Merge pull request #287721 from kgremban/m2-touchups

Touchups from reviews

Author: Stacyrch140

articles/iot-operations/deploy-iot-ops/howto-deploy-iot-operations.md

@@ -73,6 +73,95 @@ Use the Azure portal or Azure CLI to deploy Azure IoT Operations to your Arc-ena
 
 The Azure portal deployment experience is a helper tool that generates a deployment command based on your resources and configuration. The final step is to run an Azure CLI command, so you still need the Azure CLI prerequisites described in the previous section.
 
+### [Azure portal](#tab/portal)
+
+1. In the [Azure portal](https://portal.azure.com), search for and select **Azure IoT Operations**.
+
+1. Select **Create**.
+
+1. On the **Basics** tab, provide the following information:
+
+   | Parameter | Value |
+   | --------- | ----- |
+   | **Subscription** | Select the subscription that contains your Arc-enabled cluster. |
+   | **Resource group** | Select the resource group that contains your Arc-enabled cluster. |
+   | **Cluster name** | Select the cluster that you want to deploy Azure IoT Operations to. |
+   | **Custom location name** | *Optional*: Replace the default name for the custom location. |
+
+   :::image type="content" source="./media/howto-deploy-iot-operations/deploy-basics.png" alt-text="A screenshot that shows the first tab for deploying Azure IoT Operations from the portal.":::
+
+1. Select **Next: Configuration**.
+
+1. On the **Configuration** tab, provide the following information:
+
+   | Parameter | Value |
+   | --------- | ----- |
+   | **Azure IoT Operations name** | *Optional*: Replace the default name for the Azure IoT Operations instance. |
+   | **MQTT broker configuration** | *Optional*: Edit the default settings for the MQTT broker. For more information, see [Configure core MQTT broker settings](../manage-mqtt-broker/howto-configure-availability-scale.md). |
+   | **Dataflow profile configuration** | *Optional*: Edit the default settings for dataflows. For more information, see [Configure dataflow profile](../connect-to-cloud/howto-configure-dataflow-profile.md). |
+
+   :::image type="content" source="./media/howto-deploy-iot-operations/deploy-configuration.png" alt-text="A screenshot that shows the second tab for deploying Azure IoT Operations from the portal.":::
+
+1. Select **Next: Dependency management**.
+
+1. On the **Dependency management** tab, select an existing schema registry or use these steps to create one:
+
+   1. Select **Create new**.
+
+   1. Provide a **Schema registry name** and **Schema registry namespace**.
+
+   1. Select **Select Azure Storage container**.
+
+   1. Schema registry requires an Azure Storage account with hierarchical namespace and public network access enabled. Choose a storage account from the list of hierarchical namespace-enabled accounts, or select **Create** to create one.
+
+   1. Select a container in your storage account or select **Container** to create one.
+
+   1. Select **Apply** to confirm the schema registry configurations.
+
+1. On the **Dependency management** tab, select the **Secure settings** deployment option.
+
+   :::image type="content" source="./media/howto-deploy-iot-operations/deploy-dependency-management-1.png" alt-text="A screenshot that shows selecting secure settings on the third tab for deploying Azure IoT Operations from the portal.":::
+
+1. In the **Deployment options** section, provide the following information:
+
+   | Parameter | Value |
+   | --------- | ----- |
+   | **Subscription** | Select the subscription that contains your Azure key vault. |
+   | **Azure Key Vault** | Select an Azure key vault select **Create new**.<br><br>Ensure that your key vault has **Vault access policy** as its permission model. To check this setting, select **Manage selected vault** > **Settings** > **Access configuration**. |
+   | **User assigned managed identity for secrets** | Select an identity or select **Create new**. |
+   | **User assigned managed identity for AIO components** | Select an identity or select **Create new**. Don't use the same managed identity as the one you selected for secrets. |
+
+   :::image type="content" source="./media/howto-deploy-iot-operations/deploy-dependency-management-2.png" alt-text="A screenshot that shows configuring secure settings on the third tab for deploying Azure IoT Operations from the portal.":::
+
+1. Select **Next: Automation**.
+
+1. One at a time, run each Azure CLI command on the **Automation** tab in a terminal:
+
+   1. Sign in to Azure CLI interactively with a browser even if you already signed in before. If you don't sign in interactively, you might get an error that says *Your device is required to be managed to access your resource* when you continue to the next step to deploy Azure IoT Operations.
+
+      ```azurecli
+      az login
+      ```
+
+   1. If you didn't prepare your Azure CLI environment as described in the prerequisites, do so now in a terminal of your choice:
+
+      ```azurecli
+      az upgrade
+      az extension add --upgrade --name azure-iot-ops
+      ```
+
+   1. If you chose to create a new schema registry on the previous tab, copy and run the `az iot ops schema registry create` command.
+
+   1. Copy and run the `az iot ops init` command.
+
+   1. Copy and run the `az iot ops create` command.
+
+   1. Copy and run the `az iot ops secretsync enable` command.
+
+   1. Copy and run the `az iot ops identity assign` command.
+
+1. Once all of the Azure CLI commands complete successfully, you can close the **Install Azure IoT Operations** wizard.
+
 ### [Azure CLI](#tab/cli)
 
