Update exposed-apis-create-app-webapp.md

Author: denisebmsft

defender-endpoint/api/exposed-apis-create-app-webapp.md

@@ -51,9 +51,12 @@ In general, you'll need to take the following steps to use the APIs:
 
 This article explains how to create a Microsoft Entra application, get an access token to Microsoft Defender for Endpoint, and validate the token.
 
+> [!IMPORTANT]
+> Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.
+
 ## Create an app
 
-1. Log on to [Azure](https://portal.azure.com) with a user that has the **Global Administrator** role.
+1. Sign in to the [Azure portal](https://portal.azure.com) with a user that has the Global Administrator role.
 
 2. Navigate to **Microsoft Entra ID** \> **App registrations** \> **New registration**. 
 
@@ -64,55 +67,55 @@ This article explains how to create a Microsoft Entra application, get an access
 4. To enable your app to access Defender for Endpoint and assign it **'Read all alerts'** permission, on your application page, select **API Permissions** \> **Add permission** \> **APIs my organization uses** >, type **WindowsDefenderATP**, and then select **WindowsDefenderATP**.
 
    > [!NOTE]
-   > *WindowsDefenderATP* does not appear in the original list. Start writing its name in the text box to see it appear.
+   > `WindowsDefenderATP` does not appear in the original list. Start writing its name in the text box to see it appear.
 
    :::image type="content" source="../media/add-permission.png" alt-text="The API permissions pane" lightbox="../media/add-permission.png":::
 
    Select **Application permissions** \> **Alert.Read.All**, and then select **Add permissions**.
 
    :::image type="content" source="../media/application-permissions.png" alt-text="The application permission information pane" lightbox="../media/application-permissions.png":::
 
-     You need to select the relevant permissions. 'Read All Alerts' is only an example. For example:
+5. Select appropriate permissions. `Read All Alerts` is only an example. Here are some examples:
 
-     - To [run advanced queries](run-advanced-query-api.md), select the 'Run advanced queries' permission.
-     - To [isolate a device](isolate-machine.md), select the 'Isolate machine' permission.
-     - To determine which permission you need, look at the **Permissions** section in the API you are interested to call.
+   - To [run advanced queries](run-advanced-query-api.md), select the `Run advanced queries` permission.
+   - To [isolate a device](isolate-machine.md), select the `Isolate machine` permission.
+   - To determine which permission you need, look at the **Permissions** section in the API you are interested to call.
 
 5. Select **Grant consent**.
 
-     > [!NOTE]
-     > Every time you add a permission, you must select **Grant consent** for the new permission to take effect.
+   > [!NOTE]
+   > Every time you add a permission, you must select **Grant consent** for the new permission to take effect.
 
-    :::image type="content" source="../media/grant-consent.png" alt-text="The grant permissions page" lightbox="../media/grant-consent.png":::
+   :::image type="content" source="../media/grant-consent.png" alt-text="The grant permissions page" lightbox="../media/grant-consent.png":::
 
 6. To add a secret to the application, select **Certificates & secrets**, add a description to the secret, and then select **Add**.
 
-    > [!NOTE]
-    > After you select **Add**, select **copy the generated secret value**. You won't be able to retrieve this value after you leave.
+   > [!NOTE]
+   > After you select **Add**, select **copy the generated secret value**. You won't be able to retrieve this value after you leave.
 
-      :::image type="content" source="../media/webapp-create-key2.png" alt-text="The create application option" lightbox="../media/webapp-create-key2.png":::
+   :::image type="content" source="../media/webapp-create-key2.png" alt-text="The create application option" lightbox="../media/webapp-create-key2.png":::
 
 7. Write down your application ID and your tenant ID. On your application page, go to **Overview** and copy the following.
 
