Merge pull request #277025 from HeidiSteen/heidist-june3

[azure search] Moved enable roles to standalone article

Author: Jak-MS

articles/search/TOC.yml

@@ -418,6 +418,10 @@
     href: hybrid-search-how-to-query.md
   - name: Security
     items:
+    - name: Enable role-based access control
+      href: search-security-enable-roles.md
+    - name: Configure a managed identity
+      href: search-howto-managed-identities-data-sources.md
     - name: Inbound connections
       items:
       - name: Connect using API keys
@@ -438,8 +442,6 @@
         href: search-indexer-howto-access-trusted-service-exception.md
       - name: Connect using a managed identity
         items:
-        - name: Any Azure resource
-          href: search-howto-managed-identities-data-sources.md
         - name: Azure Storage
           href: search-howto-managed-identities-storage.md
         - name: Azure Cosmos DB
@@ -472,16 +474,16 @@
       href: search-api-versions.md
     - name: Preview features
       href: search-api-preview.md
-    - name: Handle concurrent updates
-      href: search-howto-concurrency.md
-    - name: Develop in .NET
-      href: search-howto-dotnet-sdk.md
+    - name: Upgrade the REST API
+      href: search-api-migration.md
     - name: Upgrade .NET libraries
       href: search-dotnet-sdk-migration-version-11.md
+    - name: Develop in .NET
+      href: search-howto-dotnet-sdk.md
     - name: Manage with Azure SDKs
       href: search-dotnet-mgmt-sdk-migration.md
-    - name: Upgrade the REST API
-      href: search-api-migration.md
+    - name: Handle concurrent updates
+      href: search-howto-concurrency.md
   - name: Monitoring and performance
     items:
     - name: Monitor

articles/search/media/search-security-rbac/search-security-enable-roles.png

@@ -61,7 +61,7 @@ If you're starting with the free service, you're limited to three indexes, three
 
 We recommend role assignments for search service connections to other resources. 
 
-1. On Azure AI Search, [enable role-based access](search-security-rbac.md#enable-role-based-access-for-data-plane-operations).
+1. On Azure AI Search, [enable role-based access](search-security-enable-roles.md).
 
 1. Configure your search service to [use a system or user-assigned managed identity](search-howto-managed-identities-data-sources.md#create-a-system-managed-identity). 
 

articles/search/search-get-started-portal-import-vectors.md

@@ -42,7 +42,7 @@ This article uses the REST APIs to illustrate each step.
   + [Use data pipelines](/fabric/data-engineering/tutorial-lakehouse-data-ingestion) from [Microsoft Fabric](https://fabric.microsoft.com/)
   + [Add shortcuts](/fabric/onelake/create-onelake-shortcut) from external data sources like [Amazon S3](/fabric/onelake/create-s3-shortcut) or [Google Cloud Storage](/fabric/onelake/create-gcs-shortcut).  
 
-+ A search service configured for either a [system managed identity](search-howto-managed-identities-data-sources.md#create-a-system-managed-identity) or [user-assigned assigned managed identity](search-howto-managed-identities-data-sources.md#create-a-user-assigned-managed-identity-preview). 
++ A search service configured for either a [system managed identity](search-howto-managed-identities-data-sources.md#create-a-system-managed-identity) or [user-assigned assigned managed identity](search-howto-managed-identities-data-sources.md#create-a-user-assigned-managed-identity). 
 
 + A Contributor role assignment in the Microsoft Fabric workspace where the lakehouse is located. Steps are outlined in the [Grant permissions](#assign-service-permissions) section of this article.
 

articles/search/search-how-to-index-onelake-files.md

@@ -64,7 +64,7 @@ All calls to the Management REST API are authenticated through Microsoft Entra I
    GET https://management.azure.com/subscriptions/{{subscriptionId}}/providers/Microsoft.Search/searchServices?api-version=2023-11-01
    ```
 
-1. Use PATCH to update service configuration. The following modifications enable both keys and role-based access. If you want a roles-only configuration, see [Disable API keys](search-security-rbac.md#disable-api-key-authentication).
+1. Use PATCH to update service configuration. The following modifications enable both keys and role-based access. If you want a roles-only configuration, see [Disable API keys](search-security-enable-roles.md#disable-api-key-authentication).
 
