Commit 583d6f6

Author: Eduardo Rivera (committed)
clarifying wording around statuses
1 parent 69fa878 commit 583d6f6

2 files changed: +4 -10 lines


articles/operator-nexus/howto-baremetal-bmc-ssh.md

Lines changed: 2 additions & 5 deletions
@@ -16,13 +16,10 @@ ms.custom: template-how-to, devx-track-azurecli
1616
1717
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways using Azure have been exhausted. Operator Nexus provides the `az networkcloud cluster bmckeyset` command so users can manage SSH access to the baseboard management controller (BMC) on these bare metal machines. On keyset creation, users are validated against Microsoft Entra ID for proper authorization by cross referencing the User Principal Name provided for a user against the supplied Azure Group ID `--azure-group-id <Entra Group ID>`.
1818

19-
If an Azure Group ID is invalid on creation or update, each user supplied will have their Status set to `Invalid` and a corresponding Status Message of "AAD group doesn't exist."
20-
21-
> [!CAUTION]
22-
> In the scenario where an invalid Group ID is given, current implementation does not handle a list of users with a mixture of supplied and empty UPNs. In the scenario where UPNs are only supplied for some users, all users in the list will be marked `Invalid`. It is recommended to either specify UPNs for all users during keyset creation or update. However if Group ID validation needs to be ignored, do not supply an UPN for any user.
19+
If the User Principal Name for a user isn't a member of the supplied group, the user's status is set to 'Invalid', and their status message will say "Invalid because userPrincipal isn't a member of AAD group." If the Azure Group ID is invalid, each user in the keyset has their status set to 'Invalid' and their status message will say "AAD group doesn't exist." Invalid users remain in the keyset but their key won't be enabled for SSH access.
2320

2421
> [!NOTE]
25-
> Not supplying a UPN is currently supported during keyset creation and update. In a future release, enforcement of AAD validation is planned. If an UPN is not supplied for a user on keyset creation/update, the user's Status will be set to `Invalid` and have a StatusMessage set to "Invalid because user does not have a UserPrincipalName specified in BareMetalMachineKeySet". A user marked invalid does not get deleted but, the user and the matching keyset will no longer be viable for SSH access. It is suggested to follow the steps to update or re-create keysets with UPN supplied for users.
22+
> There is currently a transitional period where specifying User Principal Names is optional. In a future release, it will become mandatory and Microsoft Entra ID validation will be enforced for all users. Users are encouraged to add User Principal Names to their keysets before the transitional period ends (planned for July 2024) to avoid keysets being invalidated. Note that if any User Principal Names are added to a keyset, even if they are not added for all users, Microsoft Entra ID validation will be enabled, and this will result in the entire keyset being invalidated if the Group ID specified is not valid.
2623
2724
When the command runs, it executes on each bare metal machine in the Cluster with an active Kubernetes node. There's a reconciliation process that runs periodically that retries the command on any bare metal machine that wasn't available at the time of the original command. Also, any bare metal machine that returns to the cluster via an `az networkcloud baremetalmachine actionreimage` or `az networkcloud baremetalmachine actionreplace` command (see [BareMetal functions](./howto-baremetal-functions.md)) sends a signal causing any active keysets to be sent to the machine as soon as it returns to the cluster. Multiple commands execute in the order received.
2825
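Review bot: the new note at line 22 says Microsoft Entra ID validation is enabled only when at least one User Principal Name is present, which means a keyset with no UPNs skips the group-membership check entirely and grants BMC SSH access on the supplied key alone; the removed caution stated this directly ("if Group ID validation needs to be ignored, do not supply an UPN for any user"), and the replacement should keep that warning rather than leave it implicit. On the same hunk, the new line 19 drops the "on creation or update" qualifier the removed line 19 carried, so it no longer says whether an update re-runs the group check, and line 22's "the entire keyset being invalidated" should be reconciled with line 19's "Invalid users remain in the keyset but their key won't be enabled", since the two describe the same outcome in different terms. Style: line 19 quotes the status as 'Invalid' where line 17 and the removed lines use backticks (`Invalid`); keep backticks.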

articles/operator-nexus/howto-baremetal-bmm-ssh.md

Lines changed: 2 additions & 5 deletions
@@ -16,13 +16,10 @@ ms.custom: template-how-to, devx-track-azurecli
1616
1717
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways have been exhausted via Azure. Azure Operator Nexus provides the `az networkcloud cluster baremetalmachinekeyset` command so users can manage SSH access to these bare metal machines. On keyset creation, users are validated against Microsoft Entra ID for proper authorization by cross referencing the User Principal Name provided for a user against the supplied Microsoft Entra ID `--azure-group-id <Entra Group ID>`.
1818

19-
If a Microsoft Entra Group ID is invalid on creation or update, each user supplied will have their Status set to `Invalid` and a corresponding Status Message of "AAD group doesn't exist."
20-
21-
> [!CAUTION]
22-
> In the scenario where an invalid Group ID is given, current implementation does not handle a list of users with a mixture of supplied and empty UPNs. In the scenario where UPNs are only supplied for some users, all users in the list will be marked `Invalid`. It is recommended to either specify UPNs for all users during keyset creation or update. However if Group ID validation needs to be ignored, do not supply an UPN for any user.
19+
If the User Principal Name for a user isn't a member of the supplied group, the user's status is set to 'Invalid', and their status message will say "Invalid because userPrincipal isn't a member of AAD group." If the Azure Group ID is invalid, each user in the keyset will have their status set to 'Invalid' and their status message will say "AAD group doesn't exist." Invalid users remain in the keyset but their key won't be enabled for SSH access.
2320

2421
> [!NOTE]
25-
> Not supplying a UPN is currently supported during keyset creation and update. In a future release, enforcement of AAD validation is planned. If an UPN is not supplied for a user on keyset creation/update, the user's Status will be set to `Invalid` and have a StatusMessage set to "Invalid because user does not have a UserPrincipalName specified". A user marked invalid does not get deleted but, the user and the matching keyset will no longer be viable for SSH access. It is suggested to follow the steps to update or re-create keysets with UPN supplied for users.
22+
> There is currently a transitional period where specifying User Principal Names is optional. In a future release, it will become mandatory and Microsoft Entra ID validation will be enforced for all users. Users are encouraged to add User Principal Names to their keysets before the transitional period ends (planned for July 2024) to avoid keysets being invalidated. Note that if any User Principal Names are added to a keyset, even if they are not added for all users, Microsoft Entra ID validation will be enabled, and this will result in the entire keyset being invalidated if the Group ID specified is not valid.
2623
2724
When the command runs, it executes on each bare metal machine in the Cluster with an active Kubernetes node. There's a reconciliation process that runs periodically that retries the command on any bare metal machine that wasn't available at the time of the original command. Also, any bare metal machine that returns to the cluster via an `az networkcloud baremetalmachine actionreimage` or `az networkcloud baremetalmachine actionreplace` command (see [BareMetal functions](./howto-baremetal-functions.md)) sends a signal causing any active keysets to be sent to the machine as soon as it returns to the cluster. Multiple commands execute in the order received.
2825
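Review bot: the removed line 25 said a user without a UPN is marked `Invalid` with the message "Invalid because user does not have a UserPrincipalName specified", while the new line 22 says UPNs are optional during the transitional period and no longer states what status a UPN-less user gets; both cannot hold, so the note should say which behaviour is current. The same paragraph in howto-baremetal-bmc-ssh.md reads "each user in the keyset has their status set" where this file's line 19 reads "each user in the keyset will have their status set"; align the two copies, ideally by keeping one sentence verbatim in both. The hard "planned for July 2024" date in line 22 will go stale in a published how-to; consider tying the end of the transitional period to a release note instead. Style: use backticks for `Invalid` as line 17 and the removed lines do, not single quotes.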
