Merge pull request #277857 from duongau/managedafd

Azure Front Door and CDN - Managed identity when configuring HTTPS for custom domain.

Author: prmerger-automator[bot]

articles/cdn/cdn-custom-ssl.md

@@ -110,70 +110,9 @@ You can use your own certificate to enable the HTTPS feature. This process is do
 > - Azure Content Delivery Network only supports PFX certificates.
 > - The certificate must have a complete certificate chain with leaf and intermediate certificates, and root CA must be part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT).
 
-### Register Azure CDN
+### Set up managed identity for Azure CDN
 
-Register Azure CDN as an app in your Microsoft Entra ID.
-
-> [!NOTE]
-> - `205478c0-bd83-4e1b-a9d6-db63a3e1e1c8` is the service principal for `Microsoft.AzureFrontDoor-Cdn`.
-> - You need to have the **Global Administrator** role to run this command.
-> - The service principal name was changed from `Microsoft.Azure.Cdn` to `Microsoft.AzureFrontDoor-Cdn`.
-
-#### Azure PowerShell
-
-1. If needed, install [Azure PowerShell](/powershell/azure/install-azure-powershell) on your local machine.
-
-2. In PowerShell, run the following command:
-
-     `New-AzADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"`
-
-    ```
-    New-AzADServicePrincipal -ApplicationId "205478c0-bd83-4e1b-a9d6-db63a3e1e1c8"
-
-    Secret                :
-    ServicePrincipalNames : {205478c0-bd83-4e1b-a9d6-db63a3e1e1c8,
-				https://microsoft.onmicrosoft.com/033ce1c9-f832-4658-b024-ef1cbea108b8}
-    ApplicationId         : 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8
-    ObjectType            : ServicePrincipal DisplayName           : Microsoft.AzureFrontDoor-Cdn Id                    : abcdef12-3456-7890-abcd-ef1234567890
-    Type                  :
-    ```
-
-<a name='azure-cli'></a>
-
-#### The Azure CLI
-
-1. If needed, install the [Azure CLI](/cli/azure/install-azure-cli) on your local machine.
-
-1. Use the Azure CLI to run the following command:
-
-     ```azurecli-interactive
-     az ad sp create --id 205478c0-bd83-4e1b-a9d6-db63a3e1e1c8
-     ```
-
-### Grant Azure CDN access to your key vault
-
-Grant Azure CDN permission to access the certificates (secrets) in your Azure Key Vault account.
-
-1. In your key vault in the **Settings** section, select **Access policies**. In the right pane, select **+ Add Access Policy**:
-
-    :::image type="content" source="./media/cdn-custom-ssl/cdn-new-access-policy.png" alt-text="Screenshot of create a Key Vault access policy for Azure Content Delivery Network." border="true":::
-
-2. In the **Add access policy** page, select **None selected** next to **Select principal**. In the **Principal** page, enter **205478c0-bd83-4e1b-a9d6-db63a3e1e1c8**. Select **Microsoft.AzureFrontdoor-Cdn**. Choose **Select**:
-
-3. In **Select principal**, search for **205478c0-bd83-4e1b-a9d6-db63a3e1e1c8**, choose **Microsoft.AzureFrontDoor-Cdn**. Choose **Select**.
-
-    :::image type="content" source="./media/cdn-custom-ssl/cdn-access-policy-settings.png" alt-text="Select service principal of Azure CDN" border="true":::
-
-4. Select **Certificate permissions**. Select the checkbox for **Get** to allow CDN permissions to get the certificates.
-
-5. Select **Secret permissions**. Select the checkbox for **Get** to allow CDN permissions to get the secrets:
-
-    :::image type="content" source="./media/cdn-custom-ssl/cdn-vault-permissions.png" alt-text="Screenshot of select permissions for Azure Content Delivery Network to Key Vault." border="true":::
-
-6. Select **Add**.
-
-> [!NOTE]
-> Azure CDN can now access this key vault and the certificates (secrets) that are stored in this key vault. Any CDN instance created in this subscription will have access to the certificates in this key vault.
+Follow the steps in [Configure managed identity for Azure CDN](managed-identity.md) to allow Azure CDN to access your Azure Key Vault account.
 
