Merge pull request #1665 from craddm/entra-id
Update documents to reflect change to Microsoft Entra ID
JimMadge authored Feb 27, 2024
2 parents 84b0505 + 60cdd28 commit 44d4e60
Showing 16 changed files with 157 additions and 131 deletions.
140 changes: 72 additions & 68 deletions docs/source/deployment/deploy_shm.md


Binary file modified docs/source/deployment/deploy_shm/enable_password_writeback.png
17 changes: 9 additions & 8 deletions docs/source/deployment/deploy_sre.md
@@ -32,13 +32,13 @@ PS> ./Deploy_SRE.ps1 -shmId <SHM ID> -sreId <SRE ID> -VMs <VM sizes>

- where `<SHM ID>` is the {ref}`management environment ID <roles_deployer_shm_id>` for this SHM
- where `<SRE ID>` is the {ref}`secure research environment ID <roles_deployer_sre_id>` for this SRE
- where `<VM sizes>` is a list of [Azure VM sizes](https://docs.microsoft.com/en-us/azure/virtual-machines/sizes) that you want to create. For example `'Standard_D2s_v3', 'default', 'Standard_NC6s_v3'`. If you are unsure of the appropriate VM sizes, run the script with a single `'default'`.
- where `<VM sizes>` is a list of [Azure VM sizes](https://docs.microsoft.com/en-us/azure/virtual-machines/sizes) that you want to create. For example `'Standard_D2s_v3', 'default', 'Standard_NC6s_v3'`. If you are unsure of the appropriate VM sizes, run the script with a single `'default'`. The default VM size is `Standard_D2s_v3`.
- VMs can be resized after deployment. See how to do so in the {ref}`System Manager instructions <resize_vm>`.

You will be prompted for credentials for:

- a user with admin rights over the Azure subscriptions you plan to deploy into
- a user with Global Administrator privileges over the SHM Azure Active Active directory
- a user with Global Administrator privileges over the SHM Microsoft Entra ID

This will perform the following actions, which can be run individually if desired:

@@ -251,23 +251,24 @@ For example, if you have authorised a corporate VPN, check that you have correct
```

````{error}
If you see an error like the following when attempting to log in, it is likely that the AzureAD application is not registered as an `ID token` provider.
If you see an error like the following when attempting to log in, it is likely that the Microsoft Entra application is not registered as an `ID token` provider.
```{image} deploy_sre/guacamole_aad_idtoken_failure.png
:alt: AAD ID token failure
:align: center
```
<details><summary><b>Register AzureAD application</b></summary>
<details><summary><b>Register Microsoft Entra application</b></summary>
![Azure AD: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=one%20minute)
![Microsoft Entra ID: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%2
0ID&color=blue&message=one%20minute)
- From the Azure portal, navigate to the AAD you have created.
- Navigate to `Azure Active Directory > App registrations`, and select the application called `Guacamole SRE <SRE ID>`.
- From the Azure portal, navigate to the Microsoft Entra ID you have created.
- Navigate to `Microsoft Entra ID > App registrations`, and select the application called `Guacamole SRE <SRE ID>`.
- Click on `Authentication` on the left-hand sidebar
- Ensure that the `ID tokens` checkbox is ticked and click on the `Save` icon if you had to make any changes
```{image} deploy_sre/guacamole_aad_app_registration_idtoken.png
:alt: AAD app registration
:alt: Microsoft Entra app registration
:align: center
```
</details>
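Review bot: the badge line in this hunk appears split across two lines at `Microsoft%20Entra%2` / `0ID&color=blue&message=one%20minute)`; the same badge in `00_symbols.partial.md` and the test-user partial is a single line with `Microsoft%20Entra%20ID`, so if the break is in the file rather than in the diff rendering the image will not load. The `:alt:` on the first screenshot still reads `AAD ID token failure` while the second was updated to `Microsoft Entra app registration`; update both for consistency (the `guacamole_aad_*.png` filenames can stay). Also, "not registered as an `ID token` provider" describes the setting loosely: the `ID tokens` checkbox under `Authentication` enables ID-token issuance for the implicit/hybrid flow on that app registration, so "the app registration does not have ID tokens enabled under `Authentication`" would point readers directly at the fix described below it.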
9 changes: 9 additions & 0 deletions docs/source/deployment/index.md
Expand Up @@ -32,3 +32,12 @@ For instructions on removing deployed resources, refer to the guide for {ref}`Sy

[Security checklist](security_checklist.md)
: an example security checklist used at the Alan Turing Institute to help evaluate the security of our deployments.

````{warning}
Microsoft have renamed Azure Active Directory to [Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/new-name).
We have updated these guides in the light of this change.
However, as of February 2024, Microsoft have not completed the renaming process.
Some software and documentation retains the old Azure Active Directory name.
Our documentation reflects the name that is currently in use, rather than the name that will be used once the renaming process is complete.
Where we use the name "Azure Active Directory", if the corresponding software, menu option, or documentation cannot be found, look instead for a version using the Microsoft Entra ID name.
````
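Review bot: the last sentence of the warning only covers the case where the docs say "Azure Active Directory" and the portal says "Microsoft Entra ID", but after this PR the common case is the reverse: the docs now say "Microsoft Entra ID" while some tooling keeps the old name (for example `AzureADConnect` in `manage_deployments.md`, which this PR leaves unchanged). Suggest making the sentence bidirectional, along the lines of "If a name used here cannot be found in the software, menu or documentation, look for the equivalent under the other name." "Microsoft have" is consistent with the British usage elsewhere in the docs, so no change there.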
6 changes: 3 additions & 3 deletions docs/source/deployment/snippets/00_symbols.partial.md
Expand Up @@ -41,11 +41,11 @@ If you see a warning dialog that the certificate cannot be verified as root, acc
- You will need to login to the portal using an account with privileges to make the necessary changes to the resources you are altering
```

```{admonition} Azure Active Directory operation
![Azure AD: estimate of time needed](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=estimate%20of%20time%20needed)
```{admonition} Microsoft Entra ID operation
![Microsoft Entra ID: estimate of time needed](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=estimate%20of%20time%20needed)
- This indicates an operation which needs to be carried out in the [`Azure Portal`](https://portal.azure.com) using a web browser on your local machine.
- You will need to login to the portal using an account with administrative privileges on the `Azure Active Directory` that you are altering.
- You will need to login to the portal using an account with administrative privileges on the `Microsoft Entra ID` that you are altering.
- Note that this might be different from the account which is able to create/alter resources in the Azure subscription where you are building the Safe Haven.
```
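Review bot: "administrative privileges on the `Microsoft Entra ID` that you are altering" again uses the service name for the directory; "on the Microsoft Entra tenant that you are altering" is clearer and fits the next bullet, which is exactly about the tenant admin possibly being a different account from the subscription admin. On the same touched line, "login to the portal" should be "log in to the portal" (verb form).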

6 changes: 3 additions & 3 deletions docs/source/deployment/snippets/01_prerequisites.partial.md
@@ -6,15 +6,15 @@

```{tip}
- Ensure that the **Owner** of the subscription is an `Azure Security group` that contains all administrators and no-one else.
- We recommend using separate `Azure Active Directories` for users and administrators
- We recommend using separate `Microsoft Entra IDs` for users and administrators
```
- Access to a **global administrator** account on the SHM Azure Active Directory
- Access to a **global administrator** account on the SHM Microsoft Entra ID
### {{beginner}} Software
- `PowerShell` with support for Azure
- We recommend [installing](https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell) the [latest stable release](https://learn.microsoft.com/en-us/powershell/scripting/install/powershell-support-lifecycle?view=powershell-7.3) of Powershell. We have most recently tested deployment using version `7.3.2`.
- We recommend [installing](https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell) the [latest stable release](https://learn.microsoft.com/en-us/powershell/scripting/install/powershell-support-lifecycle?view=powershell-7.3) of Powershell. We have most recently tested deployment using version `7.3.9`.
- Install the [Azure PowerShell Module](https://docs.microsoft.com/en-us/powershell/azure/install-az-ps) using `Install-Module -Name Az -RequiredVersion 5.0.0 -Repository PSGallery`
- `Microsoft Remote Desktop`
- On macOS this can be installed from the [Apple store](https://www.apple.com/app-store/)
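Review bot: "We recommend using separate `Microsoft Entra IDs` for users and administrators" pluralises the product name; "separate Microsoft Entra tenants" says what is meant, and the same applies to "a **global administrator** account on the SHM Microsoft Entra ID". The PowerShell version bump from `7.3.2` to `7.3.9` is a separate change from the rename and is worth its own line in the commit message; the unchanged line below still pins the Az module with `-RequiredVersion 5.0.0`, so it would help to state whether the 7.3.9 test was run with that module version.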
@@ -1,5 +1,5 @@
These steps ensure that you have created a non-privileged user account that you can use for testing.
You must ensure that you have assigned a licence to this user in the Azure Active Directory so that MFA will work correctly.
You must ensure that you have assigned a licence to this user in the Microsoft Entra ID so that MFA will work correctly.

You should have already set up a non-privileged user account upon setting up the SHM, when {ref}`validating the active directory synchronisation <deploy_shm>`, but you may wish to set up another or verify that you have set one up already:

@@ -31,20 +31,20 @@ You should have already set up a non-privileged user account upon setting up the
- Enter the start of your username and click `Check names`
- Select your username and click `Ok`
- Click `Ok` again to exit the `Add users` dialogue
- Synchronise with Azure Active Directory by running following the `Powershell` command on the SHM primary domain controller
- Synchronise with Microsoft Entra ID by running following the `Powershell` command on the SHM primary domain controller

```powershell
PS> C:\Installation\Run_ADSync.ps1
```

### {{closed_lock_with_key}} Ensure that your non-privileged user account has MFA enabled

Switch to your custom Azure Active Directory in the Azure portal and make the following checks:
Switch to your custom Microsoft Entra ID in the Azure portal and make the following checks:

![Azure AD: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=one%20minute)
![Microsoft Entra ID: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=one%20minute)

- From the Azure portal, navigate to the AAD you have created.
- The `Usage Location` must be set in Azure Active Directory (should be automatically synchronised from the local Active Directory if it was correctly set there)
- Navigate to `Azure Active Directory > Manage / Users > (user account)`, and ensure that `Settings > Usage Location` is set.
- From the Azure portal, navigate to the Microsoft Entra ID you have created.
- The `Usage Location` must be set in Microsoft Entra ID (should be automatically synchronised from the local Active Directory if it was correctly set there)
- Navigate to `Microsoft Entra ID > Manage / Users > (user account)`, and ensure that `Settings > Usage Location` is set.
- A licence must be assigned to the user.
- Navigate to `Azure Active Directory > Manage / Users > (user account) > Licenses` and verify that a license is assigned and the appropriate MFA service enabled.
- Navigate to `Microsoft Entra ID > Manage / Users > (user account) > Licenses` and verify that a license is assigned and the appropriate MFA service enabled.
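Review bot: "Synchronise with Microsoft Entra ID by running following the `Powershell` command" carries over a pre-existing word-order error; since the line is being changed anyway, make it "by running the following PowerShell command". In the MFA checks, the `Usage Location` bullet already notes the value is synchronised from the local Active Directory; it would be worth saying explicitly to correct it there (and re-run `Run_ADSync.ps1`) rather than editing it in the portal, since the on-premises directory is the source for synced attributes. "From the Azure portal, navigate to the Microsoft Entra ID you have created" has the same tenant-naming issue raised on `deploy_sre.md`.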
2 changes: 1 addition & 1 deletion docs/source/design/architecture/index.md
@@ -23,7 +23,7 @@ Each deployment of the Data Safe Haven consists of two components:
```

The SHM controls the authentication process for the infrastructure.
The identity provider is Microsoft Active Directory, which is synchronised with AzureAD to provide cloud and multifactor authentication into the individual project Secure Research Environment (SRE).
The identity provider is Microsoft Active Directory, which is synchronized with Microsoft Entra ID to provide cloud and multifactor authentication into the individual project Secure Research Environment (SRE).

The SHM is connected to each SRE through virtual network peering, which allows authentication requests from the SRE servers to be resolved by the SHM Active Directory.
Although all SREs are peered with the SHM, they are not able to connect directly to one another, ensuring the isolation of each project.
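Review bot: "synchronised" was changed to "synchronized" on this line, which introduces US spelling into a document set that uses British spelling elsewhere (`synchronise` in `shm_details.md` and in the test-user partial in this same PR). Keep "synchronised"; the only intended change here is `AzureAD` to `Microsoft Entra ID`.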
2 changes: 1 addition & 1 deletion docs/source/design/architecture/shm_details.md
@@ -14,7 +14,7 @@ This provides a centralised management facility, ensuring consistency across all
Within the Management segment all authentication services are contained within a single virtual network (VNet).
The Windows Servers are running Active Directory and are acting as Domain Controllers.
They are configured within an Azure availability set to ensure maximum up time.
The Domain Controllers synchronise user details to the Azure Active Directory that is associated with the Management subscription to support self-service account activation and password reset.
The Domain Controllers synchronise user details to the Microsoft Entra ID that is associated with the Management subscription to support self-service account activation and password reset.

Network security is provided by Azure Network Security Groups that ensure that inbound connections from the SREs are limited to Active Directory and RADIUS traffic.

2 changes: 1 addition & 1 deletion docs/source/design/security/reference_configuration.md
@@ -10,7 +10,7 @@ The set of controls applied at the Alan Turing Institute are discussed here, tog

- Users must set up MFA before accessing the secure analysis environment.
- Users cannot access the environment without MFA.
- Users are required to create passwords that meet the [Azure Active Directory policy](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy) requirements.
- Users are required to create passwords that meet the [Microsoft Entra policy](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy) requirements.

### Implication:
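Review bot: the new link target is the SSPR password policy page, so the link text "Microsoft Entra policy" is under-specific; "Microsoft Entra password policy" (matching "Microsoft Entra password requirements" used for the same link in `user_guide.md` in this PR) tells the reader what is being linked before they click.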

6 changes: 3 additions & 3 deletions docs/source/processes/data_access_controls.md
@@ -6,7 +6,7 @@ However, some manual configuration steps are required and each organisation is r

## Administrative access

Access to all Data Safe Haven Azure resources is controlled via `Azure Active Directory` (Azure AD) and Role-Based Access Control (RBAC).
Access to all Data Safe Haven Azure resources is controlled via `Microsoft Entra ID` and Role-Based Access Control (RBAC).
By default, only members of a specific administrator security group have administrative access to any element of the Safe Haven.

```{important}
@@ -23,13 +23,13 @@ These comprise the software defined infrastructure of the Data Safe Haven, such
- virtual networks
- network security groups
- virtual machines
- `Azure Active Directory`
- `Microsoft Entra ID`

Access to the underlying Azure resources requires administrators to log into Azure.

```{hint}
Data Safe Haven administrator accounts should be separate from accounts used for any other purpose, including accessing the Data Safe Haven in any other role (e.g. as a {ref}`Researcher <role_researcher>`).
At the Turing, Data Safe Haven administrator accounts are configured on a separate institutional `Azure Active Directory` to the Data Safe Haven `Azure Active Directory`.
At the Turing, Data Safe Haven administrator accounts are configured on a separate institutional `Microsoft Entra ID` to the Data Safe Haven `Microsoft Entra ID`.
Other organisations may wish to follow the same model.
```
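Review bot: the removed line in the first hunk of this file introduced the abbreviation "(Azure AD)"; check the rest of `data_access_controls.md` for remaining uses of "Azure AD" that now have no expansion. In the hint, "configured on a separate institutional `Microsoft Entra ID` to the Data Safe Haven `Microsoft Entra ID`" reads better as "in a separate institutional Microsoft Entra tenant from the Data Safe Haven tenant". The separation itself is the right control to keep prominent: administrator identities live outside the tenant that researchers authenticate against.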

2 changes: 1 addition & 1 deletion docs/source/roles/researcher/user_guide.md
@@ -212,7 +212,7 @@ Please follow these steps carefully.
The virtual keyboard inside the SRE may not be the same as your physical keyboard and this can make it difficult to type some symbols.
```

Note that this will also ensure that it passes the [Microsoft Azure AD password requirements](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy).
Note that this will also ensure that it passes the [Microsoft Entra password requirements](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy).

```{tip}
We recommend using a password generator [like this one](https://bitwarden.com/password-generator/) to create a password that meets these requirements.
6 changes: 3 additions & 3 deletions docs/source/roles/system_manager/manage_deployments.md
@@ -193,7 +193,7 @@ The storage account can be found under `RG_SHM_<SHM ID>_PERSISTENT_DATA`, with a
Deleting the SRE storage account from `RG_SHM_<SHM ID>_PERSISTENT_DATA` will delete any work that was done in the SRE.
```

### {{unlock}} Disconnect from the Azure Active Directory
### {{unlock}} Disconnect from the Microsoft Entra ID

Connect to the **SHM Domain Controller (DC1)** via Remote Desktop Client over the SHM VPN connection

@@ -205,8 +205,8 @@ Connect to the **SHM Domain Controller (DC1)** via Remote Desktop Client over th
- You will need to provide login credentials (including MFA if set up) for `<admin username>@<SHM domain>`

```{attention}
Full disconnection of the Azure Active Directory can take up to 72 hours but is typically less.
If you are planning to install a new SHM connected to the same Azure Active Directory you may find the `AzureADConnect` installation step requires you to wait for the previous disconnection to complete.
Full disconnection of the Microsoft Entra ID can take up to 72 hours but is typically less.
If you are planning to install a new SHM connected to the same Microsoft Entra ID you may find the `AzureADConnect` installation step requires you to wait for the previous disconnection to complete.
```

### {{bomb}} Tear down the SHM
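Review bot: `AzureADConnect` is left unchanged here, which is correct for the installer name at the time, but with the heading now reading "Disconnect from the Microsoft Entra ID" a reader may not connect the two names; add a short parenthetical such as "(Azure AD Connect, being renamed to Microsoft Entra Connect)" or point to the warning added to `deployment/index.md` in this PR. "Disconnect from the Microsoft Entra tenant" also works better as the heading, for the same reason raised on `deploy_sre.md`.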