MicrosoftDocs
diff --git a/‎.openpublishing.publish.config.json
Lines changed: 1 addition & 0 deletions b/‎.openpublishing.publish.config.json
Lines changed: 1 addition & 0 deletions
diff --git a/‎articles/active-directory/develop/scenario-web-api-call-api-app-configuration.md
Lines changed: 23 additions & 26 deletions b/‎articles/active-directory/develop/scenario-web-api-call-api-app-configuration.md
Lines changed: 23 additions & 26 deletions
diff --git a/‎articles/aks/TOC.yml
Lines changed: 4 additions & 4 deletions b/‎articles/aks/TOC.yml
Lines changed: 4 additions & 4 deletions
diff --git a/‎articles/aks/dapr-migration.md
Lines changed: 6 additions & 8 deletions b/‎articles/aks/dapr-migration.md
Lines changed: 6 additions & 8 deletions
diff --git a/‎articles/automation/troubleshoot/update-management.md
Lines changed: 1 addition & 1 deletion b/‎articles/automation/troubleshoot/update-management.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/azure-arc/kubernetes/azure-rbac.md
Lines changed: 37 additions & 37 deletions b/‎articles/azure-arc/kubernetes/azure-rbac.md
Lines changed: 37 additions & 37 deletions
diff --git a/‎articles/azure-arc/kubernetes/quickstart-connect-cluster.md
Lines changed: 1 addition & 0 deletions b/‎articles/azure-arc/kubernetes/quickstart-connect-cluster.md
Lines changed: 1 addition & 0 deletions
@@ -950,6 +950,7 @@
     "articles/iot-accelerators/.openpublishing.redirection.iot-accelerators.json",
     "articles/iot-develop/.openpublishing.redirection.iot-develop.json",
     "articles/iot-edge/.openpublishing.redirection.iot-edge.json",
+    "articles/iot-fundamentals/.openpublishing.redirection.iot-fundamentals.json",
     "articles/mariadb/.openpublishing.redirection.mariadb.json",
     "articles/marketplace/.openpublishing.redirection.marketplace.json",
     "articles/mysql/.openpublishing.redirection.mysql.json",
 
@@ -4,22 +4,19 @@ description: Learn how to build a web API that calls web APIs (app's code config
 services: active-directory
 author: jmprieur
 manager: CelesteDG
-
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 09/26/2020
+ms.date: 08/12/2022
 ms.author: jmprieur
 ms.custom: aaddev
 #Customer intent: As an application developer, I want to know how to write a web API that calls web APIs by using the Microsoft identity platform.
 ---
 
 # A web API that calls web APIs: Code configuration
 
-After you've registered your web API, you can configure the code for the application.
-
-The code that you use to configure your web API so that it calls downstream web APIs builds on top of the code that's used to protect a web API. For more information, see [Protected web API: App configuration](scenario-protected-web-api-app-configuration.md).
+Once registration for a Web API is complete, the application code can be configured. Configuring a web API to call a downstream web API builds on the code that's used in protecting a web API. For more information, see [Protected web API: App configuration](scenario-protected-web-api-app-configuration.md).
 
 # [ASP.NET Core](#tab/aspnetcore)
 
@@ -29,22 +26,21 @@ Microsoft recommends that you use the [Microsoft.Identity.Web](https://www.nuget
 
 ## Client secrets or client certificates
 
-Given that your web API now calls a downstream web API, provide a client secret or client certificate in the *appsettings.json* file. You can also add a section that specifies:
+Given that the web API now calls a downstream web API, a client secret or client certificate in *appsettings.json* can be used for authentication. A section can be added to specify:
 
 - The URL of the downstream web API
 - The scopes required for calling the API
 
 In the following example, the `GraphBeta` section specifies these settings.
 
