AAD -> Microsoft Entra ID

.devcontainer/devcontainer.json

@@ -109,7 +109,7 @@
               ]
             },
             {
-              "name": "E2E Extended AAD",
+              "name": "E2E Extended Microsoft Entra ID",
               "type": "python",
               "request": "launch",
               "module": "pytest",

.github/actions/devcontainer_run_command/action.yml

@@ -65,10 +65,10 @@ inputs:
     description: "The API Client Secret."
     required: false
   APPLICATION_ADMIN_CLIENT_ID:
-    description: "The Client ID of an identity that can manage the AAD Applications."
+    description: "The Client ID of an identity that can manage the Microsoft Entra ID Applications."
     required: false
   APPLICATION_ADMIN_CLIENT_SECRET:
-    description: "The Client secret of an identity that can manage the AAD Applications."
+    description: "The Client secret of an identity that can manage the Microsoft Entra ID Applications."
     required: false
   ACR_NAME:
     description: "The Container Registry that holds our Research images."

.github/scripts/build.js

@@ -97,7 +97,7 @@ async function getCommandFromComment({ core, context, github }) {
 
       case "/test-extended-aad":
         {
-          const runTests = await handleTestCommand({ core, github }, parts, "extended AAD tests", runId, { number: prNumber, authorUsername: prAuthorUsername, repoOwner, repoName, headSha: prHeadSha, refId: prRefId, details: pr }, { username: commentUsername, link: commentLink });
+          const runTests = await handleTestCommand({ core, github }, parts, "extended Microsoft Entra ID tests", runId, { number: prNumber, authorUsername: prAuthorUsername, repoOwner, repoName, headSha: prHeadSha, refId: prRefId, details: pr }, { username: commentUsername, link: commentLink });
           if (runTests) {
             command = "run-tests-extended-aad";
           }
@@ -247,7 +247,7 @@ async function showHelp({ github }, repoOwner, repoName, prNumber, commentUser,
 You can use the following commands:
     /test - build, deploy and run smoke tests on a PR
     /test-extended - build, deploy and run smoke & extended tests on a PR
-    /test-extended-aad - build, deploy and run smoke & extended AAD tests on a PR
+    /test-extended-aad - build, deploy and run smoke & extended Microsoft Entra ID tests on a PR
     /test-shared-services - test the deployment of shared services on a PR build
     /test-force-approve - force approval of the PR tests (i.e. skip the deployment checks)
     /test-destroy-env - delete the validation environment for a PR (e.g. to enable testing a deployment from a clean start after previous tests)

.github/scripts/build.test.js

@@ -407,7 +407,7 @@ describe('getCommandFromComment', () => {
             owner: 'someOwner',
             repo: 'someRepo',
             issue_number: PR_NUMBER.UPSTREAM_NON_DOCS_CHANGES,
-            bodyMatcher: /Running extended AAD tests: https:\/\/github.com\/someOwner\/someRepo\/actions\/runs\/11112222 \(with refid `cbce50da`\)/,
+            bodyMatcher: /Running extended Microsoft Entra ID tests: https:\/\/github.com\/someOwner\/someRepo\/actions\/runs\/11112222 \(with refid `cbce50da`\)/,
           });
         });
       });

Makefile

@@ -334,8 +334,8 @@ test-e2e-extended: ## 🧪 Run E2E extended tests
 	$(call target_title, "Running E2E extended tests") && \
 	$(MAKE) test-e2e-custom SELECTOR=extended
 
-test-e2e-extended-aad: ## 🧪 Run E2E extended AAD tests
-	$(call target_title, "Running E2E extended AAD tests") && \
+test-e2e-extended-aad: ## 🧪 Run E2E extended Microsoft Entra ID tests
+	$(call target_title, "Running E2E extended Microsoft Entra ID tests") && \
 	$(MAKE) test-e2e-custom SELECTOR=extended_aad
 
 test-e2e-shared-services: ## 🧪 Run E2E shared service tests

api_app/.env.sample

@@ -4,7 +4,7 @@
 # LOGGING_LEVEL can be set to DEBUG, INFO, WARNING, ERROR or CRITICAL
 LOGGING_LEVEL="INFO"
 
