[DOC-368] Azure workload identity docs changes (#22881)

* added info

* minor edit

* change from review

* changes from review and copy to stable

* review comment fix

* refined the order

* edits

* edits

* minor edits

* review comments

* copy to stable

---------

Co-authored-by: Dwight Hodge <[email protected]>

docs/content/preview/yugabyte-platform/configure-yugabyte-platform/aws.md

@@ -101,7 +101,7 @@ Enter a Provider name. The Provider name is an internal tag used for organizing
 
 **Credential Type**. YBA requires the ability to create VMs in AWS. To do this, you can do one of the following:
 
-- **Specify Access ID and Secret Key** - Create an AWS Service Account with the required permissions (refer to [Cloud permissions](../../prepare/cloud-permissions/cloud-permissions-nodes/)), and provide your AWS Access Key ID and Secret Access Key.
+- **Specify Access ID and Secret Key** - Create an AWS Service Account with the required permissions (refer to [Cloud permissions](../../prepare/cloud-permissions/cloud-permissions-nodes-aws/)), and provide your AWS Access Key ID and Secret Access Key.
 - **Use IAM Role from this YBA host's instance** - Provision the YBA VM instance with an IAM role that has sufficient permissions by attaching an [IAM role](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) to the YBA VM in the **EC2** tab. This option is only available if YBA is installed on AWS.
 
 **Use AWS Route 53 DNS Server**. Choose whether to use the cloud DNS Server / load balancer for universes deployed using this provider. Generally, SQL clients should prefer to use [smart client drivers](../../../drivers-orms/smart-drivers/) to connect to cluster nodes, rather than load balancers. However, in some cases (for example, if no smart driver is available in the language), you may use a DNS Server or load-balancer. The DNS Server acts as a load-balancer that routes clients to various nodes in the database universe. YBA integrates with [Amazon Route53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html) to provide managed Canonical Name (CNAME) entries for your YugabyteDB universes, and automatically updates the DNS entry as nodes get created, removed, or undergo maintenance.

docs/content/preview/yugabyte-platform/configure-yugabyte-platform/azure.md

@@ -51,13 +51,13 @@ When deploying a universe, YBA uses the provider configuration settings to do th
 
 ## Prerequisites
 
-You need to add the following Azure cloud provider credentials via YBA:
+You need to add the following Azure cloud provider credentials:
 
+- Application client ID and (if using credentials) client secret
+- Resource group name
 - Subscription ID
 - Tenant ID
 - SSH port and user
-- Application client ID and secret
-- Resource group
 
 YBA uses the credentials to automatically provision and deprovision YugabyteDB instances.
 
@@ -107,11 +107,29 @@ Enter a Provider name. The Provider name is an internal tag used for organizing
 
 ### Cloud Info
 
-- **Client ID** represents the [ID of an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret) registered in your Azure Active Directory.
-- **Client Secret** represents the secret of an application registered in your Azure Active Directory. You need to enter the `Value` of the secret (not the `Secret ID`).
-- **Resource Group** represents the group in which YugabyteDB nodes compute and network resources are created. Your Azure Active Directory application (client ID and client secret) needs to have `Network Contributor` and `Virtual Machine Contributor` roles assigned for this resource group.
-- **Subscription ID** is required for cost management. The virtual machine resources managed by YBA are tagged with this subscription.
-- **Tenant ID** represents the Azure Active Directory tenant ID which belongs to an active subscription. To find your tenant ID, follow instructions provided in [How to find your Azure Active Directory tenant ID](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-find-tenant).
+Enter the following details of your Azure cloud account, as described in [Azure cloud permissions](../../prepare/cloud-permissions/cloud-permissions-nodes-azure/).
+
+#### Client ID
+
+Provide the ID of the application you registered with the Microsoft Identity Platform.
+
+#### Credential type
+
+If you [added credentials](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret#add-credentials) in the form of a client secret to your registered application:
+
+1. Select **Specify Client Secret**.
+1. Enter the Client Secret of the application associated with the Client ID you provided. You need to enter the `Value` of the secret (not the `Secret ID`).
+
+If you are using the [managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/qs-configure-portal-windows-vm) of the Azure VM hosting YugabyteDB Anywhere to authenticate:
+
+- Select **Use Managed Identity from this YBA host's instance**.
+
+#### Additional fields
+
+- **Resource Group** is the name of the resource group you created for your application, and in which YugabyteDB node compute and network resources will be created.
+- **Subscription ID** is required for cost management. The virtual machine resources managed by YBA are tagged with this subscription. To get the subscription ID, open Subscriptions in Azure portal and find your subscription. Then, copy the Subscription ID.
+- Optionally, if you created a different resource group for your network interfaces, provide the **Network Resource Group** name and the associated **Network Subscription ID**. If you do not provide a Network Resource Group or Subscription ID, network resources will be created in the default resource group.
+- **Tenant ID** represents the tenant ID which belongs to an active subscription. To find your tenant ID, follow instructions provided in [How to find your Microsoft Entra tenant ID](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant).
 - **Private DNS zone** lets you use a custom domain name for the nodes in your universe. For details and instructions, see [Define a private DNS zone](#define-a-private-dns-zone).
 
