Merge pull request #295084 from MicrosoftDocs/main

2/21 11:00 AM IST Publish

Author: Saisang

articles/app-service/overview-managed-identity.md

@@ -31,8 +31,23 @@ This video shows you how to use managed identities for App Service.
 
 The steps in the video are also described in the following sections.
 
+## Prerequisites
+
+To perform the steps covered in this document, you must have a minimum set of permissions over your Azure resources. The specific permissions set you need will vary based on your scenario. The most common scenarios are summarized in the following table:
+
+| Scenario | Required permission | Example built-in roles |
+|-|-|-|
+| [Create a system-assigned identity for your app](#add-a-system-assigned-identity) | `Microsoft.Web/sites/write` over the app (or `Microsoft.Web/sites/slots/write` over the slot) | [Website Contributor] |
+| [Create a user-assigned identity][create-user-assigned] | `Microsoft.ManagedIdentity/userAssignedIdentities/write` over the resource group in which the identity will be created | [Managed Identity Contributor] |
+| [Assign a user-assigned identity to your app](#add-a-user-assigned-identity) | `Microsoft.Web/sites/write` over the app (or `Microsoft.Web/sites/slots/write` over the slot),<br/>`Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action` over the identity | [Website Contributor] and [Managed Identity Operator] |
+| [Create Azure role assignments][role-assignment] | `Microsoft.Authorization/roleAssignments/write` (over the target resource scope) | [Role Based Access Control Administrator] or [User Access Administrator] |
+
+A different set of permissions might be needed for other scenarios.
+
 ## Add a system-assigned identity
 
+To enable a system-assigned managed identity on your app or slot, you need write permissions over that app or slot. The [Website Contributor] role provides these permissions.
+
 # [Azure portal](#tab/portal)
 
 1. Access your app's settings in the [Azure portal](https://portal.azure.com) under the **Settings** group in the left navigation pane.
@@ -135,11 +150,13 @@ If you need to reference these properties in a later stage in the template, you
 
 Creating an app with a user-assigned identity requires that you create the identity and then add its resource identifier to your app config.
 
+To assign a user-assigned managed identity to your app or slot, you need write permissions over that app or slot. The [Website Contributor] role provides these permissions. You must also have permission to assign the user-assigned managed identity you will be using. The [Managed Identity Operator] role provides these permissions.
+
 # [Azure portal](#tab/portal)
 
 First, you'll need to create a user-assigned identity resource.
 
-1. Create a user-assigned managed identity resource according to [these instructions](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md#create-a-user-assigned-managed-identity).
+1. Create a user-assigned managed identity resource according to [these instructions][create-user-assigned].
 
 1. In the left navigation for your app's page, scroll down to the **Settings** group.
 
@@ -256,10 +273,12 @@ The principalId is a unique identifier for the identity that's used for Microsof
 
 ## Configure target resource
 
-You may need to configure the target resource to allow access from your app or function. For example, if you [request a token](#connect-to-azure-services-in-app-code) to access Key Vault, you must also add an access policy that includes the managed identity of your app or function. Otherwise, your calls to Key Vault will be rejected, even if you use a valid token. The same is true for Azure SQL Database. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication).
+You need to configure the target resource to allow access from your app. For most Azure services, you do this by [creating a role assignment][role-assignment]. Some services use mechanisms other than Azure RBAC. Refer to the documentation for each target resource to understand how to configure access using an identity. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication).
+
+For example, if you [request a token](#connect-to-azure-services-in-app-code) to access a secret in Key Vault, you must also create a role assignment that allows the managed identity to work with secrets in the target vault. Otherwise, your calls to Key Vault will be rejected, even if you use a valid token. The same is true for Azure SQL Database and other services.
 
 > [!IMPORTANT]
-> The back-end services for managed identities maintain a cache per resource URI for around 24 hours. This means that it can take several hours for changes to a managed identity's group or role membership to take effect. Today, it is not possible to force a managed identity's token to be refreshed before its expiry. If you change a managed identity’s group or role membership to add or remove permissions, you may therefore need to wait several hours for the Azure resource using the identity to have the correct access. For alternatives to groups or role memberships, see [Limitation of using managed identities for authorization](/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations).
+> The back-end services for managed identities maintain a cache per resource URI for around 24 hours. This means that it can take several hours for changes to a managed identity's group or role membership to take effect. Today, it is not possible to force a managed identity's token to be refreshed before its expiry. If you change a managed identity’s group or role membership to add or remove permissions, you may therefore need to wait several hours for the Azure resource using the identity to have the correct access. For alternatives to groups or role memberships, see [Limitation of using managed identities for authorization](/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations#limitation-of-using-managed-identities-for-authorization).
 
