
Commit 6da876d

Merge pull request #254445 from alexbuckgit/alexbuckgit/docutune-autopr-20231010-210011-7888089-ignore-build
[BULK] DocuTune - Updates to Azure AD rebranding guidance and DocuTune configuration (part 59)
2 parents 1ed04b8 + 9b74108 commit 6da876d

30 files changed

+100
-83
lines changed

articles/cosmos-db/analytical-store-private-endpoints.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -119,7 +119,7 @@ To configure network isolation for this account from a Synapse workspace:
119119
```
120120

121121
> [!NOTE]
122-
> Azure Cosmos DB account and Azure Synapse Analytics workspace should be under same Azure Active Directory (AD) tenant.
122+
> Azure Cosmos DB account and Azure Synapse Analytics workspace should be under same Microsoft Entra tenant.
123123
124124
2. You can now access the account from serverless SQL pools, using T-SQL queries over Azure Synapse Link. However, to ensure network isolation for the data in analytical store, you must add an **analytical** managed private endpoint for this account. Otherwise, the data in the analytical store will not be blocked from public access.
125125
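Review bot: Missing articles in the rebranded note at line 122: "Azure Cosmos DB account and Azure Synapse Analytics workspace should be under same Microsoft Entra tenant" reads as a fragment. Suggest `> The Azure Cosmos DB account and the Azure Synapse Analytics workspace should be in the same Microsoft Entra tenant.` ("in the same tenant" is the usual phrasing for tenant membership).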

articles/cosmos-db/cmk-troubleshooting-guide.md

Lines changed: 4 additions & 2 deletions
@@ -35,11 +35,13 @@ Another option is to create a new identity with [the expected permission](./how-
3535

3636
After assigning the permissions, wait upwards to one hour for the account to stop being in revoke state. If the issue isn't resolved after more than two hours, contact customer service.
3737

38-
## Azure Active Directory Token Acquisition error
38+
<a name='azure-active-directory-token-acquisition-error'></a>
39+
40+
## Microsoft Entra Token Acquisition error
3941

4042
### Reason for error?
4143

42-
You see this error when Azure Cosmos DB is unable to obtain the default's identity Microsoft Azure Active Directory access token. The token is used for communicating with the Azure Key Vault in order to wrap and unwrap the data encryption key.
44+
You see this error when Azure Cosmos DB is unable to obtain the default's identity Microsoft Entra access token. The token is used for communicating with the Azure Key Vault in order to wrap and unwrap the data encryption key.
4345

4446
### Troubleshooting
4547
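Review bot: The rebranded sentence at line 44 carries over the misplaced possessive "the default's identity Microsoft Entra access token"; the token belongs to the account's default identity, so it should read "the default identity's Microsoft Entra access token". Suggest `You see this error when Azure Cosmos DB is unable to obtain a Microsoft Entra access token for the account's default identity. The token is used to communicate with Azure Key Vault in order to wrap and unwrap the data encryption key.` Adding the `<a name='azure-active-directory-token-acquisition-error'></a>` anchor at line 38 before renaming the heading is the right way to keep existing deep links working.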

articles/cosmos-db/continuous-backup-restore-permissions.md

Lines changed: 1 addition & 1 deletion
@@ -103,7 +103,7 @@ This operation is currently not supported.
103103

104104
## <a id="custom-restorable-action"></a>Custom role creation for restore action with CLI
105105

106-
The subscription owner can provide the permission to restore to any other Azure AD identity. The restore permission is based on the action: `Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action`, and it should be included in their restore permission. There is a built-in role called *CosmosRestoreOperator* that has this role included. You can either assign the permission using this built-in role or create a custom role.
106+
The subscription owner can provide the permission to restore to any other Microsoft Entra identity. The restore permission is based on the action: `Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action`, and it should be included in their restore permission. There is a built-in role called *CosmosRestoreOperator* that has this role included. You can either assign the permission using this built-in role or create a custom role.
107107

108108
The RestorableAction below represents a custom role. You have to explicitly create this role. The following JSON template creates a custom role *RestorableAction* with restore permission:
109109
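Review bot: Line 106 says the built-in role *CosmosRestoreOperator* "has this role included", but what the role includes is the action `Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action`, so this should be "has this action included". The preceding clause "and it should be included in their restore permission" is also circular. Suggest `The restore permission is granted through the action \`Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action\`. The built-in role *CosmosRestoreOperator* includes this action; you can either assign that built-in role or create a custom role that includes the action.`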

articles/cosmos-db/data-explorer.md

Lines changed: 1 addition & 1 deletion
@@ -43,7 +43,7 @@ To open Azure Cosmos DB Explorer from the Azure portal:
4343

4444
Currently, viewing documents that contain a UUID isn't supported in Data Explorer. This limitation doesn't affect loading collections, only viewing individual documents or queries that include these documents. To view and manage these documents, users should continue to use the tool that was originally used to create these documents.
4545

46-
Customers receiving HTTP-401 errors may be due to insufficient Azure RBAC permissions for your Azure account, particularly if the account has a custom role. Any custom roles must have `Microsoft.DocumentDB/databaseAccounts/listKeys/*` action to use Data Explorer if signing in using their Azure Active Directory credentials.
46+
Customers receiving HTTP-401 errors may be due to insufficient Azure RBAC permissions for your Azure account, particularly if the account has a custom role. Any custom roles must have `Microsoft.DocumentDB/databaseAccounts/listKeys/*` action to use Data Explorer if signing in using their Microsoft Entra credentials.
4747

4848
## Next steps
4949
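Review bot: Line 46 has a dangling subject: "Customers receiving HTTP-401 errors may be due to insufficient Azure RBAC permissions" makes the customers the cause of the error. Suggest `HTTP 401 errors in Data Explorer are often caused by insufficient Azure RBAC permissions on your Azure account, particularly when a custom role is used. A custom role must include the \`Microsoft.DocumentDB/databaseAccounts/listKeys/*\` action for Data Explorer to work when you sign in with Microsoft Entra credentials.` Since `listKeys` returns the account keys, a custom role that carries this action effectively grants full data access to the account rather than only Data Explorer access; readers designing least-privilege roles should know that before adding it.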

articles/cosmos-db/faq.yml

Lines changed: 1 addition & 1 deletion
@@ -95,7 +95,7 @@ sections:
9595
9696
The following conditions apply to Try Azure Cosmos DB subscriptions:
9797
98-
* Account access can be granted to personal Microsoft accounts (MSA). Avoid using Azure Active Directory (Azure AD) accounts or accounts belonging to corporate Azure AD Tenants, they might have limitations in place that could block access granting.
98+
* Account access can be granted to personal Microsoft accounts (MSA). Avoid using Microsoft Entra accounts or accounts belonging to corporate Microsoft Entra tenants, they might have limitations in place that could block access granting.
9999
* One [throughput provisioned container](./set-throughput.md#set-throughput-on-a-container) per subscription for API for NoSQL, Gremlin, and Table accounts.
100100
* Up to three [throughput provisioned collections](./set-throughput.md#set-throughput-on-a-container) per subscription for MongoDB accounts.
101101
* One [throughput provisioned database](./set-throughput.md#set-throughput-on-a-database) per subscription. Throughput provisioned databases can contain any number of containers inside.
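Review bot: Comma splice at line 98: "...corporate Microsoft Entra tenants, they might have limitations in place..." needs to be two sentences or joined with "because". With the "(Azure AD)" gloss gone, "Microsoft Entra accounts" on its own is also vague for a Try Azure Cosmos DB audience. Suggest `* Account access can be granted to personal Microsoft accounts (MSA). Avoid using work or school accounts that belong to a corporate Microsoft Entra tenant, because tenant policies might block the access grant.`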

articles/cosmos-db/how-to-always-encrypted.md

Lines changed: 4 additions & 4 deletions
@@ -72,12 +72,12 @@ The first step to get started with Always Encrypted is to create your CMKs in Az
7272
1. Create a new key in the **Keys** section.
7373
1. Once the key is created, browse to its current version, and copy its full key identifier:<br>`https://<my-key-vault>.vault.azure.net/keys/<key>/<version>`. If you omit the key version at the end of the key identifier, the latest version of the key is used.
7474

75-
Next, you need to configure how the Azure Cosmos DB SDK will access your Azure Key Vault instance. This authentication is done through an Azure Active Directory (AD) identity. Most likely, you'll use the identity of an Azure AD application or a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) as the proxy between your client code and your Azure Key Vault instance, although any kind of identity could be used. Use the following steps to use your Azure AD identity as the proxy:
75+
Next, you need to configure how the Azure Cosmos DB SDK will access your Azure Key Vault instance. This authentication is done through a Microsoft Entra identity. Most likely, you'll use the identity of a Microsoft Entra application or a [managed identity](../active-directory/managed-identities-azure-resources/overview.md) as the proxy between your client code and your Azure Key Vault instance, although any kind of identity could be used. Use the following steps to use your Microsoft Entra identity as the proxy:
7676

7777
1. From your Azure Key Vault instance, browse to the **Access policies** section, and add a new policy:
7878

7979
1. In **Key permissions**, select **Get**, **List**, **Unwrap Key**, **Wrap Key**, **Verify** and **Sign**.
80-
1. In **Select principal**, search for your Azure AD identity.
80+
1. In **Select principal**, search for your Microsoft Entra identity.
8181

8282
### Protect your CMK from accidental deletion
8383

@@ -103,7 +103,7 @@ If you're using an existing Azure Key Vault instance, you can verify that these
103103

104104
To use Always Encrypted, an instance of a `KeyResolver` must be attached to your Azure Cosmos DB SDK instance. This class, defined in the `Azure.Security.KeyVault.Keys.Cryptography` namespace, is used to interact with the key store hosting your CMKs.
105105

106-
The following snippets use the `DefaultAzureCredential` class to retrieve the Azure AD identity to use when accessing your Azure Key Vault instance. You can find examples of creating different kinds of `TokenCredential` classes [here](/dotnet/api/overview/azure/identity-readme#credential-classes).
106+
The following snippets use the `DefaultAzureCredential` class to retrieve the Microsoft Entra identity to use when accessing your Azure Key Vault instance. You can find examples of creating different kinds of `TokenCredential` classes [here](/dotnet/api/overview/azure/identity-readme#credential-classes).
107107

108108
> [!NOTE]
109109
> You will need the additional [Azure.Identity package](https://www.nuget.org/packages/Azure.Identity/) to access the `TokenCredential` classes.
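Review bot: "retrieve the Microsoft Entra identity" at line 106 describes `DefaultAzureCredential` loosely; it returns a `TokenCredential` that acquires tokens on behalf of whatever identity the environment supplies, not an identity object. Suggest `The following snippets use the \`DefaultAzureCredential\` class to obtain a \`TokenCredential\` for the Microsoft Entra identity that will access your Azure Key Vault instance.`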
@@ -119,7 +119,7 @@ var client = new CosmosClient("<connection-string>")
119119

120120
To use Always Encrypted, an instance of a `KeyEncryptionKeyClientBuilder` must be attached to your Azure Cosmos DB SDK instance. This class, defined in the `com.azure.security.keyvault.keys.cryptography` namespace, is used to interact with the key store hosting your CMKs.
121121

122-
The following snippets use the `DefaultAzureCredential` class to retrieve the Azure AD identity to use when accessing your Azure Key Vault instance. You can find examples of creating different kinds of `TokenCredential` classes [here](/java/api/overview/azure/identity-readme#credential-classes).
122+
The following snippets use the `DefaultAzureCredential` class to retrieve the Microsoft Entra identity to use when accessing your Azure Key Vault instance. You can find examples of creating different kinds of `TokenCredential` classes [here](/java/api/overview/azure/identity-readme#credential-classes).
123123

124124
```java
125125
TokenCredential tokenCredential = new DefaultAzureCredentialBuilder()
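Review bot: Line 122 has the same "retrieve the Microsoft Entra identity" wording as the .NET paragraph and should get the same fix. Separately, both the .NET and Java snippets present `DefaultAzureCredential` as the way to reach the vault that holds the CMKs; since `DefaultAzureCredential` probes a chain of credential sources, the page should add a one-line caveat that production code wrapping and unwrapping data encryption keys should pin a specific `TokenCredential` class (for example a managed identity credential) so the identity used is deterministic and auditable. The linked credential-classes page already lists the alternatives, so a pointer to it is enough.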

articles/cosmos-db/how-to-restrict-user-data.md

Lines changed: 6 additions & 4 deletions
@@ -15,7 +15,7 @@ ms.custom: devx-track-azurepowershell, ignite-2022
1515

1616
In Azure Cosmos DB, there are two ways to authenticate your interactions with the database service:
1717

18-
- using your Azure Active Directory identity when interacting with the Azure portal,
18+
- using your Microsoft Entra identity when interacting with the Azure portal,
1919
- using Azure Cosmos DB [keys](database-security.md#primary-keys) or [resource tokens](secure-access-to-data.md#resource-tokens) when issuing calls from APIs and SDKs.
2020

2121
Each authentication method gives access to different sets of operations, with some overlap:
@@ -25,7 +25,7 @@ Each authentication method gives access to different sets of operations, with so
2525
In some scenarios, you may want to restrict some users of your organization to perform data operations (that is CRUD requests and queries) only. This is typically the case for developers who don't need to create or delete resources, or change the provisioned throughput of the containers they are working on.
2626

2727
You can restrict the access by applying the following steps:
28-
1. Creating a custom Azure Active Directory role for the users whom you want to restrict access. The custom Active Directory role should have fine-grained access level to operations using Azure Cosmos DB's [granular actions](../role-based-access-control/resource-provider-operations.md#microsoftdocumentdb).
28+
1. Creating a custom Microsoft Entra role for the users whom you want to restrict access. The custom Active Directory role should have fine-grained access level to operations using Azure Cosmos DB's [granular actions](../role-based-access-control/resource-provider-operations.md#microsoftdocumentdb).
2929
1. Disallowing the execution of non-data operations with keys. You can achieve this by restricting these operations to Azure Resource Manager calls only.
3030

3131
The next sections of this article show how to perform these steps.
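Review bot: Line 28 is only half rebranded: the first sentence now says "custom Microsoft Entra role" while the second still says "The custom Active Directory role". Both names are also inaccurate for what the article builds: a role defined from `Microsoft.DocumentDB` granular actions and assigned through Azure custom roles is an Azure RBAC custom role, not a Microsoft Entra directory role. Suggest `1. Creating a custom Azure role for the users whose access you want to restrict. The custom role should grant fine-grained access to operations using Azure Cosmos DB's [granular actions](../role-based-access-control/resource-provider-operations.md#microsoftdocumentdb).`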
@@ -48,9 +48,11 @@ Login-AzAccount
4848
Select-AzSubscription $MySubscriptionId
4949
```
5050

51-
## Create the custom Azure Active Directory role
51+
<a name='create-the-custom-azure-active-directory-role'></a>
5252

53-
The following script creates an Azure Active Directory role assignment with "Key Only" access for Azure Cosmos DB accounts. The role is based on [Azure custom roles](../role-based-access-control/custom-roles.md) and [Granular actions for Azure Cosmos DB](../role-based-access-control/resource-provider-operations.md#microsoftdocumentdb). These roles and actions are part of the `Microsoft.DocumentDB` Azure Active Directory namespace.
53+
## Create the custom Microsoft Entra role
54+
55+
The following script creates a Microsoft Entra role assignment with "Key Only" access for Azure Cosmos DB accounts. The role is based on [Azure custom roles](../role-based-access-control/custom-roles.md) and [Granular actions for Azure Cosmos DB](../role-based-access-control/resource-provider-operations.md#microsoftdocumentdb). These roles and actions are part of the `Microsoft.DocumentDB` Microsoft Entra namespace.
5456

5557
1. First, create a JSON document named `AzureCosmosKeyOnlyAccess.json` with the following content:
5658

articles/cosmos-db/how-to-setup-cross-tenant-customer-managed-keys.md

Lines changed: 1 addition & 1 deletion
@@ -43,7 +43,7 @@ Deploy an ARM template with the following specific parameters:
4343
| --- | --- | --- |
4444
| `keyVaultKeyUri` | Identifier of the customer-managed key residing in the service provider's key vault. | `https://my-vault.vault.azure.com/keys/my-key` |
4545
| `identity` | Object specifying that the managed identity should be assigned to the Azure Cosmos DB account. | `"identity":{"type":"UserAssigned","userAssignedIdentities":{"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity":{}}}` |
46-
| `defaultIdentity` | Combination of the resource ID of the managed identity and the application ID of the multi-tenant Azure Active Directory application. | `UserAssignedIdentity=/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity&FederatedClientId=11111111-1111-1111-1111-111111111111` |
46+
| `defaultIdentity` | Combination of the resource ID of the managed identity and the application ID of the multi-tenant Microsoft Entra application. | `UserAssignedIdentity=/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity&FederatedClientId=11111111-1111-1111-1111-111111111111` |
4747

4848
Here's an example of a template segment with the three parameters configured:
4949
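Review bot: Not touched by this change but visible in the context at line 44: the `keyVaultKeyUri` example `https://my-vault.vault.azure.com/keys/my-key` uses the wrong DNS suffix; Azure Key Vault identifiers end in `vault.azure.net`, as the Always Encrypted article in this same pull request shows (`https://<my-key-vault>.vault.azure.net/keys/<key>/<version>`). Worth correcting to `https://my-vault.vault.azure.net/keys/my-key` while the file is being edited, since readers copy these examples into ARM templates.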

articles/cosmos-db/how-to-setup-customer-managed-keys-existing-accounts.md

Lines changed: 1 addition & 1 deletion
@@ -57,7 +57,7 @@ For enabling CMK on existing account that has continuous backup and point in tim
5757
5858

5959

60-
1. Configure managed identity to your cosmos account [Configure managed identities with Azure AD for your Azure Cosmos DB account](./how-to-setup-managed-identity.md)
60+
1. Configure managed identity to your cosmos account [Configure managed identities with Microsoft Entra ID for your Azure Cosmos DB account](./how-to-setup-managed-identity.md)
6161

6262
1. Update cosmos account to set default identity to point to managed identity added in previous step
6363
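Review bot: Line 60 runs the instruction straight into the link text ("Configure managed identity to your cosmos account [Configure managed identities with Microsoft Entra ID for your Azure Cosmos DB account]"), so it reads as one doubled sentence. Suggest `1. Configure a managed identity for your Azure Cosmos DB account. See [Configure managed identities with Microsoft Entra ID for your Azure Cosmos DB account](./how-to-setup-managed-identity.md).` and use "Azure Cosmos DB account" rather than "cosmos account" to match the rest of the page.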

articles/cosmos-db/how-to-setup-customer-managed-keys.md

Lines changed: 1 addition & 2 deletions
@@ -352,7 +352,7 @@ az cosmosdb show \
352352

353353
## Using a managed identity in the Azure Key Vault access policy
354354

355-
This access policy ensures that your encryption keys can be accessed by your Azure Cosmos DB account. The access policy is implemented by granting access to a specific Azure Active Directory (AD) identity. Two types of identities are supported:
355+
This access policy ensures that your encryption keys can be accessed by your Azure Cosmos DB account. The access policy is implemented by granting access to a specific Microsoft Entra identity. Two types of identities are supported:
356356

357357
- Azure Cosmos DB's first-party identity can be used to grant access to the Azure Cosmos DB service.
358358
- Your Azure Cosmos DB account's [managed identity](how-to-setup-managed-identity.md) can be used to grant access to your account specifically.
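Review bot: The rebranded sentence at line 355 is fine, but the two bullets that follow it state the scope difference without drawing the conclusion: granting the Key Vault access policy to Azure Cosmos DB's first-party identity authorizes the service, while granting it to the account's managed identity authorizes only that account. Suggest adding one sentence recommending the account's managed identity as the default choice for least privilege, with the first-party identity as the option for accounts that have no managed identity configured.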
@@ -751,4 +751,3 @@ Steps to assign a new managed-identity:
751751
## Next steps
752752

753753
- Learn more about [data encryption in Azure Cosmos DB](database-encryption-at-rest.md).
754-