-# OAUTH information - client ids etc. for the AAD Apps
+# OAUTH information - client ids etc. for the Microsoft Entra ID Apps
 # ----------------------------------------------------
 # The AppId for the API service principal (TRE API)
 API_CLIENT_ID=__CHANGE_ME__

api_app/models/schemas/workspace.py

@@ -27,11 +27,11 @@ class AuthProvider(str, Enum):
     """
     Auth Provider
     """
-    AAD = "AAD"
+    Microsoft Entra ID = "Microsoft Entra ID"
 
 
 class AuthenticationConfiguration(BaseModel):
-    provider: AuthProvider = Field(AuthProvider.AAD, title="Authentication Provider")
+    provider: AuthProvider = Field(AuthProvider.Microsoft Entra ID, title="Authentication Provider")
     data: dict = Field({}, title="Authentication information")
 
 

api_app/resources/strings.py

@@ -99,7 +99,7 @@
 
 # Error strings
 ACCESS_APP_IS_MISSING_ROLE = "The App is missing role"
-ACCESS_PLEASE_SUPPLY_CLIENT_ID = "Please supply the client_id for the AAD application"
+ACCESS_PLEASE_SUPPLY_CLIENT_ID = "Please supply the client_id for the Microsoft Entra ID application"
 ACCESS_UNABLE_TO_GET_INFO_FOR_APP = "Unable to get app info for app:"
 ACCESS_UNABLE_TO_GET_ROLE_ASSIGNMENTS_FOR_USER = "Unable to get role assignments for user"
 ACCESS_UNABLE_TO_GET_ACCOUNT_TYPE = "Unable to look up account type"

api_app/services/aad_authentication.py

@@ -168,7 +168,7 @@ def _ensure_b64padding(key: str) -> str:
 
     def _get_token_key(self, key_id: str) -> str:
         """
-        Rather tha use PyJWKClient.get_signing_key_from_jwt every time, we'll get all the keys from AAD and cache them.
+        Rather tha use PyJWKClient.get_signing_key_from_jwt every time, we'll get all the keys from Microsoft Entra ID and cache them.
         """
         if key_id not in AzureADAuthorization._jwt_keys:
             response = requests.get(f"{self.aad_instance}/{config.AAD_TENANT_ID}/v2.0/.well-known/openid-configuration")
@@ -203,7 +203,7 @@ def _get_msgraph_token() -> str:
         except Exception:
             result = None
         if not result:
-            logger.debug('No suitable token exists in cache, getting a new one from AAD')
+            logger.debug('No suitable token exists in cache, getting a new one from Microsoft Entra ID')
             result = app.acquire_token_for_client(scopes=scopes)
         if "access_token" not in result:
             raise Exception(f"API app registration access token cannot be retrieved. {result.get('error')}: {result.get('error_description')}")
@@ -321,8 +321,8 @@ def _get_batch_users_by_role_assignments_body(self, roles_graph_data):
 
         return request_body
 
-    # This method is called when you create a workspace and you already have an AAD App Registration
-    # to link it to. You pass in the client_id and go and get the extra information you need from AAD
+    # This method is called when you create a workspace and you already have an Microsoft Entra ID App Registration
+    # to link it to. You pass in the client_id and go and get the extra information you need from Microsoft Entra ID
     # If the auth_type is `Automatic`, then these values will be written by Terraform.
     def _get_app_auth_info(self, client_id: str) -> dict:
         graph_data = self._get_app_sp_graph_data(client_id)
@@ -396,7 +396,7 @@ def extract_workspace_auth_information(self, data: dict) -> dict:
             raise AuthConfigValidationError(strings.ACCESS_PLEASE_SUPPLY_CLIENT_ID)
 
