Merge branch 'main' into users/jukullam/authentication-gha-refresh-feb25

Author: juliakm

articles/ai-services/agents/how-to/tools/bing-grounding.md

@@ -44,6 +44,8 @@ Developers and end users don't have access to raw content returned from Groundin
 1. Create a Grounding with Bing Search resource. You need to have `owner` or `contributor` role in your subscription or resource group to create it.
 
    1. You can create one in the [Azure portal](https://portal.azure.com/#create/Microsoft.BingGroundingSearch), and select the different fields in the creation form. Make sure you create this Grounding with Bing Search resource in the same resource group as your Azure AI Agent, AI Project, and other resources.
+
+    :::image type="content" source="../../media/tools/bing/resource-selection.png" alt-text="A screenshot of the Bing resource selection in the Azure portal." lightbox="../../media/tools/bing/resource-selection.png":::
 
    1. You can also create one through code-first experience. If so, you need to manually [register](/azure/azure-resource-manager/management/resource-providers-and-types#register-resource-provider) Bing Search as an Azure resource provider. You must have permission to perform the `/register/action` operation for the resource provider. The permission is included in the **Contributor** and **Owner** roles.
 

articles/ai-services/agents/media/quickstart/agents-foundry.png

@@ -2,22 +2,22 @@
 title: Authentication in Azure AI services
 titleSuffix: Azure AI services
 description: "There are three ways to authenticate a request to an Azure AI services resource: a resource key, a bearer token, or a multi-service subscription. In this article, you'll learn about each method, and how to make a request."
-author: mgreenegit
+author: eric-urban
 manager: nitinme
 ms.service: azure-ai-services
 ms.custom: devx-track-azurepowershell
 ms.topic: how-to
-ms.date: 8/1/2024
-ms.author: migreene
+ms.date: 2/7/2025
+ms.author: eur
 ---
 
 # Authenticate requests to Azure AI services
 
 Each request to an Azure AI service must include an authentication header. This header passes along a resource key or authentication token, which is used to validate your subscription for a service or group of services. In this article, you'll learn about three ways to authenticate a request and the requirements for each.
 
-* Authenticate with a [single-service](#authenticate-with-a-single-service-resource-key) or [multi-service](#authenticate-with-a-multi-service-resource-key) resource key
-* Authenticate with a [token](#authenticate-with-an-access-token)
-* Authenticate with [Microsoft Entra ID](#authenticate-with-azure-active-directory)
+* Authenticate with a [single-service](#authenticate-with-a-single-service-resource-key) or [multi-service](#authenticate-with-a-multi-service-resource-key) resource key.
+* Authenticate with a [token](#authenticate-with-an-access-token).
+* Authenticate with [Microsoft Entra ID](#authenticate-with-azure-active-directory).
 
 ## Prerequisites
 
@@ -106,7 +106,7 @@ Some Azure AI services accept, and in some cases require, an access token. Curre
 * Speech Services: Speech to text API
 * Speech Services: Text to speech API
 
->[!WARNING]
+> [!WARNING]
 > The services that support access tokens may change over time, please check the API reference for a service before using this authentication method.
 
 Both single service and multi-service resource keys can be exchanged for authentication tokens. Authentication tokens are valid for 10 minutes. They're stored in JSON Web Token (JWT) format and can be queried programmatically using the [JWT libraries](https://jwt.io/libraries). 
@@ -176,13 +176,13 @@ The first step is to create a custom subdomain. If you want to use an existing A
    Set-AzContext -SubscriptionName <SubscriptionName>
    ```
 
-2. Next, [create an Azure AI services resource](/powershell/module/az.cognitiveservices/new-azcognitiveservicesaccount) with a custom subdomain. The subdomain name needs to be globally unique and cannot include special characters, such as: ".", "!", ",".
+1. Next, [create an Azure AI services resource](/powershell/module/az.cognitiveservices/new-azcognitiveservicesaccount) with a custom subdomain. The subdomain name needs to be globally unique and cannot include special characters, such as: ".", "!", ",".
 
    ```powershell-interactive
    $account = New-AzCognitiveServicesAccount -ResourceGroupName <RESOURCE_GROUP_NAME> -name <ACCOUNT_NAME> -Type <ACCOUNT_TYPE> -SkuName <SUBSCRIPTION_TYPE> -Location <REGION> -CustomSubdomainName <UNIQUE_SUBDOMAIN>
    ```
 
-3. If successful, the **Endpoint** should show the subdomain name unique to your resource.
+1. If successful, the **Endpoint** should show the subdomain name unique to your resource.
 
