Merge pull request #290913 from gsteve88/add-entra-howto-device-twins

Updated how-to device twins to include Microsoft Entra auth option

Author: Jill Grant

articles/iot-hub/how-to-device-twins.md

@@ -42,26 +42,6 @@ This article shows you how to develop two types of applications:
 
 * **A registered device**. Some SDK calls require the device primary connection string, so make a note of the connection string.
 
-* **IoT Hub service connection string**
-
-  In this article, you create a back-end service that adds desired properties to a device twin and then queries the identity registry to find all devices with reported properties that have been updated accordingly. Your service needs the **service connect** permission to modify desired properties of a device twin, and it needs the **registry read** permission to query the identity registry. There is no default shared access policy that contains only these two permissions, so you need to create one.
-
-  To create a shared access policy that grants **service connect** and **registry read** permissions and get a connection string for this policy, follow these steps:
-
-  1. In the Azure portal, select **Resource groups**. Select the resource group where your hub is located, and then select your hub from the list of resources.
-
-  1. On the left-side pane of your hub, select **Shared access policies**.
-
-  1. From the top menu above the list of policies, select **Add shared policy access policy**.
-
-  1. In the **Add shared access policy** pane on the right, enter a descriptive name for your policy, such as "serviceAndRegistryRead". Under **Permissions**, select **Registry Read** and **Service Connect**, and then select **Add**.
-
-  1. Select your new policy from the list of policies.
-
-  1. Select the copy icon for the **Primary connection string** and save the value.
-
-  For more information about IoT Hub shared access policies and permissions, see [Control access to IoT Hub with shared access signatures](/azure/iot-hub/authenticate-authorize-sas).
-
 * If your application uses the MQTT protocol, make sure that **port 8883** is open in your firewall. The MQTT protocol communicates over port 8883. This port may be blocked in some corporate and educational network environments. For more information and ways to work around this issue, see [Connecting to IoT Hub (MQTT)](../iot/iot-mqtt-connect-to-iot-hub.md#connecting-to-iot-hub).
 
 * Language SDK requirements:

