Merge pull request #291395 from spelluru/sfi-guids-12-04

SFI: Removed hardcoded GUIDs and added steps

Author: JamesJBarnett

articles/event-grid/media/event-grid-app-id/select-microsoft-event-grid.png

@@ -19,14 +19,25 @@ Here are the high level steps from the script:
 1. Add service principal of event subscription writer Microsoft Entra app to the AzureEventGridSecureWebhookSubscriber role 
 1. Add service principal of Microsoft.EventGrid to the AzureEventGridSecureWebhookSubscriber role as well
 
+## Get Microsoft.EventGrid application ID
+
+1. Navigate to [Azure portal](https://portal.azure.com).
+1. In the search bar, type `Microsoft.EventGrid`, and then select **Microsoft.EventGrid (Service Principal)** in the drop-down list. 
+    
+    :::image type="content" source="../media/event-grid-app-id/select-microsoft-event-grid.png" alt-text="Screenshot that shows the selection of Microsoft Event Grid from the drop-down list.":::
+1. On the **Microsoft.EventGrid** page, note down or copy the **Application ID** to the clipboard.
+1. In the following script, set the `$eventGridAppId` variable to this value before running it.  
+
 ## Sample script - stable
 
 ```azurepowershell
 # NOTE: Before run this script ensure you are logged in Azure by using "az login" command.
 
+$eventGridAppId = "[REPLACE_WITH_EVENT_GRID_APP_ID]"
 $webhookAppObjectId = "[REPLACE_WITH_YOUR_ID]"
 $eventSubscriptionWriterAppId = "[REPLACE_WITH_YOUR_ID]"
 
+
 # Start execution
 try {
 
@@ -51,8 +62,6 @@ try {
     # You don't need to modify this id
     # But Azure Event Grid Entra Application Id is different for different clouds
 
-    $eventGridAppId = "4962773b-9cdb-44cf-a8bf-237846a00ab7" # Azure Public Cloud
-    # $eventGridAppId = "54316b56-3481-47f9-8f30-0300f5542a7b" # Azure Government Cloud
     $eventGridSP = Get-MgServicePrincipal -Filter ("appId eq '" + $eventGridAppId + "'")
     if ($eventGridSP.DisplayName -match "Microsoft.EventGrid")
     {

articles/event-grid/scripts/powershell-webhook-secure-delivery-microsoft-entra-app.md

@@ -18,11 +18,22 @@ Here are the high level steps from the script:
 1. Add service principal of user who is creating the subscription to the AzureEventGridSecureWebhookSubscriber role.
 1. Add service principal of Microsoft.EventGrid to the AzureEventGridSecureWebhookSubscriber.
 
+## Get Microsoft.EventGrid application ID
+
+1. Navigate to [Azure portal](https://portal.azure.com).
+1. In the search bar, type `Microsoft.EventGrid`, and then select **Microsoft.EventGrid (Service Principal)** in the drop-down list. 
+    
+    :::image type="content" source="../media/event-grid-app-id/select-microsoft-event-grid.png" alt-text="Screenshot that shows the selection of Microsoft Event Grid from the drop-down list.":::
+1. On the **Microsoft.EventGrid** page, note down or copy the **Application ID** to the clipboard.
+1. In the following script, set the `$eventGridAppId` variable to this value before running it. 
+
+ 
 ## Sample script
 
 ```azurepowershell
 # NOTE: Before run this script ensure you are logged in Azure by using "az login" command.
 
+$eventGridAppId = "[REPLACE_WITH_EVENT_GRID_APP_ID]"
 $webhookAppObjectId = "[REPLACE_WITH_YOUR_ID]"
 $eventSubscriptionWriterUserPrincipalName = "[REPLACE_WITH_USER_PRINCIPAL_NAME_OF_THE_USER_WHO_WILL_CREATE_THE_SUBSCRIPTION]"
 
@@ -50,8 +61,6 @@ try {
     # You don't need to modify this id
     # But Azure Event Grid Microsoft Entra Application Id is different for different clouds
    
-    $eventGridAppId = "4962773b-9cdb-44cf-a8bf-237846a00ab7" # Azure Public Cloud
-    # $eventGridAppId = "54316b56-3481-47f9-8f30-0300f5542a7b" # Azure Government Cloud
     $eventGridSP = Get-MgServicePrincipal -Filter ("appId eq '" + $eventGridAppId + "'")
     if ($eventGridSP.DisplayName -match "Microsoft.EventGrid")
     {

articles/event-grid/scripts/powershell-webhook-secure-delivery-microsoft-entra-user.md

