Merge pull request #107808 from orspod/2020-3-1-CMK-updates

CMK updates

Author: megvanhuygen

articles/data-explorer/managed-identities.md

@@ -6,27 +6,49 @@ ms.author: itsagui
 ms.reviewer: orspodek
 ms.service: data-explorer
 ms.topic: conceptual
-ms.date: 01/06/2020
+ms.date: 03/12/2020
 ---
 
 # Configure managed identities for your Azure Data Explorer cluster
 
 A [managed identity from Azure Active Directory](/azure/active-directory/managed-identities-azure-resources/overview) allows your cluster to easily access other AAD-protected resources such as Azure Key Vault. The identity is managed by the Azure platform and doesn't require you to provision or rotate any secrets. This article shows you how to create a managed identity for Azure Data Explorer clusters. Managed identity configuration is currently supported only to [enable customer-managed keys for your cluster](/azure/data-explorer/security#customer-managed-keys-with-azure-key-vault).
 
 > [!Note]
-> Managed identities for Azure Data Explorer won't behave as expected if your app is migrated across subscriptions or tenants. The app will need to obtain a new identity, which can be done by disabling and re-enabling the feature using [remove an identity](#remove-an-identity). Access policies of downstream resources will also need to be updated to use the new identity.
+> Managed identities for Azure Data Explorer won't behave as expected if your app is migrated across subscriptions or tenants. The app will need to obtain a new identity, which can be done by [disabling](#remove-a-system-assigned-identity) and [re-enabling](#add-a-system-assigned-identity) the feature. Access policies of downstream resources will also need to be updated to use the new identity.
 
 ## Add a system-assigned identity
+                                                                                                    
+Assign a system-assigned identity that is tied to your cluster, and is deleted if your cluster is deleted. A cluster can only have one system-assigned identity. Creating a cluster with a system-assigned identity requires an additional property to be set on the cluster. The system-assigned identity is added using C#, ARM templates, or the Azure portal as detailed below.
 
-Your cluster can be assigned a **system-assigned identity** that is tied to your cluster, and is deleted if your cluster is deleted. A cluster can only have one system-assigned identity. Creating a cluster with a system-assigned identity requires an additional property to be set on the cluster.
+# [Azure portal](#tab/portal)
+
+### Add a system-assigned identity using the Azure portal
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+1. [Create an Azure Data Explorer cluster](/azure/data-explorer/create-cluster-database-portal#create-a-cluster)
+1. Select **Settings** > **Identity** in left pane of portal.
+1. In the **Identity** pane > **System assigned** tab:
+   1. Move the **Status** slider to **On**.
+   1. Select **Save**
+   1. In the pop-up window, select **Yes**
+
+    ![Add system assigned identity](media/managed-identities/turn-system-assigned-identity-on.png)
+
+1. After a few minutes, the resulting screen shows **Object ID** and **Role assignments**.
+
+    ![System assigned identity on](media/managed-identities/system-assigned-identity-on.png)
+
+# [C#](#tab/c-sharp)
 
 ### Add a system-assigned identity using C#
 
-To set up a managed identity using the Azure Data Explorer C# client, do the following:
+#### Prerequisites
+
+To set up a managed identity using the Azure Data Explorer C# client:
 
 * Install the [Azure Data Explorer (Kusto) NuGet package](https://www.nuget.org/packages/Microsoft.Azure.Management.Kusto/).
 * Install the [Microsoft.IdentityModel.Clients.ActiveDirectory NuGet package](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) for authentication.
-* To run the following example, [create an Azure AD application](/azure/active-directory/develop/howto-create-service-principal-portal) and service principal that can access resources. You can add role assignment at the subscription scope and get the required `Directory (tenant) ID`, `Application ID`, and `Client Secret`.
+* [Create an Azure AD application](/azure/active-directory/develop/howto-create-service-principal-portal) and service principal that can access resources. You add role assignment at the subscription scope and get the required `Directory (tenant) ID`, `Application ID`, and `Client Secret`.
 
 #### Create or update your cluster
 
@@ -47,7 +69,7 @@ To set up a managed identity using the Azure Data Explorer C# client, do the fol
     {
         SubscriptionId = subscriptionId
     };
-    
+                                                                                                    
     var resourceGroupName = "testrg";
     var clusterName = "mykustocluster";
     var location = "Central US";
@@ -67,13 +89,15 @@ To set up a managed identity using the Azure Data Explorer C# client, do the fol
     ```
 
     If the result contains `ProvisioningState` with the `Succeeded` value, then the cluster was created or updated, and should have the following properties:
-   
+
     ```csharp
     var principalId = cluster.Identity.PrincipalId;
     var tenantId = cluster.Identity.TenantId;
     ```
 
-    `PrincipalId` and `TenantId` are replaced with GUIDs. The `TenantId` property identifies the AAD tenant to which the identity belongs. The `PrincipalId` is a unique identifier for the cluster's new identity. Within AAD, the service principal has the same name that you gave to your App Service or Azure Functions instance.
+`PrincipalId` and `TenantId` are replaced with GUIDs. The `TenantId` property identifies the AAD tenant to which the identity belongs. The `PrincipalId` is a unique identifier for the cluster's new identity. Within AAD, the service principal has the same name that you gave to your App Service or Azure Functions instance.
+
+# [ARM template](#tab/arm)
 
 ### Add a system-assigned identity using an Azure Resource Manager template
 
@@ -120,16 +144,51 @@ When the cluster is created, it has the following additional properties:
 
 `<TENANTID>` and `<PRINCIPALID>` are replaced with GUIDs. The `TenantId` property identifies the AAD tenant to which the identity belongs. The `PrincipalId` is a unique identifier for the cluster's new identity. Within AAD, the service principal has the same name that you gave to your App Service or Azure Functions instance.
 
-## Remove an identity
+---
+
+## Remove a system-assigned identity
+
+Removing a system-assigned identity will also delete it from AAD. System-assigned identities are also automatically removed from AAD when the cluster resource is deleted. A system-assigned identity can be removed by disabling the feature.  The system-assigned identity is removed using C#, ARM templates, or the Azure portal as detailed below.
 
-Removing a system-assigned identity will also delete it from AAD. System-assigned identities are also automatically removed from AAD when the cluster resource is deleted. A system-assigned identity can be removed by disabling the feature:
+# [Azure portal](#tab/portal)
+
+### Remove a system-assigned identity using the Azure portal
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+1. Select **Settings** > **Identity** in left pane of portal.
+1. In the **Identity** pane > **System assigned** tab:
+    1. Move the **Status** slider to **Off**.
+    1. Select **Save**
+    1. In the pop-up window, select **Yes** to disable the system-assigned identity. The **Identity** pane reverts to same condition as before the addition of the system-assigned identity.
+
+    ![System assigned identity off](media/managed-identities/system-assigned-identity.png)
+
+# [C#](#tab/c-sharp)
+
+### Remove a system-assigned identity using C#
+
+Run the following to remove the system-assigned identity:
+
+```csharp
+var identity = new Identity(IdentityType.None);
+var cluster = new Cluster(location, sku, identity: identity);
+await kustoManagementClient.Clusters.CreateOrUpdateAsync(resourceGroupName, clusterName, cluster);
+```
+
+# [ARM template](#tab/arm)
+
+### Remove a system-assigned identity using an Azure Resource Manager template
+
+Run the following to remove the system-assigned identity:
 
 ```json
 "identity": {
     "type": "None"
 }
 ```
 
+---
+
 ## Next steps
 
 * [Secure Azure Data Explorer clusters in Azure](security.md)