freshness entra id configuration

Author: msakande

articles/ai-foundry/foundry-models/how-to/configure-entra-id.md

@@ -1,7 +1,7 @@
 ---
 title: Configure key-less authentication with Microsoft Entra ID
 titleSuffix: Azure AI Foundry
-description: Learn how to configure key-less authorization to use Azure AI Foundry Models with Microsoft Entra ID.
+description: Learn how to configure key-less authorization to use Azure AI Foundry Models with Microsoft Entra ID and enhance security.
 ms.service: azure-ai-foundry
 ms.subservice: azure-ai-foundry-model-inference
 ms.topic: how-to
@@ -13,6 +13,9 @@ recommendations: false
 zone_pivot_groups: azure-ai-models-deployment
 ms.reviewer: fasantia
 reviewer: santiagxf
+ai-usage: ai-assisted
+
+#CustomerIntent: As a developer, I want to configure keyless authentication with Microsoft Entra ID for Azure AI Foundry Models so that I can secure my AI model deployments without relying on API keys and leverage role-based access control for better security and compliance.
 ---
 
 # Configure key-less authentication with Microsoft Entra ID
@@ -29,6 +32,6 @@ reviewer: santiagxf
 [!INCLUDE [bicep](../../foundry-models/includes/configure-entra-id/bicep.md)]
 ::: zone-end
 
-## Next steps
+## Next step
 
 * [Develop applications using Azure AI Foundry Models](../../model-inference/supported-languages.md)

articles/ai-foundry/foundry-models/includes/configure-entra-id/bicep.md

@@ -4,7 +4,7 @@ author: santiagxf
 ms.author: fasantia 
 ms.service: azure-ai-foundry
 ms.subservice: azure-ai-foundry-model-inference
-ms.date: 12/15/2024
+ms.date: 08/29/2025
 ms.topic: include
 zone_pivot_groups: azure-ai-models-deployment
 ---
@@ -33,13 +33,13 @@ cd azureai-model-inference-bicep/infra
 
 ## Understand the resources
 
-The tutorial helps you create:
+In this tutorial, you create the following resources:
 
-> [!div class="checklist"]
-> * An Azure AI Foundry (formerly known Azure AI Services) resource with key access disabled. For simplicity, this template doesn't deploy models.
-> * A role-assignment for a given security principal with the role **Cognitive Services User**.
 
-You are using the following assets to create those resources:
+* An Azure AI Foundry (formerly known Azure AI Services) resource with key access disabled. For simplicity, this template doesn't deploy models.
+* A role-assignment for a given security principal with the role **Cognitive Services User**.
+
+To create these resources, use the following assets:
 
 1. Use the template `modules/ai-services-template.bicep` to describe your Azure AI Foundry (formerly known Azure AI Services) resource:
 
@@ -48,9 +48,9 @@ You are using the following assets to create those resources:
     :::code language="bicep" source="~/azureai-model-inference-bicep/infra/modules/ai-services-template.bicep":::
 
     > [!TIP]
-    > Notice that this template can take the parameter `allowKeys` which, when `false` will disable the use of keys in the resource. This configuration is optional.
+    > This template accepts the `allowKeys` parameter. Set it to `false` to disable key access in the resource. This configuration is optional.
 
-2. Use the template `modules/role-assignment-template.bicep` to describe a role assignment in Azure:
+1. Use the template `modules/role-assignment-template.bicep` to describe a role assignment in Azure:
 
     __modules/role-assignment-template.bicep__
 
@@ -66,36 +66,36 @@ In your console, follow these steps:
 
     :::code language="bicep" source="~/azureai-model-inference-bicep/infra/deploy-entra-id.bicep":::
 
-2. Log into Azure:
+1. Sign in to Azure:
 
     ```azurecli
     az login
     ```
 
-3. Ensure you are in the right subscription:
+1. Make sure you're in the right subscription:
 
     ```azurecli
     az account set --subscription "<subscription-id>"
     ```
 
-4. Run the deployment:
+1. Run the deployment:
 
     ```azurecli
     RESOURCE_GROUP="<resource-group-name>"
     SECURITY_PRINCIPAL_ID="<your-security-principal-id>"
     
     az deployment group create \
       --resource-group $RESOURCE_GROUP \
-      --securityPrincipalId $SECURITY_PRINCIPAL_ID
+      --parameters securityPrincipalId=$SECURITY_PRINCIPAL_ID \
       --template-file deploy-entra-id.bicep
     ```
 
-7. The template outputs the Azure AI Foundry Models endpoint that you can use to consume any of the model deployments you have created.
+1. The template outputs the Azure AI Foundry Models endpoint that you can use to consume any of the model deployments you created.
 
