Commit 4897e49

Updated Docs
1 parent 0a71368 commit 4897e49

3 files changed

+54
-3
lines changed

articles/postgresql/flexible-server/concepts-azure-ad-authentication.md

Lines changed: 54 additions & 3 deletions
@@ -18,7 +18,7 @@ ms.topic: conceptual
1818
Microsoft Entra authentication is a mechanism of connecting to Azure Database for PostgreSQL flexible server using identities defined in Microsoft Entra ID.
1919
With Microsoft Entra authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management.
2020

21-
Benefits of using Microsoft Entra ID include:
21+
**Benefits of using Microsoft Entra ID include:**
2222

2323
- Authentication of users across Azure Services in a uniform way
2424
- Management of password policies and password rotation in a single place
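Review bot: Style point on the bolded lead-in at +21: bold text is being used as a pseudo-heading for the benefits list, while this doc set otherwise introduces a list with a plain sentence ending in a colon (as the original line 21 did) or with a real `##` heading. Revert to plain text, or promote it to a heading so it appears in the page outline; a bold sentence does neither.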
@@ -27,6 +27,15 @@ Benefits of using Microsoft Entra ID include:
2727
- Microsoft Entra authentication uses PostgreSQL database roles to authenticate identities at the database level
2828
- Support of token-based authentication for applications connecting to Azure Database for PostgreSQL flexible server
2929

30+
31+
**To configure and use Microsoft Entra authentication, use the following process:**
32+
33+
1. Create and populate Microsoft Entra ID with user identities as needed.
34+
2. Optionally associate or change the Active Directory currently associated with your Azure subscription.
35+
3. Create a Microsoft Entra administrator for the Azure Database for PostgreSQL server.
36+
4. Create database users in your database mapped to Microsoft Entra identities.
37+
5. Connect to your database by retrieving a token for a Microsoft Entra identity and logging in.
38+
3039
<a name='azure-active-directory-authentication-single-server-vs-flexible-server'></a>
3140

3241
## Microsoft Entra authentication (Azure Database for PostgreSQL single Server vs Azure Database for PostgreSQL flexible server)
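Review bot: Terminology slip in step 2 of the new process list (+34): it says "the Active Directory currently associated with your Azure subscription" while the rest of this commit renames everything to Microsoft Entra; suggest "Optionally associate or change the Microsoft Entra tenant associated with your Azure subscription." Step 3 (+35) also drops "flexible" from the product name used everywhere else on the page. Step 5 is the step with security weight (the retrieved token is what the client presents as the password), so it is worth pointing it at the existing "Configure and sign in with Microsoft Entra ID" how-to rather than leaving "retrieving a token" unexplained. Minor: the added blank line at +30 doubles up with the existing blank at 29, and the bold lead-in at +31 has the same pseudo-heading issue as the benefits line above.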
@@ -55,9 +64,11 @@ The following high-level diagram summarizes how authentication works using Micro
5564

5665
Use these steps to configure Microsoft Entra ID with Azure Database for PostgreSQL flexible server [Configure and sign in with Microsoft Entra ID for Azure Database for PostgreSQL - Flexible Server](how-to-configure-sign-in-azure-ad-authentication.md).
5766

58-
## Manage PostgreSQL Access For AD Principals
67+
## Differences Between PostgreSQL Administrator and Microsoft Entra Administrator
68+
69+
When Microsoft Entra authentication is enabled on your Flexible Server and Microsoft Entra principal is added as a **Microsoft Entra administrator** the account not only gets the same privileges as the original **PostgreSQL administrator** but also it can manage other Microsoft Entra ID enabled roles on the server. Unlike the PostgreSQL administrator, who can only create local password-based users, the Microsoft Entra administrator has the authority to manage both Entra users and local password-based users.
5970

60-
When Microsoft Entra authentication is enabled and Microsoft Entra principal is added as a Microsoft Entra administrator the account gets the same privileges as the original PostgreSQL administrator. Only Microsoft Entra administrator can manage other Microsoft Entra ID enabled roles on the server using Azure portal or Database API. The Microsoft Entra administrator sign-in can be a Microsoft Entra user, Microsoft Entra group, Service Principal or Managed Identity. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Microsoft Entra ID without changing the users or permissions in the Azure Database for PostgreSQL flexible server instance. Multiple Microsoft Entra administrators can be configured at any time and you can optionally disable password authentication to an Azure Database for PostgreSQL flexible server instance for better auditing and compliance needs.
71+
Microsoft Entra administrator can be a Microsoft Entra user, Microsoft Entra group, Service Principal, or Managed Identity. Utilizing a group account as an administrator enhances manageability, as it permits centralized addition and removal of group members in Microsoft Entra ID without changing the users or permissions within the Azure Database for PostgreSQL flexible server instance. Multiple Microsoft Entra administrators can be configured concurrently, and you have the option to deactivate password authentication to an Azure Database for PostgreSQL flexible server instance for enhanced auditing and compliance requirements.
6172

6273
![admin structure][2]
6374

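Review bot: The heading rename at -58/+67 removes the "Manage PostgreSQL Access For AD Principals" heading, so any existing link to `#manage-postgresql-access-for-ad-principals` will break; this page already keeps an explicit `<a name='...'></a>` anchor in front of a renamed heading (line 39), so add one here for the old slug. The rewrite at +69 also drops a statement from the removed paragraph (-60) that only the Microsoft Entra administrator can manage Entra-enabled roles "using Azure portal or Database API"; that restriction tells readers where role management is enforced and should survive the rewrite. Grammar: "and Microsoft Entra principal is added" needs "a", and "Flexible Server" at +69 is capitalized differently from "flexible server" elsewhere on the page.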
@@ -85,6 +96,7 @@ Once you've authenticated against the Active Directory, you then retrieve a toke
8596
8697
## Other considerations
8798

99+
- Microsoft user assigned tokens are
88100
- Multiple Microsoft Entra principals (a user, group, service principal or managed identity) can be configured as Microsoft Entra Administrator for an Azure Database for PostgreSQL flexible server instance at any time.
89101
- Only a Microsoft Entra administrator for PostgreSQL can initially connect to the Azure Database for PostgreSQL flexible server instance using a Microsoft Entra account. The Active Directory administrator can configure subsequent Microsoft Entra database users.
90102
- If a Microsoft Entra principal is deleted from Microsoft Entra ID, it still remains as PostgreSQL role, but it will no longer be able to acquire new access token. In this case, although the matching role still exists in the database it won't be able to authenticate to the server. Database administrators need to transfer ownership and drop roles manually.
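Review bot: The new bullet at +99, "- Microsoft user assigned tokens are", is an unfinished sentence and must be completed or removed before merge. If the intent is to state the lifetime of user-assigned managed identity tokens, note that the FAQ added in this same commit gives lifetimes only for user tokens (1 hour) and system-assigned managed identity tokens (24 hours), so whatever is written here has to agree with that answer.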
@@ -94,6 +106,45 @@ Once you've authenticated against the Active Directory, you then retrieve a toke
94106
95107
- Azure Database for PostgreSQL flexible server matches access tokens to the database role using the user’s unique Microsoft Entra user ID, as opposed to using the username. If a Microsoft Entra user is deleted and a new user is created with the same name, Azure Database for PostgreSQL flexible server considers that a different user. Therefore, if a user is deleted from Microsoft Entra ID and a new user is added with the same name the new user won't be able to connect with the existing role.
96108

109+
## Frequently asked questions
110+
111+
112+
* **What are different authentication modes available in Azure Database for PostgreSQL Flexible Server?**
113+
114+
Azure Database for PostgreSQL flexible server supports three modes of authentication namely **PostgreSQL authentication only** , **Microsoft Entra authentication only** and **PostgreSQL and Microsoft Entra authentication**
115+
116+
* **Can I configure multiple Microsoft Entra administrators on my Flexible Server?**
117+
118+
Yes. You can configure multiple Entra administrators on your flexible server. During provisioning you can only set a single Microsoft Entra admin but once the server is created you can set as many Microsoft Entra administrators as you want by going to **Authentication** blade.
119+
120+
* **Is Microsoft Entra administrators only a Microsoft Entra user?****
121+
122+
No. Microsoft Entra administrator can be a user, group, service principal or managed identity.
123+
124+
* **Can Microsoft Entra administrator create local password based users?**
125+
126+
Unlike the PostgreSQL administrator, who can only create local password-based users, the Microsoft Entra administrator has the authority to manage both Entra users and local password-based users.
127+
128+
* **What happens when i enable Microsoft Entra Authentication on my flexible server?**
129+
130+
When Microsoft Entra Authentication is set at the server level, PGAadAuth extension gets enabled and results in a server restart.
131+
132+
* **how do i login using Microsoft Entra Authentication?**
133+
134+
You can use client tools such as psql,pgadmin etc to login to your flexible server. Please use the Microsoft Entra ID as **User name** and use your **Entra token**as your password which is generated using azlogin.
135+
136+
* **How do i generate my token**
137+
Please use below steps to generate your token.
138+
[Generate Token](how-to-configure-sign-in-azure-ad-authentication.md)
139+
140+
* **What is the difference between group login and individual login?**
141+
142+
The only difference between logging in as **Microsoft Entra group member** and individual **Entra user** lies in the **Username**, while logging in as individual user you provide your individual Entra ID where as you'll utilize the group name while logging as group member.Regardless, in both scenarios, you'll employ the same individual Entra token as the password.
143+
144+
* **What is the token lifetime**
145+
146+
User tokens are valid upto 1 hour where as System Assigned Managed Identity tokens are valid upto 24 hours.
147+
97148

98149
## Next steps
99150

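Review bot: Formatting and grammar problems in several FAQ questions: +120 ends with four asterisks (`****`) that will render literally, and the question should read something like "Must a Microsoft Entra administrator be a Microsoft Entra user?"; +124 needs "the" ("Can the Microsoft Entra administrator..."); +128, +132 and +136 need capital "I" and question marks ("What happens when I enable...", "How do I log in using...", "How do I generate my token?"), and +144 also lacks its question mark. Content points: +134 says the token "is generated using azlogin"; `az login` only signs the CLI in, and the access token comes from a separate Azure CLI call requested for the PostgreSQL resource, which the linked how-to at +138 covers, so say "generated with the Azure CLI" and link it, and also say "your Microsoft Entra user principal name" rather than "the Microsoft Entra ID", which is ambiguous with the product name; the missing space in "**Entra token**as" will break the bold. +126 repeats the sentence at +69 word for word; point the answer at that section instead of duplicating it. +130: "PGAadAuth extension" should match the extension's actual name and casing, and the server restart it triggers is an operational impact worth repeating under "Other considerations". +146: "upto" should be "up to" and "where as" "whereas"; since the token is the password, add that clients must obtain a fresh token once it expires and must not persist it in connection strings or logs. +114: stray space before the comma and no final period; +118: "the Authentication pane" rather than "blade". The two blank lines after the heading (+110, +111), the missing blank between +136 and +137, and the added blank at +147 doubling the existing blank at 148 should all be normalized to single blank lines.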