    Under "properties", set ["authOptions"](/rest/api/searchmanagement/services/create-or-update#dataplaneauthoptions) to "aadOrApiKey". The "disableLocalAuth" property must be false to set "authOptions".
 

articles/search/search-howto-aad.md

@@ -8,141 +8,117 @@ manager: nitinme
 
 ms.service: cognitive-search
 ms.topic: how-to
-ms.date: 02/22/2024
+ms.date: 06/03/2024
 ms.custom:
   - subject-rbac-steps
   - ignite-2023
 ---
 
-# Set up an indexer connection to Azure Storage using a managed identity
+# Connect to Azure Storage using a managed identity (Azure AI Search)
 
-This article explains how to set up an indexer connection to an Azure Storage account using a managed identity instead of providing credentials in the connection string.
+This article explains how to configure a search service connection to an Azure Storage account using a managed identity instead of providing credentials in the connection string.
 
-You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Microsoft Entra logins and require Azure role assignments to access data in Azure Storage. 
+You can use a system-assigned managed identity or a user-assigned managed identity. Managed identities are Microsoft Entra logins and require role assignments for access to Azure Storage. 
+
+## Prerequisites
+
++ Azure AI Search, Basic tier or higher, with a [managed identity](search-howto-managed-identities-data-sources.md).
 
 > [!NOTE]
 > If storage is network-protected and in the same region as your search service, you must use a system-assigned managed identity and either one of the following network options: [connect as a trusted service](search-indexer-howto-access-trusted-service-exception.md), or [connect using the resource instance rule](../storage/common/storage-network-security.md#grant-access-from-azure-resource-instances). 
 
-## Prerequisites
-
-* [Create a managed identity](search-howto-managed-identities-data-sources.md) for your search service.
+## Create a role assignment in Azure Storage
 
-* [Assign a role](search-howto-managed-identities-data-sources.md#assign-a-role) in Azure Storage: 
+1. Sign in to Azure portal and find your storage account.
+1. Select **Access control (IAM)**.
+1. Select **Add** and then select **Role assignment**.
+1. From the list of job function roles, select the roles needed for your search service:
 
-  * Choose **Storage Blob Data Reader** for data read access in Blob Storage and ADLS Gen2. 
+   | Task | Role assignment |
+   |------|-----------------|
+   | Blob indexing using an indexer | Add **Storage Blob Data Reader** |
+   | ADLS Gen2 indexing using an indexer | Add **Storage Blob Data Reader** |
+   | Table indexing using an indexer | Add **Reader and Data Access** |
+   | File indexing using an indexer | Add **Reader and Data Access** |
+   | Write to a knowledge store | Add **Storage Blob DataContributor** for object and file projections, and **Reader and Data Access** for table projections. |
+   | Write to an enrichment cache | Add **Storage Blob Data Contributor**  |
+   | Save debug session state | Add **Storage Blob Data Contributor**  |
 
-  * Choose **Reader and Data** for data read access in Table Storage and File Storage.
+1. Select **Next**.
+1. Select **Managed identity** and then select **Members**.
+1. Filter by system-assigned managed identities or user-assigned managed identities. If you don't have a managed identity, see [Configure search to use a managed identity](search-howto-managed-identities-data-sources.md). If you already set one up but it's not available, give it a few minutes.
+1. Select the identity and save the role assignment.
 
-* You should be familiar with [indexer concepts](search-indexer-overview.md) and [configuration](search-howto-indexing-azure-blob-storage.md).
+## Specify a managed identity in a connection string
 
-> [!TIP]
-> For a code example in C#, see [Index Data Lake Gen2 using Microsoft Entra ID](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/main/data-lake-gen2-acl-indexing/README.md) on GitHub.
+Once you have a role assignment, you can set up a connection to Azure Storage that operates under that role.
 
-## Create the data source
+Indexers use a data source object for connections to an external data source. This section explains how to specify a system-assigned managed identity or a user-assigned managed identity on a data source connection string. You can find more [connection string examples](search-howto-managed-identities-data-sources.md#connection-string-examples) in the managed identity article.
 
-Create the data source and provide either a system-assigned managed identity or a user-assigned managed identity (preview). 
+> [!TIP]
+> You can create a data source connection to Azure Storage in the Azure portal, specifying either a system or user-assigned managed identity, and then view the JSON definition to see how the connection string is formulated.
 
