Merge pull request #50094 from lootle1/MR93

Technical Review 1044093: Authenticate your Azure deployment pipeline…

Author: v-dirichards

learn-pr/azure/authenticate-azure-deployment-pipeline-service-principals/1-introduction.yml

@@ -1,14 +1,14 @@
-### YamlMime:ModuleUnit
-uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.introduction
-title: Introduction
-metadata:
-  unitType: introduction
-  title: Introduction
-  description: Learn how to create, manage, and grant permissions to service principals, which enable your deployment pipelines to securely authenticate to Azure. 
-  ms.date: 01/16/2024
-  author: mumian
-  ms.author: jgao
-  ms.topic: unit
-durationInMinutes: 2
-content: |
-  [!include[](includes/1-introduction.md)]
+### YamlMime:ModuleUnit
+uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.introduction
+title: Introduction
+metadata:
+  unitType: introduction
+  title: Introduction
+  description: Learn how to create, manage, and grant permissions to service principals, which enable your deployment pipelines to securely authenticate to Azure. 
+  ms.date: 04/22/2025
+  author: mumian
+  ms.author: jgao
+  ms.topic: unit
+durationInMinutes: 2
+content: |
+  [!include[](includes/1-introduction.md)]

learn-pr/azure/authenticate-azure-deployment-pipeline-service-principals/2-understand-service-principals.yml

@@ -1,14 +1,14 @@
-### YamlMime:ModuleUnit
-uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.understand-service-principals
-title: Understand service principals
-metadata:
-  unitType: learning-content
-  title: Understand service principals
-  description: Learn what service principals are, how they're different from user accounts, and how they work.
-  ms.date: 01/16/2024
-  author: mumian
-  ms.author: jgao
-  ms.topic: unit
-durationInMinutes: 8
-content: |
-  [!include[](includes/2-understand-service-principals.md)]
+### YamlMime:ModuleUnit
+uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.understand-service-principals
+title: Understand service principals
+metadata:
+  unitType: learning-content
+  title: Understand Service Principals
+  description: Learn what service principals are, how they're different from user accounts, and how they work.
+  ms.date: 04/22/2025
+  author: mumian
+  ms.author: jgao
+  ms.topic: unit
+durationInMinutes: 8
+content: |
+  [!include[](includes/2-understand-service-principals.md)]

learn-pr/azure/authenticate-azure-deployment-pipeline-service-principals/3-create-service-principal-key.yml

@@ -1,15 +1,15 @@
-### YamlMime:ModuleUnit
-uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.create-service-principal-key
-title: Create a service principal and key
-metadata:
-  unitType: learning-content
-  title: Create a service principal and key
-  description: Learn how to create service principals, and how to manage keys and other credentials for service principals.
-  ms.date: 01/16/2024
-  author: mumian
-  ms.author: jgao
-  ms.topic: unit
-  zone_pivot_groups: azure-shell-interface
-durationInMinutes: 6
-content: |
-  [!include[](includes/3-create-service-principal-key.md)]
+### YamlMime:ModuleUnit
+uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.create-service-principal-key
+title: Create a service principal and key
+metadata:
+  unitType: learning-content
+  title: Create a Service Principal and Key
+  description: Learn how to create service principals, and how to manage keys and other credentials for service principals.
+  ms.date: 04/22/2025
+  author: mumian
+  ms.author: jgao
+  ms.topic: unit
+  zone_pivot_groups: azure-shell-interface
+durationInMinutes: 6
+content: |
+  [!include[](includes/3-create-service-principal-key.md)]

learn-pr/azure/authenticate-azure-deployment-pipeline-service-principals/4-exercise-create-service-principal-key.yml

@@ -1,18 +1,18 @@
-### YamlMime:ModuleUnit
-uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.exercise-create-service-principal-key
-title: Exercise - Create a service principal and key
-metadata:
-  unitType: exercise
-  title: Exercise - Create a service principal and key
-  description: Learn how to create service principals, and how to manage keys and other credentials for service principals.
-  ms.date: 01/16/2024
-  author: mumian
-  ms.author: jgao
-  ms.topic: unit
-  ms.custom:
-    - devx-track-azurepowershell
-  zone_pivot_groups: azure-shell-interface
-durationInMinutes: 3
-content: |
-  [!include[](includes/4-exercise-create-service-principal-key.md)]
-
+### YamlMime:ModuleUnit
+uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.exercise-create-service-principal-key
+title: Exercise - Create a service principal and key
+metadata:
+  unitType: exercise
+  title: Exercise - Create a Service Principal and Key
+  description: Learn how to create service principals, and how to manage keys and other credentials for service principals.
+  ms.date: 04/22/2025
+  author: mumian
+  ms.author: jgao
+  ms.topic: unit
+  ms.custom:
+    - devx-track-azurepowershell
+  zone_pivot_groups: azure-shell-interface
+durationInMinutes: 3
+content: |
+  [!include[](includes/4-exercise-create-service-principal-key.md)]
+