@@ -41,7 +41,7 @@ Use [Hybrid Identity Administrator](/entra/identity/role-based-access-control/pe
 Sign in fails with error code 50034. Error message is similar to:
 
 ```
-{"error":"invalid_grant","error_description":"AADSTS50034: The user account Microsoft.AzureAD.Telemetry.Diagnostics.PII doesn't exist in the 0c349e3f-1ac3-4610-8599-9db831cbaf62 directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: 2222cccc-33dd-eeee-ff44-aaaaaa555555\r\nCorrelation ID: cccc2222-dd33-4444-55ee-666666ffffff\r\nTimestamp: 2019-04-29 15:52:16Z", "error_codes":[50034],"timestamp":"2019-04-29 15:52:16Z","trace_id":"2222cccc-33dd-eeee-ff44-aaaaaa555555", "correlation_id":"cccc2222-dd33-4444-55ee-666666ffffff"}
+{"error":"invalid_grant","error_description":"AADSTS50034: The user account Microsoft.AzureAD.Telemetry.Diagnostics.PII doesn't exist in the aaaabbbb-0000-cccc-1111-dddd2222eeee directory. To sign into this application, the account must be added to the directory.\r\nTrace ID: 2222cccc-33dd-eeee-ff44-aaaaaa555555\r\nCorrelation ID: cccc2222-dd33-4444-55ee-666666ffffff\r\nTimestamp: 2019-04-29 15:52:16Z", "error_codes":[50034],"timestamp":"2019-04-29 15:52:16Z","trace_id":"2222cccc-33dd-eeee-ff44-aaaaaa555555", "correlation_id":"cccc2222-dd33-4444-55ee-666666ffffff"}
 ```
 
 ### Cause

articles/hdinsight/domain-joined/domain-joined-authentication-issues.md

@@ -75,7 +75,7 @@ The certificate provided for Service principal access might have expired.
 1. If the service principal certificate has expired, the output will look something like this:
 
     ```
-    Exception in OAuthTokenController.GetOAuthToken: 'System.InvalidOperationException: Error while getting the OAuth token from AAD for AppPrincipalId 23abe517-2ffd-4124-aa2d-7c224672cae2, ResourceUri https://management.core.windows.net/, AADTenantId https://login.windows.net/80abc8bf-86f1-41af-91ab-2d7cd011db47, ClientCertificateThumbprint C49C25705D60569884EDC91986CEF8A01A495783 ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature. **[Reason - The key used is expired.**, Thumbprint of key used by client: 'C49C25705D60569884EDC91986CEF8A01A495783', Found key 'Start=08/03/2016, End=08/03/2017, Thumbprint=C39C25705D60569884EDC91986CEF8A01A4956D1', Configured keys: [Key0:Start=08/03/2016, End=08/03/2017, Thumbprint=C39C25705D60569884EDC91986CEF8A01A4956D1;]]
+    Exception in OAuthTokenController.GetOAuthToken: 'System.InvalidOperationException: Error while getting the OAuth token from AAD for AppPrincipalId aaaaaaaa-bbbb-cccc-1111-222222222222, ResourceUri https://management.core.windows.net/, AADTenantId https://login.windows.net/80abc8bf-86f1-41af-91ab-2d7cd011db47, ClientCertificateThumbprint C49C25705D60569884EDC91986CEF8A01A495783 ---> Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature. **[Reason - The key used is expired.**, Thumbprint of key used by client: 'C49C25705D60569884EDC91986CEF8A01A495783', Found key 'Start=08/03/2016, End=08/03/2017, Thumbprint=C39C25705D60569884EDC91986CEF8A01A4956D1', Configured keys: [Key0:Start=08/03/2016, End=08/03/2017, Thumbprint=C39C25705D60569884EDC91986CEF8A01A4956D1;]]
     Trace ID: 0000aaaa-11bb-cccc-dd22-eeeeee333333
     Correlation ID: aaaa0000-bb11-2222-33cc-444444dddddd
     Timestamp: 2017-10-06 20:44:56Z ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.