User-assigned MI details

Author: jlian

articles/iot-operations/connect-to-cloud/howto-configure-adlsv2-endpoint.md

@@ -301,7 +301,9 @@ dataLakeStorageSettings:
 
 #### User-assigned managed identity
 
-To use a user-assigned managed identity, specify the `UserAssignedManagedIdentity` authentication method and provide the `clientId` and `tenantId` of the managed identity.
+To use user-managed identity for authentication, you must first deploy Azure IoT Operations with secure settings enabled. To learn more, see [Enable secure settings in Azure IoT Operations Preview deployment](../deploy-iot-ops/howto-enable-secure-settings.md).
+
+Then, specify the user-assigned managed identity authentication method along with the client ID, tenant ID, and scope of the managed identity.
 
 # [Bicep](#tab/bicep)
 
@@ -312,6 +314,8 @@ dataLakeStorageSettings: {
     userAssignedManagedIdentitySettings: {
       cliendId: '<ID>'
       tenantId: '<ID>'
+      // Optional, defaults to 'https://storage.azure.com/.default'
+      // scope: 'https://<SCOPE_URL>'
     }
   }
 }
@@ -326,6 +330,8 @@ dataLakeStorageSettings:
     userAssignedManagedIdentitySettings:
       clientId: <ID>
       tenantId: <ID>
+      # Optional, defaults to 'https://storage.azure.com/.default'
+      # scope: https://<SCOPE_URL>
 ```
 
 ---

articles/iot-operations/connect-to-cloud/howto-configure-adx-endpoint.md

@@ -194,7 +194,9 @@ dataExplorerSettings:
 
 #### User-assigned managed identity
 
-To use a user-assigned managed identity, specify the `UserAssignedManagedIdentity` authentication method and provide the `clientId` and `tenantId` of the managed identity.
+To use user-managed identity for authentication, you must first deploy Azure IoT Operations with secure settings enabled. To learn more, see [Enable secure settings in Azure IoT Operations Preview deployment](../deploy-iot-ops/howto-enable-secure-settings.md).
+
+Then, specify the user-assigned managed identity authentication method along with the client ID, tenant ID, and scope of the managed identity.
 
 # [Bicep](#tab/bicep)
 
@@ -205,6 +207,8 @@ dataExplorerSettings: {
     userAssignedManagedIdentitySettings: {
       clientId: '<ID>'
       tenantId: '<ID>'
+      // Optional, defaults to 'https://api.kusto.windows.net/.default'
+      // scope: 'https://<SCOPE_URL>'
     }
   }
 }
@@ -219,6 +223,8 @@ dataExplorerSettings:
     userAssignedManagedIdentitySettings:
       clientId: <ID>
       tenantId: <ID>
+      # Optional, defaults to 'https://api.kusto.windows.net/.default'
+      # scope: https://<SCOPE_URL>
 ```
 
 ---

articles/iot-operations/connect-to-cloud/howto-configure-fabric-endpoint.md

@@ -187,15 +187,21 @@ fabricOneLakeSettings:
 
 #### User-assigned managed identity
 
+To use user-managed identity for authentication, you must first deploy Azure IoT Operations with secure settings enabled. To learn more, see [Enable secure settings in Azure IoT Operations Preview deployment](../deploy-iot-ops/howto-enable-secure-settings.md).
+
+Then, specify the user-assigned managed identity authentication method along with the client ID, tenant ID, and scope of the managed identity.
+
 # [Bicep](#tab/bicep)
 
 ```bicep
 fabricOneLakeSettings: {
   authentication: {
     method: 'UserAssignedManagedIdentity'
     userAssignedManagedIdentitySettings: {
-      clientId: '<clientId>'
-      tenantId: '<tenantId>'
+      clientId: '<ID>'
+      tenantId: '<ID>'
+      // Optional, defaults to 'https://storage.azure.com/.default'
+      // scope: 'https://<SCOPE_URL>' 
     }
   }
 }
@@ -212,6 +218,8 @@ fabricOneLakeSettings:
     userAssignedManagedIdentitySettings:
       clientId: <ID>
       tenantId: <ID>
+      # Optional, defaults to 'https://storage.azure.com/.default'
+      # scope: https://<SCOPE_URL>
 ```
 
 ---

articles/iot-operations/connect-to-cloud/howto-configure-kafka-endpoint.md

@@ -484,6 +484,8 @@ In the operations experience dataflow endpoint settings page, select the **Basic
 
 Enter the user assigned managed identity client ID, tenant ID, and scope in the appropriate fields.
 