 ## Connect to Azure services in app code
 
@@ -363,10 +382,13 @@ $accessToken = $tokenResponse.access_token
 -----
 
 For more information on the REST endpoint, see [REST endpoint reference](#rest-endpoint-reference).
+
 ## <a name="remove"></a>Remove an identity
 
 When you remove a system-assigned identity, it's deleted from Microsoft Entra ID. System-assigned identities are also automatically removed from Microsoft Entra ID when you delete the app resource itself.
 
+To remove a managed identity from your app or slot, you need write permissions over that app or slot. The [Website Contributor] role provides these permissions.
+
 # [Azure portal](#tab/portal)
 
 1. In the left navigation of your app's page, scroll down to the **Settings** group.
@@ -453,3 +475,11 @@ The **IDENTITY_ENDPOINT** is a local URL from which your app can request tokens.
 - [Access Azure Storage securely using a managed identity](scenario-secure-app-access-storage.md)
 - [Call Microsoft Graph securely using a managed identity](scenario-secure-app-access-microsoft-graph-as-app.md)
 - [Connect securely to services with Key Vault secrets](tutorial-connect-msi-key-vault.md)
+
+[create-user-assigned]: /entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities#create-a-user-assigned-managed-identity
+[role-assignment]: ../role-based-access-control/role-assignments-steps.md
+[Managed Identity Contributor]: ../role-based-access-control/built-in-roles/identity.md#managed-identity-contributor
+[Managed Identity Operator]: ../role-based-access-control/built-in-roles/identity.md#managed-identity-operator
+[Website Contributor]: ../role-based-access-control/built-in-roles/web-and-mobile.md#website-contributor
+[Role Based Access Control Administrator]: ../role-based-access-control/built-in-roles/privileged.md#role-based-access-control-administrator
+[User Access Administrator]: ../role-based-access-control/built-in-roles/privileged.md#user-access-administrator

