Commit 8ba966a

committed
missing section
1 parent f3c91d6 commit 8ba966a

5 files changed

+26
-22
lines changed

articles/app-service/app-service-authentication-how-to.md

Lines changed: 7 additions & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -127,7 +127,7 @@ When using fully qualified URLs, the URL must be either hosted in the same domai
127127
GET /.auth/logout?post_logout_redirect_uri=https%3A%2F%2Fmyexternalurl.com
128128
```
129129

130-
You must run the following command in the [Azure Cloud Shell](../cloud-shell/quickstart.md):
130+
Run the following command in the [Azure Cloud Shell](../cloud-shell/quickstart.md):
131131

132132
```azurecli-interactive
133133
az webapp auth update --name <app_name> --resource-group <group_name> --allowed-external-redirect-urls "https://myexternalurl.com"
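Review bot: On new line 130, shortening "You must run" to "Run" drops the only hint that this command is a precondition for the external logout redirect shown just above it. The command is what puts `https://myexternalurl.com` on the allowed external redirect list, so say that in the sentence, for example "To allow the redirect to this external URL, run the following command in the Azure Cloud Shell:".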
@@ -194,7 +194,7 @@ When your provider's access token (not the [session token](#extend-session-token
194194

195195
Once your provider is configured, you can [find the refresh token and the expiration time for the access token](#retrieve-tokens-in-app-code) in the token store.
196196

197-
To refresh your access token at anytime, just call `/.auth/refresh` in any language. The following snippet uses jQuery to refresh your access tokens from a JavaScript client.
197+
To refresh your access token at any time, just call `/.auth/refresh` in any language. The following snippet uses jQuery to refresh your access tokens from a JavaScript client.
198198

199199
```JavaScript
200200
function refreshTokens() {
@@ -247,6 +247,10 @@ This setting appends the `domain_hint` query string parameter to the login redir
247247

248248
While App Service takes care of the simplest authorization case (i.e. reject unauthenticated requests), your app may require more fine-grained authorization behavior, such as limiting access to only a specific group of users. In certain cases, you need to write custom application code to allow or deny access to the signed-in user. In other cases, App Service or your identity provider may be able to help without requiring code changes.
249249

250+
- [Server level](#server-level-windows-apps-only)
251+
- [Identity provider level](#identity-provider-level)
252+
- [Application level](#application-level)
253+
250254
### Server level (Windows apps only)
251255

252256
For any Windows app, you can define authorization behavior of the IIS web server, by editing the *Web.config* file. Linux apps don't use IIS and can't be configured through *Web.config*.
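Review bot: The three links added at new lines 250-252 follow the paragraph ending "without requiring code changes." with no lead-in, so the list reads as detached navigation rather than as the set of places where access can be allowed or denied. Add an introductory sentence before the list, for example "You can authorize users at one of the following levels:". The `#identity-provider-level` target heading is not visible in this diff, so confirm that anchor resolves.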
@@ -278,7 +282,7 @@ The identity provider may provide certain turn-key authorization. For example:
278282

279283
### Application level
280284

281-
285+
If either of the other levels don't provide the authorization you need, or if your platform or identity provider isn't supported, you must write custom code to authorize users based on the [user claims](#access-user-claims).
282286

283287
## Next steps
284288
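Review bot: In the paragraph added at new line 285, "If either of the other levels don't provide" has a subject-verb mismatch; use "If neither of the other levels provides the authorization you need". "your platform or identity provider isn't supported" also leaves open what it is not supported by; naming the two levels it refers to (server level, identity provider level) would make the fallback condition unambiguous.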

articles/app-service/configure-authentication-provider-aad.md

Lines changed: 7 additions & 7 deletions
@@ -28,7 +28,7 @@ ms.custom: seodec18
2828
2929
This article shows you how to configure Azure App Service to use Azure Active Directory as an authentication provider.
3030

31-
You should configure each App Service app with its own registration, so it has its own permissions and consent. Also, consider using separate app registrations for separate deployment slots. This avoids permission sharing between environments, so that a bug in new code you are testing does not affect production.
31+
It's recommended that you configure each App Service app with its own registration, so it has its own permissions and consent. Also, consider using separate app registrations for separate deployment slots. This avoids permission sharing between environments, so that an issue in new code you're testing does not affect production.
3232

3333
## <a name="express"> </a>Configure with express settings
3434
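Review bot: On new line 31, "It's recommended that you configure" is more indirect than the "You should configure" it replaces, and it runs against the edit in app-service-authentication-how-to.md, where "You must run" became the imperative "Run". This sentence carries the isolation advice (own permissions and consent per app, separate registrations per deployment slot), so keep it direct: "Configure each App Service app with its own registration". The same line also mixes "you're testing" with "does not affect"; use one contraction style.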

@@ -39,7 +39,7 @@ You should configure each App Service app with its own registration, so it has i
3939
app registration instead, click **Select an existing app** and then search for the name of a previously created app registration within your tenant.
4040
Click the app registration to select it and click **OK**. Then click **OK** on the Azure Active Directory settings page.
4141
By default, App Service provides authentication but does not restrict authorized access to your site content and APIs. You must authorize users in your app code.
42-
5. (Optional) To restrict access to your site to only users authenticated by Azure Active Directory, set **Action to take when request is not authenticated** to **Log in with Azure Active Directory**. This requires that all requests be authenticated, and all unauthenticated requests are redirected to Azure Active Directory for authentication.
42+
5. (Optional) To restrict access to your app to only users authenticated by Azure Active Directory, set **Action to take when request is not authenticated** to **Log in with Azure Active Directory**. This requires that all requests be authenticated, and all unauthenticated requests are redirected to Azure Active Directory for authentication.
4343

4444
> [!CAUTION]
4545
> Restricting access in this way applies to all calls to your app, which may not be desirable for apps wanting a publicly available home page, as in many single-page applications. For such applications, **Allow anonymous requests (no action)** may be preferred, with the app manually starting login itself, as described [here](overview-authentication-authorization.md#authentication-flow).
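Review bot: The "site" to "app" change on new line 42 is applied only to this step. The unchanged context line directly above still says "your site content and APIs", and step 4 in configure-authentication-provider-google.md still reads "To restrict access to your site", so the terminology is now inconsistent across the articles touched by this commit. Also consider replacing "You must authorize users in your app code" on line 41 with the link the Google article uses (`app-service-authentication-how-to.md#authorize-or-deny-users`), since this commit adds the section it points to.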
@@ -48,13 +48,13 @@ You should configure each App Service app with its own registration, so it has i
4848

4949
## <a name="advanced"> </a>Configure with advanced settings
5050

51-
You can also provide configuration settings manually. This is the preferred solution if the Azure Active Directory tenant you wish to use is different from the tenant with which you sign into Azure. To complete the configuration, you must first create a registration in Azure Active Directory, and then you must provide some of the registration details to App Service.
51+
You can also provide configuration settings manually, if the Azure Active Directory tenant you want to use is different from the tenant with which you sign into Azure. To complete the configuration, you must first create a registration in Azure Active Directory, and then you must provide some of the registration details to App Service.
5252

5353
### <a name="register"> </a>Create an app registration in Azure AD for your App Service app
5454

55-
When creating an app registration, note three pieces of information that you will need later when configuring your App Service app: the client ID, the tenant ID, and optionally the client secret and the app ID URI.
55+
When creating an app registration manually, note three pieces of information that you will need later when configuring your App Service app: the client ID, the tenant ID, and optionally the client secret and the application ID URI.
5656

57-
1. In the [Azure portal], navigate to your App Service app and note your app's **URL**. You will use this to configure your Azure Active Directory app registration.
57+
1. In the [Azure portal], navigate to your App Service app and note your app's **URL**. You will use it to configure your Azure Active Directory app registration.
5858
2. In the [Azure portal], from the left menu, select **Active Directory** > **App registrations** > **New registration**.
5959
3. In the **Register an application** page, enter a **Name** for your app registration.
6060
1. In **Redirect URI**, select **Web** and type the URL of your App Service app and append the path `/.auth/login/aad/callback`. For example, `https://contoso.azurewebsites.net/.auth/login/aad/callback`. Then select **Create**.
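Review bot: On new line 51, folding the second sentence into ", if the Azure Active Directory tenant you want to use is different from the tenant with which you sign into Azure" turns a preference into a condition: the text now reads as if manual configuration is only available when the tenants differ. Something like "You can also provide configuration settings manually. Use this option if the tenant you want to use is different from ..." keeps the original meaning. On new line 55, "note three pieces of information" is followed by four items (client ID, tenant ID, client secret, application ID URI); drop the count or correct it.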
@@ -80,13 +80,13 @@ When creating an app registration, note three pieces of information that you wil
8080
|Client ID| Use the **Application (client) ID** of the app registration. |
8181
|Issuer ID| Use `https://login.microsoftonline.com/<tenant-id>`, and replace *\<tenant-id>* with the **Directory (tenant) ID** of the app registration. |
8282
|Client Secret (Optional)| Use the client secret you generated in the app registration.|
83-
|Allowed Token Audiences| If this is a *back end* app and you want to allow authentication tokens from a front end app, add the **Application ID URI** of the *front end* here. |
83+
|Allowed Token Audiences| If this is a *back-end* app and you want to allow authentication tokens from a front-end app, add the **Application ID URI** of the *front end* here. |
8484
1. Select **OK**, then select **Save**.
8585

8686
You are now ready to use Azure Active Directory for authentication in your App Service app.
8787

8888
## Configure a native client application
89-
You can register native clients, which provides greater control over permissions mapping. You need this if you wish to perform sign-ins using a client library such as the **Active Directory Authentication Library**.
89+
You can register native clients if you wish to perform sign-ins using a client library such as the **Active Directory Authentication Library**.
9090

9191
2. In the [Azure portal], from the left menu, select **Active Directory** > **App registrations** > **New registration**.
9292
3. In the **Register an application** page, enter a **Name** for your app registration.
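Review bot: On new line 89, the rewrite changes "You need this if you wish to perform sign-ins using a client library" to "You can register native clients if you wish to ...", which makes the registration sound optional for library-based sign-in. If it is required, say so: "Register a native client if you want to perform sign-ins using a client library such as ...". The sentence also sits directly under the `## Configure a native client application` heading with no blank line, and the step list below it starts at "2."; both are worth fixing while this paragraph is being edited.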

articles/app-service/configure-authentication-provider-facebook.md

Lines changed: 5 additions & 5 deletions
@@ -27,23 +27,23 @@ To complete the procedure in this topic, you must have a Facebook account that h
2727

2828
## <a name="register"> </a>Register your application with Facebook
2929
1. Navigate to the [Facebook Developers] website and sign-in with your Facebook account credentials.
30-
3. (Optional) If you don't have a Facebook for Developers account, click **Get Started** and follow the registration steps.
30+
3. (Optional) If you don't have a Facebook for Developers account, click **Get Started**, and follow the registration steps.
3131
4. Click **My Apps** > **Add New App**.
32-
5. In **Display Name**, type a unique name for your app. Also provide your **Contact Email**, and then click **Create App ID** and complete the security check. This takes you to the developer dashboard for your new Facebook app.
32+
5. In **Display Name**, type a unique name for your app. Also provide your **Contact Email**, and then click **Create App ID** and complete the security check. The developer dashboard for your new Facebook app is opened.
3333
6. Click **Dashboard** > **Facebook Login** > **Set up** > **Web**.
3434
1. In the left-hand navigation under **Facebook Login**, click **Settings**.
3535
1. In **Valid OAuth redirect URIs**, type `https://<app-name>.azurewebsites.net/.auth/login/facebook/callback` and replace *\<app-name>* with the name of your Azure App Service app. Click **Save Changes**.
36-
8. In the left-hand navigation, click **Settings** > **Basic**. On the **App Secret** field, click **Show**. Copy the values of **App ID** and **App Secret**. You use these later to configure your App Service app in Azure.
36+
8. In the left-hand navigation, click **Settings** > **Basic**. On the **App Secret** field, click **Show**. Copy the values of **App ID** and **App Secret**. You use them later to configure your App Service app in Azure.
3737

3838
> [!IMPORTANT]
3939
> The app secret is an important security credential. Do not share this secret with anyone or distribute it within a client application.
4040
>
4141
>
42-
9. The Facebook account which was used to register the application is an administrator of the app. At this point, only administrators can sign into this application. To authenticate other Facebook accounts, click **App Review** and enable **Make \<your-app-name> public** to enable general public access using Facebook authentication.
42+
9. The Facebook account that you used to register the application is an administrator of the app. At this point, only administrators can sign into this application. To authenticate other Facebook accounts, click **App Review** and enable **Make \<your-app-name> public** to enable general public access using Facebook authentication.
4343

4444
## <a name="secrets"> </a>Add Facebook information to your application
4545
1. Sign in to the [Azure portal] and navigate to your App Service app. Click **Settings** > **Authentication / Authorization**, and make sure that **App Service Authentication** is **On**.
46-
2. Click **Facebook**, paste in the App ID and App Secret values which you obtained previously, optionally enable any scopes needed by your application, then click **OK**.
46+
2. Click **Facebook**, paste in the App ID and App Secret values that you obtained previously, optionally enable any scopes needed by your application, then click **OK**.
4747

4848
![][0]
4949
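Review bot: On new line 32, "The developer dashboard for your new Facebook app is opened." is an awkward passive; "The developer dashboard for your new Facebook app opens." reads better and still avoids the vague "This". On new line 30, the comma added after **Get Started** separates two verbs with the same subject and is not needed. The step numbers in this list (1, 3, 4, 5, 6, 1, 1, 8, 9) are also out of sequence; using "1." throughout would match the other articles in this commit.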

articles/app-service/configure-authentication-provider-google.md

Lines changed: 3 additions & 3 deletions
@@ -29,16 +29,16 @@ To complete the procedure in this topic, you must have a Google account that has
2929
2. Follow the Google documentation at [Google Sign-In for server-side apps](https://developers.google.com/identity/sign-in/web/server-side-flow) to create a client ID and client secret, with the following information (no need to make any code changes):
3030
- For **Authorized JavaScript Origins**, use `https://<app-name>.azurewebsites.net` with the name of your app in *\<app-name>*.
3131
- For **Authorized Redirect URI**, use `https://<app-name>.azurewebsites.net/.auth/login/google/callback`.
32-
1. Once the client ID and client secrets are create, copy their values.
32+
1. Once the client ID and client secrets are created, copy their values.
3333

3434
> [!IMPORTANT]
3535
> The client secret is an important security credential. Do not share this secret with anyone or distribute it within a client application.
3636
3737

3838
## <a name="secrets"> </a>Add Google information to your application
39-
1. In to the [Azure portal], navigate to your App Service app. From the left menu, select **Authentication / Authorization**.
39+
1. In the [Azure portal], navigate to your App Service app. From the left menu, select **Authentication / Authorization**.
4040
2. If the Authentication / Authorization feature is not enabled, turn the switch to **On**.
41-
3. Click **Google**. Paste in the App ID and App Secret values which you obtained previously, and optionally enable any scopes your application requires. Then click **OK**.
41+
3. Click **Google**. Paste in the App ID and App Secret values that you obtained previously, and optionally enable any scopes your application requires. Then click **OK**.
4242

4343
App Service provides authentication but does not restrict authorized access to your site content and APIs. For more information, see [Authorize or deny users](app-service-authentication-how-to.md#authorize-or-deny-users).
4444
4. (Optional) To restrict access to your site to only users authenticated by Google, set **Action to take when request is not authenticated** to **Google**. This requires that all requests be authenticated, and all unauthenticated requests are redirected to Google for authentication.
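Review bot: New line 41 still tells the reader to paste "the App ID and App Secret values", but the registration steps above call these the client ID and client secret (line 29, and the line 32 being fixed here). Since this line is already being edited, use the Google names so the reader can match the values to what they copied. On new line 32, "client secrets are created" should be singular: one client ID and one client secret are created.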

articles/app-service/configure-authentication-provider-twitter.md

Lines changed: 4 additions & 4 deletions
@@ -26,10 +26,10 @@ This topic shows you how to configure Azure App Service to use Twitter as an aut
2626
To complete the procedure in this topic, you must have a Twitter account that has a verified email address and phone number. To create a new Twitter account, go to <a href="https://go.microsoft.com/fwlink/p/?LinkID=268287" target="_blank">twitter.com</a>.
2727

2828
## <a name="register"> </a>Register your application with Twitter
29-
1. Log on to the [Azure portal], and navigate to your application. Copy your **URL**. You will use this to configure your Twitter app.
29+
1. Log on to the [Azure portal], and navigate to your application. Copy your **URL**. You will use it to configure your Twitter app.
3030
2. Navigate to the [Twitter Developers] website, sign in with your Twitter account credentials, and click **Create New App**.
31-
3. Type in the **Name** and a **Description** for your new app. Paste in your application's **URL** for the **Website** value. Then, for the **Callback URL**, paste the **Callback URL** you copied earlier. This is your Mobile App gateway appended with the path, */.auth/login/twitter/callback*. For example, `https://contoso.azurewebsites.net/.auth/login/twitter/callback`. Make sure that you are using the HTTPS scheme.
32-
4. At the bottom the page, read and accept the terms. Then click **Create your Twitter application**. This registers the app displays the application details.
31+
3. Type in the **Name** and a **Description** for your new app. Paste in your application's **URL** for the **Website** value. Then, for the **Callback URL**, type the URL of your App Service app and append the path `/.auth/login/aad/callback`. For example, `https://contoso.azurewebsites.net/.auth/login/twitter/callback`. Make sure that you are using the HTTPS scheme.
32+
4. At the bottom the page, read and accept the terms. Then click **Create your Twitter application**. The application details are displayed.
3333
5. Click the **Settings** tab, check **Allow this application to be used to sign in with Twitter**, then click **Update Settings**.
3434
6. Select the **Keys and Access Tokens** tab. Make a note of the values of **Consumer Key (API Key)** and **Consumer secret (API Secret)**.
3535
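Review bot: New line 31 tells the reader to append the path `/.auth/login/aad/callback`, but this is the Twitter article and the example in the same sentence uses `/.auth/login/twitter/callback`. The instruction looks copied from the Azure AD article; a reader who follows the text rather than the example will register a callback URL that does not match the Twitter provider endpoint. Change the path to `/.auth/login/twitter/callback`. On new line 32, "At the bottom the page" is missing "of".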

@@ -41,7 +41,7 @@ To complete the procedure in this topic, you must have a Twitter account that ha
4141
## <a name="secrets"> </a>Add Twitter information to your application
4242
1. Back in the [Azure portal], navigate to your application. Click **Settings**, and then **Authentication / Authorization**.
4343
2. If the Authentication / Authorization feature is not enabled, turn the switch to **On**.
44-
3. Click **Twitter**. Paste in the App ID and App Secret values which you obtained previously. Then click **OK**.
44+
3. Click **Twitter**. Paste in the App ID and App Secret values that you obtained previously. Then click **OK**.
4545

4646
![][1]
4747
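Review bot: New line 44 asks for "the App ID and App Secret values", but step 6 of the registration section has the reader note **Consumer Key (API Key)** and **Consumer secret (API Secret)**. Use those names here so the values can be matched to what was copied from Twitter.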