learn-pr/azure/authenticate-azure-deployment-pipeline-service-principals/5-grant-service-principal-access-azure.yml

@@ -1,18 +1,18 @@
-### YamlMime:ModuleUnit
-uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.grant-service-principal-access-azure
-title: Grant a service principal access to Azure
-metadata:
-  unitType: learning-content
-  title: Grant a service principal access to Azure
-  description: Learn how to create an Azure role assignment for a service principal.
-  ms.date: 01/16/2024
-  author: mumian
-  ms.author: jgao
-  ms.topic: unit
-  ms.custom:
-    - devx-track-bicep
-  zone_pivot_groups: azure-shell-interface
-durationInMinutes: 6
-content: |
-  [!include[](includes/5-grant-service-principal-access-azure.md)]
-
+### YamlMime:ModuleUnit
+uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.grant-service-principal-access-azure
+title: Grant a service principal access to Azure
+metadata:
+  unitType: learning-content
+  title: Grant a Service Principal Access to Azure
+  description: Learn how to create an Azure role assignment for a service principal.
+  ms.date: 04/22/2025
+  author: mumian
+  ms.author: jgao
+  ms.topic: unit
+  ms.custom:
+    - devx-track-bicep
+  zone_pivot_groups: azure-shell-interface
+durationInMinutes: 6
+content: |
+  [!include[](includes/5-grant-service-principal-access-azure.md)]
+

learn-pr/azure/authenticate-azure-deployment-pipeline-service-principals/6-exercise-authorize-service-principal-deployments.yml

@@ -1,18 +1,18 @@
-### YamlMime:ModuleUnit
-uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.exercise-authorize-service-principal-deployments
-title: Exercise - Authorize your service principal for deployments
-metadata:
-  unitType: exercise
-  title: Exercise - Authorize your service principal for deployments
-  description: Learn how to create an Azure role assignment for a service principal.
-  ms.date: 01/16/2024
-  author: mumian
-  ms.author: jgao
-  ms.topic: unit
-  ms.custom:
-    - devx-track-bicep
-  zone_pivot_groups: azure-shell-interface
-durationInMinutes: 5
-content: |
-  [!include[](includes/6-exercise-authorize-service-principal-deployments.md)]
-
+### YamlMime:ModuleUnit
+uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.exercise-authorize-service-principal-deployments
+title: Exercise - Authorize your service principal for deployments
+metadata:
+  unitType: exercise
+  title: Exercise - Authorize your Service Principal for Deployments
+  description: Learn how to create an Azure role assignment for a service principal.
+  ms.date: 04/22/2025
+  author: mumian
+  ms.author: jgao
+  ms.topic: unit
+  ms.custom:
+    - devx-track-bicep
+  zone_pivot_groups: azure-shell-interface
+durationInMinutes: 5
+content: |
+  [!include[](includes/6-exercise-authorize-service-principal-deployments.md)]
+

learn-pr/azure/authenticate-azure-deployment-pipeline-service-principals/7-knowledge-check.yml

