Update quickstart to use Microsoft Entra ID

Author: zhenlan

articles/azure-app-configuration/TOC.yml

@@ -204,19 +204,21 @@
       href: concept-disaster-recovery.md
   - name: Security
     items:
-    - name: Encrypt using customer-managed keys
-      href: concept-customer-managed-keys.md
-    - name: Secure your config store using Private Endpoints
-      href: concept-private-endpoint.md
-    - name: Enable access using Microsoft Entra ID
+    - name: Authenticate using Microsoft Entra ID
       href: concept-enable-rbac.md
-    - name: Assign an Azure Managed Identity
-      href: overview-managed-identity.md
-    - name: Manage access key authentication
+    - name: Authenticate using access keys
       href: howto-disable-access-key-authentication.md
-    - name: Security controls by Azure Policy
+    - name: Secure your store using Private Endpoints
+      href: concept-private-endpoint.md
+    - name: Disable public network access
+      href: howto-disable-public-access.md
+    - name: Encrypt your data using customer-managed keys
+      href: concept-customer-managed-keys.md
+    - name: Add a Managed Identity to your store
+      href: overview-managed-identity.md
+    - name: Enforce security controls using Azure Policies
       href: ./security-controls-policy.md
-    - name: Security baseline
+    - name: Understand the security baselines
       href: /security/benchmark/azure/baselines/azure-app-configuration-security-baseline?toc=/azure/azure-app-configuration/TOC.json
 - name: How-to guides
   items:
@@ -240,8 +242,6 @@
     href: howto-recover-deleted-stores-in-azure-app-configuration.md
   - name: Enable geo-replication
     href: howto-geo-replication.md
-  - name: Disable public access
-    href: howto-disable-public-access.md
   - name: Set up private access
     href: howto-set-up-private-access.md
 - name: Reference

articles/azure-app-configuration/concept-enable-rbac.md

@@ -1,40 +1,62 @@
 ---
-title: Authorize access to Azure App Configuration using Microsoft Entra ID
+title: Access Azure App Configuration using Microsoft Entra ID
 description: Enable Azure RBAC to authorize access to your Azure App Configuration instance.
-author: maud-lv
-ms.author: malev
-ms.date: 04/05/2024
+author: zhenlan
+ms.author: zhenlwa
+ms.date: 10/05/2024
 ms.topic: conceptual
 ms.service: azure-app-configuration
 
 ---
-# Authorize access to Azure App Configuration using Microsoft Entra ID
-Besides using Hash-based Message Authentication Code (HMAC), Azure App Configuration supports using Microsoft Entra ID to authorize requests to App Configuration instances. Microsoft Entra ID allows you to use Azure role-based access control (Azure RBAC) to grant permissions to a security principal. A security principal may be a user, a [managed identity](../active-directory/managed-identities-azure-resources/overview.md), or an [application service principal](../active-directory/develop/app-objects-and-service-principals.md). To learn more about roles and role assignments, see [Understanding different roles](../role-based-access-control/overview.md).
+# Access Azure App Configuration using Microsoft Entra ID
+Azure App Configuration supports authorization of requests to App Configuration stores using Microsoft Entra ID. With Microsoft Entra ID, you can leverage Azure role-based access control ([Azure RBAC](../role-based-access-control/overview.md)) to grant permissions to security principals, which can be user principals, [managed identities](../active-directory/managed-identities-azure-resources/overview.md), or [service principals](../active-directory/develop/app-objects-and-service-principals.md).
 
 ## Overview
-Requests made by a security principal to access an App Configuration resource must be authorized. With Microsoft Entra ID, access to a resource is a two-step process:
-1. The security principal's identity is authenticated and an OAuth 2.0 token is returned. The resource name to request a token is `https://login.microsoftonline.com/{tenantID}` where `{tenantID}` matches the Microsoft Entra tenant ID to which the service principal belongs.
-2. The token is passed as part of a request to the App Configuration service to authorize access to the specified resource.
+Accessing an App Configuration store using Microsoft Entra ID involves two steps:
 
-The authentication step requires that an application request contains an OAuth 2.0 access token at runtime. If an application is running within an Azure entity, such as an Azure Functions app, an Azure Web App, or an Azure VM, it can use a managed identity to access the resources. To learn how to authenticate requests made by a managed identity to Azure App Configuration, see [Authenticate access to Azure App Configuration resources with Microsoft Entra ID and managed identities for Azure Resources](howto-integrate-azure-managed-service-identity.md).
+1. **Authentication**: Acquire a token of the security principal from Microsoft Entra ID for App Configuration. For more details, see [Microsoft Entra authentication](./rest-api-authentication-azure-ad.md) in App Configuration.
 