-```JSON
+```json
 {
   "AzureAd": {
     "Instance": "https://login.microsoftonline.com/",
-    "ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
+    "ClientId": "Enter_the_Application_(client)_ID_here",
     "TenantId": "common",
-    
-    // To call an API
-    "ClientSecret": "[Copy the client secret added to the app from the Azure portal]",
+
+    "ClientSecret": "Enter_the_Application_Client_Secret_Value_here",
     "ClientCertificates": []
   },
   "GraphBeta": {
@@ -54,16 +50,15 @@ In the following example, the `GraphBeta` section specifies these settings.
 }
 ```
 
-Instead of a client secret, you can provide a client certificate. The following code snippet shows using a certificate stored in Azure Key Vault.
+Instead of a client secret, a client certificate can be provided. The following code snippet demonstrates a certificate stored in Azure Key Vault.
 
-```JSON
+```json
 {
   "AzureAd": {
     "Instance": "https://login.microsoftonline.com/",
-    "ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
+    "ClientId": "Enter_the_Application_(client)_ID_here",
     "TenantId": "common",
 
-    // To call an API
     "ClientCertificates": [
       {
         "SourceType": "KeyVault",
@@ -79,11 +74,13 @@ Instead of a client secret, you can provide a client certificate. The following
 }
 ```
 
-Microsoft.Identity.Web provides several ways to describe certificates, both by configuration or by code. For details, see [Microsoft.Identity.Web wiki - Using certificates](https://github.com/AzureAD/microsoft-identity-web/wiki/Using-certificates) on GitHub.
+*Microsoft.Identity.Web* provides several ways to describe certificates, both by configuration or by code. For details, see [Microsoft.Identity.Web wiki - Using certificates](https://github.com/AzureAD/microsoft-identity-web/wiki/Using-certificates).
 
 ## Program.cs
 
-Your web API will need to acquire a token for the downstream API. You specify it by adding the `.EnableTokenAcquisitionToCallDownstreamApi()` line after `.AddMicrosoftIdentityWebApi(Configuration)`. This line exposes the `ITokenAcquisition` service, that you can use in your controller/pages actions. However, as you'll see in the next two bullet points, you can do even simpler. You'll also need to choose a token cache implementation, for example `.AddInMemoryTokenCaches()`, in *Program.cs*. If you use ASP.NET Core 3.1 or 5.0 the code will be similar but in the *Startup.cs* file.
+A web API will need to acquire a token for the downstream API. Specify it by adding the `.EnableTokenAcquisitionToCallDownstreamApi()` line after `.AddMicrosoftIdentityWebApi(Configuration)`. This line exposes the `ITokenAcquisition` service that can be used in the controller/pages actions.
+
+However, an alternative method is to implement a token cache. For example, adding `.AddInMemoryTokenCaches()`, to *Program.cs* will allow the token to be cached in memory.
 
 ```csharp
 using Microsoft.Identity.Web;
@@ -96,14 +93,14 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 // ...
 ```
 
-If you don't want to acquire the token yourself, *Microsoft.Identity.Web* provides two mechanisms for calling a downstream web API from another API. The option you choose depends on whether you want to call Microsoft Graph or another API.
+*Microsoft.Identity.Web* provides two mechanisms for calling a downstream web API from another API. The option you choose depends on whether you want to call Microsoft Graph or another API.
 
 ### Option 1: Call Microsoft Graph
 
-If you want to call Microsoft Graph, Microsoft.Identity.Web enables you to directly use the `GraphServiceClient` (exposed by the Microsoft Graph SDK) in your API actions. To expose Microsoft Graph:
+To call Microsoft Graph, *Microsoft.Identity.Web* enables you to directly use the `GraphServiceClient` (exposed by the Microsoft Graph SDK) in the API actions. To expose Microsoft Graph:
 
-1. Add the [Microsoft.Identity.Web.MicrosoftGraph](https://www.nuget.org/packages/Microsoft.Identity.Web.MicrosoftGraph) NuGet package to your project.
-1. Add `.AddMicrosoftGraph()` after `.EnableTokenAcquisitionToCallDownstreamApi()` in the *Program.cs* file. `.AddMicrosoftGraph()` has several overrides. Using the override that takes a configuration section as a parameter, the code becomes:
+1. Add the [Microsoft.Identity.Web.MicrosoftGraph](https://www.nuget.org/packages/Microsoft.Identity.Web.MicrosoftGraph) NuGet package to the project.
+1. Add `.AddMicrosoftGraph()` after `.EnableTokenAcquisitionToCallDownstreamApi()` in *Program.cs*. `.AddMicrosoftGraph()` has several overrides. Using the override that takes a configuration section as a parameter, the code becomes:
 
 ```csharp
 using Microsoft.Identity.Web;
@@ -119,7 +116,7 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 
 ### Option 2: Call a downstream web API other than Microsoft Graph
 
-To call a downstream API other than Microsoft Graph, *Microsoft.Identity.Web* provides `.AddDownstreamWebApi()`, which requests tokens and calls the downstream web API.
+To call a downstream API other than Microsoft Graph, *Microsoft.Identity.Web* provides `.AddDownstreamWebApi()`, which requests tokens for the downstream API on behalf of the user.
 