         auth_info = {}
-        # The user may want us to create the AAD workspace app and therefore they
+        # The user may want us to create the Microsoft Entra ID workspace app and therefore they
         # don't know the client_id yet.
         if data["auth_type"] != "Automatic":
             auth_info = self._get_app_auth_info(data["client_id"])

api_app/services/authentication.py

@@ -8,15 +8,15 @@
 
 
 def extract_auth_information(workspace_creation_properties: dict) -> dict:
-    access_service = get_access_service('AAD')
+    access_service = get_access_service('Microsoft Entra ID')
     try:
         return access_service.extract_workspace_auth_information(workspace_creation_properties)
     except AuthConfigValidationError as e:
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(e))
 
 
-def get_access_service(provider: str = AuthProvider.AAD) -> AccessService:
-    if provider == AuthProvider.AAD:
+def get_access_service(provider: str = AuthProvider.Microsoft Entra ID) -> AccessService:
+    if provider == AuthProvider.Microsoft Entra ID:
         return AzureADAuthorization()
     raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=strings.INVALID_AUTH_PROVIDER)
 

api_app/tests_ma/test_service_bus/test_substitutions.py

@@ -242,7 +242,7 @@ def test_substitution_list_strings(primary_resource, resource_to_update):
                     "rules": [
                         {
                             "name": "AllowAzureAD",
-                            "description": "AAD access for authNZ",
+                            "description": "Microsoft Entra ID access for authNZ",
                             "source_addresses": "",
                             "destination_addresses": ["AzureActiveDirectory"],
                             "destination_ports": ["*", "{{resource.id}}"],

cli/tre/commands/login.py

@@ -46,7 +46,7 @@ def login():
               help='The Client ID of the Microsoft Entra ID application for the API (optional for API versions >= v0.5.7)')
 @click.option('--aad-tenant-id',
               required=False,
-              help='The Tenant ID for the AAD tenant to authenticate with (optional for API versions >= v0.5.7)')
+              help='The Tenant ID for the Microsoft Entra ID tenant to authenticate with (optional for API versions >= v0.5.7)')
 @click.option('--api-scope',
               required=False,
               help='The API scope for the base API (optional for API versions >= v0.5.7)')
@@ -173,7 +173,7 @@ def login_device_code(base_url: str, client_id: str, aad_tenant_id: str, api_sco
 @click.option(
     "--aad-tenant-id",
     required=False,
-    help="The Tenant ID for the AAD tenant to authenticate with (optional for API versions >= v0.5.7)",
+    help="The Tenant ID for the Microsoft Entra ID tenant to authenticate with (optional for API versions >= v0.5.7)",
 )
 @click.option("--api-scope", required=False, help="The API scope for the base API (optional for API versions >= v0.5.7)")
 @click.option(

config.sample.yaml

@@ -48,8 +48,8 @@ authentication:
   # create an identity with `Application.ReadWrite.OwnedBy`.
   # Setting AUTO_WORKSPACE_APP_REGISTRATION to true will:
   # create an identity with `Application.ReadWrite.All` and `Directory.Read.All`.
-  # When this is true, create Workspaces will also create an AAD Application automatically.
-  # When this is false, the AAD Application will need creating manually.
+  # When this is true, create Workspaces will also create an Microsoft Entra ID Application automatically.
+  # When this is false, the Microsoft Entra ID Application will need creating manually.
   auto_workspace_app_registration: true
   # Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with `Group.ReadWrite.All`
   auto_workspace_group_creation: false

config_schema.json

@@ -98,7 +98,7 @@
           "pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$"
         },
         "auto_workspace_app_registration": {
-          "description": "This identity is used to manage other AAD applications that it owns. Read more about it here: docs/tre-admins/auth.md",
+          "description": "This identity is used to manage other Microsoft Entra ID applications that it owns. Read more about it here: docs/tre-admins/auth.md",
           "type": "boolean"
         },
         "auto_workspace_group_creation": {
@@ -121,12 +121,12 @@
           "pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$"
         },
         "application_admin_client_id": {
-          "description": "This client will administer AAD Applications for TRE.",
+          "description": "This client will administer Microsoft Entra ID Applications for TRE.",
           "type": "string",
           "pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$"
         },
         "application_admin_client_secret": {
-          "description": "Secret to client which will administer AAD Applications for TRE",
+          "description": "Secret to client which will administer Microsoft Entra ID Applications for TRE",
           "type": "string",
           "minLength": 11
         },

