Merge pull request #303513 from SoniaLopezBravo/aio-rbac

AnnaMHuff · web-flow · commit 6cd1f221f351 · 2025-07-30T13:43:35.000-06:00
Adding new built-in rbac
diff --git a/articles/iot-operations/deploy-iot-ops/howto-deploy-iot-operations.md b/articles/iot-operations/deploy-iot-ops/howto-deploy-iot-operations.md
@@ -146,6 +146,13 @@ One at a time, run each Azure CLI command on the **Automation** tab in a termina
    az extension add --upgrade --name azure-iot-ops
    ```
 
+    > [!IMPORTANT]
+    > For [preview releases](./howto-upgrade.md#upgrade-to-preview-version), you need to append the `--allow-preview` flag to the `az extension add` command to install the preview version of the Azure IoT Operations CLI extension.
+    >
+    > ```azurecli
+    > az extension add --upgrade --name azure-iot-ops --allow-preview
+    > ```
+
 1. Copy and run the provided [az iot ops schema registry create](/cli/azure/iot/ops/schema/registry#az-iot-ops-schema-registry-create) command to create a schema registry which is used by Azure IoT Operations components. If you chose to use an existing schema registry, this command isn't displayed on the **Automation** tab.
 
    > [!NOTE]
@@ -163,6 +170,9 @@ One at a time, run each Azure CLI command on the **Automation** tab in a termina
       1. In the left menu, select **Namespaces**. 
       1. Then select **+ Create** to create a new namespace. Make sure to use the same resource group as your Arc-enabled Kubernetes cluster.
 
+    > [!NOTE]
+    > Namespace resources are available from [2507 preview release](https://github.com/Azure/azure-iot-operations/releases/tag/v1.2.35). If you're using an earlier release version, namespaces aren't available and you can skip this step. 
+
 1. To prepare the cluster for Azure IoT Operations deployment, copy and run the provided [az iot ops init](/cli/azure/iot/ops#az-iot-ops-init) command.
 
    > [!TIP]
@@ -174,25 +184,26 @@ One at a time, run each Azure CLI command on the **Automation** tab in a termina
 
     * If you want to use an existing namespace, add the following parameter to the `create` command:
 
-    ```azurecli
-    --ns-resource-id $(az iot ops ns show --name <my namespace name> --resource-group $RESOURCE_GROUP -o tsv --query id)
-    ```
+        ```azurecli
+        --ns-resource-id $(az iot ops ns show --name <my namespace name> --resource-group $RESOURCE_GROUP -o tsv --query id)
+        ```
 
    * If you want to use the preview connector configuration, add the following parameter to the `create` command:
 
-      ```bash
-      --feature connectors.settings.preview=Enabled
-      ```
+        ```bash
+        --feature connectors.settings.preview=Enabled
+        ```
+    
+        > [!NOTE]
+        > The `--feature` configuration parameter is only available in the [latest GA version](https://github.com/Azure/azure-iot-operations/releases/tag/v1.1.59). If you're using the [2507 preview release](https://github.com/Azure/azure-iot-operations/releases/tag/v1.2.35), this parameter isn't available.
 
     * If you followed the optional prerequisites to set up your own certificate authority issuer, add the `--trust-settings` parameters to the `create` command:
 
-    ```bash
-    --trust-settings configMapName=<CONFIGMAP_NAME> configMapKey=<CONFIGMAP_KEY_WITH_PUBLICKEY_VALUE> issuerKind=<CLUSTERISSUER_OR_ISSUER> issuerName=<ISSUER_NAME>
-    ```
-
-1. Enable secret sync for the deployed Azure IoT Operations instance. Copy and run the provided [az iot ops secretsync enable](/cli/azure/iot/ops/secretsync#az-iot-ops-secretsync-enable) command.
+        ```bash
+        --trust-settings configMapName=<CONFIGMAP_NAME> configMapKey=<CONFIGMAP_KEY_WITH_PUBLICKEY_VALUE> issuerKind=<CLUSTERISSUER_OR_ISSUER> issuerName=<ISSUER_NAME>
+        ```
 
-   This command:
+1. Enable secret sync for the deployed Azure IoT Operations instance. Copy and run the provided [az iot ops secretsync enable](/cli/azure/iot/ops/secretsync#az-iot-ops-secretsync-enable) command. This command:
 