 1. Sign in to Azure CLI interactively with a browser even if you already signed in before.
@@ -106,9 +195,11 @@ Azure IoT Operations requires a schema registry on your cluster. Schema registry
 
    | Optional parameter | Value | Description |
    | --------- | ----- | ----------- |
-   | `--custom-role-id` | Role definition ID | Provide a custom role ID to assign to the schema registry instead of the default **Storage Blob Data Contributor** role. Format: `/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleDefinitions/<ROLE_ID>`. |
+   | `--custom-role-id` | Role definition ID | Provide a custom role ID to assign to the schema registry instead of the default **Storage Blob Data Contributor** role. At a minimum, the role needs blob read and write permissions. Format: `/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleDefinitions/<ROLE_ID>`. |
    | `--sa-container` | string | Storage account container to store schemas. If this container doesn't exist, this command creates it. The default container name is **schemas**. |
 
+1. Copy the resource ID from the output of the schema registry create command to use in the next section.
+
 ### Deploy Azure IoT Operations
 
 1. Prepare your cluster with the dependencies that Azure IoT Operations requires by running [az iot ops init](/cli/azure/iot/ops#az-iot-ops-init).
@@ -137,7 +228,7 @@ Azure IoT Operations requires a schema registry on your cluster. Schema registry
    | Optional parameter | Value | Description |
    | --------- | ----- | ----------- |
    | `--no-progress` |  | Disables the deployment progress display in the terminal. |
-   | `--enable-rsync-rules` |  | Enable the resource sync rules on the instance to project resources from the cloud to the edge. |
+   | `--enable-rsync-rules` |  | Enable the resource sync rules on the instance to project resources from the edge to the cloud. |
    | `--add-insecure-listener` |  | Add an insecure 1883 port config to the default listener. *Not for production use*. |
    | `--broker-config-file` | Path to JSON file | Provide a configuration file for the MQTT broker. For more information, see [Advanced MQTT broker config](https://github.com/Azure/azure-iot-ops-cli-extension/wiki/Advanced-Mqtt-Broker-Config) and [Configure core MQTT broker settings](../manage-mqtt-broker/howto-configure-availability-scale.md). |
 
@@ -184,95 +275,6 @@ Azure secret requires a user-assigned managed identity with access to the Azure
    az iot ops identity assign --name <INSTANCE_NAME> --resource-group <RESOURCE_GROUP> --mi-user-assigned <USER_ASSIGNED_MI_RESOURCE_ID>
    ```
 
