Commit 92745ba

Merge pull request #218272 from vivgk/aad-ga-edits1
Merge pull request #218247
2 parents 6c570e6 + dbd49e6 commit 92745ba

2 files changed

+18
-17
lines changed

articles/mysql/flexible-server/concepts-azure-ad-authentication.md

Lines changed: 16 additions & 9 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: Active Directory authentication - Azure Database for MySQL - Flexible Server Preview
2+
title: Active Directory authentication - Azure Database for MySQL - Flexible Server
33
description: Learn about the concepts of Azure Active Directory for authentication with Azure Database for MySQL flexible server
44
author: vivgk
55
ms.author: vivgk
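Review bot: the new title (line 2+) still reads "Active Directory authentication" while the companion how-to in this same PR is titled "Set up Azure Active Directory authentication" and the body of this article uses "Azure Active Directory (Azure AD) authentication"; since "Preview" is being dropped anyway, this is the moment to make the title "Azure Active Directory authentication - Azure Database for MySQL - Flexible Server" so search results and the TOC don't suggest on-premises AD.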
@@ -10,7 +10,7 @@ ms.subservice: flexible-server
1010
ms.topic: conceptual
1111
---
1212

13-
# Active Directory authentication - Azure Database for MySQL - Flexible Server Preview
13+
# Active Directory authentication - Azure Database for MySQL - Flexible Server
1414

1515
[!INCLUDE[applies-to-mysql-flexible-server](../includes/applies-to-mysql-flexible-server.md)]
1616

@@ -28,7 +28,11 @@ Microsoft Azure Active Directory (Azure AD) authentication is a mechanism of con
2828
## Use the steps below to configure and use Azure AD authentication
2929

3030
1. Select your preferred authentication method for accessing the MySQL flexible server. By default, the authentication selected will be MySQL authentication only. Select Azure Active Directory authentication only or MySQL and Azure Active Directory authentication to enabled Azure AD authentication.
31-
2. Select the user managed identity (UMI) with the following privileges: _User.Read.All, GroupMember.Read.All_ and _Application.Read.ALL_, which can be used to configure Azure AD authentication.
31+
2. Select the user managed identity (UMI) with the following privileges to configure Azure AD authentication:
32+
- [User.Read.All](/graph/permissions-reference#user-permissions): Allows access to Azure AD user information.
33+
- [GroupMember.Read.All](/graph/permissions-reference#group-permissions): Allows access to Azure AD group information.
34+
- [Application.Read.ALL](/graph/permissions-reference#application-resource-permissions): Allows access to Azure AD service principal (application) information.
35+
3236
3. Add Azure AD Admin. It can be Azure AD Users or Groups, which will have access to Azure Database for MySQL flexible server.
3337
4. Create database users in your database mapped to Azure AD identities.
3438
5. Connect to your database by retrieving a token for an Azure AD identity and logging in.
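Review bot: the added bullet on line 34+ names the permission "Application.Read.ALL"; the Microsoft Graph permission is Application.Read.All, and the casing should match the other two bullets and the anchor it links to. The lead-in on line 31+ calls these "privileges"; they are Microsoft Graph application permissions granted to the UMI, and saying so keeps the wording consistent with the "Select Identity" bullet in how-to-azure-ad.md, which also offers the Directory Readers role as the alternative (worth repeating here, since a reader of the concepts page has no other hint that the three permissions are not the only option). While this list is open, the unchanged step 1 says "to enabled Azure AD authentication"; it should be "to enable".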
@@ -38,7 +42,9 @@ Microsoft Azure Active Directory (Azure AD) authentication is a mechanism of con
3842
3943
## Architecture
4044

41-
User-managed identities are required for Azure Active Directory authentication. When a User-Assigned Identity is linked to the flexible server, the Managed Identity Resource Provider (MSRP) issues a certificate internally to that identity, and when the managed identity is deleted, the corresponding service principal is automatically removed. The service then uses the managed identity to request access tokens for services that support Azure AD authentication. Only a User-assigned Managed Identity (UMI) is currently supported by Azure Database for MySQL-Flexible Server. For more information, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) in Azure.
45+
User-managed identities are required for Azure Active Directory authentication. When a User-Assigned Identity is linked to the flexible server, the Managed Identity Resource Provider (MSRP) issues a certificate internally to that identity, and when the managed identity is deleted, the corresponding service principal is automatically removed.
46+
47+
The service then uses the managed identity to request access tokens for services that support Azure AD authentication. Only a User-assigned Managed Identity (UMI) is currently supported by Azure Database for MySQL-Flexible Server. For more information, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) in Azure.
4248

4349
The following high-level diagram summarizes how authentication works using Azure AD authentication with Azure Database for MySQL. The arrows indicate communication pathways.
4450
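Review bot: the split paragraph (lines 45+ and 47+) uses three names for the same object within four sentences: "User-managed identities", "User-Assigned Identity" and "User-assigned Managed Identity (UMI)". Use one form, "user-assigned managed identity (UMI)", since the steps section above already introduces that abbreviation. Also on line 45+, "Managed Identity Resource Provider (MSRP)" expands to an abbreviation without an S; check the intended name of the resource provider and make the expansion and the abbreviation agree.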

@@ -51,7 +57,9 @@ The following high-level diagram summarizes how authentication works using Azure
5157

5258
## Administrator structure
5359

54-
When using Azure AD authentication, there are two Administrator accounts for the MySQL server; the original MySQL administrator and the Azure AD administrator. Only the administrator based on an Azure AD account can create the first Azure AD contained database user in a user database. The Azure AD administrator login can be an Azure AD user or an Azure AD group. When the administrator is a group account, it can be used by any group member, enabling multiple Azure AD administrators for the MySQL Flexible server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in the MySQL Flexible server. Only one Azure AD administrator (a user or group) can be configured at a time.
60+
When using Azure AD authentication, there are two Administrator accounts for the MySQL server; the original MySQL administrator and the Azure AD administrator.
61+
62+
Only the administrator based on an Azure AD account can create the first Azure AD contained database user in a user database. The Azure AD administrator login can be an Azure AD user or an Azure AD group. When the administrator is a group account, it can be used by any group member, enabling multiple Azure AD administrators for the MySQL Flexible server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in the MySQL Flexible server. Only one Azure AD administrator (a user or group) can be configured at a time.
5563

5664
:::image type="content" source="media/concepts-azure-ad-authentication/azure-ad-admin-structure.jpg" alt-text="Diagram of Azure ad admin structure.":::
5765

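Review bot: line 60+ needs a colon rather than a semicolon ("two administrator accounts for the MySQL server: the original MySQL administrator and the Azure AD administrator"), and "Administrator" should be lowercase. The paragraph split itself is fine, but the last sentence of line 62+ ("Only one Azure AD administrator (a user or group) can be configured at a time.") is now repeated verbatim as the first bullet under Additional considerations in the later hunk; keep it in one place, and since this section is about administrators, this is the better home.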
@@ -75,10 +83,6 @@ For guidance about how to grant and use the permissions, refer [Microsoft Graph
7583

7684
After you grant the permissions to the UMI, they're enabled for all servers or instances that are created with the UMI assigned as a server identity.
7785

78-
To create a new Azure AD database user, you must connect as the Azure AD administrator.
79-
80-
Any Azure AD authentication is only possible if the Azure AD admin was created for Azure Database for MySQL Flexible server. If the Azure Active Directory admin was removed from the server, existing Azure Active Directory users created previously can no longer connect to the database using their Azure Active Directory credentials.
81-
8286
## Token Validation
8387

8488
Azure AD authentication in Azure Database for MySQL flexible server ensures that the user exists in the MySQL server, and it checks the validity of the token by validating the contents of the token. The following token validation steps are performed:
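Review bot: the two removed sentences (old lines 78 and 80) carry the security-relevant facts that only the Azure AD admin can create Azure AD database users and that removing the admin breaks authentication for every existing Azure AD user. Both are restated under Additional considerations later in this file ("Only an Azure AD administrator for MySQL can initially connect..." and "If the Azure AD admin is removed from the server..."), so this is deduplication rather than a loss; but the Token Validation heading now follows the UMI permissions paragraph directly, and a short pointer to the Additional considerations section at this spot would keep the admin dependency visible to someone reading only this half of the page.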
@@ -108,13 +112,16 @@ Please note that management operations, such as adding new users, are only suppo
108112
## Additional considerations
109113

110114
- Only one Azure AD administrator can be configured for an Azure Database for MySQL Flexible server at any time.
115+
111116
- Only an Azure AD administrator for MySQL can initially connect to the Azure Database for MySQL Flexible server using an Azure Active Directory account. The Active Directory administrator can configure subsequent Azure AD database users or an Azure AD group. When the administrator is a group account, it can be used by any group member, enabling multiple Azure AD administrators for the MySQL Flexible server. Using a group account as an administrator enhances manageability by allowing you to centrally add and remove group members in Azure AD without changing the users or permissions in the MySQL Flexible server.
117+
112118
- If a user is deleted from Azure AD, that user will no longer be able to authenticate with Azure AD, and therefore it will no longer be possible to acquire an access token for that user. In this case, although the matching user will still be in the database, it will not be possible to connect to the server with that user.
113119

114120
> [!NOTE]
115121
> Login with the deleted Azure AD user can still be done till the token expires (up to 60 minutes from token issuing). If you also remove the user from Azure Database for MySQL this access will be revoked immediately.
116122
117123
- If the Azure AD admin is removed from the server, the server will no longer be associated with an Azure AD tenant, and therefore all Azure AD logins will be disabled for the server. Adding a new Azure AD admin from the same tenant will re-enable Azure AD logins.
124+
118125
- Azure Database for MySQL Flexible server matches access tokens to the Azure Database for MySQL user using the user’s unique Azure AD user ID, as opposed to using the username. This means that if an Azure AD user is deleted in Azure AD and a new user created with the same name, Azure Database for MySQL considers that a different user. Therefore, if a user is deleted from Azure AD and then a new user with the same name added, the new user will not be able to connect with the existing user.
119126

120127
## Next steps
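Review bot: the note at line 121 is the operational caveat a practitioner needs from this section, so give it a grammar pass while the list is being touched: "till the token expires" should be "until the token expires", and "If you also remove the user from Azure Database for MySQL this access will be revoked immediately" needs a comma after "MySQL". The blank lines added at 115+, 117+ and 124+ sit between bullets that enclose the indented note block; confirm the rendered page still shows the note under the third bullet rather than breaking the list into separate lists. The last bullet (line 125) ends "the new user will not be able to connect with the existing user", which reads as two people connecting to each other; say that the new Azure AD user cannot connect using the existing database user, because the mapping is by Azure AD object ID, not by name.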

articles/mysql/flexible-server/how-to-azure-ad.md

Lines changed: 2 additions & 8 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: Set up Azure Active Directory authentication for Azure Database for MySQL flexible server Preview
2+
title: Set up Azure Active Directory authentication for Azure Database for MySQL flexible server
33
description: Learn how to set up Azure Active Directory authentication for Azure Database for MySQL flexible Server
44
author: vivgk
55
ms.author: vivgk
@@ -10,7 +10,7 @@ ms.subservice: flexible-server
1010
ms.topic: how-to
1111
---
1212

13-
# Set up Azure Active Directory authentication for Azure Database for MySQL - Flexible Server Preview
13+
# Set up Azure Active Directory authentication for Azure Database for MySQL - Flexible Server
1414

1515
[!INCLUDE[applies-to-mysql-flexible-server](../includes/applies-to-mysql-flexible-server.md)]
1616

@@ -38,9 +38,6 @@ To create an Azure AD Admin user, please follow the following steps.
3838

3939
- **MySQL and Azure Active Directory authentication** – Allows authentication using a native MySQL password or an Azure AD account. Turns _OFF_ the server parameter aad_auth_only
4040

41-
> [!NOTE]
42-
> The server parameter aad_auth_only stays set to ON when the authentication type is changed to Azure Active Directory authentication only. We recommend disabling it manually when you opt for MySQL authentication only in the future.
43-
4441
- **Select Identity** – Select/Add User assigned managed identity. To allow the UMI to read from Microsoft Graph as the server identity, the following permissions are required. Alternatively, give the UMI the [Directory Readers](../../active-directory/roles/permissions-reference.md#directory-readers) role.
4542

4643
- [User.Read.All](/graph/permissions-reference#user-permissions): Allows access to Azure AD user information.
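Review bot: dropping the note at old lines 41-43 removes the only warning that aad_auth_only stays ON after the authentication type is changed to "Azure Active Directory authentication only". If the GA release changed this so that switching back to MySQL authentication only resets the parameter, say so in the "MySQL authentication only" bullet; if it did not, the caveat should stay, because the surrounding bullets show that aad_auth_only=ON rejects native password logins, and the restored-server note removed in the next hunk says that such a server needs an Azure AD admin configured before anyone can log in.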
@@ -146,9 +143,6 @@ The access token validity is anywhere between 5 minutes to 60 minutes. We recomm
146143

147144
When connecting you need to use the access token as the MySQL user password. When using GUI clients such as MySQLWorkbench, you can use the method described above to retrieve the token.
148145

149-
> [!NOTE]
150-
> The newly restored server will also have the server parameter aad_auth_only set to ON if it was ON on the source server during failover. If you wish to use MySQL authentication on the restored server, you must manually disable this server parameter. Otherwise, an Azure AD Admin must be configured.
151-
152146
#### Using MySQL CLI
153147
When using the CLI, you can use this short-hand to connect:
154148

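Review bot: same concern as the earlier note removal: old lines 149-151 told operators that a restored server inherits aad_auth_only=ON and that they must either disable the parameter or configure an Azure AD admin before any login works. Nothing in this hunk says the restore flow now carries the Azure AD admin and identity across, and this is the caveat most likely to lock someone out after a point-in-time restore; keep it here, or move it to the backup and restore article and link to it from this section. The removed sentence also says "if it was ON on the source server during failover", which mixes restore with failover; whichever version survives should name the operation it actually applies to.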