add section for uami

Signed-off-by: Troy Connor <[email protected]>

Author: troy0820

articles/operator-nexus/howto-configure-cluster.md

@@ -118,6 +118,7 @@ Managed Identity can be assigned to the Cluster during creation or update operat
 - **--mi-system-assigned** - Enable System-assigned managed identity. Once added, the Identity can only be removed via the API call at this time.
 - **--mi-user-assigned** - Space-separated resource IDs of the User-assigned managed identities to be added. Once added, the Identity can only be removed via the API call at this time.
 
+[Create cluster with User assigned Managed Identity](./howto-create-cluster-with-user-assigned-managed-identity.md)
 ### Create the Cluster using Azure Resource Manager template editor
 
 An alternate way to create a Cluster is with the ARM template editor.

articles/operator-nexus/howto-create-cluster-with-user-assigned-managed-identity.md

@@ -10,3 +10,75 @@ ms.custom: template-how-to
 ---
 
 
+# Create a Cluster Resource with a User Assigned Managed Identity
+
+To create a cluster without a service principal user name and password, you can now create a cluster with a user-assigned managed identity that has permissions over the Log Analytics Workspace.  This will be used when installing the extensions that utilize the Log Analytics Workspace.
+
+## Prerequisites
+
+1. Install the latest version of the
+   [appropriate CLI extensions](./howto-install-cli-extensions.md)
+1. A Log Analytics Workspace 
+1. A user-assigned managed identity resource with permissions over the log analytics workspace of [Log Analytics Contributor](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/analytics#log-analytics-contributor).
+
+> [!NOTE]
+> This functionality exists with the latest GA API offered by Azure Operator Nexus 
+
+
+### Create and configure Log Analytics Workspace and User Assigned Managed Identity
+
+1. Create a Log Analytics Workspace [Create a Log Analytics Workspace](/azure/azure-monitor/logs/quick-create-workspace).
+1. Assign the "Log Analytics Contributor" role to users and managed identities which need access to the Log Analytics Workspace.
+   1. See [Assign an Azure role for access to the analytics Workspace](azure/azure-monitor/logs/manage-access?tabs=portal#azure-rbac). The role must also be assigned to either a user-assigned managed identity or the cluster's own system-assigned managed identity.
+   1. For more information on managed identities, see [Managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview).
+   1. If using the Cluster's system assigned identity, the system assigned identity needs to be added to the cluster before it can be granted access.
+   1. When assigning a role to the cluster's system-assigned identity, make sure you select the resource with the type "Cluster (Operator Nexus)."
+
+### Configure the cluster to use a user-assigned managed identity for Log Analytics Workspace access
+
+```azurecli-interactive
+az networkcloud cluster create --name "<cluster-name>" \
+  --resource-group "<cluster-resource-group>" \
+  --mi-user-assigned "<user-assigned-identity-resource-id>" \
+  --analytics-output-settings identity-type="UserAssignedIdentity" \
+  identity-resource-id="<user-assigned-identity-resource-id>" \
+  --subscription "<subscription>"
+```
+
+### View the principal ID for the managed identity
+
+The identity resource ID can be found by selecting "JSON view" on the identity resource; the ID is at the top of the panel that appears. The container URL can be found on the Settings -> Properties tab of the container resource.
+
+The CLI can also be used to view the identity and the associated principal ID data within the cluster.
+
+Example:
+
+```console
+az networkcloud cluster show --ids /subscriptions/<Subscription ID>/resourceGroups/<Cluster Resource Group Name>/providers/Microsoft.NetworkCloud/clusters/<Cluster Name>
+```
+
+System-assigned identity example:
+
+```
+    "identity": {
+        "principalId": "aaaaaaaa-bbbb-cccc-1111-222222222222",
+        "tenantId": "aaaabbbb-0000-cccc-1111-dddd2222eeee",
+        "type": "SystemAssigned"
+    },
+```
+
+User-assigned identity example:
+
+```
+    "identity": {
+        "type": "UserAssigned",
+        "userAssignedIdentities": {
+            "/subscriptions/<subscriptionID>/resourcegroups/<resourceGroupName>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<userAssignedIdentityName>": {
+                "clientId": "00001111-aaaa-2222-bbbb-3333cccc4444",
+                "principalId": "bbbbbbbb-cccc-dddd-2222-333333333333"
+            }
+        }
+    },
+```
+
+