Merge pull request #311006 from dominicbetts/aio-connector-security

AIO: Clarify connector and certificate security

Author: Carolyn135

articles/iot-operations/discover-manage-assets/howto-configure-opc-ua.md

@@ -40,6 +40,10 @@ Your IT administrator must configure the OPC UA connector template for your Azur
 
 An OPC UA server that you can reach from your Azure IoT Operations cluster. If you don't have an OPC UA server, use the OPC PLC simulator from the Azure IoT Operations samples repository.
 
+## Configure a certificate trust list for the connector
+
+[!INCLUDE [connector-certificate-application](../includes/connector-certificate-application.md)]
+
 ## Create a device
 
 An Azure IoT Operations deployment can include a sample OPC PLC simulator. To create a device that uses the OPC PLC simulator:
@@ -152,8 +156,6 @@ To use the `UsernamePassword` authentication mode, complete the following steps:
 
 ### Other security options
 
-To manage the trusted certificates list for the connector for OPC UA, see [Manage certificates for external communications](../secure-iot-ops/howto-manage-certificates.md#manage-certificates-for-external-communications).
-
 When you create the inbound endpoint, you can also select:
 
 | Option | Type | Description |
@@ -384,7 +386,7 @@ Now you can define the events associated with the asset. To add OPC UA events in
 
 ### Event filters
 
-Define event filters to customize the information that's included in event notifications from the server. By default, the server sends a selection of standard fields in event notifications. The server determines the exact selection for each event type. For example:
+Define event filters to customize the information included in event notifications from the server. By default, the server sends a selection of standard fields in event notifications. The server determines the exact selection for each event type. For example:
 
 ```json
 {
@@ -401,7 +403,7 @@ Define event filters to customize the information that's included in event notif
 
 Use an event filter to:
 
-- Include additional fields in event notifications.
+- Include extra fields in event notifications.
 - Exclude fields from event notifications.
 - Modify field names in event notifications.
 
@@ -424,7 +426,7 @@ The three properties for a filter row are:
 - _Type definition ID_. Optional value that specifies the OPC UA type definition of the source field.
 - _Field ID_. Optional value that specifies the name to use for the field in the forwarded event notification. If you don't specify a field ID, the original field name is used.
 
-The resulting message forwarded by the connector now looks like the following:
+The resulting message forwarded by the connector now looks like the following example:
 
 ```json
 {
@@ -527,7 +529,7 @@ resource asset 'Microsoft.DeviceRegistry/namespaces/assets@2025-10-01' existing
 output asset object = asset
 ```
 
-To update an existing asset, for example to modify the description and add a data point, use a template like the following:
+To update an existing asset, for example to modify the description and add a data point, use a template like the following example:
 
 ```bicep
 param aioNamespaceName string = '<AIO_NAMESPACE_NAME>'

articles/iot-operations/discover-manage-assets/howto-use-http-connector.md

@@ -18,24 +18,24 @@ In Azure IoT Operations, the connector for HTTP/REST enables access to data from
 
 [!INCLUDE [iot-operations-device-definition](../includes/iot-operations-device-definition.md)]
 
-The connector for HTTP/REST supports the following features:
-
-- Automatic retries when sampling failures occur. Reports a failed status for errors that can't be retried.
-- Integration with OpenTelemetry.
-- Use of _device endpoints_ and _assets_.
-- Optionally transform incoming data using WASM modules.
-- Device endpoint and asset definition validation for REST compatibility.
-- Multiple authentication methods:
-  - Username/password basic HTTP authentication
-  - x509 client certificates
-  - Anonymous access for testing purposes
-- To establish a TLS connection to the HTTP endpoint, you can configure a certificate trust list for the connector.
+The following table summarizes the features the connector for HTTP/REST currently supports:
+
+| Feature | Supported | Notes |
+|---------|:---------:|-------|
+| Username/password authentication | Yes | Basic HTTP authentication |
+| X.509 client certificates | Yes | Certificates for client authentication and authorization |
+| Anonymous access | Yes | For testing purposes |
+| Certificate trust list | Yes | For secure TLS connections to the HTTP endpoint |
+| OpenTelemetry integration | Yes | |
+| Automatic retries | Yes | Reports failed status for nonretryable errors |
+| WASM data transformation | Yes | Optionally transform incoming data |
+| Schema generation | Yes | Registers inferred schema with the schema registry |
 
 For each configured dataset, the connector for HTTP/REST:
 
-- Performs a GET request to the address specified in the device endpoint and appends the dataset's data source from the asset.
-- Generates a message schema for each dataset based on the data it receives, and registers it with Schema Registry and Azure Device Registry.
-- Forwards the data to the specified destination.
+1. Performs a GET request to the address specified in the device endpoint and appends the dataset's data source from the asset.
+1. Generates a message schema for each dataset based on the data it receives, and registers it with the schema registry in Azure Device Registry.
+1. Forwards the data to the specified destination.
 
 This article explains how to use the connector for HTTP/REST to perform tasks such as:
 
@@ -56,6 +56,10 @@ You need any credentials required to access the HTTP source. If the HTTP source
 
 [!INCLUDE [deploy-connectors-simple](../includes/deploy-connectors-simple.md)]
 
+### Configure a certificate trust list for the connector
+
+[!INCLUDE [connector-certificate-application](../includes/connector-certificate-application.md)]
+
 ## Create a device
 
 To configure the connector for HTTP/REST, first create a device that defines the connection to the HTTP source. The device includes the URL of the HTTP source and any credentials you need to access the HTTP source:
@@ -160,11 +164,7 @@ To use the `Username password` authentication mode, complete the following steps
 
 ### Configure a device to use an X.509 certificate
 
-[!INCLUDE [connector-certificate](../includes/connector-certificate.md)]
-
-### Configure a certificate trust list for a device to use
-
-To manage the trusted certificates list for the connector for HTTP/REST, see [Manage certificates for external communications](../secure-iot-ops/howto-manage-certificates.md#manage-certificates-for-external-communications).
+[!INCLUDE [connector-certificate-user](../includes/connector-certificate-user.md)]
 
 ## Create an asset
 

articles/iot-operations/discover-manage-assets/howto-use-media-connector.md

@@ -18,24 +18,36 @@ In Azure IoT Operations, the media connector enables access to media from media
 
 [!INCLUDE [iot-operations-device-definition](../includes/iot-operations-device-definition.md)]
 
+The following table summarizes the features the media connector supports:
+
+| Feature | Supported | Notes |
+|---------|:---------:|-------|
+| Username/password authentication | Yes | Basic HTTP authentication |
+| X.509 client certificates | No | |
+| Anonymous access | Yes | For testing purposes |
+| Certificate trust list | Yes | For secure TLS connections to to media sources |
+| OpenTelemetry integration | Yes | |
+| Northbound username/password authentication | Yes | For RTSP and RTSPS endpoints |
+| Northbound anonymous access | Yes | For RTSP and RTSPS endpoints |
+| Northbound certificate trust list | Yes | For secure connections to RTSPS endpoints only |
+| Snapshot to MQTT | Yes | Publish image snapshots to MQTT topics |
+| Clip to file system | Yes | Save video clips to local storage |
+| Snapshot to file system | Yes | Save image snapshots to local storage |
+| Stream to RTSP/RTSPS | Yes | Proxy live video streams to an RTSP or RTSPS endpoint |
+
+For each configured stream, the connector for media:
+
+1. Opens a connection to the stream from the media source.
+1. Generates clips, captures snapshots, or proxies the stream as specified in the stream configuration.
+1. Sends the media to the specified destination.
+
 This article explains how to use the media connector to perform tasks such as:
 
 - Define the devices that connect media sources to your Azure IoT Operations instance.
 - Add assets, and define their streams for capturing media from the media source.
 - Send an image snapshot to the MQTT broker.
 - Save a video clip to Azure storage.
 
-The media connector supports the following southbound authentication methods:
-  - Username/password authentication
-  - Anonymous access for testing purposes
-
-To establish a TLS connection to the media source, you can configure a certificate trust list for the connector.
-
-The media connector supports the following northbound authentication methods:    
-  - Username/password for RTSP and RTSPS endpoints
-  - Anonymous access for testing purposes on RTSP and RTSPS endpoints
-  - Certificate trust list for RTSPS endpoints only
-
 ## Prerequisites
 
 To configure devices and assets, you need a running instance of Azure IoT Operations.
@@ -90,6 +102,10 @@ Example uses of the media connector include:
 
 [!INCLUDE [deploy-connectors](../includes/deploy-connectors.md)]
 
+### Configure a certificate trust list for the connector
+
+[!INCLUDE [connector-certificate-application](../includes/connector-certificate-application.md)]
+
 ## Create a device with a media endpoint
 
 To configure the media connector, first create a device that defines the connection to the media source. The device includes the URL of the media source and any credentials you need to access the media source:
@@ -190,10 +206,6 @@ To use the `Username password` authentication mode, complete the following steps
 
