Commit 348ad5e

Merge pull request #313079 from lootle1/FR39
Freshness Edit: App Service 1 of 3
2 parents cd7b753 + aac3c9b commit 348ad5e

9 files changed

Lines changed: 64 additions & 63 deletions

articles/app-service/includes/tutorial-connect-app-access-microsoft-graph-as-user/intro.md

Lines changed: 3 additions & 3 deletions
@@ -35,7 +35,7 @@ In this tutorial, you learn how to:
3535

3636
Now that you've enabled authentication and authorization on your web app, the web app is registered with the Microsoft identity platform and is backed by a Microsoft Entra application. In this step, you give the web app permissions to access Microsoft Graph for the user. (Technically, you give the web app's Microsoft Entra application the permissions to access the Microsoft Graph Microsoft Entra application for the user.)
3737

38-
1. In the [Microsoft Entra admin center](https://entra.microsoft.com), select **Applications**.
38+
1. In the [Microsoft Entra admin center](https://entra.microsoft.com), select **Entra ID**.
3939

4040
1. Select **App registrations** > **Owned applications** > **View all applications in this directory**. Select your web app name, and then select **API permissions**.
4141
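Review bot: Only step 1 on line 38 is updated to **Entra ID**; the next step on line 40 still reads "**App registrations** > **Owned applications** > **View all applications in this directory**". Confirm those labels are still what appears under **Entra ID**, so the reader who follows the new first step does not get stuck on the second.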

@@ -51,11 +51,11 @@ The web app now has the required permissions to access Microsoft Graph as the si
5151
> If you don't configure App Service to return a usable access token, you receive a ```CompactToken parsing failed with error code: 80049217``` error when you call Microsoft Graph APIs in your code.
5252
5353
# [Azure Resource Explorer](#tab/azure-resource-explorer)
54-
Go to [Azure Resource Explorer](https://resources.azure.com/) and using the resource tree, locate your web app. The resource URL should be similar to `https://resources.azure.com/subscriptions/subscriptionId/resourceGroups/SecureWebApp/providers/Microsoft.Web/sites/SecureWebApp20200915115914`.
54+
Go to [Azure Resource Explorer](https://rc.portal.azure.com/#view/Microsoft_Azure_Resources/ResourceExplorer.ReactView) and using the resource tree, locate your web app. The resource URL should be similar to `https://management.azure.com/subscriptions/subscriptionId/resourceGroups/SecureWebApp/providers/Microsoft.Web/sites/SecureWebApp20200915115914`.
5555

5656
The Azure Resource Explorer is now opened with your web app selected in the resource tree.
5757

58-
1. At the top of the page, select **Read/Write** to enable editing of your Azure resources.
58+
1. At the top of the page, select **Edit** to enable editing of your Azure resources.
5959

6060
1. In the left browser, drill down to **config** > **authsettingsV2**.
6161
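Review bot: On new line 54 the Azure Resource Explorer link points at the `rc.portal.azure.com` host, which reads like a pre-release portal hostname; unless that is intentional, link to the same view under `portal.azure.com`. The same line now gives a `https://management.azure.com/...` example as the resource URL, so confirm that this is what the new Resource Explorer view displays. The tab heading and the context on line 56 still call the tool Azure Resource Explorer, which should match the name shown in the portal view.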

articles/app-service/includes/tutorial-dotnet-storage-managed-identity/introduction.md

Lines changed: 7 additions & 8 deletions
@@ -14,15 +14,15 @@ ms.custom:
1414
---
1515
Learn how to access Azure services, _such as Azure Storage_, from a web app (not a signed-in user) running on Azure App Service by using managed identities. This tutorial demonstrates connecting to Azure Storage as an example.
1616

17-
[Any service](../../../active-directory/managed-identities-azure-resources/managed-identities-status.md) that supports managed identity (_B_ in the following image) can be securely accessed using this tutorial:
17+
[Any service](/entra/identity/managed-identities-azure-resources/managed-identities-status) that supports managed identity (_B_ in the following image) can be securely accessed using this tutorial:
1818

1919
* Azure Storage
2020
* Azure SQL Database
2121
* Azure Key Vault
2222

2323
:::image type="content" alt-text="Diagram that shows how to access storage." source="../../media/scenario-secure-app-access-storage/web-app-access-storage.svg" border="false":::
2424

25-
You want to add secure access to Azure services (Azure Storage, Azure SQL Database, Azure Key Vault, or other services) from your web app. You could use a shared key, but then you have to worry about operational security of who can create, deploy, and manage the secret. It's also possible that the key could be checked into GitHub, which hackers know how to scan for. A safer way to give your web app access to data is to use [managed identities](../../../active-directory/managed-identities-azure-resources/overview.md).
25+
You want to add secure access to Azure services (Azure Storage, Azure SQL Database, Azure Key Vault, or other services) from your web app. You could use a shared key, but then you have to worry about operational security of who can create, deploy, and manage the secret. It's also possible that the key could be checked into GitHub, which hackers know how to scan for. A safer way to give your web app access to data is to use [managed identities](/entra/identity/managed-identities-azure-resources/overview).
2626

2727
A managed identity from Microsoft Entra ID allows App Service to access resources through role-based access control (RBAC), without requiring app credentials. After assigning a managed identity to your web app, Azure takes care of the creation and distribution of a certificate. People don't have to worry about managing secrets or app credentials.
2828
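Review bot: New line 25 is being touched for the link only, but it keeps the phrase "which hackers know how to scan for"; tighten it while you are here, for example "where attackers scan for exposed keys". Context line 27 says "People don't have to worry" while the Microsoft Graph include in this same commit says "You don't have to worry" for the same sentence; pick one form for both includes.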

@@ -64,7 +64,7 @@ Blobs in Azure Storage are organized into containers. Before you can upload a bl
6464

6565
To create a general-purpose v2 storage account in the Azure portal, follow these steps.
6666

67-
1. On the Azure portal menu, select **All services**. In the list of resources, enter **Storage Accounts**. As you begin typing, the list filters based on your input. Select **Storage Accounts**.
67+
1. On the Azure portal menu, enter **Storage Accounts**. As you begin typing, the list filters based on your input. Select **Storage Accounts**.
6868

6969
1. In the **Storage Accounts** window that appears, select **Create**.
7070
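Review bot: New line 67 now reads "On the Azure portal menu, enter **Storage Accounts**", but a menu is not a text field. With the "select **All services**" part removed, say where the reader types (for example, the portal search box) so that "the list filters based on your input" still makes sense.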

@@ -76,15 +76,14 @@ To create a general-purpose v2 storage account in the Azure portal, follow these
7676

7777
1. Select a location (region) for your storage account, or use the default value.
7878

79+
1. Under **Preferred storage type** field, select **Azure Blob Storage or Azure Data Lake Storage Gen2**.
80+
7981
1. Leave these fields set to their default values:
8082

8183
|Field|Value|
8284
|--|--|
83-
|Deployment model|Resource Manager|
8485
|Performance|Standard|
85-
|Account kind|StorageV2 (general-purpose v2)|
86-
|Replication|Read-access geo-redundant storage (RA-GRS)|
87-
|Access tier|Hot|
86+
|Redundancy|Geo-redundant storage|
8887

8988
1. Select **Review + Create** to review your storage account settings and create the account.
9089
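Review bot: New line 79 has a grammar slip: "Under **Preferred storage type** field, select" should be "In the **Preferred storage type** field, select". The table on line 86 also changes the default from "Read-access geo-redundant storage (RA-GRS)" to "Geo-redundant storage"; confirm that the portal default really dropped read access and that this is not just a shortened label. The sentence quoted in the hunk header still promises a "general-purpose v2 storage account" although the **Account kind** row is removed, so check that the lead-in still matches the portal flow.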

@@ -96,7 +95,7 @@ To create a Blob Storage container in Azure Storage, follow these steps.
9695

9796
1. In the left menu for the storage account, scroll to the **Data storage** section, and then select **Containers**.
9897

99-
1. Select the **+ Container** button.
98+
1. Select the **+ Add Container** button.
10099

101100
1. Type a name for your new container. The container name must be lowercase, must start with a letter or number, and can include only letters, numbers, and the dash (-) character.
102101

articles/app-service/includes/tutorial-microsoft-graph-as-app/introduction.md

Lines changed: 2 additions & 2 deletions
@@ -13,7 +13,7 @@ Learn how to access Microsoft Graph from a web app running on Azure App Service.
1313

1414
:::image type="content" alt-text="Diagram that shows accessing Microsoft Graph." source="../../media/scenario-secure-app-access-microsoft-graph/web-app-access-graph.svg" border="false":::
1515

16-
You want to call Microsoft Graph for the web app. A safe way to give your web app access to data is to use a [system-assigned managed identity](../../../active-directory/managed-identities-azure-resources/overview.md). A managed identity from Microsoft Entra ID allows App Service to access resources through role-based access control (RBAC), without requiring app credentials. After assigning a managed identity to your web app, Azure takes care of the creation and distribution of a certificate. You don't have to worry about managing secrets or app credentials.
16+
You want to call Microsoft Graph for the web app. A safe way to give your web app access to data is to use a [system-assigned managed identity](/entra/identity/managed-identities-azure-resources/overview). A managed identity from Microsoft Entra ID allows App Service to access resources through role-based access control (RBAC), without requiring app credentials. After assigning a managed identity to your web app, Azure takes care of the creation and distribution of a certificate. You don't have to worry about managing secrets or app credentials.
1717

1818
In this tutorial, you learn how to:
1919

@@ -115,6 +115,6 @@ When accessing the Microsoft Graph, the managed identity needs to have proper pe
115115
116116
:::image type="content" alt-text="Screenshot that shows the All applications option." source="../../media/scenario-secure-app-access-microsoft-graph/enterprise-apps-all-applications.png":::
117117
118-
1. In **Overview**, select **Permissions**, and you'll see the added permissions for Microsoft Graph.
118+
1. In **Security**, select **Permissions**, and you'll see the added permissions for Microsoft Graph.
119119
120120
:::image type="content" alt-text="Screenshot that shows the Permissions pane." source="../../media/scenario-secure-app-access-microsoft-graph/enterprise-apps-permissions.png":::

articles/app-service/scenario-secure-app-access-microsoft-graph-as-app.md

Lines changed: 1 addition & 1 deletion
@@ -5,7 +5,7 @@ author: cephalin
55
ms.author: cephalin
66
ms.service: azure-app-service
77
ms.topic: tutorial
8-
ms.date: 04/05/2023
8+
ms.date: 03/13/2026
99
ms.devlang: csharp
1010
ms.custom: azureday1, devx-track-dotnet, AppServiceIdentity
1111
#Customer intent: As an application developer, I want to learn how to access data in Microsoft Graph by using managed identities.

articles/app-service/scenario-secure-app-access-microsoft-graph-as-user.md

Lines changed: 9 additions & 8 deletions
@@ -5,7 +5,7 @@ author: cephalin
55
ms.author: cephalin
66
ms.service: azure-app-service
77
ms.topic: tutorial
8-
ms.date: 09/15/2023
8+
ms.date: 03/17/2026
99
ms.devlang: csharp
1010
ms.custom: azureday1, devx-track-dotnet, AppServiceIdentity
1111
#Customer intent: As an application developer, I want to learn how to access data in Microsoft Graph for a signed-in user.
@@ -21,13 +21,14 @@ Your web app now has the required permissions and also adds Microsoft Graph's cl
2121

2222
Using the [Microsoft.Identity.Web library](https://github.com/AzureAD/microsoft-identity-web/), the web app gets an access token for authentication with Microsoft Graph. In version 1.2.0 and later, the Microsoft.Identity.Web library integrates with and can run alongside the App Service authentication/authorization module. Microsoft.Identity.Web detects that the web app is hosted in App Service and automatically retrieves the access token from the `X-MS-TOKEN-AAD-ACCESS-TOKEN` request header that App Service injects (see [Retrieve tokens in app code](configure-authentication-oauth-tokens.md#retrieve-tokens-in-app-code)). You don't need to manually access this header in your code. The access token is then passed along to authenticated requests with the Microsoft Graph API.
2323

24-
To see this code as part of a sample application, see the:
24+
To see this code as part of a sample application, see the:
25+
2526
* [Sample on GitHub](https://github.com/Azure-Samples/ms-identity-easyauth-dotnet-storage-graphapi/tree/main/2-WebApp-graphapi-on-behalf).
2627

2728
> [!NOTE]
28-
> The Microsoft.Identity.Web library isn't required in your web app for basic authentication/authorization or to authenticate requests with Microsoft Graph. It's possible to [securely call downstream APIs](tutorial-auth-aad.md#call-api-securely-from-server-code) with only the App Service authentication/authorization module enabled.
29-
>
30-
> However, the App Service authentication/authorization is designed for more basic authentication scenarios. For more complex scenarios (handling custom claims, for example), you need the Microsoft.Identity.Web library or [Microsoft Authentication Library](../active-directory/develop/msal-overview.md). There's a little more setup and configuration work in the beginning, but the Microsoft.Identity.Web library can run alongside the App Service authentication/authorization module. Later, when your web app needs to handle more complex scenarios, you can disable the App Service authentication/authorization module and Microsoft.Identity.Web will already be a part of your app.
29+
> The Microsoft.Identity.Web library isn't required in your web app for basic authentication/authorization or to authenticate requests with Microsoft Graph. It's possible to [securely call downstream APIs](tutorial-auth-aad.md) with only the App Service authentication/authorization module enabled.
30+
>
31+
> However, the App Service authentication/authorization is designed for more basic authentication scenarios. For more complex scenarios (handling custom claims, for example), you need the Microsoft.Identity.Web library or [Microsoft Authentication Library](/entra/identity-platform/msal-overview). There's a little more setup and configuration work in the beginning, but the Microsoft.Identity.Web library can run alongside the App Service authentication/authorization module. Later, when your web app needs to handle more complex scenarios, you can disable the App Service authentication/authorization module, and Microsoft.Identity.Web will already be a part of your app.
3132
3233
### Install client library packages
3334
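Review bot: On new line 29 the link for "securely call downstream APIs" drops the `#call-api-securely-from-server-code` anchor and now lands at the top of `tutorial-auth-aad.md`. If the heading was renamed, point at the new anchor so the reader arrives at the section about calling the API from server code rather than having to search the tutorial. Minor: new lines 24 to 26 still read "see the:" followed by a one-item list; fold it into one sentence, as the storage article in this commit does with "see the [sample on GitHub]".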

@@ -50,6 +51,7 @@ dotnet add package Microsoft.Identity.Web
5051
Open the project/solution in Visual Studio, and open the console by using the **Tools** > **NuGet Package Manager** > **Package Manager Console** command.
5152

5253
Run the install commands.
54+
5355
```powershell
5456
Install-Package Microsoft.Identity.Web.GraphServiceClient
5557
@@ -58,7 +60,7 @@ Install-Package Microsoft.Identity.Web
5860

5961
### Startup.cs
6062

61-
In the *Startup.cs* file, the ```AddMicrosoftIdentityWebApp``` method adds Microsoft.Identity.Web to your web app. The ```AddMicrosoftGraph``` method adds Microsoft Graph support. For info on managing incremental consent and conditional access, [read this](https://github.com/AzureAD/microsoft-identity-web/wiki/Managing-incremental-consent-and-conditional-access).
63+
In the *Startup.cs* file, the ```AddMicrosoftIdentityWebApp``` method adds Microsoft.Identity.Web to your web app. The ```AddMicrosoftGraph``` method adds Microsoft Graph support. For info on managing incremental consent and conditional access, [read this article](https://github.com/AzureAD/microsoft-identity-web/wiki/Managing-incremental-consent-and-conditional-access).
6264

6365
```csharp
6466
using Microsoft.AspNetCore.Builder;
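Review bot: On new line 63 the link text "read this article" is still non-descriptive, and the target is a GitHub wiki page rather than an article. Use the page title as the link text, for example "see Managing incremental consent and conditional access".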
@@ -102,7 +104,7 @@ public class Startup
102104

103105
### appsettings.json
104106

105-
*AzureAd* specifies the configuration for the Microsoft.Identity.Web library. In the [Microsoft Entra admin center](https://entra.microsoft.com), select **Applications** from the portal menu and then select **App registrations**. Select the app registration created when you enabled the App Service authentication/authorization module. (The app registration should have the same name as your web app.) You can find the tenant ID and client ID in the app registration overview page. The domain name can be found in the Microsoft Entra overview page for your tenant.
107+
*AzureAd* specifies the configuration for the Microsoft.Identity.Web library. In the [Microsoft Entra admin center](https://entra.microsoft.com), select **Entra ID** from the portal menu and then select **App registrations**. Select the app registration created when you enabled the App Service authentication/authorization module. (The app registration should have the same name as your web app.) You can find the tenant ID and client ID in the app registration overview page. The domain name can be found in the Microsoft Entra overview page for your tenant.
106108

107109
*Graph* specifies the Microsoft Graph endpoint and the initial scopes needed by the app.
108110

@@ -197,5 +199,4 @@ public class IndexModel : PageModel
197199
}
198200
```
199201

200-
201202
[!INCLUDE [second-part](./includes/tutorial-connect-app-access-microsoft-graph-as-user/end.md)]

articles/app-service/scenario-secure-app-access-storage.md

Lines changed: 2 additions & 3 deletions
@@ -5,7 +5,7 @@ author: cephalin
55
ms.author: cephalin
66
ms.service: azure-app-service
77
ms.topic: tutorial
8-
ms.date: 07/31/2023
8+
ms.date: 03/17/2026
99
ms.devlang: csharp
1010
# ms.devlang: csharp, azurecli
1111
ms.custom: azureday1, devx-track-azurecli, devx-track-azurepowershell, subject-rbac-steps, devx-track-dotnet, AppServiceIdentity
@@ -18,7 +18,6 @@ ms.custom: azureday1, devx-track-azurecli, devx-track-azurepowershell, subject-r
1818

1919
## Access Blob Storage
2020

21-
2221
The [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) class is used to get a token credential for your code to authorize requests to Azure Storage. Create an instance of the [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) class, which uses the managed identity to fetch tokens and attach them to the service client. The following code example gets the authenticated token credential and uses it to create a service client object, which uploads a new blob.
2322

2423
To see this code as part of a sample application, see the [sample on GitHub](https://github.com/Azure-Samples/ms-identity-easyauth-dotnet-storage-graphapi/tree/main/1-WebApp-storage-managed-identity).
@@ -76,7 +75,7 @@ static public async Task UploadBlob(string accountName, string containerName, st
7675
7776
try
7877
{
79-
// Create the container if it does not exist.
78+
// Create the container if it doesn't exist.
8079
await containerClient.CreateIfNotExistsAsync();
8180
8281
// Upload text to a new block blob.
