Merge pull request #222631 from b-branco/aad-login-for-local-diags

Azure AD authentication for local monitoring tools

Author: v-ccolin

articles/private-5g-core/collect-required-information-for-a-site.md

@@ -69,6 +69,19 @@ For each data network that you want to configure, collect all the values in the
    | The Domain Name System (DNS) server addresses to be provided to the UEs connected to this data network. You identified this in [Allocate subnets and IP addresses](complete-private-mobile-network-prerequisites.md#allocate-subnets-and-ip-addresses). </br></br>This value may be an empty list if you don't want to configure a DNS server for the data network. In this case, UEs in this data network will be unable to resolve domain names. | **DNS Addresses** |
    |Whether Network Address and Port Translation (NAPT) should be enabled for this data network. NAPT allows you to translate a large pool of private IP addresses for UEs to a small number of public IP addresses. The translation is performed at the point where traffic enters the data network, maximizing the utility of a limited supply of public IP addresses.</br></br>If you want to use [UE-to-UE traffic](private-5g-core-overview.md#ue-to-ue-traffic) in this data network, keep NAPT disabled.  |**NAPT**|
 
+## Choose the authentication method for local monitoring tools
+
+Azure Private 5G Core provides dashboards for monitoring your deployment and a web GUI for collecting detailed signal traces. You can access these tools using [Azure Active Directory (Azure AD)](/azure/active-directory/authentication/overview-authentication) or a local username and password. We recommend setting up Azure AD authentication to improve security in your deployment.
+
+If you want to access your local monitoring tools using Azure AD, after creating a site you'll need to follow the steps in [Enable Azure Active Directory (Azure AD) for local monitoring tools](enable-azure-active-directory.md).
+
+If you want to access your local monitoring tools using local usernames and passwords, you don't need to set any additional configuration. After deploying the site, set up your username and password by following [Access the distributed tracing web GUI](distributed-tracing.md#access-the-distributed-tracing-web-gui) and [Access the packet core dashboards](packet-core-dashboards.md#access-the-packet-core-dashboards).
+
+You'll be able to change the authentication method later by following [Modify the local access configuration in a site](modify-local-access-configuration.md).
+
+> [!NOTE]
+> While in [disconnected mode](disconnected-mode.md), you won't be able to change the local monitoring authentication method or sign in using Azure AD. If you expect to need access to your local monitoring tools while the ASE is disconnected, consider using the local username and password authentication method instead.
+
 ## Collect local monitoring values
 
 You can use a self-signed or a custom certificate to secure access to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md) at the edge. We recommend that you provide your own HTTPS certificate signed by a globally known and trusted certificate authority (CA), as this provides additional security to your deployment and allows your browser to recognize the certificate signer.
@@ -97,7 +110,7 @@ If you want to provide a custom HTTPS certificate at site creation, follow the s
 
 ## Next steps
 
-You can now use the information you've collected to create the site.
+Use the information you've collected to create the site:
 
-- [Create a site - Azure portal](create-a-site.md)
-- [Create a site - ARM template](create-site-arm-template.md)
+   - [Create a site - Azure portal](create-a-site.md)
+   - [Create a site - ARM template](create-site-arm-template.md)

articles/private-5g-core/create-a-site.md

@@ -65,13 +65,13 @@ In this step, you'll create the mobile network site resource representing the ph
 
     Once you've finished filling out the fields, select **Attach**.
 