 ---
 
-### Configure a certificate trust list for a device to use
-
-To manage the trusted certificates list for the media connector, see [Manage certificates for external communications](../secure-iot-ops/howto-manage-certificates.md#manage-certificates-for-external-communications).
-
 ## Create an asset to publish an image snapshot
 
 To define an asset that publishes an image snapshot from the media source to the MQTT broker:
@@ -300,7 +312,7 @@ The following steps show you how to run the **mosquitto_sub** tool in the cluste
 
 [!INCLUDE [deploy-mqttui](../includes/deploy-mqttui.md)]
 
-To save the payload of a single message, use a command like the following:
+To save the payload of a single message, use a command like the following example:
 
 ```bash
 mosquitto_sub --host aio-broker --port 18883 --topic "azure-iot-operations/data/my-camera/#" -C 1 -F %p --cafile /var/run/certs/

articles/iot-operations/discover-manage-assets/howto-use-mqtt-connector.md

@@ -12,20 +12,29 @@ ms.date: 10/21/2025
 
 # Configure the connector for MQTT (preview)
 
-This is a preview version of the connector for MQTT connector that lets you model external MQTT endpoints as assets in Azure IoT Operations. The MQTT connector can detect new topic paths as they appear, you can view the custom resources that represent the detected topics.
+This preview version of the connector for MQTT connector lets you model external MQTT endpoints as assets in Azure IoT Operations. The MQTT connector can detect new topic paths as they appear, you can view the custom resources that represent the detected topics.
 
 [!INCLUDE [iot-operations-asset-definition](../includes/iot-operations-asset-definition.md)]
 
 [!INCLUDE [iot-operations-device-definition](../includes/iot-operations-device-definition.md)]
 
-The connector for MQTT (preview) supports the following features:
+The following table summarizes the features the connector for MQTT (preview) supports:
 
-- Enables topics from MQTT device to be represented as assets in Azure Device Registry (ADR).
-- Establishes communication with MQTT broker for northbound and southbound connections.
-- Detects new topics that appear under a given topic path and communicates with Akri. Akri creates the _detected asset_ custom resource ready for OT approval and import into ADR.
-- Detects new topics that appear under a given MQTT wildcard path and communicates with Akri. Akri creates the _detected asset_ custom resource ready for OT approval and import into ADR.
-- For approved or imported assets, the connector copies data from raw paths to user-assigned unified namespace paths.
-- Follows MQTTS practices for secure communications with the Azure IoT Operations MQTT broker.
+| Feature | Supported | Notes |
+|---------|:---------:|-------|
+| Username/password authentication | Yes | Basic HTTP authentication |
+| X.509 client certificates | No | |
+| Anonymous access | Yes | For testing purposes |
+| Certificate trust list | Yes | MQTTS for secure communications with the inbound endpoint |
+| OpenTelemetry integration | Yes | |
+| WASM data transformation | No | |
+| Schema generation | Yes | Registers inferred schema with the schema registry |
+
+The connector for MQTT:
+
+1. Detects new topics that appear under a given topic path or MQTT wildcard path and communicates with Akri.
+1. Akri creates the *detected asset* custom resource ready for OT approval and import into Azure Device Registry.
+1. For approved or imported assets, the connector for MQTT subscribes to the topics and forwards the data to the unified namespace topics you specify.
 
 This article explains how to use the connector for MQTT to perform tasks such as:
 
@@ -38,14 +47,18 @@ This article explains how to use the connector for MQTT to perform tasks such as
 
 [!INCLUDE [iot-operations-entra-id-setup](../includes/iot-operations-entra-id-setup.md)]
 
-Your IT administrator must have configured the connector for MQTT template for your Azure IoT Operations instance in the Azure portal.
+Your IT administrator must configure the connector for MQTT template for your Azure IoT Operations instance in the Azure portal.
 
 You need any credentials required to access the MQTT source. If the MQTT source requires authentication, you need to create a Kubernetes secret that contains the username and password for the MQTT source.
 
 ## Deploy the connector for MQTT
 
 [!INCLUDE [deploy-connectors-simple](../includes/deploy-connectors-simple.md)]
 
+### Configure a certificate trust list for the connector
+
+[!INCLUDE [connector-certificate-application](../includes/connector-certificate-application.md)]
+
 ## Create a device
 
 To configure the connector for MQTT, first create a device that defines the connection to the MQTT topic to subscribe from. The device includes the address of the MQTT topic and any credentials you need to access it:
