Merge pull request #309161 from prasadko/build-web-application

Add quickstart: Build a web application with Microsoft Planetary Computer Pro

Author: denrea

articles/planetary-computer/TOC.yml

@@ -73,14 +73,16 @@
     href: queryables-for-explorer-custom-search-filter.md
   - name: Supported color maps
     href: supported-colormaps.md
-- name: Build and use applications
+- name: Connect and build applications
   items:
-  - name: Build applications
+  - name: Connect and build applications with your data
     href: build-applications-with-planetary-computer-pro.md
   - name: Use the explorer
     href: use-explorer.md
   - name: Application authentication
     href: application-authentication.md
+  - name: Build a web application
+    href: build-web-application.md
   - name: Connect to ArcGIS Pro
     href: create-connection-arc-gis-pro.md
   - name: Connect to QGIS

articles/planetary-computer/application-authentication.md

@@ -5,7 +5,7 @@ author: prasadko
 ms.author: prasadkomma
 ms.service: planetary-computer-pro
 ms.topic: how-to #Don't change
-ms.date: 04/23/2025
+ms.date: 01/09/2026
 
 #customer intent: As a developer or administrator, I want to set up application authentication and access to Microsoft Planetary Computer Pro so that my applications can securely interact with its resources.
 ms.custom:
@@ -19,6 +19,18 @@ This article provides step-by-step guidance for developers and administrators to
 > [!NOTE]
 > For applications that use Azure AD B2C or Microsoft Entra External ID supporting features like social identity providers, the applications need to continue using these identity solutions to proxy authentication traffic since Planetary Computer Pro doesn't support alternatives to Microsoft Entra ID authentication.  
 
+## Authentication options and recommendations
+
+The following table summarizes the recommended authentication approach based on where your application runs and how it accesses resources:
+
+| Application Hosting Environment | Access Type Required | Recommended Identity Type        | Explanation                                                                                                                               |
+| :------------------------------ | :------------------- | :------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Running on Azure** (VM, App Service, Functions, Container Apps, etc.) | App-Only (Application acts as itself) | Managed Identity (User-assigned recommended) | **Security & Manageability:** Eliminates the need to store and manage credentials (secrets or certificates) in code or configuration. Azure handles credential rotation automatically. User-assigned is preferred for sharing across multiple resources. |
+| **Running on Azure** (VM, App Service, Functions, Container Apps, etc.) | Delegated (Application acts on behalf of a user) | Managed Identity (User-assigned recommended) | **Leverages Azure Integration:** Combines the security benefits of Managed Identity for the application itself with standard user authentication flows. Simplifies infrastructure setup within Azure. |
+| **Running Outside Azure** (On-premises, other cloud, developer machine) | App-Only (Application acts as itself) | Service Principal | **Standard for External Apps:** The established method for non-Azure applications to authenticate with Microsoft Entra ID. Requires managing credentials (secrets or certificates) securely. |
+| **Running Outside Azure** (On-premises, other cloud, developer machine) | Delegated (Application acts on behalf of a user) | Service Principal | **Standard for External Apps:** Enables standard OAuth 2.0 flows for user sign-in and consent for applications outside Azure, using the application's registered identity in Entra ID. |
+| **Running Outside Azure (Alternative)** | App-Only or Delegated | Managed Identity | **Brings Azure Benefits:** By hosting the application in an Azure compute service (like a VM or Container App), it can use the enhanced security and manageability of Managed Identities, avoiding credential management even though the *origin* might be considered non-Azure. |
+
 ## Prerequisites
 
 - Azure account with an active subscription - [create an account for free](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn)
@@ -61,7 +73,7 @@ In this access scenario, a user signed into a client application. The client app
 1. Select **Add a permission**
 1. Select the **APIs my organization uses** tab
 1. Type **Azure Orbital Planetary Computer** in the search field
-1. Select on the matching entry (app ID should be 6388acc4-795e-43a9-a320-33075c1eb83b). It shows up as **Azure Orbital Microsoft Planetary Computer Pro**.
+1. Select the matching entry (app ID should be 6388acc4-795e-43a9-a320-33075c1eb83b). It shows up as **Azure Orbital Microsoft Planetary Computer Pro**.
 1. Select on **Delegated permissions** box. Check the box next to **user_impersonation**.
 1. Select **Add permissions**
 1. Select the "Grant admin consent" link (assuming your intent is to grant admin consent in the tenant for this permission)
@@ -119,8 +131,10 @@ If you can't use `DefaultAzureCredentials()` and instead use other methods such
 ## Next steps
 
 > [!div class="nextstepaction"]
-> [Build Applications with Microsoft Planetary Computer Pro](./use-explorer.md)
+> [Connect and build applications with your data](./build-applications-with-planetary-computer-pro.md)
 
 ## Related content
 
+- [Build a web application with Microsoft Planetary Computer Pro](./build-web-application.md)
+- [Use Azure Batch with Microsoft Planetary Computer Pro](./azure-batch.md)
 - [Manage access for Microsoft Planetary Computer Pro](./manage-access.md)

articles/planetary-computer/azure-batch.md

@@ -4,7 +4,7 @@ description: This quickstart shows you how to use Microsoft Planetary Computer P
 author: meaghanlewis
 ms.topic: quickstart
 ms.service: planetary-computer-pro
-ms.date: 04/24/2025
+ms.date: 01/09/2026
 ms.author: emiliod
 #customer intent: I want to use Microsoft Planetary Computer Pro GeoCatalog in Azure Batch to process geospatial data.
 ms.custom:
@@ -13,7 +13,19 @@ ms.custom:
 