articles/application-gateway/toc.yml

@@ -1,18 +1,14 @@
 - name: Application Gateway documentation
   href: index.yml
-- name: Overview
+- name: Get started
+  expanded: true
   items:
-  - name: About application gateways
+  - name: Application Gateway overview
     href: overview.md
   - name: Application Gateway v2
     href: overview-v2.md
   - name: Application Gateway for Containers
     href: ./for-containers/overview.md
-  - name: Well-Architected review of Application Gateway
-    href: /azure/architecture/framework/services/networking/azure-application-gateway?toc=/azure/application-gateway/toc.json&bc=/azure/application-gateway/breadcrumb/toc.json
-- name: Quickstarts
-  expanded: true
-  items:
   - name: Create Application Gateway - Portal
     href: quick-create-portal.md
   - name: Create Application Gateway - PowerShell
@@ -27,26 +23,10 @@
     href: quick-create-template.md
   - name: Create Application Gateway - Terraform
     href: quick-create-terraform.md
-- name: Tutorials
-  items:
-  - name: Secure with SSL
-    href: create-ssl-portal.md
-  - name: Host multiple sites
-    href: create-multiple-sites-portal.md
-  - name: Route by URL
-    href: create-url-route-portal.md
-  - name: Redirect web traffic
-    href: tutorial-url-redirect-cli.md
-  - name: Autoscaling and zone redundant
-    href: tutorial-autoscale-ps.md
-  - name: Ingress Controller add-on for AKS (Greenfield)
-    href: tutorial-ingress-controller-add-on-new.md
-  - name: Ingress Controller add-on for AKS (Brownfield)
-    href: tutorial-ingress-controller-add-on-existing.md
-  - name: Deploy Application Gateway with DDoS protection
-    href: tutorial-protect-application-gateway.md
-- name: Concepts
+- name: Design
   items:
+  - name: Well-Architected review of Application Gateway
+    href: /azure/architecture/framework/services/networking/azure-application-gateway?toc=/azure/application-gateway/toc.json&bc=/azure/application-gateway/breadcrumb/toc.json
   - name: Basics
     items:
     - name: Application Gateway features
@@ -55,20 +35,20 @@
       href: how-application-gateway-works.md
     - name: Application Gateway components
       href: application-gateway-components.md
-    - name: Configuration
-      items:
-      - name: Overview
-        href: configuration-overview.md
-      - name: Infrastructure
-        href: configuration-infrastructure.md
-      - name: Frontend IP address
-        href: configuration-frontend-ip.md
-      - name: Listeners
-        href: configuration-listeners.md
-      - name: Request routing rules
-        href: configuration-request-routing-rules.md
-      - name: HTTP settings
-        href: configuration-http-settings.md
+  - name: Configuration
+    items:
+    - name: Overview
+      href: configuration-overview.md
+    - name: Infrastructure
+      href: configuration-infrastructure.md
+    - name: Frontend IP address
+      href: configuration-frontend-ip.md
+    - name: Listeners
+      href: configuration-listeners.md
+    - name: Request routing rules
+      href: configuration-request-routing-rules.md
+    - name: HTTP settings
+      href: configuration-http-settings.md
   - name: Routing
     items:
     - name: Multi-site hosting
@@ -79,38 +59,7 @@
       href: redirect-overview.md
     - name: Rewrite HTTP headers and URL
       href: rewrite-http-headers-url.md
-  - name: Security
-    items:
-    - name: Security baseline
-      href: /security/benchmark/azure/baselines/application-gateway-security-baseline?toc=/azure/application-gateway/toc.json
-    - name: Private Deployment
-      href: application-gateway-private-deployment.md
-    - name: Private Link
-      href: private-link.md
-  - name: SSL
-    items:
-    - name: SSL termination and end to end SSL
-      href: ssl-overview.md
-    - name: SSL policy overview
-      href: application-gateway-ssl-policy-overview.md
-    - name: Mutual authentication
-      href: mutual-authentication-overview.md
-    - name: Using Key Vault
-      href: key-vault-certs.md
-    - name: SSL certificate management
-      href: ssl-certificate-management.md
-  - name: Health monitoring
-    items:
-    - name: Monitor Application Gateway
-      href: monitor-application-gateway.md
-    - name: Health probe
-      href: application-gateway-probe-overview.md
-    - name: Backend health
-      href: application-gateway-backend-health.md      
-    - name: Diagnostic logs
-      href: application-gateway-diagnostics.md
-    - name: Metrics
-      href: application-gateway-metrics.md
+
   - name: TCP/TLS proxy
     href: tcp-tls-proxy-overview.md
   - name: Support for working remotely
@@ -127,8 +76,38 @@
     href: understanding-pricing.md
   - name: FAQ
     href: application-gateway-faq.yml
-- name: How-to guides
+- name: Security
+  items:
+  - name: Private Deployment
+    href: application-gateway-private-deployment.md
+  - name: Private Link
+    href: private-link.md
+  - name: Secure with SSL
+    href: create-ssl-portal.md
+  - name: SSL termination and end to end SSL
+    href: ssl-overview.md
+  - name: SSL policy overview
+    href: application-gateway-ssl-policy-overview.md
+  - name: Mutual authentication
+    href: mutual-authentication-overview.md
+  - name: Using Key Vault
+    href: key-vault-certs.md