 ```csharp
 using Microsoft.Identity.Web;
@@ -133,9 +130,9 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 // ...
 ```
 
-As with web apps, you can choose various token cache implementations. For details, see [Microsoft identity web - Token cache serialization](https://aka.ms/ms-id-web/token-cache-serialization) on GitHub.
-
-The following image shows the various possibilities of *Microsoft.Identity.Web* and their impact on the *Program.cs* file:
+Similar to web apps, various token cache implementations can be chosen. For details, see [Microsoft identity web - Token cache serialization](https://aka.ms/ms-id-web/token-cache-serialization) on GitHub.
+        
+The following image shows the possibilities of *Microsoft.Identity.Web* and the impact on *Program.cs*:
 
 :::image type="content" source="media/scenarios/microsoft-identity-web-startup-cs.svg" alt-text="Block diagram showing service configuration options in startup dot C S for calling a web API and specifying a token cache implementation":::
 
@@ -230,4 +227,4 @@ For more information about the OBO protocol, see the [Microsoft identity platfor
 ## Next steps
 
 Move on to the next article in this scenario,
-[Acquire a token for the app](scenario-web-api-call-api-acquire-token.md).
+[Acquire a token for the app](scenario-web-api-call-api-acquire-token.md).
@@ -366,16 +366,16 @@
               href: configure-kubenet.md
             - name: Use kubenet with dual-stack networking
               href: configure-kubenet-dual-stack.md
-            - name: Use Azure-CNI
-              href: configure-azure-cni.md
-            - name: Use Azure-CNI Overlay (Preview)
-              href: azure-cni-overlay.md
         - name: CNI
           items:
             - name: Bring your own CNI
               href: use-byo-cni.md
             - name: Use Azure CNI Powered by Cilium (Preview)
               href: azure-cni-powered-by-cilium.md
+            - name: Use Azure-CNI
+              href: configure-azure-cni.md
+            - name: Use Azure-CNI Overlay (Preview)
+              href: azure-cni-overlay.md
         - name: DNS
           items:
             - name: Use a static IP address and DNS label
 
@@ -12,12 +12,10 @@ ms.custom: devx-track-azurecli
 
 # Migrate from Dapr OSS to the Dapr extension for Azure Kubernetes Service (AKS)
 
-You've installed and configured Dapr OSS on your Kubernetes cluster and want to migrate to the Dapr extension on AKS. In this guide, you'll learn how Dapr moves your managed clusters from using Dapr OSS to the Dapr extension by either:
+You've installed and configured Dapr OSS (using Dapr CLI or Helm) on your Kubernetes cluster, and want to start using the Dapr extension on AKS. In this guide, you'll learn how the Dapr extension for AKS can use the Kubernetes resources created by Dapr OSS and start managing them, by either:
 
-- Checking for an existing Dapr installation via CLI prompts (default method), or
-- Using the Helm release name and namespace configuration settings to manually check for an existing Dapr installation. 
-
-This check allows the Dapr extension to reuse the already existing Kubernetes resources from your previous installation and start managing them. 
+- Checking for an existing Dapr installation via Azure CLI prompts (default method), or
+- Using the release name and namespace from `--configuration-settings` to explicitly point to an existing Dapr installation.
 
 ## Check for an existing Dapr installation
 
@@ -40,11 +38,11 @@ Enter the Helm release name for Dapr, or press Enter to use the default name [da
 Enter the namespace where Dapr is installed, or press Enter to use the default namespace [dapr-system]:
 ```
 
-## Configure the Dapr check using `--configuration-settings` 
+## Configuring the existing Dapr installation using `--configuration-settings`
 
 Alternatively, when creating the Dapr extension, you can configure the above settings via `--configuration-settings`. This method is useful when you are automating the installation via bash scripts, CI pipelines, etc.
 
