Merge pull request #272260 from Padmalathas/BatchFixes-Patch1

Invalid JSON Fix and Authentication Mode Fix

Author: v-dirichards

articles/batch/automatic-certificate-rotation.md

@@ -3,7 +3,7 @@ title: Enable automatic certificate rotation in a Batch pool
 description: You can create a Batch pool with a managed identity and a certificate that can automatically be renewed.
 ms.topic: conceptual
 ms.custom:
-ms.date: 12/05/2023
+ms.date: 04/16/2024
 ---
 
 # Enable automatic certificate rotation in a Batch pool
@@ -143,7 +143,7 @@ Request Body for Windows node
                                 "requireInitialSync": true,
                                 "observedCertificates": [
                                     {
-                                        "https://testkvwestus2s.vault.azure.net/secrets/authcertforumatesting/8f5f3f491afd48cb99286ba2aacd39af",
+                                        "url": "https://testkvwestus2s.vault.azure.net/secrets/authcertforumatesting/8f5f3f491afd48cb99286ba2aacd39af",
                                         "certificateStoreLocation": "LocalMachine",
                                         "keyExportable": true
                                     }
@@ -186,7 +186,7 @@ root@74773db5fe1b42ab9a4b6cf679d929da000000:/var/lib/waagent/Microsoft.Azure.Key
 
 ## Troubleshooting Key Vault Extension
 
-If Key Vault extension is configured incorrectly, the compute node might be in usuable state. To troubleshoot Key Vault extension failure, you can temporarily set requireInitialSync to false and redeploy your pool, then the compute node is in idle state, you can log in to the compute node to check KeyVault extension logs for errors and fix the configuration issues. Visit following Key Vault extension doc link for more information.
+If Key Vault extension is configured incorrectly, the compute node might be in usable state. To troubleshoot Key Vault extension failure, you can temporarily set requireInitialSync to false and redeploy your pool, then the compute node is in idle state, you can log in to the compute node to check KeyVault extension logs for errors and fix the configuration issues. Visit following Key Vault extension doc link for more information.
 
 - [Azure Key Vault extension for Linux](../virtual-machines/extensions/key-vault-linux.md)
 - [Azure Key Vault extension for Windows](../virtual-machines/extensions/key-vault-windows.md)

articles/batch/batch-account-create-portal.md

@@ -2,7 +2,7 @@
 title: Create a Batch account in the Azure portal
 description: Learn how to use the Azure portal to create and manage an Azure Batch account for running large-scale parallel workloads in the cloud.
 ms.topic: how-to
-ms.date: 04/04/2024
+ms.date: 04/16/2024
 ms.custom: subject-rbac-steps, linux-related-content
 ---
 
@@ -138,6 +138,23 @@ To create a Batch account in user subscription mode:
 1. After you select the key vault, select the checkbox next to **I agree to grant Azure Batch access to this key vault**.
 1. Select **Review + create**, and then select **Create** to create the Batch account.
 
+### Create a Batch account with designated authentication mode
+
+To create a Batch account with authentication mode settings:
+
+1. Follow the preceding instructions to [create a Batch account](#create-a-batch-account), but select **Batch Service** for **Authentication mode** on the **Advanced** tab of the **New Batch account** page.
+1. You must then select **Authentication mode** to define which authentication mode that a Batch account can use by authentication mode property key.
+1. You can select either of the 3 **"Microsoft Entra ID**, **Shared Key**, **Task Authentication Token** authentication mode for the Batch account to support or leave the settings at default values. 
+
+   :::image type="content" source="media/batch-account-create-portal/authentication-mode-property.png" alt-text="Screenshot of the Authentication Mode options when creating a Batch account.":::
+1. Leave the remaining settings at default values, select **Review + create**, and then select **Create**.
+
+> [!TIP]
+> For enhanced security, it is advised to confine the authentication mode of the Batch account solely to **Microsoft Entra ID**. This measure mitigates the risk of shared key exposure and introduces additional RBAC controls. For more details, see [Batch security best practices](./security-best-practices.md#batch-account-authentication).
+
+> [!WARNING]
+> The **Task Authentication Token** will retire on September 30, 2024. Should you require this feature, it is recommended to use [User assigned managed identity](./managed-identity-pools.md) in the Batch pool as an alternative. 
+
 ### Grant access to the key vault manually
 
 You can also grant access to the key vault manually.