-### [Azure portal](#tab/portal)
-
-1. In the [Azure portal](https://portal.azure.com), search for and select **Azure IoT Operations**.
-
-1. Select **Create**.
-
-1. On the **Basics** tab, provide the following information:
-
-   | Parameter | Value |
-   | --------- | ----- |
-   | **Subscription** | Select the subscription that contains your Arc-enabled cluster. |
-   | **Resource group** | Select the resource group that contains your Arc-enabled cluster. |
-   | **Cluster name** | Select the cluster that you want to deploy Azure IoT Operations to. |
-   | **Custom location name** | *Optional*: Replace the default name for the custom location. |
-
-   :::image type="content" source="./media/howto-deploy-iot-operations/deploy-basics.png" alt-text="A screenshot that shows the first tab for deploying Azure IoT Operations from the portal.":::
-
-1. Select **Next: Configuration**.
-
-1. On the **Configuration** tab, provide the following information:
-
-   | Parameter | Value |
-   | --------- | ----- |
-   | **Azure IoT Operations name** | *Optional*: Replace the default name for the Azure IoT Operations instance. |
-   | **MQTT broker configuration** | *Optional*: Edit the default settings for the MQTT broker. For more information, see [Configure core MQTT broker settings](../manage-mqtt-broker/howto-configure-availability-scale.md). |
-   | **Dataflow profile configuration** | *Optional*: Edit the default settings for dataflows. For more information, see [Configure dataflow profile](../connect-to-cloud/howto-configure-dataflow-profile.md). |
-
-   :::image type="content" source="./media/howto-deploy-iot-operations/deploy-configuration.png" alt-text="A screenshot that shows the second tab for deploying Azure IoT Operations from the portal.":::
-
-1. Select **Next: Dependency management**.
-
-1. On the **Dependency management** tab, select an existing schema registry or use these steps to create one:
-
-   1. Select **Create new**.
-
-   1. Provide a **Schema registry name** and **Schema registry namespace**.
-
-   1. Select **Select Azure Storage container**.
-
-   1. Schema registry requires an Azure Storage account with hierarchical namespace and public network access enabled. Choose a storage account from the list of hierarchical namespace-enabled accounts, or select **Create** to create one.
-
-   1. Select a container in your storage account or select **Container** to create one.
-
-   1. Select **Apply** to confirm the schema registry configurations.
-
-1. On the **Dependency management** tab, select the **Secure settings** deployment option.
-
-   :::image type="content" source="./media/howto-deploy-iot-operations/deploy-dependency-management-1.png" alt-text="A screenshot that shows selecting secure settings on the third tab for deploying Azure IoT Operations from the portal.":::
-
-1. In the **Deployment options** section, provide the following information:
-
-   | Parameter | Value |
-   | --------- | ----- |
-   | **Subscription** | Select the subscription that contains your Azure key vault. |
-   | **Azure Key Vault** | Select an Azure key vault select **Create new**.<br><br>Ensure that your key vault has **Vault access policy** as its permission model. To check this setting, select **Manage selected vault** > **Settings** > **Access configuration**. |
-   | **User assigned managed identity for secrets** | Select an identity or select **Create new**. |
-   | **User assigned managed identity for AIO components** | Select an identity or select **Create new**. Don't use the same managed identity as the one you selected for secrets. |
-
-   :::image type="content" source="./media/howto-deploy-iot-operations/deploy-dependency-management-2.png" alt-text="A screenshot that shows configuring secure settings on the third tab for deploying Azure IoT Operations from the portal.":::
-
-1. Select **Next: Automation**.
-
-1. One at a time, run each Azure CLI command on the **Automation** tab in a terminal:
-
-   1. Sign in to Azure CLI interactively with a browser even if you already signed in before. If you don't sign in interactively, you might get an error that says *Your device is required to be managed to access your resource* when you continue to the next step to deploy Azure IoT Operations.
-
-      ```azurecli
-      az login
-      ```
-
-   1. If you didn't prepare your Azure CLI environment as described in the prerequisites, do so now in a terminal of your choice:
-
-      ```azurecli
-      az upgrade
-      az extension add --upgrade --name azure-iot-ops
-      ```
-
-   1. If you chose to create a new schema registry on the previous tab, copy and run the `az iot ops schema registry create` command.
-
-   1. Copy and run the `az iot ops init` command.
-
-   1. Copy and run the `az iot ops create` command.
-
-   1. Copy and run the `az iot ops secretsync enable` command.
-
-   1. Copy and run the `az iot ops identity assign` command.
-
-1. Once all of the Azure CLI commands complete successfully, you can close the **Install Azure IoT Operations** wizard.
-
 ---
 