 ### System-assigned managed identity
 
-The [REST API](/rest/api/searchservice/create-data-source), Azure portal, and the [.NET SDK](/dotnet/api/azure.search.documents.indexes.models.searchindexerdatasourceconnection) support using a system-assigned managed identity.
+You must have a [system-assigned managed identity already configured](search-howto-managed-identities-data-sources.md), and it must have a role-assignment on Azure Storage. 
 
-When you're connecting with a system-assigned managed identity, the only change to the data source definition is the format of the "credentials" property. Provide a ResourceId that has no account key or password. The ResourceId must include the subscription ID of the storage account, the resource group of the storage account, and the storage account name.
+For connections made using a system-assigned managed identity, the only change to the [data source definition](/rest/api/searchservice/create-data-source) is the format of the `credentials` property. 
 
-Here's an example of how to create a data source to index data from a storage account using the [Create Data Source](/rest/api/searchservice/create-data-source) REST API and a managed identity connection string. The managed identity connection string format is the same for the REST API, .NET SDK, and the Azure portal.
+Provide a `ResourceId` that has no account key or password. The `ResourceId` must include the subscription ID of the storage account, the resource group of the storage account, and the storage account name.
 
 ```http
 POST https://[service name].search.windows.net/datasources?api-version=2023-11-01
-Content-Type: application/json
-api-key: [admin key]
 
 {
     "name" : "blob-datasource",
     "type" : "azureblob",
     "credentials" : { 
-        "connectionString" : "ResourceId=/subscriptions/[subscription ID]/resourceGroups/[resource group name]/providers/Microsoft.Storage/storageAccounts/[storage account name]/;" 
+        "connectionString" : "ResourceId=/subscriptions/00000000-0000-0000-0000-00000000/resourceGroups/MY-DEMO-RESOURCE-GROUP/providers/Microsoft.Storage/storageAccounts/MY-DEMO-STORAGE-ACCOUNT/;" 
     },
     "container" : { 
         "name" : "my-container", "query" : "<optional-virtual-directory-name>" 
     }
 }   
 ```
 
-### User-assigned managed identity (preview)
+### User-assigned managed identity
 
-The 2021-04-30-preview REST API supports connections based on a user-assigned managed identity. When you're connecting with a user-assigned managed identity, there are two changes to the data source definition:
+You must have a [user-assigned managed identity already configured](search-howto-managed-identities-data-sources.md) and associated with your search service, and the identity must have a role-assignment on Azure Storage. 
 
-* First, the format of the "credentials" property is a ResourceId that has no account key or password. The ResourceId must include the subscription ID of the storage account, the resource group of the storage account, and the storage account name. This format is the same format as the system-assigned managed identity.
+Connections made through user-assigned managed identities use the same credentials as a system-assigned managed identity, plus an extra identity property that contains the collection of user-assigned managed identities. Only one user-assigned managed identity should be provided when creating the data source. Set `userAssignedIdentity` to the user-assigned managed identity..
 
-* Second, add an "identity" property that contains the collection of user-assigned managed identities. Only one user-assigned managed identity should be provided when creating the data source. Set it to type "userAssignedIdentities".
+Provide a `ResourceId` that has no account key or password. The `ResourceId` must include the subscription ID of the storage account, the resource group of the storage account, and the storage account name.
 
-Here's an example of how to create an indexer data source object using the [preview Create or Update Data Source](/rest/api/searchservice/preview-api/create-or-update-data-source) REST API:
+Provide an `identity` using the syntax shown in the following example.
 
 ```http
-POST https://[service name].search.windows.net/datasources?api-version=2021-04-30-preview
-Content-Type: application/json
-api-key: [admin key]
+POST https://[service name].search.windows.net/datasources?api-version=2023-11-01
 
 {
     "name" : "blob-datasource",
     "type" : "azureblob",
     "credentials" : { 
-        "connectionString" : "ResourceId=/subscriptions/[subscription ID]/resourceGroups/[resource group name]/providers/Microsoft.Storage/storageAccounts/[storage account name]/;" 
+        "connectionString" : "ResourceId=/subscriptions/00000000-0000-0000-0000-00000000/resourceGroups/MY-DEMO-RESOURCE-GROUP/providers/Microsoft.Storage/storageAccounts/MY-DEMO-STORAGE-ACCOUNT/;" 
     },
     "container" : { 
         "name" : "my-container", "query" : "<optional-virtual-directory-name>" 
     },
     "identity" : { 
         "@odata.type": "#Microsoft.Azure.Search.DataUserAssignedIdentity",
-        "userAssignedIdentity" : "/subscriptions/[subscription ID]/resourcegroups/[resource group name]/providers/Microsoft.ManagedIdentity/userAssignedIdentities/[managed identity name]" 
+        "userAssignedIdentity" : "/subscriptions/00000000-0000-0000-0000-00000000/resourcegroups/MY-DEMO-RESOURCE-GROUP/providers/Microsoft.ManagedIdentity/userAssignedIdentities/MY-DEMO-USER-MANAGED-IDENTITY" 
     }
 }   
 ```
 
