Merge pull request #221005 from cilwerner/content-health-1

ttorble · web-flow · commit d154c3b700ce · 2022-12-12T11:57:47.000Z
[GTD][Core Content] Remove .NET 3.1 references from scenario-protected-web-api-app-configuration.md
diff --git a/articles/active-directory/develop/scenario-protected-web-api-app-configuration.md b/articles/active-directory/develop/scenario-protected-web-api-app-configuration.md
@@ -8,7 +8,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
-ms.date: 05/12/2022
+ms.date: 12/09/2022
 ms.author: jmprieur
 #Customer intent: As an application developer, I want to know how to write a protected web API using the Microsoft identity platform for developers.
 ---
@@ -23,7 +23,7 @@ To configure the code for your protected web API, understand:
 
 ## What defines ASP.NET and ASP.NET Core APIs as protected?
 
-Like web apps, the ASP.NET and ASP.NET Core web APIs are protected because their controller actions are prefixed with the **[Authorize]** attribute. The controller actions can be called only if the API is called with an authorized identity.
+Like web apps, ASP.NET and ASP.NET Core web APIs are protected because their controller actions are prefixed with the **[Authorize]** attribute. The controller actions can be called only if the API is called with an authorized identity.
 
 Consider the following questions:
 
@@ -49,7 +49,7 @@ HttpResponseMessage response = await _httpClient.GetAsync(apiUri);
 ```
 
 > [!IMPORTANT]
-> A client application requests the bearer token to the Microsoft identity platform *for the web API*. The web API is the only application that should verify the token and view the claims it contains. Client apps should never try to inspect the claims in tokens.
+> A client application requests the bearer token to the Microsoft identity platform *for the web API*. The API is the only application that should verify the token and view the claims it contains. Client apps should never try to inspect the claims in tokens.
 > 
 > In the future, the web API might require that the token be encrypted. This requirement would prevent access for client apps that can view access tokens.
 
@@ -59,21 +59,17 @@ This section describes how to configure a bearer token.
 
 ### Config file
 
+You need to specify the `TenantId` only if you want to accept access tokens from a single tenant (line-of-business app). Otherwise, it can be left as `common`. The different values can be:
+  - A GUID (Tenant ID = Directory ID)
+  - `common` can be any organization and personal accounts
+  - `organizations` can be any organization
+  - `consumers` are Microsoft personal accounts
+
 ```Json
 {
   "AzureAd": {
     "Instance": "https://login.microsoftonline.com/",
-    "ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
-    /*
-      You need specify the TenantId only if you want to accept access tokens from a single tenant
-     (line-of-business app).
-      Otherwise, you can leave them set to common.
-      This can be:
-      - A GUID (Tenant ID = Directory ID)
-      - 'common' (any organization and personal accounts)
-      - 'organizations' (any organization)
-      - 'consumers' (Microsoft personal accounts)
-    */
+    "ClientId": "Enter_the_Application_(client)_ID_here"
     "TenantId": "common"
   },
   "Logging": {
@@ -85,19 +81,18 @@ This section describes how to configure a bearer token.
 }
 ```
 
-#### Case where you used a custom App ID URI for your web API
+#### Using a custom App ID URI for a web API
 
-If you've accepted the default App ID URI proposed by the Azure portal, you don't need to specify the audience (see [Application ID URI and scopes](scenario-protected-web-api-app-registration.md#scopes-and-the-application-id-uri)). Otherwise, add an `Audience` property whose value is the App ID URI for your web API.
+If you've accepted the default App ID URI proposed by the Azure portal, you don't need to specify the audience (see [Application ID URI and scopes](scenario-protected-web-api-app-registration.md#scopes-and-the-application-id-uri)). Otherwise, add an `Audience` property whose value is the App ID URI for your web API. This typically starts with `api://`.
 
 ```Json
 {
   "AzureAd": {
     "Instance": "https://login.microsoftonline.com/",
-    "ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
+    "ClientId": "Enter_the_Application_(client)_ID_here",
     "TenantId": "common",
-    "Audience": "custom App ID URI for your web API"
+    "Audience": "Enter_the_Application_ID_URI_here"
   },
-  // more lines
 }
 ```
 
@@ -109,7 +104,7 @@ When an app is called on a controller action that holds an **[Authorize]** attri
 
 Microsoft recommends you use the [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web) NuGet package when developing a web API with ASP.NET Core.
 
-_Microsoft.Identity.Web_ provides the glue between ASP.NET Core, the authentication middleware, and the [Microsoft Authentication Library (MSAL)](msal-overview.md) for .NET. It allows for a clearer, more robust developer experience and leverages the power of the Microsoft identity platform and Azure AD B2C.
+*Microsoft.Identity.Web* provides the glue between ASP.NET Core, the authentication middleware, and the [Microsoft Authentication Library (MSAL)](msal-overview.md) for .NET. It allows for a clearer, more robust developer experience and leverages the power of the Microsoft identity platform and Azure AD B2C.
 
 #### ASP.NET for .NET 6.0
 
@@ -124,7 +119,7 @@ dotnet new webapi --auth SingleOrg
 
 **Visual Studio** - To create a web API project in Visual Studio, select **File** > **New** > **Project** > **ASP.NET Core Web API**.
 
-Both the .NET CLI and Visual Studio project templates create a _Program.cs_ file that looks similar this code snippet. Notice the `Microsoft.Identity.Web` using directive and the lines containing authentication and authorization.
+Both the .NET CLI and Visual Studio project templates create a *Program.cs* file that looks similar to this code snippet. Notice `Microsoft.Identity.Web` using directive and the lines containing authentication and authorization.
 
 ```csharp
 using Microsoft.AspNetCore.Authentication;
@@ -161,62 +156,6 @@ app.MapControllers();
 app.Run();
 ```
 
-#### ASP.NET Core 3.1
-
-
-To create a new web API project by using the Microsoft.Identity.Web-enabled project templates in ASP.NET Core 3.1, see [Microsoft.Identity.Web - Web API project template](https://aka.ms/ms-id-web/webapi-project-templates).
-
-To add Microsoft.Identity.Web to an existing ASP.NET Core 3.1 web API project, add this using directive to your _Program.cs_ file:
-
-ASP.NET Core 3.1 uses the Microsoft.AspNetCore.Authentication.JwtBearer library. The middleware is initialized in the Startup.cs file.
-
-```csharp
-using Microsoft.AspNetCore.Authentication.JwtBearer;
-```
-
-The middleware is added to the web API by this instruction:
-
-```csharp
-// This method gets called by the runtime. Use this method to add services to the container.
-public void ConfigureServices(IServiceCollection services)
-{
-  services.AddAuthentication(AzureADDefaults.JwtBearerAuthenticationScheme)
-          .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
-}
-```
-
- Currently, the ASP.NET Core templates create Azure Active Directory (Azure AD) web APIs that sign in users within your organization or any organization. They don't sign in users with personal accounts. However, you can change the templates to use the Microsoft identity platform by using [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web) replacing the code in *Startup.cs*:
-
-```csharp
-using Microsoft.Identity.Web;
-```
-
-```csharp
-public void ConfigureServices(IServiceCollection services)
-{
- // Adds Microsoft Identity platform (AAD v2.0) support to protect this API
- services.AddAuthentication(AzureADDefaults.JwtBearerAuthenticationScheme)
-             .AddMicrosoftIdentityWebApi(Configuration, "AzureAd");
-
- services.AddControllers();
-}
-```
-
-Make sure you have `app.UseAuthentication()` and `app.UseAuthorization()` in the `Configure` method.
-
-```csharp
-public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
-{
- // More code here
- app.UseAuthentication();
- app.UseAuthorization();
-
- // More code here
-```
-
-> [!NOTE]
-> If you use Microsoft.Identity.Web and don't set the `Audience` in *appsettings.json*, `$"{ClientId}"` is automatically used if you have set the [access token accepted version](scenario-protected-web-api-app-registration.md#accepted-token-version) to `2`, or for Azure AD B2C web APIs.
-
 ## Token validation
 
 In the preceding snippet, the JwtBearer middleware, like the OpenID Connect middleware in web apps, validates the token based on the value of `TokenValidationParameters`. The token is decrypted as needed, the claims are extracted, and the signature is verified. The middleware then validates the token by checking for this data:
@@ -246,7 +185,7 @@ This table describes the validators:
 
 #### Customizing token validation
 
-The validators are associated with properties of the **TokenValidationParameters** class. The properties are initialized from the ASP.NET and ASP.NET Core configuration.
+The validators are associated with properties of the *TokenValidationParameters* class. The properties are initialized from the ASP.NET and ASP.NET Core configuration.
 
 In most cases, you don't need to change the parameters. Apps that aren't single tenants are exceptions. These web apps accept users from any organization or from personal Microsoft accounts. Issuers in this case must be validated. Microsoft.Identity.Web takes care of the issuer validation as well.
 