+Here, the scope is the audience of the managed identity. The default value is the same as the Event Hubs namespace host value in the form of `https://<NAMESPACE>.servicebus.windows.net`. However, if you need to override the default audience, you can set the scope field to the desired value.
+
 # [Bicep](#tab/bicep)
 
 ```bicep
@@ -493,7 +495,9 @@ kafkaSettings: {
     UserAssignedManagedIdentitySettings: {
       clientId: '<CLIENT_ID>'
       tenantId: '<TENANT_ID>'
-      scope: '<SCOPE>'
+      // Optional, defaults to https://<NAMESPACE>.servicebus.windows.net/.default
+      // Matching the Event Hub namespace you configured as host
+      // scope: 'https://<SCOPE_URL>'
     }
   }
   ...
@@ -509,7 +513,9 @@ kafkaSettings:
     userAssignedManagedIdentitySettings:
       clientId: <CLIENT_ID>
       tenantId: <TENANT_ID>
-      scope: <SCOPE>
+      # Optional, defaults to https://<NAMESPACE>.servicebus.windows.net/.default
+      # Matching the Event Hub namespace you configured as host
+      # scope: https://<SCOPE_URL>
 ```
 
 ---

articles/iot-operations/connect-to-cloud/howto-configure-mqtt-endpoint.md

@@ -522,6 +522,8 @@ In the operations experience dataflow endpoint settings page, select the **Basic
 
 Enter the user assigned managed identity client ID, tenant ID, and scope in the appropriate fields.
 
+Here, the scope is optional, and defaults to `https://eventgrid.azure.net/.default`, which is the same for all Event Grid namespaces. If you're using a different MQTT broker, you can specify the scope as needed.
+
 # [Bicep](#tab/bicep)
 
 ```bicep
@@ -531,7 +533,8 @@ mqttSettings: {
     userAssignedManagedIdentitySettings: {
       cliendId: '<ID>'
       tenantId: '<ID>'
-      scope: '<SCOPE>'
+      // Optional, defaults to 'https://eventgrid.azure.net/.default'
+      // scope: 'https://<SCOPE_URL>' 
     }
   }
 }
@@ -546,7 +549,8 @@ mqttSettings:
     userAssignedManagedIdentitySettings:
       clientId: <ID>
       tenantId: <ID>
-      scope: <SCOPE>
+      # Optional, defaults to 'https://eventgrid.azure.net/.default'
+      # scope: https://<SCOPE_URL>
 ```
 
 ---

articles/iot-operations/connect-to-cloud/howto-create-dataflow.md

@@ -346,6 +346,39 @@ Here, the wildcard `+` is used to select all devices under the `thermostats` and
 
 ---
 
+##### Shared subscriptions
+
+To use shared subscriptions with MQTT sources, you can specify the shared subscription topic in the form of `$shared/<GROUP_NAME>/<TOPIC_FILTER>`.
+
+# [Portal](#tab/portal)
+
+In operations experience dataflow **Source details**, select **MQTT** and use the **MQTT topic** field to specify the shared subscription group and topic.
+
+# [Bicep](#tab/bicep)
+
+```bicep
+sourceSettings: {
+  dataSources: [
+    '$shared/<GROUP_NAME>/<TOPIC_FILTER>'
+  ]
+}
+```
+
+# [Kubernetes](#tab/kubernetes)
+
+```yaml
+sourceSettings:
+  dataSources:
+    - $shared/<GROUP_NAME>/<TOPIC_FILTER>
+```
+
+---
+
+> [!NOTE]
+> If the instance count in the [dataflow profile](howto-configure-dataflow-profile.md) is greater than 1, shared subscription is must be enabled for all MQTT topic filters by adding topic prefix `$shared/<GROUP_NAME>` to each topic filter.
+
+<!-- TODO: Details -->
+
 #### Kafka topics
 
 When the source is a Kafka (Event Hubs included) endpoint, specify the individual kafka topics to subscribe to for incoming messages. Wildcards are not supported, so you must specify each topic statically.
@@ -420,42 +453,6 @@ sourceSettings:
 
 ---
 
-
-#### Shared subscriptions
-
-<!-- TODO: may not be final -->
-
-To use shared subscriptions with MQTT sources, you can specify the shared subscription topic in the form of `$shared/<GROUP_NAME>/<TOPIC_FILTER>`.
-
-# [Portal](#tab/portal)
-
-In operations experience dataflow **Source details**, select **MQTT** and use the **MQTT topic** field to specify the shared subscription group and topic.
-
-# [Bicep](#tab/bicep)
-
-```bicep
-sourceSettings: {
-  dataSources: [
-    '$shared/<GROUP_NAME>/<TOPIC_FILTER>'
-  ]
-}
-```
-
-# [Kubernetes](#tab/kubernetes)
-
-```yaml
-sourceSettings:
-  dataSources:
-    - $shared/<GROUP_NAME>/<TOPIC_FILTER>
-```
-
----
-
-> [!NOTE]
-> If the instance count in the [dataflow profile](howto-configure-dataflow-profile.md) is greater than 1, then the shared subscription topic prefix is automatically added to the topic filter.
-
-<!-- TODO: Details -->
-
 ## Transformation
 
 The transformation operation is where you can transform the data from the source before you send it to the destination. Transformations are optional. If you don't need to make changes to the data, don't include the transformation operation in the dataflow configuration. Multiple transformations are chained together in stages regardless of the order in which they're specified in the configuration. The order of the stages is always: