Merge pull request #6854 from msakande/freshness-configure-entra-id

freshness entra id configuration

Author: v-dirichards

articles/ai-foundry/foundry-models/how-to/configure-entra-id.md

@@ -1,18 +1,21 @@
 ---
 title: Configure key-less authentication with Microsoft Entra ID
 titleSuffix: Azure AI Foundry
-description: Learn how to configure key-less authorization to use Azure AI Foundry Models with Microsoft Entra ID.
+description: Learn how to configure key-less authorization to use Azure AI Foundry Models with Microsoft Entra ID and enhance security.
 ms.service: azure-ai-foundry
 ms.subservice: azure-ai-foundry-model-inference
 ms.topic: how-to
-ms.date: 08/29/2025
+ms.date: 09/26/2025
 ms.custom: ignite-2024, github-universe-2024
 author: msakande
 ms.author: mopeakande
 recommendations: false
 zone_pivot_groups: azure-ai-models-deployment
 ms.reviewer: fasantia
 reviewer: santiagxf
+ai-usage: ai-assisted
+
+#CustomerIntent: As a developer, I want to configure keyless authentication with Microsoft Entra ID for Azure AI Foundry Models so that I can secure my AI model deployments without relying on API keys and leverage role-based access control for better security and compliance.
 ---
 
 # Configure key-less authentication with Microsoft Entra ID
@@ -29,6 +32,6 @@ reviewer: santiagxf
 [!INCLUDE [bicep](../../foundry-models/includes/configure-entra-id/bicep.md)]
 ::: zone-end
 
-## Next steps
+## Next step
 
 * [Develop applications using Azure AI Foundry Models](../../model-inference/supported-languages.md)

articles/ai-foundry/foundry-models/includes/code-create-chat-client-entra.md

@@ -3,20 +3,20 @@ manager: nitinme
 ms.service: azure-ai-foundry
 ms.subservice: azure-ai-foundry-model-inference
 ms.topic: include
-ms.date: 1/21/2025
+ms.date: 09/26/2025
 ms.author: fasantia
 author: santiagxf
 ---
 
 # [Python](#tab/python)
 
-Install the package `azure-ai-inference` using your package manager, like pip:
+Install the `azure-ai-inference` package, using a package manager like pip:
 
 ```bash
 pip install azure-ai-inference
 ```
 
-Then, you can use the package to consume the model. The following example shows how to create a client to consume chat completions with Entra ID:
+Then, use the package to consume the model. The following example shows how to create a client to consume chat completions with Microsoft Entra ID:
 
 ```python
 import os
@@ -32,13 +32,13 @@ client = ChatCompletionsClient(
 
 # [JavaScript](#tab/javascript)
 
-Install the package `@azure-rest/ai-inference` using npm:
+Install the `@azure-rest/ai-inference` package with npm:
 
 ```bash
 npm install @azure-rest/ai-inference
 ```
 
-Then, you can use the package to consume the model. The following example shows how to create a client to consume chat completions with Entra ID:
+Then, use the package to consume the model. The following example shows how to create a client to consume chat completions with Microsoft Entra ID:
 
 ```javascript
 import ModelClient from "@azure-rest/ai-inference";
@@ -76,7 +76,7 @@ using Azure.Identity;
 using Azure.AI.Inference;
 ```
 
-Then, you can use the package to consume the model. The following example shows how to create a client to consume chat completions with Entra ID:
+Then, use the package to consume the model. The following example shows how to create a client to consume chat completions with Microsoft Entra ID:
 
 ```csharp
 TokenCredential credential = new DefaultAzureCredential();
@@ -108,7 +108,7 @@ Add the package to your project:
 </dependency>
 ```
 
-Then, you can use the package to consume the model. The following example shows how to create a client to consume chat completions:
+Then, use the package to consume the model. The following example shows how to create a client to consume chat completions:
 
 ```java
 TokenCredential defaultCredential = new DefaultAzureCredentialBuilder().build();
@@ -118,11 +118,11 @@ ChatCompletionsClient client = new ChatCompletionsClientBuilder()
     .buildClient();
 ```
 
-Explore our [samples](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/ai/azure-ai-inference/src/samples) and read the [API reference documentation](https://aka.ms/azsdk/azure-ai-inference/java/reference) to get yourself started.
+Explore our [samples](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/ai/azure-ai-inference/src/samples) and read the [API reference documentation](https://aka.ms/azsdk/azure-ai-inference/java/reference) to get started.
 
 # [REST](#tab/rest)
 
-Use the reference section to explore the API design and which parameters are available and indicate authentication token in the header `Authorization`. For example, the reference section for [Chat completions](../../model-inference/reference/reference-model-inference-chat-completions.md) details how to use the route `/chat/completions` to generate predictions based on chat-formatted instructions. Notice that the path `/models` is included to the root of the URL:
+Use the reference section to explore the API design and see which parameters are available. Indicate the authentication token in the header `Authorization`. For example, the reference section for [Chat completions](../../model-inference/reference/reference-model-inference-chat-completions.md) details how to use the route `/chat/completions` to generate predictions based on chat-formatted instructions. The path `/models` is included in the root of the URL:
 
 __Request__
 
@@ -132,7 +132,7 @@ Authorization: Bearer <bearer-token>
 Content-Type: application/json
 ```
 
-Tokens have to be issued with scope `https://cognitiveservices.azure.com/.default`.
+Tokens must be issued with scope `https://cognitiveservices.azure.com/.default`.
 
 For testing purposes, the easiest way to get a valid token for your user account is to use the Azure CLI. In a console, run the following Azure CLI command:
 

articles/ai-foundry/foundry-models/includes/configure-entra-id/about-credentials.md

@@ -4,15 +4,15 @@ author: santiagxf
 ms.author: fasantia 
 ms.service: azure-ai-foundry
 ms.subservice: azure-ai-foundry-model-inference
-ms.date: 01/23/2025
+ms.date: 09/26/2025
 ms.topic: include
 ---
 
 ### Options for credential when using Microsoft Entra ID
 
-`DefaultAzureCredential` is an opinionated, ordered sequence of mechanisms for authenticating to Microsoft Entra ID. Each authentication mechanism is a class derived from the `TokenCredential` class and is known as a credential. At runtime, `DefaultAzureCredential` attempts to authenticate using the first credential. If that credential fails to acquire an access token, the next credential in the sequence is attempted, and so on, until an access token is successfully obtained. In this way, your app can use different credentials in different environments without writing environment-specific code.
+`DefaultAzureCredential` is an opinionated, ordered sequence of mechanisms for authenticating to Microsoft Entra ID. Each authentication mechanism is a class derived from the `TokenCredential` class and is known as a credential. At runtime, `DefaultAzureCredential` attempts to authenticate by using the first credential. If that credential fails to acquire an access token, the next credential in the sequence is attempted, and so on, until an access token is successfully obtained. In this way, your app can use different credentials in different environments without writing environment-specific code.
 
-When the preceding code runs on your local development workstation, it looks in the environment variables for an application service principal or at locally installed developer tools, such as Visual Studio, for a set of developer credentials. Either approach can be used to authenticate the app to Azure resources during local development.
+When the preceding code runs on your local development workstation, it looks in the environment variables for an application service principal or at locally installed developer tools, such as Visual Studio, for a set of developer credentials. You can use either approach to authenticate the app to Azure resources during local development.
 
 When deployed to Azure, this same code can also authenticate your app to other Azure resources. `DefaultAzureCredential` can retrieve environment settings and managed identity configurations to authenticate to other services automatically.
 

articles/ai-foundry/foundry-models/includes/configure-entra-id/bicep.md

@@ -4,7 +4,7 @@ author: santiagxf
 ms.author: fasantia 
 ms.service: azure-ai-foundry
 ms.subservice: azure-ai-foundry-model-inference
-ms.date: 12/15/2024
+ms.date: 09/26/2025
 ms.topic: include
 zone_pivot_groups: azure-ai-models-deployment
 ---
@@ -19,7 +19,7 @@ zone_pivot_groups: azure-ai-models-deployment
 
 ## About this tutorial
 
-The example in this article is based on code samples contained in the [Azure-Samples/azureai-model-inference-bicep](https://github.com/Azure-Samples/azureai-model-inference-bicep) repository. To run the commands locally without having to copy or paste file content, use the following commands to clone the repository and go to the folder for your coding language:
+The example in this article is based on code samples in the [Azure-Samples/azureai-model-inference-bicep](https://github.com/Azure-Samples/azureai-model-inference-bicep) repository. To run the commands locally without copying or pasting file content, use the following commands to clone the repository and go to the folder for your coding language:
 
 ```azurecli
 git clone https://github.com/Azure-Samples/azureai-model-inference-bicep
@@ -33,24 +33,24 @@ cd azureai-model-inference-bicep/infra
 
 ## Understand the resources
 
-The tutorial helps you create:
+In this tutorial, you create the following resources:
 
-> [!div class="checklist"]
-> * An Azure AI Foundry (formerly known Azure AI Services) resource with key access disabled. For simplicity, this template doesn't deploy models.
-> * A role-assignment for a given security principal with the role **Cognitive Services User**.
 
-You are using the following assets to create those resources:
+* An Azure AI Foundry resource (formerly known as Azure AI Services resource) with key access disabled. For simplicity, this template doesn't deploy models.
+* A role-assignment for a given security principal with the role **Cognitive Services User**.
 
-1. Use the template `modules/ai-services-template.bicep` to describe your Azure AI Foundry (formerly known Azure AI Services) resource:
+To create these resources, use the following assets:
+
+1. Use the template `modules/ai-services-template.bicep` to describe your Azure AI Foundry resource:
 
     __modules/ai-services-template.bicep__
 
     :::code language="bicep" source="~/azureai-model-inference-bicep/infra/modules/ai-services-template.bicep":::
 
     > [!TIP]
-    > Notice that this template can take the parameter `allowKeys` which, when `false` will disable the use of keys in the resource. This configuration is optional.
+    > This template accepts the `allowKeys` parameter. Set it to `false` to disable key access in the resource. This configuration is optional.
 
-2. Use the template `modules/role-assignment-template.bicep` to describe a role assignment in Azure:
+1. Use the template `modules/role-assignment-template.bicep` to describe a role assignment in Azure:
 
     __modules/role-assignment-template.bicep__
 
@@ -66,36 +66,36 @@ In your console, follow these steps:
 
     :::code language="bicep" source="~/azureai-model-inference-bicep/infra/deploy-entra-id.bicep":::
 
-2. Log into Azure:
+1. Sign in to Azure:
 
     ```azurecli
     az login
     ```
 
-3. Ensure you are in the right subscription:
+1. Make sure you're in the right subscription:
 
     ```azurecli
     az account set --subscription "<subscription-id>"
     ```
 
-4. Run the deployment:
+1. Run the deployment:
 
     ```azurecli
     RESOURCE_GROUP="<resource-group-name>"
     SECURITY_PRINCIPAL_ID="<your-security-principal-id>"
     
     az deployment group create \
       --resource-group $RESOURCE_GROUP \
-      --securityPrincipalId $SECURITY_PRINCIPAL_ID
+      --parameters securityPrincipalId=$SECURITY_PRINCIPAL_ID \
       --template-file deploy-entra-id.bicep
     ```
 
-7. The template outputs the Azure AI Foundry Models endpoint that you can use to consume any of the model deployments you have created.
+1. The template outputs the Azure AI Foundry Models endpoint that you can use to consume any of the model deployments you created.
 
 
 ## Use Microsoft Entra ID in your code
 
-Once you configured Microsoft Entra ID in your resource, you need to update your code to use it when consuming the inference endpoint. The following example shows how to use a chat completions model:
+After you configure Microsoft Entra ID in your resource, update your code to use it when consuming the inference endpoint. The following example shows how to use a chat completions model:
 
 [!INCLUDE [code](../code-create-chat-client-entra.md)]
 
@@ -107,7 +107,7 @@ Once you configured Microsoft Entra ID in your resource, you need to update your
 
 ## Disable key-based authentication in the resource
 
-Disabling key-based authentication is advisable when you implemented Microsoft Entra ID and fully addressed compatibility or fallback concerns in all the applications that consume the service. You can achieve it by changing the property `disableLocalAuth`:
