Add CLI tab

Pat Altimore · Pat Altimore · commit f8ea37a19a8d · 2025-06-17T16:46:47.000-07:00
diff --git a/articles/iot-operations/connect-to-cloud/howto-configure-fabric-real-time-intelligence.md b/articles/iot-operations/connect-to-cloud/howto-configure-fabric-real-time-intelligence.md
@@ -6,7 +6,7 @@ ms.author: patricka
 ms.service: azure-iot-operations
 ms.subservice: azure-data-flows
 ms.topic: how-to
-ms.date: 06/12/2025
+ms.date: 06/17/2025
 ai-usage: ai-assisted
 
 #CustomerIntent: As an operator, I want to understand how to configure data flow endpoints for  Microsoft Fabric Real-Time Intelligence in Azure IoT Operations so that I can send real-time data to Microsoft Fabric.
@@ -48,16 +48,12 @@ Retrieve the [Kafka-compatible connection details for the custom endpoint](/fabr
 
 ## Create a Microsoft Fabric Real-Time Intelligence data flow endpoint
 
-To configure a data flow endpoint for Microsoft Fabric Real-Time Intelligence, you need to use Simple Authentication and Security Layer (SASL) based authentication.
-
-Azure Key Vault is the recommended way to sync the connection string to the Kubernetes cluster so that it can be referenced in the data flow. [Secure settings](../deploy-iot-ops/howto-enable-secure-settings.md) must be enabled to configure this endpoint using the operations experience web UI.
+Microsoft Fabric Real-Time Intelligence, supports Simple Authentication and Security Layer (SASL), System-assigned managed identity, and User-assigned managed identity authentication methods. The following sections describe how to configure a data flow endpoint for Microsoft Fabric Real-Time Intelligence using these authentication methods. For details on the available authentication methods, see [Available authentication methods](#available-authentication-methods).
 
 # [Operations experience](#tab/portal)
 
 1. In the IoT Operations experience portal, select the **Data flow endpoints** tab.
 1. Under **Create new data flow endpoint**, select **Microsoft Fabric Real-Time Intelligence** > **New**.
-
-
 1. Enter the following settings for the endpoint.
 
     :::image type="content" source="media/howto-configure-fabric-real-time-intelligence/event-stream-sasl.png" alt-text="Screenshot using operations experience to create a new Fabric Real-Time Intelligence data flow endpoint.":::
@@ -66,7 +62,7 @@ Azure Key Vault is the recommended way to sync the connection string to the Kube
     | --------------------- | ----------------------------------------------------------------- |
     | Name                  | The name of the data flow endpoint. |
     | Host                  | The hostname of the event stream custom endpoint in the format `*.servicebus.windows.net:9093`. Use the bootstrap server address noted previously. |
-    | Authentication method | *SASL* is currently the only supported authentication method. |
+    | Authentication method | *SASL* is currently the only supported authentication method in operations experience. Use Azure CLI, Bicep, or Kubernetes manifests to configure other authentication methods. |
     | SASL type             | Choose *Plain* |
     | Synced secret name    | Enter a name for the synced secret. A Kubernetes secret with this name is created on the cluster. |
 
@@ -89,7 +85,7 @@ Azure Key Vault is the recommended way to sync the connection string to the Kube
 Use the [az iot ops dataflow endpoint create fabric-realtime](/cli/azure/iot/ops/dataflow/endpoint/apply#az-iot-ops-dataflow-endpoint-create-fabric-realtime) command to create or replace a Microsoft Fabric Real-Time Intelligence data flow endpoint.
 
 ```azurecli
-az iot ops dataflow endpoint create fabric-realtime --resource-group <ResourceGroupName> --instance <AioInstanceName> --name <EndpointName> --workspace <WorkspaceName> --host <BootstrapServerAddress>
+az iot ops dataflow endpoint create fabric-realtime --resource-group <ResourceGroupName> --instance <AioInstanceName> --name <EndpointName> --host "<BootstrapServerAddress>"
 ```
 
 Here's an example command to create or replace a Microsoft Fabric Real-Time Intelligence data flow endpoint named `fabric-realtime-endpoint`:
@@ -185,6 +181,254 @@ kubectl apply -f <FILE>.yaml
 
