Fressness, in progress.

Author: TimShererWithAquent

articles/azure-functions/function-keys-how-to.md

@@ -14,10 +14,10 @@ Azure Functions lets you use secret keys to make it more difficult to access you
 
 While access keys provide some mitigation against unwanted access, you should consider other options to secure HTTP endpoints in production. For example, it's not a good practice to distribute shared secrets in a public app. If your function is being called from a public client, you should consider implementing these or other security mechanisms:
 
-+ [Enable App Service Authentication/Authorization](security-concepts.md#enable-app-service-authenticationauthorization)
-+ [Use Azure API Management (APIM) to authenticate requests](security-concepts.md#use-azure-api-management-apim-to-authenticate-requests)
-+ [Deploy your function app to a virtual network](security-concepts.md#deploy-your-function-app-to-a-virtual-network)
-+ [Deploy your function app in isolation](security-concepts.md#deploy-your-function-app-in-isolation)
+- [Enable App Service Authentication/Authorization](security-concepts.md#enable-app-service-authenticationauthorization)
+- [Use Azure API Management (APIM) to authenticate requests](security-concepts.md#use-azure-api-management-apim-to-authenticate-requests)
+- [Deploy your function app to a virtual network](security-concepts.md#deploy-your-function-app-to-a-virtual-network)
+- [Deploy your function app in isolation](security-concepts.md#deploy-your-function-app-in-isolation)
 
 Access keys provide the basis for HTTP authorization in HTTP triggered functions. For more information, see [Authorization level](./functions-bindings-http-webhook-trigger.md#http-auth).
 
@@ -30,7 +30,7 @@ The scope of an access key and the actions it supports depend on the type of acc
 | **Function** | `default` or user defined | `function` | Allows access only to a specific function endpoint. |
 | **Host** | `default` or user defined | `function` | Allows access to all function endpoints in a function app. |
 | **Master** | `_master` | `admin` | Special host key that also provides administrative access to the runtime REST APIs in a function app. Because the master key grants elevated permissions in your function app, you shouldn't share this key with third parties or distribute it in native client applications. |
-| **System** | Depends on the extension | n/a | Specific extensions might require a system-managed key to access webhook endpoints. System keys are designed for extension-specific function endpoints that get called by internal components. For example, the [Event Grid trigger](functions-bindings-event-grid-trigger.md) requires that the subscription use a system key when calling the trigger endpoint. Durable Functions also uses system keys to call [Durable Task extension APIs](durable/durable-functions-http-api.md). <br/>System keys can only be created by specific extensions, and you can't explicitly set their values. Like other keys, you can generate a new value for the key from the portal or by using the key APIs. | 
+| **System** | Depends on the extension | n/a | Specific extensions might require a system-managed key to access webhook endpoints. System keys are designed for extension-specific function endpoints that get called by internal components. For example, the [Event Grid trigger](functions-bindings-event-grid-trigger.md) requires that the subscription use a system key when calling the trigger endpoint. Durable Functions also uses system keys to call [Durable Task extension APIs](durable/durable-functions-http-api.md). <br/>Only specific extenstions can create system keys. You can't explicitly set their values. Like other keys, you can generate a new value for the key from the portal or by using the key APIs. | 
 
 Each key is named for reference, and there's a default key (named `default`) at the function and host level. Function keys take precedence over host keys. When two keys are defined with the same name, the function key is always used.
 
@@ -50,7 +50,7 @@ The following table compares the uses for various kinds of access keys:
 
 In Functions, access keys are randomly generated 32-byte arrays that are encoded as URL-safe base-64 strings. While you can generate your own access keys and use them with Functions, we strongly recommend that you instead allow Functions to generate all of your access keys for you. 
 
-Functions-generated access keys include special signature and checksum values that indicate the type of access key and that it was generated by Azure Functions. Having these extra components in the key itself makes it much easier to determine the source of these kinds of secrets located during security scanning and other automated processes. 
+Functions-generated access keys include special signature and checksum values that indicate the type of access key and that Azure Functions generated it. Having these extra components in the key itself makes it much easier to determine the source of these kinds of secrets located during security scanning and other automated processes. 
 
 To allow Functions to generate your keys for you, don't supply the key `value` to any of the APIs that you can use to generate keys.
 
@@ -65,7 +65,7 @@ Keys are stored as part of your function app in Azure and are encrypted at rest.
 | File system  | `files` | Keys are persisted on the local file system,  which is the default in Functions v1.x. File system storage isn't recommended. |
 | Kubernetes Secrets  |`kubernetes` | The resource set in [AzureWebJobsKubernetesSecretName](functions-app-settings.md#azurewebjobskubernetessecretname) is used to store keys. Supported only when your function app is deployed to Kubernetes. The [Azure Functions Core Tools](functions-run-local.md) generates the values automatically when you use it to deploy your app to a Kubernetes cluster. [Immutable secrets](https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable) aren't supported | 
 
-When using Key Vault for key storage, the app settings you need depend on the managed identity type, either system-assigned or user-assigned. 
+When you use Key Vault for key storage, the app settings you need depend on the managed identity type, either system-assigned or user-assigned. 
 