 ### Select the certificate for Azure CDN to deploy
 

articles/frontdoor/standard-premium/how-to-configure-https-custom-domain.md

@@ -77,13 +77,14 @@ You can also choose to use your own TLS certificate. Your TLS certificate must m
 
 Create a separate Azure Key Vault instance in which you store your Azure Front Door TLS certificates. For more information, see [Create a Key Vault instance](../../key-vault/general/quick-create-portal.md). If you already have a certificate, you can upload it to your new Key Vault instance. Otherwise, you can create a new certificate through Key Vault from one of the certificate authority (CA) partners.
 
-> [!WARNING]
-> Azure Front Door currently only supports Key Vault in the same subscription. Selecting Key Vault under a different subscription results in a failure.
+There are currently two ways to authenticate Azure Front Door to access your Key Vault:
 
-Other points to note about certificates:
+- **Managed identity**: Azure Front Door uses a managed identity to authenticate to your Key Vault. This method is recommended because it's more secure and doesn't require you to manage credentials. For more information, see [Use managed identities in Azure Front Door](../managed-identity.md). Skip to [Select the certificate for Azure Front Door to deploy](#select-the-certificate-for-azure-front-door-to-deploy) if you're using this method.
+- **App registration**: Azure Front Door uses an app registration to authenticate to your Key Vault. This method is being deprecated and will be retired in the future. For more information, see [Use app registration in Azure Front Door](#register-azure-front-door).
 
-* Azure Front Door doesn't support certificates with elliptic curve cryptography algorithms. Also, your certificate must have a complete certificate chain with leaf and intermediate certificates. The root CA also must be part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT).
-* We recommend that you use [managed identity](../managed-identity.md) to allow access to your Key Vault certificates because app registration will be retired in the future.
+> [!WARNING]
+> *Azure Front Door currently only supports Key Vault in the same subscription. Selecting Key Vault under a different subscription results in a failure.
+> * Azure Front Door doesn't support certificates with elliptic curve cryptography algorithms. Also, your certificate must have a complete certificate chain with leaf and intermediate certificates. The root CA also must be part of the [Microsoft Trusted CA List](https://ccadb-public.secure.force.com/microsoft/IncludedCACertificateReportForMSFT).
 
 #### Register Azure Front Door
 

articles/key-vault/general/overview-vnet-service-endpoints.md

@@ -53,7 +53,7 @@ Here's a list of trusted services that are allowed to access a key vault if the
 | Azure Backup|Allow backup and restore of relevant keys and secrets during Azure Virtual Machines backup, by using [Azure Backup](../../backup/backup-overview.md).|
 | Azure Batch | [Configure customer-managed keys for Batch accounts](../../batch/batch-customer-managed-key.md) and [Key Vault for User Subscription Batch accounts](../../batch/batch-account-create-portal.md) |
 | Azure Bot Service | [Azure AI Bot Service encryption for data at rest](/azure/bot-service/bot-service-encryption#grant-azure-bot-service-access-to-a-key-vault) |
-| Azure CDN | [Configure HTTPS on an Azure CDN custom domain: Grant Azure CDN access to your key vault](../../cdn/cdn-custom-ssl.md?tabs=option-2-enable-https-with-your-own-certificate#grant-azure-cdn-access-to-your-key-vault)|
+| Azure CDN | [Configure HTTPS on an Azure CDN custom domain: Grant Azure CDN access to your key vault](../../cdn/cdn-custom-ssl.md?tabs=option-2-enable-https-with-your-own-certificate#set-up-managed-identity-for-azure-cdn)|
 | Azure Container Registry|[Registry encryption using customer-managed keys](../../container-registry/tutorial-enable-customer-managed-keys.md)
 | Azure Data Factory|[Fetch data store credentials in Key Vault from Data Factory](https://go.microsoft.com/fwlink/?linkid=2109491)|
 | Azure Data Lake Store|[Encryption of data in Azure Data Lake Store](../../data-lake-store/data-lake-store-encryption.md) with a customer-managed key.|