includes/iot-hub-howto-connect-service-iothub-entra-dotnet.md

@@ -0,0 +1,82 @@
+---
+title: How to connect a service to IoT Hub using Microsoft Entra (.NET)
+titleSuffix: Azure IoT Hub
+description: Learn how to connect a service to IoT Hub using Microsoft Entra and the Azure IoT Hub SDK for .NET.
+author: kgremban
+ms.author: kgremban
+ms.service: iot-hub
+ms.devlang: csharp
+ms.topic: include
+ms.manager: lizross
+ms.date: 11/19/2024
+ms.custom: mqtt, devx-track-csharp, devx-track-dotnet
+---
+
+A backend app that uses Microsoft Entra must successfully authenticate and obtain a security token credential before connecting to IoT Hub. This token is passed to a IoT Hub connection method. For general information about setting up and using Microsoft Entra for IoT Hub, see [Control access to IoT Hub by using Microsoft Entra ID](/azure/iot-hub/authenticate-authorize-azure-ad).
+
+##### Configure Microsoft Entra app
+
+You must set up a Microsoft Entra app that is configured for your preferred authentication credential. The app contains parameters such as client secret that are used by the backend application to authenticate. The available app authentication configurations are:
+
+* Client secret
+* Certificate
+* Federated identity credential
+
+Microsoft Entra apps may require specific role permissions depending on operations being performed. For example, [IoT Hub Twin Contributor](/azure/role-based-access-control/built-in-roles/internet-of-things#iot-hub-twin-contributor) is required to enable read and write access to a IoT Hub device and module twins. For more information, see [Manage access to IoT Hub by using Azure RBAC role assignment](/azure/iot-hub/authenticate-authorize-azure-ad?branch=main#manage-access-to-iot-hub-by-using-azure-rbac-role-assignment).
+
+For more information about setting up a Microsoft Entra app, see [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app).
+
+##### Authenticate using DefaultAzureCredential
+
+The easiest way to use Microsoft Entra to authenticate a backend application is to use [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential), but it's recommended to use a different method in a production environment including a specific `TokenCredential` or pared-down `ChainedTokenCredential`. For simplicity, this section describes authentication using `DefaultAzureCredential` and Client secret. For more information about the pros and cons of using `DefaultAzureCredential`, see [Usage guidance for DefaultAzureCredential](/dotnet/azure/sdk/authentication/credential-chains?tabs=dac#usage-guidance-for-defaultazurecredential).
+
+`DefaultAzureCredential` supports different authentication mechanisms and determines the appropriate credential type based on the environment it's executing in. It attempts to use multiple credential types in an order until it finds a working credential.
+
+Microsoft Entra requires these NuGet packages and corresponding `using` statements:
+
+* Azure.Core
+* Azure.Identity
+
+```csharp
+using Azure.Core;
+using Azure.Identity;
+```
+
+In this example, Microsoft Entra app registration client secret, client ID, and tenant ID are added to environment variables. These environment variables are used by `DefaultAzureCredential` to authenticate the application. The result of a successful Microsoft Entra authentication is a security token credential that is passed to an IoT Hub connection method.
+
+```csharp
+string clientSecretValue = "xxxxxxxxxxxxxxx";
+string clientID = "xxxxxxxxxxxxxx";
+string tenantID = "xxxxxxxxxxxxx";
+
+Environment.SetEnvironmentVariable("AZURE_CLIENT_SECRET", clientSecretValue);
+Environment.SetEnvironmentVariable("AZURE_CLIENT_ID", clientID);
+Environment.SetEnvironmentVariable("AZURE_TENANT_ID", tenantID);
+
+TokenCredential tokenCredential = new DefaultAzureCredential();
+```
+
+The resulting [TokenCredential](/dotnet/api/azure.core.tokencredential) can then be passed to a connect to IoT Hub method for any SDK client that accepts Microsoft Entra credentials:
+
+* [JobClient](/dotnet/api/microsoft.azure.devices.jobclient.create?#microsoft-azure-devices-jobclient-create(system-string-azure-core-tokencredential-microsoft-azure-devices-httptransportsettings))
+* [RegistryManager](/dotnet/api/microsoft.azure.devices.registrymanager.create?#microsoft-azure-devices-registrymanager-create(system-string-azure-core-tokencredential-microsoft-azure-devices-httptransportsettings))
+* [DigitalTwinClient](/dotnet/api/microsoft.azure.devices.digitaltwinclient)
+* [ServiceClient](/dotnet/api/microsoft.azure.devices.serviceclient.create?#microsoft-azure-devices-serviceclient-create(system-string-azure-core-tokencredential-microsoft-azure-devices-transporttype-microsoft-azure-devices-serviceclienttransportsettings-microsoft-azure-devices-serviceclientoptions))
+
+In this example, the `TokenCredential` is passed to `ServiceClient.Create` to create a [ServiceClient](/dotnet/api/microsoft.azure.devices.serviceclient) connection object.
+
+```csharp
+string hostname = "xxxxxxxxxx.azure-devices.net";
+using var serviceClient = ServiceClient.Create(hostname, tokenCredential, TransportType.Amqp);
+```
+
+In this example, the `TokenCredential` is passed to `RegistryManager.Create` to create a [RegistryManager](/dotnet/api/microsoft.azure.devices.registrymanager) object.
+
+```csharp
+string hostname = "xxxxxxxxxx.azure-devices.net";
+registryManager = RegistryManager.Create(hostname, tokenCredential);
+```
+
+##### Code sample
+
+For a working sample of Microsoft Entra service authentication, see [Role based authentication sample](https://github.com/Azure/azure-iot-sdk-csharp/tree/main/iothub/service/samples/how%20to%20guides/RoleBasedAuthenticationSample).