+  - name: SSL certificate management
+    href: ssl-certificate-management.md
+  - name: Security baseline
+    href: /security/benchmark/azure/baselines/application-gateway-security-baseline?toc=/azure/application-gateway/toc.json
+- name: Deploy
   items:
+  - name: Host multiple sites
+    href: create-multiple-sites-portal.md
+  - name: Route by URL
+    href: create-url-route-portal.md
+  - name: Redirect web traffic
+    href: tutorial-url-redirect-cli.md
+  - name: Autoscaling and zone redundant
+    href: tutorial-autoscale-ps.md
+  - name: Deploy Application Gateway with DDoS protection
+    href: tutorial-protect-application-gateway.md
   - name: Configure TCP/TLS proxy
     items:
     - name: Azure portal
@@ -187,10 +166,14 @@
         href: application-gateway-configure-listener-specific-ssl-policy.md
   - name: Ingress for AKS 
     items:
-    - name: Ingress for AKS via Helm (Brownfield)
-      href: ingress-controller-install-existing.md
     - name: Ingress for AKS via Helm (Greenfield)
       href: ingress-controller-install-new.md
+    - name: Ingress Controller add-on for AKS (Greenfield)
+      href: tutorial-ingress-controller-add-on-new.md
+    - name: Ingress for AKS via Helm (Brownfield)
+      href: ingress-controller-install-existing.md
+    - name: Ingress Controller add-on for AKS (Brownfield)
+      href: tutorial-ingress-controller-add-on-existing.md
     - name: Migrate from Helm deployment to AKS add-on 
       href: ingress-controller-migration.md
     - name: Disable and re-enable AKS Ingress Controller add-on
@@ -301,50 +284,62 @@
       href: ../operational-excellence/relocation-app-gateway.md?toc=/azure/application-gateway/toc.json
     - name: Migrate to availability zone support
       href: ../reliability/migrate-app-gateway-v2.md?toc=/azure/application-gateway/toc.json
-  - name: Troubleshoot
-    items:
-      - name: ILB with an App Service Environment
-        href: create-gateway-internal-load-balancer-app-service-environment.md
-      - name: App service issues
-        href: troubleshoot-app-service-redirection-app-service-url.md
-      - name: Session affinity issues
-        href: how-to-troubleshoot-application-gateway-session-affinity-issues.md
-      - name: Bad Gateway (502) errors
-        href: application-gateway-troubleshooting-502.md
-      - name: HTTP response codes
-        href: http-response-codes.md
-      - name: Mutual authentication
-        href: mutual-authentication-troubleshooting.md
-      - name: Ingress for AKS 
-        href: ingress-controller-troubleshoot.md
-      - name: Resource Health
-        href: resource-health-overview.md
-      - name: Use Log Analytics
-        href: log-analytics.md
-      - name: Backend health issues
-        href: application-gateway-backend-health-troubleshooting.md
-      - name: Key Vault errors
-        href: application-gateway-key-vault-common-errors.md
-      - name: Disabled listeners
-        href: disabled-listeners.md
   - name: Proxy buffer configuration
     href: proxy-buffers.md
   - name: Custom error pages
     href: custom-error.md
   - name: Migrate to v2 SKU
     items:
-      - name: About v1 retirement
-        href: v1-retirement.md
-      - name: Migrate from v1 to v2
-        href: migrate-v1-v2.md  
-      - name: FAQ
-        href: retirement-faq.md
+    - name: About v1 retirement
+      href: v1-retirement.md
+    - name: Migrate from v1 to v2
+      href: migrate-v1-v2.md  
+    - name: Migration FAQ
+      href: retirement-faq.md
   - name: Configure alerts
     href: configure-alerts-with-templates.md
   - name: Classic to Resource Manager
     href: classic-to-resource-manager.md
   - name: Configure Private Link
     href: private-link-configure.md
+- name: Health monitoring
+  items:
+  - name: Monitor Application Gateway
+    href: monitor-application-gateway.md
+  - name: Health probe
+    href: application-gateway-probe-overview.md
+  - name: Backend health
+    href: application-gateway-backend-health.md      
+  - name: Diagnostic logs
+    href: application-gateway-diagnostics.md
+  - name: Metrics
+    href: application-gateway-metrics.md
+- name: Troubleshoot
+  items:
+  - name: ILB with an App Service Environment
+    href: create-gateway-internal-load-balancer-app-service-environment.md
+  - name: App service issues
+    href: troubleshoot-app-service-redirection-app-service-url.md
+  - name: Session affinity issues
+    href: how-to-troubleshoot-application-gateway-session-affinity-issues.md
+  - name: Bad Gateway (502) errors
+    href: application-gateway-troubleshooting-502.md
+  - name: HTTP response codes
+    href: http-response-codes.md
+  - name: Mutual authentication
+    href: mutual-authentication-troubleshooting.md
+  - name: Ingress for AKS 
+    href: ingress-controller-troubleshoot.md
+  - name: Resource Health
+    href: resource-health-overview.md
+  - name: Use Log Analytics
+    href: log-analytics.md
+  - name: Backend health issues
+    href: application-gateway-backend-health-troubleshooting.md
+  - name: Key Vault errors
+    href: application-gateway-key-vault-common-errors.md
+  - name: Disabled listeners
+    href: disabled-listeners.md
 - name: Reference
   items:
   - name: Monitoring data reference