Merge pull request #216514 from MicrosoftDocs/main

Publish to live, Monday 4 AM PST, 10/31

Author: ttorble

articles/active-directory/develop/quickstart-register-app.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: quickstart
 ms.workload: identity
-ms.date: 01/13/2022
+ms.date: 10/31/2022
 ms.author: cwerner
 ms.custom: aaddev, identityplatformtop40, contperf-fy21q1, contperf-fy21q2, contperf-fy21q4, mode-other
 #Customer intent: As developer, I want to know how to register my application with the Microsoft identity platform so that the security token service can issue ID and/or access tokens to client applications that request them.
@@ -136,6 +136,26 @@ Client secrets are considered less secure than certificate credentials. Applicat
 
 For application security recommendations, see [Microsoft identity platform best practices and recommendations](identity-platform-integration-checklist.md#security).
 
+
+### Add a federated credential
+
+Federated identity credentials are a type of credential that allows workloads, such as GitHub Actions, workloads running on Kubernetes, or workloads running in compute platforms outside of Azure access Azure AD protected resources without needing to manage secrets using [workload identity federation](workload-identity-federation.md).
+
+To add a federated credential, follow these steps:
+
+1. In the Azure portal, in **App registrations**, select your application.
+1. Select **Certificates & secrets** > **Federated credentials** > **Add a credential**.
+1. In the **Federated credential scenario** drop-down box, select one of the supported scenarios, and follow the corresponding guidance to complete the configuration.
+
+    - **Customer managed keys** for encrypt data in your tenant using Azure Key Vault in another tenant.
+    - **GitHub actions deploying Azure resources** to [configure a GitHub workflow](workload-identity-federation-create-trust.md#github-actions) to get tokens for your application and deploy assets to Azure.
+    - **Kubernetes accessing Azure resources** to configure a [Kubernetes service account](workload-identity-federation-create-trust.md#kubernetes) to get tokens for your application and access Azure resources.
+    - **Other issuer** to configure an identity managed by an external [OpenID Connect provider](workload-identity-federation-create-trust.md#other-identity-providers) to get tokens for your application and access Azure resources.
+    
+
+For more information, how to get an access token with a federated credential, check out the [Microsoft identity platform and the OAuth 2.0 client credentials flow](v2-oauth2-client-creds-grant-flow.md#third-case-access-token-request-with-a-federated-credential) article.
+
+
 ## Next steps
 
 Client applications typically need to access resources in a web API. You can protect your client application by using the Microsoft identity platform. You can also use the platform for authorizing scoped, permissions-based access to your web API.

articles/active-directory/develop/workload-identity-federation.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 09/19/2022
+ms.date: 10/31/2022
 ms.author: ryanwi
 ms.reviewer: shkhalid, udayh, vakarand
 ms.custom: aaddev 
@@ -23,9 +23,9 @@ You can use workload identity federation in scenarios such as GitHub Actions, wo
 
 ## Why use workload identity federation?
 
-Typically, a software workload (such as an application, service, script, or container-based application) needs an identity in order to authenticate and access resources or communicate with other services.  When these workloads run on Azure, you can use managed identities and the Azure platform manages the credentials for you.  For a software workload running outside of Azure, you need to use application credentials (a secret or certificate) to access Azure AD protected resources (such as Azure, Microsoft Graph, Microsoft 365, or third-party resources).  These credentials pose a security risk and have to be stored securely and rotated regularly. You also run the risk of service downtime if the credentials expire.
+Typically, a software workload (such as an application, service, script, or container-based application) needs an identity in order to authenticate and access resources or communicate with other services.  When these workloads run on Azure, you can use [managed identities](../managed-identities-azure-resources/overview.md) and the Azure platform manages the credentials for you.  For a software workload running outside of Azure, you need to use application credentials (a secret or certificate) to access Azure AD protected resources (such as Azure, Microsoft Graph, Microsoft 365, or third-party resources).  These credentials pose a security risk and have to be stored securely and rotated regularly. You also run the risk of service downtime if the credentials expire.
 
-You use workload identity federation to configure an Azure AD app registration or user-assigned managed identity to trust tokens from an external identity provider (IdP), such as GitHub.  Once that trust relationship is created, your software workload can exchange trusted tokens from the external IdP for access tokens from Microsoft identity platform.  Your software workload then uses that access token to access the Azure AD protected resources to which the workload has been granted access. This eliminates the maintenance burden of manually managing credentials and eliminates the risk of leaking secrets or having certificates expire.
+You use workload identity federation to configure an Azure AD app registration or [user-assigned managed identity](../managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) to trust tokens from an external identity provider (IdP), such as GitHub.  Once that trust relationship is created, your software workload can exchange trusted tokens from the external IdP for access tokens from Microsoft identity platform.  Your software workload then uses that access token to access the Azure AD protected resources to which the workload has been granted access. This eliminates the maintenance burden of manually managing credentials and eliminates the risk of leaking secrets or having certificates expire.
 
