accuracy-review

shlipsey3 · shlipsey3 · commit e91d51625d6e · 2023-03-06T14:22:56.000-07:00
diff --git a/articles/active-directory/reports-monitoring/recommendation-remove-unused-credential-from-apps.md b/articles/active-directory/reports-monitoring/recommendation-remove-unused-credential-from-apps.md
@@ -22,8 +22,6 @@ This article covers the recommendation to remove unused credentials from apps. T
 
 Application credentials can include certificates and other types of secrets that need to be registered with that application. These credentials are used to prove the identity of the application. Only credentials actively in use by an application should remain registered with the application.
 
-## Logic 
-
 This recommendation shows up if your tenant has application credentials that haven't been used in more than 30 days. 
 
 ## Value 
@@ -47,18 +45,6 @@ Applications that the recommendation identified appear in the list of **Impacted
 
     ![Screenshot of the Certificates & secrets area of app registrations.](media/recommendation-remove-unused-credential-from-apps/app-certificates-secrets.png)
 
-### Use Microsoft Graph to remove an unused credential
-
-You can use Microsoft Graph to remove an unused credential programmatically. To get started, see [How to use Microsoft Graph with Azure AD recommendations](howto-use-recommendations.md#how-to-use-microsoft-graph-with-azure-active-directory-recommendations).
-
-- Remove a **credential** from a service principal resource:
-    - Use the Microsoft Graph Service Principal API service action `removePassword`
-    - [servicePrincipal: removePassword MS Graph API documentation](/graph/api/serviceprincipal-removepassword?view=graph-rest-beta&preserve-view=true)
-
-- Remove a **key credential** from a service principal resource:
-    - Use the Microsoft Graph Service Principal API service action `removeKey`
-    - [servicePrincipal: removeKey MS Graph API documentation](/graph/api/serviceprincipal-removekey?view=graph-rest-beta&preserve-view=true)
-
 ## Next steps
 
 - [Review the Azure AD recommendations overview](overview-recommendations.md)
diff --git a/articles/active-directory/reports-monitoring/recommendation-renew-expiring-application-credential.md b/articles/active-directory/reports-monitoring/recommendation-renew-expiring-application-credential.md
@@ -22,8 +22,6 @@ This article covers the recommendation to renew expiring application credentials
 
 Application credentials can include certificates and other types of secrets that need to be registered with that application. These credentials are used to prove the identity of the application.
 
-## Logic 
-
 This recommendation shows up if your tenant has application credentials that will expire soon. 
 
 ## Value 
@@ -47,12 +45,14 @@ Applications that the recommendation identified appear in the list of **Impacted
     ![Screenshot of the Certificates & secrets area of app registrations.](media/recommendation-renew-expiring-application-credential/app-certificates-secrets.png)
 
 1. Once the certificate or secret is successfully added, update the service code to ensure it works with the new credential and doesn't negatively affect customers.
-1. Use the Azure AD sign-in logs to validate that the thumbprint of the certificate matches the one that was recently uploaded.
+1. Use the Azure AD sign-in logs to validate that the Key ID of the credential matches the one that was recently added.
 1. After validating the new credential, navigate back to **Azure AD** > **App registrations** > **Certificates and Secrets** for the app and remove the old credential.
  
 ## Known limitations
 
-When looking for the application with the credential that needs to be rotated, only the app name is used. The service doesn't have the ability to show the resource ID for the app.
+- Currently in the current list of **Impacted resources**, only the app name and resource ID is shown. The key ID for the credential that needs to be rotated is not shown. To find the key ID credential, go to **Azure AD** > **App registrations** > **Certificates and Secrets** for the impacted application. 
+
+- An impacted resource with credentials that expired recently will be marked as completed. If that resource has more than one credential expiring soon, the status of the resource will still be active.
 
 ## Next steps
 
diff --git a/articles/active-directory/reports-monitoring/recommendation-renew-expiring-service-principal-credential.md b/articles/active-directory/reports-monitoring/recommendation-renew-expiring-service-principal-credential.md
@@ -31,20 +31,25 @@ Renewing the service principal credential(s) before expiration ensures the appli
 
 ## Action plan
 
-1. Navigate to **Azure AD** > **Enterprise applications**.
-    - The status of the service principal appears in the **Certificate Expiry Status** column.
-    - Use the search box at the top of the list to find the service principal that was listed in the recommendation.
+1. Select the name of the application from the list of **Impacted resources** to go directly to the **Enterprise applications - Single sign-on** page for the selected application.
+
+    a. Alternatively, go to **Azure AD** > **Enterprise applications**. The status of the service principal appears in the **Certificate Expiry Status** column.
+    
+    b. Use the search box at the top of the list to find the application that was listed in the recommendation.
     
     ![Screenshot of the Enterprise applications area with the search box highlighted.](media/recommendation-renew-expriring-service-principal-credential/recommendation-enterprise-apps-list.png)
+    
+    c. Select the service principal with the credential that needs to be rotated, then select **Single sign-on** from the side menu.
 
-1. Select the service principal with the credential that needs to be rotated, then select **Single sign-on** from the side menu.
 1. Edit the **SAML signing certificate** section and follow the prompts to add a new certificate.
     
     ![Screenshot of the edit single-sign-on process.](media/recommendation-renew-expriring-service-principal-credential/recommendation-edit-sso.png)
 
 1. After adding the certificate, change its properties to make the certificate active, which makes the other certificate inactive.
 1. Once the certificate is successfully added and activated, update the service code to ensure it works with the new credential and doesn't negatively affect customers.
-1. Use the Azure AD sign-in logs to validate that the thumbprint of the certificate matches the one that was recently uploaded.
+1. Use the Azure AD sign-in logs to validate that the Key ID of the certificate matches the one that was recently uploaded.
+    - Go to **Azure AD Sign-in logs** > **Service principal sign-ins**.
+    - Open the details for a related sign-in and check that the **Client credential type** is "Client secret" and the **Credential key ID** matches your credential.
 1. After validating the new credential, navigate back to the **Single sign-on** area for the app and remove the old credential.
 
 ### Use Microsoft Graph to renew expiring service principal credentials
@@ -74,8 +79,9 @@ When renewing service principal credentials using Microsoft Graph, you need to r
 
 - Service principal credentials that expire before the recommendation is completed will be marked complete by the system.
 
-- The recommendation currently doesn't display the password secret credential in service principal when you select the impacted resource from the list.
+- The recommendation currently doesn't display the password secret credential in service principal when you select an **Impacted resource** from the list.
 
+- The **ID** shown in the list of **Impacted resources** is for the application not the service principal.
 
 ## Next steps
 
