MicrosoftDocs
diff --git a/‎articles/connectors/connectors-native-reqres.md
Lines changed: 7 additions & 3 deletions b/‎articles/connectors/connectors-native-reqres.md
Lines changed: 7 additions & 3 deletions
diff --git a/‎articles/logic-apps/logic-apps-securing-a-logic-app.md
Lines changed: 33 additions & 2 deletions b/‎articles/logic-apps/logic-apps-securing-a-logic-app.md
Lines changed: 33 additions & 2 deletions
diff --git a/‎articles/logic-apps/media/logic-apps-securing-a-logic-app/add-azure-active-directory-authorization-policies.png
74.8 KB b/‎articles/logic-apps/media/logic-apps-securing-a-logic-app/add-azure-active-directory-authorization-policies.png
74.8 KB
diff --git a/‎articles/logic-apps/media/logic-apps-securing-a-logic-app/set-up-authorization-policy.png
74.8 KB b/‎articles/logic-apps/media/logic-apps-securing-a-logic-app/set-up-authorization-policy.png
74.8 KB
@@ -5,7 +5,7 @@ services: logic-apps
 ms.suite: integration
 ms.reviewers: klam, logicappspm
 ms.topic: conceptual
-ms.date: 01/14/2020
+ms.date: 02/20/2020
 tags: connectors
 ---
 
@@ -42,7 +42,7 @@ With [Azure Logic Apps](../logic-apps/logic-apps-overview.md) and the built-in R
 
 ## Add Request trigger
 
-This built-in trigger creates a manually callable HTTPS endpoint that can receive *only* incoming HTTPS requests. When this event happens, the trigger fires and runs the logic app. For more information about the trigger's underlying JSON definition and how to call this trigger, see the [Request trigger type](../logic-apps/logic-apps-workflow-actions-triggers.md#request-trigger) and [Call, trigger, or nest workflows with HTTP endpoints in Azure Logic Apps](../logic-apps/logic-apps-http-endpoint.md).
+This built-in trigger creates a manually callable HTTPS endpoint that can receive *only* incoming HTTPS requests. When this event happens, the trigger fires and runs the logic app.
 
 1. Sign in to the [Azure portal](https://portal.azure.com). Create a blank logic app.
 
@@ -173,14 +173,18 @@ This built-in trigger creates a manually callable HTTPS endpoint that can receiv
 
    Your logic app keeps the incoming request open only for one minute. Assuming that your logic app workflow includes a Response action, if the logic app doesn't return a response after this time passes, your logic app returns a `504 GATEWAY TIMEOUT` to the caller. Otherwise, if your logic app doesn't include a Response action, your logic app immediately returns a `202 ACCEPTED` response to the caller.
 
-1. When you're done, save your logic app. On the designer toolbar, select **Save**. 
+1. When you're done, save your logic app. On the designer toolbar, select **Save**.
 
    This step generates the URL to use for sending the request that triggers the logic app. To copy this URL, select the copy icon next to the URL.
 
    ![URL to use triggering your logic app](./media/connectors-native-reqres/generated-url.png)
 
 1. To trigger your logic app, send an HTTP POST to the generated URL. For example, you can use a tool such as [Postman](https://www.getpostman.com/).
 
+For more information about the trigger's underlying JSON definition and how to call this trigger, see these topics, [Request trigger type](../logic-apps/logic-apps-workflow-actions-triggers.md#request-trigger) and [Call, trigger, or nest workflows with HTTP endpoints in Azure Logic Apps](../logic-apps/logic-apps-http-endpoint.md).
+
+Request triggers support using [Azure Active Directory OAuth](../active-directory/develop/about-microsoft-identity-platform.md) for authenticating incoming calls. For more information about enabling this support, see [Securing logic apps - Enable Azure AD OAuth authentication](../logic-apps/logic-apps-securing-a-logic-app.md#enable-oauth).
+
 ### Trigger outputs
 
 Here's more information about the outputs from the Request trigger:
 
@@ -615,7 +615,7 @@ HTTP and HTTPS endpoints support various kinds of authentication. Based on the t
 |---------------------|--------------|
 | [Basic](#basic-authentication) | Azure API Management, Azure App Services, HTTP, HTTP + Swagger, HTTP Webhook |
 | [Client Certificate](#client-certificate-authentication) | Azure API Management, Azure App Services, HTTP, HTTP + Swagger, HTTP Webhook |
-| [Active Directory OAuth](#azure-active-directory-oauth-authentication) | Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP + Swagger, HTTP Webhook |
+| [Active Directory OAuth](#azure-active-directory-oauth-authentication) | Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP + Swagger, HTTP Webhook, Request |
 | [Raw](#raw-authentication) | Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP + Swagger, HTTP Webhook |
 | [Managed identity](#managed-identity-authentication) | Azure API Management, Azure App Services, Azure Functions, HTTP, HTTP + Swagger, HTTP Webhook |
 |||
@@ -694,7 +694,7 @@ For more information about securing services by using client certificate authent
 
 ### Azure Active Directory OAuth authentication
 
-If the [Active Directory OAuth](../active-directory/develop/about-microsoft-identity-platform.md) option is available, specify these property values:
+On Request triggers, you can use [Azure Active Directory OAuth](../active-directory/develop/about-microsoft-identity-platform.md) for authenticating incoming calls after you [set up Azure Active Directory authorization policies](#enable-oauth) for your logic app. For all other triggers and actions that provide the **Active Directory OAuth** authentication type for you to select, specify these property values:
 
 | Property (designer) | Property (JSON) | Required | Value | Description |
 |---------------------|-----------------|----------|-------|-------------|
@@ -730,6 +730,37 @@ When you use [secured parameters](#secure-action-parameters) to handle and prote
 }
 ```
 
+<a name="enable-oauth"></a>
+
+### Enable Azure AD OAuth authentication on Request triggers
+
+To enable [Azure Active Directory OAuth](../active-directory/develop/about-microsoft-identity-platform.md) authentication for incoming calls to Request triggers, follow these steps to set up an authorization policy. Here are some considerations for enabling this authentication support:
+
+* Your logic app can have up to five authorization policies. Each authorization policy can have up to 10 claims.
+
+* An authorization policy must include the **Issuer** claim, which starts with the Azure Active Directory issuer ID, `https://sts.windows.net/`.
+
+* Your logic app can't use both [Shared Access Signatures (SAS)](#sas) and Azure AD OAuth.
+
+* Currently, open authentication tokens are supported only for workflow trigger requests.
+
+* Only Bearer-type authorization schemes are supported for OAuth tokens.
+
+1. In the [Azure portal](https://portal.microsoft.com), find and open your logic app in the Logic App Designer.
+
+1. On the logic app menu, under **Settings**, select **Authorization**. After the Authorization pane opens, select **Add policy**.
+
+   ![Select "Authorization" > "Add policy"](./media/logic-apps-securing-a-logic-app/add-azure-active-directory-authorization-policies.png)
+
+1. Provide this information for the claims in your policy:
+
+   ![Provide information about the authorization policy](./media/logic-apps-securing-a-logic-app/set-up-authorization-policy.png)
+
+   | Property | Required | Description |
+   |----------|----------|-------------|
+   | 
+   |||
+
 <a name="raw-authentication"></a>
 
 ### Raw authentication