-The authorization step requires that one or more Azure roles be assigned to the security principal. Azure App Configuration provides Azure roles that encompass sets of permissions for App Configuration resources. The roles that are assigned to a security principal determine the permissions provided to the principal. For more information about Azure roles, see [Azure built-in roles for Azure App Configuration](#azure-built-in-roles-for-azure-app-configuration). 
-
-## Assign Azure roles for access rights
-Microsoft Entra authorizes access rights to secured resources through [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md).
-
-When an Azure role is assigned to a Microsoft Entra security principal, Azure grants access to those resources for that security principal. Access is scoped to the App Configuration resource. A Microsoft Entra security principal may be a user, a group, an application service principal, or a [managed identity for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).
+1. **Authorization**: Pass the token as part of a request to an App Configuration store. To authorize access to the specified App Configuration store, the serurity principal must be assigned the appropriate roles in advance. For more information, see [Microsoft Entra authorization](./rest-api-authorization-azure-ad.md) in App Configuration.
 
 ## Azure built-in roles for Azure App Configuration
-Azure provides the following Azure built-in roles for authorizing access to App Configuration data using Microsoft Entra ID:
+Azure provides the following built-in roles for authorizing access to App Configuration using Microsoft Entra ID:
 
-- **App Configuration Data Owner**: Use this role to give read/write/delete access to App Configuration data. This role doesn't grant access to the App Configuration resource.
+### Data plane access
+Requests for [data plane](../azure-resource-manager/management/control-plane-and-data-plane.md#data-plane) operations are sent to the endpoint of your App Configuration store. These requests pertain to App Configuration data.
+
+- **App Configuration Data Owner**: Use this role to give read, write, and delete access to App Configuration data. This role doesn't grant access to the App Configuration resource.
 - **App Configuration Data Reader**: Use this role to give read access to App Configuration data. This role doesn't grant access to the App Configuration resource.
-- **Contributor** or **Owner**: Use this role to manage the App Configuration resource. It grants access to the resource's access keys. While the App Configuration data can be accessed using access keys, this role doesn't grant direct access to the data using Microsoft Entra ID. This role is required if you access the App Configuration data via ARM template, Bicep, or Terraform during deployment. For more information, see [deployment](quickstart-deployment-overview.md).
+
+### Control plane access
+All requests for [control plane](../azure-resource-manager/management/control-plane-and-data-plane.md#control-plane) operations are sent to the Azure Resource Manager URL. These requests pertain to the App Configuration resource.
+
+- **Contributor** or **Owner**: Use this role to manage the App Configuration resource. It grants access to the resource's access keys. While the App Configuration data can be accessed using access keys, this role doesn't grant direct access to the data using Microsoft Entra ID.
 - **Reader**: Use this role to give read access to the App Configuration resource. This role doesn't grant access to the resource's access keys, nor to the data stored in App Configuration.
 
 > [!NOTE]
 > After a role assignment is made for an identity, allow up to 15 minutes for the permission to propagate before accessing data stored in App Configuration using this identity.
 