-If you don't have Dapr already installed on your cluster, set `skipExistingDaprCheck` to `true`:
+If you don't have an existing Dapr installation on your cluster, set `skipExistingDaprCheck` to `true`:
 
 ```azurecli-interactive
 az k8s-extension create --cluster-type managedClusters \
@@ -98,7 +96,7 @@ For more information, see [Dapr Production Guidelines][dapr-prod-guidelines].
 
 ## Next steps
 
-Learn more about [the cluster extension][dapr-overview] and [how to use it][dapr-howto].
+Learn more about [Dapr][dapr-overview] and [how to use it][dapr-howto].
 
 
 <!-- LINKS INTERNAL -->
 
@@ -280,7 +280,7 @@ Use the following procedure if your subscription is configured for the Automatio
 
 2. Check [Update Management history](../update-management/deploy-updates.md#view-results-of-a-completed-update-deployment) to determine the exact time when the update deployment was run.
 
-3. For machines that you suspect to have been missed by Update Management, use Azure Resource Graph (ARG) to [locate machine changes](../../governance/resource-graph/how-to/get-resource-changes.md#find-detected-change-events-and-view-change-details).
+3. For machines that you suspect to have been missed by Update Management, use Azure Resource Graph (ARG) to [locate machine changes](../../governance/resource-graph/how-to/get-resource-changes.md).
 
 4. Search for changes over a considerable period, such as one day, before the update deployment was run.
 
 
@@ -34,7 +34,7 @@ A conceptual overview of this feature is available in the [Azure RBAC on Azure A
   - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to the latest version.
 
 > [!NOTE]
-> You can't set up this feature for managed Kubernetes offerings of cloud providers like Elastic Kubernetes Service or Google Kubernetes Engine where the user doesn't have access to the API server of the cluster. For Azure Kubernetes Service (AKS) clusters, this [feature is available natively](../../aks/manage-azure-rbac.md) and doesn't require the AKS cluster to be connected to Azure Arc. This feature isn't supported on AKS on Azure Stack HCI.
+> You can't set up this feature for managed Kubernetes offerings of cloud providers like Elastic Kubernetes Service or Google Kubernetes Engine where the user doesn't have access to the API server of the cluster. For Azure Kubernetes Service (AKS) clusters, this [feature is available natively](../../aks/manage-azure-rbac.md) and doesn't require the AKS cluster to be connected to Azure Arc. For AKS on Azure Stack HCI, see [Use Azure RBAC for AKS hybrid clusters (preview)](/azure/aks/hybrid/azure-rbac-aks-hybrid).
 
 ## Set up Azure AD applications
 
@@ -44,32 +44,32 @@ A conceptual overview of this feature is available in the [Azure RBAC on Azure A
 
 1. Create a new Azure AD application and get its `appId` value. This value is used in later steps as `serverApplicationId`.
 
-   ```azurecli
-   CLUSTER_NAME="<clusterName>"
-   TENANT_ID="<tenant>"
-   SERVER_UNIQUE_SUFFIX="<identifier_suffix>"
-   SERVER_APP_ID=$(az ad app create --display-name "${CLUSTER_NAME}Server" --identifier-uris "api://${TENANT_ID}/${SERVER_UNIQUE_SUFFIX}" --query appId -o tsv)
-   echo $SERVER_APP_ID
-   ```
+    ```azurecli
+    CLUSTER_NAME="<name-of-arc-connected-cluster>"
+    TENANT_ID="<tenant>"
+    SERVER_UNIQUE_SUFFIX="<identifier_suffix>"
+    SERVER_APP_ID=$(az ad app create --display-name "${CLUSTER_NAME}Server" --identifier-uris "api://${TENANT_ID}/${SERVER_UNIQUE_SUFFIX}" --query appId -o tsv)
+    echo $SERVER_APP_ID
+    ```
 
 1. To grant "Sign in and read user profile" API permissions to the server application. Copy this JSON and save it in a file called oauth2-permissions.json:
 
