Merge pull request #262532 from rcdun/aoi_quickstart_cli_powershell

Add Azure CLI experiences to quickstart for Operator Insights

Author: v-dirichards

articles/operator-insights/data-product-create.md

@@ -24,30 +24,188 @@ In this article, you learn how to create an Azure Operator Insights Data Product
 - (Optional) If you plan to integrate Data Product with Microsoft Purview, you must have an active Purview account. Make note of the Purview collection ID when you [set up Microsoft Purview with a Data Product](purview-setup.md).
 - After obtaining your subscription access, register the Microsoft.NetworkAnalytics and Microsoft.HybridNetwork Resource Providers (RPs) to continue. For guidance on registering RPs in your subscription, see [Register resource providers in Azure](../azure-resource-manager/management/resource-providers-and-types.md#azure-portal).
 
-### For CMK-based data encryption or Microsoft Purview
+## Prepare your Azure portal or Azure CLI environment
+
+You can use the Azure portal or the Azure CLI to follow the steps in this article.
+
+
+# [Portal](#tab/azure-portal)
+
+Confirm that you can sign in to the [Azure portal](https://portal.azure.com) and can access the subscription.
+
+# [Azure CLI](#tab/azure-cli)
+
+You can run Azure CLI commands in one of two ways:
+
+- You can run CLI commands from within the Azure portal, in Azure Cloud Shell.
+- You can install the CLI and run CLI commands locally.
+
+### Use Azure Cloud Shell
+
+Azure Cloud Shell is a free Bash shell that you can run directly within the Azure portal. The Azure CLI is preinstalled and configured to use with your account. Select the **Cloud Shell** button on the menu in the upper-right section of the Azure portal:
+
+[![Screenshot of Cloud Shell menu.](./media/dp-quickstart-create/cloud-shell-menu.png)](https://portal.azure.com)
+
+The button launches an interactive shell that you can use to run the steps outlined in this how-to article:
+
+[![Screenshot showing the Cloud Shell window in the portal.](./media/dp-quickstart-create/cloud-shell.png)](https://portal.azure.com)
+
+
+### Install the Azure CLI locally
+
+You can also install and use the Azure CLI locally. If you plan to use Azure CLI locally, make sure you have installed the latest version of the Azure CLI. See [Install the Azure CLI](/cli/azure/install-azure-cli).
+
+To log into your local installation of the CLI, run the az sign-in command:
+
+```azurecli-interactive
+az login
+```
+
+### Change the active subscription
+
+Azure subscriptions have both a name and an ID. You can switch to a different subscription with [az account set](/cli/azure/account#az-account-set), specifying the desired subscription name or ID.
+
+- To use the name to change the active subscription:
+    ```azurecli-interactive
+    az account set --subscription "<SubscriptionName>"
+    ```
+- To use the ID to change the active subscription:
+    ```azurecli-interactive
+    az account set --subscription "<SubscriptionID>"
+    ```
+
+> [!NOTE]
+> Replace any values shown in the form \<KeyVaultName\> with the values for your deployment.
+
+---
+
+## Create a resource group
+
+A resource group is a logical container into which Azure resources are deployed and managed.
+
+# [Portal](#tab/azure-portal)
+
+If you plan to use CMK-based data encryption or Microsoft Purview, set up a resource group now:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select **Resource groups**.
+1. Select **Create** and follow the prompts. 
+
+For more information, see [Create resource groups](../azure-resource-manager/management/manage-resource-groups-portal.md#create-resource-groups).
+
+If you don't plan to use CMK-based date encryption or Microsoft Purview, you can set up a resource group now or when you [create the Data Product resource](#create-an-azure-operator-insights-data-product-resource).
+
+# [Azure CLI](#tab/azure-cli)
+
+Use the `az group create` command to create a resource group named \<ResourceGroup\> in the region where you want to deploy.
+
+```azurecli-interactive
+az group create --name "<ResourceGroup>" --location "<Region>"
+```
+---
+
+## Set up resources for CMK-based data encryption or Microsoft Purview
 
 If you're using CMK-based data encryption or Microsoft Purview, you must set up Azure Key Vault and user-assigned managed identity (UAMI) as prerequisites.
 
-#### Set up Azure Key Vault
+### Set up Azure Key Vault
 
 Azure key Vault Resource is used to store your Customer Managed Key (CMK) for data encryption. Data Product uses this key to encrypt your data over and above the standard storage encryption. You need to have Subscription/Resource group owner permissions to perform this step.
-1. [Create an Azure Key Vault resource](../key-vault/general/quick-create-portal.md) in the same subscription and resource group where you intend to deploy the Data Product resource.
+
+# [Portal](#tab/azure-portal)
+
+1. [Create an Azure Key Vault resource](../key-vault/general/quick-create-portal.md) in the same subscription and resource group that you set up in [Create a resource group](#create-a-resource-group).
 1. Provide your user account with the Key Vault Administrator role on the Azure Key Vault resource. This is done via the **Access Control (IAM)** tab on the Azure Key Vault resource.
 1. Navigate to the object and select **Keys**. Select **Generate/Import**.
 1. Enter a name for the key and select **Create**.
 1. Select the newly created key and select the current version of the key.
 1. Copy the Key Identifier URI to your clipboard to use when creating the Data Product.
 
