Update Azure Active Directory to Microsoft Entra ID #3846

Merged
merged 5 commits into from
Oct 30, 2023
Expand Up @@ -3,5 +3,5 @@ type: docs
title: "Authenticate to Azure"
linkTitle: "Authenticate to Azure"
weight: 1600
description: "Learn about authenticating Azure components using Azure Active Directory or Managed Identities"
description: "Learn about authenticating Azure components using Microsoft Entra ID or Managed Identities"
---
Expand Up @@ -2,27 +2,27 @@
type: docs
title: "Authenticating to Azure"
linkTitle: "Overview"
description: "How to authenticate Azure components using Azure AD and/or Managed Identities"
description: "How to authenticate Azure components using Microsoft Entra ID and/or Managed Identities"
aliases:
- "/operations/components/setup-secret-store/supported-secret-stores/azure-keyvault-managed-identity/"
- "/reference/components-reference/supported-secret-stores/azure-keyvault-managed-identity/"
weight: 10000
---

Most Azure components for Dapr support authenticating with Azure AD (Azure Active Directory). Thanks to this:
Most Azure components for Dapr support authenticating with Microsoft Entra ID. Thanks to this:

- Administrators can leverage all the benefits of fine-tuned permissions with Azure Role-Based Access Control (RBAC).
- Applications running on Azure services such as Azure Container Apps, Azure Kubernetes Service, Azure VMs, or any other Azure platform services can leverage [Managed Identities (MI)](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview) and [Workload Identity](https://learn.microsoft.com/azure/aks/workload-identity-overview). These offer the ability to authenticate your applications without having to manage sensitive credentials.

## About authentication with Azure AD
## About authentication with Microsoft Entra ID

Azure AD is Azure's identity and access management (IAM) solution, which is used to authenticate and authorize users and services.
Microsoft Entra ID is Azure's identity and access management (IAM) solution, which is used to authenticate and authorize users and services.

Azure AD is built on top of open standards such OAuth 2.0, which allows services (applications) to obtain access tokens to make requests to Azure services, including Azure Storage, Azure Service Bus, Azure Key Vault, Azure Cosmos DB, Azure Database for Postgres, Azure SQL, etc.
Microsoft Entra ID is built on top of open standards such OAuth 2.0, which allows services (applications) to obtain access tokens to make requests to Azure services, including Azure Storage, Azure Service Bus, Azure Key Vault, Azure Cosmos DB, Azure Database for Postgres, Azure SQL, etc.

> In Azure terminology, an application is also called a "Service Principal".

Some Azure components offer alternative authentication methods, such as systems based on "shared keys" or "access tokens". Although these are valid and supported by Dapr, you should authenticate your Dapr components using Azure AD whenever possible to take advantage of many benefits, including:
Some Azure components offer alternative authentication methods, such as systems based on "shared keys" or "access tokens". Although these are valid and supported by Dapr, you should authenticate your Dapr components using Microsoft Entra ID whenever possible to take advantage of many benefits, including:

- [Managed Identities and Workload Identity](#managed-identities-and-workload-identity)
- [Role-Based Access Control](#role-based-access-control)
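Review bot: the rewritten sentence "Microsoft Entra ID is built on top of open standards such OAuth 2.0" carries over the pre-existing "such OAuth 2.0" typo; since the line is being touched anyway, make it "such as OAuth 2.0". Also, the unchanged callout "In Azure terminology, an application is also called a 'Service Principal'" is at odds with the how-to further down in this PR, which says the Service Principal ID "is different from the Microsoft Entra ID application ID (client ID)"; consider softening it to say the application is represented in a tenant by a service principal.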
Expand All @@ -31,7 +31,7 @@ Some Azure components offer alternative authentication methods, such as systems

### Managed Identities and Workload Identity

With Managed Identities (MI), your application can authenticate with Azure AD and obtain an access token to make requests to Azure services. When your application is running on a supported Azure service (such as Azure VMs, Azure Container Apps, Azure Web Apps, etc), an identity for your application can be assigned at the infrastructure level.
With Managed Identities (MI), your application can authenticate with Microsoft Entra ID and obtain an access token to make requests to Azure services. When your application is running on a supported Azure service (such as Azure VMs, Azure Container Apps, Azure Web Apps, etc), an identity for your application can be assigned at the infrastructure level.

Once using MI, your code doesn't have to deal with credentials, which:

Expand All @@ -48,11 +48,11 @@ When using Azure Role-Based Access Control (RBAC) with supported services, permi

### Auditing

Using Azure AD provides an improved auditing experience for access. Tenant administrators can consult audit logs to track authentication requests.
Using Microsoft Entra ID provides an improved auditing experience for access. Tenant administrators can consult audit logs to track authentication requests.

### (Optional) Authentication using certificates

While Azure AD allows you to use MI, you still have the option to authenticate using certificates.
While Microsoft Entra ID allows you to use MI, you still have the option to authenticate using certificates.

## Support for other Azure environments

Expand All @@ -66,7 +66,7 @@ By default, Dapr components are configured to interact with Azure resources in t

## Credentials metadata fields

To authenticate with Azure AD, you will need to add the following credentials as values in the metadata for your [Dapr component](#example-usage-in-a-dapr-component).
To authenticate with Microsoft Entra ID, you will need to add the following credentials as values in the metadata for your [Dapr component](#example-usage-in-a-dapr-component).

### Metadata options

Expand All @@ -82,7 +82,7 @@ Depending on how you've passed credentials to your Dapr services, you have multi

| Field | Required | Details | Example |
|---------------------|----------|--------------------------------------|----------------------------------------------|
| `azureTenantId` | Y | ID of the Azure AD tenant | `"cd4b2887-304c-47e1-b4d5-65447fdd542b"` |
| `azureTenantId` | Y | ID of the Microsoft Entra ID tenant | `"cd4b2887-304c-47e1-b4d5-65447fdd542b"` |
| `azureClientId` | Y | Client ID (application ID) | `"c7dd251f-811f-4ba2-a905-acd4d3f8f08b"` |
| `azureClientSecret` | Y | Client secret (application password) | `"Ecy3XG7zVZK3/vl/a2NSB+a1zXLa8RnMum/IgD0E"` |

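Review bot: "ID of the Microsoft Entra ID tenant" reads as "ID ... ID tenant"; Microsoft's own naming guidance drops the second "ID" in this position, so "ID of the Microsoft Entra tenant" is cleaner. The same phrase appears in the certificate table below and should be changed consistently.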
Expand All @@ -92,7 +92,7 @@ When running on Kubernetes, you can also use references to Kubernetes secrets fo

| Field | Required | Details | Example |
|--------|--------|--------|--------|
| `azureTenantId` | Y | ID of the Azure AD tenant | `"cd4b2887-304c-47e1-b4d5-65447fdd542b"` |
| `azureTenantId` | Y | ID of the Microsoft Entra ID tenant | `"cd4b2887-304c-47e1-b4d5-65447fdd542b"` |
| `azureClientId` | Y | Client ID (application ID) | `"c7dd251f-811f-4ba2-a905-acd4d3f8f08b"` |
| `azureCertificate` | One of `azureCertificate` and `azureCertificateFile` | Certificate and private key (in PFX/PKCS#12 format) | `"-----BEGIN PRIVATE KEY-----\n MIIEvgI... \n -----END PRIVATE KEY----- \n -----BEGIN CERTIFICATE----- \n MIICoTC... \n -----END CERTIFICATE-----` |
| `azureCertificateFile` | One of `azureCertificate` and `azureCertificateFile` | Path to the PFX/PKCS#12 file containing the certificate and private key | `"/path/to/file.pem"` |
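Review bot: same "Microsoft Entra ID tenant" wording as in the previous table; use "Microsoft Entra tenant". Separately, the unchanged context rows describe `azureCertificate` and `azureCertificateFile` as "PFX/PKCS#12 format" while the examples show a PEM private key and certificate block and a `/path/to/file.pem` path; worth aligning the description with the example (or vice versa) in a follow-up, since readers will copy the example.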
Expand Down Expand Up @@ -127,7 +127,7 @@ Using this authentication method does not require setting any metadata option.

### Example usage in a Dapr component

In this example, you will set up an Azure Key Vault secret store component that uses Azure AD to authenticate.
In this example, you will set up an Azure Key Vault secret store component that uses Microsoft Entra ID to authenticate.

{{< tabs "Self-Hosted" "Kubernetes">}}

Expand Down Expand Up @@ -279,11 +279,11 @@ To use a **certificate**:

## Next steps

{{< button text="Generate a new Azure AD application and Service Principal >>" page="howto-aad.md" >}}
{{< button text="Generate a new Microsoft Entra ID application and Service Principal >>" page="howto-aad.md" >}}

## References

- [Azure AD app credential: Azure CLI reference](https://docs.microsoft.com/cli/azure/ad/app/credential)
- [Microsoft Entra ID app credential: Azure CLI reference](https://docs.microsoft.com/cli/azure/ad/app/credential)
- [Azure Managed Service Identity (MSI) overview](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview)
- [Secrets building block]({{< ref secrets >}})
- [How-To: Retrieve a secret]({{< ref "howto-secrets.md" >}})
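Review bot: the reference "[Azure Managed Service Identity (MSI) overview]" uses the retired "MSI" name while the rest of the PR moves to current terminology; suggest renaming it to "Managed identities for Azure resources overview". The list also mixes `docs.microsoft.com` and `learn.microsoft.com` hosts (the Workload Identity link earlier in this file already uses `learn.microsoft.com`), which could be normalized in the same pass.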
@@ -1,9 +1,9 @@
---
type: docs
title: "How to: Generate a new Azure AD application and Service Principal"
linkTitle: "How to: Generate Azure AD and Service Principal"
title: "How to: Generate a new Microsoft Entra ID application and Service Principal"
linkTitle: "How to: Generate Microsoft Entra ID and Service Principal"
weight: 30000
description: "Learn how to generate an Azure Active Directory and use it as a Service Principal"
description: "Learn how to generate an Microsoft Entra ID and use it as a Service Principal"
---

## Prerequisites
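Review bot: the new `description` reads "Learn how to generate an Microsoft Entra ID and use it as a Service Principal", which has an article error ("an Microsoft") and a meaning error, since what is generated is an application, not the directory. Suggest "Learn how to create a Microsoft Entra ID application and use it as a Service Principal". The `linkTitle` "How to: Generate Microsoft Entra ID and Service Principal" has the same problem; "How to: Generate an Entra ID application and Service Principal" keeps it short and accurate.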
Expand All @@ -23,9 +23,9 @@ az login
az account set -s [your subscription id]
```

### Create an Azure AD application
### Create an Microsoft Entra ID application

Create the Azure AD application with:
Create the Microsoft Entra ID application with:

```sh
# Friendly name for the application / Service Principal
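Review bot: "Create an Microsoft Entra ID application" (heading and the sentence under it) should be "Create a Microsoft Entra ID application"; the search-and-replace of "Azure AD" left the article that matched the old vowel sound.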
Expand Down Expand Up @@ -107,7 +107,7 @@ When adding the returned values to your Dapr component's metadata:

### Create a Service Principal

Once you have created an Azure AD application, create a Service Principal for that application. With this Service Principal, you can grant it access to Azure resources.
Once you have created an Microsoft Entra ID application, create a Service Principal for that application. With this Service Principal, you can grant it access to Azure resources.

To create the Service Principal, run the following command:

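Review bot: "Once you have created an Microsoft Entra ID application" should read "a Microsoft Entra ID application", same article fix as in the heading above.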
Expand All @@ -124,7 +124,7 @@ Expected output:
Service Principal ID: 1d0ccf05-5427-4b5e-8eb4-005ac5f9f163
```

The returned value above is the **Service Principal ID**, which is different from the Azure AD application ID (client ID). The Service Principal ID is defined within an Azure tenant and used to grant access to Azure resources to an application
The returned value above is the **Service Principal ID**, which is different from the Microsoft Entra ID application ID (client ID). The Service Principal ID is defined within an Azure tenant and used to grant access to Azure resources to an application
You'll use the Service Principal ID to grant permissions to an application to access Azure resources.

Meanwhile, **the client ID** is used by your application to authenticate. You'll use the client ID in Dapr manifests to configure authentication with Azure services.
Expand Up @@ -10,7 +10,7 @@ description: "Learn how to use Managed Identities"

Using Managed Identities (MI), authentication happens automatically by virtue of your application running on top of an Azure service that has an assigned identity.

For example, let's say you enable a managed service identity for an Azure VM, Azure Container App, or an Azure Kubernetes Service cluster. When you do, an Azure AD application is created for you and automatically assigned to the service. Your Dapr services can then leverage that identity to authenticate with Azure AD, transparently and without you having to specify any credentials.
For example, let's say you enable a managed service identity for an Azure VM, Azure Container App, or an Azure Kubernetes Service cluster. When you do, an Microsoft Entra ID application is created for you and automatically assigned to the service. Your Dapr services can then leverage that identity to authenticate with Microsoft Entra ID, transparently and without you having to specify any credentials.

To get started with managed identities, you need to assign an identity to a new or existing Azure resource. The instructions depend on the service use. Check the following official documentation for the most appropriate instructions:

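Review bot: "an Microsoft Entra ID application is created for you" should be "a Microsoft Entra ID application". While touching this sentence, "managed service identity" in the same line is the old MSI-era name; "managed identity" matches the terminology used elsewhere in this PR.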
4 changes: 2 additions & 2 deletions daprdocs/content/en/operations/security/oauth.md
Expand Up @@ -16,7 +16,7 @@ The main difference between the two flows is that the `Authorization Code Grant

Different authorization servers provide different application registration experiences. Here are some samples:
<!-- IGNORE_LINKS -->
* [Azure AAD](https://docs.microsoft.com/azure/active-directory/develop/v1-protocols-oauth-code)
* [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/develop/v1-protocols-oauth-code)
* [Facebook](https://developers.facebook.com/apps)
* [Fitbit](https://dev.fitbit.com/build/reference/web-api/oauth2/)
* [GitHub](https://developer.github.com/apps/building-oauth-apps/creating-an-oauth-app/)
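Review bot: the renamed "Microsoft Entra ID" entry still links to `.../develop/v1-protocols-oauth-code`, the v1 (Azure AD Graph-era) authorization code documentation; if the label is being modernized, the link should point at the v2 authorization code flow page (`v2-oauth2-auth-code-flow` under the same `develop` path) so that readers who follow it register against the current endpoint.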
Expand All @@ -37,7 +37,7 @@ Authorization/Token URLs of some of the popular authorization servers:
<!-- IGNORE_LINKS -->
| Server | Authorization URL | Token URL |
|---------|-------------------|-----------|
|Azure AAD|<https://login.microsoftonline.com/{tenant}/oauth2/authorize>|<https://login.microsoftonline.com/{tenant}/oauth2/token>|
|Microsoft Entra ID|<https://login.microsoftonline.com/{tenant}/oauth2/authorize>|<https://login.microsoftonline.com/{tenant}/oauth2/token>|
|GitHub|<https://github.com/login/oauth/authorize>|<https://github.com/login/oauth/access_token>|
|Google|<https://accounts.google.com/o/oauth2/v2/auth>|<https://accounts.google.com/o/oauth2/token> <https://www.googleapis.com/oauth2/v4/token>|
|Twitter|<https://api.twitter.com/oauth/authorize>|<https://api.twitter.com/oauth2/token>|
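Review bot: the Microsoft Entra ID row keeps the v1 endpoints (`/oauth2/authorize`, `/oauth2/token`); the v2 endpoints are `/oauth2/v2.0/authorize` and `/oauth2/v2.0/token` under the same `login.microsoftonline.com/{tenant}` prefix. If this table is meant to reflect current guidance, update the URLs together with the name, or note that these are the v1 endpoints.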
Expand Up @@ -43,16 +43,16 @@ The above example uses secrets as plain strings. It is recommended to use a secr
| Field | Required | Binding support | Details | Example |
|--------------------|:--------:|--------|---------|---------|
| `accountName` | Y | Input/Output | The name of the Azure Storage account | `"myexmapleaccount"` |
| `accountKey` | Y* | Input/Output | The access key of the Azure Storage account. Only required when not using Azure AD authentication. | `"access-key"` |
| `accountKey` | Y* | Input/Output | The access key of the Azure Storage account. Only required when not using Microsoft Entra ID authentication. | `"access-key"` |
| `containerName` | Y | Output | The name of the Blob Storage container to write to | `myexamplecontainer` |
| `endpoint` | N | Input/Output | Optional custom endpoint URL. This is useful when using the [Azurite emulator](https://github.com/Azure/azurite) or when using custom domains for Azure Storage (although this is not officially supported). The endpoint must be the full base URL, including the protocol (`http://` or `https://`), the IP or FQDN, and optional port. | `"http://127.0.0.1:10000"`
| `decodeBase64` | N | Output | Configuration to decode base64 file content before saving to Blob Storage. (In case of saving a file with binary content). Defaults to `false` | `true`, `false` |
| `getBlobRetryCount` | N | Output | Specifies the maximum number of HTTP GET requests that will be made while reading from a RetryReader Defaults to `10` | `1`, `2`
| `publicAccessLevel` | N | Output | Specifies whether data in the container may be accessed publicly and the level of access (only used if the container is created by Dapr). Defaults to `none` | `blob`, `container`, `none`

### Azure Active Directory (AAD) authentication
### Microsoft Entra ID authentication

The Azure Blob Storage binding component supports authentication using all Azure Active Directory mechanisms. For further information and the relevant component metadata fields to provide depending on the choice of AAD authentication mechanism, see the [docs for authenticating to Azure]({{< ref authenticating-azure.md >}}).
The Azure Blob Storage binding component supports authentication using all Microsoft Entra ID mechanisms. For further information and the relevant component metadata fields to provide depending on the choice of Microsoft Entra ID authentication mechanism, see the [docs for authenticating to Azure]({{< ref authenticating-azure.md >}}).

## Binding support

Expand Up @@ -48,9 +48,9 @@ The above example uses secrets as plain strings. It is recommended to use a secr

For more information see [Azure Cosmos DB resource model](https://docs.microsoft.com/azure/cosmos-db/account-databases-containers-items).

### Azure Active Directory (Azure AD) authentication
### Microsoft Entra ID authentication

The Azure Cosmos DB binding component supports authentication using all Azure Active Directory mechanisms. For further information and the relevant component metadata fields to provide depending on the choice of AAD authentication mechanism, see the [docs for authenticating to Azure]({{< ref authenticating-azure.md >}}).
The Azure Cosmos DB binding component supports authentication using all Microsoft Entra ID mechanisms. For further information and the relevant component metadata fields to provide depending on the choice of Microsoft Entra ID authentication mechanism, see the [docs for authenticating to Azure]({{< ref authenticating-azure.md >}}).

You can read additional information for setting up Cosmos DB with Azure AD authentication in the [section below](#setting-up-cosmos-db-for-authenticating-with-azure-ad).

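Review bot: the unchanged context line "You can read additional information for setting up Cosmos DB with Azure AD authentication in the [section below](#setting-up-cosmos-db-for-authenticating-with-azure-ad)" still uses the old name, and its anchor is derived from a heading text; if that heading was renamed elsewhere in this file the anchor will break. Please either rename this sentence and anchor together with the target heading, or leave the heading as is and update only the visible text.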
Expand Up @@ -90,9 +90,9 @@ This component supports **output binding** with the following operations:

- `create`: publishes a message on the Event Grid topic

## Azure AD credentials
## Microsoft Entra ID credentials

The Azure Event Grid binding requires an Azure AD application and service principal for two reasons:
The Azure Event Grid binding requires an Microsoft Entra ID application and service principal for two reasons:

- Creating an [event subscription](https://docs.microsoft.com/azure/event-grid/concepts#event-subscriptions) when Dapr is started (and updating it if the Dapr configuration changes)
- Authenticating messages delivered by Event Hubs to your application.
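Review bot: "requires an Microsoft Entra ID application" should be "a Microsoft Entra ID application". The second bullet in the unchanged context, "Authenticating messages delivered by Event Hubs to your application", looks like a pre-existing copy error in an Event Grid page (the subscription in the first bullet is an Event Grid event subscription); worth fixing to "Event Grid" while this section is being edited.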
Expand All @@ -106,7 +106,7 @@ Requirements:
- [Microsoft.Graph module for PowerShell](https://learn.microsoft.com/powershell/microsoftgraph/installation) for PowerShell installed:
`Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force`

For the first purpose, you will need to [create an Azure Service Principal](https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal). After creating it, take note of the Azure AD application's **clientID** (a UUID), and run the following script with the Azure CLI:
For the first purpose, you will need to [create an Azure Service Principal](https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal). After creating it, take note of the Microsoft Entra ID application's **clientID** (a UUID), and run the following script with the Azure CLI:

```bash
# Set the client ID of the app you created
Expand Down Expand Up @@ -140,7 +140,7 @@ Connect-MgGraph -Scopes "Application.Read.All","Application.ReadWrite.All"
./setup-eventgrid-sp.ps1 $clientId
```

> Note: if your directory does not have a Service Principal for the application "Microsoft.EventGrid", you may need to run the command `Connect-MgGraph` and sign in as an admin for the Azure AD tenant (this is related to permissions on the Azure AD directory, and not the Azure subscription). Otherwise, please ask your tenant's admin to sign in and run this PowerShell command: `New-MgServicePrincipal -AppId "4962773b-9cdb-44cf-a8bf-237846a00ab7"` (the UUID is a constant)
> Note: if your directory does not have a Service Principal for the application "Microsoft.EventGrid", you may need to run the command `Connect-MgGraph` and sign in as an admin for the Microsoft Entra ID tenant (this is related to permissions on the Microsoft Entra ID directory, and not the Azure subscription). Otherwise, please ask your tenant's admin to sign in and run this PowerShell command: `New-MgServicePrincipal -AppId "4962773b-9cdb-44cf-a8bf-237846a00ab7"` (the UUID is a constant)

### Testing locally

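Review bot: "sign in as an admin for the Microsoft Entra ID tenant (this is related to permissions on the Microsoft Entra ID directory ...)" doubles up "ID tenant" and "ID directory"; "Microsoft Entra tenant" and "Microsoft Entra directory" read better and match Microsoft's naming guidance, consistent with the table rows earlier in this PR.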