core/terraform/variables.tf

@@ -102,13 +102,13 @@ variable "api_client_secret" {
 
 variable "application_admin_client_id" {
   type        = string
-  description = "The client id (app id) of the registration in Microsoft Entra ID for creating AAD Applications."
+  description = "The client id (app id) of the registration in Microsoft Entra ID for creating Microsoft Entra ID Applications."
   sensitive   = true
 }
 
 variable "application_admin_client_secret" {
   type        = string
-  description = "A client secret used by the Resource Processor to authenticate with Microsoft Entra ID to create AAD Applications."
+  description = "A client secret used by the Resource Processor to authenticate with Microsoft Entra ID to create Microsoft Entra ID Applications."
   sensitive   = true
 }
 

devops/scripts/aad/create_api_application.sh

@@ -10,7 +10,7 @@ function show_usage()
     cat << USAGE
 
 Utility script for creating app registrations required by Azure TRE. This script will create the API and Client
-Applications. The Client Application is the public facing app, whereas the API is an internal AAD Application.
+Applications. The Client Application is the public facing app, whereas the API is an internal Microsoft Entra ID Application.
 You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra ID to run this script.
 
 Usage: $0 -n <app-name> [-r <reply-url>] [-a] [-s] [--automation-account]

devops/scripts/aad/create_application_administrator.sh

@@ -9,7 +9,7 @@ function show_usage()
     cat << USAGE
 
 Utility script for creating an application administrator for TRE. This is mandatory and is used
-to manage AAD Application creation within TRE. This script is called when you run "make auth" and
+to manage Microsoft Entra ID Application creation within TRE. This script is called when you run "make auth" and
 the environment variable AUTO_WORKSPACE_APP_REGISTRATION determines the permission this identity has.
 You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra ID to run this script.
 

devops/scripts/aad/update_resource_access.sh

@@ -4,7 +4,7 @@
 
 # Utility function that retrieves all of the 'requiredResourceAccess' from an application,
 # it then removes any access for a given `resourceAppId`, merges in a new element into the
-# array and then posts it back to AAD.
+# array and then posts it back to Microsoft Entra ID.
 function update_resource_access()
 {
   local msGraphUri=$1

devops/scripts/create_aad_assets.sh

@@ -14,7 +14,7 @@ LOGGED_IN_TENANT_ID=$(az account show --query tenantId -o tsv)
 if [ "${LOGGED_IN_TENANT_ID}" != "${AAD_TENANT_ID}" ]; then
   echo "Attempting to sign you onto ${AAD_TENANT_ID} to setup Microsoft Entra ID assets."
 
-  # First we need to login to the AAD tenant (as it is different to the subscription tenant)
+  # First we need to login to the Microsoft Entra ID tenant (as it is different to the subscription tenant)
   az login --tenant "${AAD_TENANT_ID}" --allow-no-subscriptions --use-device-code
   CHANGED_TENANT=1
 fi

docs/azure-tre-overview/airlock.md

@@ -117,7 +117,7 @@ Whenever the airlock process changes to a state of **Draft**, **Submitted**, **A
 When the state changes to `In-progress` the Workspace Owner (Airlock Manager) gets notified.
 
 > * The Notification mechanism is also data-driven, allowing an organization to extend the notifications behavior. The mechanism is exemplified with a Logic App determining the notifications logic.
-> * Notifications will work with All TRE users being AAD users (guests or not), with email defined – if not, notifications will not be sent.
+> * Notifications will work with All TRE users being Microsoft Entra ID users (guests or not), with email defined – if not, notifications will not be sent.
 
 ## Architecture