Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into managing-billing-benefits

Author: ShawnJackson

articles/app-service/webjobs-sdk-how-to.md

@@ -158,7 +158,7 @@ The following table shows built-in roles that we recommend when you use triggers
 [Azure Service Bus Data Receiver]: ../role-based-access-control/built-in-roles.md#azure-service-bus-data-receiver
 [Azure Service Bus Data Sender]: ../role-based-access-control/built-in-roles.md#azure-service-bus-data-sender
 [Azure Service Bus Data Owner]: ../role-based-access-control/built-in-roles.md#azure-service-bus-data-owner
-[role-assignment-scope]: ../service-bus-messaging/service-bus-managed-service-identity.md#resource-scope
+[role-assignment-scope]: ../service-bus-messaging/service-bus-managed-service-identity.md#choose-the-resource-scope
 
 #### Connection strings in version 2.*x*
 

articles/event-grid/deliver-events-using-managed-identity.md

@@ -37,7 +37,7 @@ To deliver events to event hubs in your Event Hubs namespace using managed ident
 To deliver events to Service Bus queues or topics in your Service Bus namespace using managed identity, follow these steps:
 
 1. Enable system-assigned or user-assigned managed identity: [system topics](enable-identity-system-topics.md), [custom topics, and domains](enable-identity-custom-topics-domains.md). 
-1. [Add the identity to the **Azure Service Bus Data Sender**](../service-bus-messaging/service-bus-managed-service-identity.md#azure-built-in-roles-for-azure-service-bus) role on the Service Bus namespace
+1. [Add the identity to the **Azure Service Bus Data Sender**](../service-bus-messaging/service-bus-managed-service-identity.md#assign-a-service-bus-role-to-the-managed-identity) role on the Service Bus namespace
 1. [Enable the **Allow trusted Microsoft services to bypass this firewall** setting on your Service Bus namespace](../service-bus-messaging/service-bus-service-endpoints.md#trusted-microsoft-services). 
 1. [Configure the event subscription](managed-service-identity.md) that uses a Service Bus queue or topic as an endpoint to use the system-assigned or user-assigned managed identity.
 

articles/sap/center-sap-solutions/prepare-network.md

@@ -61,7 +61,7 @@ Each connection factory is an instance of `ConnectionFactory`, `QueueConnectionF
 To simplify connecting with Azure Service Bus, these interfaces are implemented through `ServiceBusJmsConnectionFactory`, `ServiceBusJmsQueueConnectionFactory`, or `ServiceBusJmsTopicConnectionFactory` respectively.
 
 > [!IMPORTANT]
-> Java applications leveraging JMS 2.0 API can connect to Azure Service Bus using the connection string, or using a `TokenCredential` for leveraging Microsoft Entra backed authentication. When using Microsoft Entra backed authentication, ensure to [assign roles and permissions](service-bus-managed-service-identity.md#azure-built-in-roles-for-azure-service-bus) to the identity as needed.
+> Java applications leveraging JMS 2.0 API can connect to Azure Service Bus using the connection string, or using a `TokenCredential` for leveraging Microsoft Entra backed authentication. When using Microsoft Entra backed authentication, ensure to [assign roles and permissions](service-bus-managed-service-identity.md#assign-a-service-bus-role-to-the-managed-identity) to the identity as needed.
 
 # [System Assigned Managed Identity](#tab/system-assigned-managed-identity-backed-authentication)
 

articles/service-bus-messaging/jms-developer-guide.md

@@ -81,7 +81,7 @@ In this tutorial, you'll use Microsoft Entra authentication to create `ServiceBu
 1. [Add the application to the `Service Bus Data Owner` role](/azure/role-based-access-control/role-assignments-portal).
 1. Set the `AZURE-CLIENT-ID`, `AZURE-TENANT-ID`, AND `AZURE-CLIENT-SECRET` environment variables. For instructions, see [this article](/dotnet/api/overview/azure/identity-readme#environment-variables).
 
-For a list of Service Bus built-in roles, see [Azure built-in roles for Service Bus](service-bus-managed-service-identity.md#azure-built-in-roles-for-azure-service-bus).
+For a list of Service Bus built-in roles, see [Azure built-in roles for Service Bus](service-bus-managed-service-identity.md#assign-a-service-bus-role-to-the-managed-identity).
 
 ## Create a namespace
 

articles/service-bus-messaging/service-bus-dotnet-multi-tier-app-using-service-bus-queues.md

@@ -1,52 +1,64 @@
 ---
-title: Managed identities for Azure resources with Service Bus
-description: This article describes how to use managed identities to access with Azure Service Bus entities (queues, topics, and subscriptions).
-ms.topic: article
+title: Use Managed Identities with Azure Service Bus
+description: Learn how to authenticate and access Azure Service Bus queues, topics, and subscriptions using managed identities for Azure resources.
+ms.topic: how-to
 ms.date: 02/11/2025
+
+#customer intent: As a developer, I want to use managed identities to authenticate my application to Azure Service Bus so that I can avoid storing credentials in my code.
+
 ---
 
-# Authenticate a managed identity with Microsoft Entra ID to access Azure Service Bus resources
-Managed identities for Azure resources provide Azure services with an automatically managed identity in Microsoft Entra ID. You can use this identity to authenticate to any service such as Azure Service Bus that supports Microsoft Entra authentication, without having credentials in your code. If you aren't familiar with managed identities, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md) before proceeding to read through this article.
+# How to use managed identities with Azure Service Bus
+
+Managed identities for Azure resources provide Azure services with an automatically managed identity in Microsoft Entra ID. You can use this identity to authenticate to Azure Service Bus without storing credentials in your code.
+
+This article walks you through enabling a managed identity, assigning the appropriate Service Bus role, and connecting to Service Bus from your application code.
+
+> [!NOTE]
+> If you're not familiar with managed identities, see [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).
+
+## Prerequisites
+
+To use managed identities with Azure Service Bus, you need:
+
+- An Azure subscription. If you don't have one, create a [free account](https://azure.microsoft.com/free/) before you begin.
+- An Azure Service Bus namespace. To create one, see [Create a Service Bus namespace](service-bus-create-namespace-portal.md).
+- A managed identity enabled on your Azure compute resource. See:
+  - [Configure managed identities for App Service and Azure Functions](../app-service/overview-managed-identity.md)
+  - [Configure managed identities for Azure resources on a virtual machine (VM)](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md)
 
-Here are the high-level steps to use a managed identity to access a Service Bus entity: 
+> [!IMPORTANT]
+> You can disable local or SAS key authentication for a Service Bus namespace and allow only Microsoft Entra authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md).
 
-1. Enable managed identity for your client app or environment. For example, enable managed identity for your Azure App Service app, Azure Functions app, or a virtual machine in which your app is running. Here are the articles that help you with this step:
-    - [Configure managed identities for App Service and Azure Functions](../app-service/overview-managed-identity.md)
-    - [Configure managed identities for Azure resources on a virtual machine (VM)](../active-directory/managed-identities-azure-resources/qs-configure-portal-windows-vm.md)    
-1. Assign Azure Service Bus Data Owner, Azure Service Bus Data Sender, or Azure Service Bus Data Receiver role to the managed identity at the appropriate scope (Azure subscription, resource group, Service Bus namespace, or Service Bus queue or topic). For instructions to assign a role to a managed identity, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).
-1. In your application, use the managed identity and the endpoint to Service Bus namespace to connect to the namespace. 
+## Assign a Service Bus role to the managed identity
 
-    For example, in .NET, you use the [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient.-ctor#azure-messaging-servicebus-servicebusclient-ctor(system-string-azure-core-tokencredential)) constructor that takes `TokenCredential` and `fullyQualifiedNamespace` (a string, for example: `cotosons.servicebus.windows.net`) parameters to connect to Service Bus using the managed identity. You pass in [DefaultAzureCredential](/dotnet/api/azure.identity.defaultazurecredential), which derives from `TokenCredential` and uses the managed identity. In `DefaultAzureCredentialOptions`, set the `ManagedIdentityClientId` to the ID of client's managed identity.
+Microsoft Entra authorizes access to secured resources through [Azure role-based access control (RBAC)](../role-based-access-control/overview.md). Azure Service Bus provides Azure built-in roles that encompass common sets of permissions used to access Service Bus entities. You can also define custom roles.
 
-    ```csharp
-    string fullyQualifiedNamespace = "<your namespace>.servicebus.windows.net>";
-    string userAssignedClientId = "<your managed identity client ID>";
+The following table lists the Azure built-in roles for authorizing access to a Service Bus namespace:
 
-    var credential = new DefaultAzureCredential(
-        new DefaultAzureCredentialOptions
-        {
-            ManagedIdentityClientId = userAssignedClientId
-        });
+| Role | Description |
+|------|-------------|
+| [Azure Service Bus Data Owner](../role-based-access-control/built-in-roles.md#azure-service-bus-data-owner) | Full access to Service Bus namespace and its entities (queues, topics, subscriptions, and filters) |
+| [Azure Service Bus Data Sender](../role-based-access-control/built-in-roles.md#azure-service-bus-data-sender) | Send messages to Service Bus queues and topics |
+| [Azure Service Bus Data Receiver](../role-based-access-control/built-in-roles.md#azure-service-bus-data-receiver) | Receive messages from Service Bus queues and subscriptions |
 
-    var sbusClient = new ServiceBusClient(fullyQualifiedNamespace, credential);
-    ```    
+### Assign a role in the Azure portal
 
