Merge pull request #313347 from dominicbetts/release-aio-2603-management-actions

AIO 2603: Management actions

Author: Stacyrch140

articles/iot-operations/discover-manage-assets/howto-connect-kafka.md

@@ -22,7 +22,7 @@ To connect to a Kafka source, you combine:
 
 The following diagram illustrates this architecture:
 
-:::image type="content" source="media/howto-connect-kafka/kafka.svg" alt-text="Diagram that shows the architecture of the solution." lightbox="media/howto-connect-kafka/kafka.png":::
+:::image type="content" source="media/howto-connect-kafka/kafka.svg" alt-text="Diagram that shows the architecture of the solution." lightbox="media/howto-connect-kafka/kafka.png" border="false":::
 
 Messages enter from the Kafka source, such as an Azure Event Hubs namespace, and are ingested into Azure IoT Operations through a data flow with a Kafka source endpoint. The data flow routes messages to topics in the internal MQTT broker. The connector for MQTT detects the topics in the MQTT broker and lets you create assets based on the topic names. Each asset can be configured to route data to specific topics in the MQTT broker. You can then perform any routing and custom processing to the messages.
 

articles/iot-operations/discover-manage-assets/howto-control-opc-ua.md

@@ -430,5 +430,6 @@ For example, the DTDL model for the `call` actions the sample uses looks like th
 
 ## Related content
 
+- [Enable and run management actions](howto-use-management-actions.md)
 - [Manage asset and device configurations](overview-manage-assets.md)
 - [Connector for OPC UA overview](overview-opc-ua-connector.md)

articles/iot-operations/discover-manage-assets/howto-use-management-actions.md

@@ -0,0 +1,155 @@
+---
+title: Enable and run management actions
+description: Enable management actions on an Azure IoT Operations instance so that you can invoke operations on southbound assets from the cloud or edge, and understand the message flow through the system.
+author: dominicbetts
+ms.author: dobett
+ms.service: azure-iot-operations
+ms.topic: how-to
+ms.date: 03/18/2026
+ai-usage: ai-assisted
+
+#CustomerIntent: As an IT or OT operator, I want to enable management actions on my Azure IoT Operations instance so that I can invoke operations such as method calls, writes, and reads on southbound assets from the cloud or edge.
+---
+
+# Enable and run management actions
+
+Management actions let you invoke operations on southbound assets connected to your Azure IoT Operations instance. You can call methods, write values, and read values on assets such as OPC UA servers, ONVIF cameras, and MQTT devices. Management actions use Azure Event Grid to route requests and responses between the cloud and the internal MQTT broker The connector subscribes to a known topic on the internal MQTT broker and then executes the operation on the target asset.
+
+When you enable management actions, the Azure CLI provisions the infrastructure that connects Event Grid to the MQTT broker. This infrastructure includes an Event Grid data flow endpoint, a request data flow that uses a WebAssembly (WASM) module to process incoming messages, a response data flow that routes replies back through Event Grid, and the required topic spaces and permission bindings. After the infrastructure is in place, you can execute actions on any asset that has a management group and action defined.
+
+This article explains how to enable management actions, execute actions on assets, and how the message flow works through the system. The management actions CLI commands are protocol-agnostic. The examples in this article use an OPC UA asset, but the same commands work for any protocol that supports management actions.
+
+## Prerequisites
+
+- A deployed [Azure IoT Operations](../deploy-iot-ops/howto-deploy-iot-operations.md) instance on an Arc-connected cluster.
+- The Azure CLI with the `azure-iot-ops` extension installed. To install or update the extension, run:
+
+  ```azurecli
+  az extension add --upgrade -n azure-iot-ops
+  ```
+
+## Enable management actions
+
+For a complete end-to-end setup script that creates the Event Grid namespace, device, asset, and enables management actions in one step, see the [management actions quickstart](https://github.com/Azure/azure-iot-ops-cli-extension/blob/v2.4.0/scripts/mgmt-actions/README.md) in the CLI extension repository.
+
+The `az iot ops mgmt-actions enable` command in the quickstart script provisions the management actions infrastructure on your Azure IoT Operations instance. The command creates the following resources:
+
+| Resource | Purpose |
+|----------|--------|
+| Event Grid topic space | Includes the `actions/requests/` and `actions/responses/` topics for message routing. |
+| Event Grid permission bindings | Grants the Azure IoT Operations instance publish and subscribe access to the topic space. |
+| Event Grid data flow endpoint | Connects the Azure IoT Operations data flow runtime to the Event Grid namespace. |
+| Request data flow graph | Routes messages from Event Grid to the MQTT broker, applying a WASM module to rewrite topic paths. |
+| Response data flow | Routes responses from the MQTT broker back to Event Grid. |
+| Role assignments | Grants the data flow identity and the Azure Device Registry namespace the required permissions. |
+
+```azurecli
+az iot ops mgmt-actions enable \
+    --instance <instance-name> \
+    --resource-group <resource-group> \
+    --eg-resource-id <event-grid-namespace-resource-id>
+```
+
+The following table describes the optional parameters:
+
+| Parameter | Description |
+|-----------|-------------|
+| `--mi-user-assigned` | Full resource ID of a user-assigned managed identity to use for the Event Grid data flow endpoint. If omitted, the system-assigned managed identity is used. |
+| `--skip-ra` | Skip role assignment creation during enable. Use this flag if role assignments were preconfigured or you lack permissions to create them. |
+| `--registry-endpoint` | Name of a registry endpoint to use for downloading the WASM data flow graph artifact. Use this flag if you need a non-default container registry. |
+
+> [!TIP]
+> The data flow graph and response data flow may take a few seconds to reconcile after the `enable` command completes. Run `az iot ops mgmt-actions show` to confirm all sub-resources are available before you execute an action.
+
+## Verify the management actions configuration
+
+After you enable management actions, verify that the configuration is correct and all sub-resources are in place:
+
+```azurecli
+az iot ops mgmt-actions show \
+    --instance <instance-name> \
+    --resource-group <resource-group>
+```
+
+The output shows the current state of the management actions infrastructure, including the Event Grid endpoint, data flows, and role assignments.
+
+## Execute a management action
+
+Run an action on an asset that has a management group and action defined. You specify the asset name, management group, action name, and a JSON payload. The following example:
+
+- Uses an asset that was created by the [management actions quickstart](https://github.com/Azure/azure-iot-ops-cli-extension/blob/mgmt_actions_quickstart/scripts/mgmt-actions/README.md) script in the CLI extension repository.
+- Invokes the `Switch` action on the `method-call-asset` asset in the `managementGroup` management group, which calls a method on an OPC UA server to switch a boiler on:
+
+```azurecli
+az iot ops mgmt-actions execute \
+    --instance <instance-name> \
+    --resource-group <resource-group> \
+    --asset method-call-asset \
+    --group managementGroup \
+    --action Switch \
+    --payload '{"On": true}'
+```
+
+> [!TIP]
+> If an asset reports a request schema in its status object for the target action, by default the CLI validates the request against the schema before sending it. Use `--show-schema` to see the schema if it exists, and `--no-validate` to disable validation.
+
+> [!TIP]
+> The `--payload` parameter supports inline JSON or a local file path that contains the JSON payload.
+
+### Action types
+
+The payload depends on the action type and the target asset's management group definition:
+
+- **Call** actions invoke a method on the asset. The payload contains the method's input parameters. To call a method that takes no parameters, set the payload to `'{}'`.
+- **Write** actions write a value to the target URI on the asset. The payload contains the value to write.
+- **Read** actions read a value from the target URI. Use an empty payload `'{}'` for read actions.
+
+For more information about how to define action types in an asset's management group, see [Control OPC UA servers](howto-control-opc-ua.md).
+
+## How management actions work
+
+Management actions use two data flows and Azure Event Grid to connect a cloud client to a connector running in the Azure IoT Operations cluster. The following sections describe the request and response message flows in detail.
+
+:::image type="content" source="media/howto-use-management-actions/architecture.svg" alt-text="Diagram that shows the architecture of management actions request and response flows through Event Grid, data flows, MQTT broker, and connector to a southbound asset." lightbox="media/howto-use-management-actions/architecture.png" border="false":::
+
+### Request flow
+
+When you execute a management action, the following sequence occurs:
+
+1. The `az iot ops mgmt-actions execute` command publishes the action request as an MQTT message to the Event Grid namespace. The message is published to a topic in the topic space created by the quickstart script, with the asset name, management group, and action name as subtopics.
+
+1. The **request data flow** subscribes to the `actions/requests/<instance-name>/#` topic on the Event Grid namespace. When a message arrives, the data flow passes it through a WASM graph module that strips the Event Grid topic prefix and rewrites the topic to the internal MQTT broker format.
+
+1. The processed message is published to the internal MQTT broker on the topic `azure-iot-operations/asset-operations/<asset-name>/<management-group>/<action-name>`.
+
+1. The connector subscribes to the `azure-iot-operations/asset-operations/` topics on the internal MQTT broker. When it receives the request, it identifies the target asset and executes the operation (call, write, or read) on the southbound asset.
+
+### Response flow
+
+After the southbound asset executes the operation and returns a response to the connector, the following sequence occurs:
+
+1. The connector publishes the action response to the internal MQTT broker on a topic under `actions/responses/<instance-name>/`.
+
+1. The **response data flow** subscribes to `actions/responses/<instance-name>/#` on the internal broker and forwards the message to the Event Grid namespace.
+
+1. The Event Grid namespace delivers the response to the waiting client, completing the request-response cycle.
+
+For details on how the connector interacts with OPC UA servers and the supported action types, see [Control OPC UA servers](howto-control-opc-ua.md).
+
+## Disable management actions
+
+When you no longer need management actions, disable them to tear down the provisioned infrastructure. The disable command removes the data flows, Event Grid topic space, permission bindings, and data flow endpoint:
+
+```azurecli
+az iot ops mgmt-actions disable \
+    --instance <instance-name> \
+    --resource-group <resource-group>
+```
+
+## Related content
+
+- [Control OPC UA servers](howto-control-opc-ua.md)
+- [Connect to MQTT endpoints](howto-use-mqtt-connector.md)
+- [Connect to ONVIF-compliant cameras](howto-use-onvif-connector.md)
+- [Understand assets and devices](concept-assets-devices.md)
+- [Management actions quickstart scripts](https://github.com/Azure/azure-iot-ops-cli-extension/blob/mgmt_actions_quickstart/scripts/mgmt-actions/README.md)

articles/iot-operations/discover-manage-assets/howto-use-mqtt-connector.md

@@ -217,6 +217,7 @@ To add a management group and define actions for it:
 When you invoke the action, the connector publishes the action payload to the **Target URI** topic on the device's inbound endpoint. A downstream subscriber on that topic receives the message and can act on it.
 
 For background on how management groups and actions work across connectors, see:
+- [Enable and run management actions](howto-use-management-actions.md)
 - [Control OPC UA servers](howto-control-opc-ua.md) — explains the action invocation pattern and the MQTT RPC protocol used to trigger actions.
 - [Manage and control the camera](howto-use-onvif-connector.md#manage-and-control-the-camera) — shows how a similar pattern is used for the connector for ONVIF.
 

articles/iot-operations/discover-manage-assets/howto-use-onvif-connector.md

@@ -308,4 +308,8 @@ The [Azure IoT Operations connector for ONVIF PTZ Demo](https://github.com/Azure
 - Use the media asset definition to retrieve a profile token from the camera's media service.
 - Use the profile token when you use the camera's PTZ capabilities control its position and orientation.
 
-The sample application uses the Azure IoT Operations MQTT broker to send commands to interact with the connector for ONVIF. To learn more, see [Publish and subscribe MQTT messages using MQTT broker](../manage-mqtt-broker/overview-broker.md).
+The sample application uses the Azure IoT Operations MQTT broker to send commands to interact with the connector for ONVIF. 
+
+To learn more, see:
+- [Enable and run management actions](howto-use-management-actions.md)
+- [Publish and subscribe MQTT messages using MQTT broker](../manage-mqtt-broker/overview-broker.md).

articles/iot-operations/discover-manage-assets/howto-use-operations-experience.md

@@ -26,7 +26,7 @@ To learn how to use the operations experience to manage assets and devices, see:
 - [Configure the media connector](howto-use-media-connector.md)
 - [Configure the connector for HTTP/REST](howto-use-http-connector.md)
 - [Configure the connector for SSE](howto-use-sse-connector.md)
-- [Configure the connector for MQTT (preview)](howto-use-mqtt-connector.md)
+- [Configure the connector for MQTT](howto-use-mqtt-connector.md)
 To learn how to use the operations experience to manage data flows, see [Process and route data with data flows](../connect-to-cloud/overview-dataflow.md).
 
 ## Prerequisites
@@ -110,5 +110,5 @@ To view activity logs as the resource level, select the resource that you want t
 - [Media connector overview](howto-use-media-connector.md)
 - [Connector for HTTP/REST overview](howto-use-http-connector.md)
 - [Connector for SSE](howto-use-sse-connector.md)
-- [Connector for MQTT (preview)](howto-use-mqtt-connector.md)
+- [Connector for MQTT](howto-use-mqtt-connector.md)
 - [Process and route data with data flows](../connect-to-cloud/overview-dataflow.md)