aadedits

vivgk · vivgk · commit e85e24a789f8 · 2022-09-29T18:10:44.000+05:30
diff --git a/articles/mysql/flexible-server/concepts-azure-ad-authentication.md b/articles/mysql/flexible-server/concepts-azure-ad-authentication.md
@@ -29,7 +29,7 @@ Microsoft Azure Active Directory (Azure AD) authentication is a mechanism of con
 
 1.	Select your preferred authentication method for accessing the MySQL flexible server. By default, the authentication selected will be MySQL authentication only. Select Azure Active Directory authentication only or MySQL and Azure Active Directory authentication to enabled Azure AD authentication.
 2.	Select the user managed identity (UMI) with the following privileges: _User.Read.All, GroupMember.Read.All_ and _Application.Read.ALL_, which can be used to configure Azure AD authentication.
-3.	Add Azure AD Admin. It can be Azure AD Users, Groups or security principles, which will have access to Azure Database for MySQL flexible server.
+3.	Add Azure AD Admin. It can be Azure AD Users or Groups, which will have access to Azure Database for MySQL flexible server.
 4. Create database users in your database mapped to Azure AD identities. 
 5. Connect to your database by retrieving a token for an Azure AD identity and logging in. 
 
@@ -38,16 +38,16 @@ Microsoft Azure Active Directory (Azure AD) authentication is a mechanism of con
 
 ## Architecture
 
-User-managed identities are required for Azure Active Directory authentication. When a User-Assigned Identity is linked to the flexible server, the Managed Identity Resource Provider (MSRP) issues a certificate internally to that identity, and when the managed identity is deleted, the corresponding service principal is automatically removed. The service then uses the managed identity to request access tokens for services that support Azure AD authentication. Only a User-assigned Managed Identity (UMI) is currently supported by Azure Database for MySQL-Flexible Server. For more information, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) in Azure. Azure takes care of rolling the credentials that are used by the service instance.
+User-managed identities are required for Azure Active Directory authentication. When a User-Assigned Identity is linked to the flexible server, the Managed Identity Resource Provider (MSRP) issues a certificate internally to that identity, and when the managed identity is deleted, the corresponding service principal is automatically removed. The service then uses the managed identity to request access tokens for services that support Azure AD authentication. Only a User-assigned Managed Identity (UMI) is currently supported by Azure Database for MySQL-Flexible Server. For more information, see [Managed identity types](../../active-directory/managed-identities-azure-resources/overview.md#managed-identity-types) in Azure.
 
 The following high-level diagram summarizes how authentication works using Azure AD authentication with Azure Database for MySQL. The arrows indicate communication pathways.
 
 :::image type="content" source="media/concepts-azure-ad-authentication/azure-ad-authentication-flow.jpg" alt-text="Diagram of how Azure ad authentication works.":::
 
 1. Your application can request a token from the Azure Instance Metadata Service identity endpoint. 
 2. Using the client ID and certificate, a call is made to Azure AD to request an access token.  
-3. A JSON Web Token (JWT) access token is returned by Azure AD.  
-4. Your application sends the access token on a call to Azure Database for MySQL flexible server. 
+3. A JSON Web Token (JWT) access token is returned by Azure AD. Your application sends the access token on a call to Azure Database for MySQL flexible server. 
+4. MySQL flexible server validates the token with Azure AD.
 
 ## Administrator structure
  
@@ -56,24 +56,26 @@ When using Azure AD authentication, there are two Administrator accounts for the
 :::image type="content" source="media/concepts-azure-ad-authentication/azure-ad-admin-structure.jpg" alt-text="Diagram of Azure ad admin structure.":::
 
 Methods of authentication for accessing the MySQL flexible server include: 
-- MySQL Authentication only - Create a MySQL admin login and password to access your MySQL server with MySQL authentication. 
-- Only Azure AD authentication - Authenticate as an Azure AD admin using an existing Azure AD user or group; the server parameter **aad_auth_only** will be _enabled_. 
-- Authentication with MySQL and Azure AD - Authenticate using MySQL admin credentials or as an Azure AD admin using an existing Azure AD user or group; the server parameter **aad_auth_only** will be _disabled_. 
+- MySQL Authentication only - This is the default option. This is the default option.  Only native MySQL Authentication with a MySQL login and password will be used to access Azure Database for MySQL flexible server. 
+- Only Azure AD authentication - MySQL Native authentication will be disabled, and users will be able to authenticate using only their Azure AD user and token. To enable this mode, the server parameter **aad_auth_only** will be _enabled_. 
+- Authentication with MySQL and Azure AD - Both native MySQL authentication and Azure AD authentication are supported. To enable this mode, the server parameter **aad_auth_only** will be _disabled_. 
 
 ## Permissions
 
 To allow the UMI to read from Microsoft Graph as the server identity, the following permissions are required. Alternatively, give the UMI the [Directory Readers](../../active-directory/roles/permissions-reference.md#directory-readers) role.
 
-These permissions should be granted before you provision a logical server or managed instance. After you grant the permissions to the UMI, they're enabled for all servers or instances that are created with the UMI assigned as a server identity.
-
 > [!IMPORTANT]
 > Only a [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) or [Privileged Role Administrator](/azure/active-directory/roles/permissions-reference#privileged-role-administrator) can grant these permissions.
 
