
Commit 14d276b

Merge pull request #266839 from robswain/66293-aad-login
ADO 66293 - add sas.user role
2 parents f75e5ba + 35b1397 commit 14d276b

2 files changed

+17
-3
lines changed

articles/private-5g-core/enable-azure-active-directory.md

Lines changed: 6 additions & 3 deletions
@@ -39,6 +39,9 @@ You'll now register a new local monitoring application with Microsoft Entra ID t
3939

4040
If your deployment contains multiple sites, you can use the same two redirect URIs for all sites, or create different URI pairs for each site. You can configure a maximum of two redirect URIs per site. If you've already registered an application for your deployment and you want to use the same URIs across your sites, you can skip this step.
4141

42+
> [!NOTE]
43+
> These instructions assume you are using a single application for both distributed tracing and the packet core dashboards. If you want to grant access to different user groups for these two tools, you can instead set up one application for the packet core dashboards roles and one for the distributed trace role.
44+
4245
1. Follow [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md) to register a new application for your local monitoring tools with the Microsoft identity platform.
4346
1. In *Add a redirect URI*, select the **Web** platform and add the following two redirect URIs, where *\<local monitoring domain\>* is the domain name for your local monitoring tools that you set up in [Configure domain system name (DNS) for local monitoring IP](#configure-domain-system-name-dns-for-local-monitoring-ip):
4447
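Review bot: The note added at new lines 42-43 offers a two-application setup, but the numbered steps that follow describe only the single-application case, so a reader who takes that option has no guidance on how to split the configuration. Say in the note which roles belong on which application (the hunk below names them: Admin, Viewer and Editor for the packet core dashboards, sas.user for distributed tracing) and whether each application needs its own redirect URIs and client secret, given the stated limit of two redirect URIs per site. The note also says "the distributed trace role" without naming it; use the literal value sas.user so it matches the role step.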

@@ -47,13 +50,13 @@ If your deployment contains multiple sites, you can use the same two redirect UR
4750

4851
1. In *Add credentials*, follow the steps to add a client secret. Make sure to record the secret under the **Value** column, as this field is only available immediately after secret creation. This is the **Client secret** value that you'll need later in this procedure.
4952

50-
1. Follow [App roles UI](../active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to create three roles for your application (Admin, Viewer, and Editor) with the following configuration:
53+
1. Follow [App roles UI](../active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui) to create the roles for your application with the following configuration:
5154

5255
- In **Allowed member types**, select **Users/Groups**.
53-
- In **Value**, enter one of **Admin**, **Viewer**, and **Editor** for each role you're creating.
56+
- In **Value**, enter one of **Admin**, **Viewer**, and **Editor** for each role you're creating. For distributed tracing, you also need a **sas.user** role.
5457
- In **Do you want to enable this app role?**, ensure the checkbox is selected.
5558

56-
You'll be able to use these roles when managing access to the packet core dashboards.
59+
You'll be able to use these roles when managing access to the packet core dashboards and distributed tracing tool.
5760

5861
1. Follow [Assign users and groups to roles](../active-directory/develop/howto-add-app-roles-in-azure-ad-apps.md#assign-users-and-groups-to-roles) to assign users and groups to the roles you created.
5962
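Review bot: The sentence appended to the **Value** bullet at new line 56 ("For distributed tracing, you also need a **sas.user** role.") leaves it unclear whether sas.user is a fourth value to enter in the same field, and the step intro at new line 53 no longer says how many roles to create after "three roles ... (Admin, Viewer, and Editor)" was dropped. Suggest stating the count and listing all four values together, for example "enter one of **Admin**, **Viewer**, **Editor**, and **sas.user**", and formatting sas.user as a literal so readers copy it exactly. The closing sentence at new line 59 would also benefit from saying which roles gate which tool, since an operator assigning access in the next step needs to know that sas.user alone controls the tracing tool.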

articles/private-5g-core/whats-new.md

Lines changed: 11 additions & 0 deletions
@@ -22,6 +22,17 @@ To help you stay up to date with the latest developments, this article covers:
2222

2323
This page is updated regularly with the latest developments in Azure Private 5G Core.
2424

25+
## February 2024
26+
### New Entra ID user role needed for distributed tracing tool
27+
28+
**Type:** New feature
29+
30+
**Date available:** February 21, 2024
31+
32+
Access to the [distributed tracing](distributed-tracing.md) tool now requires a dedicated sas.user role in Microsoft Entra ID. This user is available from AP5GC version 4.2310.0-8, and required from AP5GC version 2402 onwards. If you are using Microsoft Entra ID authentication, you should create this user prior to upgrading to version 2402 to avoid losing access to the tracing tool. Entra ID access to the packet core dashboards is unchanged.
33+
34+
See [Enable Microsoft Entra ID for local monitoring tools](enable-azure-active-directory.md) for details.
35+
2536
## December 2023
2637
### Packet Capture
2738
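Review bot: At new line 32 the text switches from "role" to "user" ("This user is available from ...", "you should create this user"), which contradicts the heading and the first sentence, where sas.user is an app role in Microsoft Entra ID. Change both to "role", and mention that users or groups must also be assigned to the role before upgrading, since creating the role alone does not grant anyone access to the tracing tool. The two version references use different formats ("4.2310.0-8" and "2402"); give both in the same form so readers can tell where their deployment falls.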
