Clarity updates

Esther Fan · Esther Fan · commit 9516d45fb1bd · 2023-07-18T23:03:35.000-07:00
diff --git a/articles/logic-apps/logic-apps-securing-a-logic-app.md b/articles/logic-apps/logic-apps-securing-a-logic-app.md
@@ -725,29 +725,7 @@ In a Standard logic app workflow that starts with the Request trigger (but not a
 
 * An inbound call to the request endpoint can use only one authorization scheme, either Azure AD OAuth or [Shared Access Signature (SAS)](#sas). Although using one scheme doesn't disable the other scheme, using both schemes at the same time causes an error because Azure Logic Apps doesn't know which scheme to choose.
 
-* Azure Logic Apps supports either [bearer type](../active-directory/develop/active-directory-v2-protocols.md#tokens) or [proof-of-possession type (Consumption logic app only)](/entra/msal/dotnet/advanced/proof-of-possession-tokens) authorization schemes for Azure AD OAuth access tokens. So, the `Authorization` header for the access token must specify either the `Bearer` type or `PoP` type. For more information about how to get and use a PoP token, see [Get a Proof of Possession (PoP) token](#get-pop).
-
-  To enable Azure AD OAuth so that this option is the only way to call the request endpoint, use the following steps:
-
-  1. To enable the capability to check the OAuth access token, [follow the steps to include 'Authorization' header in the Request or HTTP webhook trigger outputs](#include-auth-header).
-
-     > [!NOTE]
-     >
-     > This step makes the `Authorization` header visible in the workflow's run history 
-     > and in the trigger's outputs.
-
-  1. In the [Azure portal](https://portal.azure.com), open your Consumption logic app workflow in the designer.
-
-  1. On the trigger, in the upper right corner, select the ellipses (**...**) button, and then select **Settings**.
-
-  1. Under **Trigger Conditions**, select **Add**. In the trigger condition box, enter the following expression, and select **Done**.
-
-     `@startsWith(triggerOutputs()?['headers']?['Authorization'], 'Bearer')`
-
-  > [!NOTE]
-  > If you call the trigger endpoint without the correct authorization, 
-  > the run history just shows the trigger as `Skipped` without any 
-  > message that the trigger condition has failed.
+* Azure Logic Apps supports either the [bearer type](../active-directory/develop/active-directory-v2-protocols.md#tokens) or [proof-of-possession type (Consumption logic app only)](/entra/msal/dotnet/advanced/proof-of-possession-tokens) authorization schemes for Azure AD OAuth access tokens. However, the `Authorization` header for the access token must specify either the `Bearer` type or `PoP` type. For more information about how to get and use a PoP token, see [Get a Proof of Possession (PoP) token](#get-pop).
 
 * Your logic app resource is limited to a maximum number of authorization policies. Each authorization policy also has a maximum number of [claims](../active-directory/develop/developer-glossary.md#claim). For more information, review [Limits and configuration for Azure Logic Apps](../logic-apps/logic-apps-limits-and-config.md#authentication-limits).
 
@@ -796,13 +774,40 @@ In a Standard logic app workflow that starts with the Request trigger (but not a
    }
    ```
 
+#### Enable Azure AD OAuth as the only option to call a request endpoint
+
+1. Set up your Request or HTTP webhook trigger with the capability to check the OAuth access token by [following the steps to include the 'Authorization' header in the Request or HTTP webhook trigger outputs](#include-auth-header).
+
+   > [!NOTE]
+   >
+   > This step makes the `Authorization` header visible in the 
+   > workflow's run history and in the trigger's outputs.
+
+1. In the [Azure portal](https://portal.azure.com), open your Consumption logic app workflow in the designer.
+
+1. On the trigger, in the upper right corner, select the ellipses (**...**) button, and then select **Settings**.
+
+1. Under **Trigger Conditions**, select **Add**. In the trigger condition box, enter either of the following expressions, based on the token type you want to use, and select **Done**.
+
+   `@startsWith(triggerOutputs()?['headers']?['Authorization'], 'Bearer')`
+
+   -or-
+
+   `@startsWith(triggerOutputs()?['headers']?['Authorization'], 'PoP')`
+
+If you call the trigger endpoint without the correct authorization, the run history just shows the trigger as `Skipped` without any message that the trigger condition has failed.
+
 <a name="get-pop"></a>
 
-### Get a Proof-of-Possession (PoP) token
+#### Get a Proof-of-Possession (PoP) token
+
+The Microsoft Authentication Library (MSAL) libraries provide PoP tokens for you to use. If the logic app workflow that you want to call requires a PoP token, you can get this token using the MSAL libraries. The following samples show how to acquire PoP tokens:
+
+* [A .NET Core daemon console application calling a protected Web API with its own identity](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/tree/master/2-Call-OwnApi)
 
-PoP tokens are now available in the MSAL libraries. If the logic app workflow that you want to call requires the Proof-of-Possession token, you can use MSAL to get the token.
+* [SignedHttpRequest aka PoP (Proof of Possession)](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/SignedHttpRequest-aka-PoP-(Proof-of-Possession))
 
-To use the PoP token with your Consumption logic app, follow the next section to [enable Azure AD OAuth](#enable-azure-ad-inbound).
+To use the PoP token with your Consumption logic app, follow the next section to [set up Azure AD OAuth](#enable-azure-ad-inbound).
 
 <a name="enable-azure-ad-inbound"></a>
 