 # Quickstart: Use Microsoft Planetary Computer Pro GeoCatalog in Azure Batch
 
-In this quickstart, you learn how to use Microsoft Planetary Computer Pro GeoCatalog resource in Azure Batch to process geospatial data. Planetary Computer Pro GeoCatalog is a geospatial data catalog that provides a unified view of your geospatial data assets across your organization. You can use Planetary Computer Pro GeoCatalog to discover, manage, and analyze your geospatial data.
+In this quickstart, you learn how to use a Microsoft Planetary Computer Pro GeoCatalog resource in Azure Batch to process geospatial data at scale.
+
+Azure Batch is a cloud-based job scheduling service that enables you to run large-scale parallel and high-performance computing (HPC) workloads. By combining Azure Batch with Microsoft Planetary Computer Pro, you can:
+
+- Process large volumes of geospatial data in parallel across multiple compute nodes
+- Authenticate securely to GeoCatalog APIs using managed identities
+- Scale processing power up or down based on workload demands
+- Automate geospatial data pipelines without managing infrastructure
+
+This quickstart demonstrates how to set up a Batch pool with a user-assigned managed identity, configure permissions to access your GeoCatalog, and run jobs that query the STAC API.
+
+> [!TIP]
+> For an overview of application development options with Microsoft Planetary Computer Pro, see [Connect and build applications with your data](./build-applications-with-planetary-computer-pro.md).
 
 ## Prerequisites
 
@@ -25,7 +37,7 @@ Before you begin, ensure you meet the following requirements to complete this qu
     - [Azure CLI](/cli/azure/install-azure-cli)
     - `perl` package.
 
-## Create a batch account
+## Create a Batch account
 
 Create a resource group:
 
@@ -86,7 +98,7 @@ az identity create \
     --resource-group spatiobatchdemo
 ```
 
-Create a pool of compute nodes using the Azure Portal:
+Create a pool of compute nodes using the Azure portal:
 
 1. In the Azure portal, navigate to your Batch account and select **Pools**:
     [ ![Screenshot of the Azure portal showing the Pools section of a Batch account, with options to add and manage pools.](media/batch-pools-overview.png) ](media/batch-pools-overview.png#lightbox)
@@ -100,7 +112,7 @@ Create a pool of compute nodes using the Azure Portal:
     [ ![Screenshot of the Start Task configuration page for a Batch pool. The page includes fields to specify a command line script, elevation level, and other settings for initializing compute nodes.](media/start-task-configuration-page.png) ](media/start-task-configuration-page.png#lightbox)
 1. Select **OK** to create the pool.
 
-## Assign Permissions to the Managed Identity
+## Assign permissions to the managed identity
 
 You need to provide the managed identity access to the GeoCatalog. Go to your GeoCatalog, select on **Access control (IAM)** and select **Add role assignment**:
 
@@ -114,7 +126,7 @@ Select the managed identity you created and then select **Review + assign**.
 
 [ ![Screenshot of the Azure portal showing the Select identity page. The page includes a list of available managed identities, allowing users to choose the identity they want to assign to the Batch pool.](media/select-review-assign.png) ](media/select-review-assign.png#lightbox)
 
-## Prepare the Batch Job
+## Prepare the Batch job
 
 Create a container in the storage account:
 
@@ -134,11 +146,11 @@ az storage blob upload \
     --account-name spatiobatchstorage
 ```
 
-## Run the Batch Jobs
+## Run the Batch jobs
 
 There are two examples in this quickstart: a **Python script**, and a **Bash script**. You can use either of them to create a job.
 
-### Python Script Job
+### Python script job
 
 To execute the Python script job, execute the following commands:
 
@@ -182,7 +194,7 @@ az batch task file download \
     --destination /dev/stdout
 ```
 
-### Bash Job
+### Bash job
 
 To execute the Bash script job, run the following commands:
 
@@ -212,6 +224,12 @@ az batch task file download \
 
 ## Related content
 
-- For more information about managed identities in batch pools, see [Configure managed identities in Batch pools](/azure/batch/managed-identity-pools) documentation.
-
-- For more information about how to deploy files to your Batch account, see [Copy applications and data to pool nodes](/azure/batch/batch-applications-to-pool-nodes), [Deploy applications to compute nodes with Batch application packages](/azure/batch/batch-application-packages), and [Creating and using resource files](/azure/batch/resource-files).
+- [Connect and build applications with your data](./build-applications-with-planetary-computer-pro.md)
+- [Configure application authentication for Microsoft Planetary Computer Pro](./application-authentication.md)
+- [Build a web application with Microsoft Planetary Computer Pro](./build-web-application.md)
+- [Use the Microsoft Planetary Computer Pro Explorer](./use-explorer.md)
+- [Manage access to Microsoft Planetary Computer Pro](./manage-access.md)
+- [Configure managed identities in Batch pools](/azure/batch/managed-identity-pools)
+- [Copy applications and data to pool nodes](/azure/batch/batch-applications-to-pool-nodes)
+- [Deploy applications to compute nodes with Batch application packages](/azure/batch/batch-application-packages)
+- [Creating and using resource files](/azure/batch/resource-files)