 
 ## Use Microsoft Entra ID in your code
 
-Once you configured Microsoft Entra ID in your resource, you need to update your code to use it when consuming the inference endpoint. The following example shows how to use a chat completions model:
+After you configure Microsoft Entra ID in your resource, update your code to use it when consuming the inference endpoint. The following example shows how to use a chat completions model:
 
 [!INCLUDE [code](../code-create-chat-client-entra.md)]
 
@@ -107,7 +107,7 @@ Once you configured Microsoft Entra ID in your resource, you need to update your
 
 ## Disable key-based authentication in the resource
 
-Disabling key-based authentication is advisable when you implemented Microsoft Entra ID and fully addressed compatibility or fallback concerns in all the applications that consume the service. You can achieve it by changing the property `disableLocalAuth`:
+We advise that you disable key-based authentication when you implement Microsoft Entra ID and fully address compatibility or fallback concerns in all the applications that consume the service. Change the `disableLocalAuth` property to disable key-based authentication:
 
 __modules/ai-services-template.bicep__
 

articles/ai-foundry/foundry-models/includes/configure-entra-id/cli.md

@@ -4,7 +4,7 @@ author: santiagxf
 ms.author: fasantia 
 ms.service: azure-ai-foundry
 ms.subservice: azure-ai-foundry-model-inference
-ms.date: 12/15/2024
+ms.date: 08/29/2025
 ms.topic: include
 zone_pivot_groups: azure-ai-models-deployment
 ---
@@ -19,74 +19,74 @@ zone_pivot_groups: azure-ai-models-deployment
 
   * Your Azure AI Foundry (formerly known Azure AI Services) resource name.
 
-  * The resource group where the Azure AI Foundry (formerly known Azure AI Services) resource is deployed.
+  * The resource group where you deployed the Azure AI Foundry resource (formerly known Azure AI Services resource).
 
 
 ## Configure Microsoft Entra ID for inference
 
 Follow these steps to configure Microsoft Entra ID for inference:
 
 
-1. Log in into your Azure subscription:
+1. Sign in to your Azure subscription:
 
     ```azurecli
     az login
     ```
 
-2. If you have more than one subscription, select the subscription where your resource is located:
+1. If you have more than one subscription, select the subscription where your resource is located:
 
     ```azurecli
     az account set --subscription "<subscription-id>"
     ```
 
-3. Set the following environment variables with the name of the Azure AI Foundry (formerly known Azure AI Services) resource you plan to use and resource group.
+1. Set the following environment variables with the name of the Azure AI Foundry (formerly known Azure AI Services) resource you plan to use and resource group.
 
     ```azurecli
     ACCOUNT_NAME="<ai-services-resource-name>"
     RESOURCE_GROUP="<resource-group>"
     ```
 
-4. Get the full name of your resource:
+1. Get the full name of your resource:
 
     ```azurecli
-    RESOURCE_ID=$(az resource show -g $RESOURCE_GROUP -n $ACCOUNT_NAME --resource-type "Microsoft.CognitiveServices/accounts")
+    RESOURCE_ID=$(az resource show -g $RESOURCE_GROUP -n $ACCOUNT_NAME --resource-type "Microsoft.CognitiveServices/accounts" --query id --output tsv)
     ```
 
-5. Get the object ID of the security principal you want to assign permissions to. The following example shows how to get the object ID associated with:
+1. Get the object ID of the security principal you want to assign permissions to. The following example shows how to get the object ID associated with:
     
-    __Your own logged in account:__
+    **Your own signed in account:**
 
     ```azurecli
     OBJECT_ID=$(az ad signed-in-user show --query id --output tsv)
     ```
 
-    __A security group:__
+    **A security group:**
 
     ```azurecli
     OBJECT_ID=$(az ad group show --group "<group-name>" --query id --output tsv)
     ```
 
-    __A service principal:__
+    **A service principal:**
 
     ```azurecli
     OBJECT_ID=$(az ad sp show --id "<service-principal-guid>" --query id --output tsv)
     ```
     
-6. Assign the **Cognitive Services User** role to the service principal (scoped to the resource). By assigning a role, you're granting service principal access to this resource.
+1. Assign the **Cognitive Services User** role to the service principal (scoped to the resource). By assigning a role, you grant the service principal access to this resource.
 