-#### Set up user-assigned managed identity
+# [Azure CLI](#tab/azure-cli)
+
+<!-- CLI link is [Create an Azure Key Vault resource](../key-vault/general/quick-create-cli.md) in the same subscription and resource group where you intend to deploy the Data Product resource. --> 
+
+#### Create a key vault
+
+Use the Azure CLI `az keyvault create` command to create a Key Vault in the resource group from the previous step. You must provide:
+
+- A name for the key vault: A string of 3 to 24 characters that can contain only numbers (0-9), letters (a-z, A-Z), and hyphens (-). Each key vault must have a unique name.
+- The resource group that you created in [Create a resource group](#create-a-resource-group).
+- The region in which you created the resource group.
+ 
+```azurecli-interactive
+az keyvault create --name "<KeyVaultName>" --resource-group "<ResourceGroup>" --location "<Region>"
+```
+
+The output of this command shows properties of the newly created key vault. Take note of:
+
+- Vault Name: The name you provided to the `--name` parameter you ran.
+- Vault URI: In the example, the URI is `https://<KeyVaultName>.vault.azure.net/`. Applications that use your vault through its REST API must use this URI.
+
+At this point, your Azure account is the only one authorized to perform any operations on this new vault.
+
+#### Assign roles for the key vault
+
+Provide your user account with the Key Vault Administrator role on the Azure Key Vault resource.
+
+```azurecli-interactive
+az role assignment create --role "Key Vault Administrator" --assignee <YourEmailAddress> --scope /subscriptions/<SubscriptionID>/resourcegroups/<ResourceGroup>/providers/Microsoft.KeyVault/vaults/<KeyVaultName>
+```
+
+#### Create a key
+
+```azurecli-interactive
+az keyvault key create --vault-name "<KeyVaultName>" -n <keyName> --protection software
+```
+
+From the output screen, copy the `KeyID` and store it in your clipboard for later use.
+
+---
+
+<!-- PowerShell link is  [Create an Azure Key Vault resource](../key-vault/general/quick-create-powershell.md) in the same subscription and resource group where you intend to deploy the Data Product resource. --> 
+
+### Set up a user-assigned managed identity
+
+# [Portal](#tab/azure-portal)
 
 1. [Create a user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity) using Microsoft Entra ID for CMK-based encryption. The Data Product also uses the user-assigned managed identity (UAMI) to interact with the Microsoft Purview account.
 1. Navigate to the Azure Key Vault resource that you created earlier and assign the UAMI with **Key Vault Administrator** role.
 
+# [Azure CLI](#tab/azure-cli)
+
+<!-- Managed identity link for the CLI: /entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azcli -->
+
+#### Create a user-assigned managed identity
+
+To create a user-assigned managed identity, your account needs the Managed Identity Contributor role assignment.
+
+Use the `az identity create` command to create a user-assigned managed identity. The -g parameter specifies the resource group where to create the user-assigned managed identity. The -n parameter specifies its name. Replace the \<ResourceGroup\> and \<UserAssignedIdentityName\> parameter values with your own values.
+
+> [!IMPORTANT]
+> When you create user-assigned managed identities, only alphanumeric characters (0-9, a-z, and A-Z) and the hyphen (-) are supported. 
+
+```azurecli-interactive
+az identity create -g <ResourceGroup> -n <UserAssignedIdentityName>
+```
+
+Copy the `principalId` from the output screen and store it in your clipboard for later use.
 
-## Create an Azure Operator Insights Data Product resource in the Azure portal
+#### Assign the user-assigned managed identity to the key vault
+
+```azurecli-interactive
+az role assignment create --role "Key Vault Administrator" --assignee <principalId> --scope /subscriptions/<SubscriptionID>/resourcegroups/<ResourceGroup>/providers/Microsoft.KeyVault/vaults/<KeyVaultName>
+```
+
+---
+
+<!-- Managed identity link for PowerShell: /entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-powershell -->
+
+## Create an Azure Operator Insights Data Product resource
 
 You create the Azure Operator Insights Data Product resource.
 
