howto-deploy portal steps

Author: kgremban

articles/iot-operations/deploy-iot-ops/howto-deploy-iot-operations.md

@@ -21,9 +21,9 @@ Learn how to deploy Azure IoT Operations Preview to a Kubernetes cluster and the
   * Arc extensions
   * Custom locations
   * Resource sync rules
-  * Resources that you can configure in your Azure IoT Operations solution, like assets, MQTT broker, and dataflows.
+  * Resources that you can configure in your Azure IoT Operations solution, like assets and asset endpoints.
 
-* An Azure IoT Operations *instance* is one part of a deployment. It's the parent resource that bundles the suite of services that are defined in [What is Azure IoT Operations Preview?](../overview-iot-operations.md), like MQ and OPC UA connector.
+* An Azure IoT Operations *instance* is one part of a deployment. It's the parent resource that bundles the suite of services that are defined in [What is Azure IoT Operations Preview?](../overview-iot-operations.md) like MQTT broker, dataflows, and OPC UA connector.
 
 In this article, when we talk about deploying Azure IoT Operations we mean the full set of components that make up a *deployment*. Once the deployment exists, you can view, manage, and update the *instance*.
 
@@ -33,21 +33,31 @@ Cloud resources:
 
 * An Azure subscription.
 
-* Azure access permissions. At a minimum, have **Contributor** permissions in your Azure subscription. Depending on the deployment feature flag status you select, you might also need **Microsoft/Authorization/roleAssignments/write** permissions for the resource group that contains your Arc-enabled Kubernetes cluster. You can make a custom role in Azure role-based access control or assign a built-in role that grants this permission. For more information, see [Azure built-in roles for General](../../role-based-access-control/built-in-roles/general.md).
+* An Azure key vault. To create a new key vault, use the [az keyvault create](/cli/azure/keyvault#az-keyvault-create) command:
 
-  If you *don't* have role assignment write permissions, you can still deploy Azure IoT Operations by disabling some features. This approach is discussed in more detail in the [Deploy](#deploy) section of this article.
+  ```azurecli
+  az keyvault create --enable-rbac-authorization --name "<KEYVAULT_NAME>" --resource-group "<RESOURCE_GROUP>"
+  ```
 
-  * In the Azure CLI, use the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to give permissions. For example, `az role assignment create --assignee sp_name --role "Role Based Access Control Administrator" --scope subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup`
+* Azure access permissions:
 
-  * In the Azure portal, when you assign privileged admin roles to a user or principal, you can restrict access using conditions. For this scenario, select the **Allow user to assign all roles** condition in the **Add role assignment** page.
+  * At a minimum, have **Contributor** permissions in your Azure subscription.
 
-    :::image type="content" source="./media/howto-deploy-iot-operations/add-role-assignment-conditions.png" alt-text="Screenshot that shows assigning users highly privileged role access in the Azure portal.":::
+  * Creating secrets in Key Vault require s**Key Vault Secrets Officer** permissions.
 
-* An Azure key vault that has the **Permission model** set to **Vault access policy**. You can check this setting in the **Access configuration** section of an existing key vault. To create a new key vault, use the [az keyvault create](/cli/azure/keyvault#az-keyvault-create) command:
+  * The following tasks require **Microsoft/Authorization/roleAssignments/write** permissions. You can make a custom role in Azure role-based access control or assign a [built-in role](../../role-based-access-control/built-in-roles/general.md) that grants this permission.
 
-  ```azurecli
-  az keyvault create --enable-rbac-authorization false --name "<KEYVAULT_NAME>" --resource-group "<RESOURCE_GROUP>"
-  ```
+    * Enabling resource sync rules on the Azure IoT Operations instance. If you don't have role assignment write permissions, you can disable this feature during deployment. This approach is discussed in more detail in the [Deploy](#deploy) section of this article.
+
+    * Creating a schema registry. If you don't have role assignment write permissions, you can request them or ask that someone with the correct permissions create a schema registry that you can refer to.
+
+  > [!TIP]
+  >
+  > * If you use the Azure CLI, use the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to give permissions. For example, `az role assignment create --assignee sp_name --role "Role Based Access Control Administrator" --scope subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup`
+  >
+  > * If you use the Azure portal to assign privileged admin roles to a user or principal, you're prompted to restrict access using conditions. For this scenario, select the **Allow user to assign all roles** condition in the **Add role assignment** page.
+  >
+  >   :::image type="content" source="./media/howto-deploy-iot-operations/add-role-assignment-conditions.png" alt-text="Screenshot that shows assigning users highly privileged role access in the Azure portal.":::
 
