Created Java Entra include and other edits

Author: gsteve88

includes/iot-hub-howto-connect-service-iothub-entra-java.md

@@ -11,25 +11,65 @@ ms.manager: lizross
 ms.date: 11/06/2024
 ---
 
-### Microsoft Entra client secret credential
+A backend app that uses Microsoft Entra must successfully authenticate and obtain a security token credential before connecting to IoT Hub. This token is passed to a IoT Hub connection method. For general information about setting up and using Microsoft Entra for IoT Hub, see [Control access to IoT Hub by using Microsoft Entra ID](/azure/iot-hub/authenticate-authorize-azure-ad).
 
-Use [ClientSecretCredential](/java/api/com.azure.identity.clientsecretcredential) to authenticate an application with Microsoft Entra.
+For an overview of Java SDK authentication, see [Getting started with user authentication on Azure](https://learn.microsoft.com/en-us/azure/developer/java/sdk/authentication/azure-hosted-apps).
 
-`ClientSecretCredential` is configured using [ClientSecretCredentialBuilder](/java/api/com.azure.identity.clientsecretcredentialbuilder).
+##### Configure Microsoft Entra app
+
+You must set up a Microsoft Entra app that is configured for your preferred authentication credential. The app contains parameters such as client secret that are used by the backend application to authenticate. The available app authentication configurations are:
+
+* Client secret
+* Certificate
+* Federated identity credential
+
+Microsoft Entra apps may require specific role permissions depending on operations being performed. For example, [IoT Hub Twin Contributor](/azure/role-based-access-control/built-in-roles/internet-of-things#iot-hub-twin-contributor) is required to enable read and write access to a IoT Hub device and module twins. For more information, see [Manage access to IoT Hub by using Azure RBAC role assignment](/azure/iot-hub/authenticate-authorize-azure-ad?#manage-access-to-iot-hub-by-using-azure-rbac-role-assignment).
+
+For more information about setting up a Microsoft Entra app, see [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app).
+
+##### Authenticate using DefaultAzureCredential
+
+The easiest way to use Microsoft Entra to authenticate a backend application is to use [DefaultAzureCredential](/azure/developer/java/sdk/authentication/credential-chains#defaultazurecredential-overview), but it's recommended to use a different method in a production environment including a specific `TokenCredential` or pared-down `ChainedTokenCredential`. For simplicity, this section describes authentication using `DefaultAzureCredential` and Client secret.
+For more information about the pros and cons of using `DefaultAzureCredential`, see
+[ChainedTokenCredential](/java/sdk/authentication/credential-chains).
+
+[DefaultAzureCredential](/java/api/com.azure.identity.defaultazurecredential) supports different authentication mechanisms and determines the appropriate credential type based on the environment it's executing in. It attempts to use multiple credential types in an order until it finds a working credential.
+
+You can authenticate Microsoft Entra app credentials using [DefaultAzureCredentialBuilder](/java/api/com.azure.identity.defaultazurecredentialbuilder). Save connection parameters such as client secret tenantID, clientID, and client secret values as environmental varaibles. Once the `TokenCredential` is created, pass it to [ServiceClient](https://learn.microsoft.com/en-us/java/api/com.azure.core.annotation.serviceclient) or other builder as the 'credential' parameter.
+
+In this example, `DefaultAzureCredentialBuilder` will attempt to authenticate a connection from the list described in [DefaultAzureCredential](/java/api/com.azure.identity.defaultazurecredential). The result of a successful Microsoft Entra authentication is a security token credential that is passed to a constructor.
 
 ```java
-TokenCredential clientSecretCredential = new ClientSecretCredentialBuilder().tenantId(tenantId)
-     .clientId(clientId)
-     .clientSecret(clientSecret)
-     .build();
+TokenCredential defaultAzureCredential = new DefaultAzureCredentialBuilder().build();
 ```
 
-### Microsoft Entra client certificate credential
+##### Authenticate using ClientSecretCredentialBuilder
+
+You can use [ClientSecretCredentialBuilder](/java/api/com.azure.identity.clientsecretcredentialbuilder) to create a credential using client secret information. If successful, this method returns a [TokenCredential](/java/api/com.azure.core.credential.tokencredential).
+
+In this example, Microsoft Entra app registration client secret, client ID, and tenant ID values have been added to environment variables. These environment variables are used by `ClientSecretCredentialBuilder` to build the credential.
+
+```java
+// Credentials can be built from types from the Azure Identity library like ClientSecretCredential.
+// The Azure Identity library also defines other implementations of the TokenCredential interface such as
+// DefaultAzureCredential, InteractiveBrowserCredential, and many others.
+
+string clientSecretValue = System.getenv("AZURE_CLIENT_SECRET");
+string clientID = System.getenv("AZURE_CLIENT_ID");
+string tenantID = System.getenv("AZURE_TENANT_ID");
+
+TokenCredential credential =
+     new ClientSecretCredentialBuilder()
+          .tenantId(tenantID)
+          .clientId(clientID)
+          .clientSecret(clientSecretValue)
+          .build();
+```
 
