
+Based on the diagram above, follow next steps to configure both tenants.
 
-1. Create an Azure AD Application for the Event Grid subscription writer configured to work with any Azure AD directory (Multitenant) in the **Tenant A**.
+### Tenant A
 
-2. Create a secret for the Azure AD Application previously created in the **Tenant A** and save the value (you'll need this value later).
+Do the following steps in **Tenant A**: 
 
-3. In the **Tenant A**, go to the Access control (IAM) in the Event Grid Topic and add the role assignment of the Azure AD Application of the Event Grid subscription writer as Event Grid Contributor, this step will allow us to have access to the Event Grid resource when we logged-in into Azure with the Azure AD Application by using the Azure CLI.
+1. Create an Azure AD application for the Event Grid subscription writer configured to work with any Azure AD directory (Multitenant).
 
-4. Create an Azure AD Application for the webhook configured to work with the Microsoft directory (Single tenant) in the **Tenant B**.
+2. Create a secret for the Azure AD application previously created in the **Tenant A**, and save the value (you'll need this value later).
 
-5. Open the [Azure Shell](https://portal.azure.com/#cloudshell/) in the **Tenant B** and select the PowerShell environment.
+3. Navigate to the **Access control (IAM)** page for the event grid topic. Add Azure AD application of the Event Grid subscription writer to the **Event Grid Contributor** role. This step allows the application to have access to the Event Grid resource when you log in into Azure with the Azure AD application by using the Azure CLI.
 
-6. Modify the **$webhookAadTenantId** value to connect to the **Tenant B**.
+### Tenant B
+
+Do the following steps in **Tenant B**:
 
+1. Create an Azure AD Application for the webhook configured to work with the Microsoft directory (Single tenant).
+5. Open the [Azure Shell](https://portal.azure.com/#cloudshell/), and select the PowerShell environment.
+6. Modify the **$webhookAadTenantId** value to connect to the **Tenant B**.
     - Variables:
         - **$webhookAadTenantId**: Azure Tenant ID for the **Tenant B**
 
-    ```Shell
-    PS /home/user>$webhookAadTenantId = "[REPLACE_WITH_YOUR_TENANT_ID]"
-    PS /home/user>Connect-AzureAD -TenantId $webhookAadTenantId
-    ```
-
-7. Open the [following script](scripts/event-grid-powershell-webhook-secure-delivery-azure-ad-app.md) and update the values of **$webhookAppObjectId** and **$eventSubscriptionWriterAppId** with your identifiers, then continue to run the script.
+        ```Shell
+        PS /home/user>$webhookAadTenantId = "[REPLACE_WITH_YOUR_TENANT_ID]"
+        PS /home/user>Connect-AzureAD -TenantId $webhookAadTenantId
+        ```
+7. Open the [following script](scripts/event-grid-powershell-webhook-secure-delivery-azure-ad-app.md), and update values of **$webhookAppObjectId** and **$eventSubscriptionWriterAppId** with your identifiers, then continue to run the script.
 
     - Variables:
-        - **$webhookAppObjectId**: Azure AD Application ID created for the webhook
-        - **$eventSubscriptionWriterAppId**: Azure AD Application ID for Event Grid subscription writer
+        - **$webhookAppObjectId**: Azure AD application ID created for the webhook
+        - **$eventSubscriptionWriterAppId**: Azure AD application ID for Event Grid subscription writer
 
-    > [!NOTE]
-    > You don't need to modify the value of **```$eventGridAppId```**, for this script we set **AzureEventGridSecureWebhookSubscriber** as the value for the **```$eventGridRoleName```**. Remember, you must be a member of the [Azure AD Application Administrator role](../active-directory/roles/permissions-reference.md#all-roles) to execute this script.
+            > [!NOTE]
+            > You don't need to modify the value of **```$eventGridAppId```**, for this script we set **AzureEventGridSecureWebhookSubscriber** as the value for the **```$eventGridRoleName```**. Remember, you must be a member of the [Azure AD Application Administrator role](../active-directory/roles/permissions-reference.md#all-roles) to execute this script.
 
-8. Open the [Azure Shell](https://portal.azure.com/#cloudshell/) in the **Tenant A** and login as the Event Grid subscription writer Azure AD Application by running the command.
+### Tenant A
+
+Back in **Tenant A**, do the following steps: 
+
+1. Open the [Azure Shell](https://portal.azure.com/#cloudshell/), and login as the Event Grid subscription writer Azure AD Application by running the command.
 
     ```Shell
     PS /home/user>az login --service-principal -u [REPLACE_WITH_APP_ID] -p [REPLACE_WITH_SECRET_VALUE] --tenant [REPLACE_WITH_TENANT_ID]
     ```
-
-9. Create your subscription by running the command.
+2. Create your subscription by running the command.
 
     ```Shell
     PS /home/user>az eventgrid system-topic event-subscription create --name [REPLACE_WITH_SUBSCRIPTION_NAME] -g [REPLACE_WITH_RESOURCE_GROUP] --system-topic-name [REPLACE_WITH_SYSTEM_TOPIC] --endpoint [REPLACE_WITH_WEBHOOK_ENDPOINT] --event-delivery-schema [REPLACE_WITH_WEBHOOK_EVENT_SCHEMA] --azure-active-directory-tenant-id [REPLACE_WITH_TENANT_B_ID] --azure-active-directory-application-id-or-uri [REPLACE_WITH_APPLICATION_ID_FROM_SCRIPT] --endpoint-type webhook
     ```
 
     > [!NOTE]
-    > In this scenario we are using an Event Grid System Topic. See [here](/cli/azure/eventgrid), if you want to create a subscription for Custom Topics or Event Grid Domains by using the Azure CLI.
-
-10. If everything was correctly configured, you can successfully create the webhook subscription in your Event Grid Topic.
+    > In this scenario we are using an Event Grid System Topic. See [here](/cli/azure/eventgrid), if you want to create a subscription for custom topics or Event Grid domains by using the Azure CLI.
+3. If everything was correctly configured, you can successfully create the webhook subscription in your event grid topic.
 
     > [!NOTE]
-    > At this point Event Grid is now passing the Azure AD Bearer token to the webhook client in every message, you'll need to validate the Authorization token in your webhook.
+    > At this point, Event Grid is now passing the Azure AD Bearer token to the webhook client in every message. You'll need to validate the Authorization token in your webhook.
 
 ## Next steps
 