 Development resources:
 
@@ -61,7 +71,7 @@ Development resources:
 
 A cluster host:
 
-* An Azure Arc-enabled Kubernetes cluster. If you don't have one, follow the steps in [Prepare your Azure Arc-enabled Kubernetes cluster](./howto-prepare-cluster.md?tabs=wsl-ubuntu).
+* An Azure Arc-enabled Kubernetes cluster with the custom location and workload identity features enabled. If you don't have one, follow the steps in [Prepare your Azure Arc-enabled Kubernetes cluster](./howto-prepare-cluster.md?tabs=wsl-ubuntu).
 
   If you deployed Azure IoT Operations to your cluster previously, uninstall those resources before continuing. For more information, see [Update Azure IoT Operations](#update-azure-iot-operations).
 
@@ -142,33 +152,70 @@ The Azure portal deployment experience is a helper tool that generates a deploym
    | Parameter | Value |
    | --------- | ----- |
    | **Azure IoT Operations name** | *Optional*: Replace the default name for the Azure IoT Operations instance. |
-   | **MQTT broker configuration** | *Optional*: Replace the default settings for the MQTT broker. For more information, see [Configure core MQTT broker settings](../manage-mqtt-broker/howto-configure-availability-scale.md). |
+   | **MQTT broker configuration** | *Optional*: Edit the default settings for the MQTT broker. For more information, see [Configure core MQTT broker settings](../manage-mqtt-broker/howto-configure-availability-scale.md). |
+   | **Dataflow profile configuration** | *Optional*: Edit the default settings for dataflows. For more information, see [Configure dataflow profile](../connect-to-cloud/howto-configure-dataflow-profile.md). |
 
-1. Select **Next: Automation**.
+   :::image type="content" source="./media/howto-deploy-iot-operations/deploy-configuration.png" alt-text="A screenshot that shows the second tab for deploying Azure IoT Operations from the portal.":::
+
+1. Select **Next: Dependency management**.
+
+1. On the **Dependency management** tab, select an existing schema registry or use these steps to create one:
+
+   1. Select **Create new**.
+
+   1. Provide a **Schema registry name** and **Schema registry namespace**.
+
+   1. Select **Select Azure Storage container**.
+
+   1. Schema registry requires an Azure Storage account with hierarchical namespace and public network access enabled. Choose a storage account from the list of hierarchical namespace-enabled accounts, or select **Create** to create one.
+
+   1. Select a container in your storage account or select **Container** to create one.
+
+   1. Select **Apply** to confirm the schema registry configurations.
+
+1. On the **Dependency management** tab, select the **Secure settings** deployment option.
 
-1. On the **Automation** tab, provide the following information:
+   :::image type="content" source="./media/howto-deploy-iot-operations/deploy-dependency-management-1.png" alt-text="A screenshot that shows selecting secure settings on the third tab for deploying Azure IoT Operations from the portal.":::
+
+1. In the **Deployment options** section, provide the following information:
 
    | Parameter | Value |
    | --------- | ----- |
    | **Subscription** | Select the subscription that contains your Azure key vault. |
-   | **Azure Key Vault** | Select your Azure key vault. Or, select **Create new**.<br><br>Ensure that your key vault has **Vault access policy** as its permission model. To check this setting, select **Manage selected vault** > **Settings** > **Access configuration**. |
+   | **Azure Key Vault** | Select an Azure key vault select **Create new**.<br><br>Ensure that your key vault has **Vault access policy** as its permission model. To check this setting, select **Manage selected vault** > **Settings** > **Access configuration**. |
+   | **User assigned managed identity for secrets** | Select an identity or select **Create new**. |
+   | **User assigned managed identity for AIO components** | Select an identity or select **Create new**. Don't use the same managed identity as the one you selected for secrets. |
 
-   :::image type="content" source="./media/howto-deploy-iot-operations/deploy-automation.png" alt-text="A screenshot that shows the third tab for deploying Azure IoT Operations from the portal.":::
+   :::image type="content" source="./media/howto-deploy-iot-operations/deploy-dependency-management-2.png" alt-text="A screenshot that shows configuring secure settings on the third tab for deploying Azure IoT Operations from the portal.":::
 
