Add DisableLocalAuth docs for SignalR/Web PubSub

Author: terencefan

articles/azure-signalr/howto-disable-local-auth.md

@@ -0,0 +1,115 @@
+---
+title: Disable local (access key) authentication with Azure SignalR Service
+description: This article provides information about how to disable access key authentication and use only Azure AD authentication.
+author: terencefan
+
+ms.author: tefa
+ms.date: 03/31/2023
+ms.service: signalr
+ms.topic: conceptual
+---
+
+# Disable local (access key) authentication with Azure SignalR Service
+
+There are two ways to authenticate to Azure SignalR Service resources: Azure Active Directory (Azure AD) and Access Key. Azure AD provides superior security and ease of use over access key. With Azure AD, there’s no need to store the tokens in your code and risk potential security vulnerabilities. We recommend that you use Azure AD with your Azure SignalR Service resources when possible.
+
+## Use Azure Portal
+
+In this section, you will learn how to use the Azure portal to disable local authentication.
+
+1. Navigate to your SignalR Service resource in the [Azure portal](https://portal.azure.com).
+
+2. in the **Settings** section of the menu sidebar, select **Keys** blade.
+
+3. Select **Disabled** for local authentication.
+
+4. Click **Save** button.
+
+![Screenshot of disabling local auth](./media/howto-azure-active-directory/disable-local-auth.png)
+
+## Use Azure Resource Manager template
+
+You can disable local authentication by setting `disableLocalAuth` property to true as shown in the following Azure Resource Manager template.
+
+```json
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "resource_name": {
+            "defaultValue": "test-for-disable-aad",
+            "type": "String"
+        }
+    },
+    "variables": {},
+    "resources": [
+        {
+            "type": "Microsoft.SignalRService/SignalR",
+            "apiVersion": "2022-08-01-preview",
+            "name": "[parameters('resource_name')]",
+            "location": "eastus",
+            "sku": {
+                "name": "Premium_P1",
+                "tier": "Premium",
+                "size": "P1",
+                "capacity": 1
+            },
+            "kind": "SignalR",
+            "properties": {
+                "tls": {
+                    "clientCertEnabled": false
+                },
+                "features": [
+                    {
+                        "flag": "ServiceMode",
+                        "value": "Default",
+                        "properties": {}
+                    },
+                    {
+                        "flag": "EnableConnectivityLogs",
+                        "value": "True",
+                        "properties": {}
+                    }
+                ],
+                "cors": {
+                    "allowedOrigins": [
+                        "*"
+                    ]
+                },
+                "serverless": {
+                    "connectionTimeoutInSeconds": 30
+                },
+                "upstream": {},
+                "networkACLs": {
+                    "defaultAction": "Deny",
+                    "publicNetwork": {
+                        "allow": [
+                            "ServerConnection",
+                            "ClientConnection",
+                            "RESTAPI",
+                            "Trace"
+                        ]
+                    },
+                    "privateEndpoints": []
+                },
+                "publicNetworkAccess": "Enabled",
+                "disableLocalAuth": true,
+                "disableAadAuth": false
+            }
+        }
+    ]
+}
+```
+
+## Use Azure Policy
+
+You can assign the [Azure SignalR Service should have local authentication methods disabled](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff70eecba-335d-4bbc-81d5-5b17b03d498f) Azure policy to an Azure subscription or a resource group to enforce disabling of local authentication for all SignalR resources in the subscription or the resource group.
+
+![Screenshot of disabling local auth policy](./media/howto-azure-active-directory/disable-local-auth-policy.png)
+
+## Next steps
+
+See the following docs to learn about authentication methods.
+
+- [Authenticate with Azure applications](./signalr-howto-authorize-application.md)
+- [Authenticate with managed identities](./signalr-howto-authorize-managed-identity.md)

articles/azure-signalr/media/howto-azure-active-directory/application-overview.png

@@ -24,14 +24,14 @@ The first step is to register an Azure application.
 2. Under **Manage** section, select **App registrations**.
 3. Select **New registration**.
 
-    ![Screenshot of registering an application](./media/authenticate/register-an-application.png)
+    ![Screenshot of registering an application](./media/howto-azure-active-directory/register-an-application.png)
 
 4. Enter a display **Name** for your application.
 5. Select **Register** to confirm the register.
 
 Once you have your application registered, you can find the **Application (client) ID** and **Directory (tenant) ID** under its Overview page. These GUIDs can be useful in the following steps.
 
-![Screenshot of an application](./media/authenticate/application-overview.png)
+![Screenshot of an application](./media/howto-azure-active-directory/application-overview.png)
 
 To learn more about registering an application, see
 - [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md).
@@ -47,7 +47,7 @@ The application requires a client secret to prove its identity when requesting a
 
 1. Under **Manage** section, select **Certificates & secrets**
 1. On the **Client secrets** tab, select **New client secret**.
-![Screenshot of creating a client secret](./media/authenticate/new-client-secret.png)
+![Screenshot of creating a client secret](./media/howto-azure-active-directory/new-client-secret.png)
 1. Enter a **description** for the client secret, and choose a **expire time**.
 1. Copy the value of the **client secret** and then paste it to a secure location. 
     > [!NOTE]
@@ -57,7 +57,7 @@ The application requires a client secret to prove its identity when requesting a
 
 You can also upload a certification instead of creating a client secret.
 
-![Screenshot of uploading a certification](./media/authenticate/upload-certificate.png)
+![Screenshot of uploading a certification](./media/howto-azure-active-directory/upload-certificate.png)
 
 To learn more about adding credentials, see
 

articles/azure-signalr/media/howto-azure-active-directory/disable-local-auth-policy.png

@@ -26,7 +26,7 @@ This example shows you how to configure `System-assigned managed identity` on a
 1. Open [Azure portal](https://portal.azure.com/), Search for and select a Virtual Machine.
 1. Under **Settings** section, select **Identity**.
 1. On the **System assigned** tab, toggle the **Status** to **On**.
-   ![Screenshot of an application](./media/authenticate/identity-virtual-machine.png)
+   ![Screenshot of an application](./media/howto-azure-active-directory/identity-virtual-machine.png)
 1. Select the **Save** button to confirm the change.