Skip to content

Update visual studio code auth content and diagrams #48182

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 18 commits into
base: main
Choose a base branch
from
+86 −4
Open

Update visual studio code auth content and diagrams #48182

Show file tree
Hide file tree
Changes from 15 commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
efc7876
update visual studio code auth content
alexwolfmsft Aug 29, 2025
bc1052f
fixes
alexwolfmsft Aug 29, 2025
8c4a38f
fix image
alexwolfmsft Aug 29, 2025
03ef5f1
fix diagram
alexwolfmsft Aug 29, 2025
aaa4e72
trim image
alexwolfmsft Aug 29, 2025
9bb3d06
images
alexwolfmsft Aug 29, 2025
6e03fa3
Merge branch 'main' into visual-studio-code-updates
alexwolfmsft Aug 29, 2025
41a7f94
standardize
alexwolfmsft Aug 29, 2025
788b37c
fix link
alexwolfmsft Aug 29, 2025
2c0aae8
fixes
alexwolfmsft Aug 29, 2025
dce1297
added broker section
alexwolfmsft Sep 2, 2025
d7379a8
fix image
alexwolfmsft Sep 2, 2025
f72eb22
diagram fixes
alexwolfmsft Sep 2, 2025
02c0579
PR changes
alexwolfmsft Sep 2, 2025
0130b2a
update images
alexwolfmsft Sep 2, 2025
813aeb8
Apply suggestions from code review
alexwolfmsft Sep 2, 2025
ad6cdd6
image changes
alexwolfmsft Sep 2, 2025
c6e8daf
Feedback changes
alexwolfmsft Sep 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion docs/azure/sdk/authentication/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ Use of connection strings should be limited to scenarios where token-based authe

The specific type of token-based authentication an app should use to authenticate to Azure resources depends on where the app runs. The following diagram provides guidance for different scenarios and environments:

:::image type="content" source="../media/dotnet-sdk-auth-strategy.png" alt-text="A diagram showing the recommended token-based authentication strategies for an app depending on where it's running." :::
:::image type="content" source="../media/mermaidjs/authentication-environments.svg" alt-text="A diagram showing the recommended token-based authentication strategies for an app depending on where it's running." :::

When an app is:

Expand Down Expand Up @@ -76,6 +76,13 @@ A service principal is created in a Microsoft Entra tenant to represent an app a
> [!div class="nextstepaction"]
> [Authenticate locally using a service principal](local-development-service-principal.md)

#### Use a broker

Brokered authentication collects user credentials using the system authentication broker to authenticate an app. A system authentication broker runs on a user's machine and manages the authentication handshakes and token maintenance for all connected accounts.

> [!div class="nextstepaction"]
> [Authenticate locally using a broker](local-development-broker.md)

## Authentication for apps hosted on-premises

For apps hosted on-premises, you can use a service principal to authenticate to Azure resources. This involves creating a service principal in Microsoft Entra ID, assigning it the necessary permissions, and configuring your app to use its credentials. This method allows your on-premises app to securely access Azure services.
Expand Down
2 changes: 2 additions & 0 deletions docs/azure/sdk/authentication/local-development-broker.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ Brokered authentication offers the following benefits:
- **System integration:** Applications that use the broker plug-and-play with the built-in account picker, allowing the user to quickly pick an existing account instead of reentering the same credentials over and over.
- **Token Protection:** Ensures that the refresh tokens are device bound and enables apps to acquire device bound access tokens. See [Token Protection](/azure/active-directory/conditional-access/concept-token-protection).

:::image type="content" source="../media/mermaidjs/local-broker-authentication.svg" alt-text="A diagram showing how a local .NET app uses brokered credentials to connect to Azure resources.":::

:::zone target="docs" pivot="os-windows"

Windows provides an authentication broker called [Web Account Manager (WAM)](/entra/msal/dotnet/acquiring-tokens/desktop-mobile/wam). WAM enables identity providers such as Microsoft Entra ID to natively plug into the OS and provide secure login services to apps. Brokered authentication enables the app for all operations allowed by the interactive login credentials.
Expand Down
3 changes: 2 additions & 1 deletion docs/azure/sdk/authentication/local-development-dev-accounts.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,14 +19,15 @@ During local development, applications need to authenticate to Azure to access v
- How to sign-in to supported local development tools
- How to authenticate using a developer account from your app code

