Merge pull request #99804 from CaitlinV39/master

2 New Pages & Resource Page Update

Author: megvanhuygen

articles/healthcare-apis/TOC.yml

@@ -24,14 +24,17 @@
 - name: Tutorials
   expanded: false
   items:
-  - name: 1. Get started with Azure API for FHIR
-    href: tutorial-2-setup-environment.md
-  - name: 2. Set up application configuration
-    href: tutorial-1-decision-flow.md
-  - name: 3. Configure additional settings
-    href: azure-api-for-fhir-additional-settings.md
-  - name: 4. Write an application
-    href: tutorial-3-connect-to-endpoint.md
+  - name: Write an application to connect to FHIR endpoint
+    expanded: false
+    items:
+    - name: 1. Get started with Azure API for FHIR
+      href: tutorial-2-setup-environment.md
+    - name: 2. Set up application configuration
+      href: tutorial-1-decision-flow.md
+    - name: 3. Configure additional settings
+      href: azure-api-for-fhir-additional-settings.md
+    - name: 4. Write an application
+      href: tutorial-3-connect-to-endpoint.md
   - name: Access FHIR API with Postman
     href: access-fhir-postman-tutorial.md
   - name: Use SMART on FHIR proxy

articles/healthcare-apis/fhir-paas-portal-quickstart.md

@@ -44,17 +44,16 @@ Confirm creation and await FHIR API deployment.
 
 ## Additional settings
 
-Click **Next: Additional settings** to configure the authority, audience, identity object IDs that should be allowed to access this Azure API for FHIR, enable SMART on FHIR if needed, and configure Cosmos DB throughput:
+Click **Next: Additional settings** to configure the authority, audience, identity object IDs that should be allowed to access this Azure API for FHIR, enable SMART on FHIR if needed, and configure database throughput:
 
 - **Authority:** You can specify different Azure AD tenant from the one that you are logged into as authentication authority for the service.
 - **Audience:** You can specify audience, that is different from https:\//azurehealthcareapis.com.
-- **Allowed object IDs:** You can specify identity object IDs that should be allowed to access this Azure API for FHIR  
+- **Allowed object IDs:** You can specify identity object IDs that should be allowed to access this Azure API for FHIR. You can learn more on finding the object id for users and service principals in the [Find identity object IDs](find-identity-object-ids.md) how-to guide.  
 - **Smart On FHIR proxy:** You can enable SMART on FHIR proxy. For details on how to configure SMART on FHIR proxy see tutorial [Azure API for FHIR SMART on FHIR proxy](https://docs.microsoft.com/azure/healthcare-apis/use-smart-on-fhir-proxy)  
-- **Cosmos DB throughput:** Azure API for FHIR relies on Cosmos DB as its underlying database. Here you can specify Cosmos DB throughput settings for your Azure API for FHIR. You can change this setting later in the Cosmos DB blade. For details on Cosmos DB RUs please read [Request Units in Azure Cosmos DB](https://docs.microsoft.com/azure/cosmos-db/request-units)
+- **Provisioned throughput (RU/s):** Here you can specify throughput settings for the underlying database for your Azure API for FHIR. You can change this setting later in the Database blade. For more details, please see the [configure database settings](configure-database.md) page.
 
-![Configure allowed object IDs](media/quickstart-paas-portal/configure-audience.png)
 
-See [how to find identity object IDs](find-identity-object-ids.md) for details on how to locate identity object IDs for users and service principals.
+![Configure allowed object IDs](media/quickstart-paas-portal/configure-audience.png)
 
 ## Fetch FHIR API capability statement
 

articles/healthcare-apis/media/public-client-app/api-permissions.PNG

@@ -12,7 +12,7 @@ ms.author: mihansen
 
 # Register a public client application in Azure Active Directory
 
-In this article, you'll learn how to register a public application in Azure Active Directory. This is preparation for deploying FHIR API in Azure.  
+In this article, you'll learn how to register a public application in Azure Active Directory.  
 
 Client application registrations are Azure Active Directory representations of applications that can authenticate and ask for API permissions on behalf of a user. Public clients are applications such as mobile applications and single page javascript applications that can't keep secrets confidential. The procedure is similar to [registering a confidential client](register-confidential-azure-ad-client-app.md), but since public clients can't be trusted to hold an application secret, there's no need to add one.
 