+# [Portal](#tab/azure-portal)
+
 1. Sign in to the [Azure portal](https://portal.azure.com/).
 1. In the search bar, search for Operator Insights and select **Azure Operator Insights - Data Products**.
 1. On the Azure Operator Insights - Data Products page, select **Create**.
@@ -74,7 +232,33 @@ You create the Azure Operator Insights Data Product resource.
 1. Select **Review + create**.
 1. Select **Create**. Your Data Product instance is created in about 20-25 minutes. During this time, all the underlying components are provisioned. After this process completes, you can work with your data ingestion, explore sample dashboards and queries, and so on.
 
-## Deploy Sample Insights
+# [Azure CLI](#tab/azure-cli)
+
+To create an Azure Operator Insights Data Product with the minimum required parameters, use the following command:
+
+```azurecli-interactive
+az network-analytics data-product create --name <DataProductName> --resource-group <ResourceGroup> --location <Region> --publisher Microsoft --product <ProductName> --major-version  <ProductMajorVersion>
+```
+
+Use the following values for \<ProductName\> and \<ProductMajorVersion>.
+
+
+|Date Product  |\<ProductName\> |\<ProductMajorVersion>|
+|---------|---------|---------|
+|Quality of Experience - Affirmed MCC GIGW |`Quality of Experience - Affirmed MCC GIGW`|`1.0`|
+|Quality of Experience - Affirmed MCC PGW or GGSN |`Quality of Experience - Affirmed MCC PGW or GGSN`|`1.0`|
+|Monitoring - Affirmed MCC|`Monitoring - Affirmed MCC`|`0` or `1`|
+
+
+To create an Azure Operator Insights DataProduct with all parameters, use the following command:
+
+```azurecli-interactive
+az network-analytics data-product create --name <DataProductName> --resource-group <ResourceGroup> --location <Region> --publisher Microsoft --product <ProductName> --major-version  <ProductMajorVersion --owners <<xyz@email>> --customer-managed-key-encryption-enabled Enabled --key-encryption-enable Enabled --encryption-key '{"keyVaultUri":"<VaultURI>","keyName":"<KeyName>","keyVersion":"<KeyVersion>"}' --purview-account <PurviewAccount> --purview-collection <PurviewCollection> --identity '{"type":"userAssigned","userAssignedIdentities":{"/subscriptions/<SubscriptionID>/resourceGroups/<ResourceGroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<UserAssignedIdentityName>"}}' --tags '{"key1":"value1","key2":"value2"}'
+```
+
+---
+
+## Deploy sample insights
 
 Once your Data Product instance is created, you can deploy a sample insights dashboard. This dashboard works with the sample data that came along with the Data Product instance.
 
@@ -139,7 +323,16 @@ The consumption URL also allows you to write your own Kusto query to get insight
 
 When you have finished exploring Azure Operator Insights Data Product, you should delete the resources you've created to avoid unnecessary Azure costs.
 
+# [Portal](#tab/azure-portal)
+
 1. On the **Home** page of the Azure portal, select **Resource groups**.
 1. Select the resource group for your Azure Operator Insights Data Product and verify that it contains the Azure Operator Insights Data Product instance.
 1. At the top of the Overview page for your resource group, select **Delete resource group**.
 1. Enter the resource group name to confirm the deletion, and select **Delete**.
+
+# [Azure CLI](#tab/azure-cli)
+
+```azurecli-interactive
+az group delete --name "ResourceGroup"
+```
+---

articles/operator-insights/media/dp-quickstart-create/cloud-shell-menu.png

@@ -31,7 +31,7 @@ You can access your Purview account through the Azure portal by going to `https:
 
 To begin to catalog a data product in this account, [create a collection](../purview/how-to-create-and-manage-collections.md) to hold the Data Product.
 
-Provide the user-assigned managed identity (UAMI) for your Azure Operator Insights Data Product with necessary roles in the Microsoft Purview compliance portal. This UAMI was set up when the Data Product was created. For information on how to set up this UAMI, see [Set up user-assigned managed identity](data-product-create.md#set-up-user-assigned-managed-identity). At the desired collection, assign this UAMI to the **Collection admin**, **Data source admin**, and **Data curator** roles. Alternately, you can apply the UAMI at the root collection/account level. All collections would inherit these role assignments by default.
+Provide the user-assigned managed identity (UAMI) for your Azure Operator Insights Data Product with necessary roles in the Microsoft Purview compliance portal. This UAMI was set up when the Data Product was created. For information on how to set up this UAMI, see [Set up a user-assigned managed identity](data-product-create.md#set-up-a-user-assigned-managed-identity). At the desired collection, assign this UAMI to the **Collection admin**, **Data source admin**, and **Data curator** roles. Alternately, you can apply the UAMI at the root collection/account level. All collections would inherit these role assignments by default.
 
 :::image type="content" source="media/purview-setup/data-product-role-assignments.png" alt-text="Screenshot of collections with Role assignment tab open and icon to add the UAMI to the collection admins role highlighted.":::