     ```azurecli
     az role assignment create --assignee-object-id $OBJECT_ID --role "Cognitive Services User" --scope $RESOURCE_ID
     ```
 
-8.  The selected user can now use Microsoft Entra ID for inference.
+1. The selected user can now use Microsoft Entra ID for inference.
 
     > [!TIP]
-    > Keep in mind that Azure role assignments may take up to five minutes to propagate. Adding or removing users from a security group propagates immediately.
+    > Keep in mind that Azure role assignments can take up to five minutes to propagate. Adding or removing users from a security group propagates immediately.
 
 
 ## Use Microsoft Entra ID in your code
 
-Once Microsoft Entra ID is configured in your resource, you need to update your code to use it when consuming the inference endpoint. The following example shows how to use a chat completions model:
+After you configure Microsoft Entra ID in your resource, update your code to use it when consuming the inference endpoint. The following example shows how to use a chat completions model:
 
 [!INCLUDE [code](../code-create-chat-client-entra.md)]
 

articles/ai-foundry/foundry-models/includes/configure-entra-id/intro.md

@@ -4,17 +4,17 @@ author: santiagxf
 ms.author: fasantia 
 ms.service: azure-ai-foundry
 ms.subservice: azure-ai-foundry-model-inference
-ms.date: 01/23/2025
+ms.date: 08/29/2025
 ms.topic: include
 ---
 
-Azure AI Foundry Models support key-less authorization using Microsoft Entra ID. Key-less authorization enhances security, simplifies the user experience, reduces operational complexity, and provides robust compliance support for modern development. It makes it a strong choice for organizations adopting secure and scalable identity management solutions.
+Azure AI Foundry Models support keyless authorization with Microsoft Entra ID. Keyless authorization enhances security, simplifies the user experience, reduces operational complexity, and provides robust compliance support for modern development. Keyless authorization is a strong choice for organizations adopting secure and scalable identity management solutions.
 
 This article explains how to configure Microsoft Entra ID for inference in Azure AI Foundry Models.
 
 ## Understand roles in the context of resource in Azure
 
-Microsoft Entra ID uses the idea of Role-based Access Control (RBAC) for authorization. Roles are central to managing access to your cloud resources. A role is essentially a collection of permissions that define what actions can be performed on specific Azure resources. By assigning roles to users, groups, service principals, or managed identities—collectively known as security principals—you control their access within your Azure environment to specific resources.
+Microsoft Entra ID uses the idea of role-based access control (RBAC) for authorization. Roles are central to managing access to your cloud resources. A role is essentially a collection of permissions that define what actions can be performed on specific Azure resources. By assigning roles to users, groups, service principals, or managed identities—collectively known as security principals—you control their access within your Azure environment to specific resources.
 
 When you assign a role, you specify the security principal, the role definition, and the scope. This combination is known as a role assignment. Azure AI Foundry Models is a capability of the Azure AI Services resources, and hence, roles assigned to that particular resource control the access for inference.
 
@@ -27,9 +27,8 @@ You identify two different types of access to the resources:
 In Azure, administration operations are always performed using Microsoft Entra ID. Roles like **Cognitive Services Contributor** allow you to perform those operations. On the other hand, developer operations can be performed using either access keys or/and Microsoft Entra ID. Roles like **Cognitive Services User** allow you to perform those operations.
 
 > [!IMPORTANT]
-> Having administration access to a resource doesn't necessarily grants developer access to it. Explicit access by granting roles is still required. It's analogous to how database servers work. Having administrator access to the database server doesn't mean you can read the data inside of a database.
+> Having administration access to a resource doesn't necessarily grant developer access to it. Explicit access by granting roles is still required. It's analogous to how database servers work. Having administrator access to the database server doesn't mean you can read the data inside of a database.
 
-Follow these steps to configure developer access to Azure AI Foundry Models for inference.
 
 ## Prerequisites
 
@@ -41,11 +40,11 @@ To complete this article, you need:
 
 * To assign a role, you must specify three elements: 
 
-  * Security principal: e.g. your user account.
+  * Security principal: your user account.
   * Role definition: the *Cognitive Services User* role.
   * Scope: the Azure AI Services resource.
 
-* If you want to create a custom role definition instead of using *Cognitive Services User* role, ensure the role has the following permissions:
+* If you want to create a custom role definition instead of using the *Cognitive Services User* role, ensure the role has the following permissions:
 
   ```json
   {