Commit d8ed85d

editing
1 parent 2e9be2a commit d8ed85d

4 files changed (+20, -24 lines)

articles/service-bus-messaging/service-bus-migrate-azure-credentials.md

Lines changed: 10 additions & 10 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Migrate applications to use passwordless authentication with Azure Service Bus
33
titleSuffix: Azure Service Bus
4-
description: Learn to migrate existing service bus applications away from connection strings to use Azure AD and Azure RBAC for enhanced security.
4+
description: Learn to migrate existing Service Bus applications away from connection strings to use Azure AD and Azure RBAC for enhanced security.
55
author: alexwolfmsft
66
ms.author: alexwolf
77
ms.reviewer: randolphwest
@@ -22,9 +22,9 @@ ms.devlang: csharp
2222

2323
Application requests to Azure Service Bus must be authenticated using either account access keys or passwordless connections. However, you should prioritize passwordless connections in your applications when possible. This tutorial explores how to migrate from traditional authentication methods to more secure, passwordless connections.
2424

25-
## Security risks associated with connection strings
25+
## Security risks associated with access keys
2626

27-
The following code example demonstrates how to connect to Azure Service Bus using a connection string. When you create a Service Bus Namespace, Azure generates connection strings automatically. Many developers gravitate towards this solution because it feels familiar to options they have worked with in the past. If your application currently uses connection strings, consider migrating to passwordless connections using the steps described later in this document.
27+
The following code example demonstrates how to connect to Azure Service Bus using a connection string that includes an access key. When you create a Service Bus, Azure generates these keys and connection strings automatically. Many developers gravitate towards this solution because it feels familiar to options they have worked with in the past. If your application currently uses connection strings, consider migrating to passwordless connections using the steps described in this document.
2828

2929
```csharp
3030
var serviceBusClient = new ServiceBusClient("<NAMESPACE-CONNECTION-STRING>", clientOptions);
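Review bot: The rewrite at line 27 drops "namespace" ("When you create a Service Bus, Azure generates these keys"); the rest of the file says "Service Bus namespace" (lines 49, 82) and the keys belong to the namespace, so restore it. Separately, the heading now promises "Security risks associated with access keys" but the paragraph only describes how a connection string is used and never names a risk; one sentence saying that the key embedded in the string is a long-lived shared secret, usable by anyone who obtains the string from source, config or logs until it is rotated, would make the section match its title.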
@@ -46,7 +46,7 @@ The following steps explain how to migrate an existing application to use passwo
4646

4747
### Sign-in and migrate the app code to use passwordless connections
4848

49-
For local development, make sure you're authenticated with the same Azure AD account you assigned the role to for the service bus namespace. You can authenticate via the Azure CLI, Visual Studio, Azure PowerShell, or other tools such as IntelliJ.
49+
For local development, make sure you're authenticated with the same Azure AD account you assigned the role to for the Service Bus namespace. You can authenticate via the Azure CLI, Visual Studio, Azure PowerShell, or other tools such as IntelliJ.
5050

5151
[!INCLUDE [default-azure-credential-sign-in](../../includes/passwordless/default-azure-credential-sign-in.md)]
5252

@@ -74,12 +74,12 @@ Next you will need to update your code to use passwordless connections.
7474

7575
//TODO: Replace the "<NAMESPACE-NAME>" placeholder.
7676
client = new ServiceBusClient(
77-
"<NAMESPACE-NAME>.servicebus.windows.net",
77+
"<SERVICE-BUS-NAMESPACE-NAME>.servicebus.windows.net",
7878
new DefaultAzureCredential(),
7979
clientOptions);
8080
```
8181

82-
1. Make sure to update the service bus namespace in the URI of your `ServiceBusClient`. You can find the namespace on the overview page of the Azure portal.
82+
1. Make sure to update the Service Bus namespace in the URI of your `ServiceBusClient`. You can find the namespace on the overview page of the Azure portal.
8383

8484
#### Run the app locally
8585

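Review bot: The placeholder in the code at line 77 is renamed to "<SERVICE-BUS-NAMESPACE-NAME>", but the TODO comment at line 75 (unchanged context) still says `//TODO: Replace the "<NAMESPACE-NAME>" placeholder.`, so readers are told to replace a placeholder that no longer appears in the snippet. Update the comment to the new name; line 82 ("update the Service Bus namespace in the URI") should then refer to the same placeholder as well.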
@@ -189,19 +189,19 @@ az vm identity assign \
189189

190190
#### Assign roles to the managed identity
191191

192-
Next, you need to grant permissions to the managed identity you created to access your service bus. You can do this by assigning a role to the managed identity, just like you did with your local development user.
192+
Next, you need to grant permissions to the managed identity you created to access your Service Bus. You can do this by assigning a role to the managed identity, just like you did with your local development user.
193193

194194
### [Service Connector](#tab/assign-role-service-connector)
195195

196196
If you connected your services using the Service Connector you do not need to complete this step. The necessary configurations were handled for you:
197197

198-
* If you selected a managed identity while creating the connection, a system-assigned managed identity was created for your app and assigned the **Azure Service Bus Data Owner** role on the service bus.
198+
* If you selected a managed identity while creating the connection, a system-assigned managed identity was created for your app and assigned the **Azure Service Bus Data Owner** role on the Service Bus.
199199

200200
* If you selected connection string, the connection string was added as an app environment variable.
201201

202202
### [Azure portal](#tab/assign-role-azure-portal)
203203

204-
1. Navigate to your service bus overview page and select **Access Control (IAM)** from the left navigation.
204+
1. Navigate to your Service Bus overview page and select **Access Control (IAM)** from the left navigation.
205205

206206
1. Choose **Add role assignment**
207207

@@ -241,7 +241,7 @@ az role assignment create \
241241

242242
#### Test the app
243243

244-
After making these code changes, browse to your hosted application in the browser. Your app should be able to connect to the service bus successfully. Keep in mind that it may take several minutes for the role assignments to propagate through your Azure environment. Your application is now configured to run both locally and in a production environment without the developers having to manage secrets in the application itself.
244+
After making these code changes, browse to your hosted application in the browser. Your app should be able to connect to the Service Bus successfully. Keep in mind that it may take several minutes for the role assignments to propagate through your Azure environment. Your application is now configured to run both locally and in a production environment without the developers having to manage secrets in the application itself.
245245

246246
## Next steps
247247

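Review bot: Lines 192 and 198 now read "access your Service Bus" and "on the Service Bus"; the role assignment is made at namespace scope (line 204 sends the reader to the namespace's Access Control (IAM) page), so "Service Bus namespace", as used at line 49, is the precise term. While here: the second bullet at line 200 (unchanged) says that choosing "connection string" in Service Connector adds the connection string as an app environment variable; in a guide whose purpose is to remove that secret, say plainly that this option keeps the access key in the app's configuration and is not the passwordless path.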
includes/passwordless/migration-guide/create-managed-identity-portal.md

Lines changed: 4 additions & 8 deletions
@@ -4,8 +4,6 @@ The following steps demonstrate how to create a system-assigned managed identity
44

55
Some app hosting environments support Service Connector, which helps you connect Azure compute services to other backing services. Service Connector automatically configures network settings and connection information. You can learn more about Service Connector and which scenarios are supported on the [overview page](../../../service-connector/overview.md).
66

7-
8-
97
The following compute services are currently supported:
108

119
* Azure App Service
@@ -28,13 +26,11 @@ For this migration guide you will use App Service, but the steps are similar on
2826

2927
Select **Next: Authentication**.
3028

31-
:::image type="content" source="../media/migration-create-identity-small.png" alt-text="Screenshot showing how to create a system assigned managed identity." lightbox="../media/migration-create-identity.png":::
32-
3329
1. Make sure **System assigned managed identity (Recommended)** is selected, and then choose **Next: Networking**.
3430
1. Leave the default values selected, and then choose **Next: Review + Create**.
3531
1. After Azure validates your settings, select **Create**.
3632

37-
The Service Connector will automatically create a system-assigned managed identity for the app service. The connector will also assign the managed identity a **Service Bus Data Owner** role for the service bus you selected.
33+
The Service Connector will automatically create a system-assigned managed identity for the app service. The connector will also assign the managed identity a **Azure Service Bus Data Owner** role for the service bus you selected.
3834

3935
### [Azure App Service](#tab/app-service)
4036

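Review bot: Line 33 now reads "a **Azure Service Bus Data Owner** role"; with the article in front of a vowel it must be "an". The same line still says "the service bus you selected" in lower case, which this commit capitalises everywhere else. Also, deleting the screenshot at line 31 leaves the "Select **Next: Authentication**" step at line 29 without an illustration; if the image was wrong that is fine, but confirm the removal was intended rather than a stray deletion, since no replacement image is added.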
@@ -49,22 +45,22 @@ The Service Connector will automatically create a system-assigned managed identi
4945

5046
1. Under the **System assigned** tab, make sure to set the **Status** field to **on**. A system assigned identity is managed by Azure internally and handles administrative tasks for you. The details and IDs of the identity are never exposed in your code.
5147

52-
:::image type="content" source="../media/storage-migrate-credentials/spring-apps-identity.png" alt-text="Screenshot showing how to enable managed identity for Azure Spring Apps.":::
48+
:::image type="content" source="../media/spring-apps-identity.png" alt-text="Screenshot showing how to enable managed identity for Azure Spring Apps.":::
5349

5450
### [Azure Container Apps](#tab/container-apps)
5551

5652
1. On the main overview page of your Azure Container Apps instance, select **Identity** from the left navigation.
5753

5854
1. Under the **System assigned** tab, make sure to set the **Status** field to **on**. A system assigned identity is managed by Azure internally and handles administrative tasks for you. The details and IDs of the identity are never exposed in your code.
5955

60-
:::image type="content" source="../media/storage-migrate-credentials/container-apps-identity.png" alt-text="Screenshot showing how to enable managed identity for Azure Container Apps.":::
56+
:::image type="content" source="../media/container-apps-identity.png" alt-text="Screenshot showing how to enable managed identity for Azure Container Apps.":::
6157

6258
### [Azure virtual machines](#tab/virtual-machines)
6359

6460
1. On the main overview page of your virtual machine, select **Identity** from the left navigation.
6561

6662
1. Under the **System assigned** tab, make sure to set the **Status** field to **on**. A system assigned identity is managed by Azure internally and handles administrative tasks for you. The details and IDs of the identity are never exposed in your code.
6763

68-
:::image type="content" source="../media/storage-migrate-credentials/virtual-machine-identity.png" alt-text="Screenshot showing how to enable managed identity for virtual machines.":::
64+
:::image type="content" source="../media/virtual-machine-identity.png" alt-text="Screenshot showing how to enable managed identity for virtual machines.":::
6965

7066
---
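Review bot: The three image paths at lines 48, 56 and 64 move from `../media/storage-migrate-credentials/...` to `../media/...`; because this include lives in `includes/passwordless/migration-guide/`, those now resolve to `includes/passwordless/media/`. Confirm that `spring-apps-identity.png`, `container-apps-identity.png` and `virtual-machine-identity.png` actually exist at that location (nothing in this commit moves them), otherwise the broken-link check fails on every article that pulls this include.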

includes/passwordless/migration-guide/migrate-to-passwordless-overview.md

Lines changed: 1 addition & 1 deletion
@@ -5,7 +5,7 @@ Many Azure services support passwordless connections through Azure AD and Role B
55
66
`DefaultAzureCredential` supports multiple authentication methods and automatically determines which should be used at runtime. This approach enables your app to use different authentication methods in different environments (local dev vs. production) without implementing environment-specific code.
77

8-
The order and locations in which `DefaultAzureCredential` searches for credentials can be found in the [Azure Identity library overview](/dotnet/api/overview/azure/Identity-readme#defaultazurecredential) and varies between languages. For example, when working locally with .NET, `DefaultAzureCredential` will generally authenticate using the account the developer used to sign-in to Visual Studio. When the app is deployed to Azure, `DefaultAzureCredential` will automatically switch to use a [managed identity](../../active-directory/managed-identities-azure-resources/overview.md). No code changes are required for this transition.
8+
The order and locations in which `DefaultAzureCredential` searches for credentials can be found in the [Azure Identity library overview](/dotnet/api/overview/azure/Identity-readme#defaultazurecredential) and varies between languages. For example, when working locally with .NET, `DefaultAzureCredential` will generally authenticate using the account the developer used to sign-in to the Azure CLI or Visual Studio. When the app is deployed to Azure, `DefaultAzureCredential` will automatically discover and use the [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) of the associated hosting service, such as Azure App Service. No code changes are required for this transition.
99

1010
> [!NOTE]
1111
> A managed identity provides a security identity to represent an app or service. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets. You can read more about managed identities in the [overview](../../active-directory/managed-identities-azure-resources/overview.md) documentation.
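Review bot: "the account the developer used to sign-in to the Azure CLI or Visual Studio" at line 8 uses "sign-in" as a verb; it should be "sign in to". The same sentence links only the .NET Identity readme while stating that the order "varies between languages"; if this include is shared across language guides, either phrase it language-neutrally or link the per-language readmes so a Java or Python reader is not pointed at the .NET credential chain.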

includes/passwordless/service-bus/service-bus-assign-roles-tabbed.md

Lines changed: 5 additions & 5 deletions
@@ -10,20 +10,20 @@ ms.author: alexwolf
1010
ms.custom: include file
1111
---
1212

13-
When developing locally, make sure that the user account that is accessing blob data has the correct permissions. You'll need **Azure Service Bus Data Owner** to read and write blob data. To assign yourself this role, you'll need to be assigned the **User Access Administrator** role, or another role that includes the **Microsoft.Authorization/roleAssignments/write** action. You can assign Azure RBAC roles to a user using the Azure portal, Azure CLI, or Azure PowerShell. You can learn more about the available scopes for role assignments on the [scope overview](../articles/role-based-access-control/scope-overview.md) page.
13+
When developing locally, make sure that the user account that is accessing Service Bus has the correct permissions. You'll need **Azure Service Bus Data Owner** to send and receive data. To assign yourself this role, you'll need to be assigned the **User Access Administrator** role, or another role that includes the **Microsoft.Authorization/roleAssignments/write** action. You can assign Azure RBAC roles to a user using the Azure portal, Azure CLI, or Azure PowerShell. You can learn more about the available scopes for role assignments on the [scope overview](../articles/role-based-access-control/scope-overview.md) page.
1414

15-
In this scenario, you'll assign permissions to your user account, scoped to the service bus, to follow the [Principle of Least Privilege](../articles/active-directory/develop/secure-least-privileged-access.md). This practice gives users only the minimum permissions needed and creates more secure production environments.
15+
In this scenario, you'll assign permissions to your user account scoped to a specific Service Bus namespace, to follow the [Principle of Least Privilege](../articles/active-directory/develop/secure-least-privileged-access.md). This practice gives users only the minimum permissions needed and creates more secure production environments.
1616

17-
The following example will assign the **Azure Service Bus Data Owner** role to your user account, which provides both read and write access to blob data in your service bus.
17+
The following example will assign the **Azure Service Bus Data Owner** role to your user account, which allows you to send and receive data.
1818

1919
> [!IMPORTANT]
2020
> In most cases it will take a minute or two for the role assignment to propagate in Azure, but in rare cases it may take up to eight minutes. If you receive authentication errors when you first run your code, wait a few moments and try again.
2121
2222
### [Azure portal](#tab/roles-azure-portal)
2323

24-
1. In the Azure portal, locate your service bus using the main search bar or left navigation.
24+
1. In the Azure portal, locate your Service Bus namespace using the main search bar or left navigation.
2525

26-
2. On the service bus overview page, select **Access control (IAM)** from the left-hand menu.
26+
2. On the Service Bus overview page, select **Access control (IAM)** from the left-hand menu.
2727

2828
3. On the **Access control (IAM)** page, select the **Role assignments** tab.
2929

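Review bot: Line 15 says the assignment follows the Principle of Least Privilege, but lines 13 and 17 assign **Azure Service Bus Data Owner**, which is the broadest data-plane role (it includes management actions, not only send and receive). If the stated need is only to "send and receive data" (line 17), the narrower built-in roles Azure Service Bus Data Sender and Azure Service Bus Data Receiver cover that, and the least-privilege sentence would then be accurate; at minimum, say why Data Owner is chosen here. Also, line 13 "the user account that is accessing Service Bus" reads better as "accessing the Service Bus namespace", matching line 24.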