Commit c745093

Merge pull request #311748 from msmbaldwin/security-entra-link-updates-feb2026
Update Azure AD links to Microsoft Entra across security fundamentals
2 parents b1a37fc + 8e4c3fb commit c745093

16 files changed

Lines changed: 115 additions & 115 deletions

articles/security/fundamentals/azure-domains.md

Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ This page is a partial list of the Azure domains in use. Some of them are REST A
1919
|Service |Subdomain |
2020
|---------|---------|
2121
|[Azure Access Control Service](https://azure.microsoft.com/blog/one-month-retirement-notice-access-control-service/) (retired)|*.accesscontrol.windows.net|
22-
|[Microsoft Entra ID](../../active-directory/fundamentals/active-directory-whatis.md)|*.graph.windows.net / *.onmicrosoft.com|
22+
|[Microsoft Entra ID](/entra/fundamentals/active-directory-whatis.md)|*.graph.windows.net / *.onmicrosoft.com|
2323
|[Azure API Management](https://azure.microsoft.com/services/api-management/)|*.azure-api.net|
2424
|[Azure BizTalk Services](https://azure.microsoft.com/pricing/details/biztalk-services/) (retired)|*.biztalk.windows.net|
2525
|[Azure Blob storage](../../storage/blobs/storage-blobs-introduction.md)|*.blob.core.windows.net|
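Review bot: the replacement link on line 22 keeps the `.md` extension on a root-relative path (`/entra/fundamentals/active-directory-whatis.md`), which differs from the other root-relative links already in this doc set, such as `/windows/security/threat-protection/microsoft-defender-atp/controlled-folders` and `/microsoft-365/security/office-365-security/safe-links`, none of which carry an extension. A relative `../../active-directory/...` path resolved to a file inside this repo, so the extension was harmless there; once the target lives in another repo the build cannot rewrite it, so please confirm the rendered page resolves `/entra/fundamentals/active-directory-whatis` and drop the `.md` if it does not.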

articles/security/fundamentals/backup-plan-to-protect-against-ransomware.md

Lines changed: 2 additions & 2 deletions
@@ -93,7 +93,7 @@ Ransomware can attack while you're planning for an attack so your first priority
9393

9494
In our experience, the five most important applications to customers fall into the following categories in this priority order:
9595

96-
- Identity systems – required for users to access any systems (including all others described below) such as Active Directory, [Microsoft Entra Connect](../../active-directory/hybrid/whatis-azure-ad-connect.md), AD domain controllers
96+
- Identity systems – required for users to access any systems (including all others described below) such as Active Directory, [Microsoft Entra Connect](/entra/identity/hybrid/whatis-azure-ad-connect.md), AD domain controllers
9797
- Human life – any system that supports human life or could put it at risk such as medical or life support systems, safety systems (ambulance, dispatch systems, traffic light control), large machinery, chemical/biological systems, production of food or personal products, and others
9898
- Financial systems – systems that process monetary transactions and keep the business operating, such as payment systems and related databases, financial system for quarterly reporting
9999
- Product or service enablement – any systems that are required to provide the business services or produce/deliver physical products that your customers pay you for, factory control systems, product delivery/dispatch systems, and similar
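Review bot: same extension concern as the other files in this PR: line 96 now links to `/entra/identity/hybrid/whatis-azure-ad-connect.md`, but every pre-existing root-relative link in this article (for example `/microsoft-365/security/office-365-security/exchange-online-protection-overview` on line 123) omits `.md`. Suggest `[Microsoft Entra Connect](/entra/identity/hybrid/whatis-azure-ad-connect)` unless the docs build has been verified to resolve the `.md` form across repos.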
@@ -117,7 +117,7 @@ Apply these best practices before an attack.
117117
| Protect (or print) supporting documents and systems required for recovery such as restoration procedure documents, CMDB, network diagrams, and SolarWinds instances. | Attackers deliberately target these resources because it impacts your ability to recover. |
118118
| Ensure you have well-documented procedures for engaging any third-party support, particularly support from threat intelligence providers, antimalware solution providers, and from the malware analysis provider. Protect (or print) these procedures. | Third-party contacts may be useful if the given ransomware variant has known weaknesses or decryption tools are available. |
119119
| Ensure backup and recovery strategy includes: <br><br>Ability to back up data to a specific point in time. <br><br>Multiple copies of backups are stored in isolated, offline (air-gapped) locations. <br><br>Recovery time objectives that establish how quickly backed up information can be retrieved and put into production environment. <br><br>Rapid restore of back up to a production environment/sandbox. | Backups are essential for resilience after an organization has been breached. Apply the 3-2-1 rule for maximum protection and availability: 3 copies (original + 2 backups), 2 storage types, and 1 offsite or cold copy. |
120-
| Protect backups against deliberate erasure and encryption: <br><br>Store backups in offline or off-site storage and/or immutable storage. <br><br>Require out of band steps (such as [MFA](../../active-directory/authentication/concept-mfa-howitworks.md) or a security PIN) before permitting an online backup to be modified or erased. <br><br>Create private endpoints within your Azure Virtual Network to securely back up and restore data from your Recovery Services vault. | Backups that are accessible by attackers can be rendered unusable for business recovery. <br><br>Offline storage ensures robust transfer of backup data without using any network bandwidth. Azure Backup supports [offline backup](../../backup/offline-backup-overview.md), which transfers initial backup data offline, without the use of network bandwidth. It provides a mechanism to copy backup data onto physical storage devices. The devices are then shipped to a nearby Azure datacenter and uploaded onto a [Recovery Services vault](../../backup/backup-azure-recovery-services-vault-overview.md). <br><br>Online immutable storage (such as [Azure Blob](../../storage/blobs/immutable-storage-overview.md)) enables you to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval. <br><br>[Multifactor authentication (MFA)](../../active-directory/authentication/concept-mfa-howitworks.md) should be mandatory for all admin accounts and is strongly recommended for all users. The preferred method is to use an authenticator app rather than SMS or voice where possible. When you set up Azure Backup you can configure your recovery services to enable MFA using a security PIN generated in the Azure portal. This ensures that a security pin is generated to perform critical operations such as updating or removing a recovery point. |
120+
| Protect backups against deliberate erasure and encryption: <br><br>Store backups in offline or off-site storage and/or immutable storage. <br><br>Require out of band steps (such as [MFA](/entra/identity/authentication/concept-mfa-howitworks.md) or a security PIN) before permitting an online backup to be modified or erased. <br><br>Create private endpoints within your Azure Virtual Network to securely back up and restore data from your Recovery Services vault. | Backups that are accessible by attackers can be rendered unusable for business recovery. <br><br>Offline storage ensures robust transfer of backup data without using any network bandwidth. Azure Backup supports [offline backup](../../backup/offline-backup-overview.md), which transfers initial backup data offline, without the use of network bandwidth. It provides a mechanism to copy backup data onto physical storage devices. The devices are then shipped to a nearby Azure datacenter and uploaded onto a [Recovery Services vault](../../backup/backup-azure-recovery-services-vault-overview.md). <br><br>Online immutable storage (such as [Azure Blob](../../storage/blobs/immutable-storage-overview.md)) enables you to store business-critical data objects in a WORM (Write Once, Read Many) state. This state makes the data non-erasable and non-modifiable for a user-specified interval. <br><br>[Multifactor authentication (MFA)](/entra/identity/authentication/concept-mfa-howitworks.md) should be mandatory for all admin accounts and is strongly recommended for all users. The preferred method is to use an authenticator app rather than SMS or voice where possible. When you set up Azure Backup you can configure your recovery services to enable MFA using a security PIN generated in the Azure portal. This ensures that a security pin is generated to perform critical operations such as updating or removing a recovery point. |
121121
| Designate [protected folders](/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). | Makes it more difficult for unauthorized applications to modify the data in these folders. |
122122
| Review your permissions: <br><br>Discover broad write/delete permissions on file shares, SharePoint, and other solutions. Broad is defined as many users having write/delete permissions for business-critical data. <br><br>Reduce broad permissions while meeting business collaboration requirements. <br><br>Audit and monitor to ensure broad permissions don’t reappear. | Reduces risk from broad access-enabling ransomware activities. |
123123
| Protect against a phishing attempt: <br><br>Conduct security awareness training regularly to help users identify a phishing attempt and avoid clicking on something that can create an initial entry point for a compromise. <br><br>Apply security filtering controls to email to detect and minimize the likelihood of a successful phishing attempt. | The most common method used by attackers to infiltrate an organization is phishing attempts via email. [Exchange Online Protection (EOP)](/microsoft-365/security/office-365-security/exchange-online-protection-overview) is the cloud-based filtering service that protects your organization against spam, malware, and other email threats. EOP is included in all Microsoft 365 organizations with Exchange Online mailboxes. <br><br>An example of a security filtering control for email is [Safe Links](/microsoft-365/security/office-365-security/safe-links). Safe Links is a feature in Defender for Office 365 that provides scanning and rewriting of URLs and links in email messages during inbound mail flow, and time-of-click verification of URLs and links in email messages and other locations (Microsoft Teams and Office documents). Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in EOP. Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks. <br><br>Learn more about [anti-phishing protection](/microsoft-365/security/office-365-security/tuning-anti-phishing). |
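Review bot: both MFA links in line 120 were updated consistently, which is good, but the line is being touched anyway and carries two small inconsistencies worth fixing in the same change: "security PIN" and "security pin" both appear in the same cell, and "out of band steps" should be hyphenated as "out-of-band steps" when used adjectivally. The `.md` suffix on `/entra/identity/authentication/concept-mfa-howitworks.md` also diverges from the extension-free root-relative links on lines 121 and 123 (`/windows/security/...`, `/microsoft-365/security/...`), so please confirm it resolves or remove it.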

articles/security/fundamentals/iaas.md

Lines changed: 2 additions & 2 deletions
@@ -24,7 +24,7 @@ In most infrastructure as a service (IaaS) scenarios, [Azure virtual machines (V
2424
To protect your VMs, ensure that only authorized users can set up new VMs and access existing VMs.
2525

2626
> [!NOTE]
27-
> To improve the security of Linux VMs on Azure, you can integrate with Microsoft Entra authentication. When you use [Microsoft Entra authentication for Linux VMs](../../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md), you centrally control and enforce policies that allow or deny access to the VMs.
27+
> To improve the security of Linux VMs on Azure, you can integrate with Microsoft Entra authentication. When you use [Microsoft Entra authentication for Linux VMs](/entra/identity/devices/howto-vm-sign-in-azure-ad-linux.md), you centrally control and enforce policies that allow or deny access to the VMs.
2828
2929
**Best practice**: Control VM access.
3030
**Detail**: Use [Azure policies](../../governance/policy/overview.md) to establish conventions for resources in your organization and create customized policies. Apply these policies to resources, such as [resource groups](../../azure-resource-manager/management/overview.md). VMs that belong to a resource group inherit its policies.
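Review bot: the new target on line 27, `/entra/identity/devices/howto-vm-sign-in-azure-ad-linux.md`, keeps a `.md` extension on a cross-repo root-relative link; the file's remaining relative links (`../../governance/policy/overview.md`, `../../azure-resource-manager/management/overview.md` on line 30) are in-repo and resolve by file, which the Entra path no longer does. Suggest dropping the extension unless the build has been confirmed to resolve it; the link text "Microsoft Entra authentication for Linux VMs" still matches the target page and needs no change.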
@@ -143,7 +143,7 @@ Encrypt your virtual hard disks (VHDs) to help protect your boot volume and data
143143
The following best practices help you use encryption at host:
144144

145145
**Best practice**: Enable encryption at host on VMs by default.
146-
**Detail**: Encryption at host is enabled by default for new VMs and provides transparent encryption by using platform-managed keys without requiring extra configuration. If you choose to use customer-managed keys, store them in Azure Key Vault or Azure Key Vault Managed HSM. Microsoft Entra authentication is required for access. For authentication purposes, you can use either client secret-based authentication or [client certificate-based Microsoft Entra authentication](../../active-directory/authentication/active-directory-certificate-based-authentication-get-started.md).
146+
**Detail**: Encryption at host is enabled by default for new VMs and provides transparent encryption by using platform-managed keys without requiring extra configuration. If you choose to use customer-managed keys, store them in Azure Key Vault or Azure Key Vault Managed HSM. Microsoft Entra authentication is required for access. For authentication purposes, you can use either client secret-based authentication or [client certificate-based Microsoft Entra authentication](/entra/identity/authentication/active-directory-certificate-based-authentication-get-started.md).
147147

148148
**Best practice**: When using customer-managed keys, use a key encryption key (KEK) for an extra layer of security for encryption keys.
149149
**Detail**: When using customer-managed keys, use the [Add-AzKeyVaultKey](/powershell/module/az.keyvault/add-azkeyvaultkey) cmdlet to create a key encryption key in Azure Key Vault or Managed HSM. You can also import a KEK from your on-premises hardware security module (HSM). For more information, see the [Key Vault documentation](/azure/key-vault/keys/hsm-protected-keys). When you specify a key encryption key, encryption at host uses that key to wrap the encryption secrets. Keeping an escrow copy of this key in an on-premises key management HSM offers extra protection against accidental deletion of keys.
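Review bot: line 146 now links to `/entra/identity/authentication/active-directory-certificate-based-authentication-get-started.md`, while the unchanged line 149 in the same section uses root-relative links without an extension (`/powershell/module/az.keyvault/add-azkeyvaultkey`, `/azure/key-vault/keys/hsm-protected-keys`). For consistency within this file, and because cross-repo links are resolved by URL rather than by file, suggest removing the trailing `.md` here as well.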
