Merge pull request #213073 from alexwolfmsft/passwordless-service-bus-queues

v-dirichards · web-flow · commit 0fd4c27c94f4 · 2022-10-21T13:50:28.000-05:00
Passwordless service bus queues
diff --git a/articles/service-bus-messaging/service-bus-dotnet-get-started-with-queues.md b/articles/service-bus-messaging/service-bus-dotnet-get-started-with-queues.md
diff --git a/articles/service-bus-messaging/service-bus-dotnet-how-to-use-topics-subscriptions.md b/articles/service-bus-messaging/service-bus-dotnet-how-to-use-topics-subscriptions.md
diff --git a/articles/storage/common/migrate-azure-credentials.md b/articles/storage/common/migrate-azure-credentials.md
@@ -67,7 +67,7 @@ The following steps explain how to migrate an existing application to use passwo
 
 For local development, make sure you're authenticated with the same Azure AD account you assigned the role to on your Blob Storage account. You can authenticate via the Azure CLI, Visual Studio, Azure PowerShell, or other tools such as IntelliJ.
 
-[!INCLUDE [default-azure-credential-sign-in](../../../includes/default-azure-credential-sign-in.md)]
+[!INCLUDE [default-azure-credential-sign-in](../../../includes/passwordless/default-azure-credential-sign-in.md)]
 
 Next you will need to update your code to use passwordless connections.
 
@@ -106,7 +106,7 @@ Once your application is configured to use passwordless connections and runs loc
 
 #### Create the managed identity using the Azure portal
 
-The following steps demonstrate how to create a system-assigned managed identity for various web hosting services. The managed identity can securely connect to other Azure Services using the app configurations you setup previously.
+The following steps demonstrate how to create a system-assigned managed identity for various web hosting services. The managed identity can securely connect to other Azure Services using the app configurations you set up previously.
 