-1. Repeat the previous step for each additional data network you want to configure.
-1. If you decided you want to provide a custom HTTPS certificate in [Collect local monitoring values](collect-required-information-for-a-site.md#collect-local-monitoring-values), select **Next : Local access >**. If you decided not to provide a custom HTTPS certificate at this stage, you can skip this step.
-    
-    1. Under **Provide custom HTTPS certificate?**, select **Yes**.
-    1. Use the information you collected in [Collect local monitoring values](collect-required-information-for-a-site.md#collect-local-monitoring-values) to select a certificate.
+1. Repeat the previous step for each additional data network you want to configure, and then select **Next : Local access >**.
+1. In the **Local access** section, set the fields as follows:
 
     :::image type="content" source="media/create-a-site/create-site-local-access-tab.png" alt-text="Screenshot of the Azure portal showing the Local access configuration tab for a site resource.":::
+  
+    - Under **Authentication type**, select the authentication method you decided to use in [Choose the authentication method for local monitoring tools](collect-required-information-for-a-site.md#choose-the-authentication-method-for-local-monitoring-tools).
+    - under **Provide custom HTTPS certificate?**, select **Yes** or **No** based on whether you decided to provide a custom HTTPS certificate in [Collect local monitoring values](collect-required-information-for-a-site.md#collect-local-monitoring-values). If you selected **Yes**, use the information you collected in [Collect local monitoring values](collect-required-information-for-a-site.md#collect-local-monitoring-values) to select a certificate.
 
 1. Select **Review + create**.
 1. Azure will now validate the configuration values you've entered. You should see a message indicating that your values have passed validation.
@@ -96,6 +96,6 @@ In this step, you'll create the mobile network site resource representing the ph
 
 ## Next steps
 
-If you haven't already done so, you should now design the policy control configuration for your private mobile network. This allows you to customize how your packet core instances apply quality of service (QoS) characteristics to traffic. You can also block or limit certain flows.
+If you decided to set up Azure AD for local monitoring access, follow the steps in [Enable Azure Active Directory (Azure AD) for local monitoring tools](enable-azure-active-directory.md).
 
-- [Learn more about designing the policy control configuration for your private mobile network](policy-control.md)
+If you haven't already done so, you should now design the policy control configuration for your private mobile network. This allows you to customize how your packet core instances apply quality of service (QoS) characteristics to traffic. You can also block or limit certain flows. See [Policy control](policy-control.md) to learn more about designing the policy control configuration for your private mobile network.

articles/private-5g-core/create-site-arm-template.md

@@ -94,6 +94,6 @@ Four Azure resources are defined in the template.
 
 ## Next steps
 
-If you haven't already done so, you should now design the policy control configuration for your private mobile network. This allows you to customize how your packet core instances apply quality of service (QoS) characteristics to traffic. You can also block or limit certain flows.
+If you decided to set up Azure AD for local monitoring access, follow the steps in [Modify the local access configuration in a site](modify-local-access-configuration.md) and [Enable Azure Active Directory (Azure AD) for local monitoring tools](enable-azure-active-directory.md).
 
-- [Learn more about designing the policy control configuration for your private mobile network](policy-control.md)
+If you haven't already done so, you should now design the policy control configuration for your private mobile network. This allows you to customize how your packet core instances apply quality of service (QoS) characteristics to traffic. You can also block or limit certain flows. See [Policy control](policy-control.md) to learn more about designing the policy control configuration for your private mobile network.

articles/private-5g-core/disconnected-mode.md

@@ -27,11 +27,10 @@ The following functions aren't supported while in disconnected mode:
 
 ## Monitoring and troubleshooting during disconnects
 
-<!-- TODO: add in paragraph once AAD feature is live and remove first sentence of existing paragraph.
-Azure Active Directory based sign on for distributed tracing and Grafana monitoring won't be available while in disconnected mode. However, you can configure username and password access to each of these tools if you plan to require access during periods of disconnect. -->
-Distributed tracing and packet core dashboards are accessible in disconnected mode. Once the disconnect ends, log analytics on Azure will update with the stored data, excluding rate and gauge type metrics.
+While in disconnected mode, you won't be able to change the local monitoring authentication method or sign in to the [distributed tracing](distributed-tracing.md) and [packet core dashboards](packet-core-dashboards.md) using Azure Active Directory. If you expect to need access to your local monitoring tools while the ASE is disconnected, you can change your authentication method to local usernames and passwords by following [Modify the local access configuration in a site](modify-local-access-configuration.md).
+
+Once the disconnect ends, log analytics on Azure will update with the stored data, excluding rate and gauge type metrics.
 
