jwt readme

scenarios/jwt_authentication/README.md

@@ -1,19 +1,10 @@
 # :point_right: JWT Authentication to Event Grid
 
-| [Create the Client Certificate](#lock-create-the-client-certificate) | [Configure Event Grid Namespaces](#triangular_ruler-configure-event-grid-namespaces) | [Configure Mosquitto](#fly-configure-mosquitto) | [Run the Sample](#game_die-run-the-sample) |
+ [Configure Event Grid Namespaces](#triangular_ruler-configure-event-grid-namespaces) |  [Run the Sample](#game_die-run-the-sample) |
 
-This scenario showcases how to authenticate to Azure Event Grid via JWT authentication using MQTT 5. This scenario is identical to `getting_started` in functionality.
+This scenario showcases how to authenticate to Azure Event Grid via JWT authentication using MQTT 5. This scenario is identical to `getting_started` in functionality. 
 
-The sample provides step by step instructions on how to perform following tasks:
-
-- Create the resources including client, topic spaces, permission bindings
-- Use $all client group, which is the default client group with all the clients in a namespace, to authorize publish and subscribe access in permission bindings
-- Create a custom role assignment on the Azure Portal to access Event Grid via Json Web Token (JWT) authentication.
-- Create a JWT, which is used to authenticate to Event Grid.
-- Connect with MQTT 5.0.0
-  - Configure connection settings such as KeepAlive and CleanSession
-- Publish messages to a topic
-- Subscribe to a topic to receive messages
+JWT authentication is documented in [Microsoft Entra JWT authentication and Azure RBAC authorization to publish or subscribe MQTT messages](https://learn.microsoft.com/en-us/azure/event-grid/mqtt-client-microsoft-entra-token-and-rbac) from Event Grid documentation.
 
 To keep the scenario simple, a single client called "sample_client" publishes and subscribes to MQTT messages on topics shown in the table.  
 
@@ -25,39 +16,43 @@ To keep the scenario simple, a single client called "sample_client" publishes an
 ## Prerequisites
 This sample involves configuring Event Grid per the specifications in [getting_started](../getting_started). If that sample has not already been set up and run, it should be done before moving onto this one.
 
-##  :lock: Configure the Json Web Token and AAD Role Assignments
-
-1. Modify the following JSON snippet by adding an Azure subscription Id:
-
-```json
-{ 
-    "properties": { 
-        "roleName": "Event Grid Pub-Sub", 
-        "description": "communicate with Event Grid.", 
-        "assignableScopes": [ 
-            "/subscriptions/<YOUR SUBSCRIPTION ID HERE>"    
-        ], 
-        "permissions": [ 
-            { 
-                "actions": [], 
-                "notActions": [], 
-                "dataActions": [ 
-                    "Microsoft.EventGrid/*" 
-                ], 
-                "notDataActions": [] 
-            } 
-        ] 
-    } 
-} 
+## 🔒 Create an Identity in Microsoft Entra ID
+
+Event Grid namespaces supports JWT authentication for Managed Identities and Service principals only:
+
+- **Managed Identity**. You can use a [Managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) provided by many Azure services, such as Azure Container Apps, Azure Container Instances, Azure Kubernetes Services or Azure Web Apps, full list is available [here](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identities-status).
+
+- **Service Principal**. You can create your own [Service Principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) by creating an Application Registration in Microsoft Entra ID. 
+
+To create the service principal and the secret using the Azure CLI:
+
+```bash
+clientId=(az ad app create --display-name "MyMqttApp" -query AppId -o tsv)
+
+az ad app credential reset --id $clientId --append
 ```
-2. Copy the modified snippet and save it locally.
-3. In the Azure portal, go to your Resource Group that contains Event Grid and open the Access control (IAM) page. 
-4. Click Add and then click Add custom role. This opens the custom roles editor. 
-5. On the `Basics` tab, select `Start from JSON`, and upload the modified JSON file you saved locally.
-6. Select the `Review and Create` tab and then `Create`.
-7. **NOTE:** It is possible that your Azure account may not have room for more custom role assignments. In this instance the current workaround is to create a free Azure account and complete this process while logged in from there.
 
-## :triangular_ruler: Configure Event Grid Namespaces (Skip if [getting_started](../getting_started) has already been properly configured)
+## Assign RBAC permissions
+
+In Azure EventGrid Namespaces, assign permissions to the Microsoft Entra ID identity using the roles "Event Grid Topic Spaces Publisher/Subscriber"
+
+```bash
+# from the root folder
+source az.env
+
+az role assigment create \
+  --assignee $clientId \
+  --role "EventGrid TopicSpaces Publisher" \
+  --scope $res_id
+
+az role assigment create \
+  --assignee $clientId \
+  --role "EventGrid TopicSpaces Subscriber" \
+  --scope $res_id
+```
+
+
+## 📐 Configure Event Grid Namespaces (Skip if [getting_started](../getting_started) has already been properly configured)
 
 Ensure to create an Event Grid namespace by following the steps in [setup](../setup).  Event Grid namespace requires registering the client, and the topic spaces to authorize the publish/subscribe permissions.
 
@@ -66,6 +61,7 @@ Ensure to create an Event Grid namespace by following the steps in [setup](../se
 We will use the SubjectMatchesAuthenticationName validation scheme for `sample_client`. Instructions for how to do this can be found in [getting_started](../getting_started). If this has already been done once, it does not have to be done again (unless using a different Azure account).
 
 ### Create topic spaces and permission bindings
+
 Run the commands to create the "samples" topic space, and the two permission bindings that provide publish and subscribe access to $all client group on the samples topic space. As for above, the instructions to do this are part of [getting_started](../getting_started) and do not have to be repeated if they have already been done in the Azure account being used to run this sample.
 
 ## :game_die: Run the Sample