microsoft · tim-p-allen · Apr 11, 2024 · Mar 13, 2024 · Mar 15, 2024 · Mar 15, 2024
diff --git a/Makefile b/Makefile
@@ -362,8 +362,8 @@ setup-local-debugging: ## 🛠️ Setup local debugging
 	&& . ${MAKEFILE_DIR}/devops/scripts/load_env.sh ${MAKEFILE_DIR}/core/private.env \
 	&& . ${MAKEFILE_DIR}/devops/scripts/setup_local_debugging.sh
 
-auth: ## 🔐 Create the necessary Azure Active Directory assets
-	$(call target_title,"Setting up Azure Active Directory") \
+auth: ## 🔐 Create the necessary Microsoft Entra Workforce ID assets
+	$(call target_title,"Setting up Microsoft Entra Workforce ID") \
 	&& . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env \
 	&& ${MAKEFILE_DIR}/devops/scripts/create_aad_assets.sh
 

diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ Core features include:
 - Self-service provisioning of research tooling for research teams
 - Package and repository mirroring - PyPi, R-CRAN, Apt and more.
 - Extensible architecture - build your own service templates as required
-- Azure Active Directory integration
+- Microsoft Entra Workforce ID integration
 - Airlock - import and export
 - Cost reporting
 - Ready to workspace templates including:  

diff --git a/api_app/.env.sample b/api_app/.env.sample
@@ -12,7 +12,7 @@ API_CLIENT_ID=__CHANGE_ME__
 API_CLIENT_SECRET=__CHANGE_ME__
 # The AppId for the Swagger service principal (TRE Swagger UI)
 SWAGGER_UI_CLIENT_ID=__CHANGE_ME__
-# The Azure AD tenant
+# The Microsoft Entra Workforce tenant
 AAD_TENANT_ID=__CHANGE_ME__
 
 # API parameters

diff --git a/api_app/_version.py b/api_app/_version.py
@@ -1 +1 @@
-__version__ = "0.18.5"
+__version__ = "0.18.6"
diff --git a/api_app/api/routes/workspaces.py b/api_app/api/routes/workspaces.py
@@ -99,7 +99,7 @@ async def retrieve_workspace_scope_id_by_workspace_id(workspace=Depends(get_work
 @workspaces_core_router.post("/workspaces", status_code=status.HTTP_202_ACCEPTED, response_model=OperationInResponse, name=strings.API_CREATE_WORKSPACE, dependencies=[Depends(get_current_admin_user)])
 async def create_workspace(workspace_create: WorkspaceInCreate, response: Response, user=Depends(get_current_admin_user), workspace_repo=Depends(get_repository(WorkspaceRepository)), resource_template_repo=Depends(get_repository(ResourceTemplateRepository)), operations_repo=Depends(get_repository(OperationRepository)), resource_history_repo=Depends(get_repository(ResourceHistoryRepository))) -> OperationInResponse:
     try:
-        # TODO: This requires Directory.ReadAll ( Application.Read.All ) to be enabled in the Azure AD application to enable a users workspaces to be listed. This should be made optional.
+        # TODO: This requires Directory.ReadAll ( Application.Read.All ) to be enabled in the Microsoft Entra Workforce ID application to enable a users workspaces to be listed. This should be made optional.
         auth_info = extract_auth_information(workspace_create.properties)
         workspace, resource_template = await workspace_repo.create_workspace_item(workspace_create, auth_info, user.id, user.roles)
     except (ValidationError, ValueError) as e:

diff --git a/api_app/schemas/azuread.json b/api_app/schemas/azuread.json
@@ -2,7 +2,7 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "$id": "https://github.com/microsoft/AzureTRE/schema/azuread.json",
     "type": "object",
-    "title": "Azure AD Authorisation Schema",
+    "title": "Microsoft Entra Workforce ID Authorisation Schema",
     "default": {},
     "required": [
     ],

diff --git a/cli/tre/commands/login.py b/cli/tre/commands/login.py
@@ -43,7 +43,7 @@ def login():
               + 'https://<id>.<location>.cloudapp.azure.com/')
 @click.option('--client-id',
               required=False,
-              help='The Client ID of the Azure AD application for the API (optional for API versions >= v0.5.7)')
+              help='The Client ID of the Microsoft Entra Workforce ID application for the API (optional for API versions >= v0.5.7)')
 @click.option('--aad-tenant-id',
               required=False,
               help='The Tenant ID for the AAD tenant to authenticate with (optional for API versions >= v0.5.7)')

diff --git a/core/terraform/variables.tf b/core/terraform/variables.tf
@@ -78,37 +78,37 @@ variable "enable_swagger" {
 
 variable "swagger_ui_client_id" {
   type        = string
-  description = "The client id (app id) of the registration in Azure AD for the Swagger UI"
+  description = "The client id (app id) of the registration in Microsoft Entra Workforce ID for the Swagger UI"
   sensitive   = true
 }
 
 variable "aad_tenant_id" {
   type        = string
-  description = "The tenant id of the Azure AD used for authentication."
+  description = "The tenant id of the Microsoft Entra Workforce ID used for authentication."
   sensitive   = true
 }
 
 variable "api_client_id" {
   type        = string
-  description = "The client id (app id) of the registration in Azure AD for the API."
+  description = "The client id (app id) of the registration in Microsoft Entra Workforce ID for the API."
   sensitive   = true
 }
 
 variable "api_client_secret" {
   type        = string
-  description = "A client secret used by the API to authenticate with Azure AD for access to Microsoft Graph."
+  description = "A client secret used by the API to authenticate with Microsoft Entra Workforce ID for access to Microsoft Graph."
   sensitive   = true
 }
 
 variable "application_admin_client_id" {
   type        = string
-  description = "The client id (app id) of the registration in Azure AD for creating AAD Applications."
+  description = "The client id (app id) of the registration in Microsoft Entra Workforce ID for creating AAD Applications."
   sensitive   = true
 }
 
 variable "application_admin_client_secret" {
   type        = string
-  description = "A client secret used by the Resource Processor to authenticate with Azure AD to create AAD Applications."
+  description = "A client secret used by the Resource Processor to authenticate with Microsoft Entra Workforce ID to create AAD Applications."
   sensitive   = true
 }
 

diff --git a/core/version.txt b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.9.6"
+__version__ = "0.9.7"
diff --git a/devops/scripts/aad/create_api_application.sh b/devops/scripts/aad/create_api_application.sh
@@ -11,15 +11,15 @@ function show_usage()
 
 Utility script for creating app registrations required by Azure TRE. This script will create the API and Client
 Applications. The Client Application is the public facing app, whereas the API is an internal AAD Application.
-You must be logged in using Azure CLI with sufficient privileges to modify Azure Active Directory to run this script.
+You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra Workforce ID to run this script.
 
 Usage: $0 -n <app-name> [-r <reply-url>] [-a] [-s] [--automation-account]
 
 Options:
     -n,--name                   Required. The prefix for the app (registration) names e.g., "TRE", or "Workspace One".
     -u,--tre-url                TRE URL, used to construct auth redirection URLs for the UI and Swagger app.
     -a,--admin-consent          Optional, but recommended. Grants admin consent for the app registrations, when this flag is set.
-                                Requires directory admin privileges to the Azure AD in question.
+                                Requires directory admin privileges to the Microsoft Entra Workforce ID in question.
     -t,--automation-clientid    Optional, when --workspace is specified the client ID of the automation account can be added to the TRE workspace.
     -r,--reset-password         Optional, switch to automatically reset the password. Default 0
 
@@ -102,7 +102,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show-
 msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
 tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id')
 
-echo -e "\e[96mCreating the API/UX Application in the \"${tenant}\" Azure AD tenant.\e[0m"
+echo -e "\e[96mCreating the API/UX Application in the \"${tenant}\" Microsoft Entra Workforce ID tenant.\e[0m"
 
 # Load in helper functions
 # shellcheck disable=SC1091

diff --git a/devops/scripts/aad/create_application_administrator.sh b/devops/scripts/aad/create_application_administrator.sh
@@ -11,14 +11,14 @@ function show_usage()
 Utility script for creating an application administrator for TRE. This is mandatory and is used
 to manage AAD Application creation within TRE. This script is called when you run "make auth" and
 the environment variable AUTO_WORKSPACE_APP_REGISTRATION determines the permission this identity has.
-You must be logged in using Azure CLI with sufficient privileges to modify Azure Active Directory to run this script.
+You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra Workforce ID to run this script.
 
 Usage: $0 --name "MYTRE" --application-permission "Application.ReadWrite.OwnedBy" [--admin-consent]
 
 Options:
     -n,--name                   Required. The prefix for the app (registration) names e.g., "TRE".
     -a,--admin-consent          Optional, but recommended. Grants admin consent for the app registrations, when this flag is set.
-                                Requires directory admin privileges to the Azure AD in question.
+                                Requires directory admin privileges to the Microsoft Entra Workforce ID in question.
     -p,--application-permission The API Permission that this identity will be granted.
     -r,--reset-password         Optional, switch to automatically reset the password. Default 0
 
@@ -85,7 +85,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show-
 msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
 tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id')
 
-echo -e "\e[96mCreating the Application Admin in the \"${tenant}\" Azure AD tenant.\e[0m"
+echo -e "\e[96mCreating the Application Admin in the \"${tenant}\" Microsoft Entra Workforce ID tenant.\e[0m"
 
 # Load in helper functions
 # shellcheck disable=SC1091

diff --git a/devops/scripts/aad/create_automation_administrator.sh b/devops/scripts/aad/create_automation_administrator.sh
@@ -10,7 +10,7 @@ function show_usage()
 
 Utility script for creating an automation administrator for TRE. This is optional and is used when you
 want to run the E2E tests locally or automatically register bundles in the TRE.
-You must be logged in using Azure CLI with sufficient privileges to modify Azure Active Directory to run this script.
+You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra Workforce ID to run this script.
 
 Usage: $0 --name "mytre" [--admin-consent]
 
@@ -70,7 +70,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show-
 msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
 tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id')
 
-echo -e "\e[96mCreating the Automation Admin in the \"${tenant}\" Azure AD tenant.\e[0m"
+echo -e "\e[96mCreating the Automation Admin in the \"${tenant}\" Microsoft Entra Workforce ID tenant.\e[0m"
 
 # Load in helper functions
 # shellcheck disable=SC1091

diff --git a/devops/scripts/aad/create_workspace_application.sh b/devops/scripts/aad/create_workspace_application.sh
@@ -10,7 +10,7 @@ function show_usage()
 
 Utility script for creating a workspace TRE. You would typically have one of these per workspace
 for a security boundary.
-You must be logged in using Azure CLI with sufficient privileges to modify Azure Active Directory to run this script.
+You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra Workforce ID to run this script.
 
 Usage: $0 [--admin-consent]
 
@@ -20,7 +20,7 @@ Options:
     -y,--application-admin-clientid Required. The client ID of the Application Administrator that will be able to update this application.
                                     e.g. updating a redirect URI.
     -a,--admin-consent              Optional, but recommended. Grants admin consent for the app registrations, when this flag is set.
-                                    Requires directory admin privileges to the Azure AD in question.
+                                    Requires directory admin privileges to the Microsoft Entra Workforce ID in question.
     -z,--automation-clientid        Optional, the client ID of the automation account can be added to the TRE workspace.
     -r,--reset-password             Optional, switch to automatically reset the password. Default 0
 
@@ -103,7 +103,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show-
 msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
 tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id')
 
-echo -e "\e[96mCreating a Workspace Application in the \"${tenant}\" Azure AD tenant.\e[0m"
+echo -e "\e[96mCreating a Workspace Application in the \"${tenant}\" Microsoft Entra Workforce ID tenant.\e[0m"
 
 # Load in helper functions
 # shellcheck disable=SC1091

diff --git a/devops/scripts/create_aad_assets.sh b/devops/scripts/create_aad_assets.sh
@@ -12,7 +12,7 @@ CHANGED_TENANT=0
 LOGGED_IN_TENANT_ID=$(az account show --query tenantId -o tsv)
 
 if [ "${LOGGED_IN_TENANT_ID}" != "${AAD_TENANT_ID}" ]; then
-  echo "Attempting to sign you onto ${AAD_TENANT_ID} to setup Azure Active Directory assets."
+  echo "Attempting to sign you onto ${AAD_TENANT_ID} to setup Microsoft Entra Workforce ID assets."
 