@@ -28,7 +28,7 @@ Client application registrations are Azure Active Directory representations of a
 
 ## Application registration overview
 
-1. Give the application with a display name.
+1. Give the application a display name.
 
 2. Provide a reply URL. The reply URL is where authentication codes will be returned to the client application. You can add more reply URLs and edit existing ones later.
 
@@ -38,15 +38,22 @@ Client application registrations are Azure Active Directory representations of a
 
 Similarly to the [confidential client application](register-confidential-azure-ad-client-app.md), you'll need to select which API permissions this application should be able to request on behalf of users:
 
-1. Open the **API permissions** and select your [FHIR API Resource Application Registration](register-resource-azure-ad-client-app.md):
+1. Open the **API permissions**. If you are using the Azure API for FHIR, you will add a permission to the Azure Healthcare APIs by searching for Azure Healthcare APIs under **APIs my organization uses** (image below). If you are referencing a different Resource Application, select your [FHIR API Resource Application Registration](register-resource-azure-ad-client-app.md) that you created previously under **My APIs**:
 
-    ![Azure portal. New public API Permissions.](media/how-to-aad/portal-aad-register-new-app-registration-PUB-CLIENT-API-PERMISSIONS.png)
+    ![Azure portal. New public API permissions - Azure API for FHIR Default](media/public-client-app/api-permissions.png)
 
-2. Select the scopes that you would like the application to be able to request.
+
+2. Select the permissions that you would like the application to be able to request:
+    ![Azure portal. App permissions](media/public-client-app/app-permissions.png)
+
+## Validate FHIR server authority
+If the application you registered in this article and your FHIR server are in the same Azure AD tenant, you are good to proceed to the next steps.
+
+If you configure your client application in a different Azure AD tenant from your FHIR server, you will need to update the **Authority**. In Azure API for FHIR, you do set the Authority under Settings --> Authentication. Set your Authority to **https://login.microsoftonline.com/\<TENANT-ID>**.
 
 ## Next steps
 
-In this article, you've learned how to register a public client application in Azure Active Directory. Next, learn more about using SMART on FHIR.
+In this article, you've learned how to register a public client application in Azure Active Directory. Next, test access to your FHIR server using Postman.
 
 >[!div class="nextstepaction"]
->[Azure API for FHIR SMART on FHIR proxy](use-smart-on-fhir-proxy.md)
+>[Access Azure API for FHIR with Postman](access-fhir-postman-tutorial.md)

articles/healthcare-apis/media/public-client-app/app-permissions.PNG

@@ -14,6 +14,8 @@ ms.author: mihansen
 
 In this article, you'll learn how to register a resource (or API) application in Azure Active Directory. A resource application is an Azure Active Directory representation of the FHIR server API itself and client applications can request access to the resource when authenticating. The resource application is also known as the *audience* in OAuth parlance.
 
+If you are using the Azure API for FHIR, a resource application is automatically created when you deploy the service. As long as you are using the Azure API for FHIR in the same Azure Active Directory tenant as you are deploying your application, you can skip this how-to-guide and instead deploy your Azure API for FHIR to get started.
+
 ## App registrations in Azure portal
 
 1. In the [Azure portal](https://portal.azure.com), on the left navigation panel, click **Azure Active Directory**.
@@ -40,9 +42,9 @@ A resource application has an identifier URI (Application ID URI), which clients
 
 3. Enter the identifier URI and click **Save**. A good identifier URI would be the URI of your FHIR server.
 
-4. Click **Add a scope** and add any scopes that you would like to define for your API. Azure AD does not currently allow slashes (`/`) in scope names. We recommend using `$` instead. A scope like `patient/*.read` would be `patient$*.read`.
+4. Click **Add a scope** and add any scopes that you would like to define for your API. You are required to add at least one scope in order to grant permissions to your resource application in the future. If you don't have any specific scopes you want to add, you can add user_impersonation as a scope.
 
-    ![Audience and scope](media/how-to-aad/portal-aad-register-new-app-registration-AUD-SCOPE.png)
+![Audience and scope](media/how-to-aad/portal-aad-register-new-app-registration-AUD-SCOPE.png)
 
 ## Define application roles