    * Creates a federated identity credential using the user-assigned managed identity.
    * Adds a role assignment to the user-assigned managed identity for access to the Azure Key Vault.
diff --git a/articles/iot-operations/deploy-iot-ops/howto-deploy-iot-test-operations.md b/articles/iot-operations/deploy-iot-ops/howto-deploy-iot-test-operations.md
@@ -132,6 +132,14 @@ One at a time, run each Azure CLI command on the **Automation** tab in a termina
     az extension add --upgrade --name azure-iot-ops
     ```
 
+
+    > [!IMPORTANT]
+    > For [preview releases](./howto-upgrade.md#upgrade-to-preview-version), you need to append the `--allow-preview` flag to the `az extension add` command to install the preview version of the Azure IoT Operations CLI extension.
+    >
+    > ```azurecli
+    > az extension add --upgrade --name azure-iot-ops --allow-preview
+    > ```
+
 1. Copy and run the provided [az iot ops schema registry create](/cli/azure/iot/ops/schema/registry#az-iot-ops-schema-registry-create) command to create a schema registry which is used by Azure IoT Operations components. If you chose to use an existing schema registry, this command isn't displayed on the **Automation** tab.
 
 1. Azure IoT Operations uses *namespaces* to organize assets and devices. Each Azure IoT Operations instance uses a single namespace for its assets and devices. You can use an existing namespace or run the `az iot ops ns create` command to create an Azure Device Registry namespace. Replace `<my namespace name>` with a unique name for your namespace.
@@ -145,6 +153,9 @@ One at a time, run each Azure CLI command on the **Automation** tab in a termina
       1. In the search box, type and select **Azure Device Registry**.
       1. In the left menu, select **Namespaces**. 
       1. Then select **+ Create** to create a new namespace. Make sure to use the same resource group as your Arc-enabled Kubernetes cluster.
+    
+    > [!NOTE]
+    > Namespace resources are available from [2507 preview release](https://github.com/Azure/azure-iot-operations/releases/tag/v1.2.35). If you're using an earlier release version, namespaces aren't available and you can skip this step. 
 
 1. Prepare the cluster for Azure IoT Operations deployment. Copy and run the provided [az iot ops init](/cli/azure/iot/ops#az-iot-ops-init) command.
 
@@ -157,15 +168,18 @@ One at a time, run each Azure CLI command on the **Automation** tab in a termina
 
     * If you want to use an existing namespace, add the following parameter to the `create` command:
 
-    ```azurecli
-    --ns-resource-id $(az iot ops ns show --name <my namespace name> --resource-group $RESOURCE_GROUP -o tsv --query id)
-    ```
+        ```azurecli
+        --ns-resource-id $(az iot ops ns show --name <my namespace name> --resource-group $RESOURCE_GROUP -o tsv --query id)
+        ```
 
     * If you want to use the preview connector configuration, add the following parameter to the `create` command:
 
-    ```azurecli
-    --feature connectors.settings.preview=Enabled
-    ```
+        ```azurecli
+        --feature connectors.settings.preview=Enabled
+        ```
+    
+        > [!NOTE]
+        > The `--feature` configuration parameter is only available in the [latest GA version](https://github.com/Azure/azure-iot-operations/releases/tag/v1.1.59). If you're using the [2507 preview release](https://github.com/Azure/azure-iot-operations/releases/tag/v1.2.35), this parameter isn't available.
 
 1. Once all of the Azure CLI commands complete successfully, you can close the **Install Azure IoT Operations** wizard.
 
diff --git a/articles/iot-operations/deploy-iot-ops/howto-enable-secure-settings.md b/articles/iot-operations/deploy-iot-ops/howto-enable-secure-settings.md
@@ -1,5 +1,5 @@
 ---
-title: Enable secure settings
+title: Enable Secure Settings to a Test Instance 
 description: Enable secure settings in your Azure IoT Operations instance for developing a production-ready scenario.
 author: asergaz
 ms.author: sergaz
diff --git a/articles/iot-operations/deploy-iot-ops/overview-deploy.md b/articles/iot-operations/deploy-iot-ops/overview-deploy.md
@@ -72,11 +72,14 @@ The following table describes Azure IoT Operations deployment and management tas
 
