Merge pull request #270612 from garrodonnell/remove-postman-b2c

[B2C] Removing Postman recommendations from Azure AD B2C content.

Author: PMEds28

articles/active-directory-b2c/access-tokens.md

@@ -106,7 +106,7 @@ grant_type=authorization_code
 &client_secret=2hMG2-_:y12n10vwH...
 ```
 
-If you want to test this POST HTTP request, you can use any HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview) or [Postman](https://www.postman.com/).
+If you want to test this POST HTTP request, you can use any HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview).
 
 A successful token response looks like this:
 

articles/active-directory-b2c/authorization-code-flow.md

@@ -106,7 +106,7 @@ error=access_denied
 | state |See the full description in the preceding table. If a `state` parameter is included in the request, the same value should appear in the response. The app should verify that the `state` values in the request and response are identical. |
 
 ## 2. Get an access token
-Now that you've acquired an authorization code, you can redeem the `code` for a token to the intended resource by sending a POST request to the `/token` endpoint. In Azure AD B2C, you can [request access tokens for other API's](access-tokens.md#request-a-token) as usual by specifying their scope(s) in the request.
+Now that you've acquired an authorization code, you can redeem the `code` for a token to the intended resource by sending a POST request to the `/token` endpoint. In Azure AD B2C, you can [request access tokens for other APIs](access-tokens.md#request-a-token) as usual by specifying their scope(s) in the request.
 
 You can also request an access token for your app's own back-end Web API by convention of using the app's client ID as the requested scope (which will result in an access token with that client ID as the "audience"):
 
@@ -135,7 +135,7 @@ grant_type=authorization_code
 | redirect_uri |Required |The redirect URI of the application where you received the authorization code. |
 | code_verifier | recommended | The same `code_verifier` used to obtain the authorization code. Required if PKCE was used in the authorization code grant request. For more information, see the [PKCE RFC](https://tools.ietf.org/html/rfc7636). |
 
-If you're testing this POST HTTP request, you can use any HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview) or [Postman](https://www.postman.com/).
+If you're testing this POST HTTP request, you can use any HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview).
 
 A successful token response looks like this:
 

articles/active-directory-b2c/custom-policies-series-call-rest-api.md

@@ -108,7 +108,7 @@ You need to deploy an app, which serves as your external app. Your custom policy
 
 1. To test the app works as expected, use the following steps:
     1. In your terminal, run the `node index.js` command to start your app server. 
-    1. To make a POST request similar to the one shown in this example, you can use an HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview) or [Postman](https://www.postman.com/):
+    1. To make a POST request similar to the one shown in this example, you can use an HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview).
 
     ```http
         POST http://localhost/validate-accesscode HTTP/1.1
@@ -147,15 +147,15 @@ At this point, you're ready to deploy your Node.js app.
 
 ### Step 1.2 - Deploy the Node.js app in Azure App Service
 
-For your custom policy to reach your Node.js app, it needs to be reachable, so, you need deploy it. In this article, you deploy the app by using [Azure App Service](../app-service/overview-vnet-integration.md), but you use an alternative hosting approach. 
+For your custom policy to reach your Node.js app, it needs to be reachable, so, you need to deploy it. In this article, you deploy the app by using [Azure App Service](../app-service/overview-vnet-integration.md), but you use an alternative hosting approach. 
 
 Follow the steps in [Deploy your app to Azure](../app-service/quickstart-nodejs.md#deploy-to-azure) to deploy your Node.js app to Azure. For the **Name** of the app, use a descriptive name such as `custompolicyapi`. Hence:
 
 - App URL looks similar to `https://custompolicyapi.azurewebsites.net`.
 
 - Service endpoint looks similar to `https://custompolicyapi.azurewebsites.net/validate-accesscode`.
 
-You can test the app you've deployed by using an HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview) or [Postman](https://www.postman.com/). This time, use `https://custompolicyapi.azurewebsites.net/validate-accesscode` URL as the endpoint. 
+You can test the app you've deployed by using an HTTP client such as [Microsoft PowerShell](/powershell/scripting/overview). This time, use `https://custompolicyapi.azurewebsites.net/validate-accesscode` URL as the endpoint. 
 
 ## Step 2 - Call the REST API
 

articles/active-directory-b2c/secure-api-management.md

@@ -29,7 +29,6 @@ Before you begin, make sure that you have the following resources in place:
 * An [application that's registered in your tenant](tutorial-register-applications.md)
 * [User flows that are created in your tenant](tutorial-create-user-flows.md)
 * A [published API](../api-management/import-and-publish.md) in Azure API Management
-* (Optional) A [Postman platform](https://www.postman.com/) to test secured access
 
 ## Get Azure AD B2C application ID
 
@@ -114,108 +113,6 @@ You're now ready to add the inbound policy in Azure API Management that validate
         <on-error> <base /> </on-error>
     </policies>
     ```
-
-## Validate secure API access
-
-To ensure that only authenticated callers can access your API, you can validate your Azure API Management configuration by calling the API with [Postman](https://www.postman.com/).
-
-To call the API, you need both an access token that's issued by Azure AD B2C and an Azure API Management subscription key.
-
-### Get an access token
-
-You first need a token that's issued by Azure AD B2C to use in the `Authorization` header in Postman. You can get one by using the *Run now* feature of the sign-up/sign-in user flow you that you created as one of the prerequisites.
-
-1. In the [Azure portal](https://portal.azure.com), go to your Azure AD B2C tenant.
-1. Under **Policies**, select **User flows**.
-1. Select an existing sign-up/sign-in user flow (for example, *B2C_1_signupsignin1*).
-1. For **Application**, select *webapp1*.
-1. For **Reply URL**, select `https://jwt.ms`.
-1. Select **Run user flow**.
-
-    ![Screenshot of the "Run user flow" pane for the sign-up/sign-in user flow in the Azure portal.](media/secure-apim-with-b2c-token/portal-03-user-flow.png)
-
-1. Complete the sign-in process. You should be redirected to `https://jwt.ms`.
-1. Record the encoded token value that's displayed in your browser. You use this token value for the Authorization header in Postman.
-
-    ![Screenshot of the encoded token value displayed on jwt.ms.](media/secure-apim-with-b2c-token/jwt-ms-01-token.png)
-
-### Get an API subscription key
-
-A client application (in this case, Postman) that calls a published API must include a valid API Management subscription key in its HTTP requests to the API. To get a subscription key to include in your Postman HTTP request:
-
-1. In the [Azure portal](https://portal.azure.com), go to your Azure API Management service instance.
-1. Select **Subscriptions**.
-1. Select the ellipsis (**...**) next to **Product: Unlimited**, and then select **Show/hide keys**.
-1. Record the **Primary Key** for the product. You use this key for the `Ocp-Apim-Subscription-Key` header in your HTTP request in Postman.
-
-![Screenshot of the "Subscription key" page in the Azure portal, with "Show/hide keys" selected.](media/secure-apim-with-b2c-token/portal-04-api-subscription-key.png)
-
-### Test a secure API call
-
-With the access token and Azure API Management subscription key recorded, you're now ready to test whether you've correctly configured secure access to the API.
-
-1. Create a new `GET` request in [Postman](https://www.postman.com/). For the request URL, specify the speakers list endpoint of the API you published as one of the prerequisites. For example:
-
-    `https://contosoapim.azure-api.net/conference/speakers`
-
-1. Next, add the following headers:
-
-    | Key | Value |
-    | --- | ----- |
-    | `Authorization` | The encoded token value you recorded earlier, prefixed with `Bearer ` (include the space after "Bearer") |
-    | `Ocp-Apim-Subscription-Key` | The Azure API Management subscription key you recorded earlier. |
-    | | |
-
-    Your **GET** request URL and **Headers** should appear similar to those shown in the following image:
-
-    ![Screenshot of the Postman UI showing the GET request URL and headers.](media/secure-apim-with-b2c-token/postman-01-headers.png)
-
-1. In Postman, select the **Send** button to execute the request. If you've configured everything correctly, you should be given a JSON response with a collection of conference speakers (shown here, truncated):
-
-    ```json
-    {
-      "collection": {
-        "version": "1.0",
-        "href": "https://conferenceapi.azurewebsites.net:443/speakers",
-        "links": [],
-        "items": [
-          {
-            "href": "https://conferenceapi.azurewebsites.net/speaker/1",
-            "data": [
-              {
-                "name": "Name",
-                "value": "Scott Guthrie"
-              }
-            ],
-            "links": [
-              {
-                "rel": "http://tavis.net/rels/sessions",
-                "href": "https://conferenceapi.azurewebsites.net/speaker/1/sessions"
-              }
-            ]
-          },
-    [...]
-    ```
-
-### Test an insecure API call
-
-Now that you've made a successful request, test the failure case to ensure that calls to your API with an *invalid* token are rejected as expected. One way to perform the test is to add or change a few characters in the token value, and then run the same `GET` request as before.
-
-1. Add several characters to the token value to simulate an invalid token. For example, you could add "INVALID" to the token value, as shown here:
-
-    ![Screenshot of the Headers section of Postman UI showing the string INVALID added to token.](media/secure-apim-with-b2c-token/postman-02-invalid-token.png)
-
-1. Select the **Send** button to execute the request. With an invalid token, the expected result is a `401` unauthorized status code:
-
-    ```json
-    {
-        "statusCode": 401,
-        "message": "Unauthorized. Access token is missing or invalid."
-    }
-    ```
-
-If you see a `401` status code, you've verified that only callers with a valid access token issued by Azure AD B2C can make successful requests to your Azure API Management API.
-
 ## Support multiple applications and issuers
 
 Several applications typically interact with a single REST API. To enable your API to accept tokens intended for multiple applications, add their application IDs to the `<audiences>` element in the Azure API Management inbound policy.