+Disable key-based authentication when you implement Microsoft Entra ID and fully address compatibility or fallback concerns in all the applications that consume the service. Change the `disableLocalAuth` property to disable key-based authentication:
 
 __modules/ai-services-template.bicep__
 

articles/ai-foundry/foundry-models/includes/configure-entra-id/cli.md

@@ -4,7 +4,7 @@ author: santiagxf
 ms.author: fasantia 
 ms.service: azure-ai-foundry
 ms.subservice: azure-ai-foundry-model-inference
-ms.date: 12/15/2024
+ms.date: 09/26/2025
 ms.topic: include
 zone_pivot_groups: azure-ai-models-deployment
 ---
@@ -17,76 +17,76 @@ zone_pivot_groups: azure-ai-models-deployment
 
   * Your Azure subscription ID.
 
-  * Your Azure AI Foundry (formerly known Azure AI Services) resource name.
+  * Your Azure AI Foundry resource (formerly known as Azure AI Services resource) name.
 
-  * The resource group where the Azure AI Foundry (formerly known Azure AI Services) resource is deployed.
+  * The resource group where you deployed the Azure AI Foundry resource.
 
 
 ## Configure Microsoft Entra ID for inference
 
 Follow these steps to configure Microsoft Entra ID for inference:
 
 
-1. Log in into your Azure subscription:
+1. Sign in to your Azure subscription.
 
     ```azurecli
     az login
     ```
 
-2. If you have more than one subscription, select the subscription where your resource is located:
+1. If you have more than one subscription, select the subscription where your resource is located.
 
     ```azurecli
     az account set --subscription "<subscription-id>"
     ```
 
-3. Set the following environment variables with the name of the Azure AI Foundry (formerly known Azure AI Services) resource you plan to use and resource group.
+1. Set the following environment variables with the name of the Azure AI Foundry resource you plan to use and resource group.
 
     ```azurecli
     ACCOUNT_NAME="<ai-services-resource-name>"
     RESOURCE_GROUP="<resource-group>"
     ```
 
-4. Get the full name of your resource:
+1. Get the full name of your resource.
 
     ```azurecli
-    RESOURCE_ID=$(az resource show -g $RESOURCE_GROUP -n $ACCOUNT_NAME --resource-type "Microsoft.CognitiveServices/accounts")
+    RESOURCE_ID=$(az resource show -g $RESOURCE_GROUP -n $ACCOUNT_NAME --resource-type "Microsoft.CognitiveServices/accounts" --query id --output tsv)
     ```
 
-5. Get the object ID of the security principal you want to assign permissions to. The following example shows how to get the object ID associated with:
+1. Get the object ID of the security principal you want to assign permissions to. The following example shows how to get the object ID associated with:
     
-    __Your own logged in account:__
+    **Your own signed in account:**
 
     ```azurecli
     OBJECT_ID=$(az ad signed-in-user show --query id --output tsv)
     ```
 
-    __A security group:__
+    **A security group:**
 
     ```azurecli
     OBJECT_ID=$(az ad group show --group "<group-name>" --query id --output tsv)
     ```
 
-    __A service principal:__
+    **A service principal:**
 
     ```azurecli
     OBJECT_ID=$(az ad sp show --id "<service-principal-guid>" --query id --output tsv)
     ```
     
-6. Assign the **Cognitive Services User** role to the service principal (scoped to the resource). By assigning a role, you're granting service principal access to this resource.
+1. Assign the **Cognitive Services User** role to the service principal (scoped to the resource). By assigning a role, you grant the service principal access to this resource.
 
     ```azurecli
     az role assignment create --assignee-object-id $OBJECT_ID --role "Cognitive Services User" --scope $RESOURCE_ID
     ```
 
-8.  The selected user can now use Microsoft Entra ID for inference.
+1. The selected user can now use Microsoft Entra ID for inference.
 
     > [!TIP]
-    > Keep in mind that Azure role assignments may take up to five minutes to propagate. Adding or removing users from a security group propagates immediately.
+    > Keep in mind that Azure role assignments can take up to five minutes to propagate. Adding or removing users from a security group propagates immediately.
 
 
 ## Use Microsoft Entra ID in your code
 
-Once Microsoft Entra ID is configured in your resource, you need to update your code to use it when consuming the inference endpoint. The following example shows how to use a chat completions model:
+After you configure Microsoft Entra ID in your resource, update your code to use it when consuming the inference endpoint. The following example shows how to use a chat completions model:
 
 [!INCLUDE [code](../code-create-chat-client-entra.md)]