 | Task | Required permission | Comments |
 | ---- | ------------------- | -------- |
-| Deploy Azure IoT Operations | **Contributor** role at the resource group level. |  |
-| Register resource providers | Microsoft.ExtendedLocation/register/action Microsoft.SecretSyncController/register/action Microsoft.Kubernetes/register/action Microsoft.KubernetesConfiguration/register/action Microsoft.IoTOperations/register/action Microsoft.DeviceRegistry/register/action| Only required to do once per subscription. |
-| Create a schema registry. | **Microsoft.Authorization/roleAssignments/write** permissions at the resource group level. |  |
-| Create secrets in Key Vault | **Key Vault Secrets Officer** role at the resource level. | Only required for secure settings deployment. |
-| Enable resource sync rules on an Azure IoT Operations instance | **Microsoft.Authorization/roleAssignments/write** permissions at the resource group level. | Resource sync rules are disabled by default, but can be enabled as part of the [az iot ops rsync](/cli/azure/iot/ops#az-iot-ops-rsync) command. |
+| Deploy Azure IoT Operations | [Azure IoT Operations Onboarding role](../secure-iot-ops/built-in-rbac.md#azure-iot-operations-onboarding-role) | This role has all required permissions to read and write Azure IoT operations and Azure Device Registry resources. This role has `Microsoft.Authorization/roleAssignments/write` permissions.|
+| Register resource providers | [Contributor role](/azure/role-based-access-control/built-in-roles/privileged#contributor) at subscription level| Only required to do once per subscription. You need to register the following resource providers: `Microsoft.ExtendedLocation`, `Microsoft.SecretSyncController`, `Microsoft.Kubernetes`, `Microsoft.KubernetesConfiguration`, `Microsoft.IoTOperations`, and `Microsoft.DeviceRegistry`. |
+| Create secrets in Key Vault | [Key Vault Secrets Officer role](/azure/role-based-access-control/built-in-roles/security#key-vault-secrets-officer) at the resource level | Only required for secure settings deployment to synchronize secrets from Azure Key Vault. |
+| Create and manage storage accounts | [Storage Account Contributor role](/azure/role-based-access-control/built-in-roles/storage#storage-account-contributor) | Required for Azure IoT Operations deployment. |
+| Create a resource group | Resource Group Contributor role | Required to create a resource group for storing Azure IoT Operations resources. |
+| Onboard a cluster to Azure Arc | [Kubernetes Cluster - Azure Arc Onboarding role](/azure/role-based-access-control/built-in-roles/containers#kubernetes-cluster---azure-arc-onboarding) | Arc-enabled clusters are required to deploy Azure IoT Operations. |
+| Manage deployment of Azure resource bridge| [Azure Resource Bridge Deployment role](/azure/role-based-access-control/built-in-roles/hybrid-multicloud#azure-resource-bridge-deployment-role) | Required to deploy Azure IoT Operations. |
+| Provide permissions to deployment| [Azure Arc Enabled Kubernetes Cluster User role](/azure/role-based-access-control/built-in-roles/containers#azure-arc-enabled-kubernetes-cluster-user-role) | Required to grant permission of deployment to the Azure Arc-enabled Kubernetes cluster. |
 
 > [!TIP]
 > You must enable resource sync rules on the Azure IoT Operations instance to use the automatic asset discovery capabilities of the Akri services. To learn more, see [What is OPC UA asset discovery (preview)?](../discover-manage-assets/overview-akri.md).
diff --git a/articles/iot-operations/includes/supported-versions.md b/articles/iot-operations/includes/supported-versions.md
@@ -3,15 +3,16 @@ title: include file
 description: include file with details of currently supported versions
 author: dominicbetts
 ms.topic: include
-ms.date: 06/16/2025
+ms.date: 07/30/2025
 ms.author: dobett
 ---
 
 Microsoft always supports three generally available (GA) versions of Azure IoT Operations at any one time: the latest version, and the two previous minor versions.
 