 ## Supported scenarios
 
@@ -41,7 +41,10 @@ The following scenarios are supported for accessing Azure AD protected resources
 
 ## How it works
 
-Create a trust relationship between the external IdP and an app or user-assigned managed identity in Azure AD by configuring a [federated identity credential](/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-beta&preserve-view=true). The federated identity credential is used to indicate which token from the external IdP should be trusted by your application or managed identity. You configure the federated identity credential on an app registration in the Azure portal or through Microsoft Graph.  A federated credential is configured on a user-assigned managed identity through the Azure portal, Azure CLI, Azure PowerShell, Azure SDK, and Azure Resource Manager (ARM) templates. The steps for configuring the trust relationship will differ, depending on the scenario and external IdP.
+Create a trust relationship between the external IdP and an app registration or user-assigned managed identity in Azure AD. The federated identity credential is used to indicate which token from the external IdP should be trusted by your application or managed identity. You configure a federated identity either:
+
+- On an Azure AD [App registration](/azure/active-directory/develop/quickstart-register-app) in the Azure portal or through Microsoft Graph. This configuration allows you to get an access token for your application without needing to manage secrets outside Azure. For more information, learn how to [configure an app to trust an external identity provider](workload-identity-federation-create-trust.md).
+- On a user-assigned managed identity through the Azure portal, Azure CLI, Azure PowerShell, Azure SDK, and Azure Resource Manager (ARM) templates. The external workload uses the access token to access Azure AD protected resources without needing to manage secrets (in supported scenarios). The [steps for configuring the trust relationship](workload-identity-federation-create-trust-user-assigned-managed-identity.md) will differ, depending on the scenario and external IdP. 
 
 The workflow for exchanging an external token for an access token is the same, however, for all scenarios. The following diagram shows the general workflow of a workload exchanging an external token for an access token and then accessing Azure AD protected resources.
 
@@ -62,4 +65,4 @@ Learn more about how workload identity federation works:
 - How to create, delete, get, or update [federated identity credentials](workload-identity-federation-create-trust.md) on an app registration.
 - How to create, delete, get, or update [federated identity credentials](workload-identity-federation-create-trust-user-assigned-managed-identity.md) on a user-assigned managed identity.
 - Read the [GitHub Actions documentation](https://docs.github.com/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure) to learn more about configuring your GitHub Actions workflow to get an access token from Microsoft identity provider and access Azure resources.
-- For information about the required format of JWTs created by external identity providers, read about the [assertion format](active-directory-certificate-credentials.md#assertion-format).
+- For information about the required format of JWTs created by external identity providers, read about the [assertion format](active-directory-certificate-credentials.md#assertion-format).

articles/azure-app-configuration/TOC.yml

@@ -23,7 +23,9 @@
           href: quickstart-azure-functions-csharp.md
         - name: Java Spring
           href: quickstart-java-spring-app.md
-        - name: Python
+        - name: Python provider
+          href: quickstart-python-provider.md
+        - name: Python SDK
           href: quickstart-python.md
         - name: JavaScript/Node.js
           href: quickstart-javascript.md