@@ -1,66 +1,66 @@
-### YamlMime:ModuleUnit
-uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.knowledge-check
-title: Module assessment
-metadata:
-  unitType: knowledge_check
-  title: Module assessment
-  description: Knowledge check
-  ms.date: 01/16/2024
-  author: mumian
-  ms.author: jgao
-  ms.topic: unit
-durationInMinutes: 3
-content: |
-quiz:
-  questions:
-  - content: You're building a custom deployment agent that runs on an Azure virtual machine that you control. Which of these authentication techniques should the agent use to authenticate and work with Azure resources?
-    choices:
-    - content: User account
-      isCorrect: false
-      explanation: Deployment agents run in an unattended mode, so you should never use a user account.
-    - content: Service principal
-      isCorrect: false
-      explanation: A service principal can be used for this purpose, but using a service principal requires that you manage credentials. Because you're running a custom deployment agent on a virtual machine, you should use a managed identity so that you don't have to maintain credentials.
-    - content: Managed identity
-      isCorrect: true
-      explanation: Managed identities are designed for unattended access, and they don't require you work with credentials. Because you're running a custom deployment agent on a virtual machine, you should use a managed identity so that you don't have to maintain credentials.
-  - content: You need to create a service principal for a pipeline that deploys your infrastructure to three environments - development, test, and production. Each environment is in a dedicated resource group in three different subscriptions. What should you do?
-    choices:
-    - content: Create a single service principal and grant it access to the tenant root management group.
-      isCorrect: false
-      explanation: Although this will work, it's not a good practice to use a single service principal for all of your environments. Additionally, granting access to your tenant root management group will allow the service principal to modify resources anywhere in your Azure environment, which is unnecessarily permissive.
-    - content: Create a single service principal and grant it access to each of the resource groups in the three subscriptions.
-      isCorrect: false
-      explanation: Although this will work, it's not good practice to use a single service principal for all of your environments. At the very least, you should separate production and non-production environments by using two service principals, but a dedicated service principal for each environment is preferred.
-    - content: Create three service principals, one per environment, and grant each access to a single resource group in the relevant subscription.
-      isCorrect: true
-      explanation: When you work with multiple environments, it's best to use dedicated service principals for each environment so that your pipeline can't accidentally change anything in another environment.
-  - content: You create a service principal with a key, and you set the key to expire 30 days in the future. What happens after that time?
-    choices:
-    - content: Nothing - the key will automatically renew.
-      isCorrect: false
-      explanation: Service principal keys don't automatically renew.
-    - content: Your client can no longer authenticate.
-      isCorrect: true
-      explanation: After a service principal's key has expired, the key can't be used to authenticate. You'll need to issue a new key.
-    - content: Your client can authenticate, but it receives a warning that the key has expired.
-      isCorrect: false
-      explanation: After a service principal's key has expired, the key can't be used to authenticate. You'll need to issue a new key.
-  - content: You're creating a service principal to run a pipeline. The pipeline deploys a Bicep template that creates a single storage account. Which of the following options has the least privileged access that you need for your pipeline?
-    choices:
-    - content: |
-        **Role definition:** Contributor<br />
-        **Scope:** Subscription
-      isCorrect: false
-      explanation: The Contributor role is a good one to use. However, you should avoid granting it over the subscription scope unless you need to. In this case, you don't.
-    - content: |
-        **Role definition:** Contributor<br />
-        **Scope:** Resource group
-      isCorrect: true
-      explanation: The Contributor role is a good one to use. Additionally, it's a good practice to grant it over the resource group, which is all that this pipeline needs.
-    - content: |
-        **Role definition:** Owner<br />
-        **Scope:** Resource group
-      isCorrect: false
-      explanation: This role assignment is too permissive. You should avoid granting the Owner role unless it's required. In this example, it's not.
-
+### YamlMime:ModuleUnit
+uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.knowledge-check
+title: Module assessment
+metadata:
+  unitType: knowledge_check
+  title: Module Assessment
+  description: Knowledge check
+  ms.date: 04/22/2025
+  author: mumian
+  ms.author: jgao
+  ms.topic: unit
+durationInMinutes: 3
+content: |
+quiz:
+  questions:
+  - content: You're building a custom deployment agent that runs on an Azure virtual machine that you control. Which of these authentication techniques should the agent use to authenticate and work with Azure resources?
+    choices:
+    - content: User account
+      isCorrect: false
+      explanation: Deployment agents run in an unattended mode, so you should never use a user account.
+    - content: Service principal
+      isCorrect: false
+      explanation: A service principal can be used for this purpose, but using a service principal requires that you manage credentials. Because you're running a custom deployment agent on a virtual machine, you should use a managed identity so that you don't have to maintain credentials.
+    - content: Managed identity
+      isCorrect: true
+      explanation: Managed identities are designed for unattended access, and they don't require you work with credentials. Because you're running a custom deployment agent on a virtual machine, you should use a managed identity so that you don't have to maintain credentials.
+  - content: You need to create a service principal for a pipeline that deploys your infrastructure to three environments - development, test, and production. Each environment is in a dedicated resource group in three different subscriptions. What should you do?
+    choices:
+    - content: Create a single service principal and grant it access to the tenant root management group.
+      isCorrect: false
+      explanation: Although this will work, it's not a good practice to use a single service principal for all of your environments. Additionally, granting access to your tenant root management group will allow the service principal to modify resources anywhere in your Azure environment, which is unnecessarily permissive.
+    - content: Create a single service principal and grant it access to each of the resource groups in the three subscriptions.
+      isCorrect: false
+      explanation: Although this will work, it's not good practice to use a single service principal for all of your environments. At the very least, you should separate production and nonproduction environments by using two service principals, but a dedicated service principal for each environment is preferred.
+    - content: Create three service principals, one per environment, and grant each access to a single resource group in the relevant subscription.
+      isCorrect: true
+      explanation: When you work with multiple environments, it's best to use dedicated service principals for each environment so that your pipeline can't accidentally change anything in another environment.
+  - content: You create a service principal with a key, and you set the key to expire 30 days in the future. What happens after that time?
+    choices:
+    - content: Nothing - the key will automatically renew.
+      isCorrect: false
+      explanation: Service principal keys don't automatically renew.
+    - content: Your client can no longer authenticate.
+      isCorrect: true
+      explanation: After a service principal's key has expired, the key can't be used to authenticate. You'll need to issue a new key.
+    - content: Your client can authenticate, but it receives a warning that the key has expired.
+      isCorrect: false
+      explanation: After a service principal's key has expired, the key can't be used to authenticate. You'll need to issue a new key.
+  - content: You're creating a service principal to run a pipeline. The pipeline deploys a Bicep template that creates a single storage account. Which of the following options has the least privileged access that you need for your pipeline?
+    choices:
+    - content: |
+        **Role definition:** Contributor<br />
+        **Scope:** Subscription
+      isCorrect: false
+      explanation: The Contributor role is a good one to use. However, you should avoid granting it over the subscription scope unless you need to. In this case, you don't.
+    - content: |
+        **Role definition:** Contributor<br />
+        **Scope:** Resource group
+      isCorrect: true
+      explanation: The Contributor role is a good one to use. Additionally, it's a good practice to grant it over the resource group, which is all that this pipeline needs.
+    - content: |
+        **Role definition:** Owner<br />
+        **Scope:** Resource group
+      isCorrect: false
+      explanation: This role assignment is too permissive. You should avoid granting the Owner role unless it's required. In this example, it's not.
+