 ### [Service Connector](#tab/service-connector)
 
@@ -240,7 +240,7 @@ az spring app identity assign \
 
 ### [Azure Container Apps](#tab/container-apps-identity)
 
-You can assign a managed identity to an Azure Container Apps instance with the [az containerapp identity assign](/cli/azure/containerapp/identity) command.
+You can assign a managed identity to an Azure Container Apps instance with the [az container app identity assign](/cli/azure/containerapp/identity) command.
 
 ```azurecli
 az containerapp identity assign \
diff --git a/includes/passwordless/default-azure-credential-sign-in.md b/includes/passwordless/default-azure-credential-sign-in.md
@@ -10,6 +10,8 @@ ms.author: alexwolf
 ms.custom: include file
 ---
 
+Make sure you're authenticated with the same Azure AD account you assigned the role to. You can authenticate via the Azure CLI, Visual Studio, or Azure PowerShell.
+
 ### [Azure CLI](#tab/sign-in-azure-cli)
 
 Sign-in to Azure through the Azure CLI using the following command:
@@ -22,11 +24,11 @@ az login
 
 Select the **Sign in** button in the top right of Visual Studio.
 
-:::image type="content" source="../articles/storage/blobs/media/storage-quickstart-blobs-dotnet/sign-in-visual-studio-small.png" alt-text="Screenshot showing the button to sign in to Azure using Visual Studio.":::
+:::image type="content" source="../../articles/storage/blobs/media/storage-quickstart-blobs-dotnet/sign-in-visual-studio-small.png" alt-text="Screenshot showing the button to sign in to Azure using Visual Studio.":::
 
 Sign-in using the Azure AD account you assigned a role to previously.
 
-:::image type="content" source="../articles/storage/blobs/media/storage-quickstart-blobs-dotnet/sign-in-visual-studio-account-small.png" alt-text="Screenshot showing the account selection.":::
+:::image type="content" source="../../articles/storage/blobs/media/storage-quickstart-blobs-dotnet/sign-in-visual-studio-account-small.png" alt-text="Screenshot showing the account selection.":::
 
 ### [Visual Studio Code](#tab/sign-in-visual-studio-code)
 
diff --git a/includes/passwordless/dotnet-default-azure-credential-overview.md b/includes/passwordless/dotnet-default-azure-credential-overview.md
@@ -0,0 +1,15 @@
+---
+title: "include file"
+description: "include file"
+services: storage
+author: alexwolfmsft
+ms.service: storage
+ms.topic: include
+ms.date: 10/21/2022
+ms.author: alexwolf
+ms.custom: include file
+---
+
+`DefaultAzureCredential` is a class provided by the Azure Identity client library for .NET. To learn more about `DefaultAzureCredential`, see the [DefaultAzureCredential overview](/dotnet/azure/sdk/authentication#defaultazurecredential). `DefaultAzureCredential` supports multiple authentication methods and determines which method should be used at runtime. This approach enables your app to use different authentication methods in different environments (local vs. production) without implementing environment-specific code.
+
+For example, your app can authenticate using your Visual Studio sign-in credentials when developing locally, and then use a [managed identity](/azure/active-directory/managed-identities-azure-resources/overview) once it has been deployed to Azure. No code changes are required for this transition.
diff --git a/includes/passwordless/passwordless-overview.md b/includes/passwordless/passwordless-overview.md
@@ -0,0 +1,15 @@
+---
+title: "include file"
+description: "include file"
+services: storage
+author: alexwolfmsft
+ms.service: storage
+ms.topic: include
+ms.date: 09/09/2022
+ms.author: alexwolf
+ms.custom: include file
+---
+
+Application requests to most Azure Services must be authorized. Using the `DefaultAzureCredential` class provided by the Azure Identity client library is the recommended approach for implementing passwordless connections to Azure services in your code.
+
+You can also authorize requests to Azure services using passwords, connection strings, or other credentials directly. However, this approach should be used with caution. Developers must be diligent to never expose these secrets in an unsecure location. Anyone who gains access to the password or secret key is able to authenticate. `DefaultAzureCredential` offers improved management and security benefits over the account key to allow passwordless authentication. Both options are demonstrated in the following example.
diff --git a/includes/passwordless/service-bus/media/add-role.png b/includes/passwordless/service-bus/media/add-role.png
diff --git a/includes/passwordless/service-bus/service-bus-assign-roles.md b/includes/passwordless/service-bus/service-bus-assign-roles.md
@@ -0,0 +1,72 @@
+---
+title: "include file"
+description: "include file"
+services: storage
+author: alexwolfmsft
+ms.service: storage
+ms.topic: include
+ms.date: 09/09/2022
+ms.author: alexwolf
+ms.custom: include file
+---
+