-1. If you didn't prepare your Azure CLI environment as described in the prerequisites, do so now in a terminal of your choice:
+1. Select **Next: Automation**.
 
-   ```azurecli
-   az upgrade
-   az extension add --upgrade --name azure-iot-ops
-   ```
+1. One at a time, run each Azure CLI command on the **Automation** tab in a terminal:
 
-1. Sign in to Azure CLI interactively with a browser even if you already signed in before. If you don't sign in interactively, you might get an error that says *Your device is required to be managed to access your resource* when you continue to the next step to deploy Azure IoT Operations.
+   1. Sign in to Azure CLI interactively with a browser even if you already signed in before. If you don't sign in interactively, you might get an error that says *Your device is required to be managed to access your resource* when you continue to the next step to deploy Azure IoT Operations.
 
-   ```azurecli
-   az login
-   ```
+      ```azurecli
+      az login
+      ```
+
+   1. If you didn't prepare your Azure CLI environment as described in the prerequisites, do so now in a terminal of your choice:
+
+      ```azurecli
+      az upgrade
+      az extension add --upgrade --name azure-iot-ops
+      ```
+
+   1. Copy and run the `az iot ops schema registry create` command.
+
+   1. Copy and run the `az iot ops init` command.
+
+   1. Copy and run the `az iot ops create` command.
+
+   1. Copy and run the `az iot ops secretsync enable` command.
+
+   1. Copy and run the `az iot ops identity assign` command.
 
-1. Copy the [az iot ops init](/cli/azure/iot/ops#az-iot-ops-init) command from the **Automation** tab in the Azure portal and run it in your terminal.
+1. Once all of the Azure CLI commands have completed successfully, you can close the **Install Azure IoT Operations** wizard.
 
 ---
 

articles/iot-operations/deploy-iot-ops/howto-prepare-cluster.md

@@ -23,13 +23,13 @@ An Azure Arc-enabled Kubernetes cluster is a prerequisite for deploying Azure Io
 
 ## Prerequisites
 
-Azure IoT Operations should work on any Arc-enabled Kubernetes cluster that meets the [Azure Arc-enabled Kubernetes system requirements](/azure/azure-arckubernetes/system-requirements). Currently Azure IoT Operations doesn't support ARM64 architectures.
+Azure IoT Operations should work on any Arc-enabled Kubernetes cluster that meets the [Azure Arc-enabled Kubernetes system requirements](/azure/azure-arc/kubernetes/system-requirements). Currently Azure IoT Operations doesn't support ARM64 architectures.
 
 Microsoft supports AKS Edge Essentials for deployments on Windows and K3s for deployments on Ubuntu. For a list of specific hardware and software combinations that are tested and validated, see [Validated environments](../overview-iot-operations.md#validated-environments).
 
 To prepare your Azure Arc-enabled Kubernetes cluster, you need:
 
-* Hardware that meets the [system requirements](/azure/azure-arckubernetes/system-requirements).
+* Hardware that meets the [system requirements](/azure/azure-arc/kubernetes/system-requirements).
 
 ### [AKS Edge Essentials](#tab/aks-edge-essentials)
 
@@ -254,65 +254,25 @@ To connect your cluster to Azure Arc:
    export CLUSTER_NAME=<NEW_CLUSTER_NAME>
    ```
 