includes/iot-hub-howto-connect-service-iothub-entra-java.md

@@ -0,0 +1,86 @@
+---
+title: How to connect a service to IoT Hub using Microsoft Entra (Java)
+titleSuffix: Azure IoT Hub
+description: Learn how to connect a service to IoT Hub using Microsoft Entra and the Azure IoT Hub SDK for Java.
+author: kgremban
+ms.author: kgremban
+ms.service: iot-hub
+ms.devlang: java
+ms.topic: include
+ms.manager: lizross
+ms.date: 11/19/2024
+---
+
+A backend app that uses Microsoft Entra must successfully authenticate and obtain a security token credential before connecting to IoT Hub. This token is passed to a IoT Hub connection method. For general information about setting up and using Microsoft Entra for IoT Hub, see [Control access to IoT Hub by using Microsoft Entra ID](/azure/iot-hub/authenticate-authorize-azure-ad).
+
+For an overview of Java SDK authentication, see [Azure authentication with Java and Azure Identity](/azure/developer/java/sdk/authentication/overview).
+
+For simplicity, this section focuses on describing authentication using client secret.
+
+##### Configure Microsoft Entra app
+
+You must set up a Microsoft Entra app that is configured for your preferred authentication credential. The app contains parameters such as client secret that are used by the backend application to authenticate. The available app authentication configurations are:
+
+* Client secret
+* Certificate
+* Federated identity credential
+
+Microsoft Entra apps may require specific role permissions depending on operations being performed. For example, [IoT Hub Twin Contributor](/azure/role-based-access-control/built-in-roles/internet-of-things#iot-hub-twin-contributor) is required to enable read and write access to a IoT Hub device and module twins. For more information, see [Manage access to IoT Hub by using Azure RBAC role assignment](/azure/iot-hub/authenticate-authorize-azure-ad?#manage-access-to-iot-hub-by-using-azure-rbac-role-assignment).
+
+For more information about setting up a Microsoft Entra app, see [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app).
+
+##### Authenticate using DefaultAzureCredential
+
+The easiest way to use Microsoft Entra to authenticate a backend application is to use [DefaultAzureCredential](/azure/developer/java/sdk/authentication/credential-chains#defaultazurecredential-overview), but it's recommended to use a different method in a production environment including a specific `TokenCredential` or pared-down `ChainedTokenCredential`.
+For more information about the pros and cons of using `DefaultAzureCredential`, see
+[Credential chains in the Azure Identity client library for Java](/azure/developer/java/sdk/authentication/credential-chains).
+
+[DefaultAzureCredential](/java/api/com.azure.identity.defaultazurecredential) supports different authentication mechanisms and determines the appropriate credential type based on the environment it's executing in. It attempts to use multiple credential types in an order until it finds a working credential.
+