learn-pr/azure/authenticate-azure-deployment-pipeline-service-principals/8-summary.yml

@@ -1,14 +1,14 @@
-### YamlMime:ModuleUnit
-uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.summary
-title: Summary
-metadata:
-  unitType: summary
-  title: Summary
-  description: Summary.
-  ms.date: 01/16/2024
-  author: mumian
-  ms.author: jgao
-  ms.topic: unit
-durationInMinutes: 1
-content: |
-  [!include[](includes/8-summary.md)]
+### YamlMime:ModuleUnit
+uid: learn.azure.authenticate-azure-deployment-pipeline-service-principals.summary
+title: Summary
+metadata:
+  unitType: summary
+  title: Summary
+  description: Summary.
+  ms.date: 04/22/2025
+  author: mumian
+  ms.author: jgao
+  ms.topic: unit
+durationInMinutes: 1
+content: |
+  [!include[](includes/8-summary.md)]

learn-pr/azure/authenticate-azure-deployment-pipeline-service-principals/includes/1-introduction.md

@@ -1,8 +1,8 @@
-Deployment pipelines need to communicate with Azure, so they can create and configure your Azure resources. In this module, you'll learn how service principals work, how to create and manage them, and how to authorize them to work with Azure on your behalf.
+Deployment pipelines need to communicate with Azure so they can create and configure your Azure resources. In this module, you'll learn how service principals work, how to create and manage them, and how to authorize them to work with Azure on your behalf.
 
 ## Example scenario
 
-Suppose you're responsible for deploying and configuring the Azure infrastructure at a toy company. You've created a Bicep template to deploy your company's website. Until now, you've been deploying it from your own computer by using command-line tools. You've decided to move the deployment into a pipeline. 
+Suppose you're responsible for deploying and configuring the Azure infrastructure at a toy company. You've created a Bicep template to deploy your company's website. Until now, you've been deploying it from your own computer by using command-line tools. You've decided to move the deployment into a pipeline.
 
 One of your colleagues has told you that you'll need to set up a service principal for the deployment pipeline. You need to understand what this is, and then set it up so you can deploy your company's website.