minor wording changes

lilyjma · lilyjma · commit f0ece4e1eb1f · 2024-07-30T16:41:11.000-04:00
diff --git a/articles/azure-functions/durable/durable-functions-configure-managed-identity.md b/articles/azure-functions/durable/durable-functions-configure-managed-identity.md
@@ -1,36 +1,58 @@
 ---
-title: "Configure Durable Functions with managed identity"
-description: Configure Durable Functions with managed identity
+title: "Configure Durable Functions app with managed identity"
+description: Configure Durable Functions app with managed identity
 author: naiyuantian
 ms.topic: quickstart
 ms.date: 07/30/2024
 ms.author: azfuncdf
 ---
 
-# Configure Durable Functions with managed identity 
+# Quickstart: Configure Durable Functions with managed identity 
+
+A managed identity from the access management service [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) allows your app to access other Microsoft Entra protected resources, such as an Azure Storage account, without handling secrets manually. The identity is managed by the Azure platform, so you do *not* need to provision or rotate any secrets. The recommended way to authenticate access to Azure resources is through using such an identity. 
+
+In this quickstart, you complete steps to configure a Durable Functions app using the default **Azure Storage provider** to use identity-based connections for storage account access. 
+
+> [NOTE]
+> Managed identity is supported in [Durable Functions extension](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.DurableTask) versions **2.7.0** and greater.
+
+If you don't have an Azure account, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+
+## Prerequisites
+
+To complete this quickstart, you need:
+
+- An existing Durable Functions project created in the Azure portal or a local Durable Functions project deployed to Azure.
+- Familiarity running a Durable Functions app in Azure. 
+
+If you don't have an existing Durable Functions project deployed in Azure, we recommend that you start with one of the following quickstarts:
+
+- [Create your first durable function - C#](durable-functions-create-first-csharp.md)
+- [Create your first durable function - JavaScript](quickstart-js-vscode.md)
+- [Create your first durable function - Python](quickstart-python-vscode.md)
+- [Create your first durable function - PowerShell](quickstart-powershell-vscode.md)
+- [Create your first durable function - Java](quickstart-java.md)
 
-A managed identity from the access management service [Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md) allows your app to access other Microsoft Entra protected resources without handling secrets manually. The identity is managed by the Azure platform, so you do *not* need to provision or rotate any secrets. The recommended way to authenticate access to Azure resources is through using such an identity. In this article, we show how to configure a Durable Functions app that is using the default Azure Storage provider to use a managed identity to access the storage account. 
 
 ## Local development 
 
 ### Use Azure Storage emulator
-When developing locally, it's recommended that you use Azurite, which is Azure Storage's local emulator. You can configure your app to the emulator by specifying `"AzureWebJobsStorage": "UseDevelopmentStorage = true"` in the local.settings.json.
+When developing locally, it's recommended that you use Azurite, which is Azure Storage's local emulator. Configure your app to the emulator by specifying `"AzureWebJobsStorage": "UseDevelopmentStorage = true"` in the local.settings.json.
 
 ### Identity-based connections for local development
+You can use an identity-based connection for local development if you prefer. Strictly speaking, a managed identity is only available to apps when executing on Azure. When configured to use identity-based connections, a locally executing app will utilize your developer credentials to authenticate against Azure resources. Then, when deployed on Azure, it will utilize your managed identity configuration instead.
 
-You can still use an identity-based connection for local development if you prefer. Strictly speaking, a managed identity is only available to apps when executing on Azure. When configured to use identity-based connections, a locally executing app will utilize your developer credentials to authenticate with Azure resources. Then, when deployed on Azure, it will utilize your managed identity configuration instead.
-
-When using your developer credentials, the connection attempts to get a token from the following locations, in the said order, for access to your Azure resources:
+When using developer credentials, the connection attempts to get a token from the following locations, in the said order, for access to your Azure resources:
 
 - A local cache shared between Microsoft applications
 - The current user context in Visual Studio
 - The current user context in Visual Studio Code
 - The current user context in the Azure CLI
 
-If none of these options are successful, an error occurs.
+If none of these options are successful, an error shows up regarding the app's inability to retrieve authentication token for your Azure resources. 
 
