Merge pull request #229819 from v-edmckillop/patch-136

v-regandowner · web-flow · commit d032b89a3303 · 2023-03-08T14:50:13.000-05:00
Update partner-azure-web-application-firewall.md
diff --git a/articles/active-directory-b2c/partner-azure-web-application-firewall.md b/articles/active-directory-b2c/partner-azure-web-application-firewall.md
@@ -1,102 +1,104 @@
 ---
 title: Tutorial to configure Azure Active Directory B2C with Azure Web Application Firewall
 titleSuffix: Azure AD B2C
-description: Tutorial to configure Azure Active Directory B2C with Azure Web application firewall to protect your applications from malicious attacks 
+description: Learn to configure Azure AD B2C with Azure Web Application Firewall to protect applications from malicious attacks 
 services: active-directory-b2c
 author: gargi-sinha
-manager: CelesteDG
+manager: martinco
 ms.reviewer: kengaderdus
-
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 08/17/2021
+ms.date: 03/08/2023
 ms.author: gasinh
 ms.subservice: B2C
 ---
 
-# Tutorial: Configure Azure Web Application Firewall with Azure Active Directory B2C
+# Tutorial: Configure Azure Active Directory B2C with Azure Web Application Firewall
 
-In this sample tutorial, learn how to enable [Azure Web Application Firewall (WAF)](https://azure.microsoft.com/services/web-application-firewall/#overview) solution for Azure Active Directory (AD) B2C tenant with custom domain. Azure WAF provides centralized protection of your web applications from common exploits and vulnerabilities.
+Learn how to enable the Azure Web Application Firewall (WAF) service for an Azure Active Directory B2C (Azure AD B2C) tenant, with a custom domain. WAF protects web applications from common exploits and vulnerabilities.
 
->[!NOTE]
->This feature is in public preview.
+See, [What is Azure Web Application Firewall?](../web-application-firewall/overview.md)
 
 ## Prerequisites
 
-To get started, you'll need:
-
-- An Azure subscription – If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-
-- [An Azure AD B2C tenant](tutorial-create-tenant.md) – The authorization server, responsible for verifying the user’s credentials using the custom policies defined in the tenant.  It's also known as the identity provider.
+To get started, you need:
 
-- [Azure Front Door (AFD)](../frontdoor/index.yml) – Responsible for enabling custom domains for Azure AD B2C tenant.  
+* An Azure subscription
+* If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)
+* **An Azure AD B2C tenant** – authorization server that verifies user credentials using custom policies defined in the tenant
+  * Also known as the identity provider (IdP)
+  * See, [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md) 
+* **Azure Front Door (AFD)** – enables custom domains for the Azure AD B2C tenant
+  * See, [Azure Front Door and CDN documentation](../frontdoor/index.yml)
+* **WAF** – manages traffic sent to the authorization server
+  * [Azure Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/#overview)
 
-- [Azure WAF](https://azure.microsoft.com/services/web-application-firewall/#overview) – Manages all traffic that is sent to the authorization server.
+## Custom domains in Azure AD B2C
 
-## Azure AD B2C setup
+To use custom domains in Azure AD B2C, use the custom domain features in AFD. See, [Enable custom domains for Azure AD B2C](./custom-domain.md?pivots=b2c-user-flow).  
 
-To use custom domains in Azure AD B2C, it's required to use custom domain feature provided by AFD. Learn how to [enable Azure AD B2C custom domains](./custom-domain.md?pivots=b2c-user-flow).  
+   > [!IMPORTANT]
+   > After you configure the custom domain, see [Test your custom domain](./custom-domain.md?pivots=b2c-custom-policy#test-your-custom-domain).  
 
-After custom domain for Azure AD B2C is successfully configured using AFD, [test the custom domain](./custom-domain.md?pivots=b2c-custom-policy#test-your-custom-domain) before proceeding further.  
+## Enable WAF
 
-## Onboard with Azure WAF
-
-To enable Azure WAF, configure a WAF policy and associate that policy to the AFD for protection.
+To enable WAF, configure a WAF policy and associate it with the AFD for protection.
 
 ### Create a WAF policy
 
-Create a basic WAF policy with managed Default Rule Set (DRS) in the [Azure portal](https://portal.azure.com).
-
-1. Go to the [Azure portal](https://portal.azure.com). Select **Create a resource** and then search for Azure WAF. Select **Azure Web Application Firewall (WAF)** > **Create**.
+Create a WAF policy with Azure-managed default rule set (DRS). See, [Web Application Firewall DRS rule groups and rules](../web-application-firewall/afds/waf-front-door-drs.md).
 
-2. Go to the **Create a WAF policy** page, select the **Basics** tab. Enter the following information, accept the defaults for the remaining settings.
+1. Go to the [Azure portal](https://portal.azure.com). 
+2. Select **Create a resource**.
+3. Search for Azure WAF. 
+4. Select **Azure Web Application Firewall (WAF)**.
+5. Select **Create**.
+6. Go to the **Create a WAF policy** page.
+7. Select the **Basics** tab. 
+8. For **Policy for**, select **Global WAF (Front Door)**.
+9. For **Front Door SKU**, select between **Basic**, **Standard**, or **Premium** SKU.
+10. For **Subscription**, select your Front Door subscription name.
+11. For **Resource group**, select your Front Door resource group name.
+12. For **Policy name**, enter a unique name for your WAF policy.
+13. For **Policy state**, select **Enabled**.
+14. For **Policy mode**, select **Detection**.
+15. Select **Review + create**.
+16. Go to the **Association** tab of the Create a WAF policy page.
+17. Select **+ Associate a Front Door profile**.
+18. For **Front Door**, select your Front Door name associated with Azure AD B2C custom domain.
+19. For **Domains**, select the Azure AD B2C custom domains to associate the WAF policy to.
+20. Select **Add**.
+21. Select **Review + create**.
+22. Select **Create**.
 
-| Value | Description |
-|:--------|:-------|
-| Policy for | Global WAF (Front Door)|
-| Front Door SKU | Select between Basic, Standard, or Premium SKU |
-|Subscription | Select your Front Door subscription name |
-| Resource group | Select your Front Door resource group name |
-| Policy name | Enter a unique name for your WAF policy |
-| Policy state | Set as Enabled |
-| Policy mode | Set as Detection |
+### Detection and Prevention modes
 
-3. Select **Review + create**
+When you create WAF policy, the policy is in Detection mode. We recommend you don't disable Detection mode. In this mode, WAF doesn't block requests. Instead, requests that match the WAF rules are logged in the WAF logs. 
 
-4. Go to the **Association** tab of the Create a WAF policy page, select + **Associate a Front Door profile**, enter the following settings
+Learn more: [Azure Web Application Firewall monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md)
 
-| Value | Description |
-|:----|:------|
-| Front Door | Select your Front Door name associated with Azure AD B2C custom domain |
-| Domains | Select the Azure AD B2C custom domains you want to associate the WAF policy to|
+The following query shows the requests blocked by the WAF policy in the past 24 hours. The details include, rule name, request data, action taken by the policy, and the policy mode.
+   
+   ![Screenshot of blocked requests.](./media/partner-azure-web-application-firewall/blocked-requests-query.png)
 
-5. Select **Add**.
+   ![Screenshot of blocked requests details, such as Rule ID, Action, Mode, etc.](./media/partner-azure-web-application-firewall/blocked-requests-details.png)
 
-6. Select **Review + create**, then select **Create**.
+Review the WAF logs to determine if policy rules cause false positives. Then, exclude the WAF rules based on the WAF logs.
 
-### Change policy mode from detection to prevention
+Learn more: [Define exclusion rules based on Web Application Firewall logs](../web-application-firewall/afds/waf-front-door-exclusion.md#define-exclusion-based-on-web-application-firewall-logs)
 
-When a WAF policy is created, by default the policy is in Detection mode. In Detection mode, WAF doesn't block any requests, instead, requests matching the WAF rules are logged in the WAF logs. For more information about WAF logging, see [Azure WAF monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md).
+#### Switching modes
 
-The sample query shows all the requests that were blocked by the WAF policy in the past 24 hours. The details include, rule name, request data, action taken by the policy, and the policy mode.
+To see WAF operating, select **Switch to prevention mode**, which changes the mode from Detection to Prevention. Requests that match the rules in the DRS are blocked and logged in the WAF logs.
 
-![Image shows the blocked requests](./media/partner-azure-web-application-firewall/blocked-requests-query.png)
+  ![Screenshot of options and selections for DefaultRuleSet under Web Application Firewall policies.](./media/partner-azure-web-application-firewall/switch-to-prevention-mode.png)
 
-![Image shows the blocked requests details](./media/partner-azure-web-application-firewall/blocked-requests-details.png)
+To revert to Detection mode, select **Switch to detection mode**.
 
-It's recommended that you let the WAF capture requests in Detection mode. Review the WAF logs to determine if there are any rules in the policy that are causing false positive results. Then after [exclude the WAF rules based on the WAF logs](../web-application-firewall/afds/waf-front-door-exclusion.md#define-exclusion-based-on-web-application-firewall-logs).
-
-To see WAF in action, use Switch to prevention mode to change from Detection to Prevention mode. All requests that match the rules defined in the Default Rule Set (DRS) are blocked and logged in the WAF logs.
-
-![Image shows the switch to prevention mode](./media/partner-azure-web-application-firewall/switch-to-prevention-mode.png)
-
-In case you want to switch back to the detection mode, you can do so by using Switch to detection mode option.
-
-![Image shows the switch to detection mode](./media/partner-azure-web-application-firewall/switch-to-detection-mode.png)
+  ![Screenshot of DefaultRuleSet with Switch to detection mode.](./media/partner-azure-web-application-firewall/switch-to-detection-mode.png)
 
 ## Next steps
 
-- [Azure WAF monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md)
-
-- [WAF with Front Door service exclusion lists](../web-application-firewall/afds/waf-front-door-exclusion.md)
+* [Azure Web Application Firewall monitoring and logging](../web-application-firewall/afds/waf-front-door-monitor.md)
+* [Web Application Firewall (WAF) with Front Door exclusion lists](../web-application-firewall/afds/waf-front-door-exclusion.md)