+When developing locally, make sure that the user account that connects to Azure Service Bus has the correct permissions. You'll need the `Azure Service Bus Data Owner` role in order to send and receive messages. To assign yourself this role, you'll need the User Access Administrator role, or another role that includes the `Microsoft.Authorization/roleAssignments/write` action. You can assign Azure RBAC roles to a user using the Azure portal, Azure CLI, or Azure PowerShell. Learn more about the available scopes for role assignments on the [scope overview](/azure/role-based-access-control/scope-overview) page.
+
+The following example assigns the `Azure Service Bus Data Owner` role to your user account, which provides full access to Azure Service Bus resources. In a real scenario, follow the [Principle of Least Privilege](/azure/active-directory/develop/secure-least-privileged-access) to give users only the minimum permissions needed for a more secure production environment.
+
+> [!IMPORTANT]
+> In most cases, it will take a minute or two for the role assignment to propagate in Azure. In rare cases, it may take up to eight minutes. If you receive authentication errors when you first run your code, wait a few moments and try again.
+
+### [Azure portal](#tab/roles-azure-portal)
+
+1. In the Azure portal, locate your service bus namespace using the main search bar or left navigation.
+
+2. On the overview page, select **Access control (IAM)** from the left-hand menu.	
+
+3. On the **Access control (IAM)** page, select the **Role assignments** tab.
+
+4. Select **+ Add** from the top menu and then **Add role assignment** from the resulting drop-down menu.
+
+    :::image type="content" source="media/add-role.png" alt-text="A screenshot showing how to assign a role.":::    
+
+5. Use the search box to filter the results to the desired role. For this example, search for `Azure Service Bus Data Owner` and select the matching result. Then choose **Next**.
+
+6. Under **Assign access to**, select **User, group, or service principal**, and then choose **+ Select members**.
+
+7. In the dialog, search for your Azure AD username (usually your *user@domain* email address) and then choose **Select** at the bottom of the dialog. 
+
+8. Select **Review + assign** to go to the final page, and then **Review + assign** again to complete the process.
+
+### [Azure CLI](#tab/roles-azure-cli)
+
+To assign a role at the resource level using the Azure CLI, you first must retrieve the resource ID using the `az servicebus namespace show` command. You can filter the output properties using the `--query` parameter. 
+
+```azurecli
+az servicebus namespace show -g '<your-service-bus-resource-group>' -n '<your-service-bus-name> --query id
+```
+
+Copy the output `Id` from the preceding command. You can then assign roles using the [az role](/cli/azure/role) command of the Azure CLI.
+
+```azurecli
+az role assignment create --assignee "<user@domain>" \
+--role "Azure Service Bus Data Owner" \
+--scope "<your-resource-id>"
+```
+
+### [PowerShell](#tab/roles-powershell)
+
+To assign a role at the resource level using Azure PowerShell, you first must retrieve the resource ID using the `Get-AzResource` command.
+
+```azurepowershell
+Get-AzResource -ResourceGroupName "<your-service-bus-resource-group>" -Name "<your-service-bus-name>"
+```
+
+Copy the `Id` value from the preceding command output. You can then assign roles using the [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment) command in PowerShell.
+
+```azurepowershell
+New-AzRoleAssignment -SignInName <user@domain> `
+-RoleDefinitionName "Azure Service Bus Data Owner" `
+-Scope <yourStorageAccountId>
+```
+
+--- 
diff --git a/includes/passwordless/service-bus/service-bus-create-namespace-portal-passwordless.md b/includes/passwordless/service-bus/service-bus-create-namespace-portal-passwordless.md
@@ -0,0 +1,48 @@
+---
+ title: include file
+ description: include file
+ services: service-bus-messaging
+ author: spelluru
+ ms.service: service-bus-messaging
+ ms.topic: include
+ ms.date: 04/26/2022
+ ms.author: spelluru
+ ms.custom: include file
+---
+
+## Create a namespace in the Azure portal
+To begin using Service Bus messaging entities in Azure, you must first create a namespace with a name that is unique across Azure. A namespace provides a scoping container for Service Bus resources within your application.
+
+To create a namespace:
+
+1. Sign in to the [Azure portal](https://portal.azure.com)
+2. In the left navigation pane of the portal, select **+ Create a resource**, select **Integration**, and then select **Service Bus**.
+
+    :::image type="content" source="../../../articles/service-bus-messaging/includes/media/service-bus-create-namespace-portal/create-resource-service-bus-menu.png" alt-text="Image showing selection of Create a resource, Integration, and then Service Bus in the menu.":::
+3. In the **Basics** tag of the **Create namespace** page, follow these steps: 
+    1. For **Subscription**, choose an Azure subscription in which to create the namespace.