 
 ### Assign a role to a service principal
@@ -202,7 +202,7 @@ Now that you have a custom subdomain associated with your resource, you're going
 
    You're going to need the **ApplicationId** in the next step.
 
-2. Next, you need to [create a service principal](/powershell/module/az.resources/new-azadserviceprincipal) for the Microsoft Entra application.
+1. Next, you need to [create a service principal](/powershell/module/az.resources/new-azadserviceprincipal) for the Microsoft Entra application.
 
    ```powershell-interactive
    New-AzADServicePrincipal -ApplicationId <APPLICATION_ID>
@@ -211,7 +211,7 @@ Now that you have a custom subdomain associated with your resource, you're going
    > [!NOTE]
    > If you register an application in the Azure portal, this step is completed for you.
 
-3. The last step is to [assign the "Cognitive Services User" role](/powershell/module/az.Resources/New-azRoleAssignment) to the service principal (scoped to the resource). By assigning a role, you're granting service principal access to this resource. You can grant the same service principal access to multiple resources in your subscription.
+1. The last step is to [assign the "Cognitive Services User" role](/powershell/module/az.Resources/New-azRoleAssignment) to the service principal (scoped to the resource). By assigning a role, you're granting service principal access to this resource. You can grant the same service principal access to multiple resources in your subscription.
 
    > [!NOTE]
    > The ObjectId of the service principal is used, not the ObjectId for the application.
@@ -231,7 +231,7 @@ In this sample, a password is used to authenticate the service principal. The to
    $context.Tenant.Id
    ```
 
-2. Get a token:
+1. Get a token:
    ```powershell-interactive
    $tenantId = $context.Tenant.Id
    $clientId = $app.ApplicationId
@@ -253,7 +253,7 @@ In this sample, a password is used to authenticate the service principal. The to
    > [!NOTE]
    > Anytime you use passwords in a script, the most secure option is to use the PowerShell Secrets Management module and integrate with a solution such as Azure Key Vault.
   
-3. Call the Computer Vision API:
+1. Call the Computer Vision API:
    ```powershell-interactive
    $url = $account.Endpoint+"vision/v1.0/models"
    $result = Invoke-RestMethod -Uri $url  -Method Get -Headers @{"Authorization"="Bearer $accessToken"} -Verbose
@@ -284,7 +284,7 @@ You can [use Azure Key Vault](./use-key-vault.md) to securely develop Azure AI s
 
 Authentication is done via Microsoft Entra ID. Authorization may be done via Azure role-based access control (Azure RBAC) or Key Vault access policy. Azure RBAC can be used for both management of the vaults and access data stored in a vault, while key vault access policy can only be used when attempting to access data stored in a vault.
 
-## See also
+## Related content
 
 * [What are Azure AI services?](./what-are-ai-services.md)
 * [Azure AI services pricing](https://azure.microsoft.com/pricing/details/cognitive-services/)

articles/ai-services/agents/media/quickstart/model-list.png

@@ -6,15 +6,15 @@ author: eric-urban
 manager: nitinme
 ms.service: azure-ai-services
 ms.topic: how-to
-ms.date: 8/11/2024
+ms.date: 2/7/2025
 ms.author: eur
 ---
 
 # Use environment variables with Azure AI services
 
 This guide shows you how to set and retrieve environment variables for your Azure AI services credentials when you test applications.
 
-[!INCLUDE [Azure key vault](~/reusable-content/ce-skilling/azure/includes/ai-services/security/azure-key-vault.md)]
+[!INCLUDE [Azure key vault](~/reusable-content/ce-skilling/azure/includes/ai-services/security/microsoft-entra-id-akv.md)]
 
 ## Set an environment variable
 

articles/ai-services/agents/media/tools/bing/resource-selection.png

@@ -26,6 +26,8 @@ This guide shows you how to use the groundedness detection API. This feature aut
 * (Optional) If you want to use the _reasoning_ feature, create an Azure OpenAI Service resource with a GPT model deployed.
 * [cURL](https://curl.haxx.se/) or [Python](https://www.python.org/downloads/) installed.
 
