Update how-to-authenticate-batch-endpoint.md

santiagxf · web-flow · commit e03ccc7106ef · 2022-10-31T15:52:35.000-04:00
diff --git a/articles/machine-learning/batch-inference/how-to-authenticate-batch-endpoint.md b/articles/machine-learning/batch-inference/how-to-authenticate-batch-endpoint.md
@@ -23,7 +23,7 @@ Batch endpoints support Azure Active Directory authentication, or `aad_token`. T
 
 ## How authentication works
 
-To invoke a batch endpoint, the user must present a valid Azure Active Directory token representing a security principal. This principal can be a user principal or a service principal. In any case, once an endpoint is invoked, a batch deployment job is created under the identity associated with the token. The identity needs the following permissions in order to successfully create a job:
+To invoke a batch endpoint, the user must present a valid Azure Active Directory token representing a security principal. This principal can be a __user principal__ or a __service principal__. In any case, once an endpoint is invoked, a batch deployment job is created under the identity associated with the token. The identity needs the following permissions in order to successfully create a job:
 
 > [!div class="checklist"]
 > * Read batch endpoints/deployments.
@@ -43,97 +43,139 @@ The following examples show different ways to start batch deployment jobs using
 
 ### Running jobs using user's credentials
 
-# [Azure ML CLI](#tab/cli)
+In this case, we want to execute a batch endpoint using the identity of the user currenly logged in. Follow these steps:
 
-Use the Azure CLI to log in using either interactive or device code authentication:
+> [!IMPORTANT] 
+> When working on a private link-enabled workspaces, batch endpoints can't be invoked from the UI in Azure ML studio. Please use the Azure ML CLI v2 instead for job creation. 
 
-```azurecli
-az login
-```
+> [!NOTE]
+> When working on Azure ML studio, batch endpoints/deployments are always executed using the identity of the current user logged in.
 
-Once authenticated, use the following command to run a batch deployment job:
+# [Azure ML CLI](#tab/cli)
 
-```azurecli
-az ml batch-endpoint invoke --name $ENDPOINT_NAME --input https://azuremlexampledata.blob.core.windows.net/data/heart-disease-uci/data
-```
+1. Use the Azure CLI to log in using either interactive or device code authentication:
 
-# [Azure ML SDK for Python](#tab/sdk)
+    ```azurecli
+    az login
+    ```
 
-Use the Azure ML SDK for Python to log in using either interactive or device authentication:
+1. Once authenticated, use the following command to run a batch deployment job:
 
-```python
-from azure.ai.ml import MLClient
-from azure.identity import InteractiveAzureCredentials
+    ```azurecli
+    az ml batch-endpoint invoke --name $ENDPOINT_NAME --input https://azuremlexampledata.blob.core.windows.net/data/heart-disease-uci/data
+    ```
 
-subscription_id = "<subscription>"
-resource_group = "<resource-group>"
-workspace = "<workspace>"
+# [Azure ML SDK for Python](#tab/sdk)
 
-ml_client = MLClient(InteractiveAzureCredentials(), subscription_id, resource_group, workspace)
-```
+1. Use the Azure ML SDK for Python to log in using either interactive or device authentication:
 
-Once authenticated, use the following command to run a batch deployment job:
+    ```python
+    from azure.ai.ml import MLClient
+    from azure.identity import InteractiveAzureCredentials
 
-```python
-job = ml_client.batch_endpoints.invoke(
-        endpoint_name, 
-        input=Input(path="https://azuremlexampledata.blob.core.windows.net/data/heart-disease-uci/data")
-    )
-```
+    subscription_id = "<subscription>"
+    resource_group = "<resource-group>"
+    workspace = "<workspace>"
+
+    ml_client = MLClient(InteractiveAzureCredentials(), subscription_id, resource_group, workspace)
+    ```
 
-# [studio](#tab/studio)
+1. Once authenticated, use the following command to run a batch deployment job:
 
-Jobs are always started using the identity of the user in the portal in studio.
+    ```python
+    job = ml_client.batch_endpoints.invoke(
+            endpoint_name, 
+            input=Input(path="https://azuremlexampledata.blob.core.windows.net/data/heart-disease-uci/data")
+        )
+    ```
 
 ---
 
 ### Running jobs using a service principal
 
+In this case, we want to execute a batch endpoint using a service princpal already created in Azure Active Directory. To complete the authentication, you will have to create a secret to perform the authentication. Follow these steps:
+
 # [Azure ML CLI](#tab/cli)
 
-For more details see [Sign in with Azure CLI](/cli/azure/authenticate-azure-cli).
+1. Create a secret to use for authentication as explained at [Option 2: Create a new application secret](../../active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret).
+1. For more details see [Sign in with Azure CLI](/cli/azure/authenticate-azure-cli).
 
