# Authenticate access to Event Hubs resources using shared access signatures (SAS)
Shared access signature (SAS) gives you granular control over the type of access you grant to the clients who has the shared access signature. Here are some of the controls you can set in a SAS:
-
- The interval over which the SAS is valid, including the start time and expiry time.
+
- The interval over which the SAS is valid, which includes the start time and expiry time.
- The permissions granted by the SAS. For example, a SAS for an Event Hubs namespace might grant the listen permission, but not the send permission.
- Only clients that present valid credentials can send data to an event hub.
- A client can't impersonate another client.
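Review bot: the unchanged context line just above the edited bullet still reads "the clients who has the shared access signature"; since this hunk is already a wording pass on the bullet that follows, fix the subject-verb agreement there as well ("the clients who have the shared access signature") so the paragraph and its list are corrected together. The change from "including" to "which includes" on line 12 is fine either way.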
@@ -24,7 +24,7 @@ This article covers authenticating the access to Event Hubs resources using SAS.
## Configuring for SAS authentication
-
You can configure the EventHubs shared access authorization rule on an Event Hubs namespace, or an entity (event hub instance or Kafka Topic in an event hub). Configuring a shared access authorization rule on a consumer group is currently not supported, but you can use rules configured on a namespace or entity to secure access to consumer group.
+
You can configure a shared access authorization rule on an Event Hubs namespace, or an entity (event hub instance or Kafka Topic in an event hub). Configuring a shared access authorization rule on a consumer group is currently not supported, but you can use rules configured on a namespace or entity to secure access to consumer group.
The following image shows how the authorization rules apply on sample entities.
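Review bot: both the removed and the added line 27 end with "secure access to consumer group", which is missing an article; while this line is being rewritten, make it "secure access to a consumer group". Replacing "the EventHubs shared access authorization rule" with "a shared access authorization rule" is a good change, since the text goes on to describe several such rules rather than a single one.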
@@ -34,13 +34,13 @@ In this example, the sample Event Hubs namespace (ExampleNamespace) has two enti
The manageRuleNS, sendRuleNS, and listenRuleNS authorization rules apply to both event hub instance eh1 and topic t1. The listenRule-eh and sendRule-eh authorization rules apply only to event hub instance eh1 and sendRuleT authorization rule applies only to topic topic1.
-
When using sendRuleNS authorization rule, client applications can send to both eh1 and topic1. When sendRuleT authorization rule is used, it enforces granular access to topic1 only and hence client applications using this rule for access now cannot send to eh1, but only to topic1.
+
When you use sendRuleNS authorization rule, client applications can send to both eh1 and topic1. When sendRuleT authorization rule is used, it enforces granular access to topic1 only and hence client applications using this rule for access now can't send to eh1, but only to topic1.
## Generate a Shared Access Signature token
Any client that has access to name of an authorization rule name and one of its signing keys can generate a SAS token. The token is generated by crafting a string in the following format:
-`se` – Token expiry instant. Integer reflecting seconds since epoch 00:00:00 UTC on 1 January 1970 (UNIX epoch) when the token expires
-
-`skn` – Name of the authorization rule, that is the SAS key name.
+
-`skn` – Name of the authorization rule, which is the SAS key name.
-`sr` – URI of the resource being accessed.
-`sig` – Signature.
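Review bot: the unchanged context on line 35 of this hunk refers to the same entity as "topic t1" in its first sentence and "topic topic1" in its second, and the rewritten line 37 keeps "topic1"; pick one identifier (the rest of the hunk uses topic1) so the example can be followed. Two further points in the same hunk: line 40 reads "has access to name of an authorization rule name", which should be "has access to the name of an authorization rule", and on line 37 the second sentence ("When sendRuleT authorization rule is used") is still passive after the first was switched to "When you use"; "When you use the sendRuleT authorization rule" keeps the two sentences parallel.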
@@ -92,7 +92,7 @@ To use a policy name and a key value to connect to an event hub, use the `EventH
@@ -269,7 +269,7 @@ For example, to define authorization rules scoped down to only sending/publishin
To authenticate back-end applications that consume from the data generated by Event Hubs producers, Event Hubs token authentication requires its clients to either have the **manage** rights or the **listen** privileges assigned to its Event Hubs namespace or event hub instance or topic. Data is consumed from Event Hubs using consumer groups. While SAS policy gives you granular scope, this scope is defined only at the entity level and not at the consumer level. It means that the privileges defined at the namespace level or the event hub instance or topic level will be applied to the consumer groups of that entity.
## Disabling Local/SAS Key authentication
-
For certain organizational security requirements, you may have to disable local/SAS key authentication completely and rely on the Azure Active Directory (Azure AD) based authentication which is the recommended way to connect with Azure Event Hubs. You can disable local/SAS key authentication at the Event Hubs namespace level using Azure portal or Azure Resource Manager template.
+
For certain organizational security requirements, you may have to disable local/SAS key authentication completely and rely on the Azure Active Directory (Azure AD) based authentication, which is the recommended way to connect with Azure Event Hubs. You can disable local/SAS key authentication at the Event Hubs namespace level using Azure portal or Azure Resource Manager template.
### Disabling Local/SAS Key authentication via the portal
You can disable local/SAS key authentication for a given Event Hubs namespace using the Azure portal.
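Review bot: the unchanged context on line 269 says back-end applications "consume from the data generated by Event Hubs producers"; drop "from" ("consume the data generated by"). The comma added before "which is the recommended way" on line 272 is correct, since the clause is non-restrictive; on the same line, "using Azure portal or Azure Resource Manager template" would read better as "using the Azure portal or an Azure Resource Manager template".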