# Manage emergency access to a bare metal machine using the `az networkcloud cluster bmckeyset`
13
13
14
14
> [!CAUTION]
15
-
> Please note this process is used in emergency situations when all other troubleshooting options via Azure have been exhausted. SSH access to these bare metal machines is restricted to users managed via this method from the specified jump host list.
15
+
> Please note this process is used in emergency situations when all other troubleshooting options via Azure are exhausted. SSH access to these bare metal machines is restricted to users managed via this method from the specified jump host list.
16
16
17
-
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways using Azure have been exhausted. Operator Nexus provides the `az networkcloud cluster bmckeyset` command so users can manage SSH access to the baseboard management controller (BMC) on these bare metal machines. On keyset creation, users are validated against Microsoft Entra ID for proper authorization by cross referencing the User Principal Name provided for a user against the supplied Azure Group ID `--azure-group-id <Entra Group ID>`.
17
+
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways using Azure are exhausted. Operator Nexus provides the `az networkcloud cluster bmckeyset` command so users can manage SSH access to the baseboard management controller (BMC) on these bare metal machines. On keyset creation, users are validated against Microsoft Entra ID for proper authorization by cross referencing the User Principal Name provided for a user against the supplied Azure Group ID `--azure-group-id <Entra Group ID>`.
18
18
19
-
If the User Principal Name for a user isn't a member of the supplied group, the user's status is set to 'Invalid', and their status message will say "Invalid because userPrincipal isn't a member of AAD group." If the Azure Group ID is invalid, each user in the keyset has their status set to 'Invalid' and their status message will say "AAD group doesn't exist." Invalid users remain in the keyset but their key won't be enabled for SSH access.
19
+
If the User Principal Name for a user isn't a member of the supplied group, the user's status is set to "Invalid." Additionally, their status message is set to "Invalid because userPrincipal isn't a member of Entra group." If the Azure Group ID is invalid, each user in the keyset has their status set to "Invalid" and their status message is set to "Entra group doesn't exist." Invalid users remain in the keyset but their key aren't for SSH access.
20
20
21
21
> [!NOTE]
22
22
> There is currently a transitional period where specifying User Principal Names is optional. In a future release, it will become mandatory and Microsoft Entra ID validation will be enforced for all users. Users are encouraged to add User Principal Names to their keysets before the transitional period ends (planned for July 2024) to avoid keysets being invalidated. Note that if any User Principal Names are added to a keyset, even if they are not added for all users, Microsoft Entra ID validation will be enabled, and this will result in the entire keyset being invalidated if the Group ID specified is not valid.
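Review bot: The rewritten paragraph beginning "If the User Principal Name for a user isn't a member" drops a verb and pluralization in its last sentence: "their key aren't for SSH access" should read "their keys aren't enabled for SSH access" (the removed line had "their key won't be enabled for SSH access"). Also confirm that the quoted status messages "Invalid because userPrincipal isn't a member of Entra group." and "Entra group doesn't exist." match what the service actually returns; if the service still emits the "AAD group" strings, the rename should stay in the surrounding prose only, since operators will compare the documented text against the status they see.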
@@ -35,7 +35,7 @@ The BMCs support a maximum number of 12 users. Users are defined on a per Cluste
35
35
- To restrict access for managing keysets, create a custom role. For more information, see [Azure Custom Roles](../role-based-access-control/custom-roles.md). In this instance, add or exclude permissions for `Microsoft.NetworkCloud/clusters/bmcKeySets`. The options are `/read`, `/write`, and `/delete`.
36
36
37
37
> [!NOTE]
38
-
> When BMC access is created, modified or deleted via the commands described in this
38
+
> When BMC access is created, modified, or deleted via the commands described in this
39
39
> article, a background process delivers those changes to the machines. This process is paused during
40
40
> Operator Nexus software upgrades. If an upgrade is known to be in progress, you can use the `--no-wait`
41
41
> option with the command to prevent the command prompt from waiting for the process to complete.
@@ -76,8 +76,9 @@ az networkcloud cluster bmckeyset create \
76
76
--cluster-name [Required] : The name of the cluster.
77
77
--expiration [Required] : The date and time after which the users
78
78
in this key set are removed from
79
-
the BMCs. The limit is up to 1 year from creation.
80
-
Format is "YYYY-MM-DDTHH:MM:SS.000Z"
79
+
the BMCs. The maximum expiration date is a
80
+
year from creation date. Format is
81
+
"YYYY-MM-DDTHH:MM:SS.000Z".
81
82
--extended-location [Required] : The extended location of the cluster
82
83
associated with the resource.
83
84
Usage: --extended-location name=XX type=XX
@@ -208,14 +209,11 @@ az networkcloud cluster bmckeyset update \
208
209
```azurecli
209
210
--bmc-key-set-name --name -n [Required] : The name of the BMC key set.
210
211
--cluster-name [Required] : The name of the cluster.
211
-
--expiration : The date and time after which the users
212
+
--expiration [Required] : The date and time after which the users
212
213
in this key set are removed from
213
-
the BMCs. Format is:
214
-
"YYYY-MM-DDTHH:MM:SS.000Z"
215
-
--jump-hosts-allowed : The list of IP addresses of jump hosts
216
-
with management network access from
217
-
which a login is allowed for the
218
-
users. Supports IPv4 or IPv6 addresses.
214
+
the BMCs. The maximum expiration date is a
215
+
year from creation date. Format is
216
+
"YYYY-MM-DDTHH:MM:SS.000Z".
219
217
--privilege-level : The access level allowed for the users
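Review bot: The `--jump-hosts-allowed` option description is removed from the `update` command's option listing without a replacement in this hunk (it shrinks from 14 lines to 11, and the only added lines are the new `--expiration` text); unless the CLI no longer accepts `--jump-hosts-allowed` on `update`, restore the four lines starting "--jump-hosts-allowed : The list of IP addresses of jump hosts" so the listing still documents how to change the allowed jump hosts. Separately, `--expiration` is changed to `[Required]` for `update` here, while the `baremetalmachinekeyset update` listing in this same commit leaves it optional; confirm which matches the CLI's actual behavior and make the two articles agree.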
# Manage emergency access to a bare metal machine using the `az networkcloud cluster baremetalmachinekeyset`
13
13
14
14
> [!CAUTION]
15
-
> Please note this process is used in emergency situations when all other troubleshooting options using Azure have been exhausted. SSH access to these bare metal machines is restricted to users managed via this method from the specified jump host list.
15
+
> Please note this process is used in emergency situations when all other troubleshooting options using Azure are exhausted. SSH access to these bare metal machines is restricted to users managed via this method from the specified jump host list.
16
16
17
-
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways have been exhausted via Azure. Azure Operator Nexus provides the `az networkcloud cluster baremetalmachinekeyset` command so users can manage SSH access to these bare metal machines. On keyset creation, users are validated against Microsoft Entra ID for proper authorization by cross referencing the User Principal Name provided for a user against the supplied Microsoft Entra ID `--azure-group-id <Entra Group ID>`.
17
+
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways via Azure are exhausted. Azure Operator Nexus provides the `az networkcloud cluster baremetalmachinekeyset` command so users can manage SSH access to these bare metal machines. On keyset creation, users are validated against Microsoft Entra ID for proper authorization by cross referencing the User Principal Name provided for a user against the supplied Microsoft Entra ID `--azure-group-id <Entra Group ID>`.
18
18
19
-
If the User Principal Name for a user isn't a member of the supplied group, the user's status is set to 'Invalid', and their status message will say "Invalid because userPrincipal isn't a member of AAD group." If the Azure Group ID is invalid, each user in the keyset will have their status set to 'Invalid' and their status message will say "AAD group doesn't exist." Invalid users remain in the keyset but their key won't be enabled for SSH access.
19
+
If the User Principal Name for a user isn't a member of the supplied group, the user's status is set to "Invalid." Additionally, their status message reads "Invalid because userPrincipal isn't a member of Entra group." If the Azure Group ID is invalid, each user in the keyset has their status set to "Invalid" and their status message says "Entra group doesn't exist." Invalid users remain in the keyset but their key aren't enabled for SSH access.
20
20
21
21
> [!NOTE]
22
22
> There is currently a transitional period where specifying User Principal Names is optional. In a future release, it will become mandatory and Microsoft Entra ID validation will be enforced for all users. Users are encouraged to add User Principal Names to their keysets before the transitional period ends (planned for July 2024) to avoid keysets being invalidated. Note that if any User Principal Names are added to a keyset, even if they are not added for all users, Microsoft Entra ID validation will be enabled, and this will result in the entire keyset being invalidated if the Group ID specified is not valid.
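Review bot: The rewritten paragraph beginning "If the User Principal Name for a user isn't a member" has a number-agreement error in its last sentence: "their key aren't enabled for SSH access" should read "their keys aren't enabled for SSH access". As in the companion article, verify that the quoted status strings "Invalid because userPrincipal isn't a member of Entra group." and "Entra group doesn't exist." are the literal values the service sets on the user status, not just a prose rename.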
@@ -28,7 +28,7 @@ There's no limit to the number of users in a group.
28
28
> [!CAUTION]
29
29
> Notes for jump host IP addresses
30
30
31
-
- The keyset create/update process adds the jump host IP addresses to the IP tables for each machine in the Cluster. This restricts SSH access to be allowed only from those jump hosts.
31
+
- The keyset create/update process adds the jump host IP addresses to the IP tables for each machine in the Cluster. The IP tables update restricts SSH access to be allowed only from those jump hosts.
32
32
- It's important to specify the Cluster facing IP addresses for the jump hosts. These IP addresses might be different than the public facing IP address used to access the jump host.
33
33
- Once added, users are able to access bare metal machines from any specified jump host IP including a jump host IP defined in another bare metal machine keyset group.
34
34
- Existing SSH access remains when adding the first bare metal machine keyset. However, the keyset command limits an existing user's SSH access to the specified jump host IPs in the keyset commands.
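Review bot: The rewritten bullet "The IP tables update restricts SSH access to be allowed only from those jump hosts." is wordy; "The IP tables update restricts SSH access to those jump hosts only." says the same thing more directly and keeps the security point (only the listed jump hosts can reach SSH) up front.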
@@ -43,7 +43,7 @@ There's no limit to the number of users in a group.
43
43
- To restrict access for managing keysets, create a custom role. For more information, see [Azure Custom Roles](../role-based-access-control/custom-roles.md). In this instance, add or exclude permissions for `Microsoft.NetworkCloud/clusters/bareMetalMachineKeySets`. The options are `/read`, `/write`, and `/delete`.
44
44
45
45
> [!NOTE]
46
-
> When bare metal machine access is created, modified or deleted via the commands described in this
46
+
> When bare metal machine access is created, modified, or deleted via the commands described in this
47
47
> article, a background process delivers those changes to the machines. This process is paused during
48
48
> Operator Nexus software upgrades. If an upgrade is known to be in progress, you can use the `--no-wait`
49
49
> option with the command to prevent the command prompt from waiting for the process to complete.
@@ -86,8 +86,9 @@ az networkcloud cluster baremetalmachinekeyset create \
86
86
--cluster-name [Required] : The name of the cluster.
87
87
--expiration [Required] : The date and time after which the users
88
88
in this key set are removed from
89
-
the bare metal machines. Format is:
90
-
"YYYY-MM-DDTHH:MM:SS.000Z"
89
+
the bare metal machines. The maximum
90
+
expiration date is a year from creation
91
+
date. Format is: "YYYY-MM-DDTHH:MM:SS.000Z".
91
92
--extended-location [Required] : The extended location of the cluster
92
93
associated with the resource.
93
94
Usage: --extended-location name=XX type=XX
@@ -228,8 +229,9 @@ az networkcloud cluster baremetalmachinekeyset update \
228
229
--cluster-name [Required] : The name of the cluster.
229
230
--expiration : The date and time after which the users
230
231
in this key set are removed from
231
-
the bare metal machines. Format is:
232
-
"YYYY-MM-DDTHH:MM:SS.000Z"
232
+
the bare metal machines. The maximum
233
+
expiration date is a year from creation
234
+
date. Format is: "YYYY-MM-DDTHH:MM:SS.000Z".
233
235
--jump-hosts-allowed : The list of IP addresses of jump hosts
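Review bot: `--expiration` is left optional in this `update` listing, whereas the `bmckeyset update` listing changed in the same commit marks it `[Required]`; the two keyset commands should document the same requirement unless the CLI genuinely differs, so confirm the actual behavior and align the two articles.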