-```bash
-az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
-```
+    ```bash
+    az login --service-principal -u <app-id> -p <password-or-cert> --tenant <tenant>
+    ```
 
-Once authenticated, use the following command to run a batch deployment job:
+1. Once authenticated, use the following command to run a batch deployment job:
 
-```azurecli
-az ml batch-endpoint invoke --name $ENDPOINT_NAME --input https://azuremlexampledata.blob.core.windows.net/data/heart-disease-uci/data
-```
+    ```azurecli
+    az ml batch-endpoint invoke --name $ENDPOINT_NAME --input https://azuremlexampledata.blob.core.windows.net/data/heart-disease-uci/data
+    ```
 
 # [Azure ML SDK for Python](#tab/sdk)
 
-To authenticate using a service principal, indicate the tenant ID, client ID and client secret of the service principal using environment variables as demonstrated here:
-
-```python
-from azure.ai.ml import MLClient
-from azure.identity import EnvironmentCredential
-
-os.environ["AZURE_TENANT_ID"] = "<TENANT_ID>"
-os.environ["AZURE_CLIENT_ID"] = "<CLIENT_ID>"
-os.environ["AZURE_CLIENT_SECRET"] = "<CLIENT_SECRET>"
-
-subscription_id = "<subscription>"
-resource_group = "<resource-group>"
-workspace = "<workspace>"
-
-ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, workspace)
-```
-
-Once authenticated, use the following command to run a batch deployment job:
-
-```python
-job = ml_client.batch_endpoints.invoke(
-        endpoint_name, 
-        input=Input(path="https://azuremlexampledata.blob.core.windows.net/data/heart-disease-uci/data")
-    )
-```
-
-# [studio](#tab/studio)
-
-You can't run jobs using a service principal from studio.
+1. Create a secret to use for authentication as explained at [Option 2: Create a new application secret](../../active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret).
+1. To authenticate using a service principal, indicate the tenant ID, client ID and client secret of the service principal using environment variables as demonstrated:
+
+    ```python
+    from azure.ai.ml import MLClient
+    from azure.identity import EnvironmentCredential
+
+    os.environ["AZURE_TENANT_ID"] = "<TENANT_ID>"
+    os.environ["AZURE_CLIENT_ID"] = "<CLIENT_ID>"
+    os.environ["AZURE_CLIENT_SECRET"] = "<CLIENT_SECRET>"
+
+    subscription_id = "<subscription>"
+    resource_group = "<resource-group>"
+    workspace = "<workspace>"
+
+    ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, workspace)
+    ```
+
+1. Once authenticated, use the following command to run a batch deployment job:
+
+    ```python
+    job = ml_client.batch_endpoints.invoke(
+            endpoint_name, 
+            input=Input(path="https://azuremlexampledata.blob.core.windows.net/data/heart-disease-uci/data")
+        )
+    ```
+
+# [REST](#tab/rest)
+
+You can use the REST API of Azure Machine Learning to start a batch endpoints job using the user's credential. Follow these steps:
+
+1. Use the login service from Azure to get an authorization token. Authorization tokens are issued to a particular scope. The resource type for Azure Machine learning is `https://ml.azure.com`. The request would look as follows:
+    
+    __POST__: https://login.microsoftonline.com/<TENANT_ID>/oauth2/token
+    ```Body
+    grant_type=client_credentials&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&resource=https://ml.azure.com
+    ```
+    
+    > [!IMPORTANT]
+    > Notice that the resource scope for invoking a batch endpoints (`https://ml.azure.com1) is different from the resource scope used to manage them. All management APIs in Azure use the resource scope `https://management.azure.com`, including Azure Machine Learning.
+
+3. Once authenticated, use the query to run a batch deployment job:
+    
+    __POST__: <ENDPOINT_URI>
+    
+    ```json
+    {
+        "properties": {
+    	    "InputData": {
+    		"mnistinput": {
+    		    "JobInputType" : "UriFolder",
+    		    "Uri":  "https://pipelinedata.blob.core.windows.net/sampledata/mnist"
+    	        }
+            }
+        }
+    }
+    ```
+    
+    The following headers need to be included:
+    
+    | Header        | Value            |
+    |---------------|------------------|
+    | Authorization | Bearer <TOKEN>   |
+    | Content-Type  | application/json |
 
 ---
 
@@ -174,10 +216,6 @@ job = ml_client.batch_endpoints.invoke(
     )
 ```
 
-# [studio](#tab/studio)
-
-You can't run jobs using a managed identity from studio.
-
 ---
 
 ## Next steps
