add disable local auth doc

PatrickFarley · PatrickFarley · commit 4c647c8d36e8 · 2023-09-22T17:01:04.000-04:00
diff --git a/articles/ai-services/TOC.yml b/articles/ai-services/TOC.yml
@@ -79,6 +79,8 @@
       href: security-features.md
     - name: Authenticate requests
       href: authentication.md
+    - name: Disable local authentication
+      href: disable-local-authentication.md
     - name: Rotate keys
       href: rotate-keys.md
     - name: Use environment variables
diff --git a/articles/ai-services/authentication.md b/articles/ai-services/authentication.md
@@ -169,6 +169,9 @@ In the previous sections, we showed you how to authenticate against Azure AI ser
 
 In the following sections, you'll use either the Azure Cloud Shell environment or the Azure CLI to create a subdomain, assign roles, and obtain a bearer token to call the Azure AI services. If you get stuck, links are provided in each section with all available options for each command in Azure Cloud Shell/Azure CLI.
 
+> [!IMPORTANT]
+> If your organization is doing authentication through Azure AD, you should [disable local authentication](./disable-local-auth.md) (authentication with keys) so that users in the organization must always use Azure AD.
+
 ### Create a resource with a custom subdomain
 
 The first step is to create a custom subdomain. If you want to use an existing Azure AI services resource which does not have custom subdomain name, follow the instructions in [Azure AI services custom subdomains](../articles/cognitive-services/cognitive-services-custom-subdomains.md#how-does-this-impact-existing-resources) to enable custom subdomain for your resource.
diff --git a/articles/ai-services/disable-local-auth.md b/articles/ai-services/disable-local-auth.md
@@ -0,0 +1,30 @@
+---
+title: Disable local authentication in Azure AI Services
+titleSuffix: Azure AI services
+description: "This article describes disabling local authentication in Azure AI Services."
+services: cognitive-services
+author: PatrickFarley
+manager: nitinme
+ms.service: cognitive-services
+ms.topic: how-to
+ms.date: 09/22/2023
+ms.author: pafarley
+---
+
+# Disable local authentication in Azure AI Services
+
+Azure AI Services provides Azure Active Directory (Azure AD) authentication support for all resources. This gives organizations control to disable local authentication methods and enforce Azure AD authentication. This feature provides you with seamless integration when you require centralized control and management of identities and resource credentials.
+
+Azure AI Services provides an optional feature to "Disable local authentication" using the Azure policy [Cognitive Services accounts should have local authentication methods disabled](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F71ef260a-8f18-47b7-abcb-62d0673d94dc). You can set it at the subscription level or resource group level to enforce the policy for a group of services.
+
+Disabling local authentication doesn't take effect immediately. Allow a few minutes for the service to block future authentication requests.
+
+You can use PowerShell to determine whether the local authentication policy is enabled. First sign in with the `Connect-AzAccount` command. Then use the cmdlet **[Get-AzCognitiveServicesAccount](/powershell/module/az.cognitiveservices/get-azcognitiveservicesaccount)** to retrieve your resource, and check the property `DisableLocalAuth`. A value of `true` means local authentication is disabled.
+
+
+## Re-enable local authentication
+
+To enable local authentication, execute the PowerShell cmdlet **[Set-AzCognitiveServicesAccount](/powershell/module/az.cognitiveservices/set-azcognitiveservicesaccount)** with the parameter `-DisableLocalAuth false`.  Allow a few minutes for the service to accept the change to allow local authentication requests.
+
+## Next steps
+- [Authenticate requests to Azure AI services](./authentication.md)