 ---
 
+## Available authentication methods
+
+The following authentication methods are available for Fabric Real-Time Intelligence data flow endpoints.
+
+### System-assigned managed identity
+
+Before you configure the data flow endpoint, assign a role to the Azure IoT Operations managed identity that grants permission to connect to the Kafka broker:
+
+1. In Azure portal, go to your Azure IoT Operations instance and select **Overview**.
+1. Copy the name of the extension listed after **Azure IoT Operations Arc extension**. For example, *azure-iot-operations-xxxx7*.
+1. Go to the cloud resource you need to grant permissions. For example, go to the Event Hubs namespace > **Access control (IAM)** > **Add role assignment**.
+1. On the **Role** tab, select an appropriate role.
+1. On the **Members** tab, for **Assign access to**, select **User, group, or service principal** option, then select **+ Select members** and search for the Azure IoT Operations managed identity. For example, *azure-iot-operations-xxxx7*.
+
+Then, configure the data flow endpoint with system-assigned managed identity settings.
+
+# [Operations experience](#tab/portal)
+
+> [!NOTE] Supported?
+
+In the operations experience data flow endpoint settings page, select the **Basic** tab then choose **Authentication method** > **System assigned managed identity**.
+
+# [Azure CLI](#tab/cli)
+
+#### Create or replace
+
+Use the [az iot ops dataflow endpoint create](/cli/azure/iot/ops/dataflow/endpoint/apply#az-iot-ops-dataflow-endpoint-create) command with the `--auth-type` parameter set to `SystemAssignedManagedIdentity` for system-assigned managed identity authentication.
+
+```azurecli
+az iot ops dataflow endpoint create <Command> --auth-type SystemAssignedManagedIdentity --audience <Audience> --resource-group <ResourceGroupName> --instance <AioInstanceName> --name <EndpointName>
+```
+
+#### Create or change
+
+Use the [az iot ops dataflow endpoint apply](/cli/azure/iot/ops/dataflow/endpoint/apply#az-iot-ops-dataflow-endpoint-apply) command with the `--config-file` parameter.
+
+In this example, assume a configuration file with the following content:
+
+```json
+{
+    "endpointType": "Kafka",
+    "kafkaSettings": {
+        "host": "fabricrealtime.servicebus.windows.net:9093",
+        "authentication": {
+            "method": "SystemAssignedManagedIdentity",
+            "systemAssignedManagedIdentitySettings": {}
+        },
+        "tls": {
+            "mode": "Enabled"
+        }
+    }
+}
+```
+
+# [Bicep](#tab/bicep)
+
+```bicep
+kafkaSettings: {
+  authentication: {
+    method: 'SystemAssignedManagedIdentity'
+    systemAssignedManagedIdentitySettings: {}
+  }
+}
+```
+
+# [Kubernetes (preview)](#tab/kubernetes)
+
+```yaml
+kafkaSettings:
+  authentication:
+    method: SystemAssignedManagedIdentity
+    systemAssignedManagedIdentitySettings:
+      {}
+```
+
+---
+
+### User-assigned managed identity
+
+To use user-assigned managed identity for authentication, you must first deploy Azure IoT Operations with secure settings enabled. Then you need to [set up a user-assigned managed identity for cloud connections](../deploy-iot-ops/howto-enable-secure-settings.md#set-up-a-user-assigned-managed-identity-for-cloud-connections). To learn more, see [Enable secure settings in Azure IoT Operations deployment](../deploy-iot-ops/howto-enable-secure-settings.md).
+
+Before you configure the data flow endpoint, assign a role to the user-assigned managed identity that grants permission to connect to the Kafka broker:
+
+1. In Azure portal, go to the cloud resource you need to grant permissions. For example, go to the Event Grid namespace > **Access control (IAM)** > **Add role assignment**.
+1. On the **Role** tab, select an appropriate role.
+1. On the **Members** tab, for **Assign access to**, select **Managed identity** option, then select **+ Select members** and search for your user-assigned managed identity.
+
+Then, configure the data flow endpoint with user-assigned managed identity settings.
+
+# [Operations experience](#tab/portal)
+
+In the operations experience data flow endpoint settings page, select the **Basic** tab then choose **Authentication method** > **User assigned managed identity**.
+
+# [Azure CLI](#tab/cli)
+
+#### Create or replace
+
+Use the [az iot ops dataflow endpoint create](/cli/azure/iot/ops/dataflow/endpoint/apply#az-iot-ops-dataflow-endpoint-create) command with the `--auth-type` parameter set to `UserAssignedManagedIdentity` for with user-assigned managed identity authentication.
+
+```azurecli
+az iot ops dataflow endpoint create <Command> --auth-type UserAssignedManagedIdentity --client-id <ClientId> --tenant-id <TenantId> --resource-group <ResourceGroupName> --instance <AioInstanceName> --name <EndpointName>