+## Authentication with Token Credentials
+
+To enable your application to authenticate with Microsoft Entra ID, the Azure Identity library supports various token credentials for Microsoft Entra ID authentication. For example, you might choose Visual Studio Credential when developing your application in Visual Studio, Workload Identity Credential when your application runs on Kubernetes, or Managed Identity Credential when your application is deployed in Azure services like Azure Functions.
+
+### Use DefaultAzureCredential
+
+The `DefaultAzureCredential` is a preconfigured [chain of token credentials](/dotnet/azure/sdk/authentication/credential-chains.md#defaultazurecredential-overview) that automatically attempts an ordered sequence of the most common authentication methods. Using the `DefaultAzureCredential` allows you to keep the same code in both local development and Azure environments. However, it's important to know which credential is being used in each environment, as you need to grant the appropriate roles for authorization to work. For example, authorize your own account when you expect the `DefaultAzureCredential` to fall back to your user identity during local development. Similarly, enable managed identity in Azure Functions and assign it the necessary role when you expect the `DefaultAzureCredential` to fall back to the `ManagedIdentityCredential` when your Function App runs in Azure.
+
+### Assign App Configuration Data Roles
+
+Regardless of which credential you use, you must assign it the appropriate roles before it can access your App Configuration store. If your application only needs to read data from your App Configuration store, assign it the *App Configuration Data Reader* role. If your application also needs to write data to your App Configuration store, assign it the *App Configuration Data Owner* role.
+
+Follow these steps to assign App Configuration Data roles to your credential.
+
+1. In the Azure portal, navigate to your App Configuration store and select **Access control (IAM)**.
+1. Select **Add** -> **Add role assignment**.
+   
+   If you don't have permission to assign roles, the **Add role assignment** option will be disabled. Only users with *Owner* or *User Access Administrator* roles can make role assignments.
+2. On the **Role** tab, select the **App Configuration Data Reader** role (or another App Configuration role as appropriate) and then select **Next**.
+3. On the **Members** tab, follow the wizard to select the credential you are granting access to and then select **Next**.
+4. Finally, on the **Review + assign** tab, select **Review + assign** to assign the role.
+
 ## Next steps
-Learn more about using [managed identities](howto-integrate-azure-managed-service-identity.md) to administer your App Configuration service.
+Learn how to [use managed identities to access your App Configuration store](howto-integrate-azure-managed-service-identity.md).

articles/azure-app-configuration/quickstart-azure-functions-csharp.md

@@ -178,15 +178,17 @@ This project will use [dependency injection in .NET Azure Functions](../azure-fu
 
 ## Test the function locally
 
-1. Set an environment variable named **ConnectionString**, and set it to the access key to your App Configuration store. If you use the Windows command prompt, run the following command and restart the command prompt to allow the change to take effect:
+1. Set an environment variable named **ConnectionString**, and set it to the access key to your App Configuration store. 
 
+    If you use the Windows command prompt, run the following command and restart the command prompt to allow the change to take effect:
+    
     ```cmd
         setx ConnectionString "connection-string-of-your-app-configuration-store"
     ```
 
-    If you use Windows PowerShell, run the following command:
+    If you use PowerShell, run the following command:
 
-    ```azurepowershell
+    ```powershell
         $Env:ConnectionString = "connection-string-of-your-app-configuration-store"
     ```
 

articles/azure-app-configuration/quickstart-dotnet-core-app.md

@@ -7,7 +7,7 @@ ms.service: azure-app-configuration
 ms.devlang: csharp
 ms.topic: quickstart
 ms.custom: devx-track-csharp, mode-other, devx-track-dotnet
-ms.date: 02/20/2024
+ms.date: 10/05/2024
 ms.author: malev
 #Customer intent: As a .NET developer, I want to manage all my app settings in one place.
 ---
@@ -43,73 +43,117 @@ You can use the [.NET command-line interface (CLI)](/dotnet/core/tools/) to crea
 
 ## Connect to an App Configuration store
 
-1. Add a reference to the `Microsoft.Extensions.Configuration.AzureAppConfiguration` NuGet package by running the following command:
+You can connect to your App Configuration store using Microsoft Entra ID (recommended), or a connection string
 
+1. Add NuGet package references by running the following command:
+
+    ### [Microsoft Entra ID](#tab/entra-id)
     ```dotnetcli
     dotnet add package Microsoft.Extensions.Configuration.AzureAppConfiguration
+    dotnet add package Azure.Identity
     ```
 
+    ### [Connection string](#tab/connection-string)
+    ```dotnetcli
+    dotnet add package Microsoft.Extensions.Configuration.AzureAppConfiguration
+    ```
+    ---
+
 1. Run the following command to restore packages for your project:
 
     ```dotnetcli
     dotnet restore
     ```
 
-1. Open *Program.cs*, and add the following statements:
+1. Open the *Program.cs* file, and add the following namespaces:
+
 
+    ### [Microsoft Entra ID](#tab/entra-id)
     ```csharp
     using Microsoft.Extensions.Configuration;
     using Microsoft.Extensions.Configuration.AzureAppConfiguration;
+    using Azure.Identity;
     ```
 
-1. Use App Configuration by calling the `AddAzureAppConfiguration` method in the `Program.cs` file.
+    ### [Connection string](#tab/connection-string)
+    ```csharp
+    using Microsoft.Extensions.Configuration;
+    using Microsoft.Extensions.Configuration.AzureAppConfiguration;
+    ```
+    ---
+
+1. Connect to your App Configuration store by calling the `AddAzureAppConfiguration` method in the `Program.cs` file.
+
+    ### [Microsoft Entra ID](#tab/entra-id)
+    You can use any token credentials to authenticate to your App Configuration store as appropriate. In this example, you use the `DefaultAzureCredential`. Follow the [instructions](./concept-enable-rbac.md#authentication-with-token-credentials) to assign your credential the **App Configuration Data Reader** role and allow sufficient time for the permission to propagate before running your application.
 