-You can use [ClientCertificateCredential](/java/api/com.azure.identity.clientcertificatecredential) to create a `TokenCredential` using a certificate.
+##### Authenticate using InteractiveBrowserCredential
 
-The `TokenCredential` can then be passed to service constructors such as:
+Use [InteractiveBrowserCredential](https://learn.microsoft.com/en-us/java/api/com.azure.identity.interactivebrowsercredential) to authenticate a user sign-in using a web browser.
 
-* [DeviceTwin](/java/api/com.microsoft.azure.sdk.iot.service.devicetwin.devicetwin?#com-microsoft-azure-sdk-iot-service-devicetwin-devicetwin-devicetwin(java-lang-string-com-azure-core-credential-tokencredential))
+##### Code samples
 
-For more information about Microsoft Entra app registration, see [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app).
+For working samples of Microsoft Entra service authentication, see [Role based authentication sample](github.com/Azure/azure-iot-service-sdk-java/tree/main/service/iot-service-samples/role-based-authorization-sample).

includes/iot-hub-howto-connect-service-iothub-entra-node.md

@@ -53,16 +53,12 @@ import { DefaultAzureCredential } from "@azure/identity";
 const credential = new DefaultAzureCredential();
 ```
 
-The resulting credential token can then be passed to a connection method to connect to IoT Hub method for any SDK client that accepts Microsoft Entra credentials:
+The resulting credential token can then be passed to [fromTokenCredential](/javascript/api/azure-iothub/registry?#azure-iothub-registry-fromtokencredential) to connect to IoT Hub for any SDK client that accepts Microsoft Entra credentials:
 
 * [Registry](/javascript/api/azure-iothub/registry?#azure-iothub-registry-fromtokencredential)
 * [Client](/javascript/api/azure-iothub/client?#azure-iothub-client-fromtokencredential)
 * [JobClient](/javascript/api/azure-iothub/jobclient?#azure-iothub-jobclient-fromtokencredential)
 
-##### Connect to IoT Hub
-
-Use [fromTokenCredential](/javascript/api/azure-iothub/registry?#azure-iothub-registry-fromtokencredential) to create a service connection to IoT Hub using a Microsoft Entra token credential.
-
 `fromTokenCredential` requires two parameters:
 
 * The Azure service URL - The Azure service URL should be in the format `{Your Entra domain URL}.azure-devices.net` without a `https://` prefix. For example, `MyAzureDomain.azure-devices.net`.

includes/iot-hub-howto-connect-service-iothub-entra-python.md

@@ -53,7 +53,7 @@ credential = DefaultAzureCredential()
 The resulting [AccessToken](/python/api/azure-core/azure.core.credentials.accesstoken) can then be passed to `from_token_credential` to connect to IoT Hub method for any SDK client that accepts Microsoft Entra credentials:
 
 * [IoTHubRegistryManager](/python/api/azure-iot-hub/azure.iot.hub.iothubregistrymanager?#azure-iot-hub-iothubregistrymanager-from-token-credential) to create a service connection to IoT Hub using an Entra token credential.
-* [IoTHubJobManager](/python/api/azure-iot-hub/azure.iot.hub.iothubjobmanager?view=azure-python&#azure-iot-hub-iothubjobmanager-from-token-credential)
+* [IoTHubJobManager](/python/api/azure-iot-hub/azure.iot.hub.iothubjobmanager?#azure-iot-hub-iothubjobmanager-from-token-credential)
 * [DigitalTwinClient](/python/api/azure-iot-hub/azure.iot.hub.digitaltwinclient?#azure-iot-hub-digitaltwinclient-from-token-credential)
 * [IoTHubHttpRuntimeManager](/python/api/azure-iot-hub/azure.iot.hub.iothubhttpruntimemanager?#azure-iot-hub-iothubhttpruntimemanager-from-token-credential)
 * [IoTHubConfigurationManager](/python/api/azure-iot-hub/azure.iot.hub.iothubconfigurationmanager?#azure-iot-hub-iothubconfigurationmanager-from-token-credential)