copyedits

dlepow · dlepow · commit ca5ce809d593 · 2022-11-14T11:49:19.000-08:00
diff --git a/articles/api-management/api-management-howto-oauth2.md b/articles/api-management/api-management-howto-oauth2.md
@@ -98,14 +98,10 @@ Throughout this tutorial you'll be asked to record key information to reference
 
 You'll need to register two applications with your OAuth 2.0 provider: one represents the backend API to be protected, and a second represents the client application that calls the API - in this case, the test console of the developer portal.
 
-The following are example steps using Azure AD as the OAuth 2.0 provider.
+The following are example steps using Azure AD as the OAuth 2.0 provider. For details about app registration, see [Quickstart: Configure an application to expose a web API](../active-directory/develop/quickstart-configure-app-expose-web-apis.md).
 
 ### Register an application in Azure AD to represent the API
 
-Using the Azure portal, register an application that represents the backend API in Azure AD. 
-
-For details about app registration, see [Quickstart: Configure an application to expose a web API](../active-directory/develop/quickstart-configure-app-expose-web-apis.md).
-
 1. In the [Azure portal](https://portal.azure.com), search for and select **App registrations**.
 
 1. Select **New registration**. 
@@ -137,9 +133,7 @@ For details about app registration, see [Quickstart: Configure an application to
 
 ### Register another application in Azure AD to represent a client application
 
-Register every client application that calls the API as an application in Azure AD. In this example, the client application is the **test console** in the API Management developer portal. 
-
-To register an application in Azure AD to represent the client application:
+Register every client application that calls the API as an application in Azure AD.
 
 1. In the [Azure portal](https://portal.azure.com), search for and select **App registrations**.
 
@@ -248,18 +242,18 @@ Optionally:
 
     - `/signin-oauth/code/callback/{authServerName}` for authorization code grant flow
     - `/signin-oauth/implicit/callback` for implicit grant flow
-    
-    Copy the appropriate Redirect URI to the **Authentication** page of your client-app registration. In the app registration, select **Authentication** > **+ Add a platform** > **Web**, and then enter the Redirect URI.
 
     :::image type="content" source="media/api-management-howto-oauth2/oauth-04.png" alt-text="Add client credentials for the OAuth 2.0 service":::
 
+    Copy the appropriate Redirect URI to the **Authentication** page of your client-app registration. In the app registration, select **Authentication** > **+ Add a platform** > **Web**, and then enter the Redirect URI.
+
 1. If **Authorization grant types** is set to **Resource owner password**, the **Resource owner password credentials** section is used to specify those credentials; otherwise you can leave it blank.
 
 1. Select **Create** to save the API Management OAuth 2.0 authorization server configuration. 
 
 1. [Republish](api-management-howto-developer-portal-customize.md#publish) the developer portal.
 
-    > [!NOTE]
+    > [!IMPORTANT]
     > When making OAuth 2.0-related changes, be sure to to republish the developer portal after every modification as relevant changes (for example, scope change) otherwise cannot propagate into the portal and subsequently be used in trying out the APIs.
 
 After saving the OAuth 2.0 server configuration, configure an API or APIs to use this configuration, as shown in the next section.
@@ -274,17 +268,18 @@ After saving the OAuth 2.0 server configuration, configure an API or APIs to use
 
     :::image type="content" source="./media/api-management-howto-oauth2/oauth-07.png" alt-text="Configure OAuth 2.0 authorization server":::
 
+## Developer portal - test the OAuth 2.0 user authorization
+
+[!INCLUDE [api-management-test-oauth-authorization](../../includes/api-management-test-oauth-authorization.md)]
+
 ## Configure a JWT validation policy to pre-authorize requests
 
-In the preceding section, API Management doesn't validate the access token. It only passes the token in the authorization header to the backend API.
+In the configuration so far, API Management doesn't validate the access token. It only passes the token in the authorization header to the backend API.
 
 To pre-authorize requests, configure a [validate-jwt](api-management-access-restriction-policies.md#ValidateJWT) policy to validate the access token of each incoming request. If a request doesn't have a valid token, API Management blocks it.
 
 [!INCLUDE [api-management-configure-validate-jwt](../../includes/api-management-configure-validate-jwt.md)]
 
-## Developer portal - test the OAuth 2.0 user authorization
-
-[!INCLUDE [api-management-test-oauth-authorization](../../includes/api-management-test-oauth-authorization.md)]
 
 ## Legacy developer portal - test the OAuth 2.0 user authorization
 
@@ -316,7 +311,6 @@ Once you've signed in, the **Request headers** are populated with an `Authorizat
 
 At this point you can configure the desired values for the remaining parameters, and submit the request.
 
-
 ## Next steps
 
 For more information about using OAuth 2.0 and API Management, see [Protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory](api-management-howto-protect-backend-with-aad.md).
diff --git a/includes/api-management-configure-validate-jwt.md b/includes/api-management-configure-validate-jwt.md
@@ -8,7 +8,7 @@ ms.author: danlep
 
 The following example policy, when added to the `<inbound>` policy section, checks the value of the audience claim in an access token obtained from Azure AD that is presented in the Authorization header. It returns an error message if the token is not valid. Configure this policy at a policy scope that's appropriate for your scenario.
 
-* In `openid-config`, the `aad-tenant` is the tenant ID in Azure AD. Find this value in the Azure portal, for example, on the **Overview** page of your Azure AD resource. The example shown assumes a single-tenant Azure AD app and a v2 configuration endpoint.
+* In the `openid-config` URL, the `aad-tenant` is the tenant ID in Azure AD. Find this value in the Azure portal, for example, on the **Overview** page of your Azure AD resource. The example shown assumes a single-tenant Azure AD app and a v2 configuration endpoint.
 * The value of the `claim` is the client ID of the backend-app you registered in Azure AD.
 
 
@@ -24,6 +24,6 @@ The following example policy, when added to the `<inbound>` policy section, chec
 ```
 
 > [!NOTE]
-> The preceding `openid-config` URL corresponds to the v2 endpoint. For the v1 `openid-config`endpoint, use `https://login.microsoftonline.com/{aad-tenant}/.well-known/openid-configuration`.
+> The preceding `openid-config` URL corresponds to the v2 endpoint. For the v1 `openid-config` endpoint, use `https://login.microsoftonline.com/{aad-tenant}/.well-known/openid-configuration`.
 
 For information on how to configure policies, see [Set or edit policies](../articles/api-management/set-edit-policies.md).
diff --git a/includes/api-management-test-oauth-authorization.md b/includes/api-management-test-oauth-authorization.md
@@ -32,4 +32,4 @@ Once you've configured your OAuth 2.0 authorization server and configured your A
    Authorization: Bearer eyJ0eXAiOi[...]3pkCfvEOyA
    ```
 
-1. Select **Send** to call the API successfully.
+1. Configure the desired values for the remaining parameters, and select **Send** to call the API.