articles/azure-app-configuration/quickstart-python-provider.md

@@ -0,0 +1,192 @@
+---
+title: Quickstart for using Azure App Configuration with Python apps using the Python provider | Microsoft Docs
+description: In this quickstart, create a Python app with the Azure App Configuration Python provider to centralize storage and management of application settings separate from your code.
+services: azure-app-configuration
+author: maud-lv
+ms.service: azure-app-configuration
+ms.devlang: python
+ms.topic: quickstart
+ms.custom: devx-track-python, mode-other
+ms.date: 10/31/2022
+ms.author: malev
+#Customer intent: As a Python developer, I want to manage all my app settings in one place.
+---
+# Quickstart: Create a Python app with the Azure App Configuration Python provider
+
+In this quickstart, you will use the Python provider for Azure App Configuration to centralize storage and management of application settings using the [Azure App Configuration Python provider client library](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/appconfiguration/azure-appconfiguration-provider).
+
+The Python App Configuration provider is a library running on top of the Azure SDK for Python, helping Python developers easily consume the App Configuration service. It enables configuration settings to be used like a dictionary.
+
+## Prerequisites
+
+- Azure subscription - [create one for free](https://azure.microsoft.com/free/)
+- Python 3.6 or later - for information on setting up Python on Windows, see the [Python on Windows documentation](/windows/python/)
+
+## Create an App Configuration store
+
+[!INCLUDE [azure-app-configuration-create](../../includes/azure-app-configuration-create.md)]
+
+9. Select **Configuration Explorer** > **Create** > **Key-value** to add the following key-value pairs:
+
+    | Key            | Value             | Label       | Content type       |
+    |----------------|-------------------|-------------|--------------------|
+    | *message*      | *Hello*           | Leave empty | Leave empty        |
+    | *test.message* | *Hello test*      | Leave empty | Leave empty        |
+    | *my_json*      | *{"key":"value"}* | Leave empty | *application/json* |
+
+10. Select **Apply**.
+
+## Set up the Python app
+
+1. Create a new directory for the project named *app-configuration-quickstart*.
+
+    ```console
+    mkdir app-configuration-quickstart
+    ```
+
+1. Switch to the newly created *app-configuration-quickstart* directory.
+
+    ```console
+    cd app-configuration-quickstart
+    ```
+
+1. Install the Azure App Configuration provider by using the `pip install` command.
+
+    ```console
+    pip install azure-appconfiguration-provider
+    ```
+
+1. Create a new file called *app-configuration-quickstart.py* in the *app-configuration-quickstart* directory and add the following code:
+
+    ```python
+    from azure.appconfiguration.provider import (
+        AzureAppConfigurationProvider,
+        SettingSelector
+    )
+    import os
+
+    connection_string = os.environ.get("AZURE_APPCONFIG_CONNECTION_STRING")
+
+    # Connect to Azure App Configuration using a connection string.
+    config = AzureAppConfigurationProvider.load(
+        connection_string=connection_string)
+
+    # Find the key "message" and print its value.
+    print(config["message"])
+    # Find the key "my_json" and print the value for "key" from the dictionary.
+    print(config["my_json"]["key"])
+
+    # Connect to Azure App Configuration using a connection string and trimmed key prefixes.
+    trimmed = {"test."}
+    config = AzureAppConfigurationProvider.load(
+        connection_string=connection_string, trimmed_key_prefixes=trimmed)
+    # From the keys with trimmed prefixes, find a key with "message" and print its value.
+    print(config["message"])
+
+    # Connect to Azure App Configuration using SettingSelector.
+    selects = {SettingSelector("message*", "\0")}
+    config = AzureAppConfigurationProvider.load(
+        connection_string=connection_string, selects=selects)
+
+   # Print True or False to indicate if "message" is found in Azure App Configuration.
+    print("message found: " + str("message" in config))
+    print("test.message found: " + str("test.message" in config))
+    ```
+
+## Configure your App Configuration connection string
+
+1. Set an environment variable named **AZURE_APPCONFIG_CONNECTION_STRING**, and set it to the connection string of your App Configuration store. At the command line, run the following command:
+
+    ### [Windows command prompt](#tab/windowscommandprompt)
+
+    To build and run the app locally using the Windows command prompt, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:
+
+    ```cmd
+    setx AZURE_APPCONFIG_CONNECTION_STRING "connection-string-of-your-app-configuration-store"
+    ```
+
+    ### [PowerShell](#tab/powershell)
+
+    If you use Windows PowerShell, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:
+
+    ```azurepowershell
+    $Env:AZURE_APPCONFIG_CONNECTION_STRING = "<app-configuration-store-connection-string>"
+    ```
+
+    ### [macOS](#tab/unix)
+
+    If you use macOS, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:
+
+    ```console
+    export AZURE_APPCONFIG_CONNECTION_STRING='<app-configuration-store-connection-string>'
+    ```
+
+    ### [Linux](#tab/linux)
+
+    If you use Linux, run the following command and replace `<app-configuration-store-connection-string>` with the connection string of your app configuration store:
+
+    ```console
+    export AZURE_APPCONFIG_CONNECTION_STRING='<app-configuration-store-connection-string>'
+   ```
+
+1. Restart the command prompt to allow the change to take effect. Print out the value of the environment variable to validate that it is set properly with the command below.
+
+    ### [Windows command prompt](#tab/windowscommandprompt)
+
+    Using the Windows command prompt, run the following command:
+
+    ```cmd
+    printenv AZURE_APPCONFIG_CONNECTION_STRING
+    ```
+
+    ### [PowerShell](#tab/powershell)
+
+    If you use Windows PowerShell, run the following command:
+
+    ```azurepowershell
+    $Env:AZURE_APPCONFIG_CONNECTION_STRING
+    ```
+
+    ### [macOS](#tab/unix)
+
+    If you use macOS, run the following command:
+
+    ```console
+    echo "$AZURE_APPCONFIG_CONNECTION_STRING"
+    ```
+
+    ### [Linux](#tab/linux)
+
+    If you use Linux, run the following command:
+
+    ```console
+    echo "$AZURE_APPCONFIG_CONNECTION_STRING"
+
+1. After the build successfully completes, run the following command to run the app locally:
+
+    ```python
+    python app-configuration-quickstart.py
+    ```
+
+    You should see the following output:
+
+    ```Output
+    Hello
+    value
+    Hello test
+    message found: True
+    test.message found: False
+    ```
+
+## Clean up resources
+
+[!INCLUDE [azure-app-configuration-cleanup](../../includes/azure-app-configuration-cleanup.md)]
+
+## Next steps
+
+In this quickstart, you created a new App Configuration store and learned how to access key-values from a Python app.
+
+For additional code samples, visit:
+
+> [!div class="nextstepaction"]
+> [Azure App Configuration Python provider](https://github.com/Azure/azure-sdk-for-python/tree/main/sdk/appconfiguration/azure-appconfiguration-provider)