fix: message

Author: santiagxf

articles/ai-foundry/model-inference/includes/configure-entra-id/about-credentials.md

@@ -0,0 +1,16 @@
+### Options for credential when using Microsoft Entra ID
+
+`DefaultAzureCredential` is an opinionated, ordered sequence of mechanisms for authenticating to Microsoft Entra ID. Each authentication mechanism is a class derived from the `TokenCredential` class and is known as a credential. At runtime, `DefaultAzureCredential` attempts to authenticate using the first credential. If that credential fails to acquire an access token, the next credential in the sequence is attempted, and so on, until an access token is successfully obtained. In this way, your app can use different credentials in different environments without writing environment-specific code.
+
+When the preceding code runs on your local development workstation, it looks in the environment variables for an application service principal or at locally installed developer tools, such as Visual Studio, for a set of developer credentials. Either approach can be used to authenticate the app to Azure resources during local development.
+
+When deployed to Azure, this same code can also authenticate your app to other Azure resources. `DefaultAzureCredential` can retrieve environment settings and managed identity configurations to authenticate to other services automatically.
+
+### Best practices
+
+* Use deterministic credentials in production environments: Strongly consider moving from `DefaultAzureCredential` to one of the following deterministic solutions on production environments:
+
+  * A specific `TokenCredential` implementation, such as `ManagedIdentityCredential`. See the [Derived list for options](/dotnet/api/azure.core.tokencredential#definition).
+  * A pared-down `ChainedTokenCredential` implementation optimized for the Azure environment in which your app runs. `ChainedTokenCredential` essentially creates a specific allow-list of acceptable credential options, such as `ManagedIdentity` for production and `VisualStudioCredential` for development.
+
+* If your application in running on Azure, configure system-assigned or user-assigned managed identities to the resources where your code is running and configure Microsoft Entra ID access to those specific identities. 

articles/ai-foundry/model-inference/includes/configure-entra-id/bicep.md

@@ -89,4 +89,19 @@ In your console, follow these steps:
       --template-file deploy-entra-id.bicep
     ```
 
-7. The template outputs the Azure AI model inference endpoint that you can use to consume any of the model deployments you have created.
+7. The template outputs the Azure AI model inference endpoint that you can use to consume any of the model deployments you have created.
+
+
+## Use Microsoft Entra ID in your code
+
+Once you configured Microsoft Entra ID in your resource, you need to update your code to use it when consuming the inference endpoint. The following example shows how to use a chat completions model:
+
+[!INCLUDE [code](../code-create-chat-client-entra.md)]
+
+[!INCLUDE [about-credentials](about-credentials.md)]
+
+
+
+## Disable key-based authentication in the resource
+
+Disabling key-based authentication is advisable when you implemented Microsoft Entra ID and fully addressed compatibility or fallback concerns in all the applications that consume the service.

articles/ai-foundry/model-inference/includes/configure-entra-id/cli.md

@@ -53,19 +53,19 @@ Follow these steps to configure Microsoft Entra ID for inference in you Azure AI
 
 5. Get the object ID of the security principal you want to assign permissions to. The following example shows how to get the object ID associated with:
     
-    __Your own logged in account__
+    __Your own logged in account:__
 
     ```azurecli
     OBJECT_ID=$(az ad signed-in-user show --query id --output tsv)
     ```
 
-    __A security group__
+    __A security group:__
 
     ```azurecli
     OBJECT_ID=$(az ad group show --group "<group-name>" --query id --output tsv)
     ```
 
-    __A service principal__
+    __A service principal:__
 
     ```azurecli
     OBJECT_ID=$(az ad sp show --id "<service-principal-guid>" --query id --output tsv)
@@ -87,4 +87,6 @@ Follow these steps to configure Microsoft Entra ID for inference in you Azure AI
 
 Once Microsoft Entra ID has been configured in your resource, you need to update your code to use it when consuming the inference endpoint. The following example shows how to use a chat completions model:
 
