
Commit 87faff4

Merge pull request #107430 from jelledruyts/jelledruyts-1589
Clarified that EasyAuth also applies to Functions
2 parents 4ad9de2 + 803d065 commit 87faff4

6 files changed, +40 / -30 lines changed

articles/app-service/configure-authentication-provider-aad.md

Lines changed: 13 additions & 8 deletions
@@ -1,17 +1,21 @@
11
---
22
title: Configure Azure AD authentication
3-
description: Learn how to configure Azure Active Directory authentication as an identity provider for your App Service app.
3+
description: Learn how to configure Azure Active Directory authentication as an identity provider for your App Service or Azure Functions app.
44
ms.assetid: 6ec6a46c-bce4-47aa-b8a3-e133baef22eb
55
ms.topic: article
66
ms.date: 09/03/2019
77
ms.custom: seodec18, fasttrack-edit
88
---
99

10-
# Configure your App Service app to use Azure AD login
10+
# Configure your App Service or Azure Functions app to use Azure AD login
1111

1212
[!INCLUDE [app-service-mobile-selector-authentication](../../includes/app-service-mobile-selector-authentication.md)]
1313

14-
This article shows you how to configure Azure App Service to use Azure Active Directory (Azure AD) as an authentication provider.
14+
This article shows you how to configure Azure App Service or Azure Functions to use Azure Active Directory (Azure AD) as an authentication provider.
15+
16+
> [!NOTE]
17+
> At this time, [Azure Active Directory v2.0](../active-directory/develop/v2-overview.md) (including [MSAL](../active-directory/develop/msal-overview.md)) is not supported for Azure App Service and Azure Functions. Please check back for updates.
18+
>
1519
1620
Follow these best practices when setting up your app and authentication:
1721

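Review bot: ms.date at line 7 of the front matter stays 09/03/2019 while the title, description, intro sentence and a new NOTE block all change in this hunk; bump it so the article is visibly marked as revised. The added NOTE ("At this time, Azure Active Directory v2.0 (including MSAL) is not supported for Azure App Service and Azure Functions. Please check back for updates.") is the same text this PR also adds to overview-authentication-authorization.md; keeping it in one shared include would stop the two copies drifting when v2.0 support changes.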
@@ -67,7 +71,8 @@ Perform the following steps:
6771
1. In **Redirect URI**, select **Web** and type `<app-url>/.auth/login/aad/callback`. For example, `https://contoso.azurewebsites.net/.auth/login/aad/callback`.
6872
1. Select **Create**.
6973
1. After the app registration is created, copy the **Application (client) ID** and the **Directory (tenant) ID** for later.
70-
1. Select **Branding**. In **Home page URL**, enter the URL of your App Service app and select **Save**.
74+
1. Select **Authentication**. Under **Implicit grant**, enable **ID tokens** to allow OpenID Connect user sign-ins from App Service.
75+
1. (Optional) Select **Branding**. In **Home page URL**, enter the URL of your App Service app and select **Save**.
7176
1. Select **Expose an API** > **Set**. Paste in the URL of your App Service app and select **Save**.
7277

7378
> [!NOTE]
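Review bot: the new step "Select **Authentication**. Under **Implicit grant**, enable **ID tokens**" should state explicitly that nothing else under Implicit grant needs to be enabled; the sign-in flow described here only needs the ID token, and enabling more than that widens the app registration beyond what the procedure uses. Also, the neighbouring steps still say "the URL of your App Service app" (the new optional Branding step and the unchanged Expose an API step), although the point of this PR is that the procedure applies to Azure Functions too; use "App Service or Azure Functions app" there for consistency with the new title.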
@@ -91,7 +96,7 @@ Perform the following steps:
9196
|Field|Description|
9297
|-|-|
9398
|Client ID| Use the **Application (client) ID** of the app registration. |
94-
|Issuer ID| Use `https://login.microsoftonline.com/<tenant-id>`, and replace *\<tenant-id>* with the **Directory (tenant) ID** of the app registration. |
99+
|Issuer Url| Use `https://login.microsoftonline.com/<tenant-id>`, and replace *\<tenant-id>* with the **Directory (tenant) ID** of the app registration. This value is used to redirect users to the correct Azure AD tenant, as well as to download the appropriate metadata to determine the appropriate token signing keys and token issuer claim value for example. |
95100
|Client Secret (Optional)| Use the client secret you generated in the app registration.|
96101
|Allowed Token Audiences| If this is a cloud or server app and you want to allow authentication tokens from a web app, add the **Application ID URI** of the web app here. The configured **Client ID** is *always* implicitly considered to be an allowed audience. |
97102

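Review bot: the explanation added to the Issuer Url row reads awkwardly ("download the appropriate metadata to determine the appropriate token signing keys and token issuer claim value for example"); suggest "App Service uses this value to redirect users to the correct Azure AD tenant and to download that tenant's metadata, which supplies the token signing keys and the expected issuer claim." That wording also makes the security meaning clear: this field pins which tenant's tokens are trusted, so a wrong tenant ID here causes tokens from the intended tenant to be rejected. Since the label changes from "Issuer ID" to "Issuer Url", check that no other text in this article or in app-service-authentication-how-to.md still refers to "Issuer ID".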
@@ -101,21 +106,21 @@ You're now ready to use Azure Active Directory for authentication in your App Se
101106

102107
## Configure a native client application
103108

104-
You can register native clients to allow authentication using a client library such as the **Active Directory Authentication Library**.
109+
You can register native clients to allow authentication to Web API's hosted in your app using a client library such as the **Active Directory Authentication Library**.
105110

106111
1. In the [Azure portal], select **Active Directory** > **App registrations** > **New registration**.
107112
1. In the **Register an application** page, enter a **Name** for your app registration.
108113
1. In **Redirect URI**, select **Public client (mobile & desktop)** and type the URL `<app-url>/.auth/login/aad/callback`. For example, `https://contoso.azurewebsites.net/.auth/login/aad/callback`.
109114

110115
> [!NOTE]
111-
> For a Windows application, use the [package SID](../app-service-mobile/app-service-mobile-dotnet-how-to-use-client-library.md#package-sid) as the URI instead.
116+
> For a Microsoft Store application, use the [package SID](../app-service-mobile/app-service-mobile-dotnet-how-to-use-client-library.md#package-sid) as the URI instead.
112117
1. Select **Create**.
113118
1. After the app registration is created, copy the value of **Application (client) ID**.
114119
1. Select **API permissions** > **Add a permission** > **My APIs**.
115120
1. Select the app registration you created earlier for your App Service app. If you don't see the app registration, make sure that you've added the **user_impersonation** scope in [Create an app registration in Azure AD for your App Service app](#register).
116121
1. Select **user_impersonation**, and then select **Add permissions**.
117122

118-
You have now configured a native client application that can access your App Service app.
123+
You have now configured a native client application that can access your App Service app on behalf of a user.
119124

120125
## <a name="related-content"> </a>Next steps
121126

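Review bot: "Web API's" in the rewritten sentence ("allow authentication to Web API's hosted in your app") should be "web APIs" (plural, no apostrophe). The rename from "Windows application" to "Microsoft Store application" in the package SID note and the "on behalf of a user" clarification at the end read correctly.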
articles/app-service/configure-authentication-provider-facebook.md

Lines changed: 4 additions & 3 deletions
@@ -1,19 +1,20 @@
11
---
22
title: Configure Facebook authentication
3-
description: Learn how to configure Facebook authentication as an identity provider for your App Service app.
3+
description: Learn how to configure Facebook authentication as an identity provider for your App Service or Azure Functions app.
44

55
ms.assetid: b6b4f062-fcb4-47b3-b75a-ec4cb51a62fd
66
ms.topic: article
77
ms.date: 06/06/2019
88
ms.custom: seodec18
9+
ms.custom: fasttrack-edit
910

1011
---
1112

12-
# Configure your App Service app to use Facebook login
13+
# Configure your App Service or Azure Functions app to use Facebook login
1314

1415
[!INCLUDE [app-service-mobile-selector-authentication](../../includes/app-service-mobile-selector-authentication.md)]
1516

16-
This article shows how to configure Azure App Service to use Facebook as an authentication provider.
17+
This article shows how to configure Azure App Service or Azure Functions to use Facebook as an authentication provider.
1718

1819
To complete the procedure in this article, you need a Facebook account that has a verified email address and a mobile phone number. To create a new Facebook account, go to [facebook.com].
1920

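Review bot: the front matter now declares `ms.custom` twice (existing line 8 `ms.custom: seodec18`, new line 9 `ms.custom: fasttrack-edit`); duplicate keys in a YAML mapping are invalid and, at best, one value silently wins. Merge them into one line, `ms.custom: seodec18, fasttrack-edit`, as configure-authentication-provider-aad.md already does. ms.date (06/06/2019) should also be bumped for the content change.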
articles/app-service/configure-authentication-provider-google.md

Lines changed: 4 additions & 3 deletions
@@ -1,18 +1,19 @@
11
---
22
title: Configure Google authentication
3-
description: Learn how to configure Google authentication as an identity provider for your App Service app.
3+
description: Learn how to configure Google authentication as an identity provider for your App Service or Azure Functions app.
44
ms.assetid: 2b2f9abf-9120-4aac-ac5b-4a268d9b6e2b
55
ms.topic: article
66
ms.date: 09/02/2019
77
ms.custom: seodec18
8+
ms.custom: fasttrack-edit
89

910
---
1011

11-
# Configure your App Service app to use Google login
12+
# Configure your App Service or Azure Functions app to use Google login
1213

1314
[!INCLUDE [app-service-mobile-selector-authentication](../../includes/app-service-mobile-selector-authentication.md)]
1415

15-
This topic shows you how to configure Azure App Service to use Google as an authentication provider.
16+
This topic shows you how to configure Azure App Service or Azure Functions to use Google as an authentication provider.
1617

1718
To complete the procedure in this topic, you must have a Google account that has a verified email address. To create a new Google account, go to [accounts.google.com](https://go.microsoft.com/fwlink/p/?LinkId=268302).
1819

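Review bot: same duplicate `ms.custom` key as in the Facebook article: line 7 keeps `ms.custom: seodec18` and the new line 8 adds `ms.custom: fasttrack-edit`. Fold the two into `ms.custom: seodec18, fasttrack-edit` on one line and bump ms.date (09/02/2019) while editing the front matter.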
articles/app-service/configure-authentication-provider-microsoft.md

Lines changed: 4 additions & 3 deletions
@@ -1,19 +1,20 @@
11
---
22
title: Configure Microsoft authentication
3-
description: Learn how to configure Microsoft Account authentication as an identity provider for your App Service app.
3+
description: Learn how to configure Microsoft Account authentication as an identity provider for your App Service or Azure Functions app.
44

55
ms.assetid: ffbc6064-edf6-474d-971c-695598fd08bf
66
ms.topic: article
77
ms.date: 08/08/2019
88
ms.custom: seodec18
9+
ms.custom: fasttrack-edit
910

1011
---
1112

12-
# Configure your App Service app to use Microsoft Account login
13+
# Configure your App Service or Azure Functions app to use Microsoft Account login
1314

1415
[!INCLUDE [app-service-mobile-selector-authentication](../../includes/app-service-mobile-selector-authentication.md)]
1516

16-
This topic shows you how to configure Azure App Service to use AAD to support personal Microsoft account logins.
17+
This topic shows you how to configure Azure App Service or Azure Functions to use AAD to support personal Microsoft account logins.
1718

1819
> [!NOTE]
1920
> Both personal Microsoft accounts and organizational accounts use the AAD identity provider. At this time, is not possible to configure this identity provider to support both types of log-ins.

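Review bot: `ms.custom` is declared twice in the front matter here as well (`seodec18` on line 8, `fasttrack-edit` on the new line 9); merge them into a single `ms.custom: seodec18, fasttrack-edit` line. The unchanged NOTE at the end of the hunk, "At this time, is not possible to configure this identity provider", is missing "it" ("it is not possible"); worth fixing in the same touch of this file.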
articles/app-service/configure-authentication-provider-twitter.md

Lines changed: 4 additions & 3 deletions
@@ -1,19 +1,20 @@
11
---
22
title: Configure Twitter authentication
3-
description: Learn how to configure Twitter authentication as an identity provider for your App Service app.
3+
description: Learn how to configure Twitter authentication as an identity provider for your App Service or Azure Functions app.
44

55
ms.assetid: c6dc91d7-30f6-448c-9f2d-8e91104cde73
66
ms.topic: article
77
ms.date: 02/28/2020
88
ms.custom: seodec18
9+
ms.custom: fasttrack-edit
910

1011
---
1112

12-
# Configure your App Service app to use Twitter login
13+
# Configure your App Service or Azure Functions app to use Twitter login
1314

1415
[!INCLUDE [app-service-mobile-selector-authentication](../../includes/app-service-mobile-selector-authentication.md)]
1516

16-
This article shows how to configure Azure App Service to use Twitter as an authentication provider.
17+
This article shows how to configure Azure App Service or Azure Functions to use Twitter as an authentication provider.
1718

1819
To complete the procedure in this article, you need a Twitter account that has a verified email address and phone number. To create a new Twitter account, go to [twitter.com].
1920

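Review bot: duplicate `ms.custom` key again (line 8 `ms.custom: seodec18`, new line 9 `ms.custom: fasttrack-edit`); YAML mappings cannot carry the same key twice, so combine them as `ms.custom: seodec18, fasttrack-edit` on one line, matching the AAD article in this PR.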
articles/app-service/overview-authentication-authorization.md

Lines changed: 11 additions & 10 deletions
@@ -1,25 +1,26 @@
11
---
22
title: Authentication and authorization
3-
description: Find out about the built-in authentication and authorization support in Azure App Service, and how it can help secure your app against unauthorized access.
3+
description: Find out about the built-in authentication and authorization support in Azure App Service and Azure Functions, and how it can help secure your app against unauthorized access.
44
ms.assetid: b7151b57-09e5-4c77-a10c-375a262f17e5
55
ms.topic: article
66
ms.date: 08/12/2019
77
ms.reviewer: mahender
88
ms.custom: seodec18
9+
ms.custom: fasttrack-edit
910

1011
---
11-
# Authentication and authorization in Azure App Service
12+
# Authentication and authorization in Azure App Service and Azure Functions
1213

1314
> [!NOTE]
14-
> At this time, AAD V2 (including MSAL) is not supported for Azure App Services and Azure Functions. Please check back for updates.
15+
> At this time, [Azure Active Directory v2.0](../active-directory/develop/v2-overview.md) (including [MSAL](../active-directory/develop/msal-overview.md)) is not supported for Azure App Service and Azure Functions. Please check back for updates.
1516
>
1617
1718
Azure App Service provides built-in authentication and authorization support, so you can sign in users and access data by writing minimal or no code in your web app, RESTful API, and mobile back end, and also [Azure Functions](../azure-functions/functions-overview.md). This article describes how App Service helps simplify authentication and authorization for your app.
1819

1920
Secure authentication and authorization require deep understanding of security, including federation, encryption, [JSON web tokens (JWT)](https://wikipedia.org/wiki/JSON_Web_Token) management, [grant types](https://oauth.net/2/grant-types/), and so on. App Service provides these utilities so that you can spend more time and energy on providing business value to your customer.
2021

2122
> [!IMPORTANT]
22-
> You're not required to use App Service for AuthN/AuthO. You can use the bundled security features in your web framework of choice, or you can write your own utilities. However, keep in mind that [Chrome 80 is making breaking changes to its implementation of SameSite for cookies](https://www.chromestatus.com/feature/5088147346030592) (release date around March 2020), and custom remote authentication or other scenarios that rely on cross-site cookie posting may break when client Chrome browsers are updated. The workaround is complex because it needs to support different SameSite behaviors for different browsers.
23+
> You're not required to use this feature for authentication and authorization. You can use the bundled security features in your web framework of choice, or you can write your own utilities. However, keep in mind that [Chrome 80 is making breaking changes to its implementation of SameSite for cookies](https://www.chromestatus.com/feature/5088147346030592) (release date around March 2020), and custom remote authentication or other scenarios that rely on cross-site cookie posting may break when client Chrome browsers are updated. The workaround is complex because it needs to support different SameSite behaviors for different browsers.
2324
>
2425
> The ASP.NET Core 2.1 and above versions hosted by App Service are already patched for this breaking change and handle Chrome 80 and older browsers appropriately. In addition, the same patch for ASP.NET Framework 4.7.2 is being deployed on the App Service instances throughout January 2020. For more information, including how to know if your app has received the patch, see [Azure App Service SameSite cookie update](https://azure.microsoft.com/updates/app-service-samesite-cookie-update/).
2526
>
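Review bot: the new line 9 `ms.custom: fasttrack-edit` duplicates the `ms.custom` key already on line 8; combine them into `ms.custom: seodec18, fasttrack-edit`. With the title now "Authentication and authorization in Azure App Service and Azure Functions", the unchanged opening sentence at line 18 ("Azure App Service provides built-in authentication and authorization support ... and also Azure Functions") still treats Functions as an afterthought; "Azure App Service and Azure Functions provide built-in ..." would match the new framing. The rewritten AAD v2.0 NOTE is now identical to the one added to configure-authentication-provider-aad.md; a shared include would keep them in step.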
@@ -41,11 +42,11 @@ This module handles several things for your app:
4142

4243
The module runs separately from your application code and is configured using app settings. No SDKs, specific languages, or changes to your application code are required.
4344

44-
### User claims
45+
### User/Application claims
4546

46-
For all language frameworks, App Service makes the user's claims available to your code by injecting them into the request headers. For ASP.NET 4.6 apps, App Service populates [ClaimsPrincipal.Current](/dotnet/api/system.security.claims.claimsprincipal.current) with the authenticated user's claims, so you can follow the standard .NET code pattern, including the `[Authorize]` attribute. Similarly, for PHP apps, App Service populates the `_SERVER['REMOTE_USER']` variable. For Java apps, the claims are [accessible from the Tomcat servlet](containers/configure-language-java.md#authenticate-users-easy-auth).
47+
For all language frameworks, App Service makes the claims in the incoming token (whether that be from an authenticated end user or a client application) available to your code by injecting them into the request headers. For ASP.NET 4.6 apps, App Service populates [ClaimsPrincipal.Current](/dotnet/api/system.security.claims.claimsprincipal.current) with the authenticated user's claims, so you can follow the standard .NET code pattern, including the `[Authorize]` attribute. Similarly, for PHP apps, App Service populates the `_SERVER['REMOTE_USER']` variable. For Java apps, the claims are [accessible from the Tomcat servlet](containers/configure-language-java.md#authenticate-users-easy-auth).
4748

48-
For [Azure Functions](../azure-functions/functions-overview.md), `ClaimsPrincipal.Current` is not hydrated for .NET code, but you can still find the user claims in the request headers.
49+
For [Azure Functions](../azure-functions/functions-overview.md), `ClaimsPrincipal.Current` is not populated for .NET code, but you can still find the user claims in the request headers, or get the `ClaimsPrincipal` object from the request context or even through a binding parameter. See [working with client identities](../azure-functions/functions-bindings-http-webhook-trigger.md#working-with-client-identities) for more information.
4950

5051
For more information, see [Access user claims](app-service-authentication-how-to.md#access-user-claims).
5152

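Review bot: the new heading "User/Application claims" and the rewritten first sentence say the injected headers carry claims "whether that be from an authenticated end user or a client application", but the following ASP.NET, PHP and Java sentences still speak only of "the authenticated user's claims". Say whether ClaimsPrincipal.Current and `_SERVER['REMOTE_USER']` are populated when the incoming token is an application token rather than a user token, because code that branches on the user identity will behave differently for such a caller. In the Functions paragraph, "or even through a binding parameter" is informal; "or through a binding parameter" reads better.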
@@ -58,13 +59,13 @@ App Service provides a built-in token store, which is a repository of tokens tha
5859

5960
You typically must write code to collect, store, and refresh these tokens in your application. With the token store, you just [retrieve the tokens](app-service-authentication-how-to.md#retrieve-tokens-in-app-code) when you need them and [tell App Service to refresh them](app-service-authentication-how-to.md#refresh-identity-provider-tokens) when they become invalid.
6061

61-
The id tokens, access tokens, and refresh tokens cached for the authenticated session, and they're accessible only by the associated user.
62+
The id tokens, access tokens, and refresh tokens are cached for the authenticated session, and they're accessible only by the associated user.
6263

6364
If you don't need to work with tokens in your app, you can disable the token store.
6465

6566
### Logging and tracing
6667

67-
If you [enable application logging](troubleshoot-diagnostic-logs.md), you will see authentication and authorization traces directly in your log files. If you see an authentication error that you didnt expect, you can conveniently find all the details by looking in your existing application logs. If you enable [failed request tracing](troubleshoot-diagnostic-logs.md), you can see exactly what role the authentication and authorization module may have played in a failed request. In the trace logs, look for references to a module named `EasyAuthModule_32/64`.
68+
If you [enable application logging](troubleshoot-diagnostic-logs.md), you will see authentication and authorization traces directly in your log files. If you see an authentication error that you didn't expect, you can conveniently find all the details by looking in your existing application logs. If you enable [failed request tracing](troubleshoot-diagnostic-logs.md), you can see exactly what role the authentication and authorization module may have played in a failed request. In the trace logs, look for references to a module named `EasyAuthModule_32/64`.
6869

6970
## Identity providers
7071

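Review bot: both fixes are correct (the missing "are" in "are cached for the authenticated session" and the apostrophe in "didn't"). While here, "id tokens" at line 62 should be "ID tokens", matching the capitalization this same PR uses in configure-authentication-provider-aad.md.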
@@ -88,7 +89,7 @@ The authentication flow is the same for all providers, but differs depending on
8889
- With provider SDK: The application signs users in to the provider manually and then submits the authentication token to App Service for validation. This is typically the case with browser-less apps, which can't present the provider's sign-in page to the user. The application code manages the sign-in process, so it is also called _client-directed flow_ or _client flow_. This case applies to REST APIs, [Azure Functions](../azure-functions/functions-overview.md), and JavaScript browser clients, as well as browser apps that need more flexibility in the sign-in process. It also applies to native mobile apps that sign users in using the provider's SDK.
8990

9091
> [!NOTE]
91-
> Calls from a trusted browser app in App Service calls another REST API in App Service or [Azure Functions](../azure-functions/functions-overview.md) can be authenticated using the server-directed flow. For more information, see [Customize authentication and authorization in App Service](app-service-authentication-how-to.md).
92+
> Calls from a trusted browser app in App Service to another REST API in App Service or [Azure Functions](../azure-functions/functions-overview.md) can be authenticated using the server-directed flow. For more information, see [Customize authentication and authorization in App Service](app-service-authentication-how-to.md).
9293
>
9394
9495
The table below shows the steps of the authentication flow.
