
Commit a292935

Correct user-assigned managed identity
1 parent a4f64e1 commit a292935

6 files changed (+40, -26 lines)

articles/search/search-how-to-create-search-index.md

Lines changed: 6 additions & 6 deletions
@@ -8,7 +8,7 @@ ms.author: heidist
88
ms.service: azure-ai-search
99
ms.update-cycle: 180-days
1010
ms.topic: how-to
11-
ms.date: 05/19/2025
11+
ms.date: 08/07/2025
1212
---
1313

1414
# Create an index in Azure AI Search
@@ -53,7 +53,7 @@ Use this checklist to assist the design decisions for your search index.
5353

5454
1. Review [supported data types](/rest/api/searchservice/supported-data-types). The data type affects how the field is used. For example, numeric content is filterable but not full text searchable. The most common data type is `Edm.String` for searchable text, which is tokenized and queried using the full text search engine. The most common data type for a vector field is `Edm.Single` but you can use other types as well.
5555

56-
1. Provide a description of the index (preview), 4,000 character maximum. This human-readable text is invaluable when a system must access several indexes and make a decision based on the description. Consider a Model Context Protocol (MCP) server that must pick the correct index at run time. The decision can be based on the description rather than on index name alone. An index Description field is available in the [2025-05-01-preview REST API](/rest/api/searchservice/indexes/create-or-update?view=rest-searchservice-2025-05-01-preview&preserve-view=true), the Azure portal, or a prerelease package of an Azure SDK that provides the feature. For more information, see [Add an index description](search-howto-reindex.md#add-an-index-description-preview).
56+
1. Provide a description of the index (preview), 4,000 character maximum. This human-readable text is invaluable when a system must access several indexes and make a decision based on the description. Consider a Model Context Protocol (MCP) server that must pick the correct index at run time. The decision can be based on the description rather than on index name alone. An index Description field is available in the [2025-05-01-preview REST API](/rest/api/searchservice/indexes/create-or-update?view=rest-searchservice-2025-05-01-preview&preserve-view=true), the Azure portal, or a preview package of an Azure SDK that provides the feature. For more information, see [Add an index description](search-howto-reindex.md#add-an-index-description-preview).
5757

5858
1. Identify a [document key](#document-keys). A document key is an index requirement. It's a single string field populated from a source data field that contains unique values. For example, if you're indexing from Blob Storage, the metadata storage path is often used as the document key because it uniquely identifies each blob in the container.
5959

@@ -277,12 +277,12 @@ To minimize churn in the design process, the following table describes which ele
277277
| Field attribute (retrievable) | Yes |
278278
| Stored (applies to vectors) | No |
279279
| [Analyzer](search-analyzers.md) | You can add and modify custom analyzers in the index. Regarding analyzer assignments on string fields, you can only modify `searchAnalyzer`. All other assignments and modifications require a rebuild. |
280-
| [Scoring profiles](index-add-scoring-profiles.md) | Yes |
280+
| [Scoring profiles](index-add-scoring-profiles.md) | Yes, you can create and edit scoring profiles with no rebuild. |
281281
| [Suggesters](index-add-suggesters.md) | No |
282282
| [cross-origin resource sharing (CORS)](#corsoptions) | Yes |
283-
| [Encryption](search-security-manage-encryption-keys.md) | Yes |
284-
| [Synonym maps](search-synonyms.md) | Yes |
285-
| [Semantic configuration](semantic-how-to-configure.md) | Yes |
283+
| [Encryption](search-security-manage-encryption-keys.md) | Yes, you can update all parts of an *existing* encryption definition. |
284+
| [Synonym maps](search-synonyms.md) | Yes, you can create and edit synonym maps with no rebuild. |
285+
| [Semantic configuration](semantic-how-to-configure.md) | Yes, you can create and edit semantic configurations with no rebuild. |
286286

287287
## Next steps
288288

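Review bot: The rewritten Encryption row (line 283, "Yes, you can update all parts of an *existing* encryption definition") omits the constraint this same commit adds to search-security-manage-encryption-keys.md, namely that the replacement key vault or Managed HSM must be in the same tenant; a reader planning a key-vault switch from this table alone will not see it. Suggest `| [Encryption](search-security-manage-encryption-keys.md) | Yes, you can update all parts of an *existing* encryption definition, as long as the new key vault or Managed HSM is in the same tenant. |`. The expanded Scoring profiles, Synonym maps and Semantic configuration rows (lines 280, 284, 285) read consistently and are fine.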
articles/search/search-howto-managed-identities-cosmos-db.md

Lines changed: 7 additions & 7 deletions
@@ -6,7 +6,7 @@ author: arv100kri
66
ms.author: arjagann
77
ms.service: azure-ai-search
88
ms.topic: how-to
9-
ms.date: 01/06/2025
9+
ms.date: 08/07/2025
1010
ms.custom:
1111
- subject-rbac-steps
1212
- ignite-2023
@@ -31,7 +31,7 @@ Azure AI Search supports two mechanisms to connect to Azure Cosmos DB using mana
3131

3232
* The _modern_ approach requires configuring the managed identity appropriate roles on the control and data plane of the target Azure Cosmos DB account. Azure AI Search will then request an access token to access the data in the Cosmos DB account. This approach works even if the Cosmos DB account has `"disableLocalAuth": true`.
3333

34-
Indexers that connect to Azure Cosmos DB for NoSQL support both the _legacy_ and the _modern_ approach - the _modern_ approach is highly recommended.
34+
Indexers that connect to Azure Cosmos DB for NoSQL support both the _legacy_ and the _modern_ approach - the _modern_ approach is recommended.
3535

3636
## Limitations
3737

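Review bot: Softening "highly recommended" to "recommended" on line 34 drops the emphasis without giving the reader a reason to prefer the modern approach, even though the bullet on line 32 already states it (token-based access that keeps working when the account has `"disableLocalAuth": true`). Consider carrying that rationale into the sentence, e.g. `the _modern_ approach is recommended because it uses token-based access and works when local authentication is disabled on the account.`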
@@ -104,7 +104,7 @@ When you're connecting with a system-assigned managed identity, the only change
104104
Here's an example using the [Create Data Source](/rest/api/searchservice/data-sources/create) REST API that exercises the _modern_ approach.
105105

106106
```http
107-
POST https://[service name].search.windows.net/datasources?api-version=2024-11-01-preview
107+
POST https://[service name].search.windows.net/datasources?api-version=2024-07-01
108108
{
109109
"name": "my-cosmosdb-ds",
110110
"type": "cosmosdb",
@@ -118,14 +118,14 @@ POST https://[service name].search.windows.net/datasources?api-version=2024-11-0
118118
>[!NOTE]
119119
> If the `IdentityAuthType` property isn't part of the connection string, then Azure AI Search defaults to the _legacy_ approach to ensure backward compatibility.
120120
121-
#### Connect through user-assigned identity
121+
#### Connect through user-assigned identity (preview)
122122

123123
You need to add an "identity" property to the data source definition, where you specify the specific identity (out of several that can be assigned to the search service), that will be used to connect to the Azure Cosmos DB account.
124124

125125
Here's an example using user-assigned identity via the _modern_ approach.
126126

127127
```http
128-
POST https://[service name].search.windows.net/datasources?api-version=2024-11-01-preview
128+
POST https://[service name].search.windows.net/datasources?api-version=2025-05-01-preview
129129
{
130130
"name": "[my-cosmosdb-ds]",
131131
"type": "cosmosdb",
@@ -157,7 +157,7 @@ Follow the same steps as before to assign the appropriate roles on the control p
157157
Here's an example to connect to MongoDB collections using system-assigned identity via the REST API
158158

159159
```http
160-
POST https://[service name].search.windows.net/datasources?api-version=2024-11-01-preview
160+
POST https://[service name].search.windows.net/datasources?api-version=2025-05-01-preview
161161
{
162162
"name": "my-cosmosdb-ds",
163163
"type": "cosmosdb",
@@ -172,7 +172,7 @@ POST https://[service name].search.windows.net/datasources?api-version=2024-11-0
172172
Here's an example to connect to Gremlin graphs using user-assigned identity.
173173

174174
```http
175-
POST https://[service name].search.windows.net/datasources?api-version=2024-11-01-preview
175+
POST https://[service name].search.windows.net/datasources?api-version=2025-05-01-preview
176176
{
177177
"name": "[my-cosmosdb-ds]",
178178
"type": "cosmosdb",

articles/search/search-howto-managed-identities-data-sources.md

Lines changed: 16 additions & 9 deletions
@@ -7,7 +7,7 @@ author: HeidiSteen
77
ms.author: heidist
88
ms.service: azure-ai-search
99
ms.topic: how-to
10-
ms.date: 07/31/2025
10+
ms.date: 08/07/2025
1111
ms.custom:
1212
- ignite-2023
1313
- build-2024
@@ -32,9 +32,9 @@ Azure AI Search can connect to other Azure resources under its system-assigned m
3232

3333
+ Search service configuration of a managed identity, whether system-assigned or user-assigned, is generally available.
3434

35-
+ Data plane usage of a managed identity, whether system-assigned or user-assigned, is generally available. For example, if you want a user-assigned managed identity on an indexer data source connection, key vault, debug session, or enrichment cache, you can use a generally available REST API version to create the connection, assuming the feature you're using is also generally available.
35+
+ Data plane usage of a managed identity, whether system-assigned or user-assigned, is generally available for role assignments.
3636

37-
A system managed identity is indicated when a connection string is the unique resource ID of a Microsoft Entra ID-aware service or application. A user-assigned managed identity is specified through an "identity" property.
37+
+ Data plane connections via indexer data sources, such as to Azure Storage or Cosmos DB, can use either a system-assigned or user-assigned managed identity, but only system-assigned is generally available. A user identity is defined using the [SearchIndexerDataUserAssignedIdentity](/rest/api/searchservice/data-sources/create-or-update?view=rest-searchservice-2025-05-01-preview&preserve-view=true#searchindexerdatauserassignedidentity) API, which is currently in preview.
3838

3939
A search service uses Azure Storage as an indexer data source and as a data sink for debug sessions, enrichment caching, and knowledge store. For search features that write back to storage, the managed identity needs a contributor role assignment as described in the ["Assign a role"](#assign-a-role) section.
4040

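Review bot: The rewritten bullet on line 35 ("generally available for role assignments") is ambiguous: a role assignment is configured on the target resource's control plane, so calling it "data plane usage" is confusing next to the new bullet on line 37, which is the one that actually describes data plane connections and states that only system-assigned is generally available there. Suggest either dropping the "for role assignments" qualifier and letting line 37 carry the GA/preview distinction, or spelling out what "for role assignments" is meant to cover. The link to SearchIndexerDataUserAssignedIdentity on line 37 is a good addition.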
@@ -129,15 +129,17 @@ A user-assigned managed identity is an Azure resource that can be scoped to subs
129129

130130
The steps are as follows:
131131

132-
1. In your Azure subscription, create a user-assigned managed identity.
132+
+ In your Azure subscription, create a user-assigned managed identity.
133133

134-
1. On your search service, update the service definition to enable the user-assigned managed identity.
134+
+ On your search service, update the service definition to enable the user-assigned managed identity.
135135

136-
1. On other Azure services you want to connect to, create a role assignment for the identity.
136+
+ On other Azure services you want to connect to, create a role assignment for the identity.
137137

138-
1. In data source connections on Azure AI Search, such as an indexer data source, reference the user-managed identity in the connection details. This step is generally available if support for the feature is generally available.
138+
Associating a user-assigned managed identity with an Azure AI Search service is supported in the Azure portal, Search Management REST APIs, and SDK packages that provide the feature.
139139

140-
Associating a user-assigned managed identity is supported in the Azure portal, Search Management REST APIs, and SDK packages that provide the feature.
140+
> [!NOTE]
141+
> User-assigned managed identities can also be used in indexer data source connection strings. Currently, only the newer preview REST APIs and preview packages support a user-assigned managed identity in a data source connection string. Be sure to switch to a preview version if you call the
142+
[SearchIndexerDataUserAssignedIdentity](/rest/api/searchservice/data-sources/create-or-update?view=rest-searchservice-2025-05-01-preview&preserve-view=true#searchindexerdatauserassignedidentity) API.
141143

142144
### [**Azure portal**](#tab/portal-user)
143145

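Review bot: The NOTE added on lines 140-142 is broken: line 142 (`[SearchIndexerDataUserAssignedIdentity](...) API.`) lacks the leading `> `, so it renders as a separate paragraph outside the callout and the callout ends with the truncated sentence "Be sure to switch to a preview version if you call the". Prefix line 142 with `> ` or join it to line 141. Separately, "The steps are as follows:" on line 130 now introduces an unordered `+` list; since the three steps are ordered (create the identity, enable it on the service, then assign roles), keeping the numbered list would preserve the sequence, and the removed fourth step (referencing the identity in a data source connection) now survives only in the NOTE.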
@@ -224,9 +226,14 @@ The following steps illustrate the role assignment workflow. This example is for
224226
225227
## Connection string examples
226228
229+
A system managed identity is indicated when a connection string is the unique resource ID of a Microsoft Entra ID-aware service or application. A user-assigned managed identity is specified through an "identity" property.
230+
227231
Once a managed identity is defined for the search service and given a role assignment, outbound connections can be modified to use the unique resource ID of the other Azure resource. Here are some examples of connection strings for various scenarios.
228232
229-
You can use generally available REST API versions and Azure SDK packages for these connections.
233+
You can use generally available REST API versions and Azure SDK packages for connections using a system-assigned managed identity.
234+
235+
User-assigned managed identities can also be used in indexer data source connection strings. Currently, only the newer preview REST APIs and preview packages support a user-assigned managed identity in a data source connection string. Be sure to switch to a preview version if you call the
236+
[SearchIndexerDataUserAssignedIdentity](/rest/api/searchservice/data-sources/create-or-update?view=rest-searchservice-2025-05-01-preview&preserve-view=true#searchindexerdatauserassignedidentity) API.
230237
231238
> [!TIP]
232239
> You can create most of these objects in the Azure portal, specifying either a system or user-assigned managed identity, and then view the JSON definition to get the connection string.
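Review bot: Lines 235-236 repeat the NOTE text from the user-assigned identity section verbatim, including the same mid-sentence line break before the link on line 236, so a reader gets the identical paragraph twice in one article. Keep one copy (this section is the natural home, since it is about connection strings) and point to it from the other, or at least join line 236 to line 235 so the sentence is not split across a paragraph boundary. Moving the "A system managed identity is indicated when..." sentence here (line 229) from the introduction is a sensible placement.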

articles/search/search-security-manage-encryption-keys.md

Lines changed: 7 additions & 1 deletion
@@ -18,7 +18,11 @@ ms.custom:
1818

1919
Azure AI Search automatically encrypts data at rest with [Microsoft-managed keys](/azure/security/fundamentals/encryption-atrest#azure-encryption-at-rest-components). If you need another layer of encryption or the ability to revoke keys and shut down access to content, you can use keys that you create and manage in Azure Key Vault. This article explains how to set up customer-managed key (CMK) encryption.
2020

21-
You can store keys using either Azure Key Vault or Azure Key Vault Managed HSM (Hardware Security Module). An Azure Key Vault Managed HSM is an FIPS 140-2 Level 3 validated HSM. HSM support is new in Azure AI Search. To migrate to HSM, [rotate your keys](#rotate-or-update-encryption-keys) and choose Managed HSM for storage.
21+
You can store keys using either:
22+
23+
+ Azure Key Vault
24+
25+
+ Azure Key Vault Managed HSM (Hardware Security Module). An Azure Key Vault Managed HSM is an FIPS 140-2 Level 3 validated HSM. HSM support is new in Azure AI Search. To migrate from Azure Key Vault to HSM, [rotate your keys](#rotate-or-update-encryption-keys) and choose Managed HSM for storage.
2226

2327
> [!IMPORTANT]
2428
> CMK encryption is irreversible. You can rotate keys and change CMK configuration, but index encryption lasts for the lifetime of the index. Post-CMK encryption, an index is only accessible if the search service has access to the key. If you revoke access to the key by deleting or changing role assignment, the index is unusable and the service can't be scaled until the index is deleted or access to the key is restored. If you delete or rotate keys, the most recent key is cached for up to 60 minutes.
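Review bot: Line 25 reads "an FIPS 140-2 Level 3 validated HSM"; FIPS is read as a word, so "a FIPS 140-2 Level 3 validated HSM" is the usual form. The wording is inherited from the removed line 21, but since the line is being rewritten anyway this is a good moment to fix it. Splitting the two storage options into a `+` list is clearer than the old run-on sentence.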
@@ -37,6 +41,8 @@ Encryption is performed over the following content:
3741

3842
If you require CMK across your search service, [set an enforcement policy](#set-up-a-policy-to-enforce-cmk-compliance).
3943

44+
Although you can't add encryption to an existing object, once an object is configured for encryption, you can change all parts of its encryption definition, including switching to a different key vault or HMS storage as long as the resource is in the same tenant.
45+
4046
## Prerequisites
4147

4248
+ [Azure AI Search](search-create-service-portal.md) on a [billable tier](search-sku-tier.md#tier-descriptions) (Basic or higher, in any region).
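Review bot: Typo on line 44: "HMS storage" should be "HSM storage" (Managed HSM, as written on line 25). Consider also stating the prerequisite for the switch in the same sentence: the new key vault or Managed HSM must already grant the search service access to the key before the encryption definition is updated, since the IMPORTANT callout above says an index becomes unusable once the service loses access to its key.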

articles/search/tutorial-document-layout-image-verbalization.md

Lines changed: 2 additions & 1 deletion
@@ -73,7 +73,7 @@ The following instructions apply to Azure Storage which provides the sample data
7373
}
7474
```
7575

76-
1. For connections made using a user-assigned managed identity, get a connection string that contains a ResourceId, with no account key or password. The ResourceId must include the subscription ID of the storage account, the resource group of the storage account, and the storage account name. Provide an identity using the syntax shown in the following example. Set userAssignedIdentity to the user-assigned managed identity. The connection string is similar to the following example:
76+
1. For connections made using a user-assigned managed identity, get a connection string that contains a ResourceId, with no account key or password. The ResourceId must include the subscription ID of the storage account, the resource group of the storage account, and the storage account name. Provide an identity using the syntax shown in the following example. Set userAssignedIdentity to the user-assigned managed identity The connection string is similar to the following example:
7777

7878
```json
7979
"credentials" : {
@@ -131,6 +131,7 @@ For authenticated connections that occur during indexer and skillset processing,
131131
@searchUrl = PUT-YOUR-SEARCH-SERVICE-ENDPOINT-HERE
132132
@searchApiKey = PUT-YOUR-ADMIN-API-KEY-HERE
133133
@storageConnection = PUT-YOUR-STORAGE-CONNECTION-STRING-HERE
134+
@cognitiveServicesUrl = PUT-YOUR-AZURE-AI-MULTI-SERVICE-ENDPOINT-HERE
134135
@openAIResourceUri = PUT-YOUR-OPENAI-URI-HERE
135136
@openAIKey = PUT-YOUR-OPENAI-KEY-HERE
136137
@chatCompletionResourceUri = PUT-YOUR-CHAT-COMPLETION-URI-HERE

articles/search/whats-new.md

Lines changed: 2 additions & 2 deletions
@@ -4,7 +4,7 @@ description: Announcements of new and enhanced features, including a service ren
44
author: HeidiSteen
55
ms.author: heidist
66
manager: nitinme
7-
ms.date: 08/01/2025
7+
ms.date: 08/07/2025
88
ms.service: azure-ai-search
99
ms.topic: overview
1010
ms.custom:
@@ -27,7 +27,7 @@ Learn about the latest updates to Azure AI Search functionality, docs, and sampl
2727
| [Search Management 2025-05-01](/rest/api/searchmanagement/operation-groups?view=rest-searchmanagement-2025-05-01&preserve-view=true) | REST | Stable release of the REST APIs for the control plane operations described in this table. For migration guidance, see [Upgrade to the latest REST API in Azure AI Search](search-api-migration.md). |
2828
| [Service upgrade](search-how-to-upgrade.md) | Service | Now generally available through [Upgrade Service (REST API)](/rest/api/searchmanagement/services/upgrade?view=rest-searchmanagement-2025-05-01&preserve-view=true) and the Azure portal. |
2929
| [Pricing tier change](search-capacity-planning.md#change-your-pricing-tier) | Service | Now generally available through the `sku` property in [Update Service (REST API)](/rest/api/searchmanagement/services/update?view=rest-searchmanagement-2025-05-01&preserve-view=true) and the Azure portal. |
30-
| [User-assigned managed identity](search-howto-managed-identities-data-sources.md) | Security | Now generally available through the `identity` property in [Update Service (REST API)](/rest/api/searchmanagement/services/update?view=rest-searchmanagement-2025-05-01&preserve-view=true) and the Azure portal. |
30+
| [User-assigned managed identity](search-howto-managed-identities-data-sources.md) | Security | Now generally available through the `identity` property that associates a user-assigned managed identity to a search service. User-assigned managed identities can be used for search service authentication in Azure-to-Azure connections. Configure the association using the [Update Service (REST API)](/rest/api/searchmanagement/services/update?view=rest-searchmanagement-2025-05-01&preserve-view=true) or the Azure portal. |
3131

3232
## May 2025
3333

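Review bot: The rewritten row on line 30 says user-assigned managed identities "can be used for search service authentication in Azure-to-Azure connections" under a "Now generally available" entry, but the data-sources article updated in this same commit states that a user-assigned identity in an indexer data source connection string is preview-only (SearchIndexerDataUserAssignedIdentity, `2025-05-01-preview`). Qualify the row so it is not read as GA for connection strings, e.g. append `Using the identity in an indexer data source connection string remains in preview.`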