 ### Regions

docs/content/preview/yugabyte-platform/configure-yugabyte-platform/gcp.md

@@ -110,7 +110,7 @@ Enter a Provider name. The Provider name is an internal tag used for organizing
 
 ### Cloud Info
 
-If your YBA instance is not running inside GCP, you need to supply YBA with credentials to the desired GCP project by uploading a configuration file. To do this, set **Credential Type** to **Upload Service Account config** and proceed to upload the JSON file that you obtained when you created your service account, as described in [Cloud permissions](../../prepare/cloud-permissions/cloud-permissions-nodes/).
+If your YBA instance is not running inside GCP, you need to supply YBA with credentials to the desired GCP project by uploading a configuration file. To do this, set **Credential Type** to **Upload Service Account config** and proceed to upload the JSON file that you obtained when you created your service account, as described in [Cloud permissions](../../prepare/cloud-permissions/cloud-permissions-nodes-gcp/).
 
 If your YBA instance is running inside GCP, the preferred method for authentication to the GCP APIs is to add a service account role to the GCP instance running YBA and then configure YBA to use the instance's service account. To do this, set **Credential Type** to **Use service account from this YBA host's instance**.
 

docs/content/preview/yugabyte-platform/prepare/cloud-permissions/cloud-permissions-nodes-aws.md

@@ -123,8 +123,8 @@ If using a service account, record the following two pieces of information about
 
 | Save for later | To configure |
 | :--- | :--- |
-| Access key ID | [AWS cloud provider](../../../configure-yugabyte-platform/aws/) |
-| Secret Access Key | [AWS cloud provider](../../../configure-yugabyte-platform/aws/) |
+| Access key ID | [AWS provider configuration](../../../configure-yugabyte-platform/aws/) |
+| Secret Access Key | |
 
 ### IAM role
 
@@ -178,4 +178,4 @@ If you will be using your own custom SSH keys, then ensure that you have them wh
 
 | Save for later | To configure |
 | :--- | :--- |
-| Custom SSH keys | [AWS provider](../../../configure-yugabyte-platform/kubernetes/) |
+| Custom SSH keys | [AWS provider configuration](../../../configure-yugabyte-platform/kubernetes/) |

docs/content/preview/yugabyte-platform/prepare/cloud-permissions/cloud-permissions-nodes-azure.md

@@ -52,30 +52,46 @@ The more permissions that you can provide, the more YBA can automate.
 
 ## Azure
 
-The following permissions are required for the Azure resource group where you will deploy.
+### Application and resource group
+
+YugabyteDB Anywhere requires cloud permissions to create VMs. You grant YugabyteDB Anywhere access to manage Azure resources such as VMs by registering an application in the Azure portal so the Microsoft identity platform can provide authentication and authorization services for your application. Registering your application establishes a trust relationship between your application and the Microsoft identity platform.
+
+In addition, your Azure application needs to have a [resource group](https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview#resource-groups) with the following permissions:
 
 ```sh
 Network Contributor
 Virtual Machine Contributor 
 ```
 
-To grant the required access, you can do one of the following:
+You can optionally create a resource group for network resources if you want network interfaces to be created separately. The network resource group must have the `Network Contributor` permission.
+
+For more information on registering applications, refer to [Register an application with the Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate) in the Microsoft Entra documentation.
+
+For more information on roles, refer to [Assign Azure roles using the Azure portal](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=delegate-condition) in the Microsoft Azure documentation.
+
+### Credentials
+
+YugabyteDB Anywhere can authenticate with Azure using one of the following methods:
+
+- [Add credentials](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret#add-credentials), in the form of a client secret, to your registered application.
 
