Merge pull request #286166 from mehasharma/faq

added exclude credential

Author: JamesJBarnett

articles/trusted-signing/faq.yml

@@ -146,7 +146,7 @@ sections:
         answer: |
           | Error       | Details     |
           | :------------------- | :------------------- |
-          | 400          | An Azure authentication error. This error is due to caching of certificates. Add `"ExcludeCredentials": ["SharedTokenCacheCredential"]` to your JSON file. For more information, see [DefaultAzureCredential Class (Azure.Identity)](/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet). |
+          | 400          | An Azure authentication error. This error is due to caching of certificates. Add `"ExcludeCredentials": ["<include list of credentials to be excluded>"]` to your JSON file. For more information, see [DefaultAzureCredential Class (Azure.Identity)](/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet). |
           | 401          |  You aren't authenticated. Sign out and sign back in. |
           | 404          |  Ensure that no changes were made to your configuration or firewalls rules. |
           | "MsalUiRequiredException"           |  Typically occurs due to the local cache. The error resolves after the cache is refreshed from Azure. |

articles/trusted-signing/how-to-device-guard-signing-service-migration.md

@@ -1,7 +1,7 @@
 ---
 title: Device Guard Signing Service migration to Trusted Signing
 description: Learn how to migrate from Device Guard Signing Service (DGSSv2) to Trusted Signing for code integrity policy 
-author: mehasharma 
+author: meha 
 ms.author: mesharm 
 ms.service: trusted-signing
 ms.topic: how-to 

articles/trusted-signing/how-to-signing-integrations.md

@@ -41,7 +41,7 @@ To complete the steps in this article, you need:
 1. [Download and install the .NET 8 Runtime](#download-and-install-net-80-runtime).
 1. [Download and install the Trusted Signing dlib package](#download-and-install-the-trusted-signing-dlib-package).
 1. [Create a JSON file to provide your Trusted Signing account and a certificate profile](#create-a-json-file).
-1. [Invoke SignTool to sign a file](#use-signtool-to-sign-a-file).
+1. [To Sign a file, Invoke SignTool](#use-signtool-to-sign-a-file).
 
 ### Download and install SignTool
 
@@ -51,7 +51,7 @@ To download and install SignTool:
 
 1. Download the latest version of SignTool and Windows Build Tools NuGet at [Microsoft.Windows.SDK.BuildTools](https://www.nuget.org/packages/Microsoft.Windows.SDK.BuildTools/).
 
-1. Install SignTool from the Windows SDK (minimum version: 10.0.2261.755, 20348 Windows SDK version is not supported with our dlib).
+1. Install SignTool from the Windows SDK (minimum version: 10.0.2261.755, 20348 Windows SDK version isn't supported with our dlib).
 
 Another option is to use the latest *nuget.exe* file to download and extract the latest Windows SDK Build Tools NuGet package by using PowerShell:
 
@@ -82,7 +82,7 @@ To download and install the Trusted Signing dlib package (a .zip file):
 
 1. Download the [Trusted Signing dlib package](https://www.nuget.org/packages/Microsoft.Trusted.Signing.Client).
 
-1. Extract the Trusted Signing dlib zipped content and install it on your signing node in your choice of directory. The node must be the node where you'll use SignTool to sign files.
+1. Extract the Trusted Signing dlib zipped content and install it on your signing node in your choice of directory. The node must be the node where you use SignTool to sign files.
 
 Another option is to download the [Trusted Signing dlib package](https://www.nuget.org/packages/Microsoft.Trusted.Signing.Client) via NuGet similar like the Windows SDK Build Tools NuGet package:
 
@@ -119,6 +119,26 @@ To sign by using Trusted Signing, you need to provide the details of your Truste
 
    <sup>1</sup> The optional `"CorrelationId"` field is an opaque string value that you can provide to correlate sign requests with your own workflows, such as build identifiers or machine names.
 
+### Authentication
+
+This Task performs authentication using [DefaultAzureCredential](https://learn.microsoft.com/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet), which attempts a series of authentication methods in order. If one method fails, it attempts the next one until authentication is successful.
+
+Each authentication method can be disabled individually to avoid unnecessary attempts.
+
+For example, when authenticating with [EnvironmentCredential](https://learn.microsoft.com/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet) specifically, disable the other credentials with the following inputs:
+
+ExcludeEnvironmentCredential: false
+ExcludeManagedIdentityCredential: true
+ExcludeSharedTokenCacheCredential: true
+ExcludeVisualStudioCredential: true
+ExcludeVisualStudioCodeCredential: true
+ExcludeAzureCliCredential: true
+ExcludeAzurePowershellCredential: true
+ExcludeInteractiveBrowserCredential: true
+
+Similarly, if using for example an [AzureCliCredential](https://learn.microsoft.com/dotnet/api/azure.identity.azureclicredential?view=azure-dotnet) , then we want to skip over attempting to authenticate with the several methods that come before it in order.
+
+
 ### Use SignTool to sign a file
 
 To invoke SignTool to sign a file: