Merge pull request #298119 from PatAltimore/patricka-release-2504-aio

prmerger-automator[bot] · web-flow · commit 6a338e1ed01d · 2025-04-11T16:48:08.000Z
Add CLI tab and feedback
diff --git a/articles/iot-operations/connect-to-cloud/howto-configure-dataflow-profile.md b/articles/iot-operations/connect-to-cloud/howto-configure-dataflow-profile.md
@@ -17,11 +17,11 @@ ms.date: 04/09/2025
 
 Data flow profiles can be used to group data flows together so that they share the same configuration. You can create multiple data flow profiles to manage sets of different data flow configurations. 
 
-The most important setting is the instance count, which determines the number of instances that run the data flows. For example, you might have a data flow profile with a single instance for development and testing, and another profile with multiple instances for production. Or, you might use a data flow profile with low instance count for low-throughput data flows and a profile with high instance count for high-throughput data flows. Similarly, you can create a data flow profile with different diagnostic settings for debugging purposes.
+The most important setting is the instance count. For a given data flow, the instance count determines the number of copies that run on your cluster. For example, you might have a data flow profile with a single instance for development and testing, and another profile with multiple instances for production. Or, you might use a data flow profile with low instance count for low-throughput data flows and a profile with high instance count for high-throughput data flows. Similarly, you can create a data flow profile with different diagnostic settings for debugging purposes.
 
 ## Default data flow profile
 
-A data flow profile named *default* is created when Azure IoT Operations is deployed. This data flow profile has a single instance count. You can use this data flow profile to get started with Azure IoT Operations.
+A data flow profile named *default* is created when Azure IoT Operations is deployed. You can use this data flow profile to get started with Azure IoT Operations.
 
 # [Portal](#tab/portal)
 
@@ -122,7 +122,7 @@ spec:
 
 ## Scaling
 
-You can scale the data flow profile to adjust the number of instances that run the data flows. Increasing the instance count can improve the throughput of the data flows by creating multiple clients to process the data. When using data flows with cloud services that have rate limits per client, increasing the instance count can help you stay within the rate limits.
+You can scale the data flow profile to adjust the number of instances that run the data flows. For a given data flow, instance count is the number of copies that run on your cluster. Increasing the instance count can improve the throughput of the data flows by creating multiple clients to process the data. When using data flows with cloud services that have rate limits per client, increasing the instance count can help you stay within the rate limits.
 
 Scaling can also improve the resiliency of the data flows by providing redundancy in case of failures.
 
@@ -157,7 +157,7 @@ spec:
 
 ## Diagnostic settings
 
-You can configure other diagnostics settings for a data flow profile such as log level and metrics interval. 
+You can configure other diagnostics settings for a data flow profile such as log level.
 
 In most cases, the default settings are sufficient. However, you can override the log level or other settings for debugging. 
 
diff --git a/articles/iot-operations/manage-mqtt-broker/howto-configure-authentication.md b/articles/iot-operations/manage-mqtt-broker/howto-configure-authentication.md
@@ -8,7 +8,7 @@ ms.subservice: azure-mqtt-broker
 ms.topic: how-to
 ms.custom:
   - ignite-2023
-ms.date: 02/28/2025
+ms.date: 04/10/2025
 
 #CustomerIntent: As an operator, I want to configure authentication so that I have secure MQTT broker communications.
 ---
@@ -47,6 +47,14 @@ Azure IoT Operations deploys a default BrokerAuthentication resource named `defa
 
 To add new authentication methods, select **Add method**.
 
+# [Azure CLI](#tab/cli)
+
+Use the [az iot ops broker authn show](/cli/azure/iot/ops/broker/authn#az-iot-ops-broker-authn-show) command to view the local MQTT broker default authentication policy.
+
+```azurecli
+az iot ops broker authn show --resource-group <ResourceGroupName> --instance <AioInstanceName> --broker default --name default 
+```
+
 # [Bicep](#tab/bicep)
 
 To edit the default endpoint, create a Bicep `.bicep` file with the following content. Update the settings as needed. Replace the placeholder values like `<AIO_INSTANCE_NAME>` with your own.
@@ -184,6 +192,81 @@ To add an authentication method to a policy:
 
     :::image type="content" source="media/howto-configure-authentication/create-authentication-policy.png" alt-text="Screenshot that shows using the Azure portal to add an MQTT broker authentication policy method.":::
 