+```
+
+#### Create or change
+
+Use the [az iot ops dataflow endpoint apply](/cli/azure/iot/ops/dataflow/endpoint/apply#az-iot-ops-dataflow-endpoint-apply) with the `--config-file` parameter
+
+In this example, assume a configuration file with the following content:
+
+```json
+{
+    "endpointType": "Kafka",
+    "kafkaSettings": {
+        "authentication": {
+          "method": "UserAssignedManagedIdentity",
+          "userAssignedManagedIdentitySettings": {
+            "clientId": "<ID>",
+            "tenantId": "<ID>",
+            // Optional
+            "scope": "https://<Scope_Url>"
+          }
+        }
+    }
+}
+```
+
+# [Bicep](#tab/bicep)
+
+```bicep
+kafkaSettings: {
+  authentication: {
+    method: 'UserAssignedManagedIdentity'
+    UserAssignedManagedIdentitySettings: {
+      clientId: '<CLIENT_ID>'
+      tenantId: '<TENANT_ID>'
+      // Optional
+      // scope: 'https://<SCOPE_URL>'
+    }
+  }
+  ...
+}
+```
+
+# [Kubernetes (preview)](#tab/kubernetes)
+
+```yaml
+kafkaSettings:
+  authentication:
+    method: UserAssignedManagedIdentity
+    userAssignedManagedIdentitySettings:
+      clientId: <CLIENT_ID>
+      tenantId: <TENANT_ID>
+      # Optional
+      # scope: https://<SCOPE_URL>
+```
+
+---
+
+### SASL
+
+To use SASL for authentication, specify the SASL authentication method and configure SASL type and a secret reference with the name of the secret that contains the SASL token.
+
+Azure Key Vault is the recommended way to sync the connection string to the Kubernetes cluster so that it can be referenced in the data flow. [Secure settings](../deploy-iot-ops/howto-enable-secure-settings.md) must be enabled to configure this endpoint using the operations experience web UI.
+
+# [Operations experience](#tab/portal)
+
+In the operations experience data flow endpoint settings page, select the **Basic** tab then choose **Authentication method** > **SASL**.
+
+Enter the following settings for the endpoint:
+
+| Setting                        | Description                                                                                       |
+| ------------------------------ | ------------------------------------------------------------------------------------------------- |
+| SASL type                      | The type of SASL authentication to use. Supported types are `Plain`, `ScramSha256`, and `ScramSha512`. |
+| Synced secret name             | The name of the Kubernetes secret that contains the SASL token.                                   |
+| Username reference or token secret | The reference to the username or token secret used for SASL authentication.                     |
+| Password reference of token secret | The reference to the password or token secret used for SASL authentication.                     |
+
+# [Azure CLI](#tab/cli)
+
+#### Create or replace
+
+Use the [az iot ops dataflow endpoint create](/cli/azure/iot/ops/dataflow/endpoint/apply#az-iot-ops-dataflow-endpoint-create) command with the `--auth-type` parameter set to `Sasl` for SASL authentication.
+
+```azurecli
+az iot ops dataflow endpoint create <Command> --auth-type Sasl --sasl-type <SaslType> --secret-name <SecretName> --resource-group <ResourceGroupName> --instance <AioInstanceName> --name <EndpointName>
+```
+
+#### Create or change
+
+Use the [az iot ops dataflow endpoint apply](/cli/azure/iot/ops/dataflow/endpoint/apply#az-iot-ops-dataflow-endpoint-apply) with the `--config-file` parameter
+
+In this example, assume a configuration file with the following content:
+
+```json
+{
+    "endpointType": "Kafka",
+    "kafkaSettings": {
+        "authentication": {
+          "method": "Sasl",
+          "saslSettings": {
+            "saslType": "<SaslType>",
+            "secretRef": "<SecretName>"
+          }
+        }
+    }
+}
+```
+
+# [Bicep](#tab/bicep)
+
+```bicep
+kafkaSettings: {
+  authentication: {
+    method: 'Sasl' // Or ScramSha256, ScramSha512
+    saslSettings: {
+      saslType: 'Plain' // Or ScramSha256, ScramSha512
+      secretRef: '<SECRET_NAME>'
+    }
+  }
+}
+```
+
+# [Kubernetes (preview)](#tab/kubernetes)
+
+```bash
+kubectl create secret generic sasl-secret -n azure-iot-operations \
+  --from-literal=token='<YOUR_SASL_TOKEN>'
+```
+
+```yaml
+kafkaSettings:
+  authentication:
+    method: Sasl
+    saslSettings:
+      saslType: Plain # Or ScramSha256, ScramSha512
+      secretRef: <SECRET_NAME>
+```
+
+---
+
+The supported SASL types are:
+
+- `Plain`
+- `ScramSha256`
+- `ScramSha512`
+
+The secret must be in the same namespace as the Kafka data flow endpoint. The secret must have the SASL token as a key-value pair.
+
 ## Advanced settings
 