+## Authentication
+For enhanced security, you need to use Managed Identity (MI) to manage access to your resources, for more details, please refer to [Security](./overview.md#security).
 
 ## Check groundedness without reasoning
 
@@ -171,7 +173,7 @@ The Groundedness detection API provides the option to include _reasoning_ in the
 ### Connect your own GPT deployment
 
 > [!TIP]
-> We only support **Azure OpenAI GPT4o (0513, 0806 version) ** resources and do not support other GPT types. You have the flexibility to deploy your Azure OpenAI GPT4o (0513, 0806 version) resources in any region. However, to minimize potential latency and avoid any geographical boundary data privacy and risk concerns, we recommend situating them in the same region as your content safety resources. For comprehensive details on data privacy, refer to the [Data, privacy and security guidelines for Azure OpenAI Service](/legal/cognitive-services/openai/data-privacy) and [Data, privacy, and security for Azure AI Content Safety](/legal/cognitive-services/content-safety/data-privacy?context=%2Fazure%2Fai-services%2Fcontent-safety%2Fcontext%2Fcontext).
+> We only support Azure OpenAI GPT4o (0513, 0806 version) resources and do not support other GPT types. You have the flexibility to deploy your Azure OpenAI GPT4o (0513, 0806 version) resources in any region. However, to minimize potential latency and avoid any geographical boundary data privacy and risk concerns, we recommend situating them in the same region as your content safety resources. For comprehensive details on data privacy, refer to the [Data, privacy and security guidelines for Azure OpenAI Service](/legal/cognitive-services/openai/data-privacy) and [Data, privacy, and security for Azure AI Content Safety](/legal/cognitive-services/content-safety/data-privacy?context=%2Fazure%2Fai-services%2Fcontent-safety%2Fcontext%2Fcontext).
 
 In order to use your Azure OpenAI GPT4o (0513, 0806 version) resource to enable the reasoning feature, use Managed Identity to allow your Content Safety resource to access the Azure OpenAI resource:
 

articles/ai-services/authentication.md

@@ -6,7 +6,7 @@ author: eric-urban
 manager: nitinme
 ms.service: azure-ai-services
 ms.topic: quickstart
-ms.date: 8/1/2024
+ms.date: 2/7/2025
 ms.author: eur
 ms.custom:
   - subject-armqs
@@ -35,7 +35,7 @@ The template that you use in this quickstart is from [Azure Quickstart Templates
 
 One Azure resource is defined in the Bicep file. The `kind` field in the Bicep file defines the type of resource.
 
-As needed, change the `sku` parameter value to the [pricing](https://azure.microsoft.com/pricing/details/cognitive-services/) instance you want. The `sku` depends on the resource `kind` that you use. For example, use `TextAnalytics` for the Azure AI Language service. The `TextAnalytics` kind uses `S` instead of `S0` for the `sku` value.
+As needed, change the `sku` parameter value to the [pricing](https://azure.microsoft.com/pricing/details/cognitive-services/) instance you want. The `sku` depends on the resource `kind` that you use. For example, use `AIServices` for the Azure AI Language service. 
 
 ## Deploy the template
 

articles/ai-services/cognitive-services-environment-variables.md

@@ -6,7 +6,7 @@ author: laujan
 manager: nitinme
 ms.service: azure-ai-document-intelligence
 ms.topic: conceptual
-ms.date: 11/19/2024
+ms.date: 02/07/2025
 ms.author: lajanuar
 monikerRange: '>=doc-intel-3.1.0'
 ---

articles/ai-services/content-safety/quickstart-groundedness.md

@@ -5,7 +5,7 @@ author: laujan
 manager: nitinme
 ms.service: azure-ai-document-intelligence
 ms.topic: include
-ms.date: 11/19/2024
+ms.date: 02/07/2025
 ms.author: lajanuar
 ms.custom: devx-track-csharp, linux-related-content
 monikerRange: 'doc-intel-4.0.0'
@@ -88,7 +88,7 @@ monikerRange: 'doc-intel-4.0.0'
 
 1. Open the *Program.cs* file.
 
-1. Delete the pre-existing code, including the line `Console.Writeline("Hello World!")`.
+1. Delete the existing code, including the line `Console.Writeline("Hello World!")`.
 
 1. Select one of the following code samples and copy/paste into your application's *Program.cs* file: