Merge pull request #277772 from HeidiSteen/heidst-june7

[azure search] security section cleanup

Author: AnnaMHuff

articles/search/search-howto-managed-identities-cosmos-db.md

@@ -1,83 +1,106 @@
 ---
-title: Set up an indexer connection to Azure Cosmos DB via a managed identity
+title: Set up an indexer connection to Azure Cosmos DB using a managed identity
 titleSuffix: Azure AI Search
-description: Learn how to set up an indexer connection to an Azure Cosmos DB account via a managed identity.
+description: Learn how to set up an indexer connection to an Azure Cosmos DB account using a managed identity.
 author: gmndrg
 ms.author: gimondra
 
 ms.service: cognitive-search
 ms.topic: how-to
-ms.date: 02/22/2024
+ms.date: 06/10/2024
 ms.custom:
   - subject-rbac-steps
   - ignite-2023
 ---
 
-# Set up an indexer connection to Azure Cosmos DB via a managed identity
+# Connect to Azure Cosmos DB using a managed identity (Azure AI Search)
 
 This article explains how to set up an indexer connection to an Azure Cosmos DB database using a managed identity instead of providing credentials in the connection string.'
 
-You can use a system-assigned managed identity or a user-assigned managed identity (preview). Managed identities are Microsoft Entra logins and require Azure role assignments to access data in Azure Cosmos DB. 
+You can use a system-assigned managed identity or a user-assigned managed identity. Managed identities are Microsoft Entra logins and require Azure role assignments to access data in Azure Cosmos DB. 
 
 ## Prerequisites
 
 * [Create a managed identity](search-howto-managed-identities-data-sources.md) for your search service.
 
-* Assign the **Cosmos DB Account Reader** role to the search service managed identity. This role grants the ability to read Azure Cosmos DB account data. For more information about role assignments in Cosmos DB, see [Configure role-based access control to data](search-howto-managed-identities-data-sources.md#assign-a-role).
+* Azure Cosmos DB for NoSQL. You can optionally [enforce role-based access as the only authentication method](../cosmos-db/how-to-setup-rbac.md#disable-local-auth) for data connections by setting `disableLocalAuth` to `true` for your Cosmos DB account.
 
-* Data Plane Role assignment: Follow [Data plane Role assignment](../cosmos-db/how-to-setup-rbac.md) to know more.
+## Limitations
+
+Indexer support for Azure Cosmos DB for Gremlin and MongoDB Collections is currently in preview. At this time, a preview limitation requires Azure AI Search to connect using keys. You can still set up a managed identity and role assignment, but Azure AI Search will only use the role assignment to get keys for the connection. This limitation means that you can't configure a [role-based approach](../cosmos-db/how-to-setup-rbac.md#disable-local-auth) if your indexers are connecting to Gremlin or MongoDB.
+
+## Create a role assignment in Azure Cosmos DB
+
+### [**Azure portal**](#tab/portal)
+
+1. Sign in to Azure portal and find your Cosmos DB for NoSQL account.
+
+1. Select **Access control (IAM)**.
+
+1. Select **Add** and then select **Role assignment**.
+
+1. From the list of job function roles, select **Cosmos DB Account Reader**.
+
+1. Select **Next**.
+
+1. Select **Managed identity** and then select **Members**.
+
+1. Filter by system-assigned managed identities or user-assigned managed identities. You should see the managed identity that you previously created for your search service. If you don't have one, see [Configure search to use a managed identity](search-howto-managed-identities-data-sources.md). If you already set one up but it's not available, give it a few minutes.
+
+1. Select the identity and save the role assignment.
+
+For more information, see [Configure role-based access control with Microsoft Entra ID for your Azure Cosmos DB account](../cosmos-db/how-to-setup-rbac.md).
+
+### [**PowerShell**](#tab/powershell)
+
+Set variables:
 
-* Example for a read-only data plane role assignment:
 ```azurepowershell
 $cosmosdb_acc_name = <cosmos db account name>
 $resource_group = <resource group name>
-$subsciption = <subscription id>
-$system_assigned_principal = <principal id for system assigned identity>
-$readOnlyRoleDefinitionId = "00000000-0000-0000-0000-000000000001"
+$subsciption = <subscription ID>
+$system_assigned_principal = <principal ID for the search service's system assigned identity>
+$readOnlyRoleDefinitionId = "00000000-0000-0000-0000-00000000000"
 $scope=$(az cosmosdb show --name $cosmosdbname --resource-group $resourcegroup --query id --output tsv)
 ```
 
-Role assignment for system-assigned identity:
+Define a role assignment for the system-assigned identity:
 
 ```azurepowershell
 az cosmosdb sql role assignment create --account-name $cosmosdbname --resource-group $resourcegroup --role-definition-id $readOnlyRoleDefinitionId --principal-id $sys_principal --scope $scope
 ```
 
-* For Cosmos DB for NoSQL, you can optionally [enforce role-based access as the only authentication method](../cosmos-db/how-to-setup-rbac.md#disable-local-auth)
-for data connections by setting `disableLocalAuth` to `true` for your Cosmos DB account.
+---
 
-* *For Gremlin and MongoDB Collections*: 
-   Indexer support is currently in preview. At this time, a preview limitation exists that requires Azure AI Search to connect using keys. You can still set up a managed identity and role assignment, but Azure AI Search will only use the role assignment to get keys for the connection. This limitation means that you can't configure a [role-based approach](../cosmos-db/how-to-setup-rbac.md#disable-local-auth) if your indexers are connecting to Gremlin or MongoDB using Search with managed identities to connect to Azure Cosmos DB.
+## Specify a managed identity in a connection string
 
-* You should be familiar with [indexer concepts](search-indexer-overview.md) and [configuration](search-howto-index-cosmosdb.md).
+Once you have a role assignment, you can set up a connection to Azure Cosmos DB for NoSQL that operates under that role.
 
-## Create the data source
+Indexers use a data source object for connections to an external data source. This section explains how to specify a system-assigned managed identity or a user-assigned managed identity on a data source connection string. You can find more [connection string examples](search-howto-managed-identities-data-sources.md#connection-string-examples) in the managed identity article.
 
-Create the data source and provide either a system-assigned managed identity or a user-assigned managed identity (preview) in the connection string. 
+> [!TIP]
+> You can create a data source connection to CosmosDB in the Azure portal, specifying either a system or user-assigned managed identity, and then view the JSON definition to see how the connection string is formulated.
 
 ### System-assigned managed identity
 
 The [REST API](/rest/api/searchservice/create-data-source), Azure portal, and the [.NET SDK](/dotnet/api/azure.search.documents.indexes.models.searchindexerdatasourceconnection) support using a system-assigned managed identity. 
 
-When you're connecting with a system-assigned managed identity, the only change to the data source definition is the format of the "credentials" property. You'll provide the database name and a ResourceId that has no account key or password. The ResourceId must include the subscription ID of Azure Cosmos DB, the resource group, and the Azure Cosmos DB account name.
+When you're connecting with a system-assigned managed identity, the only change to the data source definition is the format of the "credentials" property. Provide a database name and a ResourceId that has no account key or password. The ResourceId must include the subscription ID of Azure Cosmos DB, the resource group, and the Azure Cosmos DB account name.
 
 * For SQL collections, the connection string doesn't require "ApiKind". 
 * For SQL collections, add "IdentityAuthType=AccessToken" if role-based access is enforced as the only authentication method. It isn't applicable for MongoDB and Gremlin collections.
 * For MongoDB collections, add "ApiKind=MongoDb" to the connection string and use a preview REST API.
 * For Gremlin graphs, add "ApiKind=Gremlin" to the connection string and use a preview REST API.
 
-Here's an example of how to create a data source to index data from a storage account using the [Create Data Source](/rest/api/searchservice/create-data-source) REST API and a managed identity connection string. The managed identity connection string format is the same for the REST API, .NET SDK, and the Azure portal.
+Here's an example of how to create a data source to index data from a Cosmos DB account using the [Create Data Source](/rest/api/searchservice/create-data-source) REST API and a managed identity connection string. The managed identity connection string format is the same for the REST API, .NET SDK, and the Azure portal.
 
 ```http
-POST https://[service name].search.windows.net/datasources?api-version=2020-06-30
-Content-Type: application/json
-api-key: [Search service admin key]
-
+POST https://[service name].search.windows.net/datasources?api-version=2023-11-01
 {
-    "name": "[my-cosmosdb-ds]",
+    "name": "my-cosmosdb-ds",
     "type": "cosmosdb",
     "credentials": {
-        "connectionString": "ResourceId=/subscriptions/[subscription-id]/resourceGroups/[rg-name]/providers/Microsoft.DocumentDB/databaseAccounts/[cosmos-account-name];Database=[cosmos-database];ApiKind=[SQL | Gremlin | MongoDB];IdentityAuthType=[AccessToken | AccountKey]"
+        "connectionString": "ResourceId=/subscriptions/[subscription-id]/resourceGroups/[rg-name]/providers/Microsoft.DocumentDB/databaseAccounts/[cosmos-account-name];Database=[cosmos-database];ApiKind=SQL;IdentityAuthType=[AccessToken | AccountKey]"
     },
     "container": { "name": "[my-cosmos-collection]", "query": null },
     "dataChangeDetectionPolicy": null
@@ -86,9 +109,9 @@ api-key: [Search service admin key]
 }
 ```
 
-### User-assigned managed identity (preview)
+### User-assigned managed identity
 
-The 2021-04-30-preview REST API supports connections based on a user-assigned managed identity. When you're connecting with a user-assigned managed identity, there are two changes to the data source definition:
+When you're connecting with a user-assigned managed identity, there are two changes to the data source definition:
 
 * First, the format of the "credentials" property is the database name and a ResourceId that has no account key or password. The ResourceId must include the subscription ID of Azure Cosmos DB, the resource group, and the Azure Cosmos DB account name.
 
@@ -99,19 +122,16 @@ The 2021-04-30-preview REST API supports connections based on a user-assigned ma
 
 * Second, you add an "identity" property that contains the collection of user-assigned managed identities. Only one user-assigned managed identity should be provided when creating the data source. Set it to type "userAssignedIdentities".
 
-Here's an example of how to create an indexer data source object using the [preview Create or Update Data Source](/rest/api/searchservice/preview-api/create-or-update-data-source) REST API:
-
+Here's an example of how to create an indexer data source object using the REST API.
 
 ```http
-POST https://[service name].search.windows.net/datasources?api-version=2021-04-30-preview
-Content-Type: application/json
-api-key: [Search service admin key]
+POST https://[service name].search.windows.net/datasources?api-version=2023-11-01
 
 {
     "name": "[my-cosmosdb-ds]",
     "type": "cosmosdb",
     "credentials": {
-        "connectionString": "ResourceId=/subscriptions/[subscription-id]/resourceGroups/[rg-name]/providers/Microsoft.DocumentDB/databaseAccounts/[cosmos-account-name];Database=[cosmos-database];ApiKind=[SQL | Gremlin | MongoDB];IdentityAuthType=[AccessToken | AccountKey]"
+        "connectionString": "ResourceId=/subscriptions/[subscription-id]/resourceGroups/[rg-name]/providers/Microsoft.DocumentDB/databaseAccounts/[cosmos-account-name];Database=[cosmos-database];ApiKind=SQL;IdentityAuthType=[AccessToken | AccountKey]"
     },
     "container": { 
         "name": "[my-cosmos-collection]", "query": null 
@@ -124,49 +144,13 @@ api-key: [Search service admin key]
 }
 ```
 
-## Create the index
-
-The index specifies the fields in a document, attributes, and other constructs that shape the search experience.
-
-Here's a [Create Index](/rest/api/searchservice/create-index) REST API call with a searchable `booktitle` field:
-
-```http
-POST https://[service name].search.windows.net/indexes?api-version=2020-06-30
-Content-Type: application/json
-api-key: [admin key]
-
-{
-    "name" : "my-target-index",
-    "fields": [
-    { "name": "id", "type": "Edm.String", "key": true, "searchable": false },
-    { "name": "booktitle", "type": "Edm.String", "searchable": true, "filterable": false, "sortable": false, "facetable": false }
-    ]
-}
-```
-
-## Create the indexer
-
-An indexer connects a data source with a target search index and provides a schedule to automate the data refresh. Once the index and data source have been created, you're ready to create and run the indexer. If the indexer is successful, the connection syntax and role assignments are valid.
-
-Here's a [Create Indexer](/rest/api/searchservice/create-indexer) REST API call with an Azure Cosmos DB for NoSQL indexer definition. The indexer runs when you submit the request.
-
-```http
-    POST https://[service name].search.windows.net/indexers?api-version=2020-06-30
-    Content-Type: application/json
-    api-key: [admin key]
-
-    {
-      "name" : "cosmos-db-indexer",
-      "dataSourceName" : "cosmos-db-datasource",
-      "targetIndexName" : "my-target-index"
-    }
-```
+Connection information and permissions on the remote service are validated at run time during indexer execution. If the indexer is successful, the connection syntax and role assignments are valid. For more information, see [Run or reset indexers, skills, or documents](search-howto-run-reset-indexers.md).
 
 ## Troubleshooting
 
-If you recently rotated your Azure Cosmos DB account keys, you need to wait up to 15 minutes for the managed identity connection string to work.
+For Azure Cosmos DB for NoSQL, check whether the account has its access restricted to select networks. You can rule out any firewall issues by trying the connection without restrictions in place.
 
-Check to see if the Azure Cosmos DB account has its access restricted to select networks. You can rule out any firewall issues by trying the connection without restrictions in place.
+For Gremlin or MongoDB, if you recently rotated your Azure Cosmos DB account keys, you need to wait up to 15 minutes for the managed identity connection string to work.
 
 ## See also
 

articles/search/search-howto-managed-identities-data-sources.md

@@ -11,12 +11,14 @@ ms.custom:
   - ignite-2023
   - build-2024
 ms.topic: how-to
-ms.date: 06/03/2024
+ms.date: 06/10/2024
 ---
 
-# Configure a search service to connect using a managed identity
+# Configure a search service to connect using a managed identity in Azure AI Search
 
-You can configure an Azure AI Search service to make outbound connections to other Azure resources using a [system-assigned or user-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) and an Azure role assignment. Managed identities and role assignments eliminate the need for passing secrets and credentials in a connection string or code.
+You can use Microsoft Entra ID and role assignments for outbound connections from Azure AI Search to resources providing data, applied AI, or vectorization during indexing or queries. 
+
+To use roles on an outbound connection, first configure your search service to use either a [system-assigned or user-assigned managed identity](../active-directory/managed-identities-azure-resources/overview.md) as the security principle for your search service in a Microsoft Entra tenant. Once you have a managed identity, you can assign roles for authorized access. Managed identities and role assignments eliminate the need for passing secrets and credentials in a connection string or code.
 
 ## Prerequisites
 

articles/search/search-howto-managed-identities-storage.md

@@ -30,8 +30,11 @@ You can use a system-assigned managed identity or a user-assigned managed identi
 ## Create a role assignment in Azure Storage
 
 1. Sign in to Azure portal and find your storage account.
+
 1. Select **Access control (IAM)**.
+
 1. Select **Add** and then select **Role assignment**.
+
 1. From the list of job function roles, select the roles needed for your search service:
 
    | Task | Role assignment |
@@ -45,8 +48,11 @@ You can use a system-assigned managed identity or a user-assigned managed identi
    | Save debug session state | Add **Storage Blob Data Contributor**  |
 
 1. Select **Next**.
+
 1. Select **Managed identity** and then select **Members**.
-1. Filter by system-assigned managed identities or user-assigned managed identities. If you don't have a managed identity, see [Configure search to use a managed identity](search-howto-managed-identities-data-sources.md). If you already set one up but it's not available, give it a few minutes.
+
+1. Filter by system-assigned managed identities or user-assigned managed identities. You should see the managed identity that you previously created for your search service. If you don't have one, see [Configure search to use a managed identity](search-howto-managed-identities-data-sources.md). If you already set one up but it's not available, give it a few minutes.
+
 1. Select the identity and save the role assignment.
 
 ## Specify a managed identity in a connection string
@@ -85,7 +91,7 @@ POST https://[service name].search.windows.net/datasources?api-version=2023-11-0
 
 You must have a [user-assigned managed identity already configured](search-howto-managed-identities-data-sources.md) and associated with your search service, and the identity must have a role-assignment on Azure Storage. 
 
-Connections made through user-assigned managed identities use the same credentials as a system-assigned managed identity, plus an extra identity property that contains the collection of user-assigned managed identities. Only one user-assigned managed identity should be provided when creating the data source. Set `userAssignedIdentity` to the user-assigned managed identity..
+Connections made through user-assigned managed identities use the same credentials as a system-assigned managed identity, plus an extra identity property that contains the collection of user-assigned managed identities. Only one user-assigned managed identity should be provided when creating the data source. Set `userAssignedIdentity` to the user-assigned managed identity.
 
 Provide a `ResourceId` that has no account key or password. The `ResourceId` must include the subscription ID of the storage account, the resource group of the storage account, and the storage account name.