Updated Entra sections

gsteve88 · gsteve88 · commit 18e0d20f02b8 · 2024-11-10T17:09:35.000-08:00
diff --git a/includes/iot-hub-howto-connect-service-iothub-entra-dotnet.md b/includes/iot-hub-howto-connect-service-iothub-entra-dotnet.md
@@ -12,7 +12,9 @@ ms.date: 11/06/2024
 ms.custom: mqtt, devx-track-csharp, devx-track-dotnet
 ---
 
-Use [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) to use Microsoft Entra to authenticate a connection to IoT Hub. `DefaultAzureCredential` supports different authentication mechanisms and determines the appropriate credential type based of the environment it's executing in. It attempts to use multiple credential types in an order until it finds a working credential. For more information on setting up Entra for IoT Hub, see [Control access to IoT Hub by using Microsoft Entra ID](/azure/iot-hub/authenticate-authorize-azure-ad).
+##### Entra token credential
+
+Use [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential) to use Microsoft Entra to authenticate a connection to IoT Hub. `DefaultAzureCredential` supports different authentication mechanisms and determines the appropriate credential type based on the environment it's executing in. It attempts to use multiple credential types in an order until it finds a working credential. For more information on setting up Entra for IoT Hub, see [Control access to IoT Hub by using Microsoft Entra ID](/azure/iot-hub/authenticate-authorize-azure-ad).
 
 To create required Microsoft Entra app parameters for `DefaultAzureCredential`, create a Microsoft Entra app registration that contains your preferred authentication mechanism:
 
@@ -22,8 +24,12 @@ To create required Microsoft Entra app parameters for `DefaultAzureCredential`,
 
 For more information, see [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app).
 
+#### Entra app permissions
+
 Microsoft Entra apps may require permissions depending on operations performed. For example, [IoT Hub Twin Contributor](/azure/role-based-access-control/built-in-roles/internet-of-things#iot-hub-twin-contributor) is required to enable read and write access to a IoT Hub device and module twins. For more information, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles#internet-of-things).
 
+### Connect to IoT Hub
+
 Add these packages and statements to your code to use the Microsoft Entra library.
 
 Packages:
diff --git a/includes/iot-hub-howto-connect-service-iothub-entra-node.md b/includes/iot-hub-howto-connect-service-iothub-entra-node.md
@@ -16,11 +16,21 @@ For an overview of Node.js SDK authentication, see:
 * [Getting started with user authentication on Azure](/azure/developer/javascript/how-to/with-authentication/getting-started)
 * [Azure Identity client library for JavaScript](/javascript/api/overview/azure/identity-readme)
 
-### Entra token credential
+##### Entra token credential
 
 Use [DefaultAzureCredential](/javascript/api/@azure/identity/defaultazurecredential) to generate a token. The token will be supplied to `fromTokenCredential`.
 
-### Connect to IoT Hub
+To create required Microsoft Entra app parameters for `DefaultAzureCredential`, create a Microsoft Entra app registration that contains your selected authentication mechanism:
+
+* Client secret
+* Certificate
+* Federated identity credential
+
+For more information, see [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app).
+
+Microsoft Entra apps may require permissions depending on operations performed. For example, [IoT Hub Twin Contributor](/azure/role-based-access-control/built-in-roles/internet-of-things#iot-hub-twin-contributor) is required to enable read and write access to a IoT Hub device and module twins. For more information, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles#internet-of-things).
+
+##### Connect to IoT Hub
 
 Use [fromTokenCredential](/javascript/api/azure-iothub/registry?#azure-iothub-registry-fromtokencredential) to create a service connection to IoT Hub using an Entra token credential.
 
diff --git a/includes/iot-hub-howto-connect-service-iothub-entra-python.md b/includes/iot-hub-howto-connect-service-iothub-entra-python.md
@@ -11,15 +11,25 @@ ms.manager: lizross
 ms.date: 11/06/2024
 ---
 
-For an overview of Python SDK authentication, see [Authenticate Python apps to Azure services by using the Azure SDK for Python](https://learn.microsoft.com/en-us/azure/developer/python/sdk/authentication/overview)
+For an overview of Python SDK authentication, see [Authenticate Python apps to Azure services by using the Azure SDK for Python](/azure/developer/python/sdk/authentication/overview)
 
 ### Entra token credential
 
 You must generate and supply a token credential to `from_token_credential`.
 
 [DefaultAzureCredential](/azure/developer/python/sdk/authentication/overview#use-defaultazurecredential-in-an-application) is the easiest way to generate a token. You can also use credential chains to generate a token. For more information, see [Credential chains in the Azure Identity client library for Python](/azure/developer/python/sdk/authentication/credential-chains).
 
-### Connect to IoT Hub
+To create required Microsoft Entra app parameters for `DefaultAzureCredential`, create a Microsoft Entra app registration that contains your selected authentication mechanism:
+
+* Client secret
+* Certificate
+* Federated identity credential
+
+For more information, see [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app).
+
+Microsoft Entra apps may require permissions depending on operations performed. For example, [IoT Hub Twin Contributor](/azure/role-based-access-control/built-in-roles/internet-of-things#iot-hub-twin-contributor) is required to enable read and write access to a IoT Hub device and module twins. For more information, see [Azure built-in roles](/azure/role-based-access-control/built-in-roles#internet-of-things).
+
+#### Connect to IoT Hub
 
 Use [from_token_credential](/python/api/azure-iot-hub/azure.iot.hub.iothubregistrymanager?#azure-iot-hub-iothubregistrymanager-from-token-credential) to create a service connection to IoT Hub using an Entra token credential.
 
@@ -28,7 +38,7 @@ Use [from_token_credential](/python/api/azure-iot-hub/azure.iot.hub.iothubregist
 * The Azure service URL
 * The Azure credential token
 
-In this example, the Azure credential is obtained using `DefaultAzureCredential`. THe Azure domain URL and credential are then supplied to `BlobServiceClient`.
+In this example, the Azure credential is obtained using `DefaultAzureCredential`. The Azure domain URL and credential are then supplied to `BlobServiceClient`.
 
 ```python
 from azure.identity import DefaultAzureCredential
diff --git a/includes/iot-hub-howto-module-twins-node.md b/includes/iot-hub-howto-module-twins-node.md
@@ -325,6 +325,13 @@ let Registry = require('azure-iothub').Registry;
 
 ### Connect to IoT hub
 
+You can connect a backend service to IoT Hub using the following methods:
+
+* Shared access policy
+* Microsoft Entra
+
+#### Connect using a shared access policy
+
 Use [fromConnectionString](/javascript/api/azure-iothub/registry?#azure-iothub-registry-fromconnectionstring) to connect to IoT hub.
 
 The SDK methods in this section require these shared access policy permissions:
@@ -339,6 +346,10 @@ let connectionString = '{IoT hub shared access policy connection string}';
 let registry = Registry.fromConnectionString(serviceConnectionString);
 ```
 
+#### Connect using Microsoft Entra
+
+[!INCLUDE [iot-hub-howto-connect-service-iothub-entra-node](iot-hub-howto-connect-service-iothub-entra-node.md)]
+
 ### Retrieve a module identity twin and update desired properties
 
 You can create a patch that contains desired property updates for a module identity twin.
diff --git a/includes/iot-hub-howto-module-twins-python.md b/includes/iot-hub-howto-module-twins-python.md
@@ -164,6 +164,13 @@ from azure.iot.hub.models import Twin, TwinProperties, QuerySpecification, Query
 
 ### Connect to IoT hub
 
+You can connect a backend service to IoT Hub using the following methods:
+
+* Shared access policy
+* Microsoft Entra
+
+#### Connect using a shared access policy
+
 Connect to IoT hub using [from_connection_string](/python/api/azure-iot-hub/azure.iot.hub.iothubregistrymanager?#azure-iot-hub-iothubregistrymanager-from-connection-string).
 
 The SDK methods in this section require these shared access policy permissions:
@@ -181,6 +188,10 @@ IOTHUB_CONNECTION_STRING = "{IoT hub shared access policy connection string}"
 iothub_registry_manager = IoTHubRegistryManager.from_connection_string(IOTHUB_CONNECTION_STRING)
 ```
 
+#### Connect using Microsoft Entra
+
+[!INCLUDE [iot-hub-howto-connect-service-iothub-entra-python](iot-hub-howto-connect-service-iothub-entra-python.md)]
+
 ### Retrieve and update module identity twin desired properties
 
 You can update desired properties from a backend application using [update_module_twin](/python/api/azure-iot-hub/azure.iot.hub.iothubregistrymanager?#azure-iot-hub-iothubregistrymanager-update-module-twin).
