diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 544d70a2731f4..68e80d3ae203c 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -86,8 +86,8 @@ "branch_mapping": {} }, { - "path_to_root": "azure-dev-docs-pr", - "url": "https://github.com/MicrosoftDocs/azure-dev-docs-pr", + "path_to_root": "azure-dev-docs", + "url": "https://github.com/MicrosoftDocs/azure-dev-docs", "branch": "main", "branch_mapping": {} } diff --git a/docs/ai/get-started-app-chat-scaling-with-azure-container-apps.md b/docs/ai/get-started-app-chat-scaling-with-azure-container-apps.md index 586277b7518c1..9436548363384 100644 --- a/docs/ai/get-started-app-chat-scaling-with-azure-container-apps.md +++ b/docs/ai/get-started-app-chat-scaling-with-azure-container-apps.md @@ -8,7 +8,7 @@ ms.topic: get-started # Scale Azure OpenAI for .NET chat using RAG with Azure Container Apps -[!INCLUDE [aca-load-balancer-intro](~/azure-dev-docs-pr/articles/ai/includes//scaling-load-balancer-introduction-azure-container-apps.md)] +[!INCLUDE [aca-load-balancer-intro](~/azure-dev-docs/articles/ai/includes//scaling-load-balancer-introduction-azure-container-apps.md)] ## Prerequisites 
@@ -28,15 +28,15 @@ ms.topic: get-started --- -[!INCLUDE [scaling-load-balancer-aca-procedure.md](~/azure-dev-docs-pr/articles/ai/includes//scaling-load-balancer-procedure-azure-container-apps.md)] +[!INCLUDE [scaling-load-balancer-aca-procedure.md](~/azure-dev-docs/articles/ai/includes//scaling-load-balancer-procedure-azure-container-apps.md)] -[!INCLUDE [redeployment-procedure](~/azure-dev-docs-pr/articles/ai/includes//redeploy-procedure-chat.md)] +[!INCLUDE [redeployment-procedure](~/azure-dev-docs/articles/ai/includes//redeploy-procedure-chat.md)] -[!INCLUDE [logs](~/azure-dev-docs-pr/articles/ai/includes//scaling-load-balancer-logs-azure-container-apps.md)] +[!INCLUDE [logs](~/azure-dev-docs/articles/ai/includes//scaling-load-balancer-logs-azure-container-apps.md)] -[!INCLUDE [capacity.md](~/azure-dev-docs-pr/articles/ai/includes//scaling-load-balancer-capacity.md)] +[!INCLUDE [capacity.md](~/azure-dev-docs/articles/ai/includes//scaling-load-balancer-capacity.md)] -[!INCLUDE [aca-cleanup](~/azure-dev-docs-pr/articles/ai/includes//scaling-load-balancer-cleanup-azure-container-apps.md)] +[!INCLUDE [aca-cleanup](~/azure-dev-docs/articles/ai/includes//scaling-load-balancer-cleanup-azure-container-apps.md)] ## Sample code diff --git a/docs/ai/resources/azure-ai.md b/docs/ai/resources/azure-ai.md index 5e3e8f028dce1..e81822d822286 100644 --- a/docs/ai/resources/azure-ai.md +++ b/docs/ai/resources/azure-ai.md @@ -9,4 +9,4 @@ ms.topic: reference This article contains an organized list of the best learning resources for .NET developers who are building AI apps using Azure services. Resources include popular quickstart articles, reference samples, documentation, and training courses. -[!INCLUDE [include-file-from-azure-dev-docs-pr](~/azure-dev-docs-pr/articles/ai/includes/azure-ai-for-developers-dotnet.md)] +[!INCLUDE [include-file-from-azure-dev-docs-pr](~/azure-dev-docs/articles/ai/includes/azure-ai-for-developers-dotnet.md)] 
diff --git a/docs/azure/sdk/authentication/local-development-broker.md b/docs/azure/sdk/authentication/local-development-broker.md index fb0cf004f2479..6a2b9376a4652 100644 --- a/docs/azure/sdk/authentication/local-development-broker.md +++ b/docs/azure/sdk/authentication/local-development-broker.md @@ -9,29 +9,29 @@ zone_pivot_groups: operating-systems-set-one # Authenticate .NET apps to Azure services during local development using brokered authentication -[!INCLUDE [broker-intro](../includes/broker-intro.md)] +[!INCLUDE [broker-intro](~/azure-dev-docs/articles/includes/authentication/broker-introduction.md)] :::zone target="docs" pivot="os-windows" -[!INCLUDE [broker-windows](../includes/broker-windows.md)] +[!INCLUDE [broker-windows](~/azure-dev-docs/articles/includes/authentication/broker-windows.md)] :::zone-end :::zone target="docs" pivot="os-macos" -[!INCLUDE [broker-mac](../includes/broker-mac.md)] +[!INCLUDE [broker-mac](~/azure-dev-docs/articles/includes/authentication/broker-mac.md)] :::zone-end :::zone target="docs" pivot="os-linux" -[!INCLUDE [broker-linux](../includes/broker-linux.md)] +[!INCLUDE [broker-linux](~/azure-dev-docs/articles/includes/authentication/broker-linux.md)] :::zone-end -[!INCLUDE [broker-configure-app](../includes/broker-configure-app.md)] +[!INCLUDE [broker-configure-app](~/azure-dev-docs/articles/includes/authentication/broker-configure-application.md)] -[!INCLUDE [broker-assign-roles](../includes/broker-assign-roles.md)] +[!INCLUDE [broker-assign-roles](~/azure-dev-docs/articles/includes/authentication/broker-assign-roles.md)] ## Implement the code 
@@ -97,7 +97,7 @@ The Azure Identity library provide interactive brokered authentication using using . -:::code language="csharp" source="../snippets/authentication/brokered/console-app/Program.cs" id="snippet_brokered_linux" highlight="15-21"::: + :::code language="csharp" source="../snippets/authentication/brokered/console-app/Program.cs" id="snippet_brokered_linux" highlight="15-21"::: :::zone-end diff --git a/docs/azure/sdk/authentication/local-development-dev-accounts.md b/docs/azure/sdk/authentication/local-development-dev-accounts.md index ab5e13c3865dd..86cfb27039db4 100644 --- a/docs/azure/sdk/authentication/local-development-dev-accounts.md +++ b/docs/azure/sdk/authentication/local-development-dev-accounts.md @@ -39,9 +39,9 @@ The Azure Identity library can detect that the developer is signed-in from one o This approach takes advantage of the developer's existing Azure accounts to streamline the authentication process. However, a developer's account likely has more permissions than required by the app, therefore exceeding the permissions the app runs with in production. As an alternative, you can [create application service principals to use during local development](./local-development-service-principal.md), which can be scoped to have only the access needed by the app. -[!INCLUDE [auth-create-entra-group](../includes/auth-create-entra-group.md)] +[!INCLUDE [auth-create-entra-group](~/azure-dev-docs/articles/includes/authentication/create-entra-group.md)] -[!INCLUDE [auth-assign-group-roles](../includes/auth-assign-group-roles.md)] +[!INCLUDE [auth-assign-group-roles](~/azure-dev-docs/articles/includes/authentication/assign-group-roles.md)] ## Sign-in to Azure using developer tooling 
@@ -53,72 +53,19 @@ Next, sign-in to Azure using one of several developer tools that can be used to ### [Visual Studio Code](#tab/sign-in-visual-studio-code) -Developers using Visual Studio Code can authenticate with their developer account directly through the editor via the broker. Apps that use or can then use this account to authenticate app requests through a seamless single-sign-on experience. - -1. In Visual Studio Code, go to the **Extensions** panel and install the [Azure Resources](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azureresourcegroups) extension. This extension lets you view and manage Azure resources directly from Visual Studio Code. It also uses the built-in Visual Studio Code Microsoft authentication provider to authenticate with Azure. - - :::image type="content" source="../media/azure-resources-extension.png" alt-text="Screenshot showing the Azure Resources extension."::: - -1. Open the Command Palette in Visual Studio Code, then search for and select **Azure: Sign in**. - - :::image type="content" source="../media/visual-studio-code-sign-in.png" alt-text="Screenshot showing how to sign in to Azure in Visual Studio Code."::: - - > [!TIP] - > Open the Command Palette using `Ctrl+Shift+P` on Windows/Linux or `Cmd+Shift+P` on macOS. - -1. Add the [Azure.Identity.Broker](https://www.nuget.org/packages/Azure.Identity.Broker) NuGet package to your app: - - ```dotnetcli - dotnet add package Azure.Identity.Broker - ``` +[!INCLUDE [sign-in-visual-studio-code](~/azure-dev-docs/articles/includes/authentication/sign-in-visual-studio-code.md)] ### [Azure CLI](#tab/sign-in-azure-cli) -Developers can use [Azure CLI](/cli/azure/what-is-azure-cli) to authenticate. Apps using or can then use this account to authenticate app requests. - -To authenticate with the Azure CLI, run the `az login` command. On a system with a default web browser, the Azure CLI launches the browser to authenticate the user. 
- -```azurecli -az login -``` - -For systems without a default web browser, the `az login` command uses the device code authentication flow. The user can also force the Azure CLI to use the device code flow rather than launching a browser by specifying the `--use-device-code` argument. - -```azurecli -az login --use-device-code -``` +[!INCLUDE [sign-in-azure-cli](~/azure-dev-docs/articles/includes/authentication/sign-in-azure-cli.md)] ### [Azure Developer CLI](#tab/sign-in-azure-developer-cli) -Developers can use [Azure Developer CLI](/azure/developer/azure-developer-cli/overview) to authenticate. Apps using or can then use this account to authenticate app requests. - -To authenticate with the Azure Developer CLI, run the `azd auth login` command. On a system with a default web browser, the Azure Developer CLI launches the browser to authenticate the user. - -```azdeveloper -azd auth login -``` - -For systems without a default web browser, the `azd auth login --use-device-code` uses the device code authentication flow. The user can also force the Azure Developer CLI to use the device code flow rather than launching a browser by specifying the `--use-device-code` argument. - -```azdeveloper -azd auth login --use-device-code -``` +[!INCLUDE [sign-in-azure-developer-cli](~/azure-dev-docs/articles/includes/authentication/sign-in-azure-developer-cli.md)] ### [Azure PowerShell](#tab/sign-in-azure-powershell) -Developers can use [Azure PowerShell](/powershell/azure/what-is-azure-powershell) to authenticate. Apps using or can then use this account to authenticate app requests. - -To authenticate with Azure PowerShell, run the command `Connect-AzAccount`. On a system with a default web browser and version 5.0.0 or later of Azure PowerShell, it launches the browser to authenticate the user. - -```azurepowershell -Connect-AzAccount -``` - -For systems without a default web browser, the `Connect-AzAccount` command uses the device code authentication flow. 
The user can also force Azure PowerShell to use the device code flow rather than launching a browser by specifying the `UseDeviceAuthentication` argument. - -```azurepowershell -Connect-AzAccount -UseDeviceAuthentication -``` +[!INCLUDE [sign-in-azure-PowerShell](~/azure-dev-docs/articles/includes/authentication/sign-in-azure-powershell.md)] --- @@ -133,10 +80,17 @@ Complete the following steps: 1. Add references to the [Azure.Identity](https://www.nuget.org/packages/Azure.Identity) and the [Microsoft.Extensions.Azure](https://www.nuget.org/packages/Microsoft.Extensions.Azure) packages in your project: ```dotnetcli - dotnet add package Azure.Identity - dotnet add package Microsoft.Extensions.Azure + dotnet package add Azure.Identity + dotnet package add Microsoft.Extensions.Azure ``` + > [!NOTE] + > When using `VisualStudioCodeCredential`, you must also install the [Azure.Identity.Broker](https://www.nuget.org/packages/Azure.Identity.Broker) package: + > + > ```dotnetcli + > dotnet package add Azure.Identity.Broker + > ``` + 1. In `Program.cs`, add `using` directives for the `Azure.Identity` and `Microsoft.Extensions.Azure` namespaces. 1. Register the Azure service client using the corresponding `Add`-prefixed extension method. diff --git a/docs/azure/sdk/authentication/local-development-service-principal.md b/docs/azure/sdk/authentication/local-development-service-principal.md index ba7aca1f8440b..5842c21cdd691 100644 --- a/docs/azure/sdk/authentication/local-development-service-principal.md +++ b/docs/azure/sdk/authentication/local-development-service-principal.md 
@@ -30,11 +30,11 @@ When the app is registered in Azure, an application service principal is created During local development, environment variables are set with the application service principal's identity. The Azure Identity library reads these environment variables to authenticate the app to the required Azure resources. -[!INCLUDE [create-app-registration](../includes/auth-create-app-registration.md)] +[!INCLUDE [create-app-registration](~/azure-dev-docs/articles/includes/authentication/create-app-registration.md)] -[!INCLUDE [create-entra-group](../includes/auth-create-entra-group.md)] +[!INCLUDE [create-entra-group](~/azure-dev-docs/articles/includes/authentication/create-entra-group.md)] -[!INCLUDE [auth-assign-group-roles](../includes/auth-assign-group-roles.md)] +[!INCLUDE [auth-assign-group-roles](~/azure-dev-docs/articles/includes/authentication/assign-group-roles.md)] [!INCLUDE [auth-set-environment-variables](../includes/auth-set-environment-variables.md)] diff --git a/docs/azure/sdk/authentication/on-premises-apps.md b/docs/azure/sdk/authentication/on-premises-apps.md index 48f62131d2dbd..8c08559530c25 100644 --- a/docs/azure/sdk/authentication/on-premises-apps.md +++ b/docs/azure/sdk/authentication/on-premises-apps.md @@ -21,7 +21,7 @@ Using dedicated application service principals allows you to adhere to the princ A different app registration should be created for each environment the app is hosted in. This allows environment specific resource permissions to be configured for each service principal and make sure an app deployed to one environment doesn't talk to Azure resources that are part of another environment. -[!INCLUDE [auth-create-app-registration](../includes/auth-create-app-registration.md)] +[!INCLUDE [auth-create-app-registration](~/azure-dev-docs/articles/includes/authentication/create-app-registration.md)] ## Assign roles to the application service principal 
diff --git a/docs/azure/sdk/authentication/system-assigned-managed-identity.md b/docs/azure/sdk/authentication/system-assigned-managed-identity.md index 33886781f7231..24a9a6c6dfed9 100644 --- a/docs/azure/sdk/authentication/system-assigned-managed-identity.md +++ b/docs/azure/sdk/authentication/system-assigned-managed-identity.md @@ -15,7 +15,7 @@ The recommended approach to authenticate an Azure-hosted app to other Azure reso - How to assign roles to the system-assigned managed identity - How to authenticate using the system-assigned managed identity from your app code -[!INCLUDE [managed-identity-concepts](../includes/managed-identity-concepts.md)] +[!INCLUDE [managed-identity-concepts](~/azure-dev-docs/articles/includes/authentication/managed-identity-concepts.md)] The sections ahead describe the steps to enable and use a system-assigned managed identity for an Azure-hosted app. If you need to use a user-assigned managed identity, visit the [user-assigned managed identities](user-assigned-managed-identity.md) article for more information. diff --git a/docs/azure/sdk/authentication/user-assigned-managed-identity.md b/docs/azure/sdk/authentication/user-assigned-managed-identity.md index 014f5382f3b84..dc49eec611c77 100644 --- a/docs/azure/sdk/authentication/user-assigned-managed-identity.md +++ b/docs/azure/sdk/authentication/user-assigned-managed-identity.md 
@@ -15,7 +15,7 @@ The recommended approach to authenticate an Azure-hosted app to other Azure reso - How to assign roles to the user-assigned managed identity - How to authenticate using the user-assigned managed identity from your app code -[!INCLUDE [managed-identity-concepts](../includes/managed-identity-concepts.md)] +[!INCLUDE [managed-identity-concepts](~/azure-dev-docs/articles/includes/authentication/managed-identity-concepts.md)] The sections ahead describe the steps to enable and use a user-assigned managed identity for an Azure-hosted app. If you need to use a system-assigned managed identity, visit the [system-assigned managed identities](system-assigned-managed-identity.md) article for more information. diff --git a/docs/azure/sdk/includes/auth-assign-group-roles.md b/docs/azure/sdk/includes/auth-assign-group-roles.md deleted file mode 100644 index 2a524c9cefa9d..0000000000000 --- a/docs/azure/sdk/includes/auth-assign-group-roles.md +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -ms.topic: include -ms.date: 03/13/2025 ---- - -## Assign roles to the group - -Next, determine what roles (permissions) your app needs on what resources and assign those roles to the Microsoft Entra group you created. Groups can be assigned a role at the resource, resource group, or subscription scope. This example shows how to assign roles at the resource group scope, since most apps group all their Azure resources into a single resource group. - -### [Azure portal](#tab/azure-portal) - -1. In the Azure portal, navigate to the **Overview** page of the resource group that contains your app. -1. Select **Access control (IAM)** from the left navigation. -1. On the **Access control (IAM)** page, select **+ Add** and then choose **Add role assignment** from the drop-down menu. The **Add role assignment** page provides several tabs to configure and assign roles. -1. On the **Role** tab, use the search box to locate the role you want to assign. Select the role, and then choose **Next**. -1. On the **Members** tab: - - For the **Assign access to** value, select **User, group, or service principal** . - - For the **Members** value, choose **+ Select members** to open the **Select members** flyout panel. - - Search for the Microsoft Entra group you created earlier and select it from the filtered results. Choose **Select** to select the group and close the flyout panel. - - Select **Review + assign** at the bottom of the **Members** tab. - - :::image type="content" source="../../media/group-role-assignment.png" alt-text="A screenshot showing how to assign a role to the Microsoft Entra group."::: - -1. On the **Review + assign** tab, select **Review + assign** at the bottom of the page. - -### [Azure CLI](#tab/azure-cli) - -1. 
Use the [az role definition list](/cli/azure/role/definition#az-role-definition-list) command to get the names of the roles that a Microsoft Entra group or service principal can be assigned to: - - ```azurecli - az role definition list \ - --query "sort_by([].{roleName:roleName, description:description}, &roleName)" \ - --output table - ``` - -1. Use the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to assign a role to the Microsoft Entra group you created: - - ```azurecli - az role assignment create \ - --assignee "" \ - --role "" \ - --resource-group "" - ``` - - For information on assigning permissions at the resource or subscription level using the Azure CLI, see [Assign Azure roles using the Azure CLI](/azure/role-based-access-control/role-assignments-cli). - ---- diff --git a/docs/azure/sdk/includes/auth-create-app-registration.md b/docs/azure/sdk/includes/auth-create-app-registration.md deleted file mode 100644 index 499df0dae5111..0000000000000 --- a/docs/azure/sdk/includes/auth-create-app-registration.md +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -ms.topic: include -ms.date: 03/13/2025 ---- - -## Register the app in Azure - -Application service principal objects are created through an app registration in Azure using either the Azure portal or Azure CLI. - -### [Azure portal](#tab/azure-portal) - -1. In the Azure portal, use the search bar to navigate to the **App registrations** page. -1. On the **App registrations** page, select **+ New registration**. -1. On the **Register an application** page: - - For the **Name** field, enter a descriptive value that includes the app name and the target environment. - - For the **Supported account types**, select **Accounts in this organizational directory only (Microsoft Customer Led only - Single tenant)**, or whichever option best fits your requirements. -1. Select **Register** to register your app and create the service principal. - - :::image type="content" source="../../media/app-registration.png" alt-text="A screenshot showing how to create an app registration in the Azure portal."::: - -1. On the **App registration** page for your app, copy the **Application (client) ID** and **Directory (tenant) ID** and paste them in a temporary location for later use in your app code configurations. -1. Select **Add a certificate or secret** to set up credentials for your app. -1. On the **Certificates & secrets** page, select **+ New client secret**. -1. In the **Add a client secret** flyout panel that opens: - - For the **Description**, enter a value of Current. - - For the **Expires** value, leave the default recommended value of 180 days. - - Select **Add** to add the secret. -1. On the **Certificates & secrets** page, copy the **Value** property of the client secret for use in a future step. - - > [!NOTE] - > The client secret value is only displayed once after the app registration is created. You can add more client secrets without invalidating this client secret, but there's no way to display this value again. 
- -### [Azure CLI](#tab/azure-cli) - -Azure CLI commands can be run in the [Azure Cloud Shell](https://shell.azure.com) or on a workstation with the [Azure CLI installed](/cli/azure/install-azure-cli). - -1. Use the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command to create a new app registration and service principal for the app. - - ```azurecli - az ad sp create-for-rbac --name - ``` - - The output of this command resembles the following JSON: - - ```json - { - "appId": "00000000-0000-0000-0000-000000000000", - "displayName": "", - "password": "abcdefghijklmnopqrstuvwxyz", - "tenant": "11111111-1111-1111-1111-111111111111" - } - ``` - -1. Copy this output into a temporary file in a text editor, as you'll need these values in a future step. - - > [!NOTE] - > The client secret value is only displayed once after the app registration is created. You can add more client secrets without invalidating this client secret, but there's no way to display this value again. - ---- diff --git a/docs/azure/sdk/includes/auth-create-entra-group.md b/docs/azure/sdk/includes/auth-create-entra-group.md deleted file mode 100644 index e838e01048ac6..0000000000000 --- a/docs/azure/sdk/includes/auth-create-entra-group.md +++ /dev/null 
@@ -1,61 +0,0 @@ ---- -ms.topic: include -ms.date: 03/11/2025 ---- - -## Create a Microsoft Entra group for local development - -Create a Microsoft Entra group to encapsulate the roles (permissions) the app needs in local development rather than assigning the roles to individual service principal objects. This approach offers the following advantages: - -- Every developer has the same roles assigned at the group level. -- If a new role is needed for the app, it only needs to be added to the group for the app. -- If a new developer joins the team, a new application service principal is created for the developer and added to the group, ensuring the developer has the right permissions to work on the app. - -### [Azure portal](#tab/azure-portal) - -1. Navigate to the **Microsoft Entra ID** overview page in the Azure portal. -1. Select **All groups** from the left-hand menu. -1. On the **Groups** page, select **New group**. -1. On the **New group** page, fill out the following form fields: - - **Group type**: Select **Security**. - - **Group name**: Enter a name for the group that includes a reference to the app or environment name. - - **Group description**: Enter a description that explains the purpose of the group. - - :::image type="content" source="../../media/create-group.png" alt-text="A screenshot showing how to create a group in the Azure portal."::: - -1. Select the **No members selected** link under **Members** to add members to the group. -1. In the flyout panel that opens, search for the service principal you created earlier and select it from the filtered results. Choose the **Select** button at the bottom of the panel to confirm your selection. -1. Select **Create** at the bottom of the **New group** page to create the group and return to the **All groups** page. If you don't see the new group listed, wait a moment and refresh the page. - -### [Azure CLI](#tab/azure-cli) - -1. 
Use the [az ad group create](/cli/azure/ad/group#az-ad-group-create) command to create groups in Microsoft Entra ID. - - ```azurecli - az ad group create \ - --display-name \ - --mail-nickname \ - --description - ``` - - The `--display-name` and `--mail-nickname` parameters are required. The name given to the group should be based on the name and environment of the app to indicate the group's purpose. - -1. To add members to the group, you need the object ID of the application service principal, which is different than the application ID. Use the [az ad sp list](/cli/azure/ad/sp#az-ad-sp-list) command to list the available service principals: - - ```azurecli - az ad sp list \ - --filter "startswith(displayName, '')" \ - --query "[].{objectId:id, displayName:displayName}" - ``` - - The `--filter` parameter accepts OData-style filters and can be used to filter the list as shown. The `--query` parameter limits the output to only the columns of interest. - -1. Use the [az ad group member add](/cli/azure/ad/group/member#az-ad-group-member-add) command to add members to the group: - - ```azurecli - az ad group member add \ - --group \ - --member-id - ``` - ---- diff --git a/docs/azure/sdk/includes/broker-assign-roles.md b/docs/azure/sdk/includes/broker-assign-roles.md deleted file mode 100644 index 0904833ce7086..0000000000000 --- a/docs/azure/sdk/includes/broker-assign-roles.md +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -ms.topic: include -ms.date: 03/19/2025 ---- - -## Assign roles - -To run your app code successfully with brokered authentication, grant your user account permissions using [Azure role-based access control (RBAC)](/azure/role-based-access-control/overview). Assign an appropriate role to your user account for the relevant Azure service. For example: - -- **Azure Blob Storage**: Assign the **Storage Account Data Contributor** role. -- **Azure Key Vault**: Assign the **Key Vault Secrets Officer** role. - -If an app is specified, it must have API permissions set for **user_impersonation Access Azure Storage** (step 6 in the previous section). This API permission allows the app to access Azure storage on behalf of the signed-in user after consent is granted during sign-in. diff --git a/docs/azure/sdk/includes/broker-configure-app.md b/docs/azure/sdk/includes/broker-configure-app.md deleted file mode 100644 index 77ce644c20215..0000000000000 --- a/docs/azure/sdk/includes/broker-configure-app.md +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -ms.topic: include -ms.date: 03/19/2025 ---- - -## Configure the app for brokered authentication - -To enable brokered authentication in your application, follow these steps: - -1. In the [Azure portal](https://portal.azure.com), navigate to **Microsoft Entra ID** and select **App registrations** on the left-hand menu. -1. Select the registration for your app, then select **Authentication**. -1. Add the appropriate redirect URI to your app registration via a platform configuration: - 1. Under **Platform configurations**, select **+ Add a platform**. - 1. Under **Configure platforms**, select the tile for your application type (platform) to configure its settings, such as **mobile and desktop applications**. - 1. In **Custom redirect URIs**, enter the following redirect URI for your platform: - - | Platform | Redirect URI | - |-------------|-----------------------------------------------------------------------------------------------------------------------| - | Windows 10+ or WSL | `ms-appx-web://Microsoft.AAD.BrokerPlugin/{your_client_id}` | - | macOS | `msauth.com.msauth.unsignedapp://auth` for unsigned apps
`msauth.{bundle_id}://auth` for signed apps | - | Linux | `https://login.microsoftonline.com/common/oauth2/nativeclient` | - - Replace `{your_client_id}` or `{bundle_id}` with the **Application (client) ID** from the app registration's **Overview** pane. - - 1. Select **Configure**. - - To learn more, see [Add a redirect URI to an app registration](/entra/identity-platform/quickstart-register-app#add-a-redirect-uri). - -1. Back on the **Authentication** pane, under **Advanced settings**, select **Yes** for **Allow public client flows**. -1. Select **Save** to apply the changes. -1. To authorize the application for specific resources, navigate to the resource in question, select **API Permissions**, and enable **Microsoft Graph** and other resources you want to access. - - > [!IMPORTANT] - > You must also be the admin of your tenant to grant consent to your application when you sign in for the first time. diff --git a/docs/azure/sdk/includes/broker-intro.md b/docs/azure/sdk/includes/broker-intro.md deleted file mode 100644 index 2ac265642c74d..0000000000000 --- a/docs/azure/sdk/includes/broker-intro.md +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -ms.topic: include -ms.date: 04/25/2025 ---- - -Brokered authentication collects user credentials using the system authentication broker to authenticate an app. A system authentication broker is an app running on a user's machine that manages the authentication handshakes and token maintenance for all connected accounts. - -Brokered authentication offers the following benefits: - -- **Enables Single Sign-On (SSO):** Enables apps to simplify how users authenticate with Microsoft Entra ID and protects Microsoft Entra ID refresh tokens from exfiltration and misuse. -- **Enhanced security:** Many security enhancements are delivered with the broker, without needing to update the app logic. -- **Enhanced feature support:** With the help of the broker, developers can access rich OS and service capabilities. -- **System integration:** Applications that use the broker plug-and-play with the built-in account picker, allowing the user to quickly pick an existing account instead of re-entering the same credentials over and over. -- **Token Protection:** Ensures that the refresh tokens are device bound and enables apps to acquire device bound access tokens. For more information, see [Token Protection](/azure/active-directory/conditional-access/concept-token-protection). diff --git a/docs/azure/sdk/includes/broker-linux.md b/docs/azure/sdk/includes/broker-linux.md deleted file mode 100644 index 87a5fa1de997c..0000000000000 --- a/docs/azure/sdk/includes/broker-linux.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -ms.topic: include -ms.date: 04/25/2025 ---- - -Linux uses [Microsoft single sign-on for Linux](/entra/identity/devices/sso-linux) as its authentication broker. diff --git a/docs/azure/sdk/includes/broker-mac.md b/docs/azure/sdk/includes/broker-mac.md deleted file mode 100644 index 93b027043a9ad..0000000000000 --- a/docs/azure/sdk/includes/broker-mac.md +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -ms.topic: include -ms.date: 04/25/2025 ---- - -macOS doesn't natively include a built-in authentication broker. The Azure Identity client library implements brokered authentication features using platform-specific mechanisms and can integrate with apps like Microsoft Company Portal when devices are managed. For more information, see [Microsoft Enterprise SSO plug-in for Apple devices](/entra/identity-platform/apple-sso-plugin). diff --git a/docs/azure/sdk/includes/broker-windows.md b/docs/azure/sdk/includes/broker-windows.md deleted file mode 100644 index 542b09c88a54d..0000000000000 --- a/docs/azure/sdk/includes/broker-windows.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -ms.topic: include -ms.date: 04/25/2025 ---- - -Windows provides an authentication broker called [Web Account Manager (WAM)](/entra/msal/dotnet/acquiring-tokens/desktop-mobile/wam). WAM enables identity providers such as Microsoft Entra ID to natively plug into the OS and provide secure login services to apps. Brokered authentication enables the app for all operations allowed by the interactive login credentials. - -Personal Microsoft accounts and work or school accounts are supported. On supported Windows versions, the default browser-based UI is replaced with a smoother authentication experience, similar to built-in Windows apps. diff --git a/docs/azure/sdk/includes/managed-identity-concepts.md b/docs/azure/sdk/includes/managed-identity-concepts.md deleted file mode 100644 index cf0a596178290..0000000000000 --- a/docs/azure/sdk/includes/managed-identity-concepts.md +++ /dev/null 
@@ -1,11 +0,0 @@ -## Essential managed identity concepts - -A managed identity enables your app to securely connect to other Azure resources without the use of secret keys or other application secrets. Internally, Azure tracks the identity and which resources it's allowed to connect to. Azure uses this information to automatically obtain Microsoft Entra tokens for the app to allow it to connect to other Azure resources. - -There are two types of managed identities to consider when configuring your hosted app: - -- **System-assigned** managed identities are enabled directly on an Azure resource and are tied to its life cycle. When the resource is deleted, Azure automatically deletes the identity for you. System-assigned identities provide a minimalistic approach to using managed identities. -- **User-assigned** managed identities are created as standalone Azure resources and offer greater flexibility and capabilities. They're ideal for solutions involving multiple Azure resources that need to share the same identity and permissions. For example, if multiple virtual machines need to access the same set of Azure resources, a user-assigned managed identity provides reusability and optimized management. - -> [!TIP] -> Learn more about selecting and managing system-assigned managed identities and user-assigned managed identities in the [Managed identity best practice recommendations](/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations) article.
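Review bot: In the `.openpublishing.publish.config.json` hunk, repointing the dependent repo from `azure-dev-docs-pr` to the public `azure-dev-docs` means every `~/azure-dev-docs/articles/includes/authentication/*.md` path referenced later in this diff (for example `broker-introduction.md`, `broker-configure-application.md`, `sign-in-visual-studio-code.md`) must already exist on that repo's `main` branch, because the mapping keeps `"branch": "main"` with an empty `"branch_mapping": {}`. A file missing there only fails at build time after merge, so confirm the include files have landed in the public repo before this is merged, or add a `branch_mapping` entry for the branch that carries them.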
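Review bot: In the `@@ -8,7 +8,7 @@` hunk of `get-started-app-chat-scaling-with-azure-container-apps.md` (and the five includes in the `@@ -28,15 +28,15 @@` hunk of the same file), the rewritten paths keep the doubled slash in `articles/ai/includes//scaling-load-balancer-...`. Since each of these lines is being touched anyway, normalize them to a single slash, e.g. `~/azure-dev-docs/articles/ai/includes/scaling-load-balancer-introduction-azure-container-apps.md`, so the include paths match the directory layout literally.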
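Review bot: In the `docs/ai/resources/azure-ai.md` hunk the include label still reads `include-file-from-azure-dev-docs-pr` while the path now points at `azure-dev-docs`; rename the label (for example `include-file-from-azure-dev-docs`) so it doesn't send the next maintainer looking in the private repo.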
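Review bot: In the first `local-development-broker.md` hunk two includes change file name as well as repo (`broker-intro.md` becomes `broker-introduction.md`, `broker-configure-app.md` becomes `broker-configure-application.md`), and the local originals are deleted further down in this same diff. Because the replacements live in another repo, this PR cannot show whether the security-relevant steps of the deleted `broker-configure-app.md` survived: the per-platform redirect URI table (`ms-appx-web://Microsoft.AAD.BrokerPlugin/{your_client_id}`, the two macOS `msauth` forms, the Linux `nativeclient` URI), the **Allow public client flows** = **Yes** step, and the IMPORTANT note that a tenant admin must grant consent at first sign-in. Please link the matching `azure-dev-docs` PR or paste the rendered include so a reviewer can check parity.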
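Review bot: In the `@@ -97,7 +97,7 @@` hunk of `local-development-broker.md` the only change is one leading space in front of the `:::code language="csharp" ... id="snippet_brokered_linux"` directive. A single space is not enough to nest the snippet under a preceding list item in Markdown, so either match the indentation used by the equivalent Windows and macOS snippets (not shown in this hunk) or drop the stray space; as written it looks accidental.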
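Review bot: In the `@@ -53,72 +53,19 @@` hunk of `local-development-dev-accounts.md`, the new include label `sign-in-azure-PowerShell` is the only one with mixed case (the others are `sign-in-visual-studio-code`, `sign-in-azure-cli`, `sign-in-azure-developer-cli`); use `sign-in-azure-powershell` to match its file name. Also, the deleted tab text carried the device-code fallbacks (`az login --use-device-code`, `azd auth login --use-device-code`, `Connect-AzAccount -UseDeviceAuthentication`) and the Azure PowerShell 5.0.0 requirement for browser-based sign-in; confirm the shared includes keep them, since they are exactly what developers in headless or remote sessions need.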
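Review bot: In the `@@ -133,10 +80,17 @@` hunk of `local-development-dev-accounts.md`, `dotnet add package` is replaced by the noun-first `dotnet package add`, which only newer .NET SDKs understand; state the minimum SDK version next to the command, or keep the `dotnet add package` form alongside it, so readers on an older SDK are not left with an unknown-command error. The added NOTE does restore the `Azure.Identity.Broker` requirement that the deleted Visual Studio Code tab used to carry, which is good, because without that package the `VisualStudioCodeCredential` path described in the removed text has no broker to talk to.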
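Review bot: In the `local-development-service-principal.md` hunk, three includes move to `~/azure-dev-docs/articles/includes/authentication/` but `[!INCLUDE [auth-set-environment-variables](../includes/auth-set-environment-variables.md)]` stays on the local path. That file is not deleted in this diff, so it still resolves, but if the intent is to consolidate the authentication includes, either move it too or leave a short comment on why it stays local.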
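Review bot: In the deleted `auth-create-app-registration.md`, two details should be checked in the shared `create-app-registration.md` that replaces it: the NOTE that the client secret value is displayed only once, and the CLI path, where `az ad sp create-for-rbac` prints the secret as `password` in plain JSON and the deleted text told readers to paste that output into a temporary file. The replacement should keep the one-time-display warning and add a reminder to delete that temporary file once the values are in environment variables, otherwise a working credential is left on disk in clear text.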
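Review bot: In the deleted `auth-create-entra-group.md`, the CLI tab explains that `az ad group member add --member-id` needs the service principal's object ID, which is different from the application (client) ID, and shows the `az ad sp list --query "[].{objectId:id, displayName:displayName}"` call to look it up; that is a common pitfall, so confirm the shared include keeps that distinction rather than just the command.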
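Review bot: In the deleted `broker-assign-roles.md`, the Blob Storage example names the role **Storage Account Data Contributor**, which does not follow the `Storage Blob Data ...` naming of the built-in blob data-plane roles (the data-plane role is **Storage Blob Data Contributor**); if the replacement in `azure-dev-docs` was copied from this file, fix the role name there. The same text cross-references the `user_impersonation` API permission as "step 6 in the previous section", which only stays correct if the new `broker-configure-application.md` keeps the API permissions step as step 6.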