Merge pull request #264255 from KarlErickson/karler-entra-fixes

fixes for Microsoft Entra

Author: v-dirichards

articles/spring-apps/connect-managed-identity-to-azure-sql.md

@@ -115,5 +115,5 @@ Rebuild the app and deploy it to the Azure Spring Apps provisioned in the second
 
 * [How to access Storage blob with managed identity in Azure Spring Apps](https://github.com/Azure-Samples/azure-spring-apps-samples/tree/main/managed-identity-storage-blob)
 * [How to enable system-assigned managed identity for applications in Azure Spring Apps](./how-to-enable-system-assigned-managed-identity.md)
-* [Learn more about managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md)
+* [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)
 * [Authenticate Azure Spring Apps with Key Vault in GitHub Actions](./github-actions-key-vault.md)

articles/spring-apps/expose-apps-gateway-end-to-end-tls.md

@@ -184,9 +184,9 @@ az network public-ip create \
     --sku Standard
 ```
 
-## Create a Managed Identity for Application Gateway
+## Create a managed identity for Application Gateway
 
-Application Gateway will need to be able to access Key Vault to read the certificate. To do so, it will use a User-assigned [Managed Identity](../active-directory/managed-identities-azure-resources/overview.md). Create the Managed Identity by using the following command:
+Application Gateway will need to be able to access Key Vault to read the certificate. To do so, it will use a user-assigned [managed identity](/entra/identity/managed-identities-azure-resources/overview). Create the managed identity by using the following command:
 
 ```azurecli
 export APPGW_IDENTITY_NAME='name-for-appgw-managed-identity'
@@ -195,7 +195,7 @@ az identity create \
     --name $APPGW_IDENTITY_NAME
 ```
 
-Then fetch the objectId for the Managed Identity as it will be used later on to give rights to access the certificate in Key Vault:
+Then fetch the objectId for the managed identity as it will be used later on to give rights to access the certificate in Key Vault:
 
 ```azurecli
 export APPGW_IDENTITY_CLIENTID=$(az identity show \
@@ -211,7 +211,7 @@ export APPGW_IDENTITY_OID=$(az ad sp show \
 
 ## Set policy on Key Vault
 
-Configure Key Vault using the following command so that the Managed Identity for Application Gateway is allowed to access the certificate stored in Key Vault:
+Configure Key Vault using the following command so that the managed identity for Application Gateway is allowed to access the certificate stored in Key Vault:
 
 ```azurecli
 az keyvault set-policy \
@@ -224,7 +224,7 @@ az keyvault set-policy \
 
 ## Create Application Gateway
 
-Create an application gateway using `az network application-gateway create` and specify your application's private fully qualified domain name (FQDN) as servers in the backend pool. Make sure to use the user-assigned Managed Identity and to point to the certificate in Key Vault using the certificate's Secret ID. Then update the HTTP setting using `az network application-gateway http-settings update` to use the public host name.
+Create an application gateway using `az network application-gateway create` and specify your application's private fully qualified domain name (FQDN) as servers in the backend pool. Make sure to use the user-assigned managed identity and to point to the certificate in Key Vault using the certificate's Secret ID. Then update the HTTP setting using `az network application-gateway http-settings update` to use the public host name.
 
 ```azurecli
 export APPGW_NAME='name-for-application-gateway'