 - [User.Read.All](/graph/permissions-reference#user-permissions): Allows access to Azure AD user information.
 - [GroupMember.Read.All](/graph/permissions-reference#group-permissions): Allows access to Azure AD group information.
 - [Application.Read.ALL](/graph/permissions-reference#application-resource-permissions): Allows access to Azure AD service principal (application) information.
 
-To create a new Azure AD database user, you must connect as the Azure AD administrator. This is demonstrated in Configure and Login with Azure AD for Azure Database for MySQL. 
+For guidance about how to grant and use the permissions, refer [Microsoft Graph permissions](/graph/permissions-reference)
+
+After you grant the permissions to the UMI, they're enabled for all servers or instances that are created with the UMI assigned as a server identity.
+
+To create a new Azure AD database user, you must connect as the Azure AD administrator.
  
 Any Azure AD authentication is only possible if the Azure AD admin was created for Azure Database for MySQL Flexible server. If the Azure Active Directory admin was removed from the server, existing Azure Active Directory users created previously can no longer connect to the database using their Azure Active Directory credentials.  
 
@@ -117,4 +119,4 @@ Please note that management operations, such as adding new users, are only suppo
 
 ## Next steps
 
-- To learn how to create and populate Azure AD, and then configure Azure AD with Azure Database for MySQL, see [Set up Azure Active Directory authentication for Azure Database for MySQL flexible server](how-to-azure-ad.md)
+- To learn how to configure Azure AD with Azure Database for MySQL, see [Set up Azure Active Directory authentication for Azure Database for MySQL flexible server](how-to-azure-ad.md)
diff --git a/articles/mysql/flexible-server/how-to-azure-ad.md b/articles/mysql/flexible-server/how-to-azure-ad.md
@@ -23,33 +23,38 @@ In this tutorial, you learn how to:
 
 ## Configure the Azure AD Admin
  
-Only an Azure AD Admin user can create/enable users for Azure AD-based authentication. To create an Azure AD Admin user, please follow the following steps. 
+To create an Azure AD Admin user, please follow the following steps. 
 
 - In the Azure portal, select the instance of Azure Database for MySQL Flexible server that you want to enable for Azure AD. 
  
-- Under Security pane, select Authentication:
+- Under Security pane, select **Authentication**:
 :::image type="content" source="media//how-to-azure-ad/azure-ad-configuration.jpg" alt-text="Diagram of how to configure Azure ad authentication.":::
 
 - There are three types of authentication available: 
 
-    - MySQL authentication only – By default, MySQL uses the built-in mysql_native_password authentication plugin, which performs authentication using the native password hashing method 
+    - **MySQL authentication only** – By default, MySQL uses the built-in mysql_native_password authentication plugin, which performs authentication using the native password hashing method 
 
-    - Azure Active Directory authentication only – Only allows authentication with an Azure AD account. Disables mysql_native_password authentication and turns _ON_ the server parameter **aad_auth_only** 
+    - **Azure Active Directory authentication only** – Only allows authentication with an Azure AD account. Disables mysql_native_password authentication and turns _ON_ the server parameter aad_auth_only 
 
-    - MySQL and Azure Active Directory authentication – Allows authentication using a native MySQL password or an Azure AD account. Turns _OFF_ the server parameter **aad_auth_only** 
+    - **MySQL and Azure Active Directory authentication** – Allows authentication using a native MySQL password or an Azure AD account. Turns _OFF_ the server parameter aad_auth_only 
 
-- Select Identity – Select/Add User assigned managed identity. To allow the UMI to read from Microsoft Graph as the server identity, the following permissions are required. Alternatively, give the UMI the [Directory Readers](../../active-directory/roles/permissions-reference.md#directory-readers) role. 
+    > [!NOTE]
+    > The server parameter aad_auth_only stays set to ON when the authentication type is changed to Azure Active Directory authentication only. We recommend disabling it manually when you opt for MySQL authentication only in the future.
+
+- **Select Identity** – Select/Add User assigned managed identity. To allow the UMI to read from Microsoft Graph as the server identity, the following permissions are required. Alternatively, give the UMI the [Directory Readers](../../active-directory/roles/permissions-reference.md#directory-readers) role. 
 
     - [User.Read.All](/graph/permissions-reference#user-permissions): Allows access to Azure AD user information.
     - [GroupMember.Read.All](/graph/permissions-reference#group-permissions): Allows access to Azure AD group information.
     - [Application.Read.ALL](/graph/permissions-reference#application-resource-permissions): Allows access to Azure AD service principal (application) information.
 
-These permissions should be granted before you provision a logical server or managed instance. After you grant the permissions to the UMI, they're enabled for all servers or instances that are created with the UMI assigned as a server identity.
+For guidance about how to grant and use the permissions, refer [Microsoft Graph permissions](/graph/permissions-reference)
+
+After you grant the permissions to the UMI, they're enabled for all servers or instances that are created with the UMI assigned as a server identity.
 
 > [!IMPORTANT]
 > Only a [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) or [Privileged Role Administrator](/azure/active-directory/roles/permissions-reference#privileged-role-administrator) can grant these permissions.
 
-- Select a valid Azure AD user or an Azure AD group in the customer tenant to be Azure AD administrator. Once Azure AD authentication support has been enabled, Azure AD Admins can be added as security principals with permissions to add Azure AD Users to the MySQL server.  
+- Select a valid Azure AD user or an Azure AD group in the customer tenant to be **Azure AD administrator**. Once Azure AD authentication support has been enabled, Azure AD Admins can be added as security principals with permissions to add Azure AD Users to the MySQL server.  
 
     > [!NOTE]
     > Only one Azure AD admin can be created per MySQL server and selection of another one will overwrite the existing Azure AD admin configured for the server.
@@ -141,6 +146,9 @@ The access token validity is anywhere between 5 minutes to 60 minutes. We recomm
 
 When connecting you need to use the access token as the MySQL user password. When using GUI clients such as MySQLWorkbench, you can use the method described above to retrieve the token. 
 
+> [!NOTE]
+> The newly restored server will also have the server parameter aad_auth_only set to ON if it was ON on the source server during failover. If you wish to use MySQL authentication on the restored server, you must manually disable this server parameter. Otherwise, an Azure AD Admin must be configured.
+
 #### Using MySQL CLI
 When using the CLI, you can use this short-hand to connect: 
 
@@ -151,13 +159,12 @@ mysql -h mydb.mysql.database.azure.com \
   --user user@tenant.onmicrosoft.com \ 
   --enable-cleartext-plugin \ 
   --password=`az account get-access-token --resource-type oss-rdbms --output tsv --query accessToken`
-```
-
+```  
 #### Using MySQL Workbench
 
 * Launch MySQL Workbench and Click the Database option, then click "Connect to database"
 * In the hostname field, enter the MySQL FQDN eg. mysql.database.azure.com
-* In the username field, enter the MySQL Azure Active Directory administrator name and append this with MySQL server name, not the FQDN e.g. user@tenant.onmicrosoft.com@
+* In the username field, enter the MySQL Azure Active Directory administrator name and append this with MySQL server name, not the FQDN e.g. user@tenant.onmicrosoft.com
 * In the password field, click "Store in Vault" and paste in the access token from file e.g. C:\temp\MySQLAccessToken.txt
 * Click the advanced tab and ensure that you check "Enable Cleartext Authentication Plugin"
 * Click OK to connect to the database
diff --git a/articles/mysql/flexible-server/whats-new.md b/articles/mysql/flexible-server/whats-new.md
@@ -28,13 +28,15 @@ This article summarizes new releases and features in Azure Database for MySQL -
 
   The read replica feature allows you to replicate data from an Azure Database for MySQL flexible server to a read-only server. You can replicate the source server to up to 10 replicas. This functionality is now extended to support HA enabled servers within same region.[Learn more](concepts-read-replicas.md)
 
-
-
 - **Azure Active Directory authentication for Azure Database for MySQL – Flexible Server (Public Preview)**
 
   You can now authenticate to Azure Database for MySQL - Flexible server using Microsoft Azure Active Directory (Azure AD) using identities. With Azure AD authentication, you can manage database user identities and other Microsoft services in a central location, which simplifies permission management. [Learn More](concepts-azure-ad-authentication.md)
 
+- **Known issues**
 
+  - The server parameter aad_auth_only stays set to ON when the authentication type is changed to Azure Active Directory authentication only. We recommend disabling it manually when you opt for MySQL authentication only in the future.
+
+  - The newly restored server will also have the server parameter aad_auth_only set to ON if it was ON on the source server during failover. If you wish to use MySQL authentication on the restored server, you must manually disable this server parameter. Otherwise, an Azure AD Admin must be configured.  
 
 - **Customer managed keys data encryption – Azure Database for MySQL – Flexible Server (Preview)**
 
@@ -43,6 +45,13 @@ This article summarizes new releases and features in Azure Database for MySQL -
 - **Change Timezone of your Azure Database for MySQL - Flexible Server in a single step**
 
    Previously to change time_zone of your Azure Database for MySQL - Flexible Server required two steps to take effect. Now you no longer need to call the procedure mysql.az_load_timezone() to populate the mysql.time_zone_name table. Flexible Server timezone can be changed directly by just changing the server parameter time_zone from [portal](./how-to-configure-server-parameters-portal.md#working-with-the-time-zone-parameter) or [CLI](./how-to-configure-server-parameters-cli.md#working-with-the-time-zone-parameter). 
+
+- **Known issues**
+
+  - The server parameter aad_auth_only stays set to ON when the authentication type is changed to Azure Active Directory authentication only. We recommend disabling it manually when you opt for MySQL authentication only in the future.
+
+  - The newly restored server will also have the server parameter aad_auth_only set to ON if it was ON on the source server during failover. If you wish to use MySQL authentication on the restored server, you must manually disable this server parameter. Otherwise, an Azure AD Admin must be configured.  
+
 ## August 2022
 
 - **Server logs for Azure Database for MySQL - Flexible Server**