-   ```json
-   {
-       "oauth2PermissionScopes": [
-           {
-               "adminConsentDescription": "Sign in and read user profile",
-               "adminConsentDisplayName": "Sign in and read user profile",
-               "id": "<unique_guid>",
-               "isEnabled": true,
-               "type": "User",
-               "userConsentDescription": "Sign in and read user profile",
-               "userConsentDisplayName": "Sign in and read user profile",
-               "value": "User.Read"
-           }
-       ]
-   }
-   ```
+    ```json
+    {
+        "oauth2PermissionScopes": [
+            {
+                "adminConsentDescription": "Sign in and read user profile",
+                "adminConsentDisplayName": "Sign in and read user profile",
+                "id": "<paste_the_SERVER_APP_ID>",
+                "isEnabled": true,
+                "type": "User",
+                "userConsentDescription": "Sign in and read user profile",
+                "userConsentDisplayName": "Sign in and read user profile",
+                "value": "User.Read"
+            }
+        ]
+    }
+    ```
 
 1. Update the application's group membership claims. Run the commands in the same directory as `oauth2-permissions.json` file. RBAC for Azure Arc-enabled Kubernetes requires [`signInAudience` to be set to **AzureADMyOrg**](../../active-directory/develop/supported-accounts-validation.md):
 
@@ -95,10 +95,10 @@ A conceptual overview of this feature is available in the [Azure RBAC on Azure A
    az ad app permission grant --id "${SERVER_APP_ID}" --api 00000003-0000-0000-c000-000000000000 --scope User.Read
    ```
 
-   > [!NOTE]
-   > An Azure tenant administrator has to run this step.
-   >
-   > For usage of this feature in production, we recommend that you  create a different server application for every cluster.  
+    > [!NOTE]
+    > An Azure [application administrator](../../active-directory/roles/permissions-reference.md#application-administrator) has to run this step.
+    > 
+    > For usage of this feature in production, we recommend that you  create a different server application for every cluster.  
 
 #### Create a client application
 
@@ -139,13 +139,13 @@ A conceptual overview of this feature is available in the [Azure RBAC on Azure A
 
 1. Create a new Azure AD application and get its `appId` value. This value is used in later steps as `serverApplicationId`.
 
-   ```azurecli
-   CLUSTER_NAME="<clusterName>"
-   TENANT_ID="<tenant>"
-   SERVER_UNIQUE_SUFFIX="<identifier_suffix>"
-   SERVER_APP_ID=$(az ad app create --display-name "${CLUSTER_NAME}Server" --identifier-uris "api://${TENANT_ID}/${SERVER_UNIQUE_SUFFIX}" --query appId -o tsv)
-   echo $SERVER_APP_ID
-   ```
+    ```azurecli
+    CLUSTER_NAME="<name-of-arc-connected-cluster>"
+    TENANT_ID="<tenant>"
+    SERVER_UNIQUE_SUFFIX="<identifier_suffix>"
+    SERVER_APP_ID=$(az ad app create --display-name "${CLUSTER_NAME}Server" --identifier-uris "api://${TENANT_ID}/${SERVER_UNIQUE_SUFFIX}" --query appId -o tsv)
+    echo $SERVER_APP_ID
+    ```
 
 1. Update the application's group membership claims:
 
@@ -168,8 +168,8 @@ A conceptual overview of this feature is available in the [Azure RBAC on Azure A
     ```
 
     > [!NOTE]
-    > An Azure tenant administrator has to run this step.
-    >
+    > An Azure [application administrator](../../active-directory/roles/permissions-reference.md#application-administrator) has to run this step.
+    > 
     > For usage of this feature in production, we recommend that you  create a different server application for every cluster.
 
 #### Create a client application
 
@@ -146,6 +146,7 @@ For a conceptual look at connecting clusters to Azure Arc, see [Azure Arc-enable
 |`https://k8connecthelm.azureedge.net` | `az connectedk8s connect` uses Helm 3 to deploy Azure Arc agents on the Kubernetes cluster. This endpoint is needed for Helm client download to facilitate deployment of the agent helm chart. |
 |`guestnotificationservice.azure.com`, `*.guestnotificationservice.azure.com`, `sts.windows.net`, `https://k8sconnectcsp.azureedge.net` | For [Cluster Connect](cluster-connect.md) and for [Custom Location](custom-locations.md) based scenarios. |
 |`*.servicebus.windows.net` | For [Cluster Connect](cluster-connect.md) and for [Custom Location](custom-locations.md) based scenarios. |
+|`https://graph.microsoft.com/` | Required when [Azure RBAC](azure-rbac.md) is configured |
 
 > [!NOTE]
 > To translate the `*.servicebus.windows.net` wildcard into specific endpoints, use the command `\GET https://guestnotificationservice.azure.com/urls/allowlist?api-version=2020-01-01&location=<location>`. Within this command, the region must be specified for the `<location>` placeholder.