@@ -88,10 +101,6 @@ To use the `Username password` authentication mode:
 
 [!INCLUDE [connector-username-password-portal](../includes/connector-username-password-portal.md)]
 
-### Configure a certificate trust list for a device to use
-
-To manage the trusted certificates list for the connector for MQTT, see [Manage certificates for external communications](../secure-iot-ops/howto-manage-certificates.md#manage-certificates-for-external-communications).
-
 ## Discover and create assets
 
 When you send a message to a topic that matches the topic filter you specified when creating the device, the connector for MQTT detects the new topic and creates a _detected asset_ custom resource. For example, if you specified the topic filter as `A/B/+`, and you send a message to the topic `A/B/asset1`, the connector for MQTT detects the new topic and creates a _detected asset_ that you can view in the operations experience web UI:
@@ -112,7 +121,7 @@ To create an asset from the detected asset, follow these steps:
     :::image type="content" source="media/howto-use-mqtt-connector/detected-asset-dataset.png" alt-text="Screenshot that shows the dataset created from the detected asset." lightbox="media/howto-use-mqtt-connector/detected-asset-dataset.png":::
 
     > [!TIP]
-    > You can add more datasets if required to capture messages from other topics.
+    > You can add more datasets if necessary to capture messages from other topics.
 
     Select **Next** to continue.
 

articles/iot-operations/discover-manage-assets/howto-use-onvif-connector.md

@@ -12,12 +12,27 @@ ms.date: 12/11/2025
 
 # Configure the connector for ONVIF
 
-In Azure IoT Operations, the connector for ONVIF enables you to discover and use an [ONVIF conformant](https://www.onvif.org/profiles-add-ons-specifications/) camera that's connected to your Azure IoT Operations cluster.
+In Azure IoT Operations, the connector for ONVIF enables you to discover and use an [ONVIF conformant](https://www.onvif.org/profiles-add-ons-specifications/) camera  connected to your Azure IoT Operations cluster.
 
 [!INCLUDE [iot-operations-asset-definition](../includes/iot-operations-asset-definition.md)]
 
 [!INCLUDE [iot-operations-device-definition](../includes/iot-operations-device-definition.md)]
 
+The following table summarizes the features the connector for ONVIF supports:
+
+| Feature | Supported | Notes |
+|---------|:---------:|-------|
+| Username/password authentication | Yes | |
+| X.509 client certificates | No | |
+| Anonymous access | Yes | For testing purposes |
+| Certificate trust list | Yes | For secure TLS connections to ONVIF cameras |
+| OpenTelemetry integration | Yes | |
+| Device discovery | Yes | Discovers ONVIF cameras on the network |
+| Capability discovery | Yes | Discovers PTZ and other device capabilities |
+| Media endpoint discovery | Yes | Discovers media streams, framerate, resolution, encoding |
+| Camera configuration | Yes | Retrieve and update camera settings |
+| PTZ control | Yes | Control pan, tilt, and zoom |
+
 The connector connects ONVIF cameras to your Azure IoT Operations instance and registers them in the Azure Device Registry. The connector then automatically discovers:
 
 - The capabilities, such as pan-tilt-zoom (PTZ), of the ONVIF device.
@@ -45,12 +60,6 @@ This article describes how to use the operations experience web UI and Azure CLI
 - Create a device that represents the media endpoints exposed by the ONVIF camera.
 - Create an asset that captures snapshots from the media endpoint and publishes them to the MQTT broker.
 
-The connector for ONVIF supports the following authentication methods:
-  - Username/password authentication
-  - Anonymous access for testing purposes
-
-To establish a TLS connection to the ONVIF camera, you can configure a certificate trust list for the connector.
-
 ## Prerequisites
 
 [!INCLUDE [enable-resource-sync-rules](../includes/enable-resource-sync-rules.md)]
@@ -80,6 +89,10 @@ The connector enables support for the following capabilities:
 
 [!INCLUDE [deploy-connectors-simple](../includes/deploy-connectors-simple.md)]
 
+### Configure a certificate trust list for the connector
+
+[!INCLUDE [connector-certificate-application](../includes/connector-certificate-application.md)]
+
 ## Create a device with an ONVIF endpoint
 
 To add a device that includes an ONVIF endpoint for a compliant camera:
@@ -172,8 +185,6 @@ To use the `Username password` authentication mode, complete the following steps
 
 ### Other security options
 
-To manage the trusted certificates list for the connector for ONVIF, see [Manage certificates for external communications](../secure-iot-ops/howto-manage-certificates.md#manage-certificates-for-external-communications).
-
 When you create the inbound endpoint in the operations experience, you can also select the following options on the **Advanced** tab:
 
 | Option | Type | Description |