+You can authenticate Microsoft Entra app credentials using [DefaultAzureCredentialBuilder](/java/api/com.azure.identity.defaultazurecredentialbuilder). Save connection parameters such as client secret tenantID, clientID, and client secret values as environmental variables. Once the `TokenCredential` is created, pass it to [ServiceClient](/java/api/com.azure.core.annotation.serviceclient) or other builder as the 'credential' parameter.
+
+In this example, `DefaultAzureCredentialBuilder` attempts to authenticate a connection from the list described in [DefaultAzureCredential](/java/api/com.azure.identity.defaultazurecredential). The result of a successful Microsoft Entra authentication is a security token credential that is passed to a constructor such as [ServiceClient](/java/api/com.azure.core.annotation.serviceclient).
+
+```java
+TokenCredential defaultAzureCredential = new DefaultAzureCredentialBuilder().build();
+```
+
+##### Authenticate using ClientSecretCredentialBuilder
+
+You can use [ClientSecretCredentialBuilder](/java/api/com.azure.identity.clientsecretcredentialbuilder) to create a credential using client secret information. If successful, this method returns a [TokenCredential](/java/api/com.azure.core.credential.tokencredential) that can be passed to [ServiceClient](/java/api/com.azure.core.annotation.serviceclient) or other builder as the 'credential' parameter.
+
+In this example, Microsoft Entra app registration client secret, client ID, and tenant ID values have been added to environment variables. These environment variables are used by `ClientSecretCredentialBuilder` to build the credential.
+
+```java
+string clientSecretValue = System.getenv("AZURE_CLIENT_SECRET");
+string clientID = System.getenv("AZURE_CLIENT_ID");
+string tenantID = System.getenv("AZURE_TENANT_ID");
+
+TokenCredential credential =
+     new ClientSecretCredentialBuilder()
+          .tenantId(tenantID)
+          .clientId(clientID)
+          .clientSecret(clientSecretValue)
+          .build();
+```
+
+##### Other authentication classes
+
+The Java SDK also includes these classes that authenticate a backend app with Microsoft Entra:
+
+* [AuthorizationCodeCredential](/java/api/com.azure.identity.authorizationcodecredential)
+* [AzureCliCredential](/java/api/com.azure.identity.azureclicredential)
+* [AzureDeveloperCliCredential](/java/api/com.azure.identity.azuredeveloperclicredential)
+* [AzurePipelinesCredential](/java/api/com.azure.identity.azurepipelinescredential)
+* [ChainedTokenCredential](/java/api/com.azure.identity.chainedtokencredential)
+* [ClientAssertionCredential](/java/api/com.azure.identity.clientassertioncredential)
+* [ClientCertificateCredential](/java/api/com.azure.identity.clientcertificatecredential)
+* [DeviceCodeCredential](/java/api/com.azure.identity.devicecodecredential)
+* [EnvironmentCredential](/java/api/com.azure.identity.environmentcredential)
+* [InteractiveBrowserCredential](/java/api/com.azure.identity.interactivebrowsercredential)
+* [ManagedIdentityCredential](/java/api/com.azure.identity.managedidentitycredential)
+* [OnBehalfOfCredential](/java/api/com.azure.identity.onbehalfofcredential)
+
+##### Code samples
+
+For working samples of Microsoft Entra service authentication, see [Role based authentication sample](https://github.com/Azure/azure-iot-service-sdk-java/tree/main/service/iot-service-samples/role-based-authorization-sample).