+# [Azure CLI](#tab/cli)
+
+Use the [az iot ops broker authn apply](/cli/azure/iot/ops/broker/authn#az-iot-ops-broker-authn-apply) command to create or change an MQTT broker authentication policy.
+
+```azurecli
+az iot ops broker authn apply --resource-group <ResourceGroupName> --instance <AioInstanceName> --broker <BrokerName> --name <AuthenticationResourceName> --config-file <ConfigFilePathAndName>
+```
+
+The `--config-file` parameter is the path and file name of a JSON configuration file containing the resource properties.
+
+In this example, assume a configuration file named `my-authn-policy.json` with the following content stored in the user's home directory:
+
+```json
+{
+    "authenticationMethods": [
+      {
+        "customSettings": {
+          "auth": {
+            "x509": {
+              "secretRef": "custom-auth-client-cert"
+            }
+          },
+          "caCertConfigMap": "custom-auth-ca",
+          "endpoint": "https://auth-server-template",
+          "headers": {
+            "header_key": "header_value"
+          }
+        },
+        "method": "Custom"
+      },
+      {
+        "method": "ServiceAccountToken",
+        "serviceAccountTokenSettings": {
+          "audiences": [
+            "my-audience"
+          ]
+        }
+      },
+      {
+        "method": "X509",
+        "x509Settings": {
+          "authorizationAttributes": {
+            "intermediate": {
+              "attributes": {
+                "city": "seattle",
+                "foo": "bar"
+              },
+              "subject": "CN = Contoso Intermediate CA"
+            },
+            "root": {
+              "attributes": {
+                "organization": "contoso"
+              },
+              "subject": "CN = Contoso Root CA Cert, OU = Engineering, C = US"
+            },
+            "smartfan": {
+              "attributes": {
+                "building": "17"
+              },
+              "subject": "CN = smart-fan"
+            }
+          },
+          "trustedClientCaCert": "client-ca"
+        }
+      }
+    ]
+}
+```
+
+An example command to create a new authentication policy named `my-policy` is as follows:
+
+```azurecli
+az iot ops broker authn apply --resource-group myResourceGroupName --instance myAioInstanceName --broker default --name my-policy --config-file ~/my-authn-policy.json
+```
+
 # [Bicep](#tab/bicep)
 
 ```bicep
@@ -427,6 +510,37 @@ After the trusted CA certificate is imported, enable X.509 client authentication
 1. Optionally, add authorization attributes for clients by using X.509 certificates. To learn more, see [Certificate attributes for authorization](#optional-certificate-attributes-for-authorization).
 1. Select **Apply** to save the changes.
 
+# [Azure CLI](#tab/cli)
+
+Use the [az iot ops broker authn apply](/cli/azure/iot/ops/broker/authn#az-iot-ops-broker-authn-apply) command to create or change an MQTT broker authentication policy.
+
+```azurecli
+az iot ops broker authn apply --resource-group <ResourceGroupName> --instance <AioInstanceName> --broker <BrokerName> --name <AuthenticationResourceName> --config-file <ConfigFilePathAndName>
+```
+
+The `--config-file` parameter is the path and file name of a JSON configuration file containing the resource properties.
+
+In this example, assume a configuration file named `my-authn-policy.json` with an X.509 method is stored in the user's home directory:
+
+```json
+{
+    "authenticationMethods": [
+      {
+        "method": "X509",
+        "x509Settings": {
+          "trustedClientCaCert": "client-ca"
+        }
+      }
+    ]
+}
+```
+
+An example command to create a new authentication policy named `my-policy` with an X.509 method is as follows:
+
+```azurecli
+az iot ops broker authn apply --resource-group myResourceGroupName --instance myAioInstanceName --broker default --name my-policy --config-file ~/my-authn-policy.json
+```
+
 # [Bicep](#tab/bicep)
 