-1. Set the Azure subscription context for all commands:
-
-   ```azurecli
-   az account set -s $SUBSCRIPTION_ID
-   ```
-
-1. Register the required resource providers in your subscription:
-
-   >[!NOTE]
-   >This step only needs to be run once per subscription. To register resource providers, you need permission to do the `/register/action` operation, which is included in subscription Contributor and Owner roles. For more information, see [Azure resource providers and types](../../azure-resource-manager/management/resource-providers-and-types.md).
-
-   ```azurecli
-   az provider register -n "Microsoft.ExtendedLocation"
-   az provider register -n "Microsoft.Kubernetes"
-   az provider register -n "Microsoft.KubernetesConfiguration"
-   az provider register -n "Microsoft.IoTOperationsOrchestrator"
-   az provider register -n "Microsoft.IoTOperations"
-   az provider register -n "Microsoft.DeviceRegistry"
-   ```
-
-1. Download and install a preview version of the `connectedk8s` extension for Azure CLI.
-
-   ```azurecli
-   az storage blob download --auth-mode login --blob-url https://github.com/AzureArcForKubernetes/azure-cli-extensions/blob/connectedk8s/public/cli-extensions/connectedk8s-1.10.0-py2.py3-none-any.whl -f ./connectedk8s-1.10.0-py2.py3-none-any.whl
-   
-   az extension add --upgrade --source ./connectedk8s-1.10.0-py2.py3-none-any.whl
-   ```
-
-1. Use the [az group create](/cli/azure/group#az-group-create) command to create a resource group in your Azure subscription to store all the resources:
-
-   ```azurecli
-   az group create --location $LOCATION --resource-group $RESOURCE_GROUP --subscription $SUBSCRIPTION_ID
-   ```
-
-1. Use the [az connectedk8s connect](/cli/azure/connectedk8s#az-connectedk8s-connect) command to Arc-enable your Kubernetes cluster and manage it as part of your Azure resource group:
-
-   ```azurecli
-   az connectedk8s connect -n $CLUSTER_NAME -l $LOCATION -g $RESOURCE_GROUP --subscription $SUBSCRIPTION_ID --disable-auto-upgrade
-   ```
-
-1. Upgrade the Azure Arc agent to use a preview build that supports the workload identity feature that Azure IoT Operations uses for user-assigned managed identities.
+[!INCLUDE [connect-cluster-k3s](../includes/connect-cluster-k3s.md)]
 
+### [Codespaces](#tab/codespaces)
 
+To connect your cluster to Azure Arc:
 
-1. Get the `objectId` of the Microsoft Entra ID application that the Azure Arc service uses and save it as an environment variable.
+1. In your codespace terminal, sign in to Azure CLI:
 
    ```azurecli
-   export OBJECT_ID=$(az ad sp show --id bc313c14-388c-4e7d-a58e-70017303ee3b --query id -o tsv)
+   az login
    ```
 
-1. Use the [az connectedk8s enable-features](/cli/azure/connectedk8s#az-connectedk8s-enable-features) command to enable custom location support on your cluster. This command uses the `objectId` of the Microsoft Entra ID application that the Azure Arc service uses. Run this command on the machine where you deployed the Kubernetes cluster:
-
-    ```azurecli
-    az connectedk8s enable-features -n $CLUSTER_NAME -g $RESOURCE_GROUP --custom-locations-oid $OBJECT_ID --features cluster-connect custom-locations
-    ```
+   > [!TIP]
+   > If you're using the GitHub codespace environment in a browser rather than VS Code desktop, running `az login` returns a localhost error. To fix the error, either:
+   >
+   > * Open the codespace in VS Code desktop, and then return to the browser terminal and rerun `az login`.
+   > * Or, after you get the localhost error on the browser, copy the URL from the browser and run `curl "<URL>"` in a new terminal tab. You should see a JSON response with the message "You have logged into Microsoft Azure!."
 
-### [Codespaces](#tab/codespaces)
-
-[!INCLUDE [connect-cluster-codespaces](../includes/connect-cluster-codespaces.md)]
+[!INCLUDE [connect-cluster-k3s](../includes/connect-cluster-k3s.md)]
 
 ---
 
@@ -324,7 +284,7 @@ To verify that your cluster is ready for Azure IoT Operations deployment, you ca
 az iot ops verify-host
 ```
 
-To verify that your Kubernetes cluster is now Azure Arc-enabled, run the following command:
+To verify that your Kubernetes cluster is Azure Arc-enabled, run the following command:
 
 ```console
 kubectl get deployments,pods -n azure-arc
@@ -360,10 +320,6 @@ pod/resource-sync-agent-769bb66b79-z9n46          2/2     Running   0
 pod/metrics-agent-6588f97dc-455j8                 2/2     Running   0               10m
 ```
 
-## Create sites
-
-A _site_ is a collection of Azure IoT Operations instances. Sites typically group instances by physical location and make it easier for OT users to locate and manage assets. An IT administrator creates sites and assigns Azure IoT Operations instances to them. To learn more, see [What is Azure Arc site manager (preview)?](/azure/azure-arc/site-manager/overview).
-
 ## Next steps
 
 Now that you have an Azure Arc-enabled Kubernetes cluster, you can [deploy Azure IoT Operations](howto-deploy-iot-operations.md).