includes/iot-hub-howto-connect-service-iothub-entra-node.md

@@ -0,0 +1,94 @@
+---
+title: How to connect a service to IoT Hub using Microsoft Entra (Node.js)
+titleSuffix: Azure IoT Hub
+description: Learn how to connect a service to IoT Hub using Microsoft Entra and the Azure IoT Hub SDK for Node.js.
+author: kgremban
+ms.author: kgremban
+ms.service: iot-hub
+ms.devlang: javascript
+ms.topic: include
+ms.manager: lizross
+ms.date: 11/19/2024
+---
+
+A backend app that uses Microsoft Entra must successfully authenticate and obtain a security token credential before connecting to IoT Hub. This token is passed to a IoT Hub connection method. For general information about setting up and using Microsoft Entra for IoT Hub, see [Control access to IoT Hub by using Microsoft Entra ID](/azure/iot-hub/authenticate-authorize-azure-ad).
+
+For an overview of Node.js SDK authentication, see:
+
+* [Getting started with user authentication on Azure](/azure/developer/javascript/how-to/with-authentication/getting-started)
+* [Azure Identity client library for JavaScript](/javascript/api/overview/azure/identity-readme)
+
+##### Configure Microsoft Entra app
+
+You must set up a Microsoft Entra app that is configured for your preferred authentication credential. The app contains parameters such as client secret that are used by the backend application to authenticate. The available app authentication configurations are:
+
+* Client secret
+* Certificate
+* Federated identity credential
+
+Microsoft Entra apps may require specific role permissions depending on operations being performed. For example, [IoT Hub Twin Contributor](/azure/role-based-access-control/built-in-roles/internet-of-things#iot-hub-twin-contributor) is required to enable read and write access to a IoT Hub device and module twins. For more information, see [Manage access to IoT Hub by using Azure RBAC role assignment](/azure/iot-hub/authenticate-authorize-azure-ad?#manage-access-to-iot-hub-by-using-azure-rbac-role-assignment).
+
+For more information about setting up a Microsoft Entra app, see [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app).
+
+##### Authenticate using DefaultAzureCredential
+
+The easiest way to use Microsoft Entra to authenticate a backend application is to use [DefaultAzureCredential](/javascript/api/@azure/identity/defaultazurecredential), but it's recommended to use a different method in a production environment including a specific `TokenCredential` or pared-down `ChainedTokenCredential`. For simplicity, this section describes authentication using `DefaultAzureCredential` and Client secret.
+For more information about the pros and cons of using `DefaultAzureCredential`, see
+[Credential chains in the Azure Identity client library for JavaScript](/azure/developer/javascript/sdk/credential-chains#use-defaultazurecredential-for-flexibility)
+
+[DefaultAzureCredential](/javascript/api/@azure/identity/defaultazurecredential) supports different authentication mechanisms and determines the appropriate credential type based on the environment it's executing in. It attempts to use multiple credential types in an order until it finds a working credential.
+
+Microsoft Entra requires this package:
+
+```shell
+npm install --save @azure/identity
+```
+
+In this example, Microsoft Entra app registration client secret, client ID, and tenant ID have been added to environment variables. These environment variables are used by `DefaultAzureCredential` to authenticate the application. The result of a successful Microsoft Entra authentication is a security token credential that is passed to an IoT Hub connection method.
+
+```javascript
+import { DefaultAzureCredential } from "@azure/identity";
+
+// Azure SDK clients accept the credential as a parameter
+const credential = new DefaultAzureCredential();
+```
+
+The resulting credential token can then be passed to [fromTokenCredential](/javascript/api/azure-iothub/registry?#azure-iothub-registry-fromtokencredential) to connect to IoT Hub for any SDK client that accepts Microsoft Entra credentials:
+
+* [Registry](/javascript/api/azure-iothub/registry?#azure-iothub-registry-fromtokencredential)
+* [Client](/javascript/api/azure-iothub/client?#azure-iothub-client-fromtokencredential)
+* [JobClient](/javascript/api/azure-iothub/jobclient?#azure-iothub-jobclient-fromtokencredential)
+
+`fromTokenCredential` requires two parameters:
+
+* The Azure service URL - The Azure service URL should be in the format `{Your Entra domain URL}.azure-devices.net` without a `https://` prefix. For example, `MyAzureDomain.azure-devices.net`.
+* The Azure credential token
+
+In this example, the Azure credential is obtained using `DefaultAzureCredential`. The Azure domain URL and credential are then supplied to `Registry.fromTokenCredential` to create the connection to IoT Hub.
+
+```javascript
+const { DefaultAzureCredential } = require("@azure/identity");
+
+let Registry = require('azure-iothub').Registry;
+
+// Define the client secret values
+clientSecretValue = 'xxxxxxxxxxxxxxx'
+clientID = 'xxxxxxxxxxxxxx'
+tenantID = 'xxxxxxxxxxxxx'
+
+// Set environment variables
+process.env['AZURE_CLIENT_SECRET'] = clientSecretValue;
+process.env['AZURE_CLIENT_ID'] = clientID;
+process.env['AZURE_TENANT_ID'] = tenantID;
+
+// Acquire a credential object
+const credential = new DefaultAzureCredential()
+
+// Create an instance of the IoTHub registry
+hostName = 'MyAzureDomain.azure-devices.net';
+let registry = Registry.fromTokenCredential(hostName,credential);
+```
+
+##### Code samples
+
+For working samples of Microsoft Entra service authentication, see [Azure identity examples](https://github.com/Azure/azure-sdk-for-js/blob/@azure/identity_4.5.0/sdk/identity/identity/samples/AzureIdentityExamples.md).