Merge pull request #225536 from EdB-MSFT/refresh-rest-api-walkthrough

Refresh REST API walkthrough

Author: Maggiemouse1

articles/azure-monitor/essentials/media/rest-api-walkthrough/azure_resource_explorer.png

@@ -13,6 +13,9 @@ To access Azure REST APIs such as the Log analytics API, or to send custom metri
 
 ## Register an App
 
+Create a service principal and register an app using the Azure portal, Azure CLI, or PowerShell.
+### [Azure portal](#tab/portal)
+
 1. To register an app, open the Active Directory Overview page in the Azure portal.
 
 1. Select **App registrations** from the side bar.
@@ -38,18 +41,83 @@ To access Azure REST APIs such as the Log analytics API, or to send custom metri
      :::image type="content" source="../media/api-register-app/client-secret.png" alt-text="A screenshot showing the client secrets page.":::
 
 
+### [Azure CLI](#tab/cli)
+
+
+Run the following script to create a service principal and app. 
+
+```azurecli
+az ad sp create-for-rbac -n <Service principal display name> 
+
+```
+The response looks as follows:
+```JSON
+{
+  "appId": "0a123b56-c987-1234-abcd-1a2b3c4d5e6f",
+  "displayName": "AzMonAPIApp",
+  "password": "123456.ABCDE.~XYZ876123ABcEdB7169",
+  "tenant": "a1234bcd-5849-4a5d-a2eb-5267eae1bbc7"
+}
+
+```
+>[!Important]
+> The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control.
+
+Add a role and scope for the resources that you want to access using the API
+
+```azurecli
+az role assignment create --assignee <`appId`> --role <Role> --scope <resource URI>
+```
+
+The CLI following example assigns the `Reader` role to the service principal for all resources in the `rg-001`resource group:
+
+```azurecli
+ az role assignment create --assignee 0a123b56-c987-1234-abcd-1a2b3c4d5e6f --role Reader --scope '\/subscriptions/a1234bcd-5849-4a5d-a2eb-5267eae1bbc7/resourceGroups/rg-001'
+```
+For more information on creating a service principal using Azure CLI, see [Create an Azure service principal with the Azure CLI](https://learn.microsoft.com/cli/azure/create-an-azure-service-principal-azure-cli)
+
+### [PowerShell](#tab/powershell)
+The following sample script demonstrates creating an Azure Active Directory service principal via PowerShell. For a more detailed walkthrough, see [using Azure PowerShell to create a service principal to access resources](../../../active-directory/develop/howto-authenticate-service-principal-powershell.md)  
+
+```powershell
+$subscriptionId = "{azure-subscription-id}"
+$resourceGroupName = "{resource-group-name}"
+
+# Authenticate to a specific Azure subscription.
+Connect-AzAccount -SubscriptionId $subscriptionId
+
+# Password for the service principal
+$pwd = "{service-principal-password}"
+$secureStringPassword = ConvertTo-SecureString -String $pwd -AsPlainText -Force
+
+# Create a new Azure Active Directory application
+$azureAdApplication = New-AzADApplication `
+                        -DisplayName "My Azure Monitor" `
+                        -HomePage "https://localhost/azure-monitor" `
+                        -IdentifierUris "https://localhost/azure-monitor" `
+                        -Password $secureStringPassword
+
+# Create a new service principal associated with the designated application
+New-AzADServicePrincipal -ApplicationId $azureAdApplication.ApplicationId
+
+# Assign Reader role to the newly created service principal
+New-AzRoleAssignment -RoleDefinitionName Reader `
+                          -ServicePrincipalName $azureAdApplication.ApplicationId.Guid
+
+```
+---
+
 ## Next steps
 
-Before you can generate a token using your app, client ID, and secret, assign the app to a role using Access control (IAM) for resource that you want to access.
-The role will depend on the resource type and the API that you want to use.  
+Before you can generate a token using your app, client ID, and secret, assign the app to a role using Access control (IAM) for resource that you want to access. The role will depend on the resource type and the API that you want to use.  
 For example,
 - To grant your app read from a Log Analytics Workspace, add your app as a member to the **Reader** role using Access control (IAM) for your Log Analytics Workspace. For more information, see [Access the API](./access-api.md)
 
 - To grant access to send custom metrics for a resource,  add your app as a member to the **Monitoring Metrics Publisher** role using Access control (IAM) for your resource. For more information, see [ Send metrics to the Azure Monitor metric database using REST API](../../essentials/metrics-store-custom-rest-api.md)
 
-For more information see [Assign Azure roles using the Azure portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)  
+For more information, see [Assign Azure roles using the Azure portal](../../../role-based-access-control/role-assignments-portal.md)
 
-Once you have assigned a role you can use your app, client ID, and client secret to generate a bearer token to access the REST API.
+Once you've assigned a role, you can use your app, client ID, and client secret to generate a bearer token to access the REST API.
 
 > [!NOTE]
 > When using Azure AD authentication, it may take up to 60 minutes for the Azure Application Insights REST API to recognize new role-based access control (RBAC) permissions. While permissions are propagating, REST API calls may fail with error code 403.