+    ```csharp
+    var builder = new ConfigurationBuilder();
+    builder.AddAzureAppConfiguration(options =>
+    {
+        string endpoint = Environment.GetEnvironmentVariable("Endpoint");
+        options.Connect(new Uri(endpoint), new DefaultAzureCredential());
+    });
+
+    var config = builder.Build();
+    Console.WriteLine(config["TestApp:Settings:Message"] ?? "Hello world!");
+    ```
+
+    ### [Connection string](#tab/connection-string)
     ```csharp
     var builder = new ConfigurationBuilder();
     builder.AddAzureAppConfiguration(Environment.GetEnvironmentVariable("ConnectionString"));
     
     var config = builder.Build();
     Console.WriteLine(config["TestApp:Settings:Message"] ?? "Hello world!");
     ```
+    ---
 
 ## Build and run the app locally
 
-1. Set an environment variable named **ConnectionString**, and set it to the access key to your App Configuration store. At the command line, run the following command:
+1. Set an environment variable.
 
-    ### [Windows command prompt](#tab/windowscommandprompt)
+    ### [Microsoft Entra ID](#tab/entra-id)
+    Set the environment variable named **Endpoint** to the endpoint of your App Configuration store found under the *Overview* of your store in the Azure portal.
 
-    To build and run the app locally using the Windows command prompt, run the following command:
+    If you use the Windows command prompt, run the following command and restart the command prompt to allow the change to take effect:
 
-    ```console
-    setx ConnectionString "connection-string-of-your-app-configuration-store"
+    ```cmd
+        setx Endpoint "endpoint-of-your-app-configuration-store"
     ```
 
-    Restart the command prompt to allow the change to take effect. Print the value of the environment variable to validate that it's set properly.
+    If you use PowerShell, run the following command:
 
-    ### [PowerShell](#tab/powershell)
+    ```powershell
+        $Env:Endpoint = "endpoint-of-your-app-configuration-store"
+    ```
 
-    If you use Windows PowerShell, run the following command:
+    If you use macOS or Linux, run the following command:
 
-    ```azurepowershell
-    $Env:ConnectionString = "connection-string-of-your-app-configuration-store"
+    ```bash
+        export Endpoint='endpoint-of-your-app-configuration-store'
     ```
 
-    ### [macOS](#tab/unix)
+    ### [Connection string](#tab/connection-string)
+    Set the environment variable named **ConnectionString** to the read-only connection string of your App Configuration store found under *Access keys* of your store in the Azure portal.
 
-    If you use macOS, run the following command:
+    If you use the Windows command prompt, run the following command and restart the command prompt to allow the change to take effect:
 
-    ```console
-    export ConnectionString='connection-string-of-your-app-configuration-store'
+    ```cmd
+        setx ConnectionString "connection-string-of-your-app-configuration-store"
     ```
 
-    ### [Linux](#tab/linux)
-
-    If you use Linux, run the following command:
+   If you use PowerShell, run the following command:
 
-    ```console
-    export ConnectionString='connection-string-of-your-app-configuration-store'
+    ```powershell
+        $Env:ConnectionString = "connection-string-of-your-app-configuration-store"
     ```
 
+    If you use macOS or Linux, run the following command:
+
+    ```bash
+        export ConnectionString='connection-string-of-your-app-configuration-store'
+    ```
     ---
 
 1. Run the following command to build the console app:
@@ -124,6 +168,8 @@ You can use the [.NET command-line interface (CLI)](/dotnet/core/tools/) to crea
     dotnet run
     ```
 
+    ![Quickstart app launch local](./media/quickstarts/dotnet-core-app-run.png)
+    
 ## Clean up resources
 
 [!INCLUDE [azure-app-configuration-cleanup](../../includes/azure-app-configuration-cleanup.md)]