Rebranding AAD to Microsoft Entra ID
kunalbabre committed Dec 28, 2023
1 parent 1181340 commit 7ac6b82
Showing 25 changed files with 76 additions and 76 deletions.
6 changes: 3 additions & 3 deletions README.md
Expand Up @@ -115,7 +115,7 @@ The expandable table below summarizes the available parameters and the possible
|deployAppConfig|Feature Flag: Deploy (or not) an Azure app configuration|
|deployJumpHost|Feature Flag: Deploy (or not) an Azure virtual machine (to be used as jumphost)|
|autoApproveAfdPrivateEndpoint|Default value: true. Set to true if you want to auto approve the Private Endpoint of the AFD Premium. See details [regarding approving the App Service private endpoint connection from Front Door](#approve-the-app-service-private-endpoint-connection-from-front-door-in-the-azure-portal) | false
|sqlServerAdministrators|The Azure Active Directory (AAD) administrator group used for SQL Server authentication. The Azure AD group must be created before running deployment. This has three values that need to be filled, as shown below <br> **login**: the name of the AAD Group <br> **sid**: the object id of the AAD Group <br> **tenantId**: The tenantId of the AAD ||
|sqlServerAdministrators|The Microsoft Entra ID administrator group used for SQL Server authentication. The Microsoft Entra ID group must be created before running deployment. This has three values that need to be filled, as shown below <br> **login**: the name of the Microsoft Entra ID Group <br> **sid**: the object id of the Microsoft Entra ID Group <br> **tenantId**: The tenantId of the Microsoft Entra ID ||

</details>
<details>
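Review bot: The end of the sqlServerAdministrators row is now wrong after the replacement: "tenantId of the AAD" became "tenantId of the Microsoft Entra ID", which names the service instead of the tenant. Suggest "**tenantId**: the ID of the Microsoft Entra tenant that contains the group". The row also drops the "(AAD)" acronym on first use, while other text in this repository (for example the anchor `#unable-to-connect-to-devops-vm-using-aad-credentials`) still refers to AAD; keeping "Microsoft Entra ID (formerly Azure AD)" on the first mention lets readers searching for the old name still find it.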
Expand Down Expand Up @@ -146,8 +146,8 @@ The expandable table below summarizes the available parameters and the possible

GitHub Actions pipelines are located in the [`.github/workflows`](.github/workflows/) directory with templates stored in the [`.github/actions`](.github/actions/) directory.i

1. Create an Azure AD Service Principal for OIDC Authentication
- Reference the following documentation to configure your Azure AD Service Principal: [OIDC authentication to Azure](https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/github-enterprise-managed-user-oidc-provisioning-tutorial).
1. Create an Microsoft Entra ID Service Principal for OIDC Authentication
- Reference the following documentation to configure your Microsoft Entra ID Service Principal: [OIDC authentication to Azure](https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/github-enterprise-managed-user-oidc-provisioning-tutorial).
1. Configure your GitHub Actions Secrets
- In your forked repository, navigate to `Settings > Secrets and variables > Actions`.
- Create the following secrets:
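Review bot: "Create an Microsoft Entra ID Service Principal" needs "a", not "an", after the mechanical rename; every place where "an Azure AD" was replaced should be checked for the same article mismatch. Separately, the link text says "OIDC authentication to Azure" but the URL slug is `github-enterprise-managed-user-oidc-provisioning-tutorial`, which reads as a user-provisioning tutorial; verify it is the right reference for configuring a service principal for GitHub Actions OIDC before shipping the rename.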
Expand Down
Binary file modified docs/App-Service-LZA.vsdx
Binary file not shown.
6 changes: 3 additions & 3 deletions docs/Design-Areas/identity-access-mgmt.md
Expand Up @@ -2,17 +2,17 @@
## Design Considerations
- Decide on the type of access for your application: public, private, or both.
- Decide on how to authenticate users that need to access your App Service: anonymous, internal corporate users, social accounts, other [identity provider](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet), or a mixture of these.
- Decide on whether to use system-assigned or user-assigned [managed identities](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet) for your App Service when connecting to AAD-protected backend resources.
- Decide on whether to use system-assigned or user-assigned [managed identities](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet) for your App Service when connecting to Microsoft Entra ID-protected backend resources.
- Consider creating [custom roles](https://learn.microsoft.com/en-us/azure/active-directory/roles/custom-create) following the principle of least privilege when out-of-box roles require modifications on existing permissions. Utilize [App Configuration](https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/appconfig-key-vault) to share common configuration values between applications, microservices, and serverless applications that are not passwords, secrets, or keys.
## Design Recommendations
- If the App Service requires authentication:
- If access to the entire app service needs to be restricted to authenticated users, disable anonymous access.
- Use the [Easy Auth](https://learn.microsoft.com/en-us/azure/app-service/overview-authentication-authorization) capabilities of App Services, instead of writing your own authentication and authorization code.
- Use separate [application registrations](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) for separate [slots](https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots) or environments.
- If the App Service is intended for internal users only, use [client certificate authentication](https://learn.microsoft.com/en-us/azure/app-service/deploy-staging-slots) for increased security.
- If the App Service is intended for external users, utilize [Azure AD B2C](https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview) to authenticate to social accounts and Azure AD accounts.
- If the App Service is intended for external users, utilize [Microsoft Entra ID B2C](https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview) to authenticate to social accounts and Microsoft Entra ID accounts.
- Use [Azure built-in roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#web-plan-contributor) to provide least privilege permissions to manage App Service Plans and Websites
- Utilize system-assigned [managed identities](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet) to securely access AAD-protected backend resources.
- Utilize system-assigned [managed identities](https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet) to securely access Microsoft Entra ID-protected backend resources.
- Ensure that users with access to Production resources in Azure are controlled and limited.
- For automated deployment purposes, setup a [service principal](https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) that has the minimum required permissions to deploy from the pipeline
- Review and follow the recommendations outlined in the [Identity and Access Control section](https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/app-service-security-baseline?toc=/azure/app-service/toc.json#identity-and-access-control) of the Azure security baseline for App Service.
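Review bot: "Microsoft Entra ID B2C" is not the product's name; Microsoft kept "Azure AD B2C" unchanged in the Entra rebrand, and the link target here still points at `active-directory-b2c/overview`. Suggest leaving the first name as "Azure AD B2C" and renaming only the second reference: "to authenticate social accounts and Microsoft Entra ID accounts". Unchanged context worth fixing while the file is open: the "client certificate authentication" link points at `deploy-staging-slots` rather than the client-certificate documentation.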
Expand Down
Binary file modified docs/Images/AppServiceLandingZoneArchitecture-multitenant.png
Binary file modified docs/Images/home-page.gif
6 changes: 3 additions & 3 deletions scenarios/secure-baseline-multitenant/README.md
Expand Up @@ -29,7 +29,7 @@ See: [Multitenant](/docs/Images/Multitenant/AppServiceLandingZoneArchitecture-mu

## Core architecture components

- The application's users are authenticated by [Azure Active Directory (Azure AD)](https://azure.microsoft.com/services/active-directory/) or [Azure AD B2C](https://azure.microsoft.com/services/active-directory/external-identities/b2c/). The browser performs DNS lookups to resolve addresses to Azure Front Door.
- The application's users are authenticated by [Microsoft Entra ID](https://azure.microsoft.com/services/active-directory/) or [Microsoft Entra ID B2C](https://azure.microsoft.com/services/active-directory/external-identities/b2c/). The browser performs DNS lookups to resolve addresses to Azure Front Door.
- [Virtual Network](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works) enables Azure resources to securely communicate with each other, the internet, and on-premises networks by creating boundaries, isolation and segmentation of your workloads in the cloud, much like a physical network.
- [Network Security Group](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview?toc=%2Fazure%2Fnetworking%2Ffundamentals%2Ftoc.json) is a set of security policies that Allow or Deny Inbound/Outbound traffic (Protocols/Ports).
- [Azure Front Door](https://azure.microsoft.com/services/frontdoor/) is a public front-end for all internet requests, acting as a global HTTP reverse proxy and cache in front of several Azure services. Front Door also provides automatic protection from layer 3 and 4 DDoS attacks, and a range of other features including WAF (web application firewall), caching, and custom rules to enhance the security and performance of your application.
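Review bot: The second link text should stay "Azure AD B2C": that product retained its name in the rebrand, and the URL still ends in `external-identities/b2c/`. Renaming only the first link to "Microsoft Entra ID", as done here, is correct.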
Expand Down Expand Up @@ -57,7 +57,7 @@ For network and subnet topology details, see the [Azure sample template](https:/

## Alternatives

- Either Azure AD or Azure AD B2C can be used as an identity provider in this scenario. Azure AD is designed for internal applications and business-to-business (B2B) scenarios, while Azure AD B2C is designed for business-to-consumer (B2C) scenarios.
- Either Microsoft Entra ID or Microsoft Entra ID B2C can be used as an identity provider in this scenario. Microsoft Entra ID is designed for internal applications and business-to-business (B2B) scenarios, while Microsoft Entra ID B2C is designed for business-to-consumer (B2C) scenarios.
- You can choose to bring your own DNS provider or use Azure-managed DNS, which is recommended.
- Azure Application Gateway can be used solely instead of Azure Front Door when most users are located close to the Azure region that hosts your workload, and when content caching isn't required. Azure DDoS Network Protection is recommended for protecting internet-facing Application Gateway services.

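Review bot: "Microsoft Entra ID B2C" appears twice in the Alternatives bullet; since the product kept the name "Azure AD B2C", suggest "Either Microsoft Entra ID or Azure AD B2C can be used as an identity provider in this scenario. Microsoft Entra ID is designed for internal applications and business-to-business (B2B) scenarios, while Azure AD B2C is designed for business-to-consumer (B2C) scenarios."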
Expand Down Expand Up @@ -125,7 +125,7 @@ For more recommendations and information, see [Azure Redis Cache Security Baseli

Deploy this reference architecture using this [Azure sample on GitHub](/scenarios/secure-baseline-multitenant/README.md).

- Azure AD, Azure AD B2C, and Azure DNS aren't deployed by this sample.
- Microsoft Entra ID, Microsoft Entra ID B2C, and Azure DNS aren't deployed by this sample.
- Custom domain names and TLS/SSL certificates aren't created and configured. Default frontend DNS names are used instead.
- The scripts are modular so you if you already have an existing environment, you can pick and choose the relevant section or adjust the relevant pieces according to your needs (deploy only SPOKE, replace SQL DB with PostgreSQL and etc.).

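Review bot: Same B2C naming point: "Microsoft Entra ID, Azure AD B2C, and Azure DNS aren't deployed by this sample." The untouched bullet below has a duplicated "so you if you already have"; since the file is being edited anyway, suggest "The scripts are modular, so if you already have an existing environment you can pick the relevant sections or adjust them to your needs (deploy only the spoke, replace SQL DB with PostgreSQL, etc.)."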
Expand Down
Expand Up @@ -41,7 +41,7 @@ The table below summarizes the available parameters and the possible values that
|deployAppConfig|Feature Flag: Deploy (or not) an Azure app configuration|
|deployJumpHost|Feature Flag: Deploy (or not) an Azure virtual machine (to be used as jumphost)|
|deployOpenAi|Feature Flag: Deploy (or not) an Azure OpenAI account. ATTENTION: At the time of writing, [OpenAI is in preview](https://learn.microsoft.com/azure/ai-services/openai/chatgpt-quickstart#prerequisites) and available in limited regions. |false
|sqlServerAdministrators|The Azure Active Directory (AAD) administrator group used for SQL Server authentication. The Azure AD group must be created before running deployment. This has three values that need to be filled, as shown below <br> **login**: the name of the AAD Group <br> **sid**: the object id of the AAD Group <br> **tenantId**: The tenantId of the AAD ||
|sqlServerAdministrators|The Microsoft Entra ID administrator group used for SQL Server authentication. The Microsoft Entra ID group must be created before running deployment. This has three values that need to be filled, as shown below <br> **login**: the name of the Microsoft Entra ID Group <br> **sid**: the object id of the Microsoft Entra ID Group <br> **tenantId**: The tenantId of the Microsoft Entra ID ||

After the parameters have been initialized, you can deploy the Landing Zone Accelerator resources with the following `az cli` command:

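Review bot: As in the top-level README, the sqlServerAdministrators row now ends with "tenantId of the Microsoft Entra ID", which names the service rather than the tenant; suggest "**tenantId**: the ID of the Microsoft Entra tenant that contains the group". Keep the two README tables worded identically so they do not drift apart in later edits.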
Expand Down Expand Up @@ -92,9 +92,9 @@ done

### Connect to the Jumpbox VM (deployed in the spoke resource group)

You can connect to the jumpbox win 11 VM only through bastion. The default parameters deploy a Bastion in Standard SKU, with native client support enabled. The jumpbox VM is AADJoined by default. This means that you can connect to the jumpbox, either with the local user/password compination (azureuser is the default username) or with a valid AAD account. In certain circumastances your organization may not allow the device to be enrolled. If the jumpbox VM is AAD joined and properly intune enrolled, you can use native rdp client to connect by running the below Az CLI commands
You can connect to the jumpbox win 11 VM only through bastion. The default parameters deploy a Bastion in Standard SKU, with native client support enabled. The jumpbox VM is Microsoft Entra IDJoined by default. This means that you can connect to the jumpbox, either with the local user/password compination (azureuser is the default username) or with a valid Microsoft Entra ID account. In certain circumastances your organization may not allow the device to be enrolled. If the jumpbox VM is Microsoft Entra ID joined and properly intune enrolled, you can use native rdp client to connect by running the below Az CLI commands

From a PowerShell terminal, connect to the DevOps VM using your Azure AD credentials (or Windows Hello).
From a PowerShell terminal, connect to the DevOps VM using your Microsoft Entra ID credentials (or Windows Hello).

```powershell
az upgrade
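Review bot: "Microsoft Entra IDJoined" is a broken token produced by replacing "AAD" inside "AADJoined"; Microsoft's term is "Microsoft Entra joined", which should also replace "Microsoft Entra ID joined" in the last sentence of the paragraph. While this paragraph is open, fix "compination" to "combination", "circumastances" to "circumstances", "intune" to "Intune" and "rdp" to "RDP".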
Expand All @@ -108,18 +108,18 @@ az network bastion rdp --name bast-bastion --resource-group rg-hub --target-reso

More details on how to [connect to a windows VM with native rdp client, can be found here](https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows#connect-windows)

The Azure AD enrollment can take a few minutes to complete. Check: [https://portal.manage-beta.microsoft.com/devices](https://portal.manage-beta.microsoft.com/devices)
The Microsoft Entra ID enrollment can take a few minutes to complete. Check: [https://portal.manage-beta.microsoft.com/devices](https://portal.manage-beta.microsoft.com/devices)

If your organization requires device enrollment before accessing corporate resources (i.e. if you see an error "You can't get there from here." or "This device does not meet your organization's compliance requirements"),login to the VM with local user (i.e. azureuser) and enroll the Jumpbox to Azure AD by following the steps in Edge:
If your organization requires device enrollment before accessing corporate resources (i.e. if you see an error "You can't get there from here." or "This device does not meet your organization's compliance requirements"),login to the VM with local user (i.e. azureuser) and enroll the Jumpbox to Microsoft Entra ID by following the steps in Edge:
- open Edge and click "Sign in to sync data",
- select "Work or school account",
- and then press OK on "Allow my organization to manage my device".

It takes a few minutes for the policies to be applied, device scanned and confirmed as secure to access corporate resources. You will know that the process is complete.

If you experience issues connecting to the DevOps VM using your AAD credentials, see [Unable to connect to DevOps VM using AAD credentials](../terraform/README.md#unable-to-connect-to-devops-vm-using-aad-credentials)
If you experience issues connecting to the DevOps VM using your Microsoft Entra ID credentials, see [Unable to connect to DevOps VM using Microsoft Entra ID credentials](../terraform/README.md#unable-to-connect-to-devops-vm-using-aad-credentials)

Once completed, and if you provided a valid (AAD) administrator group used for SQL Server authentication (and not only local SQL user administrator), you should be able to connect to the SQL Server using the Azure AD account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions:
Once completed, and if you provided a valid (Microsoft Entra ID administrator group used for SQL Server authentication (and not only local SQL user administrator), you should be able to connect to the SQL Server using the Microsoft Entra ID account from SQL Server Management Studio. On the sample database (sample-db by default), run the following commands to create the user and grant minimal permissions:

```sql
CREATE USER [web-app-name] FROM EXTERNAL PROVIDER;
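Review bot: The last paragraph of the hunk lost a parenthesis: "(AAD)" became "(Microsoft Entra ID" with no closing ")", leaving "provided a valid (Microsoft Entra ID administrator group used for SQL Server authentication (and not only ...)"; suggest simply "a valid Microsoft Entra ID administrator group". Also check the link fragment `#unable-to-connect-to-devops-vm-using-aad-credentials`: if the target heading in ../terraform/README.md was renamed in this same commit, its generated slug changes and this anchor will no longer resolve. Two smaller points: "Microsoft Entra ID enrollment" should be "Microsoft Entra enrollment" (or just "device enrollment"), and ",login" needs a space after the comma.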
Expand Down
Expand Up @@ -635,7 +635,7 @@
"type": "Microsoft.Common.TextBlock",
"visible": "[equals(steps('extra').jumpBoxSection.deployJumpHost, true)]",
"options": {
"text": "Give the CredentialsCombo for your windows Jump-box. The VM will be AAD Joined, so you can use your AAD credentials to login. The password must contain at least 12 characters, with at least 1 uppercase, 1 lowercase and 1 number.",
"text": "Give the CredentialsCombo for your windows Jump-box. The VM will be Microsoft Entra ID Joined, so you can use your Microsoft Entra ID credentials to login. The password must contain at least 12 characters, with at least 1 uppercase, 1 lowercase and 1 number.",
"link": {
"label": "Learn more for Windows VM Password Policy",
"uri": "https://learn.microsoft.com/en-us/azure/virtual-machines/windows/faq#what-are-the-password-requirements-when-creating-a-vm-"
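Review bot: The user-facing string "The VM will be Microsoft Entra ID Joined" should read "Microsoft Entra joined", the term Microsoft uses for device join state; "Microsoft Entra ID credentials" is fine. Also capitalise "Windows" and use "log in" for the verb, since this text is rendered in the portal UI.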
Expand Down