 ## Next steps
 
-- [Configure username and password for Grafana](packet-core-dashboards.md)
-- [Configure username and password for distributed tracing](distributed-tracing.md)
+- [Change the authentication method for local monitoring tools](modify-local-access-configuration.md)

articles/private-5g-core/distributed-tracing-share-traces.md

@@ -33,7 +33,7 @@ Azure Private 5G Core Preview offers a distributed tracing web GUI, which you ca
 
 In this step, you'll export the trace from the distributed tracing web GUI and save it locally.
 
-1. Sign in to the distributed tracing web GUI at https://*\<LocalMonitoringIP\>*/sas, where *\<LocalMonitoringIP\>* is the IP address you set up for accessing local monitoring tools.
+1. Sign in to the distributed tracing web GUI as described in [Access the distributed tracing web GUI](distributed-tracing.md#access-the-distributed-tracing-web-gui).
 1. In the **Search** tab, specify the SUPI and time for the event you're interested in and select **Search**.
 
     :::image type="content" source="media\distributed-tracing-share-traces\distributed-tracing-search.png" alt-text="Screenshot of the Search display in the distributed tracing web G U I, showing the S U P I search field and date and time range options.":::

articles/private-5g-core/distributed-tracing.md

@@ -16,14 +16,23 @@ Azure Private 5G Core Preview offers a *distributed tracing web GUI*, which you
 
 ## Access the distributed tracing web GUI
 
-To sign in to the distributed tracing web GUI:
+> [!TIP]
+> When signing in, if you see a warning in your browser that the connection isn't secure, you may be using a self-signed certificate to attest access to your local monitoring tools. We recommend following [Modify the local access configuration in a site](modify-local-access-configuration.md) to configure a custom HTTPS certificate signed by a globally known and trusted certificate authority.
 
-1. In your browser, enter https://*\<LocalMonitoringIP\>*/sas, where *\<LocalMonitoringIP\>* is the IP address for accessing the local monitoring tools that you set up in [Management network](complete-private-mobile-network-prerequisites.md#management-network).
+### Azure Active Directory
 
-    :::image type="content" source="media\distributed-tracing\distributed-tracing-sign-in.png" alt-text="Screenshot of the distributed tracing web G U I sign in page, with fields for the username and password.":::
+To sign in to the distributed tracing web GUI if you enabled Azure Active Directory authentication:
+
+1. In your browser, enter https://*\<local monitoring domain\>*/sas, where *\<local monitoring domain\>* is the domain name for your local monitoring tools that you set up in [Configure domain system name (DNS) for local monitoring IP](enable-azure-active-directory.md#configure-domain-system-name-dns-for-local-monitoring-ip).
+1. Follow the prompts to sign in with your account credentials.
+
+### Local username and password
 
-    > [!TIP]
-    > If you see a warning in your browser that the connection isn't secure, you may be using a self-signed certificate to attest access to your local monitoring tools. We recommend following [Modify the local access configuration in a site](modify-local-access-configuration.md) to configure a custom HTTPS certificate signed by a globally known and trusted certificate authority.
+To sign in to the distributed tracing web GUI if you enabled local username and password authentication:
+
+1. In your browser, enter https://*\<local monitoring IP\>*/sas, where *\<local monitoring IP\>* is the IP address for accessing the local monitoring tools that you set up in [Management network](complete-private-mobile-network-prerequisites.md#management-network).
+
+    :::image type="content" source="media\distributed-tracing\distributed-tracing-sign-in.png" alt-text="Screenshot of the distributed tracing web G U I sign in page, with fields for the username and password.":::
 
 1. Sign in using your credentials.