
Commit a9113ba

Merge pull request #273740 from HeidiSteen/heidist-bug
[azure search] RBAC doc updates
2 parents 586fae8 + 97a28bf commit a9113ba

File tree

2 files changed

+20
-32
lines changed


articles/search/search-security-rbac.md

Lines changed: 16 additions & 20 deletions
@@ -8,25 +8,25 @@ author: HeidiSteen
88
ms.author: heidist
99
ms.service: cognitive-search
1010
ms.topic: how-to
11-
ms.date: 01/05/2024
11+
ms.date: 04/29/2024
1212
ms.custom:
1313
- subject-rbac-steps
1414
- references_regions
1515
- ignite-2023
1616
---
1717

18-
# Connect to Azure AI Search using Azure role-based access control (Azure RBAC)
18+
# Connect to Azure AI Search using Azure role-based access control
1919

2020
Azure provides a global [role-based access control authorization system](../role-based-access-control/role-assignments-portal.yml) for all services running on the platform. In Azure AI Search, you can use Azure roles for:
2121

2222
+ Control plane operations (service administration tasks through Azure Resource Manager).
2323

2424
+ Data plane operations, such as creating, loading, and querying indexes.
2525

26-
Per-user access over search results (sometimes referred to as row-level security or document-level security) isn't supported. As a workaround, [create security filters](search-security-trimming-for-azure-search.md) that trim results by user identity, removing documents for which the requestor shouldn't have access.
26+
Per-user access over search results (sometimes referred to as *row-level security* or *document-level security*) isn't supported. As a workaround, [create security filters](search-security-trimming-for-azure-search.md) that trim results by user identity, removing documents for which the requestor shouldn't have access.
2727

2828
> [!NOTE]
29-
> In Azure AI Search, "control plane" refers to operations supported in the [Management REST API](/rest/api/searchmanagement/) or equivalent client libraries. The "data plane" refers to operations against the search service endpoint, such as indexing or queries, or any other operation specified in the [Search REST API](/rest/api/searchservice/) or equivalent client libraries.
29+
> A quick note about terminology. *Control plane* refers to operations supported in the [Management REST API](/rest/api/searchmanagement/) or equivalent client libraries. *Data plane* refers to operations against the search service endpoint, such as indexing or queries, or any other operation specified in the [Search REST API](/rest/api/searchservice/) or equivalent client libraries.
3030
3131
## Built-in roles used in Search
3232

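Review bot: the rewritten NOTE callout opens with the fragment "A quick note about terminology." Fold it into the first sentence ("In this article, *control plane* refers to operations supported in the Management REST API ...") so the callout reads as one statement; the date bump and the heading change in the rest of the hunk are fine.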
@@ -37,12 +37,12 @@ The following roles are built in. If these roles are insufficient, [create a cus
3737
| [Owner](../role-based-access-control/built-in-roles.md#owner) | Control & Data | Full access to the control plane of the search resource, including the ability to assign Azure roles. Only the Owner role can enable or disable authentication options or manage roles for other users. Subscription administrators are members by default. </br></br>On the data plane, this role has the same access as the Search Service Contributor role. It includes access to all data plane actions except the ability to query or index documents.|
3838
| [Contributor](../role-based-access-control/built-in-roles.md#contributor) | Control & Data | Same level of control plane access as Owner, minus the ability to assign roles or change authentication options. </br></br>On the data plane, this role has the same access as the Search Service Contributor role. It includes access to all data plane actions except the ability to query or index documents.|
3939
| [Reader](../role-based-access-control/built-in-roles.md#reader) | Control & Data | Read access across the entire service, including search metrics, content metrics (storage consumed, number of objects), and the object definitions of data plane resources (indexes, indexers, and so on). However, it can't read API keys or read content within indexes. |
40-
| [Search Service Contributor](../role-based-access-control/built-in-roles.md#search-service-contributor) | Control & Data | Read-write access to object definitions (indexes, synonym maps, indexers, data sources, and skillsets). See [`Microsoft.Search/searchServices/*`](../role-based-access-control/resource-provider-operations.md#microsoftsearch) for the permissions list. This role can't access content in an index, so no querying or indexing, but it can create, delete, and list indexes, return index definitions and statistics, and test analyzers. This role is for search service administrators who need to manage the search service and its objects, but without content access. |
41-
| [Search Index Data Contributor](../role-based-access-control/built-in-roles.md#search-index-data-contributor) | Data | Read-write access to content in all indexes on the search service. This role is for developers or index owners who need to import, refresh, or query the documents collection of an index. |
42-
| [Search Index Data Reader](../role-based-access-control/built-in-roles.md#search-index-data-reader) | Data | Read-only access to all search indexes on the search service. This role is for apps and users who run queries. |
40+
| [Search Service Contributor](../role-based-access-control/built-in-roles.md#search-service-contributor) | Control & Data | Read-write access to object definitions (indexes, aliases, synonym maps, indexers, data sources, and skillsets). This role is for developers who create objects, and for administrators who manage a search service and its objects, but without access to index content. Use this role to create, delete, and list indexes, get index definitions, get service information (statistics and quotas), test analyzers, create and manage synonym maps, indexers, data sources, and skillsets. See [`Microsoft.Search/searchServices/*`](../role-based-access-control/resource-provider-operations.md#microsoftsearch) for the permissions list. |
41+
| [Search Index Data Contributor](../role-based-access-control/built-in-roles.md#search-index-data-contributor) | Data | Read-write access to content in indexes. This role is for developers or index owners who need to import, refresh, or query the documents collection of an index. This role doesn't support index creation or management. By default, this role is for all indexes on a search service. See [Grant access to a single index](#grant-access-to-a-single-index) to narrow the scope. |
42+
| [Search Index Data Reader](../role-based-access-control/built-in-roles.md#search-index-data-reader) | Data | Read-only access for querying search indexes. This role is for apps and users who run queries. This role doesn't support read access to object definitions. For example, you can't read a search index definition or get search service statistics. By default, this role is for all indexes on a search service. See [Grant access to a single index](#grant-access-to-a-single-index) to narrow the scope. |
4343

4444
> [!NOTE]
45-
> If you disable Azure role-based access, built-in roles for the control plane (Owner, Contributor, Reader) continue to be available. Disabling Azure RBAC removes just the data-related permissions associated with those roles. In a disabled-RBAC scenario, Search Service Contributor is equivalent to control-plane Contributor.
45+
> If you disable Azure role-based access, built-in roles for the control plane (Owner, Contributor, Reader) continue to be available. Disabling role-based access removes just the data-related permissions associated with those roles. If data plane roles are disabled, Search Service Contributor is equivalent to control-plane Contributor.
4646
4747
## Limitations
4848

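Review bot: in the Search Index Data Contributor and Search Index Data Reader rows, "By default, this role is for all indexes on a search service" leaves unclear what "by default" refers to. The reach of the role is decided by the scope it is assigned at, so say that directly: "When assigned at the search service scope, this role applies to all indexes on the service; to limit it to one index, see [Grant access to a single index](#grant-access-to-a-single-index)." That keeps the least-privilege option visible without implying the role itself carries a default.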
@@ -193,11 +193,11 @@ Make sure that you [register your client application with Microsoft Entra ID](se
193193

194194
1. On the Overview page, select the **Indexes** tab:
195195

196-
+ Contributors can view and create any object, but can't query an index using Search Explorer.
196+
+ Search Service Contributors can view and create any object, but can't load documents or query an index. To verify permissions, [create a search index](search-how-to-create-search-index.md#create-an-index).
197197

198-
+ Search Index Data Readers can use Search Explorer to query the index. You can use any API version to check for access. You should be able to send queries and view results, but you shouldn't be able to view the index definition.
198+
+ Search Index Data Contributors can load and query documents. To verify permissions, use [Search explorer](search-explorer.md) to query documents. There's no load documents option in the portal outside of Import data wizard. Because the wizard also creates objects, you would need Search Service Contributor, plus Search Index Data Contributor.
199199

200-
+ Search Service Contributors can select **New Index** to create a new index. Saving a new index verifies write access on the service.
200+
+ Search Index Data Readers can query the index. To verify permissions, use [Search explorer](search-explorer.md). You should be able to send queries and view results, but you shouldn't be able to view the index definition.
201201

202202
### [**REST API**](#tab/test-rest)
203203

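Review bot: the Search Index Data Contributors bullet verifies only the read half of the role. A query in Search explorer also succeeds for a Search Index Data Reader, so it does not prove write access, and the bullet then notes that the portal has no standalone document-load path. Say explicitly that the portal test confirms query access only, and point readers to the REST API tab that follows for a document upload that verifies write access. Also, "outside of Import data wizard" should read "outside of the Import data wizard".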
@@ -253,10 +253,6 @@ For more information on how to acquire a token for a specific environment, see [
253253

254254
1. Use [Azure.Identity for .NET](/dotnet/api/overview/azure/identity-readme) for token authentication. Microsoft recommends [`DefaultAzureCredential()`](/dotnet/api/azure.identity.defaultazurecredential) for most scenarios.
255255

256-
+ When obtaining the OAuth token, the scope is "https://search.azure.com/.default". The SDK requires the audience to be "https://search.azure.com". The ".default" is a Microsoft Entra convention.
257-
258-
+ The SDK validates that the user has the "user_impersonation" scope, which must be granted by your app, but the SDK itself just asks for "https://search.azure.com/.default".
259-
260256
1. Here's an example of a client connection using `DefaultAzureCredential()`.
261257

262258
```csharp
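Review bot: the two deleted bullets were this section's only statement of the token scope ("https://search.azure.com/.default") and audience ("https://search.azure.com"). `DefaultAzureCredential()` supplies that for the SDK path, but the surrounding context ("how to acquire a token for a specific environment") covers readers who request tokens themselves, and they still need the scope value. Keep the scope in the token-acquisition step, or confirm it already appears there, rather than dropping it without a replacement.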
@@ -362,7 +358,7 @@ The portal doesn't currently support role assignments at this level of granulari
362358

363359
In PowerShell, use [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment), providing the Azure user or group name, and the scope of the assignment.
364360

365-
1. Load the Azure and AzureAD modules and connect to your Azure account:
361+
1. Load the `Azure` and `AzureAD` modules and connect to your Azure account:
366362

367363
```powershell
368364
Import-Module -Name Az
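Review bot: the module names in the rewritten step do not match the code that follows. The text says `Azure` and `AzureAD`, but the snippet runs `Import-Module -Name Az`, and `New-AzRoleAssignment` (linked just above) is an Az cmdlet from Az.Resources. Change the text to `Az` so the backticked name is the one readers actually import, and drop `AzureAD` unless a later line of this step uses it.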
@@ -419,7 +415,7 @@ These steps create a custom role that augments search query rights to include li
419415
"roleName": "search index data explorer",
420416
"description": "",
421417
"assignableScopes": [
422-
"/subscriptions/a5b1ca8b-bab3-4c26-aebe-4cf7ec4791a0/resourceGroups/heidist-free-search-svc/providers/Microsoft.Search/searchServices/demo-search-svc"
418+
"/subscriptions/0000000000000000000000000000000/resourceGroups/free-search-svc/providers/Microsoft.Search/searchServices/demo-search-svc"
423419
],
424420
"permissions": [
425421
{
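Review bot: scrubbing the real subscription ID and resource group from `assignableScopes` is the right call, but the replacement is a bare run of zeros rather than a GUID. Use the GUID shape "00000000-0000-0000-0000-000000000000" (or a labelled placeholder such as <your-subscription-id>) so the scope string has the form readers must supply, since this custom-role JSON is meant to be copied and edited.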
@@ -548,17 +544,17 @@ To re-enable key authentication, rerun the last request, setting "disableLocalAu
548544

549545
## Conditional Access
550546

551-
[Conditional Access](../active-directory/conditional-access/overview.md) is a tool in Microsoft Entra ID used to enforce organizational policies. By using Conditional Access policies, you can apply the right access controls when needed to keep your organization secure. When accessing an Azure AI Search service using role-based access control, Conditional Access can enforce organizational policies.
547+
We recommend [Microsoft Entra Conditional Access](/entra/identity/conditional-access/overview) if you need to enforce organizational policies, such as multifactor authentication.
552548

553-
To enable a Conditional Access policy for Azure AI Search, follow the below steps:
549+
To enable a Conditional Access policy for Azure AI Search, follow these steps:
554550

555551
1. [Sign in](https://portal.azure.com) to the Azure portal.
556552
557553
1. Search for **Microsoft Entra Conditional Access**.
558554

559555
1. Select **Policies**.
560556

561-
1. Select **+ New policy**.
557+
1. Select **New policy**.
562558

563559
1. In the **Cloud apps or actions** section of the policy, add **Azure AI Search** as a cloud app depending on how you want to set up your policy.
564560

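Review bot: the rewrite drops the sentence that tied Conditional Access to role-based access, and that is the security-relevant caveat: a Conditional Access policy is evaluated only for Microsoft Entra sign-ins, so a request authenticated with an API key is not subject to it. Add one sentence to the new paragraph stating that the policy covers identity-based connections only, and that key authentication must be disabled (the "disableLocalAuth" setting referenced in this hunk's header) for the policy to govern all access to the service.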
articles/search/search-what-is-azure-search.md

Lines changed: 4 additions & 12 deletions
@@ -55,7 +55,7 @@ Azure AI Search is well suited for the following application scenarios:
5555

5656
+ Use it for traditional full text search and next-generation vector similarity search. Back your generative AI apps with information retrieval that leverages the strength of keyword and similarity search. Use both modalities to retrieve the most relevant results.
5757

58-
+ Consolidate heterogeneous content into a user-defined and populated search index composed of vectors and text. You own and control what's searchable.
58+
+ Consolidate heterogeneous content into a user-defined and populated search index composed of vectors and text. You maintain ownership and control over what's searchable.
5959

6060
+ [Integrate data chunking and vectorization](vector-search-integrated-vectorization.md) for generative AI and RAG apps.
6161

@@ -109,18 +109,10 @@ Customers often ask how Azure AI Search compares with other search-related solut
109109

110110
Key strengths include:
111111

112-
+ Store, index, and search vector embeddings for sentences, images, graphs, and more.
113-
+ Find information that’s semantically similar to search queries, even if the search terms aren’t exact matches.
114-
+ Use hybrid search for the best of keyword and vector search.
115-
+ Relevance tuning through semantic ranking and scoring profiles.
116-
+ Data integration (crawlers) at the indexing layer.
112+
+ Support for vector and nonvector (text) indexing and queries. With vector similarity search, you can find information that’s semantically similar to search queries, even if the search terms aren’t exact matches. Use hybrid search for the best of keyword and vector search.
113+
+ Ranking and relevance tuning through semantic ranking and scoring profiles. Query syntax supports term boosting and field prioritization.
114+
+ Azure data integration (crawlers) at the indexing layer.
117115
+ Azure AI integration for transformations that make content text and vector searchable.
118116
+ Microsoft Entra security for trusted connections, and Azure Private Link for private connections in no-internet scenarios.
119117
+ [Full search experience](search-features-list.md): Linguistic and custom text analysis in 56 languages. Faceting, autocomplete queries and suggested results, and synonyms.
120118
+ Azure scale, reliability, and global reach.
121-
122-
<!-- ## Watch this video
123-
124-
In this 15-minute video, review the main capabilities of Azure AI Search.
125-
126-
>[!VIDEO https://www.youtube.com/embed/kOJU0YZodVk?version=3] -->
