Merge pull request #270265 from JAC0BSMITH/jac0bsmith_cli

v-dirichards · web-flow · commit beb429df4757 · 2024-03-26T16:49:45.000-05:00
Update SP expectations
diff --git a/articles/operator-nexus/howto-service-principal-rotation.md b/articles/operator-nexus/howto-service-principal-rotation.md
@@ -4,14 +4,15 @@ description: Instructions on service principal rotation lifecycle management.
 ms.service: azure-operator-nexus
 ms.custom: template-how-to
 ms.topic: how-to
-ms.date: 02/05/2024
+ms.date: 03/05/2024
 author: sbatchu0108
 ms.author: sbatchu
 ---
 
-# Service principal rotation on the target cluster
+# Service Principal rotation on the target Cluster
 
-This document provides an overview on the process of performing service principal rotation on the target cluster.
+This document provides an overview on the process of performing Service Principal rotation on the target Nexus cluster.
+In alignment with security best practices, a Security Principal should be rotated periodically. Anytime the integrity of the Service Principal is suspected or known to be compromised, it should be rotated immediately.
 
 ## Prerequisites
 
@@ -23,38 +24,38 @@ This document provides an overview on the process of performing service principa
 6. Service Principal rotation should be performed prior to the configured credentials expiring.
 7. Service Principal should have owner privilege on the subscription of the target cluster.
 
-## Append secondary credential to the existing service principal
+## Append secondary credential to the existing Service Principal
 
-List existing credentials info for the service principal
+List existing credentials info for the Service Principal
 
 ```azurecli
 az ad app credential list --id "<SP Application (client) ID>"
 ```
 
-Append secondary credential to the service principal. Please copy the resulting generated password somewhere safe.
+Append secondary credential to the Service Principal. Please copy the resulting generated password somewhere safe, following best practices.
 
 ```azurecli
 az ad app credential reset --id "<SP Application (client) ID>" --append --display-name "<human-readable description>"
 ```
-## Create a new service principal
+## Create a new Service Principal
 
-New service principal should have owner privilege scope on the target cluster subscription.
+New Service Principal should have owner privilege scope on the target Cluster subscription.
 
 ```azurecli
 az ad sp create-for-rbac -n "<service principal display name>" --role owner --scopes /subscriptions/<subscription-id>
 ```
 
-## Rotate service principal on the target cluster
+## Rotate Service Principal on the target Cluster
 
-Service principal can be rotated on the target cluster by supplying the new information, which can either be only secondary credential update or it could be the new service principal for the target cluster.
+Service Principal can be rotated on the target Cluster by supplying the new information, which can either be only secondary credential update or it could be the new Service Principal for the target Cluster.
 
 ```azurecli
 az networkcloud cluster update --resource-group "<resourceGroupName>" --cluster-service-principal application-id="<sp app id>" password="<cleartext password>" principal-id="<sp id>" tenant-id="<tenant id>" -n <cluster name> --subscription <subscription-id>
 ```
 
-## Verify new service principal update on the target cluster
+## Verify new Service Principal update on the target Cluster
 
-Cluster show will list the new service principal changes if its rotated on the target cluster.
+Cluster show will list the new Service Principal changes if its rotated on the target Cluster.
 
 ```azurecli
 az networkcloud cluster show --name "clusterName" --resource-group "resourceGroup"
@@ -71,9 +72,9 @@ In the output, you can find the details under `clusterServicePrincipal` property
 ```
 
 > [!NOTE]
-> Ensure you're using the correct service principal ID(object ID in Azure) when updating it. There are two different object IDs retrievable from Azure for the same Service Principal name, follow these steps to find the right one:
+> Ensure you're using the correct Service Principal ID(object ID in Azure) when updating it. There are two different object IDs retrievable from Azure for the same Service Principal name, follow these steps to find the right one:
 > 1. Avoid retrieving the object ID from the Service Principal of type application that appears when you search for service principal on the Azure portal search bar.
 > 2. Instead, Search for the service principal name under "Enterprise applications" in Azure Services to find the correct object ID and use it as principal ID.
 
 If you still have questions, [contact support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade).
-For more information about Support plans, see [Azure Support plans](https://azure.microsoft.com/support/plans/response/).
+For more information about Support plans, see [Azure Support plans](https://azure.microsoft.com/support/plans/response/).