-- [Register an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) in the Azure portal so the Microsoft identity platform can provide authentication and authorization services for your application. Registering your application establishes a trust relationship between your application and the Microsoft identity platform.
+    For information on creating client secrets, see [Create a new client secret](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#option-3-create-a-new-client-secret) in the Microsoft Entra documentation.
 
-- [Assign a managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/qs-configure-portal-windows-vm) to the Azure VM hosting YugabyteDB Anywhere.
+- [Assign a managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/qs-configure-portal-windows-vm) to the Azure VM hosting YugabyteDB Anywhere. Azure will use the managed identity assigned to your instance to authenticate.
 
-For information on assigning roles to applications, see [Assign a role to an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#assign-a-role-to-the-application); and assigning roles for managed identities, see [Assign Azure roles using the Azure portal](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=delegate-condition) in the Microsoft Azure documentation.
+    For information on assigning roles for managed identities, see [Assign Azure roles using the Azure portal](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=delegate-condition) in the Microsoft Azure documentation.
 
-If you are registering an application, record the following information about your service account. You will need to provide this information later to YBA.
+Record the following information about your service account. You will need to provide this information later when creating an Azure provider configuration.
 
 | Save for later | To configure |
 | :--- | :--- |
-| **Service account details** | [Azure cloud provider](../../../configure-yugabyte-platform/azure/) |
+| **Service account details** | [Azure provider configuration](../../../configure-yugabyte-platform/azure/) |
 | Client ID: | |
-| Client Secret: | |
+| Client Secret:<br>(not required when using managed identity) | |
 | Resource Group: | |
 | Subscription ID: | |
+| (Optional) Network Resource Group: | |
+| (Optional) Network Subscription ID: | |
 | Tenant ID: | |
 
 ## Managing SSH keys for VMs
@@ -89,4 +105,4 @@ If you will be using your own custom SSH keys, then ensure that you have them wh
 
 | Save for later | To configure |
 | :--- | :--- |
-| Custom SSH keys | [Azure provider](../../../configure-yugabyte-platform/azure/) |
+| Custom SSH keys | [Azure provider configuration](../../../configure-yugabyte-platform/azure/) |

docs/content/preview/yugabyte-platform/prepare/cloud-permissions/cloud-permissions-nodes-gcp.md

@@ -70,7 +70,7 @@ Then use one of the following methods:
 
 | Save for later | To configure |
 | :--- | :--- |
-| Service account JSON | [GCP cloud provider](../../../configure-yugabyte-platform/gcp/) |
+| Service account JSON | [GCP provider configuration](../../../configure-yugabyte-platform/gcp/) |
 
 ## Managing SSH keys for VMs
 
@@ -83,4 +83,4 @@ If you will be using your own custom SSH keys, then ensure that you have them wh
 
 | Save for later | To configure |
 | :--- | :--- |
-| Custom SSH keys | [GCP provider](../../../configure-yugabyte-platform/gcp/) |
+| Custom SSH keys | [GCP provider configuration](../../../configure-yugabyte-platform/gcp/) |

docs/content/stable/yugabyte-platform/configure-yugabyte-platform/aws.md

@@ -98,7 +98,7 @@ Enter a Provider name. The Provider name is an internal tag used for organizing
 
 **Credential Type**. YBA requires the ability to create VMs in AWS. To do this, you can do one of the following:
 
-- **Specify Access ID and Secret Key** - Create an AWS Service Account with the required permissions (refer to [Cloud permissions](../../prepare/cloud-permissions/cloud-permissions-nodes/)), and provide your AWS Access Key ID and Secret Access Key.
+- **Specify Access ID and Secret Key** - Create an AWS Service Account with the required permissions (refer to [Cloud permissions](../../prepare/cloud-permissions/cloud-permissions-nodes-aws/)), and provide your AWS Access Key ID and Secret Access Key.
 - **Use IAM Role from this YBA host's instance** - Provision the YBA VM instance with an IAM role that has sufficient permissions by attaching an [IAM role](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) to the YBA VM in the **EC2** tab. This option is only available if YBA is installed on AWS.
 
