MicrosoftDocs
diff --git a/‎articles/app-service/includes/tutorial-cleanup.md
Lines changed: 35 additions & 0 deletions b/‎articles/app-service/includes/tutorial-cleanup.md
Lines changed: 35 additions & 0 deletions
diff --git a/‎articles/app-service/includes/tutorial-connect-msi-key-vault/cleanup.md
Lines changed: 84 additions & 0 deletions b/‎articles/app-service/includes/tutorial-connect-msi-key-vault/cleanup.md
Lines changed: 84 additions & 0 deletions
diff --git a/‎articles/app-service/includes/tutorial-connect-msi-key-vault/introduction.md
Lines changed: 61 additions & 0 deletions b/‎articles/app-service/includes/tutorial-connect-msi-key-vault/introduction.md
Lines changed: 61 additions & 0 deletions
diff --git a/‎articles/app-service/includes/tutorial-dotnet-storage-managed-identity/cleanup.md
Lines changed: 33 additions & 0 deletions b/‎articles/app-service/includes/tutorial-dotnet-storage-managed-identity/cleanup.md
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,35 @@
+---
+services: storage, app-service-web
+author: rwike77
+manager: CelesteDG
+ms.service: app-service-web
+ms.topic: include
+ms.workload: identity
+ms.date: 02/16/2022
+ms.author: ryanwi
+ms.reviewer: stsoneff
+ms.devlang: csharp azurecli
+ms.custom: azureday1
+---
+
+## Clean up resources
+
+If you're finished with this tutorial and no longer need the web app or associated resources, clean up the resources you created.
+
+### Delete the resource group
+
+In the [Azure portal](https://portal.azure.com), select **Resource groups** from the portal menu and select the resource group that contains your app service and app service plan.
+
+Select **Delete resource group** to delete the resource group and all the resources.
+
+:::image type="content" alt-text="Screenshot that shows deleting the resource group." source="../media/scenario-secure-app-clean-up-resources/delete-resource-group.png":::
+
+This command might take several minutes to run.
+
+### Delete the app registration
+
+From the portal menu, select **Azure Active Directory** > **App registrations**. Then select the application you created.
+:::image type="content" alt-text="Screenshot that shows selecting app registration." source="../media/scenario-secure-app-clean-up-resources/select-app-registration.png":::
+
+In the app registration overview, select **Delete**.
+:::image type="content" alt-text="Screenshot that shows deleting the app registration." source="../media/scenario-secure-app-clean-up-resources/delete-app-registration.png":::
@@ -0,0 +1,84 @@
+---
+ms.topic: include
+ms.date: 10/26/2021
+
+ms.reviewer: madsd 
+ms.custom: devx-track-azurecli
+---
+
+1. Configure the Cognitive Services secrets as app settings `CS_ACCOUNT_NAME` and `CS_ACCOUNT_KEY`.
+
+    ```azurecli-interactive
+    # Get subscription key for Cognitive Services resource
+    csKey1=$(az cognitiveservices account keys list --resource-group $groupName --name $csResourceName --query key1 --output tsv)
+
+    az webapp config appsettings set --resource-group $groupName --name $appName --settings CS_ACCOUNT_NAME="$csResourceName" CS_ACCOUNT_KEY="$csKey1"
+    ````
+
+1. In the browser, navigate to your deploy app at `<app-name>.azurewebsites.net` and try out the language detector with strings in various languages.
+
+    ![Screenshot that shows deployed language detector app in App Service.](../../media/tutorial-connect-msi-key-vault/deployed-app.png)
+
+    If you look at the application code, you may notice the debug output for the detection results in the same font color as the background. You can see it by trying to highlight the white space directly below the result.
+
+## Secure back-end connectivity
+
+At the moment, connection secrets are stored as app settings in your App Service app. This approach is already securing connection secrets from your application codebase. However, any contributor who can manage your app can also see the app settings. In this step, you move the connection secrets to a key vault, and lock down access so that only you can manage it and only the App Service app can read it using its managed identity.
+
+1. Create a key vault. Replace *\<vault-name>* with a unique name.
+
+    ```azurecli-interactive
+    # Save app name as variable for convenience
+    vaultName=<vault-name>
+
+    az keyvault create --resource-group $groupName --name $vaultName --location $region --sku standard --enable-rbac-authorization
+    ```
+
+    The `--enable-rbac-authorization` parameter [sets Azure role-based access control (RBAC) as the permission model](../../../key-vault/general/rbac-guide.md#using-azure-rbac-secret-key-and-certificate-permissions-with-key-vault). This setting by default invalidates all access policies permissions.
+
+1. Give yourself the *Key Vault Secrets Officer* RBAC role for the vault.
+    
+    ```azurecli-interactive
+    vaultResourceId=$(az keyvault show --name $vaultName --query id --output tsv)
+    myId=$(az ad signed-in-user show --query objectId --output tsv)
+    az role assignment create --role "Key Vault Secrets Officer" --assignee-object-id $myId --assignee-principal-type User --scope $vaultResourceId
+    ```
+
+1. Enable the system-assigned managed identity for your app, and give it the *Key Vault Secrets User* RBAC role for the vault.
+
+    ```azurecli-interactive
+    az webapp identity assign --resource-group $groupName --name $appName --scope $vaultResourceId --role  "Key Vault Secrets User"
+    ```
+
+1. Add the Cognitive Services resource name and subscription key as secrets to the vault, and save their IDs as environment variables for the next step.
+
+    ```azurecli-interactive
+    csResourceKVUri=$(az keyvault secret set --vault-name $vaultName --name csresource --value $csResourceName --query id --output tsv)
+    csKeyKVUri=$(az keyvault secret set --vault-name $vaultName --name cskey --value $csKey1 --query id --output tsv)
+    ```
+
+1. Previously, you set the secrets as app settings `CS_ACCOUNT_NAME` and `CS_ACCOUNT_KEY` in your app. Now, set them as [key vault references](../../app-service-key-vault-references.md) instead.