:::image type="content" source="../media/local-dev-dev-accounts-overview.png" alt-text="A diagram showing an app running in local development using a developer tool identity to connect to Azure resources.":::
:::image type="content" source="../media/mermaidjs/local-developer-authentication.svg" alt-text="A diagram showing an app running in local development using a developer tool identity to connect to Azure resources.":::

For an app to authenticate to Azure during local development using the developer's Azure credentials, the developer must be signed-in to Azure from one of the following developer tools:

- Azure CLI
- Azure Developer CLI
- Azure PowerShell
- Visual Studio
- Visual Studio Code

The Azure Identity library can detect that the developer is signed-in from one of these tools. The library can then obtain the Microsoft Entra access token via the tool to authenticate the app to Azure as the signed-in user.

Expand Down
2 changes: 1 addition & 1 deletion docs/azure/sdk/authentication/local-development-service-principal.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ During local development, applications need to authenticate to Azure to access v

Using dedicated application service principals allows you to adhere to the principle of least privilege when accessing Azure resources. Permissions are limited to the specific requirements of the app during development, preventing accidental access to Azure resources intended for other apps or services. This approach also helps avoid issues when the app is moved to production by ensuring it isn't over-privileged in the development environment.

:::image type="content" source="../media/local-dev-service-principal-overview.png" alt-text="A diagram showing how a local .NET app uses the developer's credentials to connect to Azure by using locally installed development tools.":::
:::image type="content" source="../media/mermaidjs/local-service-principal-authentication.svg" alt-text="A diagram showing how a local .NET app uses a service principal to connect to Azure resources.":::

When the app is registered in Azure, an application service principal is created. For local development:

Expand Down
Binary file modified docs/azure/sdk/media/broker-macos-account-picker.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file removed docs/azure/sdk/media/dotnet-sdk-auth-strategy.png
View file
Open in desktop
Binary file not shown.
Binary file removed docs/azure/sdk/media/local-dev-dev-accounts-overview.png
View file
Open in desktop
Binary file not shown.
47 changes: 47 additions & 0 deletions docs/azure/sdk/media/mermaidjs/authentication-environments.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
---
ms.topic: include
ms.date: 08/07/2024
---

```mermaid
%% STEPS TO GENERATE IMAGE
%% =======================
%% 1. Install mermaid CLI v10.9.1 (see https://github.com/mermaid-js/mermaid-cli/blob/master/README.md):
%% npm i -g @mermaid-js/[email protected]
%% 2. Run command: mmdc -i authentication-environments.md -o ../../media/mermaidjs/authentication-environments.svg
%%{init: {'theme':'base', 'themeVariables': { 'primaryColor': '#fff', 'edgeLabelBackground':'#fff', 'fontSize': '24px'}}}%%
flowchart LR
NetApp[".NET app"]
Q1{Where is the app running?}
NetApp --> Q1
%% Local Development Machine Branch
Q1 --> LocalDev[Development Machine]
LocalDev --> AppSP["**Application service principal**"]
LocalDev --> DevAccount["**Developer account**"]
LocalDev --> Broker["**Broker**"]
%% Azure Branch
Q1 --> AzureApp[Azure]
AzureApp --> ManagedId["**Managed identity**"]
%% On-premises Server Branch
Q1 --> OnPremApp[On-premises server]
OnPremApp --> ServicePrincipal["**Service principal**"]
%% Styling
classDef questionBox fill:#4472C4,stroke:#333,stroke-width:2px,color:#fff,font-size:24px
classDef authMethod fill:#e6f2ff,stroke:#4472C4,stroke-width:2px,color:#000,font-size:24px
classDef envNode fill:#8fbc8f,stroke:#333,stroke-width:2px,color:#000,font-size:24px
classDef startNode fill:#2d5f3f,stroke:#333,stroke-width:2px,color:#fff,font-size:24px
%% Edge label styling
linkStyle default font-size:24px
class NetApp startNode
class Q1 questionBox
class AppSP,DevAccount,Broker,ManagedId,ServicePrincipal authMethod
class LocalDev,AzureApp,OnPremApp envNode
```
1 change: 1 addition & 0 deletions docs/azure/sdk/media/mermaidjs/authentication-environments.svg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
28 changes: 28 additions & 0 deletions docs/azure/sdk/media/mermaidjs/local-broker-authentication.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
---
ms.topic: include
ms.date: 08/07/2024
---

```mermaid
%% STEPS TO GENERATE IMAGE
%% =======================
%% 1. Install mermaid CLI v10.9.1 (see https://github.com/mermaid-js/mermaid-cli/blob/master/README.md):
%% npm i -g @mermaid-js/[email protected]
%% 2. Run command: mmdc -i local-broker-authentication.md -o ../../media/mermaidjs/local-broker-authentication.svg

flowchart LR
APP["Local .NET app"]
BK["Developer account credentials supplied by broker"]
AS["Azure services"]

APP --> BK
BK --> AS

classDef app fill:#e6f3ff,stroke:#0078d4,stroke-width:2px,color:#000,font-size:16px
classDef serviceP fill:#D4F4D4,stroke:#7BC97B,stroke-width:2px,color:#000,font-size:16px
classDef services fill:#0078d4,stroke:#005ba1,stroke-width:2px,color:#fff,font-size:16px

class APP app
class SP serviceP
class AS services
```
1 change: 1 addition & 0 deletions docs/azure/sdk/media/mermaidjs/local-broker-authentication.svg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
49 changes: 49 additions & 0 deletions docs/azure/sdk/media/mermaidjs/local-developer-authentication.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
---
ms.topic: include
ms.date: 08/07/2024
---

```mermaid
%% STEPS TO GENERATE IMAGE
%% =======================
%% 1. Install mermaid CLI v10.9.1 (see https://github.com/mermaid-js/mermaid-cli/blob/master/README.md):
%% npm i -g @mermaid-js/[email protected]
%% 2. Run command: mmdc -i local-developer-authentication.md -o ../../media/mermaidjs/local-developer-authentication.svg
flowchart TD
ARL[Local .NET app]
VS[Visual Studio]
VSC[Visual Studio Code]
AZCLI[Azure CLI]
AZPS[Azure PowerShell]
AZD[Azure Developer CLI]
DevAccount["Developer account credentials"]
AS["Azure services"]
ARL --> VS
ARL --> VSC
ARL --> AZD
ARL --> AZCLI
ARL --> AZPS
VS --> DevAccount
VSC --> DevAccount
AZD --> DevAccount
AZCLI --> DevAccount
AZPS --> DevAccount
DevAccount --> AS
classDef highlight fill:#0078d4,stroke:#005ba1,stroke-width:2px,color:#fff,font-size:16px
classDef tools fill:#e6f3ff,stroke:#0078d4,stroke-width:1px,font-size:16px
classDef default font-size:16px
classDef lightgreen fill:#D4F4D4,stroke:#7BC97B,stroke-width:2px,color:#000,font-size:16px
class AS highlight
class VS,VSC,AZD,AZCLI,AZPS tools
class LA,ARL default
class DevAccount lightgreen
```
1 change: 1 addition & 0 deletions docs/azure/sdk/media/mermaidjs/local-developer-authentication.svg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
28 changes: 28 additions & 0 deletions docs/azure/sdk/media/mermaidjs/local-service-principal-authentication.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
---
ms.topic: include
ms.date: 08/07/2024
---

```mermaid
%% STEPS TO GENERATE IMAGE
%% =======================
%% 1. Install mermaid CLI v10.9.1 (see https://github.com/mermaid-js/mermaid-cli/blob/master/README.md):
%% npm i -g @mermaid-js/[email protected]
%% 2. Run command: mmdc -i local-service-principal-authentication.md -o ../../media/mermaidjs/local-service-principal-authentication.svg
flowchart LR
APP["Local .NET app"]
SP["App service principal stored in environment variables"]
AS["Azure services"]
APP --> SP
SP --> AS
classDef app fill:#e6f3ff,stroke:#0078d4,stroke-width:2px,color:#000,font-size:16px
classDef serviceP fill:#D4F4D4,stroke:#7BC97B,stroke-width:2px,color:#000,font-size:16px
classDef services fill:#0078d4,stroke:#005ba1,stroke-width:2px,color:#fff,font-size:16px
class APP app
class SP serviceP
class AS services
```
Loading