 **Use AWS Route 53 DNS Server**. Choose whether to use the cloud DNS Server / load balancer for universes deployed using this provider. Generally, SQL clients should prefer to use [smart client drivers](../../../drivers-orms/smart-drivers/) to connect to cluster nodes, rather than load balancers. However, in some cases (for example, if no smart driver is available in the language), you may use a DNS Server or load-balancer. The DNS Server acts as a load-balancer that routes clients to various nodes in the database universe. YBA integrates with [Amazon Route53](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html) to provide managed Canonical Name (CNAME) entries for your YugabyteDB universes, and automatically updates the DNS entry as nodes get created, removed, or undergo maintenance.

docs/content/stable/yugabyte-platform/configure-yugabyte-platform/azure.md

@@ -49,13 +49,13 @@ When deploying a universe, YBA uses the provider configuration settings to do th
 
 ## Prerequisites
 
-You need to add the following Azure cloud provider credentials via YBA:
+You need to add the following Azure cloud provider credentials:
 
+- Application client ID and (if using credentials) client secret
+- Resource group name
 - Subscription ID
 - Tenant ID
 - SSH port and user
-- Application client ID and secret
-- Resource group
 
 YBA uses the credentials to automatically provision and deprovision YugabyteDB instances.
 
@@ -105,11 +105,29 @@ Enter a Provider name. The Provider name is an internal tag used for organizing
 
 ### Cloud Info
 
-- **Client ID** represents the [ID of an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret) registered in your Azure Active Directory.
-- **Client Secret** represents the secret of an application registered in your Azure Active Directory. You need to enter the `Value` of the secret (not the `Secret ID`).
-- **Resource Group** represents the group in which YugabyteDB nodes compute and network resources are created. Your Azure Active Directory application (client ID and client secret) needs to have `Network Contributor` and `Virtual Machine Contributor` roles assigned for this resource group.
-- **Subscription ID** is required for cost management. The virtual machine resources managed by YBA are tagged with this subscription.
-- **Tenant ID** represents the Azure Active Directory tenant ID which belongs to an active subscription. To find your tenant ID, follow instructions provided in [How to find your Azure Active Directory tenant ID](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-find-tenant).
+Enter the following details of your Azure cloud account, as described in [Azure cloud permissions](../../prepare/cloud-permissions/cloud-permissions-nodes-azure/).
+
+#### Client ID
+
+Provide the ID of the application you registered with the Microsoft Identity Platform.
+
+#### Credential type
+
+If you [added credentials](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret#add-credentials) in the form of a client secret to your registered application:
+
+1. Select **Specify Client Secret**.
+1. Enter the Client Secret of the application associated with the Client ID you provided. You need to enter the `Value` of the secret (not the `Secret ID`).
+
+If you are using the [managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/qs-configure-portal-windows-vm) of the Azure VM hosting YugabyteDB Anywhere to authenticate:
+
+- Select **Use Managed Identity from this YBA host's instance**.
+
+#### Additional fields
+
+- **Resource Group** is the name of the resource group you created for your application, and in which YugabyteDB node compute and network resources will be created.
+- **Subscription ID** is required for cost management. The virtual machine resources managed by YBA are tagged with this subscription. To get the subscription ID, open Subscriptions in Azure portal and find your subscription. Then, copy the Subscription ID.
+- Optionally, if you created a different resource group for your network interfaces, provide the **Network Resource Group** name and the associated **Network Subscription ID**. If you do not provide a Network Resource Group or Subscription ID, network resources will be created in the default resource group.
+- **Tenant ID** represents the tenant ID which belongs to an active subscription. To find your tenant ID, follow instructions provided in [How to find your Microsoft Entra tenant ID](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant).
 - **Private DNS zone** lets you use a custom domain name for the nodes in your universe. For details and instructions, see [Define a private DNS zone](#define-a-private-dns-zone).
 
 ### Regions