 The advanced settings for this endpoint are identical to the [advanced settings for Azure Event Hubs endpoints](howto-configure-kafka-endpoint.md#advanced-settings).
diff --git a/articles/iot-operations/connect-to-cloud/howto-configure-kafka-endpoint.md b/articles/iot-operations/connect-to-cloud/howto-configure-kafka-endpoint.md
@@ -543,18 +543,6 @@ This configuration creates a managed identity with the default audience, which i
 
 Not supported in the operations experience.
 
-# [Bicep](#tab/bicep)
-
-```bicep
-kafkaSettings: {
-  authentication: {
-    method: 'SystemAssignedManagedIdentity'
-    systemAssignedManagedIdentitySettings: {
-        audience: '<YOUR_AUDIENCE_OVERRIDE_VALUE>'
-    }
-  }
-}
-```
 
 [Azure CLI](#tab/cli)
 
@@ -572,6 +560,19 @@ kafkaSettings: {
 }
 ```
 
+# [Bicep](#tab/bicep)
+
+```bicep
+kafkaSettings: {
+  authentication: {
+    method: 'SystemAssignedManagedIdentity'
+    systemAssignedManagedIdentitySettings: {
+        audience: '<YOUR_AUDIENCE_OVERRIDE_VALUE>'
+    }
+  }
+}
+```
+
 # [Kubernetes (preview)](#tab/kubernetes)
 
 ```yaml
@@ -686,19 +687,9 @@ Enter the following settings for the endpoint:
 | Username reference or token secret | The reference to the username or token secret used for SASL authentication.                     |
 | Password reference of token secret | The reference to the password or token secret used for SASL authentication.                     |
 
-# [Bicep](#tab/bicep)
+# [Azure CLI](#tab/cli)
 
-```bicep
-kafkaSettings: {
-  authentication: {
-    method: 'Sasl' // Or ScramSha256, ScramSha512
-    saslSettings: {
-      saslType: 'Plain' // Or ScramSha256, ScramSha512
-      secretRef: '<SECRET_NAME>'
-    }
-  }
-}
-```
+#### Create or replace
 
 Use the [az iot ops dataflow endpoint create](/cli/azure/iot/ops/dataflow/endpoint/apply#az-iot-ops-dataflow-endpoint-create) command with the `--auth-type` parameter set to `Sasl` for SASL authentication.
 
@@ -752,7 +743,6 @@ The supported SASL types are:
 - `ScramSha512`
 
 The secret must be in the same namespace as the Kafka data flow endpoint. The secret must have the SASL token as a key-value pair.
-<!-- TODO: double check! Provide an example? -->
 
 ### Anonymous
 