-    > [!IMPORTANT]
-    > You can disable local or SAS key authentication for a Service Bus namespace and allow only Microsoft Entra authentication. For step-by-step instructions, see [Disable local authentication](disable-local-authentication.md).
-    
-## Azure built-in roles for Azure Service Bus
-Microsoft Entra authorizes access to secured resources through [Azure role-based access control (RBAC)](../role-based-access-control/overview.md). Azure Service Bus defines a set of Azure built-in roles that encompass common sets of permissions used to access Service Bus entities. You can also define custom roles for accessing the data. 
+To assign a role to a managed identity in the Azure portal:
 
-Azure provides the following Azure built-in roles for authorizing access to a Service Bus namespace:
+1. Go to your Service Bus namespace, queue, or topic.
+1. Select **Access control (IAM)** from the left menu.
+1. Select **Add** > **Add role assignment**.
+1. On the **Role** tab, select the appropriate Service Bus data role.
+1. On the **Members** tab, select **Managed identity**, then select **Select members**.
+1. Select the managed identity for your Azure resource.
+1. Select **Review + assign**.
 
-- [Azure Service Bus Data Owner](../role-based-access-control/built-in-roles.md#azure-service-bus-data-owner): Use this role to allow full access to Service Bus namespace and its entities (queues, topics, subscriptions, and filters)
-- [Azure Service Bus Data Sender](../role-based-access-control/built-in-roles.md#azure-service-bus-data-sender): Use this role to allow sending messages to Service Bus queues and topics.
-- [Azure Service Bus Data Receiver](../role-based-access-control/built-in-roles.md#azure-service-bus-data-receiver): Use this role to allow receiving messages from Service Bus queues and subscriptions. 
+For more information, see [Assign Azure roles using the Azure portal](../role-based-access-control/role-assignments-portal.md).
 
-To assign a role to a managed identity in the Azure portal, use the **Access control (IAM)** page. Navigate to this page by selecting **Access control (IAM)** on the **Service Bus Namespace** page or **Service Bus queue** page, or **Service Bus topic** page. For step-by-step instructions for assigning a role, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal). 
+### Choose the resource scope
 
-## Resource scope 
-Before you assign an Azure role to a managed identity, determine the scope of access that the managed identity should have. Best practices dictate that it's always best to grant only the narrowest possible scope.
+Before you assign an Azure role, determine the scope of access that the managed identity needs. Grant only the narrowest possible scope.
 
 The following list describes the levels at which you can scope access to Service Bus resources, starting with the narrowest scope:
 
@@ -56,9 +68,11 @@ The following list describes the levels at which you can scope access to Service
 - **Subscription**: Role assignment applies to all the Service Bus resources in all of the resource groups in the subscription.
 
     > [!NOTE]
-    > Keep in mind that Azure role assignments may take up to five minutes to propagate. 
+    > Azure role assignments might take up to five minutes to propagate.
 
