> Please note this process is used in emergency situations when all other troubleshooting options via Azure have been exhausted. SSH access to these bare metal machines is restricted to users managed via this method from the specified jump host list.
16
16
17
-
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways using Azure have been exhausted. Operator Nexus provides the `az networkcloud cluster bmckeyset` command so users can manage SSH access to the baseboard management controller (BMC) on these bare metal machines. On keyset creation, users are validated against Microsoft Entra ID for proper authorization by cross referencing the User Principal Name provided for a user against the supplied Azure Group ID `--azure-group-id <Azure AAD Group ID>`.
17
+
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways using Azure have been exhausted. Operator Nexus provides the `az networkcloud cluster bmckeyset` command so users can manage SSH access to the baseboard management controller (BMC) on these bare metal machines. On keyset creation, users are validated against Microsoft Entra ID for proper authorization by cross referencing the User Principal Name provided for a user against the supplied Azure Group ID `--azure-group-id <Entra Group ID>`.
18
+
19
+
If an Azure Group ID is invalid on creation or update, each user supplied will have their Status set to `Invalid` and a corresponding Status Message of "AAD group doesn't exist."
20
+
21
+
> [!CAUTION]
22
+
> In the scenario where an invalid Group ID is given, current implementation does not handle a list of users with a mixture of supplied and empty UPNs. In the scenario where UPNs are only supplied for some users, all users in the list will be marked `Invalid`. It is recommended to either specify UPNs for all users during keyset creation or update. However if Group ID validation needs to be ignored, do not supply an UPN for any user.
18
23
19
24
> [!NOTE]
20
-
> Not supplying a UPN is currently supported during keyset creation and update. However in a future release enforcement of AAD validation is planned and if a UPN is not supplied for a user on keyset creation/update the userwill marked invalid. A user marked invalid does not get deleted but, the user and the matching keyset will no longer be able to be used for SSH access. It is suggested that begin to follow steps to update or re-create keysets supplying UPN for users.
25
+
> Not supplying a UPN is currently supported during keyset creation and update. In a future release, enforcement of AAD validation is planned. If an UPN is not supplied for a user on keyset creation/update, the user's Status will be set to `Invalid` and have a StatusMessage set to "Invalid because user does not have a UserPrincipalName specified in BareMetalMachineKeySet". A user marked invalid does not get deleted but, the user and the matching keyset will no longer be viable for SSH access. It is suggested to follow the steps to update or re-create keysets with UPN supplied for users.
21
26
22
27
When the command runs, it executes on each bare metal machine in the Cluster with an active Kubernetes node. There's a reconciliation process that runs periodically that retries the command on any bare metal machine that wasn't available at the time of the original command. Also, any bare metal machine that returns to the cluster via an `az networkcloud baremetalmachine actionreimage` or `az networkcloud baremetalmachine actionreplace` command (see [BareMetal functions](./howto-baremetal-functions.md)) sends a signal causing any active keysets to be sent to the machine as soon as it returns to the cluster. Multiple commands execute in the order received.
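Review bot: the added CAUTION in this hunk has a dangling "either" ("It is recommended to either specify UPNs for all users during keyset creation or update.") and uses "an UPN" twice; suggest "It is recommended to specify UPNs for all users during keyset creation or update. If Group ID validation must be skipped, do not supply a UPN for any user." Two further points in the same hunk: the CAUTION presents omitting every UPN as the way to skip Group ID validation, while the rewritten NOTE says a future release will mark any user without a UPN `Invalid`, so the CAUTION should point at the NOTE rather than read as a lasting workaround; and the NOTE's quoted StatusMessage ends with "specified in BareMetalMachineKeySet" even though this file documents `az networkcloud cluster bmckeyset`, so verify the exact string the BMC keyset resource emits (the baremetalmachinekeyset file's version of the same sentence in this PR ends at "specified"). Minor: "does not get deleted but, the user" should read "does not get deleted, but the user".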
> Please note this process is used in emergency situations when all other troubleshooting options using Azure have been exhausted. SSH access to these bare metal machines is restricted to users managed via this method from the specified jump host list.
16
16
17
-
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways have been exhausted via Azure. Azure Operator Nexus provides the `az networkcloud cluster baremetalmachinekeyset` command so users can manage SSH access to these bare metal machines. On keyset creation, users are validated against Microsoft Entra ID for proper authorization by cross referencing the User Principal Name provided for a user against the supplied Azure Group ID `--azure-group-id <Azure AAD Group ID>`.
17
+
There are rare situations where a user needs to investigate & resolve issues with a bare metal machine and all other ways have been exhausted via Azure. Azure Operator Nexus provides the `az networkcloud cluster baremetalmachinekeyset` command so users can manage SSH access to these bare metal machines. On keyset creation, users are validated against Microsoft Entra ID for proper authorization by cross referencing the User Principal Name provided for a user against the supplied Microsoft Entra ID `--azure-group-id <Entra Group ID>`.
18
+
19
+
If a Microsoft Entra Group ID is invalid on creation or update, each user supplied will have their Status set to `Invalid` and a corresponding Status Message of "AAD group doesn't exist."
20
+
21
+
> [!CAUTION]
22
+
> In the scenario where an invalid Group ID is given, current implementation does not handle a list of users with a mixture of supplied and empty UPNs. In the scenario where UPNs are only supplied for some users, all users in the list will be marked `Invalid`. It is recommended to either specify UPNs for all users during keyset creation or update. However if Group ID validation needs to be ignored, do not supply an UPN for any user.
18
23
19
24
> [!NOTE]
20
-
> Not supplying a UPN is currently supported during keyset creation and update. However in a future release enforcement of AAD validation is planned and if a UPN is not supplied for a user on keyset creation/update the userwill marked invalid. A user marked invalid does not get deleted but, the user and the matching keyset will no longer be able to be used for SSH access. It is suggested that begin to follow steps to update or re-create keysets supplying UPN for users.
25
+
> Not supplying a UPN is currently supported during keyset creation and update. In a future release, enforcement of AAD validation is planned. If an UPN is not supplied for a user on keyset creation/update, the user's Status will be set to `Invalid` and have a StatusMessage set to "Invalid because user does not have a UserPrincipalName specified". A user marked invalid does not get deleted but, the user and the matching keyset will no longer be viable for SSH access. It is suggested to follow the steps to update or re-create keysets with UPN supplied for users.
21
26
22
27
When the command runs, it executes on each bare metal machine in the Cluster with an active Kubernetes node. There's a reconciliation process that runs periodically that retries the command on any bare metal machine that wasn't available at the time of the original command. Also, any bare metal machine that returns to the cluster via an `az networkcloud baremetalmachine actionreimage` or `az networkcloud baremetalmachine actionreplace` command (see [BareMetal functions](./howto-baremetal-functions.md)) sends a signal causing any active keysets to be sent to the machine as soon as it returns to the cluster. Multiple commands execute in the order received.
23
28
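Review bot: the added paragraph in this hunk says users are validated "against the supplied Microsoft Entra ID `--azure-group-id <Entra Group ID>`", but the value passed to `--azure-group-id` is a group ID, not an Entra ID, and the next added line already calls it a "Microsoft Entra Group ID"; suggest "against the supplied Microsoft Entra Group ID `--azure-group-id <Entra Group ID>`". The same grammar fixes as in the bmckeyset file apply to the CAUTION and NOTE here (dangling "either", "an UPN" to "a UPN", "deleted but, the user" to "deleted, but the user"), and the CAUTION's advice to omit UPNs when Group ID validation "needs to be ignored" should cross-reference the NOTE's statement that such users will be marked `Invalid` once enforcement ships, so readers do not adopt the no-UPN pattern as a standing configuration.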
@@ -58,7 +63,7 @@ az networkcloud cluster baremetalmachinekeyset create \
58
63
--extended-location name=<Extended Location ARM ID> \
59
64
type="CustomLocation" \
60
65
--location <Azure Region> \
61
-
--azure-group-id <Azure AAD Group ID> \
66
+
--azure-group-id <Azure Group ID> \
62
67
--expiration <Expiration Timestamp> \
63
68
--jump-hosts-allowed <List of jump server IP addresses> \
64
69
--os-group-name <Name of the Operating System Group> \
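Review bot: the placeholder introduced on the `--azure-group-id` line, `<Azure Group ID>`, does not match the `<Entra Group ID>` placeholder used for the same parameter in this file's prose hunk above (where the prose also calls it a "Microsoft Entra Group ID"); pick one placeholder, e.g. `--azure-group-id <Entra Group ID> \`, so a reader searching the document for the parameter finds a single name. Only the prose of the bmckeyset document is touched in this diff; check whether its own `create` example still carries the old `<Azure AAD Group ID>` placeholder and rename it in the same PR if so.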