
Commit 978e6f2

Merge pull request #225740 from omondiatieno/sp-creation-portal-update
rewrite article to improve readability and clarity
2 parents e13306e + 6d9a984 commit 978e6f2

24 files changed

+157
-203
lines changed

articles/active-directory/develop/howto-create-service-principal-portal.md

Lines changed: 61 additions & 107 deletions

articles/active-directory/develop/permissions-consent-overview.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ As an application developer, you must identify how your application will access
2929

3030
In this access scenario, a user has signed into a client application. The client application accesses the resource on behalf of the user. Delegated access requires delegated permissions. Both the client and the user must be authorized separately to make the request. For more information about the delegated access scenario, see [delegated access scenario](delegated-access-primer.md).
3131

32-
For the client app, the correct delegated permissions must be granted. Delegated permissions can also be referred to as scopes. Scopes are permissions for a given resource that represent what a client application can access on behalf of the user. For more information about scopes, see [scopes and permissions](v2-permissions-and-consent.md#scopes-and-permissions).
32+
For the client app, the correct delegated permissions must be granted. Delegated permissions can also be referred to as scopes. Scopes are permissions for a given resource that represent what a client application can access on behalf of the user. For more information about scopes, see [scopes and permissions](scopes-oidc.md).
3333

3434
For the user, the authorization relies on the privileges that the user has been granted for them to access the resource. For example, the user could be authorized to access directory resources by [Azure Active Directory (Azure AD) role-based access control (RBAC)](../roles/custom-overview.md) or to access mail and calendar resources by Exchange Online RBAC. For more information on RBAC for applications, see [RBAC for applications](custom-rbac-for-developers.md).
3535
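Review bot: the retargeted link on line 32 drops the section fragment: `v2-permissions-and-consent.md#scopes-and-permissions` becomes `scopes-oidc.md` with no anchor, while the link text still reads "scopes and permissions". Confirm that `scopes-oidc.md` exists in this tree and, if it has a scopes section, add the matching fragment so the reader lands on the section the sentence promises rather than the top of the article.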

articles/cost-management-billing/manage/assign-roles-azure-service-principals.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ To automate EA actions by using an SPN, you need to create an Azure Active Direc
3232
Follow the steps in these articles to create and authenticate your service principal.
3333

3434
- [Create a service principal](../../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal)
35-
- [Get tenant and app ID values for signing in](../../active-directory/develop/howto-create-service-principal-portal.md#get-tenant-and-app-id-values-for-signing-in)
35+
- [Get tenant and app ID values for signing in](../../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application)
3636

3737
Here's an example of the application registration page.
3838
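Review bot: on line 35 the link text still says "Get tenant and app ID values for signing in" but the fragment now points to `#sign-in-to-the-application`, so the visible text no longer matches the heading it lands on. Consider renaming the link text to the new section title (for example "Sign in to the application") so readers of the EA automation article can recognise the destination.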

articles/data-factory/connector-office-365.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -51,8 +51,8 @@ To copy and transform data from Microsoft 365 (Office 365) into Azure, you need
5151
- Your Microsoft 365 (Office 365) tenant admin must complete on-boarding actions as described [here](/events/build-may-2021/microsoft-365-teams/breakouts/od483/).
5252
- Create and configure an Azure AD web application in Azure Active Directory. For instructions, see [Create an Azure AD application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal).
5353
- Make note of the following values, which you will use to define the linked service for Microsoft 365 (Office 365):
54-
- Tenant ID. For instructions, see [Get tenant ID](../active-directory/develop/howto-create-service-principal-portal.md#get-tenant-and-app-id-values-for-signing-in).
55-
- Application ID and Application key. For instructions, see [Get application ID and authentication key](../active-directory/develop/howto-create-service-principal-portal.md#get-tenant-and-app-id-values-for-signing-in).
54+
- Tenant ID. For instructions, see [Get tenant ID](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
55+
- Application ID and Application key. For instructions, see [Get application ID and authentication key](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
5656
- Add the user identity who will be making the data access request as the owner of the Azure AD web application (from the Azure AD web application > Settings > Owners > Add owner).
5757
- The user identity must be in the Microsoft 365 (Office 365) organization you are getting data from and must not be a Guest user.
5858
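Review bot: lines 54 and 55 send both "Get tenant ID" and "Get application ID and authentication key" to the same `#sign-in-to-the-application` anchor, yet the quickstart hunk in this same commit routes the authentication key to `#set-up-authentication`. Please use one anchor per concept across the commit: tenant and application ID to `#sign-in-to-the-application`, the application key (client secret) to `#set-up-authentication`, so that the data-factory linked-service instructions do not point users at a section that no longer covers creating a secret.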

articles/data-factory/quickstart-create-data-factory-dot-net.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -33,9 +33,9 @@ The walkthrough in this article uses Visual Studio 2019. The procedures for Visu
3333

3434
From the sections in *How to: Use the portal to create an Azure AD application and service principal that can access resources*, follow the instructions to do these tasks:
3535

36-
1. In [Create an Azure Active Directory application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal), create an application that represents the .NET application you are creating in this tutorial. For the sign-on URL, you can provide a dummy URL as shown in the article (`https://contoso.org/exampleapp`).
37-
2. In [Get values for signing in](../active-directory/develop/howto-create-service-principal-portal.md#get-tenant-and-app-id-values-for-signing-in), get the **application ID** and **tenant ID**, and note down these values that you use later in this tutorial.
38-
3. In [Certificates and secrets](../active-directory/develop/howto-create-service-principal-portal.md#authentication-two-options), get the **authentication key**, and note down this value that you use later in this tutorial.
36+
1. In [Create an Azure Active Directory application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal), create an application that represents the .NET application you're creating in this tutorial. For the sign-on URL, you can provide a dummy URL as shown in the article (`https://contoso.org/exampleapp`).
37+
2. In [Get values for signing in](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application), get the **application ID** and **tenant ID**, and note down these values that you use later in this tutorial.
38+
3. In [Certificates and secrets](../active-directory/develop/howto-create-service-principal-portal.md#set-up-authentication), get the **authentication key**, and note down this value that you use later in this tutorial.
3939
4. In [Assign the application to a role](../active-directory/develop/howto-create-service-principal-portal.md#assign-a-role-to-the-application), assign the application to the **Contributor** role at the subscription level so that the application can create data factories in the subscription.
4040

4141
## Create a Visual Studio project
@@ -50,7 +50,7 @@ Next, create a C# .NET console application in Visual Studio:
5050
## Install NuGet packages
5151

5252
1. Select **Tools** > **NuGet Package Manager** > **Package Manager Console**.
53-
2. In the **Package Manager Console** pane, run the following commands to install packages. For more information, see the [Microsoft.Azure.Management.DataFactory nuget package](https://www.nuget.org/packages/Microsoft.Azure.Management.DataFactory/).
53+
2. In the **Package Manager Console** pane, run the following commands to install packages. For more information, see the [Microsoft.Azure.Management.DataFactory NuGet package](https://www.nuget.org/packages/Microsoft.Azure.Management.DataFactory/).
5454

5555
```powershell
5656
Install-Package Microsoft.Azure.Management.DataFactory

articles/data-lake-store/data-lake-store-end-user-authenticate-net-sdk.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -66,7 +66,7 @@ In this article, you learn about how to use the .NET SDK to do end-user authenti
6666
## End-user authentication
6767
Add this snippet in your .NET client application. Replace the placeholder values with the values retrieved from an Azure AD native application (listed as prerequisite). This snippet lets you authenticate your application **interactively** with Data Lake Storage Gen1, which means you are prompted to enter your Azure credentials.
6868

69-
For ease of use, the following snippet uses default values for client ID and redirect URI that are valid for any Azure subscription. In the following snippet, you only need to provide the value for your tenant ID. You can retrieve the Tenant ID using the instructions provided at [Get the tenant ID](../active-directory/develop/howto-create-service-principal-portal.md#get-tenant-and-app-id-values-for-signing-in).
69+
For ease of use, the following snippet uses default values for client ID and redirect URI that are valid for any Azure subscription. In the following snippet, you only need to provide the value for your tenant ID. You can retrieve the Tenant ID using the instructions provided at [Get the tenant ID](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
7070

7171
- Replace the Main() function with the following code:
7272
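Review bot: the rewritten line 69 mixes "your tenant ID" and "the Tenant ID" in consecutive sentences; pick one casing (the rest of the commit uses lowercase "tenant ID"). As with the other files, the link text "Get the tenant ID" no longer describes the `#sign-in-to-the-application` target and should be aligned with the new heading.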

articles/data-lake-store/data-lake-store-end-user-authenticate-using-active-directory.md

Lines changed: 12 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -28,20 +28,20 @@ This article talks about how to create an **Azure AD native application for end-
2828
## Prerequisites
2929
* An Azure subscription. See [Get Azure free trial](https://azure.microsoft.com/pricing/free-trial/).
3030

31-
* Your subscription ID. You can retrieve it from the Azure portal. For example, it is available from the Data Lake Storage Gen1 account blade.
31+
* Your subscription ID. You can retrieve it from the Azure portal. For example, it's available from the Data Lake Storage Gen1 account blade.
3232

3333
![Get subscription ID](./media/data-lake-store-end-user-authenticate-using-active-directory/get-subscription-id.png)
3434

3535
* Your Azure AD domain name. You can retrieve it by hovering the mouse in the top-right corner of the Azure portal. From the screenshot below, the domain name is **contoso.onmicrosoft.com**, and the GUID within brackets is the tenant ID.
3636

3737
![Get AAD domain](./media/data-lake-store-end-user-authenticate-using-active-directory/get-aad-domain.png)
3838

39-
* Your Azure tenant ID. For instructions on how to retrieve the tenant ID, see [Get the tenant ID](../active-directory/develop/howto-create-service-principal-portal.md#get-tenant-and-app-id-values-for-signing-in).
39+
* Your Azure tenant ID. For instructions on how to retrieve the tenant ID, see [Get the tenant ID](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
4040

4141
## End-user authentication
4242
This authentication mechanism is the recommended approach if you want an end user to sign in to your application via Azure AD. Your application is then able to access Azure resources with the same level of access as the end user that logged in. Your end user needs to provide their credentials periodically in order for your application to maintain access.
4343

44-
The result of having the end-user sign in is that your application is given an access token and a refresh token. The access token gets attached to each request made to Data Lake Storage Gen1 or Data Lake Analytics, and it is valid for one hour by default. The refresh token can be used to obtain a new access token, and it is valid for up to two weeks by default. You can use two different approaches for end-user sign in.
44+
The result of having the end-user sign-in is that your application is given an access token and a refresh token. The access token gets attached to each request made to Data Lake Storage Gen1 or Data Lake Analytics, and it's valid for one hour by default. The refresh token can be used to obtain a new access token, and it's valid for up to two weeks by default. You can use two different approaches for end-user sign-in.
4545

4646
### Using the OAuth 2.0 pop-up
4747
Your application can trigger an OAuth 2.0 authorization pop-up, in which the end user can enter their credentials. This pop-up also works with the Azure AD Two-factor Authentication (2FA) process, if necessary.
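Review bot: on line 44 the change from "having the end-user sign in" to "having the end-user sign-in" turns a verb into a noun and leaves the sentence ungrammatical; the hyphenated form is right only where "sign-in" is used as a noun or adjective (as in "end-user sign-in" at the end of that paragraph). Suggest "The result of having the end user sign in is that your application is given an access token and a refresh token."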
@@ -52,7 +52,7 @@ Your application can trigger an OAuth 2.0 authorization pop-up, in which the end
5252
>
5353
5454
### Directly passing in user credentials
55-
Your application can directly provide user credentials to Azure AD. This method only works with organizational ID user accounts; it is not compatible with personal / “live ID” user accounts, including the accounts ending in @outlook.com or @live.com. Furthermore, this method is not compatible with user accounts that require Azure AD Two-factor Authentication (2FA).
55+
Your application can directly provide user credentials to Azure AD. This method only works with organizational ID user accounts; it isn't compatible with personal / “live ID” user accounts, including the accounts ending in @outlook.com or @live.com. Furthermore, this method isn't compatible with user accounts that require Azure AD Two-factor Authentication (2FA).
5656

5757
### What do I need for this approach?
5858
* Azure AD domain name. This requirement is already listed in the prerequisite of this article.
@@ -73,13 +73,13 @@ While following the instructions in the link, make sure you select **Native** fo
7373

7474
## Step 2: Get application ID and redirect URI
7575

76-
See [Get the application ID](../active-directory/develop/howto-create-service-principal-portal.md#get-tenant-and-app-id-values-for-signing-in) to retrieve the application ID.
76+
See [Get the application ID](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application) to retrieve the application ID.
7777

7878
To retrieve the redirect URI, do the following steps.
7979

80-
1. From the Azure portal, select **Azure Active Directory**, click **App registrations**, and then find and click the Azure AD native application that you created.
80+
1. From the Azure portal, select **Azure Active Directory**, select **App registrations**, and then find and select the Azure AD native application that you created.
8181

82-
2. From the **Settings** blade for the application, click **Redirect URIs**.
82+
2. From the **Settings** blade for the application, select **Redirect URIs**.
8383

8484
![Get Redirect URI](./media/data-lake-store-end-user-authenticate-using-active-directory/azure-active-directory-redirect-uri.png)
8585

@@ -88,21 +88,21 @@ To retrieve the redirect URI, do the following steps.
8888

8989
## Step 3: Set permissions
9090

91-
1. From the Azure portal, select **Azure Active Directory**, click **App registrations**, and then find and click the Azure AD native application that you created.
91+
1. From the Azure portal, select **Azure Active Directory**, select **App registrations**, and then find and select the Azure AD native application that you created.
9292

93-
2. From the **Settings** blade for the application, click **Required permissions**, and then click **Add**.
93+
2. From the **Settings** blade for the application, select **Required permissions**, and then select **Add**.
9494

9595
![Screenshot of the Settings blade with the Redirect U R I option called out and the Redirect U R I blade with the actual U R I called out.](./media/data-lake-store-end-user-authenticate-using-active-directory/aad-end-user-auth-set-permission-1.png)
9696

97-
3. In the **Add API Access** blade, click **Select an API**, click **Azure Data Lake**, and then click **Select**.
97+
3. In the **Add API Access** blade, select **Select an API**, select **Azure Data Lake**, and then select **Select**.
9898

9999
![Screenshot of the Add API access blade with the Select an API option called out and the Select an API blade with the Azure Data Lake option and the Select option called out.](./media/data-lake-store-end-user-authenticate-using-active-directory/aad-end-user-auth-set-permission-2.png)
100100

101-
4. In the **Add API Access** blade, click **Select permissions**, select the check box to give **Full access to Data Lake Store**, and then click **Select**.
101+
4. In the **Add API Access** blade, select **Select permissions**, select the check box to give **Full access to Data Lake Store**, and then select **Select**.
102102

103103
![Screenshot of the Add API access blade with the Select permissions option called out and the Enable Access blade with the Have full access to the Azure Data Lake service option and the Select option called out.](./media/data-lake-store-end-user-authenticate-using-active-directory/aad-end-user-auth-set-permission-3.png)
104104

105-
Click **Done**.
105+
Select **Done**.
106106

107107
5. Repeat the last two steps to grant permissions for **Windows Azure Service Management API** as well.
108108
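Review bot: the screenshot alt text on line 95 ("Screenshot of the Settings blade with the Redirect U R I option called out and the Redirect U R I blade with the actual U R I called out") describes the redirect-URI image, but it sits under step 2 of "Set permissions" whose image is `aad-end-user-auth-set-permission-1.png`. Since this hunk already touches the surrounding steps, update the alt text to describe the Required permissions blade so screen-reader users get the right description.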

articles/data-lake-store/data-lake-store-service-to-service-authenticate-using-active-directory.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -39,9 +39,9 @@ While following the instructions at the preceding link, make sure you select **W
3939
## Step 2: Get application ID, authentication key, and tenant ID
4040
When programmatically logging in, you need the ID for your application. If the application runs under its own credentials, you also need an authentication key.
4141

42-
* For instructions on how to retrieve the application ID and authentication key (also called the client secret) for your application, see [Get application ID and authentication key](../active-directory/develop/howto-create-service-principal-portal.md#get-tenant-and-app-id-values-for-signing-in).
42+
* For instructions on how to retrieve the application ID and authentication key (also called the client secret) for your application, see [Get application ID and authentication key](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
4343

44-
* For instructions on how to retrieve the tenant ID, see [Get tenant ID](../active-directory/develop/howto-create-service-principal-portal.md#get-tenant-and-app-id-values-for-signing-in).
44+
* For instructions on how to retrieve the tenant ID, see [Get tenant ID](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
4545

4646
## Step 3: Assign the Azure AD application to the Azure Data Lake Storage Gen1 account file or folder
4747
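Review bot: lines 42 and 44 now both resolve to `#sign-in-to-the-application`, so the two bullets ("Get application ID and authentication key" and "Get tenant ID") link to the same place with different link text. Either merge them into a single bullet or, consistent with the quickstart hunk in this commit, point the authentication key (client secret) bullet at `#set-up-authentication`.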

articles/hdinsight/hdinsight-create-non-interactive-authentication-dotnet-applications.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -14,9 +14,9 @@ Run your Microsoft .NET Azure HDInsight application either under the application
1414

1515
From your non-interactive .NET application, you need:
1616

17-
* Your Azure subscription tenant ID (also called a *directory ID*). See [Get tenant ID](../active-directory/develop/howto-create-service-principal-portal.md#get-tenant-and-app-id-values-for-signing-in).
18-
* The Azure Active Directory (Azure AD) application client ID. See [Create an Azure Active Directory application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) and [Get an application ID](../active-directory/develop/howto-create-service-principal-portal.md#get-tenant-and-app-id-values-for-signing-in).
19-
* The Azure AD application secret key. See [Get application authentication key](../active-directory/develop/howto-create-service-principal-portal.md#get-tenant-and-app-id-values-for-signing-in).
17+
* Your Azure subscription tenant ID (also called a *directory ID*). See [Get tenant ID](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
18+
* The Azure Active Directory (Azure AD) application client ID. See [Create an Azure Active Directory application](../active-directory/develop/howto-create-service-principal-portal.md#register-an-application-with-azure-ad-and-create-a-service-principal) and [Get an application ID](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
19+
* The Azure AD application secret key. See [Get application authentication key](../active-directory/develop/howto-create-service-principal-portal.md#sign-in-to-the-application).
2020

2121
## Prerequisites
2222
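Review bot: line 19 sends "Get application authentication key" to `#sign-in-to-the-application`, whereas the data-factory quickstart hunk in this commit maps the authentication key to `#set-up-authentication`. The HDInsight article is specifically about running under an application secret, so the link for the secret should go to the section that covers creating credentials; please make this consistent with the other retargeted links.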

articles/lighthouse/how-to/monitor-delegation-changes.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -85,7 +85,7 @@ When using a service principal account to query the activity log, we recommend t
8585

8686
- [Create a new service principal account](../../active-directory/develop/howto-create-service-principal-portal.md) to be used only for this function, rather than assigning this role to an existing service principal used for other automation.
8787
- Be sure that this service principal does not have access to any delegated customer resources.
88-
- [Use a certificate to authenticate](../../active-directory/develop/howto-create-service-principal-portal.md#authentication-two-options) and [store it securely in Azure Key Vault](../../key-vault/general/security-features.md).
88+
- [Use a certificate to authenticate](../../active-directory/develop/howto-create-service-principal-portal.md#set-up-authentication) and [store it securely in Azure Key Vault](../../key-vault/general/security-features.md).
8989
- Limit the users who have access to act on behalf of the service principal.
9090

9191
Once you've created a new service principal account with Monitoring Reader access to the root scope of your managing tenant, you can use it to query and report on delegation activity in your tenant.