 #### Configure runtime to use local developer identity
-1. Specify the name of your Azure Storage account in local.settings.json: 
+1. Specify the name of your Azure Storage account in local.settings.json, for example: 
    ```json
    {
       "IsEncrypted": false,
@@ -51,77 +73,78 @@ If none of these options are successful, an error occurs.
 
 ## Identity-based connections for app deployed to Azure
 
-Managed identity is supported in [Durable Functions extension](https://www.nuget.org/packages/Microsoft.Azure.WebJobs.Extensions.DurableTask) versions **2.7.0** and greater. 
-
-### Prerequisites
-
-The following steps assume that you're starting with an existing Durable Functions app and are familiar with how to operate it. In particular, this quickstart assumes that you have already: 
-
-* Deployed an app running in Azure that has Durable Functions. 
-
-If this isn't the case, we suggest you start with one of the following articles, which provides detailed instructions on how to achieve all the requirements above:
-
-- [Create your first durable function - C#](durable-functions-create-first-csharp.md)
-- [Create your first durable function - JavaScript](quickstart-js-vscode.md)
-- [Create your first durable function - Python](quickstart-python-vscode.md)
-- [Create your first durable function - PowerShell](quickstart-powershell-vscode.md)
-- [Create your first durable function - Java](quickstart-java.md)
-
 ### Enable managed identity resource 
 
-Only one identity is needed for your function, either a **system assigned managed identity** or a **user assigned managed identity**. To enable a managed identity for your function application and learn more about the differences between the two identities, read the [detailed instructions](../../app-service/overview-managed-identity.md).   
+To begin, enable a managed identity for your application. Your function app must have either a system-assigned managed identity or a user-assigned managed identity. To enable a managed identity for your function app, and to learn more about the differences between the two types of identities, see the [managed identity overview](../../app-service/overview-managed-identity.md).   
 
-### Assign Role-based Access Controls (RBAC) to managed identity
+### Assign access roles to the managed identity
 
-Navigate to your app's Azure Storage resource on the Azure portal and [assign the following roles](/entra/identity/managed-identities-azure-resources/how-to-assign-access-azure-resource) to your managed identity resource:
+Navigate to your app's Azure Storage resource on the Azure portal and [assign](/entra/identity/managed-identities-azure-resources/how-to-assign-access-azure-resource) three role-based access control (RBAC) roles to your managed identity resource:
 
 * Storage Queue Data Contributor 
 * Storage Blob Data Contributor 
 * Storage Table Data Contributor 
 
-You'll need to select assign access to "Managed identity" and then "+ Select members" to find your identity resource: 
+To find your identity resource, select assign access to **Managed identity** and then **+ Select members** 
 
 ![Assign access to managed identity](./media/durable-functions-configure-df-with-credentials/assign-access-managed-identity.png)
 
 ### Add managed identity configuration to your app
 
-Navigate to your Azure Functions app’s **Configuration** page and perform the following changes: 
+Before you can use your app's managed identity, make some changes to the app configuration:
 
-1. Remove the default value "AzureWebJobsStorage". 
+1. In the Azure portal, on your function app resource menu under **Settings**, select **Configuration**.
 
+1. In the list of settings, select **AzureWebJobsStorage** and select the **Delete** icon.
   [ ![Screenshot of default storage setting.](./media/durable-functions-configure-df-with-credentials/durable-functions-managed-identity-scenario-01.png)](./media/durable-functions-configure-df-with-credentials/durable-functions-managed-identity-scenario-01.png#lightbox)
 
-2. Link your Azure Storage account by adding **either one** of the following value settings (remember to click "Apply" after making the setting changes): 
+1. Add a setting to link your Azure storage account to the application.
+
+   Use *one of the following methods* depending on the cloud that your app runs in:
+
+   - **Azure cloud**: If your app runs in *public Azure*, add a setting that identifies an Azure storage account name:
 
-   * Option 1: 
-      **AzureWebJobsStorage__accountName**: For example: `mystorageaccount123`
+      - `AzureWebJobsStorage__<accountName>`
 
-   * Option 2: 
-      **AzureWebJobsStorage__blobServiceUri**: Example: `https://mystorageaccount123.blob.core.windows.net/` 
+         Example: `AzureWebJobsStorage__mystorageaccount123`
 
-     **AzureWebJobsStorage__queueServiceUri**: Example: `https://mystorageaccount123.queue.core.windows.net/` 
+   - **Non-Azure cloud**: If your application runs in a cloud outside of Azure, you must add a specific service URI (*an endpoint*) for the storage account instead of an account name.
 
-     **AzureWebJobsStorage__tableServiceUri**: Example: `https://mystorageaccount123.table.core.windows.net/` 
+   > [!NOTE] 
+   > If you are using [Azure Government](../../azure-government/documentation-government-welcome.md) or any other cloud that's separate from public Azure, you must use the option to provide a specific service URL. For more information on using Azure Storage with Azure Government, see the [Develop by using the Storage API in Azure Government](../../azure-government/documentation-government-get-started-connect-to-storage.md). 
 
-     > [!NOTE] 
-     > If you are using [Azure Government](../../azure-government/documentation-government-welcome.md) or any other cloud that's separate from global Azure, then you will need to use this second option to provide specific service URLs. The values for these settings can be found in the storage account under the **Endpoints** tab. For more information on using Azure Storage with Azure Government, see the [Develop with Storage API on Azure Government](../../azure-government/documentation-government-get-started-connect-to-storage.md) documentation. 
+
+      - `AzureWebJobsStorage__blobServiceUri`
+
+         Example: `https://mystorageaccount123.blob.core.windows.net/` 
+
+      - `AzureWebJobsStorage__queueServiceUri`
+
+         Example: `https://mystorageaccount123.queue.core.windows.net/` 
+
+      - `AzureWebJobsStorage__tableServiceUri`
+
+         Example: `https://mystorageaccount123.table.core.windows.net/` 
+
+   You can get the values for these URI variables in the storage account information on the Endpoints tab.
 
    ![Screenshot of endpoint sample.](media/durable-functions-configure-df-with-credentials/durable-functions-managed-identity-scenario-02.png)
 
-3. Finalize your managed identity configuration (remember to click "Apply" after making the setting changes): 
+1. Finish your managed identity configuration (remember to click "Apply" after making the setting changes): 
 
-   * If **system-assigned identity** should be used, then specify nothing else. 
+   * If you use a *system-assigned identity*, make no other changes. 
 
-   * If **user-assigned identity** should be used, then add the following app settings values in your app configuration:  
-     * **AzureWebJobsStorage__credential**: managedidentity 
+   * If you use a *user-assigned identity*, add the following settings in your app configuration:  
 
-     * **AzureWebJobsStorage__clientId**: (This is a GUID value that you obtain from your managed identity resource)
+     * **AzureWebJobsStorage__credential**, enter **managedidentity** 
+
+     * **AzureWebJobsStorage__clientId**, get this GUID value from your managed identity resource
 
      ![Screenshot of user identity client id.](media/durable-functions-configure-df-with-credentials/durable-functions-managed-identity-scenario-03.png)
 
-      > [!NOTE] 
-      > Durable Functions does not support `managedIdentityResourceId` when using user-assigned identity. Use `clientId` instead. 
-   
+   > [!NOTE] 
+   > Durable Functions does *not* support `managedIdentityResourceId` when using user-assigned identity. Use `clientId` instead. 
+
 
 
 
