Merge pull request #224342 from jlian/patch-87

Add prominent warning about DPS

Author: prmerger-automator[bot]

articles/iot-dps/how-to-manage-linked-iot-hubs.md

@@ -3,7 +3,7 @@ title: How to manage linked IoT hubs with Device Provisioning Service (DPS)
 description: This article shows how to link and manage IoT hubs with the Device Provisioning Service (DPS).
 author: kgremban
 ms.author: kgremban
-ms.date: 10/24/2022
+ms.date: 01/18/2023
 ms.topic: how-to
 ms.service: iot-dps
 services: iot-dps
@@ -38,6 +38,12 @@ When you link an IoT hub to your DPS instance, it becomes available to participa
 
 * For enrollments that do explicitly set the IoT hubs to apply allocation policy to, you'll need to manually or programmatically add the new IoT hub to the enrollment settings for it to participate in allocation.
 
+### Limitations
+
+* There are some limitations when working with linked IoT hubs and private endpoints. For more information, see [Private endpoint limitations](virtual-network-support.md#private-endpoint-limitations).
+
+* The linked IoT Hub must have [Connect using shared access policies](../iot-hub/iot-hub-dev-guide-azure-ad-rbac.md#azure-ad-access-and-shared-access-policies) set to **Allow**.
+
 ### Use the Azure portal to link an IoT hub
 
 In the Azure portal, you can link an IoT hub either from the left menu of your DPS instance or from the enrollment when creating or updating an enrollment. In both cases, the IoT hub is scoped to the DPS instance (not just the enrollment).
@@ -215,10 +221,6 @@ To update symmetric keys for a linked IoT hub with Azure CLS:
     az iot dps update --name MyExampleDps --set properties.iotHubs[0].connectionString="HostName=MyExampleHub-2.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey=NewTokenValue"
     ```
 
-## Limitations
-
-There are some limitations when working with linked IoT hubs and private endpoints. For more information, see [Private endpoint limitations](virtual-network-support.md#private-endpoint-limitations).
-
 ## Next steps
 
 * To learn more about allocation policies, see [Manage allocation policies](how-to-use-allocation-policies.md).

articles/iot-hub/iot-hub-dev-guide-azure-ad-rbac.md

@@ -7,7 +7,7 @@ ms.author: kgremban
 ms.service: iot-hub
 services: iot-hub
 ms.topic: conceptual
-ms.date: 10/20/2021
+ms.date: 01/18/2023
 ms.custom: ['Role: Cloud Development', devx-track-azurecli]
 ---
 
@@ -94,14 +94,16 @@ The following table describes the permissions available for IoT Hub service API
 
 ## Azure AD access and shared access policies
 
-By default, IoT Hub supports service API access through both Azure AD and [shared access policies and security tokens](iot-hub-dev-guide-sas.md). To minimize potential security vulnerabilities inherent in security tokens, disable access with shared access policies: 
+By default, IoT Hub supports service API access through both Azure AD and [shared access policies and security tokens](iot-hub-dev-guide-sas.md). To minimize potential security vulnerabilities inherent in security tokens, disable access with shared access policies. 
 
 1. Ensure that your service clients and users have [sufficient access](#manage-access-to-iot-hub-by-using-azure-rbac-role-assignment) to your IoT hub. Follow the [principle of least privilege](../security/fundamentals/identity-management-best-practices.md).
 1. In the [Azure portal](https://portal.azure.com), go to your IoT hub.
 1. On the left pane, select **Shared access policies**.
-1. Under **Connect using shared access policies**, select **Deny**.
+1. Under **Connect using shared access policies**, select **Deny**, and review the warning.
     :::image type="content" source="media/iot-hub-dev-guide-azure-ad-rbac/disable-local-auth.png" alt-text="Screenshot that shows how to turn off IoT Hub shared access policies." border="true":::
-1. Review the warning, and then select **Save**.
+
+   > [!WARNING]
+   > By denying connections using shared access policies, all users and services that connect using this method lose access immediately. Notably, since Device Provisioning Service (DPS) only supports linking IoT hubs using shared access policies, all device provisioning flows will fail with "unauthorized" error. Proceed carefully and plan to replace access with Azure AD role based access. **Do not proceed if you use DPS**.
 
 Your IoT Hub service APIs can now be accessed only through Azure AD and RBAC.