+    1. For **Resource group**, choose an existing resource group in which the namespace will live, or create a new one.      
+    1. Enter a **name for the namespace**. The namespace name should adhere to the following naming conventions:
+        - The name must be unique across Azure. The system immediately checks to see if the name is available. 
+        - The name length is at least 6 and at most 50 characters.
+        - The name can contain only letters, numbers, and hyphens ("-").
+        - The name must start with a letter and end with a letter or number.
+        - The name doesn't end with "-sb" or "-mgmt".
+    1. For **Location**, choose the region in which your namespace should be hosted.
+    1. For **Pricing tier**, select the pricing tier (Basic, Standard, or Premium) for the namespace. For this quickstart, select **Standard**. 
+    
+        > [!IMPORTANT]
+        > If you want to use [Topics and subscriptions](../../../articles/service-bus-messaging/service-bus-queues-topics-subscriptions.md#topics-and-subscriptions), choose either Standard or Premium. Topics/subscriptions aren't supported in the Basic pricing tier. 
+
+        If you selected the **Premium** pricing tier, specify the number of **messaging units**. The premium tier provides resource isolation at the CPU and memory level so that each workload runs in isolation. This resource container is called a messaging unit. A premium namespace has at least one messaging unit. You can select 1, 2, 4, 8 or 16 messaging units for each Service Bus Premium namespace. For more information, see [Service Bus Premium Messaging](../../../articles/service-bus-messaging/service-bus-premium-messaging.md).
+
+    1. Select **Review + create**. The system now creates your namespace and enables it. You might have to wait several minutes as the system provisions resources for your account.
+   
+        :::image type="content" source="../../../articles/service-bus-messaging/includes/media/service-bus-create-namespace-portal/create-namespace.png" alt-text="Image showing the Create a namespace page.":::
+    1. On the **Create** page, review settings, and select **Create**. 
+4. Select **Go to resource** on the deployment page. 
+
+    :::image type="content" source="../../../articles/service-bus-messaging/includes/media/service-bus-create-namespace-portal/deployment-alert.png" alt-text="Image showing the deployment succeeded page with the Go to resource link.":::
+5. You see the home page for your service bus namespace. 
+
+    :::image type="content" source="../../../articles/service-bus-messaging/includes/media/service-bus-create-namespace-portal/service-bus-namespace-home-page.png" alt-text="Image showing the home page of the Service Bus namespace created." :::
diff --git a/includes/passwordless/service-bus/service-bus-passwordless-template-tabbed.md b/includes/passwordless/service-bus/service-bus-passwordless-template-tabbed.md
@@ -0,0 +1,37 @@
+---
+title: "include file"
+description: "include file"
+services: storage
+author: alexwolfmsft
+ms.service: storage
+ms.topic: include
+ms.date: 09/09/2022
+ms.author: alexwolf
+ms.custom: include file
+---
+
+## Authenticate the app to Azure
+
+[!INCLUDE [passwordless-overview](../passwordless-overview.md)]
+
+## [Passwordless (Recommended)](#tab/passwordless)
+
+[!INCLUDE [passwordless-default-azure-credential-overview](../dotnet-default-azure-credential-overview.md)]
+
+### Assign roles to your Azure AD user
+
+[!INCLUDE [service-bus-assign-roles](service-bus-assign-roles.md)]
+
+### Sign in and add the Azure Identity package
+
+You can authorize access to the service bus namespace using the following steps:
+
+[!INCLUDE [default-azure-credential-sign-in](../default-azure-credential-sign-in.md)]
+
+[!INCLUDE [visual-studio-add-identity](../visual-studio-add-identity.md)]
+
+## [Connection String](#tab/connection-string)
+
+[!INCLUDE [service-bus-retrieve-connection-string](service-bus-retrieve-connection-string.md)]
+
+---
diff --git a/includes/passwordless/service-bus/service-bus-retrieve-connection-string.md b/includes/passwordless/service-bus/service-bus-retrieve-connection-string.md
@@ -0,0 +1,25 @@
+---
+title: "include file"
+description: "include file"
+services: storage
+author: alexwolfmsft
+ms.service: storage
+ms.topic: include
+ms.date: 10/21/2022
+ms.author: alexwolf
+ms.custom: include file
+---
+
+Creating a new namespace automatically generates an initial Shared Access Signature (SAS) policy with primary and secondary keys, and primary and secondary connection strings that each grant full control over all aspects of the namespace. See [Service Bus authentication and authorization](../../../articles/service-bus-messaging/service-bus-authentication-and-authorization.md) for information about how to create rules with more constrained rights for regular senders and receivers. 
+
+
+
+To copy the primary connection string for your namespace, follow these steps: 
+
