Merge pull request #208548 from mmacy/patch-15

prmerger-automator[bot] · web-flow · commit d00aa891d471 · 2022-08-19T22:45:03.000Z
[msid][usability-clarity] App roles section
diff --git a/articles/active-directory/develop/custom-rbac-for-developers.md b/articles/active-directory/develop/custom-rbac-for-developers.md
@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity 
-ms.date: 06/16/2022
+ms.date: 08/19/2022
 ms.custom: template-concept
 ms.author: davidmu
 ms.reviewer: john.garland, maggie.marxen, ian.bennett, marsma
@@ -43,7 +43,9 @@ Developers have the flexibility to provide their own implementation for how role
 
 ### App roles
 
-Azure AD supports declaring app roles for an application. When a user signs into an application, Azure AD includes a [roles claim](./access-tokens.md#payload-claims) for each role that the user has been granted for that application. Applications receive the tokens that contain the role claims and then can use the information for permission assignments. The roles assigned to the user determine the level of access to resources and functionality.
+Azure AD allows you to [define app roles](./howto-add-app-roles-in-azure-ad-apps.md) for your application and assign those roles to users and other applications. The roles you assign to a user or application define their level of access to the resources and operations in your application.
+
+When Azure AD issues an access token for an authenticated user or application, it includes the names of the roles you've assigned the entity (the user or application) in the access token's [`roles`](./access-tokens.md#payload-claims) claim. An application like a web API that receives that access token in a request can then make authorization decisions based on the values in the `roles` claim.
 
 ### Groups
 
@@ -79,5 +81,5 @@ Although either app roles or groups can be used for authorization, key differenc
 
 ## Next steps
 
-- [How to add app roles to your application and receive them in the token](./howto-add-app-roles-in-azure-ad-apps.md).
-- [Azure Identity Management and access control security best practices](../../security/fundamentals/identity-management-best-practices.md).
+- [How to add app roles to your application and receive them in the token](./howto-add-app-roles-in-azure-ad-apps.md)
+- [Azure Identity Management and access control security best practices](../../security/fundamentals/identity-management-best-practices.md)