 ```bicep
@@ -470,7 +584,6 @@ resource myBrokerAuthentication 'Microsoft.IoTOperations/instances/brokers/authe
     ]
   }
 }
-
 ```
 
 Replace `<TRUSTED_CA_CONFIGMAP>` with the name of the ConfigMap that contains the trusted CA certificate. For example, use `client-ca`.
@@ -534,7 +647,59 @@ In the Azure portal, when you configure the X.509 authentication method, add the
   }
 }
 ```
-  
+
+# [Azure CLI](#tab/cli)
+
+Use the [az iot ops broker authn apply](/cli/azure/iot/ops/broker/authn#az-iot-ops-broker-authn-apply) command to create or change an MQTT broker authentication policy.
+
+```azurecli
+az iot ops broker authn apply --resource-group <ResourceGroupName> --instance <AioInstanceName> --broker <BrokerName> --name <AuthenticationResourceName> --config-file <ConfigFilePathAndName>
+```
+
+The `--config-file` parameter is the path and file name of a JSON configuration file containing the resource properties.
+
+In this example, assume a configuration file named `my-authn-policy.json` with an X.509 method and certificate properties is stored in the user's home directory
+
+```json
+{
+  "authenticationMethods": [
+    {
+      "method": "X509",
+      "x509Settings": {
+        "authorizationAttributes": {
+          "intermediate": {
+            "attributes": {
+              "city": "seattle",
+              "foo": "bar"
+            },
+            "subject": "CN = Contoso Intermediate CA"
+          },
+          "root": {
+            "attributes": {
+              "organization": "contoso"
+            },
+            "subject": "CN = Contoso Root CA Cert, OU = Engineering, C = US"
+          },
+          "smartfan": {
+            "attributes": {
+              "building": "17"
+            },
+            "subject": "CN = smart-fan"
+          }
+        },
+        "trustedClientCaCert": "client-ca"
+      }
+    }
+  ]
+}
+```
+
+An example command to create a new authentication policy named `my-policy` is as follows:
+
+```azurecli
+az iot ops broker authn apply --resource-group myResourceGroupName --instance myAioInstanceName --broker default --name my-policy --config-file ~/my-authn-policy.json
+```
+
 # [Bicep](#tab/bicep)
 
 ```bicep
@@ -708,6 +873,39 @@ Modify the `authenticationMethods` setting in a BrokerAuthentication resource to
 
 :::image type="content" source="media/howto-configure-authentication/sat-method.png" alt-text="Screenshot that shows using the Azure portal to set the MQTT broker SAT authentication method.":::
 
+# [Azure CLI](#tab/cli)
+
+Use the [az iot ops broker authn apply](/cli/azure/iot/ops/broker/authn#az-iot-ops-broker-authn-apply) command to create or change an MQTT broker authentication policy.
+
+```azurecli
+az iot ops broker authn apply --resource-group <ResourceGroupName> --instance <AioInstanceName> --broker <BrokerName> --name <AuthenticationResourceName> --config-file <ConfigFilePathAndName>
+```
+
+The `--config-file` parameter is the path and file name of a JSON configuration file containing the resource properties.
+
+In this example, assume a configuration file named `my-authn-policy.json` with a Kubernetes SAT method is stored in the user's home directory:
+
+```json
+{
+  "authenticationMethods": [
+    {
+      "method": "ServiceAccountToken",
+      "serviceAccountTokenSettings": {
+        "audiences": [
+          "my-audience"
+        ]
+      }
+    }
+  ]
+}
+```
+
+An example command to create a new authentication policy named `my-policy` with a Kubernetes SAT method is as follows:
+
+```azurecli
+az iot ops broker authn apply --resource-group myResourceGroupName --instance myAioInstanceName --broker default --name my-policy --config-file ~/my-authn-policy.json
+```
+
 # [Bicep](#tab/bicep)
 
 ```bicep
@@ -838,6 +1036,54 @@ Modify the **Authentication methods** setting in a BrokerAuthentication resource
 
     :::image type="content" source="media/howto-configure-authentication/custom-method.png" alt-text="Screenshot that shows using the Azure portal to set the MQTT broker Custom authentication method.":::
 