articles/spring-apps/expose-apps-gateway-tls-termination.md

@@ -105,7 +105,7 @@ az network public-ip create \
 
 ### Create a managed identity for the application gateway
 
-Your application gateway will need to be able to access Key Vault to read the certificate. To do this, the application gateway will use a user-assigned managed identity. For more information, see [What are managed identities for Azure resources?](../active-directory/managed-identities-azure-resources/overview.md). Create the managed identity by using the following command, replacing the *\<...>* placeholder:
+Your application gateway will need to be able to access Key Vault to read the certificate. To do this, the application gateway will use a user-assigned managed identity. For more information, see [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) Create the managed identity by using the following command, replacing the *\<...>* placeholder:
 
 ```azurecli
 export APPGW_IDENTITY_NAME='<name-for-appgw-managed-identity>'

articles/spring-apps/how-to-enable-system-assigned-managed-identity.md

@@ -24,7 +24,7 @@ Managed identities for Azure resources provide an automatically managed identity
 
 ## Prerequisites
 
-If you're unfamiliar with managed identities for Azure resources, see the [Managed identities for Azure resources overview section](../active-directory/managed-identities-azure-resources/overview.md).
+If you're unfamiliar with managed identities for Azure resources, see [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)
 
 ::: zone pivot="sc-enterprise"
 
@@ -91,9 +91,9 @@ az spring app identity assign \
 
 An app can use its managed identity to get tokens to access other resources protected by Microsoft Entra ID, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application.
 
-You may need to [configure the target resource to allow access from your application](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). For example, if you request a token to access Key Vault, make sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault are rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-azure-ad-authentication).
+You may need to [configure the target resource to allow access from your application](/entra/identity/managed-identities-azure-resources/howto-assign-access-portal). For example, if you request a token to access Key Vault, make sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault are rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see [Azure services that can use managed identities to access other services](/entra/identity/managed-identities-azure-resources/managed-identities-status).
 
-Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machine. We recommend using Java SDK or spring boot starters to acquire a token.  See [How to use VM token](../active-directory/managed-identities-azure-resources/how-to-use-vm-token.md) for various code and script examples and guidance on important topics such as handling token expiration and HTTP errors.
+Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machine. We recommend using Java SDK or spring boot starters to acquire a token.  See [How to use VM token](/entra/identity/managed-identities-azure-resources/how-to-use-vm-token) for various code and script examples and guidance on important topics such as handling token expiration and HTTP errors.
 
 ## Disable system-assigned identity from an app
 
@@ -135,5 +135,5 @@ az ad sp show --id <object-ID> --query appId
 
 ## Next steps
 
-* [Learn more about managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md)
+* [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)
 * [How to use managed identities with Java SDK](https://github.com/Azure-Samples/azure-spring-apps-samples)

articles/spring-apps/how-to-manage-user-assigned-managed-identities.md

@@ -23,14 +23,14 @@ Managed identities for Azure resources provide an automatically managed identity
 
 ## Prerequisites
 
-- If you're unfamiliar with managed identities for Azure resources, see the [Managed identities for Azure resources overview section](../active-directory/managed-identities-azure-resources/overview.md).
+- If you're unfamiliar with managed identities for Azure resources, see [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)
 
 ::: zone pivot="sc-enterprise"
 
 - An already provisioned Azure Spring Apps Enterprise plan instance. For more information, see [Quickstart: Build and deploy apps to Azure Spring Apps using the Enterprise plan](quickstart-deploy-apps-enterprise.md).
 - [Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli).
 - [!INCLUDE [install-app-user-identity-extension](includes/install-app-user-identity-extension.md)]
-- At least one already provisioned user-assigned managed identity. For more information, see [Manage user-assigned managed identities](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md).
+- At least one already provisioned user-assigned managed identity. For more information, see [Manage user-assigned managed identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).
 
 ::: zone-end
 
@@ -39,7 +39,7 @@ Managed identities for Azure resources provide an automatically managed identity
 - An already provisioned Azure Spring Apps instance. For more information, see [Quickstart: Deploy your first application to Azure Spring Apps](./quickstart.md).
 - [Azure CLI version 2.45.0 or higher](/cli/azure/install-azure-cli).
 - [!INCLUDE [install-app-user-identity-extension](includes/install-app-user-identity-extension.md)]
-- At least one already provisioned user-assigned managed identity. For more information, see [Manage user-assigned managed identities](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md).
+- At least one already provisioned user-assigned managed identity. For more information, see [Manage user-assigned managed identities](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities).
 
 ::: zone-end
 
@@ -87,9 +87,9 @@ az spring app identity assign \
 
 An application can use its managed identity to get tokens to access other resources protected by Microsoft Entra ID, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application.
 
-You may need to configure the target resource to allow access from your application. For more information, see [Assign a managed identity access to a resource by using the Azure portal](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). For example, if you request a token to access Key Vault, be sure you've added an access policy that includes your application's identity. Otherwise, your calls to Key Vault are rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](../active-directory/managed-identities-azure-resources/services-azure-active-directory-support.md)
+You may need to configure the target resource to allow access from your application. For more information, see [Assign a managed identity access to a resource by using the Azure portal](/entra/identity/managed-identities-azure-resources/howto-assign-access-portal). For example, if you request a token to access Key Vault, be sure you've added an access policy that includes your application's identity. Otherwise, your calls to Key Vault are rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](/entra/identity/managed-identities-azure-resources/services-id-authentication-support)
 
-Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machines. We recommend using Java SDK or Spring Boot starters to acquire a token. For various code and script examples, and guidance on important topics such as handling token expiration and HTTP errors, see [How to use managed identities for Azure resources on an Azure VM to acquire an access token](../active-directory/managed-identities-azure-resources/how-to-use-vm-token.md).
+Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machines. We recommend using Java SDK or Spring Boot starters to acquire a token. For various code and script examples, and guidance on important topics such as handling token expiration and HTTP errors, see [How to use managed identities for Azure resources on an Azure VM to acquire an access token](/entra/identity/managed-identities-azure-resources/how-to-use-vm-token).
 
 ## Remove user-assigned managed identities from an existing app
 
@@ -123,5 +123,5 @@ For user-assigned managed identity limitations, see [Quotas and service plans fo
 
 ## Next steps
 
-- [Learn more about managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md)
+- [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)
 - [How to use managed identities with Java SDK](https://github.com/Azure-Samples/azure-spring-apps-samples)

articles/spring-apps/how-to-outbound-public-ip.md

@@ -51,5 +51,5 @@ az spring show --resource-group <group_name> --name <service_name> --query prope
 
 ## Next steps
 
-* [Learn more about managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md)
+* [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)
 * [Learn more about key vault in Azure Spring Apps](./tutorial-managed-identities-key-vault.md)

articles/spring-apps/how-to-set-up-sso-with-azure-ad.md

@@ -53,7 +53,7 @@ Register your application to establish a trust relationship between your app and
 1. In *Redirect URI (optional)* select **Web**, then enter the URL from the above section in the text box. The redirect URI is the location where Microsoft Entra ID redirects your client and sends security tokens after authentication.
 1. Select **Register** to finish registering the application.
 
-:::image type="content" source="./media/how-to-setup-sso-with-azure-ad/sso-create-app-registration.png" alt-text="Screenshot of how to fill out the Add App Registration screen." lightbox="./media/how-to-setup-sso-with-azure-ad/sso-create-app-registration.png":::
+:::image type="content" source="media/how-to-set-up-sso-with-azure-ad/sso-create-app-registration.png" alt-text="Screenshot of how to fill out the Add App Registration screen." lightbox="media/how-to-set-up-sso-with-azure-ad/sso-create-app-registration.png":::
 
 When registration finishes, you'll see the *Application (client) ID* on the **Overview** screen of the *App registrations** page.
 
@@ -65,9 +65,9 @@ You can also add redirect URIs after app registration by following these steps:
 1. Select **Web**, then select **Add URI** under *Redirect URIs*.
 1. Add a new redirect URI, then select **Save**.
 
-:::image type="content" source="./media/how-to-setup-sso-with-azure-ad/sso-redirect-uri.png" alt-text="Screenshot of adding a redirect U R I to the authentication screen." lightbox="./media/how-to-setup-sso-with-azure-ad/sso-redirect-uri.png":::
+:::image type="content" source="media/how-to-set-up-sso-with-azure-ad/sso-redirect-uri.png" alt-text="Screenshot of adding a redirect U R I to the authentication screen." lightbox="media/how-to-set-up-sso-with-azure-ad/sso-redirect-uri.png":::
 
-For more information on Application Registration, see [Quickstart: Register an app in the Microsoft identity platform ](../active-directory/develop/quickstart-register-app.md#quickstart-register-an-application-with-the-microsoft-identity-platform).
+For more information on Application Registration, see [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app).
 
 ## Add a client secret
 
@@ -83,7 +83,7 @@ The application uses a client secret to authenticate itself in SSO workflow. You
 
 ## Configure scope
 
-The `scope` property of SSO is a list of scopes to be included in JWT identity tokens. They're often referred to permissions. Identity platform supports several [OpenID Connect scopes](../active-directory/develop/v2-permissions-and-consent.md#openid-connect-scopes), such as `openid`, `email` and `profile`.
+The `scope` property of SSO is a list of scopes to be included in JWT identity tokens. They're often referred to permissions. Identity platform supports several OpenID Connect scopes, such as `openid`, `email` and `profile`. For more information, see the [OpenID Connect scopes](/entra/identity-platform/scopes-oidc#openid-connect-scopes) section of [Scopes and permissions in the Microsoft identity platform](/entra/identity-platform/scopes-oidc).
 
 ## Configure issuer URI
 

articles/spring-apps/how-to-use-managed-identities.md

@@ -38,7 +38,7 @@ For user-assigned managed identities, see [How to assign and remove user-assigne
 
 An application can use its managed identity to get tokens to access other resources protected by Microsoft Entra ID, such as Azure Key Vault. These tokens represent the application accessing the resource, not any specific user of the application.
 
-You can configure the target resource to allow access from your application. For more information, see [Assign a managed identity access to a resource by using the Azure portal](/entra/identity/managed-identities-azure-resources/howto-assign-access-portal). For example, if you request a token to access Key Vault, be sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](/entra/identity/managed-identities-azure-resources/services-id-authentication-support.
+You can configure the target resource to allow access from your application. For more information, see [Assign a managed identity access to a resource by using the Azure portal](/entra/identity/managed-identities-azure-resources/howto-assign-access-portal). For example, if you request a token to access Key Vault, be sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be rejected, even if they include the token. To learn more about which resources support Microsoft Entra tokens, see [Azure services that support Microsoft Entra authentication](/entra/identity/managed-identities-azure-resources/services-id-authentication-support).
 
 Azure Spring Apps shares the same endpoint for token acquisition with Azure Virtual Machines. We recommend using Java SDK or Spring Boot starters to acquire a token. For various code and script examples, as well as guidance on important topics like handling token expiration and HTTP errors, see [How to use managed identities for Azure resources on an Azure VM to acquire an access token](/entra/identity/managed-identities-azure-resources/how-to-use-vm-token).
 
@@ -75,5 +75,5 @@ The following table shows the mappings between concepts in Managed Identity scop
 
 ## Next steps
 
-- [Learn more about managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview)
+- [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview)
 - [How to use managed identities with Java SDK](https://github.com/Azure-Samples/azure-spring-apps-samples)