 Currently, there are only two minor versions available. [Azure support](https://azure.microsoft.com/support/plans) is currently available for the following versions:
 
-- [1.1.x](https://github.com/Azure/azure-iot-operations/releases/tag/v1.1.19) (latest GA version)
+- [1.2.x](https://github.com/Azure/azure-iot-operations/releases/tag/v1.2.35) (latest preview version)
+- [1.1.x](https://github.com/Azure/azure-iot-operations/releases/tag/v1.1.59) (latest GA version)
 - [1.0.x](https://github.com/Azure/azure-iot-operations/releases/tag/v1.0.9) (previous minor GA version)
 
 > [!IMPORTANT]
diff --git a/articles/iot-operations/reference/custom-rbac.md b/articles/iot-operations/reference/custom-rbac.md
@@ -1,5 +1,5 @@
 ---
-title: Custom RBAC for your resources
+title: Custom RBAC Roles
 description: Use the Azure portal to secure access to Azure IoT Operations resources such as data flows and assets by using Azure role-based access control.
 author: dominicbetts
 ms.author: dobett
@@ -9,26 +9,33 @@ ms.date: 04/16/2025
 #CustomerIntent: As an IT administrator, I want configure Azure RBAC custom roles on resources in my Azure IoT Operations instance to control access to them.
 ---
 
-# Custom RBAC for your Azure IoT Operations resources
+# Custom RBAC roles for your Azure IoT Operations resources
 
-To define custom roles that grant specific permissions to users, you can use Azure RBAC. For example, you can define an **Onboarding** role that grants sufficient permissions to a user to complete the Azure Arc connect process and deploy Azure IoT Operations securely.
-
-This article includes a list of example that you can download and use in your environment. These custom roles are JSON files that list the specific permissions and scope for the role.
+To define custom roles that grant specific permissions to users, you can use Azure RBAC. This article includes a list of example that you can download and use as reference to build your custom roles. 
 
 To learn more about custom roles in Azure RBAC, see [Azure custom roles](/azure/role-based-access-control/custom-roles).
 
-## Example custom roles
+Azure IoT operations also offers built-in roles designed to simplify and secure access management for Azure IoT Operations resources. For more information, see [Built-in RBAC roles for IoT Operations](../secure-iot-ops/built-in-rbac.md).
+
+## Examples of custom roles
 
-The following sections list the example Azure IoT Operations custom roles you can download and use:
+The following sections list the example Azure IoT Operations custom roles you can download and use as reference. These custom roles are JSON files that list the specific permissions and scope for the role, which you should use as a starting point to create your own custom roles.
+
+> [!NOTE]
+> The following custom roles are examples only. You need to review and modify the permissions in the JSON files to suit your specific requirements.
 
 ### Onboarding roles
 
+You can define an *Onboarding* role that grants sufficient permissions to a user to complete the Azure Arc connect process and deploy Azure IoT Operations securely.
+
 | Custom role | Description |
 | ----------- | ----------- |
 | [Onboarding](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Onboarding.json) | This is privileged role. The user can complete Azure Arc connect process and deploy Azure IoT Operations securely. |
 
 ### Viewer roles
 
+You can define different *Viewer* roles that grant read-only access to the Azure IoT Operations instance and its resources. These roles are useful for users who need to monitor the instance without making changes.
+
 | Custom role | Description |
 | ----------- | ----------- |
 | [Instance viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Instance%20Viewer.json) | This role allows the user to view the Azure IoT Operations instance. |
@@ -41,6 +48,8 @@ The following sections list the example Azure IoT Operations custom roles you ca
 
 ### Administrator roles
 
+You can define different *Administrator* roles that grant full access to the Azure IoT Operations instance and its resources. These roles are useful for users who need to manage the instance and its resources.
+
 | Custom role | Description |
 | ----------- | ----------- |
 | [Instance administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Instance%20Administrator.json) | This is privileged role. The user can deploy an instance. The role includes permissions to create and update instances, brokers, authentications, listeners, dataflow profiles, dataflow endpoints, schema registries, and user assigned identities. The role also includes permission to delete instances. |
diff --git a/articles/iot-operations/secure-iot-ops/built-in-rbac.md b/articles/iot-operations/secure-iot-ops/built-in-rbac.md
diff --git a/articles/iot-operations/secure-iot-ops/howto-manage-certificates.md b/articles/iot-operations/secure-iot-ops/howto-manage-certificates.md
diff --git a/articles/iot-operations/toc.yml b/articles/iot-operations/toc.yml
