Merge pull request #3186 from santiagxf/santiagxf/entra-id-update

feat: adding images

Author: denrea

articles/ai-foundry/model-inference/includes/configure-entra-id/portal.md

@@ -14,34 +14,42 @@ zone_pivot_groups: azure-ai-models-deployment
 
 Follow these steps to configure Microsoft Entra ID for inference: 
 
-1. Go to the [Azure portal](https://portal.azure.com) and locate the Azure AI Services resource you're using. If you're using Azure AI Foundry with projects or hubs, you can navigate to it by:
+1. Go to the [Azure portal](https://portal.azure.com) and locate the **Azure AI Services** resource you're using. If you're using Azure AI Foundry with projects or hubs, you can navigate to it by:
 
    1. Go to [Azure AI Foundry portal](https://ai.azure.com).
 
    2. On the landing page, select **Open management center**.
 
    3. Go to the section **Connected resources** and select the connection to the Azure AI Services resource that you want to configure. If it isn't listed, select **View all** to see the full list.
 
+      :::image type="content" source="../../media/configure-entra-id/resource-behind-select.png" alt-text="Screenshot showing how to navigate to the details of the connection in Azure AI Foundry in the management center." lightbox="../../media/configure-entra-id/resource-behind-select.png":::
+
    4. On the **Connection details** section, under **Resource**, select the name of the Azure resource. A new page opens.
 
    5. You're now in [Azure portal](https://portal.azure.com) where you can manage all the aspects of the resource itself.
 
-2. On the left navigation bar, select **Access control (IAM)**.
+      :::image type="content" source="../../media/configure-entra-id/locate-resource-ai-services.png" alt-text="Screenshot showing the resource to which we configure Microsoft Entra ID." lightbox="../../media/configure-entra-id/locate-resource-ai-services.png":::
+
+2. On the left navigation bar, select **Access control (IAM)** and then select **Add** > **Add role assignment**.
+
+   :::image type="content" source="../../media/configure-entra-id/resource-aim.png" alt-text="Screenshot showing how to add a role assignment in the Access control section of the resource in the Azure portal." lightbox="../../media/configure-entra-id/resource-aim.png":::
 
    > [!TIP]
    > Use the **View my access** option to verify which roles are already assigned to you.
 
-3. Select **Role assignments** and then select **Add** > **Add role assignment**.
+3. On **Job function roles**, type **Cognitive Services User**. The list of roles is filtered out.
 
-4. On **Job function roles**, type **Cognitive Services User**. The list of roles is filtered out.
+   :::image type="content" source="../../media/configure-entra-id/cognitive-services-user.png" alt-text="Screenshot showing how to select the Cognitive Services User role assignment." lightbox="../../media/configure-entra-id/cognitive-services-user.png":::
 
-5.  Select the role and select **Next**.
+4. Select the role and select **Next**.
 
-6.  On **Members**, select the user or group you want to grant access to. We recommend using security groups whenever possible as they are easier to manage and maintain. 
+5. On **Members**, select the user or group you want to grant access to. We recommend using security groups whenever possible as they are easier to manage and maintain. 
 
-7.  Select **Next** and finish the wizard.
+   :::image type="content" source="../../media/configure-entra-id/select-user.png" alt-text="Screenshot showing how to select the user to whom assign the role." lightbox="../../media/configure-entra-id/select-user.png":::
 
-8.  The selected user can now use Microsoft Entra ID for inference.
+6. Select **Next** and finish the wizard.
+
+7. The selected user can now use Microsoft Entra ID for inference.
 
     > [!TIP]
     > Keep in mind that Azure role assignments may take up to five minutes to propagate. When working with security groups, adding or removing users from the security group propagates immediately.
@@ -84,6 +92,4 @@ To change this behavior, you have to update the connections from your projects t
 
 ## Disable key-based authentication in the resource
 
-Disabling key-based authentication is advisable when you implemented Microsoft Entra ID and fully addressed compatibility or fallback concerns in all the applications that consume the service.
-
-
+Disabling key-based authentication is advisable when you implemented Microsoft Entra ID and fully addressed compatibility or fallback concerns in all the applications that consume the service. Disabling key-based authentication is only available when deploying using Bicep/ARM.

articles/ai-foundry/model-inference/includes/configure-entra-id/troubleshooting.md

@@ -7,6 +7,21 @@ ms.date: 01/23/2025
 ms.topic: include
 ---
 
+Before troubleshooting, verify that you have the right permissions assigned:
+
+1. Go to the [Azure portal](https://portal.azure.com) and locate the **Azure AI Services** resource you're using.
+
+2. On the left navigation bar, select **Access control (IAM)** and then select **Check access**.
+
+3. Type the name of the user or identity you are using to connect to the service.
+
+4. Verify that the role **Cognitive Services User** is listed (or a role that contains the required permissions as explained in [Prerequisites](#prerequisites)).
+
+    > [!IMPORTANT]
+    > Roles like **Owner** or **Contributor** don't provide access via Microsoft Entra ID.
+
+5. If not listed, follow the steps in this guide before continuing.
+
 The following table contains multiple scenarios that can help troubleshooting Microsoft Entra ID:
 
 | Error / Scenario     | Root cause    | Solution |