 While the deployment is in progress, you can watch the resources being applied to your cluster.

articles/iot-operations/deploy-iot-ops/howto-prepare-cluster.md

@@ -27,7 +27,7 @@ Azure IoT Operations should work on any Arc-enabled Kubernetes cluster that meet
 
 Microsoft supports Azure Kubernetes Service (AKS) Edge Essentials for deployments on Windows and K3s for deployments on Ubuntu. For a list of specific hardware and software combinations that are tested and validated, see [Validated environments](../overview-iot-operations.md#validated-environments).
 
-If you want to deploy Azure IoT Operations to a multi-node solution, we recommend K3s on Ubuntu.
+If you want to deploy Azure IoT Operations to a multi-node solution, use K3s on Ubuntu.
 
 To prepare your Azure Arc-enabled Kubernetes cluster, you need:
 
@@ -55,7 +55,7 @@ To prepare your Azure Arc-enabled Kubernetes cluster, you need:
 
 * Hardware that meets the system requirements:
 
-  * Ensure that your machine has a minimum of 10-GB RAM, 4 vCPUs, and 40-GB free disk space.
+  * Ensure that your machine has a minimum of 10-GB available RAM, 4 available vCPUs, and 52-GB free disk space reserved for Azure IoT Operations.
   * [Azure Arc-enabled Kubernetes system requirements](/azure/azure-arc/kubernetes/system-requirements).
   * [AKS Edge Essentials requirements and support matrix](/azure/aks/hybrid/aks-edge-system-requirements).
   * [AKS Edge Essentials networking guidance](/azure/aks/hybrid/aks-edge-concept-networking).
@@ -152,12 +152,6 @@ The [AksEdgeQuickStartForAio.ps1](https://github.com/Azure/AKS-Edge/blob/main/to
 
    In the output of the `Get-AksEdgeDeploymentInfo` command, you should see that the cluster's Arc status is `Connected`.
 
-### Configure multi-node clusters for Azure Container Storage
-
-On multi-node clusters with at least three nodes, you have the option of enabling fault tolerance for storage with [Azure Container Storage enabled by Azure Arc](/azure/azure-arc/container-storage/overview) when you deploy Azure IoT Operations.
-
-By default, Azure Kubernetes Service Edge Essentials clusters support Azure Container Storage. There are no extra steps to configure AKS Edge Essential clusters for fault tolerance.
-
 ### [Ubuntu](#tab/ubuntu)
 
 To prepare a K3s Kubernetes cluster on Ubuntu:

articles/iot-operations/deploy-iot-ops/overview-deploy.md

@@ -20,8 +20,6 @@ Azure IoT Operations should work on any Arc-enabled Kubernetes cluster that meet
 
 Microsoft supports Azure Kubernetes Service (AKS) Edge Essentials for deployments on Windows and K3s for deployments on Ubuntu. For a list of specific hardware and software combinations that are tested and validated, see [Validated environments](../overview-iot-operations.md#validated-environments).
 