 | Setting name | System-assigned | User-assigned | App registration | 
 | --- | --- | --- | --- |
@@ -78,18 +78,18 @@ When using Key Vault for key storage, the app settings you need depend on the ma
 
 ## Use access keys
 
-HTTP triggered functions can generally be called by using a URL in the format: `https://<APP_NAME>.azurewebsites.net/api/<FUNCTION_NAME>`. When the authorization level of a given function is set a value other than `anonymous`, you must also provide an access key in your request. The access key can either be provided in the URL using the `?code=` query string or in the request header (`x-functions-key`). For more information, see [Access key authorization](functions-bindings-http-webhook-trigger.md#api-key-authorization). 
+HTTP triggered functions can generally be called by using a URL in the format: `https://<APP_NAME>.azurewebsites.net/api/<FUNCTION_NAME>`. When the authorization level of a given function is set as a value other than `anonymous`, you must also provide an access key in your request. The access key can either be provided in the URL using the `?code=` query string or in the request header (`x-functions-key`). For more information, see [Access key authorization](functions-bindings-http-webhook-trigger.md#api-key-authorization). 
 
 To access the runtime REST APIs (under `/admin/`), you must provide the master key (`_master`) in the `x-functions-key` request header. You can [remove the admin endpoints](./security-concepts.md#disable-administrative-endpoints) using the `functionsRuntimeAdminIsolationEnabled` site property.
 
 ## Get your function access keys
 
 You can get function and host keys programmatically by using these Azure Resource Manager APIs: 
 
-+ [List Function Keys](/rest/api/appservice/webapps/listfunctionkeys)
-+ [List Host Keys](/rest/api/appservice/webapps/listhostkeys)
-+ [List Function Keys Slot](/rest/api/appservice/webapps/listfunctionkeysslot)
-+ [List Host Keys Slot](/rest/api/appservice/webapps/listhostkeysslot).
+- [List Function Keys](/rest/api/appservice/webapps/listfunctionkeys)
+- [List Host Keys](/rest/api/appservice/webapps/listhostkeys)
+- [List Function Keys Slot](/rest/api/appservice/webapps/listfunctionkeysslot)
+- [List Host Keys Slot](/rest/api/appservice/webapps/listhostkeysslot).
 
 To learn how to call Azure Resource Manager APIs, see the [Azure REST API reference](/rest/api/azure/).
 
@@ -141,10 +141,10 @@ When you renew or create your access key values, you must manually redistribute
 
 You can renew function and host keys programmatically or create new ones by using these Azure Resource Manager APIs: 
 
-+ [Create Or Update Function Secret](/rest/api/appservice/webapps/createorupdatefunctionsecret) 
-+ [Create Or Update Function Secret Slot](/rest/api/appservice/webapps/createorupdatefunctionsecretslot)
-+ [Create Or Update Host Secret](/rest/api/appservice/webapps/createorupdatehostsecret) 
-+ [Create Or Update Host Secret Slot](/rest/api/appservice/webapps/createorupdatehostsecretslot)
+- [Create Or Update Function Secret](/rest/api/appservice/webapps/createorupdatefunctionsecret) 
+- [Create Or Update Function Secret Slot](/rest/api/appservice/webapps/createorupdatefunctionsecretslot)
+- [Create Or Update Host Secret](/rest/api/appservice/webapps/createorupdatehostsecret) 
+- [Create Or Update Host Secret Slot](/rest/api/appservice/webapps/createorupdatehostsecretslot)
 
 To learn how to call Azure Resource Manager APIs, see the [Azure REST API reference](/rest/api/azure/).
 
@@ -212,16 +212,16 @@ The new key value generated by Functions is returned for your reference. It must
 
 You can delete function and host keys programmatically by using these Azure Resource Manager APIs: 
 
-+ [Delete Function Secret](/rest/api/appservice/webapps/deletefunctionsecret)
-+ [Delete Function Secret Slot](/rest/api/appservice/webapps/deletefunctionsecretslot)
-+ [Delete Host Secret](/rest/api/appservice/webapps/deletehostsecret)
-+ [Delete Host Secret Slot](/rest/api/appservice/webapps/deletehostsecretslot)
+- [Delete Function Secret](/rest/api/appservice/webapps/deletefunctionsecret)
+- [Delete Function Secret Slot](/rest/api/appservice/webapps/deletefunctionsecretslot)
+- [Delete Host Secret](/rest/api/appservice/webapps/deletehostsecret)
+- [Delete Host Secret Slot](/rest/api/appservice/webapps/deletehostsecretslot)
 
 To learn how to call Azure Resource Manager APIs, see the [Azure REST API reference](/rest/api/azure/). 
 
 ## Related content
 
-+ [Securing Azure Functions](security-concepts.md)
-+ [Azure Functions HTTP trigger](functions-bindings-http-webhook-trigger.md)
-+ [Manage your function app](functions-how-to-use-azure-function-app-settings.md)
+- [Securing Azure Functions](security-concepts.md)
+- [Azure Functions HTTP trigger](functions-bindings-http-webhook-trigger.md)
+- [Manage your function app](functions-how-to-use-azure-function-app-settings.md)