-Currently, the Azure portal doesn't support assigning users, groups, or managed identities to Service Bus Azure roles at the topic's subscription level. Here's an example of using the Azure CLI command: [az-role-assignment-create](/cli/azure/role/assignment?#az-role-assignment-create) to assign an identity to a Service Bus Azure role: 
+### Assign a role using Azure CLI
+
+The Azure portal doesn't support assigning managed identities to Service Bus roles at the topic subscription level. Use the Azure CLI [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to assign a role at any scope: 
 
 ```azurecli
 az role assignment create \
@@ -70,30 +84,35 @@ az role assignment create \
 For more information about how built-in roles are defined, see [Understand role definitions](../role-based-access-control/role-definitions.md#control-and-data-actions). For information about creating Azure custom roles, see [Azure custom roles](../role-based-access-control/custom-roles.md).
 
 > [!NOTE]
-> If the source service or app doesn't restart after the access to a Service Bus entity is disabled by removing the source's managed identity from the Service Bus RBAC role, the source app may continue to send/receive messages to/from the Service Bus entity until the token expires (default token validity is 24 hours). This behavior is by design. 
+> If the source service or app doesn't restart after you remove its managed identity from the Service Bus RBAC role, the source app might continue to send or receive messages to or from the Service Bus entity until the token expires (default token validity is 24 hours). This behavior is by design. 
 >
-> Therefore, after you remove the source's managed identity from the RBAC role, restart the source app or service to immediately expire the token and prevent it from sending messages to or receiving messages from the Service Bus entity. 
+> After you remove the source's managed identity from the RBAC role, restart the source app or service to immediately expire the token and prevent it from sending or receiving messages from the Service Bus entity. 
+
+## Connect to Service Bus using managed identity in Azure SDKs
 
-## Using SDKs
+Azure SDKs for .NET, Java, JavaScript, and Python support managed identity authentication with Service Bus. The following example shows how to connect using the .NET SDK.
 
 In .NET, the [ServiceBusClient](/dotnet/api/azure.messaging.servicebus.servicebusclient) object is initialized by using a constructor that takes a fully qualified namespace and a `TokenCredential`. The `DefaultAzureCredential` derives from `TokenCredential`, which automatically uses the managed identity configured for the app. The flow of the managed identity context to Service Bus and the authorization handshake are automatically handled by the token credential. It's a simpler model than using SAS.
 
 ```csharp
-var client = new ServiceBusClient('cotosons.servicebus.windows.net', new DefaultAzureCredential());
+var client = new ServiceBusClient("contoso.servicebus.windows.net", new DefaultAzureCredential());
 ```
 
 You send and receive messages as usual using [ServiceBusSender](/dotnet/api/azure.messaging.servicebus.servicebussender) and [ServiceBusReceiver](/dotnet/api/azure.messaging.servicebus.servicebusreceiver) or [ServiceBusProcessor](/dotnet/api/azure.messaging.servicebus.servicebusprocessor). 
 
-For complete step-by-step instructions to send and receive messages using a managed identity, see the following quickstarts. These quickstarts have the code to use a service principal to send and receive messages, but the code is the same for using a managed identity.  
+For step-by-step instructions to send and receive messages using a managed identity, see the following quickstarts. These quickstarts have the code to use a service principal to send and receive messages, but the code is the same for using a managed identity.  
 
-- [.NET](service-bus-dotnet-get-started-with-queues.md).
-- [Java](service-bus-java-how-to-use-queues.md).
+- [.NET](service-bus-dotnet-get-started-with-queues.md)
+- [Java](service-bus-java-how-to-use-queues.md)
 - [JavaScript](service-bus-nodejs-how-to-use-queues.md)
 - [Python](service-bus-python-how-to-use-queues.md)
 
 > [!NOTE]
-> The managed identity works only inside the Azure environment, on App services, Azure VMs, and scale sets. For .NET applications, the Microsoft.Azure.Services.AppAuthentication library, which is used by the Service Bus NuGet package, provides an abstraction over this protocol and supports a local development experience. This library also allows you to test your code locally on your development machine, using your user account from Visual Studio, Azure CLI 2.0, or Active Directory Integrated Authentication. For more on local development options with this library, see [Service-to-service authentication to Azure Key Vault using .NET](/dotnet/api/overview/azure/service-to-service-authentication).  
+> Managed identities work only inside the Azure environment, on App Service, Azure VMs, and scale sets. For .NET applications, the Microsoft.Azure.Services.AppAuthentication library, which the Service Bus NuGet package uses, provides an abstraction over this protocol and supports a local development experience. This library also lets you test your code locally on your development machine, using your user account from Visual Studio, Azure CLI, or Microsoft Entra Integrated Authentication. For more on local development options with this library, see [Service-to-service authentication to Azure Key Vault using .NET](/dotnet/api/overview/azure/service-to-service-authentication).  
 
 
 ## Next steps
-See [this .NET web application sample on GitHub](https://github.com/Azure-Samples/app-service-msi-servicebus-dotnet/tree/master), which uses a managed identity to connect to Service Bus to send and receive messages. Add the identity of the app service to the **Azure Service Bus Data Owner** role. 
+
+- [Sample: .NET web application using managed identity with Service Bus](https://github.com/Azure-Samples/app-service-msi-servicebus-dotnet/tree/master)
+- [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md)
+- [Disable local authentication for Service Bus](disable-local-authentication.md)