+
+    ```azurecli-interactive
+    az webapp config appsettings set --resource-group $groupName --name $appName --settings CS_ACCOUNT_NAME="@Microsoft.KeyVault(SecretUri=$csResourceKVUri)" CS_ACCOUNT_KEY="@Microsoft.KeyVault(SecretUri=$csKeyKVUri)"
+    ```
+
+1. In the browser, navigate to `<app-name>.azurewebsites.net` again. If you get detection results back, then you're connecting to the Cognitive Services endpoint with key vault references.
+
+Congratulations, your app is now connecting to Cognitive Services using secrets kept in your key vault, without any changes to your application code.
+
+## Clean up resources
+
+In the preceding steps, you created Azure resources in a resource group. If you don't expect to need these resources in the future, delete the resource group by running the following command in the Cloud Shell:
+
+```azurecli-interactive
+az group delete --name $groupName
+```
+
+This command may take a minute to run.
+
+## Next steps
+
+- [Tutorial: Isolate back-end communication with Virtual Network integration](../../tutorial-networking-isolate-vnet.md)
+- [Integrate your app with an Azure virtual network](../../overview-vnet-integration.md)
+- [App Service networking features](../../networking-features.md)
@@ -0,0 +1,61 @@
+---
+ms.topic: include
+ms.date: 10/26/2021
+
+ms.reviewer: madsd 
+ms.custom: devx-track-azurecli
+---
+
+[Azure App Service](../../overview.md) can use [managed identities](../../overview-managed-identity.md) to connect to back-end services without a connection string, which eliminates connection secrets to manage and keeps your back-end connectivity secure in a production environment. For back-end services that don't support managed identities and still requires connection secrets, you can use Key Vault to manage connection secrets. This tutorial uses Cognitive Services as an example to show you how it's done in practice. When you're finished, you have an app that makes programmatic calls to Cognitive Services, without storing any connection secrets inside App Service.
+
+* [Sample application](https://github.com/Azure-Samples/app-service-language-detector)
+
+> [!TIP]
+> Azure Cognitive Services do [support authentication through managed identities](../../../cognitive-services/authentication.md#authorize-access-to-managed-identities), but this tutorial uses the [subscription key authentication](../../../cognitive-services/authentication.md#authenticate-with-a-single-service-subscription-key) to demonstrate how you could connect to an Azure service that doesn't support managed identities from App Services.
+
+![Architecture diagram for tutorial scenario.](../../media/tutorial-connect-msi-key-vault/architecture.png)
+
+With this architecture: 
+
+- Connectivity to Key Vault is secured by managed identities
+- App Service accesses the secrets using [Key Vault references](../../app-service-key-vault-references.md) as app settings.
+- Access to the key vault is restricted to the app. App contributors, such as administrators, may have complete control of the App Service resources, and at the same time have no access to the Key Vault secrets.
+- If your application code already accesses connection secrets with app settings, no change is required.
+
+What you will learn:
+
+> [!div class="checklist"]
+> * Enable managed identities
+> * Use managed identities to connect to Key Vault
+> * Use Key Vault references
+> * Access Cognitive Services
+
+## Prerequisites
+
+Prepare your environment for the Azure CLI.
+
+[!INCLUDE [azure-cli-prepare-your-environment-no-header.md](../../../../includes/azure-cli-prepare-your-environment-no-header.md)]
+
+## Create app with connectivity to Cognitive Services
+
+1. Create a resource group to contain all of your resources:
+
+    ```azurecli-interactive
+    # Save resource group name as variable for convenience
+    groupName=myKVResourceGroup
+    region=westeurope
+
+    az group create --name $groupName --location $region
+    ```
+
+1. Create a Cognitive Services resource. Replace *\<cs-resource-name>* with a unique name of your choice.
+
+    ```azurecli-interactive
+    # Save resource name as variable for convenience. 
+    csResourceName=<cs-resource-name>
+
+    az cognitiveservices account create --resource-group $groupName --name $csResourceName --location $region --kind TextAnalytics --sku F0 --custom-domain $csResourceName
+    ```
+
+    > [!NOTE]
+    > `--sku F0` creates a free tier Cognitive Services resource. Each subscription is limited to a quota of one free-tier `TextAnalytics` resource. If you're already over the quota, use `--sku S` instead.
@@ -0,0 +1,33 @@
+---
+services: microsoft-graph, app-service-web
+author: rwike77
+manager: CelesteDG
+
+ms.service: app-service-web
+ms.topic: include
+ms.workload: identity
+ms.date: 01/21/2022
+ms.author: ryanwi
+ms.reviewer: stsoneff
+ms.custom: azureday1, devx-track-azurepowershell
+#Customer intent: As an application developer, I want to learn how to access data in Microsoft Graph by using managed identities.
+---
+
+## Next steps
+
+In this tutorial, you learned how to:
+
+> [!div class="checklist"]
+>
+> * Create a system-assigned managed identity.
+> * Create a storage account and Blob Storage container.
+> * Access storage from a web app by using managed identities.
+
+> [!div class="nextstepaction"]
+> [Tutorial: Isolate back-end communication with Virtual Network integration](../../tutorial-networking-isolate-vnet.md)
+
+> [!div class="nextstepaction"]
+> [App Service accesses Microsoft Graph on behalf of the user](../../scenario-secure-app-access-microsoft-graph-as-user.md)
+
+> [!div class="nextstepaction"]
+> [Map an existing custom DNS name to Azure App Service](../../app-service-web-tutorial-custom-domain.md)