-[!INCLUDE [code](../code-create-chat-client-entra.md)]
+[!INCLUDE [code](../code-create-chat-client-entra.md)]
+
+[!INCLUDE [about-credentials](about-credentials.md)]

articles/ai-foundry/model-inference/includes/configure-entra-id/intro.md

@@ -1,6 +1,6 @@
 [!INCLUDE [Feature preview](../../../../ai-studio/includes/feature-preview.md)]
 
-Models deployed to Azure AI model inference in Azure AI Services support key-less authorization using Microsoft Entra ID. It enhances security, simplifies the user experience, reduces operational complexity, and provides robust compliance support for modern development. It makes it a strong choice for organizations adopting secure and scalable identity management solutions. You can configure Microsoft Entra ID authorization in the resource and, optionally, **disable key-based authentication** to prevent any user to still use keys to access the service.
+Models deployed to Azure AI model inference in Azure AI Services support key-less authorization using Microsoft Entra ID. Key-less authorization enhances security, simplifies the user experience, reduces operational complexity, and provides robust compliance support for modern development. It makes it a strong choice for organizations adopting secure and scalable identity management solutions.
 
 This article explains how to configure Microsoft Entra ID for inference in Azure AI model inference.
 
@@ -12,8 +12,9 @@ When you assign a role, you specify the security principal, the role definition,
 
 You identify two different types of access to the resources:
 
-* **Administration access**: The actions that are related with the administration of the resources. They usually change the state of the resource and its configuration. In Azure, those operations are control-plane operations and can be executed using the Azure portal, the Azure CLI, or with infrastructure as code. Examples of includes creating a new model deployments, changing content filtering configurations, changing the version of the model served, or changing SKU of a deployment.
-* **Developer access**: The actions that are related with the consumption of the resources. They consumes the capabilities of the resource. For example, invoking the chat completions API. However, the user can't change the state of the resource and its configuration.
+* **Administration access**: The actions that are related with the administration of the resource. They usually change the state of the resource and its configuration. In Azure, those operations are control-plane operations and can be executed using the Azure portal, the Azure CLI, or with infrastructure as code. Examples of includes creating a new model deployments, changing content filtering configurations, changing the version of the model served, or changing SKU of a deployment.
+
+* **Developer access**: The actions that are related with the consumption of the resources. For example, invoking the chat completions API. However, the user can't change the state of the resource and its configuration.
 
 In Azure, administration operations are always performed using Microsoft Entra ID. Roles like **Cognitive Services Contributor** allow you to perform those operations. On the other hand, developer operations can be performed using either access keys or/and Microsoft Entra ID. Roles like **Cognitive Services User** allow you to perform those operations.
 
@@ -30,4 +31,10 @@ To complete this article, you need:
 
 * An Azure AI services resource. For more information, see [Create an Azure AI Services resource](/articles/ai-foundry/model-inference/how-to/quickstart-create-resources).
 
-* Administrator roles for the scope of the Azure AI Services resource or the resource group.
+* An account with `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/roleAssignments/delete` permissions, such as the **Administrator** role-based access control.
+
+* To assign a role, you must specify three elements: 
+  
+  * Security principal: e.g. your user account.
+  * Role definition: the *Cognitive Services User* role.
+  * Scope: the Azure AI Services resource.

articles/ai-foundry/model-inference/includes/configure-entra-id/portal.md

@@ -55,10 +55,13 @@ Once you configured Microsoft Entra ID in your resource, you need to update your
 
 [!INCLUDE [code](../code-create-chat-client-entra.md)]
 
+[!INCLUDE [about-credentials](about-credentials.md)]
 
 ## Use Microsoft Entra ID in your project
 
-Even when your resource has Microsoft Entra ID configured, your projects may still be using keys to consume predictions from the resource. To change this behavior, you have to update the connections from your projects to use Microsoft Entra ID. Follow these steps:
+Even when your resource has Microsoft Entra ID configured, your projects may still be using keys to consume predictions from the resource. When using the Azure AI Foundry playground, the credentials associated with the connection your project has are used. 
+
+To change this behavior, you have to update the connections from your projects to use Microsoft Entra ID. Follow these steps:
 
 1. Go to [Azure AI Foundry portal](https://ai.azure.com).