Updates to login docs (login step, Entra branding) (#1574)

* Login updates

* Revert dash change

* Assume AZURE_TENANT_ID is set

* Bring back legit Matt changes

Author: pamelafox

app/backend/core/authentication.py

@@ -84,7 +84,7 @@ def get_auth_setup_for_client(self) -> dict[str, Any]:
             "msalConfig": {
                 "auth": {
                     "clientId": self.client_app_id,  # Client app id used for login
-                    "authority": self.authority,  # Directory to use for login https://learn.microsoft.com/azure/active-directory/develop/msal-client-application-configuration#authority
+                    "authority": self.authority,  # Directory to use for login https://learn.microsoft.com/entra/identity-platform/msal-client-application-configuration#authority
                     "redirectUri": "/redirect",  # Points to window.location.origin. You must register this URI on Azure Portal/App Registration.
                     "postLogoutRedirectUri": "/",  # Indicates the page to navigate after logout.
                     "navigateToLoginRequestUrl": False,  # If "true", will navigate back to the original request location before processing the auth code response.
@@ -100,10 +100,10 @@ def get_auth_setup_for_client(self) -> dict[str, Any]:
                 # Scopes you add here will be prompted for user consent during sign-in.
                 # By default, MSAL.js will add OIDC scopes (openid, profile, email) to any login request.
                 # For more information about OIDC scopes, visit:
-                # https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes
+                # https://learn.microsoft.com/entra/identity-platform/permissions-consent-overview#openid-connect-scopes
                 "scopes": [".default"],
                 # Uncomment the following line to cause a consent dialog to appear on every login
-                # For more information, please visit https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-authorization-code
+                # For more information, please visit https://learn.microsoft.com/entra/identity-platform/v2-oauth2-auth-code-flow#request-an-authorization-code
                 # "prompt": "consent"
             },
             "tokenRequest": {
@@ -211,7 +211,7 @@ async def get_auth_claims_if_enabled(self, headers: dict) -> dict[str, Any]:
         try:
             # Read the authentication token from the authorization header and exchange it using the On Behalf Of Flow
             # The scope is set to the Microsoft Graph API, which may need to be called for more authorization information
-            # https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
+            # https://learn.microsoft.com/entra/identity-platform/v2-oauth2-on-behalf-of-flow
             auth_token = AuthenticationHelper.get_token_auth_header(headers)
             # Validate the token before use
             await self.validate_access_token(auth_token)
@@ -225,13 +225,13 @@ async def get_auth_claims_if_enabled(self, headers: dict) -> dict[str, Any]:
                 raise AuthError(error=str(graph_resource_access_token), status_code=401)
 
             # Read the claims from the response. The oid and groups claims are used for security filtering
-            # https://learn.microsoft.com/azure/active-directory/develop/id-token-claims-reference
+            # https://learn.microsoft.com/entra/identity-platform/id-token-claims-reference
             id_token_claims = graph_resource_access_token["id_token_claims"]
             auth_claims = {"oid": id_token_claims["oid"], "groups": id_token_claims.get("groups", [])}
 
             # A groups claim may have been omitted either because it was not added in the application manifest for the API application,
             # or a groups overage claim may have been emitted.
-            # https://learn.microsoft.com/azure/active-directory/develop/id-token-claims-reference#groups-overage-claim
+            # https://learn.microsoft.com/entra/identity-platform/id-token-claims-reference#groups-overage-claim
             missing_groups_claim = "groups" not in id_token_claims
             has_group_overage_claim = (
                 missing_groups_claim

app/frontend/src/authConfig.ts

@@ -27,7 +27,7 @@ interface AuthSetup {
     msalConfig: {
         auth: {
             clientId: string; // Client app id used for login
-            authority: string; // Directory to use for login https://learn.microsoft.com/azure/active-directory/develop/msal-client-application-configuration#authority
+            authority: string; // Directory to use for login https://learn.microsoft.com/entra/identity-platform/msal-client-application-configuration#authority
             redirectUri: string; // Points to window.location.origin. You must register this URI on Azure Portal/App Registration.
             postLogoutRedirectUri: string; // Indicates the page to navigate after logout.
             navigateToLoginRequestUrl: boolean; // If "true", will navigate back to the original request location before processing the auth code response.
@@ -42,7 +42,7 @@ interface AuthSetup {
          * Scopes you add here will be prompted for user consent during sign-in.
          * By default, MSAL.js will add OIDC scopes (openid, profile, email) to any login request.
          * For more information about OIDC scopes, visit:
-         * https://docs.microsoft.com/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes
+         * https://learn.microsoft.com/entra/identity-platform/permissions-consent-overview#openid-connect-scopes
          */
         scopes: Array<string>;
     };
@@ -81,7 +81,7 @@ export const msalConfig = authSetup.msalConfig;
  * Scopes you add here will be prompted for user consent during sign-in.
  * By default, MSAL.js will add OIDC scopes (openid, profile, email) to any login request.
  * For more information about OIDC scopes, visit:
- * https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#openid-connect-scopes
+ * https://learn.microsoft.com/entra/identity-platform/permissions-consent-overview#openid-connect-scopes
  */
 export const loginRequest = authSetup.loginRequest;
 

docs/deploy_features.md

@@ -123,7 +123,7 @@ By default, the deployed Azure web app will have no authentication or access res
 
 Alternatively, you can manually require authentication to your Azure Active Directory by following the [Add app authentication](https://learn.microsoft.com/azure/app-service/scenario-secure-app-authentication-app-service) tutorial and set it up against the deployed web app.
 
-To then limit access to a specific set of users or groups, you can follow the steps from [Restrict your Azure AD app to a set of users](https://learn.microsoft.com/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users) by changing "Assignment Required?" option under the Enterprise Application, and then assigning users/groups access.  Users not granted explicit access will receive the error message -AADSTS50105: Your administrator has configured the application <app_name> to block users unless they are specifically granted ('assigned') access to the application.-
+To then limit access to a specific set of users or groups, you can follow the steps from [Restrict your Microsoft Entra app to a set of users](https://learn.microsoft.com/entra/identity-platform/howto-restrict-your-app-to-a-set-of-users) by changing "Assignment Required?" option under the Enterprise Application, and then assigning users/groups access.  Users not granted explicit access will receive the error message -AADSTS50105: Your administrator has configured the application <app_name> to block users unless they are specifically granted ('assigned') access to the application.-
 
 ## Enabling login and document level access control