consolidate auth/auth articles

Author: kgremban

articles/iot-hub/.openpublishing.redirection.iot-hub.json

@@ -1350,32 +1350,32 @@
     },
     {
       "source_path_from_root": "/articles/iot-hub/iot-hub-x509-certificate-concepts.md",
-      "redirect_url": "/azure/iot-hub/authenticate-x509",
+      "redirect_url": "/azure/iot-hub/authenticate-authorize-x509",
       "redirect_document_id": true
     },
     {
       "source_path_from_root": "/articles/iot-hub/iot-hub-x509ca-overview.md",
-      "redirect_url": "/azure/iot-hub/authenticate-x509",
+      "redirect_url": "/azure/iot-hub/authenticate-authorize-x509",
       "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/iot-hub/iot-hub-x509ca-concept.md",
-      "redirect_url": "/azure/iot-hub/authenticate-x509",
+      "redirect_url": "/azure/iot-hub/authenticate-authorize-x509",
       "redirect_document_id": false
     },
     {
       "source_path_from_root": "/articles/iot-hub/iot-hub-dev-guide-azure-ad-rbac.md",
-      "redirect_url": "/azure/iot-hub/authenticate-azure-ad",
+      "redirect_url": "/azure/iot-hub/authenticate-authorize-azure-ad",
       "redirect_document_id": true
     },
     {
       "source_path_from_root": "/articles/iot-hub/iot-hub-dev-guide-sas.md",
-      "redirect_url": "/azure/iot-hub/authenticate-sas",
+      "redirect_url": "/azure/iot-hub/authenticate-authorize-sas",
       "redirect_document_id": true
     },
     {
       "source_path_from_root": "/articles/iot-hub/iot-hub-devguide-security.md",
-      "redirect_url": "/azure/iot-hub/authenticate-overview",
+      "redirect_url": "/azure/iot-hub/authenticate-authorize-azure-ad",
       "redirect_document_id": false
     },
     {

articles/iot-hub/TOC.yml

@@ -161,17 +161,17 @@
       - name: High availability and disaster recovery
         displayName: HA, DR, availability zone, failover, failback
         href: iot-hub-ha-dr.md
-    - name: Control access to IoT Hub
+    - name: Authentication and authorization
       items:
-        - name: Overview
-          displayName: access control, permissions, Azure Active Directory, Azure AD, identity registry
-          href: iot-hub-devguide-security.md
-        - name: Control access with Azure AD
-          displayName: Active Directory, permissions, security principal, RBAC
-          href: iot-hub-dev-guide-azure-ad-rbac.md
-        - name: Control access with SAS
-          displayName: Shared Access Signatures, permissions, MQTT, AMQP, HTTPS, SASL PLAIN
-          href: iot-hub-dev-guide-sas.md
+      - name: Azure Active Directory
+        displayName: authenticate, authentication, auth, authn, authz
+        href: authenticate-authorize-azure-ad.md
+      - name: Shared access signatures
+        displayName: authenticate, authentication, auth, authn, authz
+        href: authenticate-authorize-sas.md
+      - name: X.509 certificates
+        displayName: authenticate, authentication, auth, authn, authz
+        href: authenticate-authorize-x509.md
     - name: IoT Hub SDKs
       items:
         - name: SDK overview
@@ -191,25 +191,6 @@
           href: ../iot-edge/iot-edge-as-gateway.md
     - name: Security
       items:
-        - name: Authentication
-          items:
-          - name: Azure Active Directory
-            displayName: authenticate, authentication, auth, authn
-            href: authenticate-azure-ad.md
-          - name: Shared access signatures
-            displayName: authenticate, authentication, auth, authn
-            href: authenticate-sas.md
-          - name: X.509 certificates
-            displayName: authenticate, authentication, auth, authn
-            href: authenticate-x509.md
-        - name: Authorization
-          items:
-          - name: Azure Active Directory
-            displayName: authorization, authorize, auth, authz
-            href: authorize-azure-ad.md
-          - name: Shared access signatures
-            displayName: authorization, authorize, auth, authz
-            href: authorize-sas.md
         - name: TLS support
           displayName: security, Transport Layer Security
           href: iot-hub-tls-support.md

articles/iot-hub/authorize-azure-ad.md renamed to articles/iot-hub/authenticate-authorize-azure-ad.md

