
Commit 7247da6

Merge pull request #308657 from aatsang/entraid-release-clean
Entraid release clean
2 parents b903103 + bc7f550 commit 7247da6

6 files changed

Lines changed: 50 additions & 6 deletions


articles/bastion/bastion-connect-vm-rdp-windows.md

Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,9 @@ This article shows you how to securely and seamlessly create an RDP connection t
1717

1818
Azure Bastion provides secure connectivity to all of the VMs in the virtual network in which it's provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH. For more information, see [What is Azure Bastion?](bastion-overview.md)
1919

20+
> [!NOTE]
21+
> Entra ID authentication for RDP connections is now available in public preview! See [Microsoft Entra ID](#microsoft-entra-id-authentication-preview) for details.
22+
2023
## Prerequisites
2124

2225
Before you begin, verify that you've met the following criteria:
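
Review bot: the link fragment on added line 21, `#microsoft-entra-id-authentication-preview`, is generated from the heading text "Microsoft Entra ID authentication (Preview)" added at line 41, so it breaks as soon as that heading drops "(Preview)". The same fragment is linked from secure-bastion.md, vm-about.md and whats-new.md in this commit. Consider an explicit anchor in the style bastion-overview.md already uses (`<a name="sku"></a>`) and link to that instead. The note text also says "Entra ID" while the link text and section heading say "Microsoft Entra ID"; pick one form.
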
@@ -35,6 +38,40 @@ Before you begin, verify that you've met the following criteria:
3538
* Reader role on the Azure Bastion resource.
3639
* Reader role on the virtual network of the target virtual machine (if the Bastion deployment is in a peered virtual network).
3740

41+
## Microsoft Entra ID authentication (Preview)
42+
43+
> [!NOTE]
44+
> Microsoft Entra ID Authentication support for RDP connections within the portal is only supported for Windows VMs. For SSH connections to Linux VMs, see [Connect to a Linux VM using SSH](bastion-connect-vm-ssh-linux.md#microsoft-entra-id-authentication).
45+
46+
If the following prerequisites are met, Microsoft Entra ID becomes the default option to connect to your VM. If any prerequisite is not met, Microsoft Entra ID will not be presented as a Connection Method. To learn more about Entra ID authentication for Azure machines, see [Enable Microsoft Entra sign in for a Windows virtual machine in Azure or Arc-enabled Windows Server](/entra/identity/devices/howto-vm-sign-in-azure-ad-windows#enable-microsoft-entra-sign-in-for-a-windows-virtual-machine-in-azure-or-arc-enabled-windows-server)
47+
48+
Prerequisites:
49+
50+
* **AADLoginForWindows** extension should be enabled on the VM. Microsoft Entra ID Login can be enabled during VM creation by checking the box for **Login with Microsoft Entra ID** or by adding the **AADLogin** extension to a pre-existing VM.
51+
52+
* One of the following required roles should be configured on the VM for the user:
53+
54+
* **Virtual Machine Administrator Login**: This role is necessary if you want to sign in with administrator privileges.
55+
* **Virtual Machine User Login**: This role is necessary if you want to sign in with regular user privileges.
56+
57+
Use the following steps to authenticate using Microsoft Entra ID.
58+
59+
1. To authenticate using Microsoft Entra ID, configure the following settings.
60+
61+
| Setting | Description |
62+
|------------------------|-----------------------------------------------------------------------------|
63+
| **Connection Settings**| Only available for SKUs higher than the Basic SKU. |
64+
| **Protocol** | Select RDP. |
65+
| **Port** | Specify the port number. |
66+
| **Authentication type**| Select **Microsoft Entra ID (Preview)** from the dropdown. |
67+
68+
1. To work with the VM in a new browser tab, select **Open in new browser tab**.
69+
70+
1. Click **Connect** to connect to the VM.
71+
72+
Limitations
73+
* RDP + Entra ID authentication support in the portal cannot be used concurrently with graphical session recording.
74+
3875
### Ports
3976

4077
To connect to the Windows VM, you must have the following ports open on your Windows VM:
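
Review bot: the first prerequisite (added line 50) names the extension two ways, **AADLoginForWindows** and then **AADLogin**, without saying whether they are the same thing. Line 46 says an unmet prerequisite removes Microsoft Entra ID from the connection methods instead of raising an error, so this list is all the reader has to troubleshoot with; use one extension name throughout. The role bullets (lines 54-55) should say that the role is assigned to the connecting user and suggest **Virtual Machine User Login** unless administrator access is actually needed. "Limitations" on line 72 is plain text, so make it a heading or bold, and the **Port** row could point to the Ports section that follows.
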

articles/bastion/bastion-overview.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,9 @@ Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtua
2020

2121
|Benefit |Description|
2222
|-----------|-----------|
23+
|Session recording on VM sessions| Azure Bastion Premium allows for [graphical session recording](session-recording.md) of all sessions connected through the Bastion, stored in a customer-designated storage container, and viewed within the Bastion resource|
2324
|RDP and SSH through the Azure portal|You can get to the RDP and SSH session directly in the Azure portal using a single-click seamless experience.|
25+
|Entra ID authentication support| Azure Bastion supports Entra ID authentication for the portal and through native client. This allows for identity-based authentication to the VM, eliminating the need for local authentication methods.
2426
|Remote Session over TLS and firewall traversal for RDP/SSH|Azure Bastion uses an HTML5 based web client that is automatically streamed to your local device. Your RDP/SSH session is over TLS on port 443. This enables the traffic to traverse firewalls more securely. Bastion supports TLS 1.2. Older TLS versions aren't supported.|
2527
|No Public IP address required on the Azure VM| Azure Bastion opens the RDP/SSH connection to your Azure VM by using the private IP address on your VM. You don't need a public IP address on your virtual machine.|
2628
|No hassle of managing Network Security Groups (NSGs)| You don't need to apply any NSGs to the Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This removes the hassle of managing NSGs each time you need to securely connect to your virtual machines. For more information about NSGs, see [Network Security Groups](../virtual-network/network-security-groups-overview.md#security-rules).|
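
Review bot: the added row on line 25 ("Entra ID authentication support") has no closing `|`, unlike the rows around it, so close the row. Its claim that this eliminates "the need for local authentication methods" is broader than what the rest of this commit documents: RDP in the portal is in preview, Windows-only, and cannot be combined with graphical session recording. Qualify the sentence or link to the per-protocol articles. The session recording row on line 23 is also missing its final period.
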
@@ -30,6 +32,8 @@ Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtua
3032
|Protection against zero-day exploits |The Azure platform protects against zero-day exploits by keeping the Azure Bastion hardened and always up to date for you.|
3133

3234
## <a name="sku"></a>SKUs
35+
> [!NOTE]
36+
> Bastion Premium SKU is now generally available, providing graphical session recording and private only deployment capabilities.
3337
3438
Azure Bastion offers multiple SKU tiers. The following table shows features and corresponding SKUs. For more information about SKUs, see the [Configuration settings](configuration-settings.md#skus) article.
3539
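
Review bot: the note added at lines 35-36 says the Premium SKU is "now generally available", but whats-new.md in this same commit dates that to June 2024, so "now" already reads as stale; state the capability without the announcement wording or drop the note. It also follows the `## SKUs` heading with no blank line between them.
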

@@ -71,10 +75,6 @@ For more information, see the [Configuration settings](configuration-settings.md
7175

7276
Azure Bastion pricing is a combination of hourly pricing based on SKU and instances (scale units), plus data transfer rates. Hourly pricing starts from the moment Bastion is deployed, regardless of outbound data usage. For the latest pricing information, see the [Azure Bastion pricing](https://azure.microsoft.com/pricing/details/azure-bastion) page.
7377

74-
## <a name="new"></a>What's new?
75-
76-
Subscribe to the RSS feed and view the latest Azure Bastion feature updates on the [Azure Updates](https://azure.microsoft.com/updates?filters=%5B%22Azure+Bastion%22%5D) page.
77-
7878
## Bastion FAQ
7979

8080
For frequently asked questions, see the Bastion [FAQ](bastion-faq.md).
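
Review bot: removing the "What's new?" section (old lines 74-77) also removes the `<a name="new"></a>` anchor, so any existing link to `bastion-overview.md#new` will land at the top of the page. Check inbound links before merging, and consider pointing readers from the overview to whats-new.md, which this commit updates.
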

articles/bastion/secure-bastion.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,8 @@ ai-usage: ai-assisted
1515
Azure Bastion is a fully managed platform-as-a-service (PaaS) that provides secure and seamless RDP and SSH connectivity to virtual machines directly in the Azure portal over TLS. Because Bastion acts as a critical gateway to your virtual networks and VMs, securing your deployment is essential to protect your infrastructure from unauthorized access and network threats.
1616

1717
This article provides guidance on how to best secure your Azure Bastion deployment.
18+
> [!NOTE]
19+
> Entra ID authentication for RDP connections is now available in public preview! See [Microsoft Entra ID](bastion-connect-vm-rdp-windows.md#microsoft-entra-id-authentication-preview) for details.
1820
1921
## Network security
2022
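
Review bot: on a hardening page, the preview announcement added at lines 18-19 omits the trade-off documented elsewhere in this commit: Entra ID authentication for RDP in the portal cannot be used concurrently with graphical session recording. A reader choosing controls from this article needs that stated here, not only in session-recording.md. The note also follows the preceding paragraph with no blank line.
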

articles/bastion/session-recording.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,8 +22,9 @@ The following sections outline considerations, limitations, and prerequisites fo
2222
**Considerations and limitations**
2323

2424
* The Premium SKU is required for this feature.
25+
* Entra ID support for RDP sessions in portal cannot be used concurrently with graphical session recording at this time.
2526
* Session recording isn't available via native client at this time.
26-
* Immutabale storage policies must not be present
27+
* Immutable storage policies must not be present
2728
* Session recording supports one container/storage account at a time.
2829
* Changing storage containers while a session is active may cause disruptions to the session.
2930
* Blob versioning on the recordings must not be present
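
Review bot: the limitation added on line 25 does not say what happens when a deployment has session recording enabled and a user tries Entra ID authentication for an RDP session in the portal: which of the two becomes unavailable? bastion-connect-vm-rdp-windows.md says the connection method is not presented when a prerequisite is unmet, so state whether that applies here and link to that section. The corrected "Immutable storage policies must not be present" bullet on line 27 still lacks the period that most neighbouring bullets carry.
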

articles/bastion/vm-about.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,8 @@ ms.author: abell
1616
The sections in this article show you various features and settings that are available when you connect to a VM using Azure Bastion.
1717

1818
## <a name="connect"></a>Connect to a VM
19+
> [!NOTE]
20+
> Entra ID authentication for RDP connections is now available in public preview! See [Microsoft Entra ID](bastion-connect-vm-rdp-windows.md#microsoft-entra-id-authentication-preview) for details.
1921
2022
You can use various different methods to connect to a target VM. Some connection types require Bastion to be configured with the Standard SKU. Use the following articles to connect.
2123
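
Review bot: this is the third verbatim copy of the preview note in this commit (also in bastion-connect-vm-rdp-windows.md and secure-bastion.md), so three files need editing when the preview ends; a shared include would keep them in step. Here the note sits directly under the `## Connect to a VM` heading with no blank line.
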

articles/bastion/whats-new.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,9 @@ You can also find the latest Bastion updates and subscribe to the RSS feed [here
2323

2424
| Type | Name | Description | Date added | Limitations |
2525
|---|---|---|---|---|
26-
|Feature | [Graphical session recording](session-recording.md) | Graphical session recording is now generally available in all regions that Bastion is available in. | November 2024 | Can't currently be used with native client.
26+
|Feature|[Microsoft Entra ID support for portal (RDP)](bastion-connect-vm-rdp-windows.md#microsoft-entra-id-authentication-preview)|Microsoft Entra ID support for RDP connections in portal is now in public preview in public cloud. |November 2025|Cannot be used concurrently with graphical session recording.|
27+
|Feature |[Connectivity to AKS private clusters](bastion-connect-to-aks-private-cluster.md)|Connect to your private AKS clusters using the tunneling command with Bastion|August 2025|N/A|
28+
|Feature | [Graphical session recording](session-recording.md) | Graphical session recording is now generally available in all regions that Bastion is available in. | November 2024 | Cannot be used concurrently with native client.
2729
| Feature | [Private Only Bastion](private-only-deployment.md)| Private Only Bastion is now generally available in all regions that Bastion is available in.| November 2024 | N/A|
2830
| SKU | [Bastion Premium SKU](bastion-overview.md#sku)| Bastion Premium SKU is now generally available in all regions that Bastion is available in. | June 2024 | N/A|
2931
| Feature | [Microsoft Entra ID support for portal (SSH)](bastion-connect-vm-ssh-linux.md#microsoft-entra-id-authentication) |Microsoft Entra ID support for SSH connections in portal is now GA. | November 2024 | N/A|
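
Review bot: the re-added "Graphical session recording" row (line 28) changes the limitation from "Can't currently be used with native client." to "Cannot be used concurrently with native client.", which implies recording works with native client at other times; session-recording.md in this commit says session recording "isn't available via native client at this time". Keep the original meaning. The row is still missing its closing `|`, and the new rows mix `|Feature|`, `|Feature |` and `| Feature |` cell spacing.
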