   # First we need to login to the AAD tenant (as it is different to the subscription tenant)
   az login --tenant "${AAD_TENANT_ID}" --allow-no-subscriptions --use-device-code

diff --git a/docs/azure-tre-overview/architecture.md b/docs/azure-tre-overview/architecture.md
@@ -8,7 +8,7 @@ All traffic has to be explicitly allowed by the Application Gateway or the Firew
 
 [![Architecture overview](../assets/archtecture-overview.png)](../assets/archtecture-overview.png)
 
-The Azure resources outside the network boundries of the Azure TRE are Azure Active Directory, Microsoft Graph and TRE Management. TRE Management are resources used during deployment.
+The Azure resources outside the network boundries of the Azure TRE are Microsoft Entra Workforce ID, Microsoft Graph and TRE Management. TRE Management are resources used during deployment.
 
 The Azure TRE core plane consists of two groups of components:
 

diff --git a/docs/index.md b/docs/index.md
@@ -20,7 +20,7 @@ Core features include:
 - Self-service for research teams – research tooling creation and administration
 - Package and repository mirroring
 - Extensible architecture - build your own service templates as required
-- Azure Active Directory integration
+- Microsoft Entra Workforce ID integration
 - Airlock
 - Cost reporting
 - Ready to workspace templates including:

diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md
@@ -1,8 +1,8 @@
 # Introduction to Authentication and Authorization
 
-[Azure Active Directory (AAD)](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. AAD holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role.
+[Microsoft Entra Workforce ID (AAD)](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. AAD holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role.
 
-It is common that the Azure Administrator is not necessarily the Azure Active Directory Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually.
+It is common that the Azure Administrator is not necessarily the Microsoft Entra Workforce ID Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually.
 
 This page describes the automated Auth setup for TRE.
 
@@ -15,7 +15,7 @@ The automation utilises a `make` command, which reads a few environment variable
 |AAD_TENANT_ID|The tenant id of where your AAD identities will be placed. This can be different to the tenant where your Azure resources are created.|
 | LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application.
 |AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other AAD applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md).
-|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Active Directory licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).
+|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra Workforce ID licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).
 
 ## Create Authentication assets
 You can build all of the Identity assets by running the following at the command line
@@ -38,16 +38,16 @@ The contents of your authentication section in `config.yaml` file should contain
   | `WORKSPACE_API_CLIENT_ID` | Each workspace is secured behind it's own AD Application|
   | `WORKSPACE_API_CLIENT_SECRET` | Each workspace is secured behind it's own AD Application. This is the secret for that application.|
 
-### Using a separate Azure Active Directory tenant
+### Using a separate Microsoft Entra Workforce ID tenant
 
 !!! caution
-    This section is only relevant it you are setting up a separate Azure Active Directory tenant for use.
-    This is only recommended for development environments when you don't have the required permissions to register applications in Azure Active Directory.
-    Using a separate Azure Active Directory tenant will prevent you from using certain Azure Active Directory integrated services.
-    For production deployments, work with your Azure Active Directory administrator to perform the required registration
+    This section is only relevant it you are setting up a separate Microsoft Entra Workforce ID tenant for use.
+    This is only recommended for development environments when you don't have the required permissions to register applications in Microsoft Entra Workforce ID.
+    Using a separate Microsoft Entra Workforce ID tenant will prevent you from using certain Microsoft Entra Workforce ID integrated services.
+    For production deployments, work with your Microsoft Entra Workforce ID administrator to perform the required registration
 
-1. Create an Azure Active Directory tenant
-    To create a new Azure Active Directory tenant, [follow the steps here](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant)
+1. Create an Microsoft Entra Workforce ID tenant
+    To create a new Microsoft Entra Workforce ID tenant, [follow the steps here](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant)
 
 1. Follow the steps outlined above. `make auth` should logon to the correct tenant. Make sure you logon back to the correct tenant before running `make all`.
 
@@ -72,7 +72,7 @@ We strongly recommend that you use `make auth` to create the AAD assets as this
 
 For a user to gain access to the system, they have to:
 
-1. Have an identity in Azure AD
+1. Have an identity in Microsoft Entra Workforce ID
 1. Be linked with an app registration and assigned a role
 
 When these requirements are met, the user can sign-in using their credentials and use their privileges to use the API, login to workspace environment etc. based on their specific roles.