+# [Azure CLI](#tab/cli)
+
+Use the [az iot ops broker authn apply](/cli/azure/iot/ops/broker/authn#az-iot-ops-broker-authn-apply) command to create or change an MQTT broker authentication policy.
+
+```azurecli
+az iot ops broker authn apply --resource-group <ResourceGroupName> --instance <AioInstanceName> --broker <BrokerName> --name <AuthenticationResourceName> --config-file <ConfigFilePathAndName>
+```
+
+The `--config-file` parameter is the path and file name of a JSON configuration file containing the resource properties.
+
+In this example, assume a configuration file named `my-authn-policy.json` with a custom method is stored in the user's home directory:
+
+```json
+{
+  "authenticationMethods": [
+    {
+      "method": "Custom",
+      "customSettings": {
+        "auth": {
+          "x509": {
+            "secretRef": "custom-auth-client-cert"
+          }
+        },
+        "caCertConfigMap": "custom-auth-ca",
+        "endpoint": "https://auth-server-template",
+        "headers": {
+          "header_key": "header_value"
+        }
+      }
+    },
+    {
+      "method": "ServiceAccountToken",
+      "serviceAccountTokenSettings": {
+        "audiences": [
+          "my-audience"
+        ]
+      }
+    }
+  ]
+}
+```
+
+An example command to create a new authentication policy named `my-policy` with a Kubernetes SAT method is as follows:
+
+```azurecli
+az iot ops broker authn apply --resource-group myResourceGroupName --instance myAioInstanceName --broker default --name my-policy --config-file ~/my-authn-policy.json
+```
+
 # [Bicep](#tab/bicep)
 
 ```bicep
@@ -930,6 +1176,20 @@ For testing, you can disable authentication for a broker listener port. We don't
 1. Select the broker listener you want to edit from the list.
 1. On the port where you want to disable authentication, select **None** in the authentication dropdown.
 
+# [Azure CLI](#tab/cli)
+
+Use the [az iot ops broker listener port add](/cli/azure/iot/ops/broker/listener#az-iot-ops-broker-listener-port-add) command to disable authentication for a port. To disable authentication, don't include the `--authn-ref` parameter.
+
+```azurecli
+az iot ops broker listener port add --resource-group <ResourceGroupName> --instance <AioInstanceName> --broker default --name <ListenerName> --port <ListenerServicePort>
+```
+
+The following example disables authentication for port 8884 to the listener named `aio-broker-loadbalancer`:
+
+```azurecli
+az iot ops broker listener port add --resource-group myResourceGroupName --instance myAioInstanceName --broker default --name aio-broker-loadbalancer --port 8884
+```
+
 # [Bicep](#tab/bicep)
 
 To disable authentication, omit `authenticationRef` in the `ports` setting of your BrokerListener resource.
diff --git a/articles/iot-operations/manage-mqtt-broker/howto-configure-brokerlistener.md b/articles/iot-operations/manage-mqtt-broker/howto-configure-brokerlistener.md
@@ -620,7 +620,7 @@ The following example is a BrokerListener resource that enables TLS on port 8884
 
 # [Azure CLI](#tab/cli)
 
-Use the [az iot ops broker listener port add](/cli/azure/iot/ops/broker/listener#az-iot-ops-broker-listener-port-add) command to add or change a TCP port configuration to an MQTT broker listener service.
+Use the [az iot ops broker listener port add](/cli/azure/iot/ops/broker/listener#az-iot-ops-broker-listener-port-add) command to add or change a TCP port configuration to an MQTT broker listener service. If the listener exists, the command updates the existing listener. If the listener doesn't exist, the command creates a new listener.
 
 ```azurecli
 az iot ops broker listener port add --resource-group <ResourceGroupName> --instance <AioInstanceName> --broker default --name <ListenerName> --port <ListenerServicePort> --authn-ref default --tls-issuer-ref name=<IssuerName> kind=<IssuerKind> group=<IssuerGroup>
@@ -838,7 +838,7 @@ The following example shows a BrokerListener resource that enables TLS on port 8
 
 # [Azure CLI](#tab/cli)
 
-Use the [az iot ops broker listener port add](/cli/azure/iot/ops/broker/listener#az-iot-ops-broker-listener-port-add) command to add or change the port configuration for an MQTT broker listener service.
+Use the [az iot ops broker listener port add](/cli/azure/iot/ops/broker/listener#az-iot-ops-broker-listener-port-add) command to add or change a TCP port configuration to an MQTT broker listener service. If the listener exists, the command updates the existing listener. If the listener doesn't exist, the command creates a new listener.
 
 ```azurecli
 az iot ops broker listener port add --resource-group <ResourceGroupName> --instance <AioInstanceName> --broker default --listener <ListenerName> --port <ListenerServicePort> --authn-ref default --tls-man-secret-ref <SecretReferenceName>
