
Commit d64fec6

Merge pull request #241102 from medhir/update-authz-recommendations
Update authz guidance across Azure AD developer docs
2 parents e8affbf + a96e3ed commit d64fec6


7 files changed

+8
-3
lines changed


articles/active-directory/develop/app-sign-in-flow.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -74,6 +74,7 @@ For other topics covering authentication and authorization basics:
7474
* See [Authentication vs. authorization](authentication-vs-authorization.md) to learn about the basic concepts of authentication and authorization in Microsoft identity platform.
7575
* See [Security tokens](security-tokens.md) to learn how access tokens, refresh tokens, and ID tokens are used in authentication and authorization.
7676
* See [Application model](application-model.md) to learn about the process of registering your application so it can integrate with Microsoft identity platform.
77+
* See [Secure applications and APIs by validating claims](./claims-validation.md) to learn about how to securely use token claims for authorization logic in your applications.
7778

7879
To learn more about app sign-in flow:
7980
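Review bot: the new bullet's link target `./claims-validation.md` carries a `./` prefix while the three sibling bullets in this list link as bare filenames (`authentication-vs-authorization.md`, `security-tokens.md`, `application-model.md`); both forms resolve the same way, but matching the existing form keeps the list consistent. The wording otherwise follows the list's "See X to learn ..." pattern.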

articles/active-directory/develop/application-model.md

Lines changed: 1 addition & 0 deletions
@@ -77,6 +77,7 @@ For more information about authentication and authorization in the Microsoft ide
7777
* To learn about the basic concepts of authentication and authorization, see [Authentication vs. authorization](authentication-vs-authorization.md).
7878
* To learn how access tokens, refresh tokens, and ID tokens are used in authentication and authorization, see [Security tokens](security-tokens.md).
7979
* To learn about the sign-in flow of web, desktop, and mobile apps, see [App sign-in flow](app-sign-in-flow.md).
80+
* To learn about proper authorization using token claims, see [Secure applications and APIs by validating claims](./claims-validation.md)
8081

8182
For more information about the application model, see the following articles:
8283
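Review bot: the added bullet is missing its terminal period, unlike the three bullets above it that all end with one; add the period after `(./claims-validation.md)`. The `./` link prefix also differs from the bare filenames used by the sibling bullets in this list.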

articles/active-directory/develop/authentication-vs-authorization.md

Lines changed: 1 addition & 0 deletions
@@ -60,3 +60,4 @@ For other topics that cover authentication and authorization basics:
6060

6161
* To learn how access tokens, refresh tokens, and ID tokens are used in authorization and authentication, see [Security tokens](security-tokens.md).
6262
* To learn about the process of registering your application so it can integrate with the Microsoft identity platform, see [Application model](application-model.md).
63+
* To learn about proper authorization using token claims, see [Secure applications and APIs by validating claims](./claims-validation.md)
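Review bot: the added bullet ends without a period while both bullets above it end with one. Since this line is appended as the last line of the file, also confirm the file keeps its trailing newline after the new bullet.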

articles/active-directory/develop/authorization-basics.md

Lines changed: 2 additions & 1 deletion
@@ -58,7 +58,7 @@ One method for achieving ABAC with Azure Active Directory is using [dynamic grou
5858

5959
Authorization logic is often implemented within the applications or solutions where access control is required. In many cases, application development platforms offer middleware or other API solutions that simplify the implementation of authorization. Examples include use of the [AuthorizeAttribute](/aspnet/core/security/authorization/simple?view=aspnetcore-5.0&preserve-view=true) in ASP.NET or [Route Guards](./scenario-spa-sign-in.md?tabs=angular2#sign-in-with-a-pop-up-window) in Angular.
6060

61-
For authorization approaches that rely on information about the authenticated entity, an application evaluates information exchanged during authentication. For example, by using the information that was provided within a [security token](./security-tokens.md). For information not contained in a security token, an application might make extra calls to external resources.
61+
For authorization approaches that rely on information about the authenticated entity, an application evaluates information exchanged during authentication. For example, by using the information that was provided within a [security token](./security-tokens.md). If you are planning on using information from tokens for authorization, we recommend following [this guidance on properly securing apps through claims validation](./claims-validation.md). in For information not contained in a security token, an application might make extra calls to external resources.
6262

6363
It's not strictly necessary for developers to embed authorization logic entirely within their applications. Instead, dedicated authorization services can be used to centralize authorization implementation and management.
6464

@@ -68,3 +68,4 @@ It's not strictly necessary for developers to embed authorization logic entirely
6868
- To learn about custom role-based access control implementation in applications, see [Role-based access control for application developers](./custom-rbac-for-developers.md).
6969
- To learn about the process of registering your application so it can integrate with the Microsoft identity platform, see [Application model](./application-model.md).
7070
- For an example of configuring simple authentication-based authorization, see [Configure your App Service or Azure Functions app to use Azure AD login](../../app-service/configure-authentication-provider-aad.md).
71+
- To learn about proper authorization using token claims, see [Secure applications and APIs by validating claims](./claims-validation.md)
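Review bot: the added bullet lacks the terminal period that the other three `-` bullets in this list have; also, with the file ending on this line, confirm a trailing newline is kept.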

articles/active-directory/develop/custom-rbac-for-developers.md

Lines changed: 1 addition & 0 deletions
@@ -80,3 +80,4 @@ Although either app roles or groups can be used for authorization, key differenc
8080
## Next steps
8181

8282
- [Azure Identity Management and access control security best practices](../../security/fundamentals/identity-management-best-practices.md)
83+
- To learn about proper authorization using token claims, see [Secure applications and APIs by validating claims](./claims-validation.md)
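Review bot: the Next steps list in this file holds a bare link item (`- [Azure Identity Management and access control security best practices](../../security/fundamentals/identity-management-best-practices.md)`), and the new item is a full sentence without a terminal period. Consider matching the existing form, e.g. `- [Secure applications and APIs by validating claims](./claims-validation.md)`, or at least adding the period.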

articles/active-directory/develop/howto-add-app-roles-in-apps.md

Lines changed: 1 addition & 1 deletion
@@ -25,7 +25,7 @@ Another approach is to use Azure Active Directory (Azure AD) groups and group cl
2525

2626
## Declare roles for an application
2727

28-
You define app roles by using the [Azure portal](https://portal.azure.com) during the [app registration process](quickstart-register-app.md). App roles are defined on an application registration representing a service, app or API. When a user signs in to the application, Azure AD emits a `roles` claim for each role that the user or service principal has been granted. This can be used to implement claim-based authorization. App roles can be assigned [to a user or a group of users](../manage-apps/add-application-portal-assign-users.md). App roles can also be assigned to the service principal for another application, or [to the service principal for a managed identity](../managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell.md).
28+
You define app roles by using the [Azure portal](https://portal.azure.com) during the [app registration process](quickstart-register-app.md). App roles are defined on an application registration representing a service, app or API. When a user signs in to the application, Azure AD emits a `roles` claim for each role that the user or service principal has been granted. This can be used to implement [claim-based authorization](./claims-validation.md). App roles can be assigned [to a user or a group of users](../manage-apps/add-application-portal-assign-users.md). App roles can also be assigned to the service principal for another application, or [to the service principal for a managed identity](../managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell.md).
2929

3030
Currently, if you add a service principal to a group, and then assign an app role to that group, Azure AD doesn't add the `roles` claim to tokens it issues.
3131

articles/active-directory/develop/id-tokens.md

Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,7 @@ ms.custom: aaddev, curation-claims
1818

1919
The authorization server issues ID tokens that contain claims that carry information about the user. They can be sent alongside or instead of an access token. Information in ID tokens enables the client to verify that a user is who they claim to be.
2020

21-
Third-party applications are intended to understand ID tokens. ID tokens shouldn't be used for authorization purposes. Access tokens are used for authorization. The claims provided by ID tokens can be used for UX inside your application, as keys in a database, and providing access to the client application. For more information about the claims used in an ID token, see the [ID token claims reference](id-token-claims-reference.md).
21+
Third-party applications are intended to understand ID tokens. ID tokens shouldn't be used for authorization purposes. Access tokens are used for authorization. The claims provided by ID tokens can be used for UX inside your application, as keys in a database, and providing access to the client application. For more information about the claims used in an ID token, see the [ID token claims reference](id-token-claims-reference.md). For more information about claims-based authorization, see [Secure applications and APIs by validating claims](./claims-validation.md).
2222

2323
## Token formats
2424