-## Create the index
-
-The index specifies the fields in a document, attributes, and other constructs that shape the search experience.
-
-Here's a [Create Index](/rest/api/searchservice/create-index) REST API call with a searchable `content` field to store the text extracted from blobs:
-
-```http
-POST https://[service name].search.windows.net/indexes?api-version=2023-11-01
-Content-Type: application/json
-api-key: [admin key]
-
-{
-        "name" : "my-target-index",
-        "fields": [
-        { "name": "id", "type": "Edm.String", "key": true, "searchable": false },
-        { "name": "content", "type": "Edm.String", "searchable": true, "filterable": false, "sortable": false, "facetable": false }
-        ]
-}
-```
-
-## Create the indexer
-
-An indexer connects a data source with a target search index, and provides a schedule to automate the data refresh. Once the index and data source have been created, you're ready to create and run the indexer. If the indexer is successful, the connection syntax and role assignments are valid.
-
-Here's a [Create Indexer](/rest/api/searchservice/create-indexer) REST API call with a blob indexer definition. The indexer runs when you submit the request.
-
-```http
-POST https://[service name].search.windows.net/indexers?api-version=2023-11-01
-Content-Type: application/json
-api-key: [admin key]
-
-{
-    "name" : "blob-indexer",
-    "dataSourceName" : "blob-datasource",
-    "targetIndexName" : "my-target-index"
-}
-```
+Connection information and permissions on the remote service are validated at run time during indexer execution. If the indexer is successful, the connection syntax and role assignments are valid. For more information, see [Run or reset indexers, skills, or documents](search-howto-run-reset-indexers.md).
 
 ## Accessing network secured data in storage accounts
 
 Azure storage accounts can be further secured using firewalls and virtual networks. If you want to index content from a storage account that is secured using a firewall or virtual network, see [Make indexer connections to Azure Storage as a trusted service](search-indexer-howto-access-trusted-service-exception.md).
 
 ## See also
 
-* [Azure blob indexer](search-howto-indexing-azure-blob-storage.md)
-* [ADLS Gen2 indexer](search-howto-index-azure-data-lake-storage.md)
-* [Azure table indexer](search-howto-indexing-azure-tables.md)
-* [C# Example: Index Data Lake Gen2 using Microsoft Entra ID (GitHub)](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/main/data-lake-gen2-acl-indexing/README.md)
++ [Azure blob indexer](search-howto-indexing-azure-blob-storage.md)
++ [ADLS Gen2 indexer](search-howto-index-azure-data-lake-storage.md)
++ [Azure table indexer](search-howto-indexing-azure-tables.md)
++ [C# Example: Index Data Lake Gen2 using Microsoft Entra ID (GitHub)](https://github.com/Azure-Samples/azure-search-dotnet-utilities/blob/main/data-lake-gen2-acl-indexing/README.md)

articles/search/search-howto-managed-identities-data-sources.md

@@ -184,7 +184,7 @@ In this step, configure your search service to recognize an **authorization** he
 
 To use role-based access control for data plane operations, set `authOptions` to `aadOrApiKey` and then send the request.
 
-To use role-based access control exclusively, [turn off API key authentication](search-security-rbac.md#disable-api-key-authentication) by following up with a second request, this time setting `disableLocalAuth` to true.
+To use role-based access control exclusively, [turn off API key authentication](search-security-enable-roles.md#disable-api-key-authentication) by following up with a second request, this time setting `disableLocalAuth` to true.
 
 ```http
 PATCH https://management.azure.com/subscriptions/{{subscriptionId}}/resourcegroups/{{resource-group}}/providers/Microsoft.Search/searchServices/{{search-service-name}}?api-version=2023-11-01 HTTP/1.1