-If you want to deploy Azure IoT Operations to a multi-node solution, we recommend K3s on Ubuntu.
-
 ## Choose your features
 
 Azure IoT Operations offers two deployment modes. You can choose to deploy with *test settings*, a basic subset of features that are simpler to get started with for evaluation scenarios. Or, you can choose to deploy with *secure settings*, the full feature set.
@@ -55,18 +53,17 @@ The following table described Azure IoT Operations deployment and management tas
 
 | Task | Required permission | Comments |
 | ---- | ------------------- | -------- |
-| Deploy Azure IoT Operations | **Contributor** permissions at the subscription level. |  |
-| Create secrets in Key Vault | **Key Vault Secrets Officer** permissions at the resource level. | Only required for secure settings deployment. |
-| Enable resource sync rules on an Azure IoT Operations instance | **Microsoft/Authorization/roleAssignments/write** permissions at the resource group level. | Resource sync rules are disabled by default, but can be enabled during instance creation. |
+| Deploy Azure IoT Operations | **Contributor** role at the subscription level. |  |
+| Register resource providers | **Contributor** role at the subscription level. | Only required to do once per subscription. |
 | Create a schema registry. | **Microsoft/Authorization/roleAssignments/write** permissions at the resource group level. |  |
+| Create secrets in Key Vault | **Key Vault Secrets Officer** role at the resource level. | Only required for secure settings deployment. |
+| Enable resource sync rules on an Azure IoT Operations instance | **Microsoft/Authorization/roleAssignments/write** permissions at the resource group level. | Resource sync rules are disabled by default, but can be enabled during instance creation. |
+
+If you use the Azure CLI to assign roles, use the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to give permissions. For example, `az role assignment create --assignee sp_name --role "Role Based Access Control Administrator" --scope subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup`
+
+If you use the Azure portal to assign privileged admin roles to a user or principal, you're prompted to restrict access using conditions. For this scenario, select the **Allow user to assign all roles** condition in the **Add role assignment** page.
 
-> [!TIP]
->
-> * If you use the Azure CLI to assign roles, use the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to give permissions. For example, `az role assignment create --assignee sp_name --role "Role Based Access Control Administrator" --scope subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup`
->
-> * If you use the Azure portal to assign privileged admin roles to a user or principal, you're prompted to restrict access using conditions. For this scenario, select the **Allow user to assign all roles** condition in the **Add role assignment** page.
->
->   :::image type="content" source="./media/howto-deploy-iot-operations/add-role-assignment-conditions.png" alt-text="Screenshot that shows assigning users highly privileged role access in the Azure portal.":::
+:::image type="content" source="./media/howto-deploy-iot-operations/add-role-assignment-conditions.png" alt-text="Screenshot that shows assigning users highly privileged role access in the Azure portal.":::
 
 ## Included components
 
@@ -76,10 +73,12 @@ Azure IoT Operations is a suite of data services that run on Azure Arc-enabled e
   * Dataflows
   * MQTT Broker
   * Connector for OPC UA
+  * Akri
 
 * Installed dependencies
   * [Azure Device Registry](../discover-manage-assets/overview-manage-assets.md#store-assets-as-azure-resources-in-a-centralized-registry)
   * [Azure Container Storage enabled by Azure Arc](/azure/azure-arc/container-storage/overview)
+  * Secret Sync Controller
 
 ## Organize instances by using sites
 

articles/iot-operations/get-started-end-to-end-sample/quickstart-deploy.md

@@ -110,7 +110,7 @@ To connect your cluster to Azure Arc:
 1. Use the [az connectedk8s connect](/cli/azure/connectedk8s#az-connectedk8s-connect) command to Arc-enable your Kubernetes cluster and manage it as part of your Azure resource group:
 
    ```azurecli
-   az connectedk8s connect --name $CLUSTER_NAME --location $LOCATION --resource-group $RESOURCE_GROUP --disable-auto-upgrade
+   az connectedk8s connect --name $CLUSTER_NAME --location $LOCATION --resource-group $RESOURCE_GROUP
    ```
 
    >[!TIP]