    :::image type="content" source="../media/app-and-tenant-ids.png" alt-text="The created app and tenant IDs" lightbox="../media/app-and-tenant-ids.png":::
 
-8. **For Microsoft Defender for Endpoint Partners only**. Set your app to be multi-tenanted (available in all tenants after consent). This is **required** for third-party apps (for example, if you create an app that is intended to run in multiple customers' tenant). This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data). To set your app to be multi-tenanted:
+8. **For Microsoft Defender for Endpoint Partners only**. Set your app to be multi-tenanted (available in all tenants after consent). This is **required** for third-party apps (for example, if you create an app that is intended to run in multiple customers' tenant). This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data). To set your app to be multi-tenanted, follow these steps:
 
-    - Go to **Authentication**, and add `https://portal.azure.com` as the **Redirect URI**.
+   1. Go to **Authentication**, and add `https://portal.azure.com` as the **Redirect URI**.
 
-    - On the bottom of the page, under **Supported account types**, select the **Accounts in any organizational directory** application consent for your multi-tenant app.
+   2. On the bottom of the page, under **Supported account types**, select the **Accounts in any organizational directory** application consent for your multi-tenant app.
 
-    You need your application to be approved in each tenant where you intend to use it. This is because your application interacts Defender for Endpoint on behalf of your customer.
+      You need your application to be approved in each tenant where you intend to use it. This is because your application interacts Defender for Endpoint on behalf of your customer.
 
-    You (or your customer if you are writing a third-party app) need to select the consent link and approve your app. The consent should be done with a user who has administrative privileges in Active Directory.
+       You (or your customer if you are writing a third-party app) need to select the consent link and approve your app. The consent should be done with a user who has administrative privileges in Active Directory.
 
-    The consent link is formed as follows: 
+       The consent link is formed as follows: 
 
-    ```https
-    https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
-    ```
+       ```https
+       https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
+       ```
 
-    Where 00000000-0000-0000-0000-000000000000 is replaced with your application ID.
+       Where `00000000-0000-0000-0000-000000000000` is replaced with your application ID.
 
 
 **Done!** You have successfully registered an application! See examples below for token acquisition and validation.
@@ -152,7 +155,9 @@ The following code was tested with NuGet Microsoft.Identity.Client 3.19.8.
 > The [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory) NuGet package and Azure AD Authentication Library (ADAL) have been deprecated. No new features have been added since June 30, 2020.   We strongly encourage you to upgrade, see the [migration guide](/azure/active-directory/develop/msal-migration) for more details.
 
 1. Create a new console application.
+
 1. Install NuGet [Microsoft.Identity.Client](https://www.nuget.org/packages/Microsoft.Identity.Client/).
+
 1. Add the following:
 
     ```csharp
@@ -176,6 +181,7 @@ The following code was tested with NuGet Microsoft.Identity.Client 3.19.8.
 
     string token = authResult.AccessToken;
     ```
+
 ### Use Python
 
 See [Get token using Python](run-advanced-query-sample-python.md#get-token).
@@ -186,8 +192,11 @@ See [Get token using Python](run-advanced-query-sample-python.md#get-token).
 > The following procedure assumes that Curl for Windows is already installed on your computer.
 
 1. Open a command prompt, and set CLIENT_ID to your Azure application ID.
+
 1. Set CLIENT_SECRET to your Azure application secret.
+
 1. Set TENANT_ID to the Azure tenant ID of the customer that wants to use your app to access Defender for Endpoint.
+
 1. Run the following command:
 
     ```console
@@ -215,7 +224,9 @@ Ensure that you got the correct token:
 ## Use the token to access Microsoft Defender for Endpoint API
 
 1. Choose the API you want to use. For more information, see [Supported Defender for Endpoint APIs](exposed-apis-list.md).
+
 1. Set the authorization header in the http request you send to "Bearer {token}" (Bearer is the authorization scheme).
+
 1. The expiration time of the token is one hour. You can send more than one request with the same token.
 
 The following is an example of sending a request to get a list of alerts **using C#**:
@@ -233,6 +244,8 @@ var response = httpClient.SendAsync(request).GetAwaiter().GetResult();
 ```
 
 ## See also
+
 - [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md)
 - [Access Microsoft Defender for Endpoint on behalf of a user](exposed-apis-create-app-nativeapp.md)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]