
Commit 725dd77

Merge pull request #302153 from DENKEN02MSFT/FreshnessMay2025-sonialopez-Row50
Freshness - May 2025 - Row 50
2 parents 0b08061 + 1ddbb88 commit 725dd77


2 files changed

+27
-26
lines changed


articles/iot-hub/iot-hub-managed-identity.md

Lines changed: 27 additions & 26 deletions
@@ -6,21 +6,21 @@ author: SoniaLopezBravo
66
ms.author: sonialopez
77
ms.service: azure-iot-hub
88
ms.topic: how-to
9-
ms.date: 08/23/2024
9+
ms.date: 07/01/2025
1010
ms.custom: subject-rbac-steps
1111
---
1212

1313
# IoT Hub support for managed identities
1414

15-
Managed identities provide Azure services with an automatically managed identity in Microsoft Entra ID in a secure manner. This eliminates the need for developers having to manage credentials by providing an identity. There are two types of managed identities: system-assigned and user-assigned. IoT Hub supports both.
15+
Managed identities provide Azure services with an automatically managed identity in Microsoft Entra ID in a secure manner. This feature eliminates the need for developers having to manage credentials by providing an identity. There are two types of managed identities: system-assigned and user-assigned. IoT Hub supports both.
1616

1717
In IoT Hub, managed identities can be used to connect IoT Hub to other Azure services for features such as [message routing](iot-hub-devguide-messages-d2c.md), [file upload](iot-hub-devguide-file-upload.md), and [bulk device import/export](iot-hub-bulk-identity-mgmt.md). In this article, you learn how to use system-assigned and user-assigned managed identities in your IoT hub for different functionalities.
1818

1919
## Prerequisites
2020

2121
- Understand the differences between *system-assigned* and *user-assigned* managed identity in [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)
2222

23-
- An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md).
23+
- An IoT hub in your Azure subscription. If you don't have a hub yet, you can follow the steps in [Create an IoT hub](create-hub.md#create-an-iot-hub).
2424

2525
## System-assigned managed identity
2626

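Review bot: Line 15 of the new text still reads "eliminates the need for developers having to manage credentials by providing an identity", which is ungrammatical and circular; the security point is that the hub gets an identity in Microsoft Entra ID whose credentials Azure issues and rotates, so no secret has to be stored in the hub configuration. Suggest: "Managed identities give an IoT hub an automatically managed identity in Microsoft Entra ID, so developers don't have to store or rotate credentials." The phrase "in a secure manner" can then go, since it adds nothing the sentence doesn't already say.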
@@ -42,7 +42,7 @@ You can enable or disable system-assigned managed identity in Azure portal
4242

4343
You can enable system-assigned managed identity at hub creation time using ARM template
4444

45-
To enable the system-assigned managed identity in your IoT hub at resource provisioning time, use the Azure Resource Manager (ARM) template below.
45+
To enable the system-assigned managed identity in your IoT hub at resource provisioning time, use the following Azure Resource Manager (ARM) template.
4646

4747
```json
4848
{
@@ -111,7 +111,7 @@ To enable the system-assigned managed identity in your IoT hub at resource provi
111111
}
112112
```
113113

114-
After substituting the values for your resource `name`, `location`, `SKU.name` and `SKU.tier`, you can use Azure CLI to deploy the resource in an existing resource group using:
114+
After substituting the values for your resource `name`, `location`, `SKU.name`, and `SKU.tier`, you can use Azure CLI to deploy the resource in an existing resource group using:
115115

116116
```azurecli-interactive
117117
az deployment group create --name <deployment-name> --resource-group <resource-group-name> --template-file <template-file.json> --parameters iotHubName=<valid-iothub-name> skuName=<sku-name> skuTier=<sku-tier> location=<any-of-supported-regions>
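Review bot: The sentence at line 114 tells the reader to substitute `name`, `location`, `SKU.name` and `SKU.tier` directly in the template, but the `az deployment group create` command at line 117 then passes the same values as `--parameters iotHubName=... skuName=... skuTier=... location=...`. Pick one: either the template declares parameters and the prose should say "after supplying values for the `iotHubName`, `skuName`, `skuTier` and `location` parameters", or the values are hardcoded in the template and `--parameters` should be dropped. As written, a reader who does both can't tell which set of values takes effect. The Oxford comma fix itself is fine.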
@@ -132,11 +132,12 @@ az resource show --resource-type Microsoft.Devices/IotHubs --name <iot-hub-resou
132132
In this section, you learn how to add and remove a user-assigned managed identity from an IoT hub using Azure portal.
133133

134134
1. First you need to create a user-assigned managed identity as a standalone resource. To do so, you can follow the instructions in [Manage user-assigned managed identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).
135-
2. Go to your IoT hub, navigate to the **Identity** in the IoT Hub portal.
136-
3. Under **User-Assigned** tab, click **Associate a user-assigned managed identity**. Choose the user-assigned managed identity you want to add to your hub and then click **Select**.
137-
4. You can remove a user-assigned identity from an IoT hub. Choose the user-assigned identity you want to remove, and click **Remove** button. Note you are only removing it from IoT hub, and this removal does not delete the user-assigned identity as a resource. To delete the user-assigned identity as a resource, follow the instructions in [Manage user-assigned managed identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).
135+
2. Go to your IoT hub, then select **Identity** under **Security settings** from the service menu in Azure portal.
136+
3. Under the **User-Assigned** tab, select **Associate a user-assigned managed identity**. Choose the user-assigned managed identity you want to add to your hub and then select **Add**.
138137

139-
:::image type="content" source="./media/iot-hub-managed-identity/user-assigned.png" alt-text="Screenshot showing how to add user-assigned managed identity for an IoT hub." lightbox="./media/iot-hub-managed-identity/user-assigned.png":::
138+
:::image type="content" source="./media/iot-hub-managed-identity/user-assigned.png" alt-text="Screenshot showing how to add a user-assigned managed identity for an IoT hub." lightbox="./media/iot-hub-managed-identity/user-assigned.png":::
139+
140+
4. You can remove a user-assigned identity from an IoT hub. Choose the user-assigned identity you want to remove, and select **Remove**. You're removing it only from your IoT hub, and this removal doesn't delete the user-assigned identity as a resource. To delete the user-assigned identity as a resource, follow the instructions in [Manage user-assigned managed identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).
140141

141142
### [Azure Resource Manager](#tab/arm)
142143

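Review bot: Step 4 (line 140) is written as a statement ("You can remove...") inside a numbered how-to list; either make it an imperative step ("To remove...") or move it into its own short paragraph after the list, since it isn't part of the add procedure. One clause is also worth adding to its last sentence: because the identity resource survives removal, so do the role assignments granted to it in the routing, file-upload and import/export sections later in this article, so anyone cleaning up has to revoke those separately. Step 3 now says select **Add** where the old text said **Select**; please confirm against the current portal, since the screenshot at line 138 is the only evidence either way.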
@@ -269,10 +270,10 @@ In this section, we use the [message routing](iot-hub-devguide-messages-d2c.md)
269270

270271
For more information about role assignments, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.yml).
271272

272-
1. If you need to restrict the connectivity to your custom endpoint through a VNet, you need to turn on the trusted Microsoft first party exception, to give your IoT hub access to the specific endpoint. For example, if you're adding an event hub custom endpoint, navigate to the **Firewalls and virtual networks** tab in your event hub and enable **Allow access from selected networks** option. Under the **Exceptions** list, check the box for **Allow trusted Microsoft services to access event hubs**. Click the **Save** button. This also applies to storage account and service bus. Learn more about [IoT Hub support for virtual networks](./virtual-network-support.md).
273+
1. If you need to restrict the connectivity to your custom endpoint through a virtual network, you need to turn on the trusted Microsoft first party exception, to give your IoT hub access to the specific endpoint. For example, if you're adding an event hub custom endpoint, navigate to the **Firewalls and virtual networks** tab in your event hub and enable **Allow access from selected networks** option. Under the **Exceptions** list, check the box for **Allow trusted Microsoft services to access event hubs**, then select **Save**. This requirement also applies to storage account and service bus. Learn more about [IoT Hub support for virtual networks with Azure Private Link](./virtual-network-support.md).
273274

274275
> [!NOTE]
275-
> You need to complete above steps to assign the managed identity the right access before adding the event hub as a custom endpoint in IoT Hub. Please wait a few minutes for the role assignment to propagate.
276+
> You need to complete above steps to assign the managed identity the right access before adding the event hub as a custom endpoint in IoT Hub. Wait a few minutes for the role assignment to propagate.
276277
277278
1. Next, go to your IoT hub. In your hub, navigate to **Message Routing**, then select **Add**.
278279

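Review bot: Line 273 still says the trusted-services exception gives "your IoT hub" access to the endpoint, but the checkbox it names, **Allow trusted Microsoft services to access event hubs**, isn't scoped to one hub: it opens the network rule for the whole class of trusted Microsoft services, and what actually limits access to this hub is the role assignment from the preceding step. Suggest saying that explicitly so readers don't treat the exception as a per-hub allow rule. Smaller fixes in the same hunk: "first party" should be hyphenated ("first-party"), "enable **Allow access from selected networks** option" needs "the", and the note at line 276 still reads "complete above steps" (should be "complete the preceding steps"); removing "Please" fixed only half of that sentence.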
@@ -322,23 +323,23 @@ IoT Hub's [file upload](iot-hub-devguide-file-upload.md) feature allows devices
322323

323324
For more information about role assignments, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.yml).
324325

325-
If you need to restrict the connectivity to your storage account through a VNet, you need to turn on the trusted Microsoft first party exception, to give your IoT hub access to the storage account. On your storage account resource page, navigate to the **Firewalls and virtual networks** tab and enable **Allow access from selected networks** option. Under the **Exceptions** list, check the box for **Allow trusted Microsoft services to access this storage account**. Click the **Save** button. Learn more about [IoT Hub support for virtual networks](./virtual-network-support.md).
326+
If you need to restrict the connectivity to your storage account through a virtual network, you need to turn on the trusted Microsoft first party exception, to give your IoT hub access to the storage account. On your storage account resource page, navigate to the **Firewalls and virtual networks** tab and enable **Allow access from selected networks** option. Under the **Exceptions** list, check the box for **Allow trusted Microsoft services to access this storage account**, and then select **Save**. Learn more about [IoT Hub support for virtual networks with Azure Private Link](./virtual-network-support.md).
326327

327328
> [!NOTE]
328-
> You need to complete above steps to assign the managed identity the right access before saving the storage account in IoT Hub for file upload using the managed identity. Please wait a few minutes for the role assignment to propagate.
329+
> You need to complete above steps to assign the managed identity the right access before saving the storage account in IoT Hub for file upload using the managed identity. Wait a few minutes for the role assignment to propagate.
329330
330331
1. On your IoT hub's resource page, navigate to **File upload** tab.
331332

332-
1. On the page that shows up, select the container that you intend to use in your blob storage, configure the **File notification settings, SAS TTL, Default TTL, and Maximum delivery count** as desired. Choose the preferred authentication type, and click **Save**. If you get an error at this step, temporarily set your storage account to allow access from **All networks**, then try again. You can configure firewall on the storage account once the File upload configuration is complete.
333+
1. On the page that shows up, select the container that you intend to use in your blob storage, configure the **File notification settings, SAS TTL, Default TTL, and Maximum delivery count** as desired. Choose the preferred authentication type, and select **Save**. If you get an error at this step, temporarily set your storage account to allow access from **All networks**, then try again. You can configure firewall on the storage account once the File upload configuration is complete.
333334

334335
:::image type="content" source="./media/iot-hub-managed-identity/file-upload.png" alt-text="Screen shot that shows file upload with msi.":::
335336

336337
> [!NOTE]
337-
> In the file upload scenario, both hub and your device need to connect with your storage account. The steps above are for connecting your IoT hub to your storage account with desired authentication type. You still need to connect your device to storage using the SAS URI. Today the SAS URI is generated using connection string. We'll add support to generate SAS URI with managed identity soon. Please follow the steps in [file upload](iot-hub-devguide-file-upload.md).
338+
> In the file upload scenario, both hub and your device need to connect with your storage account. The previous steps are for connecting your IoT hub to your storage account with desired authentication type. You must connect your device to storage using the SAS URI. Currently, the SAS URI is generated using the connection string. Follow the steps in [Upload files with IoT Hub](iot-hub-devguide-file-upload.md).
338339
339340
## Configure bulk device import/export with managed identities
340341

341-
IoT Hub supports the functionality to [import/export device information in bulk](iot-hub-bulk-identity-mgmt.md) from or to a customer-provided storage blob. This functionality requires connectivity from IoT Hub to the storage account.
342+
IoT Hub supports the functionality to [import and export device information in bulk](iot-hub-bulk-identity-mgmt.md) from or to a customer-provided storage blob. This functionality requires connectivity from IoT Hub to the storage account.
342343

343344
1. In the Azure portal, navigate to your storage account.
344345

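Review bot: Line 333 tells the reader to set the storage account to **All networks** if the save fails, and the follow-up "You can configure firewall on the storage account once the File upload configuration is complete" leaves re-enabling the firewall as optional; make it an explicit step ("then restore **Selected networks** and the trusted-services exception") so the workaround doesn't become the permanent state. On the note at line 338, dropping the roadmap sentence is right, but "the SAS URI is generated using the connection string" should say whose connection string (the storage account's, as I read it): selecting identity-based auth here removes the key from the hub-to-storage path only, not from SAS generation for the device, and the **SAS TTL** setting in line 333 is the control that bounds that device-side credential. Also "complete above steps" at line 329 has the same grammar problem as the routing section, and the alt text at line 334 ("file upload with msi") should spell out "managed identity".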
@@ -362,7 +363,7 @@ IoT Hub supports the functionality to [import/export device information in bulk]
362363

363364
### Using REST API or SDK for import and export jobs
364365

365-
You can now use the Azure IoT REST APIs for creating import and export jobs. You will need to provide the following properties in the request body:
366+
You can now use the Azure IoT REST APIs for creating import and export jobs. You need to provide the following properties in the request body:
366367

367368
- **storageAuthenticationType**: Set the value to **identityBased**.
368369
- **inputBlobContainerUri**: Set this property only in the import job.
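Review bot: "You can now use the Azure IoT REST APIs" (line 366) dates the page; drop "now", since the capability isn't new relative to anything else on the page. Otherwise the contraction fix is fine.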
@@ -430,11 +431,11 @@ result = iothub_job_manager.create_import_export_job(JobProperties(
430431

431432
> [!NOTE]
432433
>
433-
> - If **storageAuthenticationType** is set to **identityBased** and **userAssignedIdentity** property is not **null**, the jobs will use the specified user-assigned managed identity.
434-
> - If the IoT hub is not configured with the user-assigned managed identity specified in **userAssignedIdentity**, the job will fail.
435-
> - If **storageAuthenticationType** is set to **identityBased** the **userAssignedIdentity** property is null, the jobs will use system-assigned identity.
436-
> - If the IoT hub is not configured with the user-assigned managed identity, the job will fail.
437-
> - If **storageAuthenticationType** is set to **identityBased** and neither **user-assigned** nor **system-assigned** managed identities are configured on the hub, the job will fail.
434+
> - If **storageAuthenticationType** is set to **identityBased** and **userAssignedIdentity** property isn't **null**, the jobs use the specified user-assigned managed identity.
435+
> - If the IoT hub isn't configured with the user-assigned managed identity specified in **userAssignedIdentity**, the job fails.
436+
> - If **storageAuthenticationType** is set to **identityBased** the **userAssignedIdentity** property is null, the jobs use system-assigned identity.
437+
> - If the IoT hub isn't configured with the user-assigned managed identity, the job fails.
438+
> - If **storageAuthenticationType** is set to **identityBased** and **user-assigned** or **system-assigned** managed identities aren't configured on the hub, the job fails.
438439
439440
## SDK samples
440441

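Review bot: The last bullet (line 438) changed meaning: the old "neither user-assigned nor system-assigned managed identities are configured" described the case where the hub has no identity at all, but the new "user-assigned or system-assigned managed identities aren't configured" reads as failing when either one is missing, which contradicts bullet 436 (system-assigned alone is enough when `userAssignedIdentity` is null). Suggest "and no managed identity, user-assigned or system-assigned, is configured on the hub". Two pre-existing defects in the same list that this freshness pass should fix while it's here: line 436 is missing "and" ("is set to **identityBased** and the **userAssignedIdentity** property is null"), and line 437 repeats line 435 almost verbatim where it should cover the system-assigned case ("If the IoT hub isn't configured with a system-assigned managed identity, the job fails").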
@@ -444,8 +445,8 @@ result = iothub_job_manager.create_import_export_job(JobProperties(
444445

445446
## Next steps
446447

447-
Use the links below to learn more about IoT Hub features:
448+
Use the following links to learn more about IoT Hub features:
448449

449-
- [Message routing](./iot-hub-devguide-messages-d2c.md)
450-
- [File upload](./iot-hub-devguide-file-upload.md)
451-
- [Bulk device import/export](./iot-hub-bulk-identity-mgmt.md)
450+
- [Use IoT Hub message routing to send device-to-cloud messages to Azure services](./iot-hub-devguide-messages-d2c.md)
451+
- [Upload files with IoT Hub](./iot-hub-devguide-file-upload.md)
452+
- [Import and export IoT Hub device identities in bulk](./iot-hub-bulk-identity-mgmt.md)