@@ -1,9 +1,10 @@
 ---
-title: Authorize access with Azure Active Directory
+title: Control access with Azure Active Directory
 titleSuffix: Azure IoT Hub
-description: Understand how Azure IoT Hub uses Azure Active Directory to authorize access to IoT hubs and devices. 
+description: Understand how Azure IoT Hub uses Azure Active Directory to authenticate identities and authorize access to IoT hubs and devices. 
 author: kgremban
 ms.service: iot-hub
+services: iot-hub
 ms.author: kgremban
 ms.topic: conceptual
 ms.date: 09/01/2023
@@ -12,25 +13,17 @@ ms.custom: ['Role: Cloud Development', 'Role: IoT Device', 'Role: System Archite
 
 # Control access to IoT Hub by using Azure Active Directory
 
-
 You can use Azure Active Directory (Azure AD) to authenticate requests to Azure IoT Hub service APIs, like create device identity and invoke direct method. You can also use Azure role-based access control (Azure RBAC) to authorize those same service APIs. By using these technologies together, you can grant permissions to access IoT Hub service APIs to an Azure AD security principal. This security principal could be a user, group, or application service principal.
 
-Authenticating access by using Azure AD and controlling permissions by using Azure RBAC provides improved security and ease of use over [security tokens](iot-hub-dev-guide-sas.md). To minimize potential security issues inherent in security tokens, we recommend that you use Azure AD with your IoT hub whenever possible.
+Authenticating access by using Azure AD and controlling permissions by using Azure RBAC provides improved security and ease of use over [security tokens](iot-hub-dev-guide-sas.md). To minimize potential security issues inherent in security tokens, we recommend that you [use Azure AD with your IoT hub whenever possible](#azure-ad-access-and-shared-access-policies). 
 
 > [!NOTE]
 > Authentication with Azure AD isn't supported for the IoT Hub *device APIs* (like device-to-cloud messages and update reported properties). Use [symmetric keys](iot-hub-dev-guide-sas.md#use-a-symmetric-key-in-the-identity-registry) or [X.509](iot-hub-x509ca-overview.md) to authenticate devices to IoT Hub.
 
-## Authorization in IoT Hub
-
-*Authorization* is the process of confirming permissions for an authenticated user or device on IoT Hub. It specifies what resources and commands you're allowed to access, and what you can do with those resources and commands. Authorization is sometimes shortened to *AuthZ*. Authorization is separate from *authentication*, which is the process of proving that you are who you say you are.
-
-This article describes authorization using **Azure Active Directory (Azure AD) integration** for service APIs. Azure provides identity-based authentication with AAD and fine-grained authorization with Azure role-based access control (Azure RBAC). Azure AD and RBAC integration is supported for IoT hub service APIs only. For other authorization options, see [Authorize access with shared access signatures](authorize-sas.md). 
-
-> [!TIP]
-> You can enable a lock on your IoT resources to prevent them being accidentally or maliciously deleted. To learn more about Azure Resource locks, please visit, [Lock your resources to protect your infrastructure](../azure-resource-manager/management/lock-resources.md?tabs=json)
-
 ## Authentication and authorization
 
+*Authentication* is the process of proving that you are who you say you are. This is achieved by verifying of the identity of a user or device to IoT Hub. It's sometimes shortened to *AuthN*. *Authorization* is the process of confirming permissions for an authenticated user or device on IoT Hub. It specifies what resources and commands you're allowed to access, and what you can do with those resources and commands. Authorization is sometimes shortened to *AuthZ*.
+
 When an Azure AD security principal requests access to an IoT Hub service API, the principal's identity is first *authenticated*. For authentication, the request needs to contain an OAuth 2.0 access token at runtime. The resource name for requesting the token is `https://iothubs.azure.net`. If the application runs in an Azure resource like an Azure VM, Azure Functions app, or Azure App Service app, it can be represented as a [managed identity](../active-directory/managed-identities-azure-resources/how-managed-identities-work-vm.md). 
 
 After the Azure AD principal is authenticated, the next step is *authorization*. In this step, IoT Hub uses the Azure AD role assignment service to determine what permissions the principal has. If the principal's permissions match the requested resource or API, IoT Hub authorizes the request. So this step requires one or more Azure roles to be assigned to the security principal. IoT Hub provides some built-in roles that have common groups of permissions.