+1. On the **Service Bus Namespace** page, select **Shared access policies** on the left menu.
+2. On the **Shared access policies** page, select **RootManageSharedAccessKey**.
+3. In the **Policy: RootManageSharedAccessKey** window, select the copy button next to **Primary Connection String**, to copy the connection string to your clipboard for later use. Paste this value into Notepad or some other temporary location.
+   
+    :::image type="content" source="../../../articles/service-bus-messaging/includes/media/service-bus-create-namespace-portal/connection-string.png" alt-text="Screenshot shows an SAS policy called RootManageSharedAccessKey, which includes keys and connection strings.":::
+
+    You can use this page to copy primary key, secondary key, primary connection string, and secondary connection string. 
diff --git a/includes/passwordless/visual-studio-add-identity.md b/includes/passwordless/visual-studio-add-identity.md
@@ -0,0 +1,29 @@
+---
+title: "include file"
+description: "include file"
+services: storage
+author: alexwolfmsft
+ms.service: storage
+ms.topic: include
+ms.date: 10/21/2022
+ms.author: alexwolf
+ms.custom: include file
+---
+
+To use `DefaultAzureCredential`, add the **Azure.Identity** package to your application.
+
+# [Visual Studio](#tab/identity-visual-studio)
+
+1. In **Solution Explorer**, right-click the **Dependencies** node of your project. Select **Manage NuGet Packages**.
+
+1. In the resulting window, search for *Azure.Identity*. Select the appropriate result, and select **Install**.
+
+    :::image type="content" source="../../articles/storage/common/media/visual-studio-identity-package.png" alt-text="A screenshot showing how to add the identity package."::: 
+
+# [.NET CLI](#tab/identity-netcore-cli)
+
+```dotnetcli
+dotnet add package Azure.Identity
+```
+
+---
diff --git a/includes/storage-quickstart-credential-free-include.md b/includes/storage-quickstart-credential-free-include.md
@@ -34,13 +34,9 @@ For example, your app can authenticate using your Visual Studio sign-in credenti
 
 You can authorize access to data in your storage account using the following steps:
 
-1. Make sure you're authenticated with the same Azure AD account you assigned the role to on your Blob Storage account. You can authenticate via the Azure CLI, Visual Studio, or Azure PowerShell.
+1. [!INCLUDE [default-azure-credential-sign-in](passwordless/default-azure-credential-sign-in.md)]
 
-    [!INCLUDE [default-azure-credential-sign-in](default-azure-credential-sign-in.md)]
-
-2. To use `DefaultAzureCredential`, add the **Azure.Identity** package to your application.
-
-    [!INCLUDE [visual-studio-add-identity](visual-studio-add-identity.md)]
+2. [!INCLUDE [visual-studio-add-identity](passwordless/visual-studio-add-identity.md)]
 
 3. Update your *Program.cs* code to match the following example. When the code is run on your local workstation during development, it will use the developer credentials of the prioritized tool you're logged into to authenticate to Azure, such as the Azure CLI or Visual Studio.
 
@@ -59,7 +55,7 @@ You can authorize access to data in your storage account using the following ste
 
 4. Make sure to update the Storage account name in the URI of your `BlobServiceClient`. The Storage account name can be found on the overview page of the Azure portal.
 
-    :::image type="content" source="../articles/storage/blobs/media/storage-quickstart-blobs-dotnet/storage-account-name.png" alt-text="A screenshot showing how find the storage account name.":::
+    :::image type="content" source="../articles/storage/blobs/media/storage-quickstart-blobs-dotnet/storage-account-name.png" alt-text="A screenshot showing how to find the storage account name.":::
 
     > [!NOTE]
     > When deployed to Azure, this same code can be used to authorize requests to Azure Storage from an application running in Azure. However, you'll need to enable managed identity on your app in Azure. Then configure your Blob Storage account to allow that managed identity to connect. For detailed instructions on configuring this connection between Azure services, see the [Auth from Azure-hosted apps](/dotnet/azure/sdk/authentication-azure-hosted-apps) tutorial.
@@ -83,7 +79,7 @@ After you copy the connection string, write it to a new environment variable on
 setx AZURE_STORAGE_CONNECTION_STRING "<yourconnectionstring>"
 ```
 
-After you add the environment variable in Windows, you must start a new instance of the command window. If you are using Visual Studio on Windows, you may need to relaunch Visual Studio after creating the environment variable for the change to be detected.
+After you add the environment variable in Windows, you must start a new instance of the command window. If you're using Visual Studio on Windows, you may need to relaunch Visual Studio after creating the environment variable for the change to be detected.
 
 **Linux**:
 
diff --git a/includes/visual-studio-add-identity.md b/includes/visual-studio-add-identity.md
