Commit e1a3743

author
gitName
committed
rough edit
1 parent feb9c97 commit e1a3743

1 file changed

+23
-22
lines changed

articles/api-center/authorize-api-access.md

Lines changed: 23 additions & 22 deletions
@@ -14,40 +14,42 @@ ms.custom:
1414

1515
<!-- Is this a governance or inventory feature -->
1616

17-
You can configure settings to authorize users to access APIs in your API center inventory.
17+
You can configure settings to authorize access to APIs in your API center inventory. These settings:
1818

19-
* Add settings to the API center for authentication using API keys or OAuth 2.0 authorization.
20-
* Associate specific authentication settings with specific API versions in your inventory.
21-
* Restrict use of API authentication methods to designated users or groups using access policies.
22-
* Enable authorized users to test APIs directly in the API Center portal.
19+
* Enable API authentication using API keys or OAuth 2.0 authorization
20+
* Associate specific authentication methods with specific API versions in your inventory
21+
* Can limit use of API authentication methods to designated users or groups through access policies
22+
* Enable authorized users to test APIs directly in the API Center portal
2323

2424
> [!NOTE]
2525
> This feature is currently in preview.
2626
27-
* An API center in your Azure subscription. If you haven't created one already, see [Quickstart: Create your API center](../set-up-api-center.md).
27+
## Prerequisites
28+
29+
* An API center in your Azure subscription. If you haven't created one already, see [Quickstart: Create your API center](set-up-api-center.md).
2830

2931
* Register at least API in your API center. For more information, see [Tutorial: Register APIs in your API inventory](register-apis.md).
3032

3133
* Configure an environment and a deployment for the API. For more information, see [Tutorial: Add environments and deployments for APIs](configure-environments-deployments.md).
3234

3335
* Set up the API Center portal. For more information, see [Set up API Center portal](set-up-api-center-portal.md).
3436

35-
* (To configure settings for OAuth 2.0 authorization using Microsoft Entra ID) Permissions to create an app registration in a Microsoft Entra tenant associated with your Azure subscription.
37+
* (For OAuth 2.0 authorization using Microsoft Entra ID) Permissions to create an app registration in a Microsoft Entra tenant associated with your Azure subscription.
3638

3739

3840
## Configure settings for API key authentication
3941

40-
Follow these steps to configure settings for API key authentication. The API key is stored in Azure Key Vault, and the API center uses a managed identity to access the key vault.
42+
Follow these steps to configure settings for API key authentication. The API key must be stored in Azure Key Vault, and access to the key vault is through your API center's managed identity.
4143

4244
### Store secret in Azure Key Vault
4345

4446
To store the API key securely, use Azure Key Vault. You can create a new key vault or use an existing one, using the Azure portal, Azure tools, or Azure SDKs. Your key vault should use the Azure role-based access control (RBAC) permission model.
4547

46-
* For steps to create a Key Vault, see [Create a Key Vault](/azure/key-vault/general/quick-create-portal).
48+
* For steps to create a key vault, see [Create a Key Vault](/azure/key-vault/general/quick-create-portal).
4749

48-
* To store a secret in the Key Vault, see [Set and retrieve secret in Key Vault](/azure/key-vault/secrets/quick-create-portal).
50+
* To store the API key as a secret in the Key Vault, see [Set and retrieve secret in Key Vault](/azure/key-vault/secrets/quick-create-portal).
4951

50-
Note the *secret identifier* of the secret. This is a URI of the form `https://<key-vault-name>.vault.azure.net/secrets/<secret-name>/<version>`. You will need this value when you configure the API key authorization in your API center.
52+
Note the *secret identifier* of the secret. This is a URI of the form `https://<key-vault-name>.vault.azure.net/secrets/<secret-name>/<version>`. You need this value when you add the API key configuration in your API center.
5153

5254
<!-- Should we use the version of the secret in the URI? -->
5355
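
Review bot: The secret identifier paragraph at new line 52 still documents the versioned form `https://<key-vault-name>.vault.azure.net/secrets/<secret-name>/<version>` while the open question in the comment on line 54 (whether the version belongs in the URI) is unresolved. Settle that before publishing and state the outcome in the text, because a reader who rotates the API key needs to know whether the API center configuration has to be updated for each new secret version. Smaller points: the context line at 31 reads "Register at least API" and is missing "one"; the new bullet at line 21 ("Can limit use of ...") breaks the verb form of the other three bullets under "These settings:", and "Limit use of ..." would match; line 48 now says "key vault" but line 50 still says "the Key Vault".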

@@ -66,14 +68,14 @@ The following examples show how to enable a system-assigned managed identity by
6668

6769
### Assign the Key Vault Secrets User role to the managed identity
6870

69-
Assign your API center's managed identity the **Key Vault Secrets User** role in your key vault. The following steps use the [portal](../role-based-access-control/role-assignments-portal-managed-identity.yml).
71+
Assign your API center's managed identity the **Key Vault Secrets User** role in your key vault. The following steps use the Azure portal.
7072

7173
1. In the [portal](https://azure.microsoft.com), navigate to your key vault.
7274
1. In the left menu, select **Access control (IAM)**.
7375
1. Select **+ Add role assignment**.
7476
1. On the **Add role assignment** page, set the values as follows:
7577
1. On the **Role** tab, select **Key Vault Secrets User**.
76-
1. On the **Members** tab, in **Assign access to** - Select **Managed identity** > **+ Select members**.
78+
1. On the **Members** tab, in **Assign access to**, select **Managed identity** > **+ Select members**.
7779
1. On the **Select managed identities** page, select the system-assigned managed identity of your API center that you added in the previous section. Click **Select**.
7880
1. Select **Review + assign**.
7981

@@ -96,16 +98,15 @@ Assign your API center's managed identity the **Key Vault Secrets User** role in
9698
<!-- Which identity providers are supported? Just Entra? -->
9799

98100

99-
You can configure one or both of the following OAuth 2.0 authorization flows:
101+
Follow these steps to configure settings for OAuth 2.0 authorization to APIs. You can configure settings for one or both of the following OAuth 2.0 authorization flows:
100102

101-
* Authorization code flow with PKCE (Proof Key for Code Exchange) - This flow is recommended for public clients, such as mobile apps or single-page applications (SPAs).
102-
* Client credentials flow - This flow is recommended for confidential clients, such as web apps or web APIs.
103+
* **Authorization code flow with PKCE (Proof Key for Code Exchange)** - This flow is recommended for authenticating users in mobile and web applications such as the API Center portal.
104+
* **Client credentials flow** - This flow is recommended for machine-to-machine applications that don't require a specific user's permissions to access data, such as background services or daemons.
103105

104106

105107
### Create an OAuth 2.0 app
106108

107-
For OAuth 2.0 authorization, create an app registration in an identity provider, such as the Microsoft Entra tenant associated with your Azure subscription. This app registration is used to authenticate users and authorize access to your APIs. The exact steps depend on the identity provider you use. The following example shows how to create an app registration in the Microsoft Entra tenant associated with your Azure subscription.
108-
109+
For OAuth 2.0 authorization, create an app registration in an identity provider, such as the Microsoft Entra tenant associated with your Azure subscription. The exact steps depend on the identity provider you use. The following example shows how to create an app registration in the Microsoft Entra tenant associated with your Azure subscription.
109110

110111

111112
Minimally you need to configure:
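
Review bot: The rewritten PKCE bullet at line 103 drops the term "public clients" and now recommends the flow for "mobile and web applications", which is ambiguous because a server-side web app can hold a secret and is the kind of client the removed text on old line 102 called confidential. Suggest keeping the distinction, for example "recommended for public clients that can't store a secret, such as mobile apps and single-page applications like the API Center portal". Line 109 also removes the sentence saying what the app registration is used for, and repeats "the Microsoft Entra tenant associated with your Azure subscription" twice in two sentences; the second mention could be shortened. The comment on line 98 asking which identity providers are supported is still open while the text says "an identity provider, such as".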
@@ -120,7 +121,7 @@ Minimally you need to configure:
120121
1. On the **Register an application** page, enter your application registration settings:
121122
1. In **Name**, enter a meaningful name for the app.
122123
1. In **Supported account types**, select an option that suits your scenario, for example, **Accounts in this organizational directory only (Single tenant)**.
123-
1. Set the **Redirect URI** to **SPA**, and set the URI. Enter the URI of your API Center portal deployment, in the following form: https://<service-name>.portal.<location>.azure-api-center.ms.
124+
1. Set the **Redirect URI** to **SPA**, and set the URI. Enter the URI of your API Center portal deployment, in the following form: `https://<service-name>.portal.<location>.azure-api-center.ms`
124125
1. Select **Register**.
125126
1. On the left menu, under **Manage**, select **Certificates & secrets**, and then select **+ New client secret**.
126127
1. Enter a **Description**.
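
Review bot: The step at line 124 registers the redirect URI as type **SPA**, and the context step at line 126 then creates a client secret, but nothing says which of the two flows the secret is for. Add a sentence stating whether the secret is needed only for the client credentials flow, so readers who configure only the PKCE flow for the portal don't create and store a credential they don't use. Wording at line 124: "set the URI. Enter the URI of ..." says the same thing twice and can be one sentence.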
@@ -144,8 +145,8 @@ In the following section, you will need the following values:
144145
1. In **Security scheme**, select **OAuth2**.
145146
1. In **Client ID**, enter the client ID of the app that you created in the previous section.
146147
1. In **Client secret**, enter the client secret of the app that you created in the previous section.
147-
1. In **Authorization URL**, enter the OAuth 2.0 authorization endpoint configured in the app in the previous section.
148-
1. In **Token URL**, enter the OAuth 2.0 token endpoint configured in the app in the previous section.
148+
1. In **Authorization URL**, enter the OAuth 2.0 authorization endpoint used by the identity provider.
149+
1. In **Token URL**, enter the OAuth 2.0 token endpoint used by the identity provider.
149150
1. In **OAuth2 flow**, select one or both of the OAuth 2.0 flows that you want to use. Available values are **Authorization code (PKCE)** and **Client credentials**.
150151
1. In **Scopes**, optionally enter one or more API scopes that your API supports. Example: `User.Read`
151152
1. Select **Create**.
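
Review bot: Lines 148 and 149 now say the endpoints are those "used by the identity provider", which is more accurate than "configured in the app", but the reader is no longer told where to find them. The hunk header shows a preceding "you will need the following values" list; make sure that list includes the authorization and token endpoints and refer to it here. Separately, the context step at line 147 has the client secret entered directly into the API center settings, while the API key section requires the key to be stored in Azure Key Vault; the article should say how the client secret is stored or why the two are handled differently.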
@@ -185,7 +186,7 @@ You can limit access to the authentication settings associated with an API to sp
185186
## Test API in API Center portal
186187

187188

188-
You can test an API with the authorization in the API Center portal.
189+
You can test an API with the authentication and access settings in the API Center portal.
189190

190191
1. In the [portal](https://azure.microsoft.com), navigate to your API center.
191192
1. In the left menu, under **API Center Portal**, select **Portal settings**.
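
Review bot: The new sentence at line 189 is ambiguous about what "in the API Center portal" attaches to: it can be read as testing in the portal or as settings that live in the portal. Suggest "You can test an API in the API Center portal using the authentication and access settings that you configured." The context step at line 191 has the same "portal" link to `https://azure.microsoft.com` as the role-assignment steps and should point to the Azure portal.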
