Entra ID replacements and clearer wording of token

data-api-builder/TOC.yml

@@ -290,7 +290,7 @@
     - name: Authentication and authorization
       items:
         - name: Azure authentication
-          displayName: AAD, AD, Azure Active Directory, Microsoft Entra Identity, Entra ID
+          displayName: EntraId, AAD, AD, Azure Active Directory, Microsoft Entra ID
           href: authentication-azure.md
         - name: Local authentication
           href: authentication-local.md

data-api-builder/authentication-azure.md

@@ -23,7 +23,7 @@ The supported identity provider configuration options are:
 
 ## In Development (AZ Login)
 
-Using `Authentication='Active Directory Default'` in Azure SQL Database connection strings means the client will authenticate using Microsoft Entra credentials. The exact authentication method is determined by the environment. When a developer runs `az login`, the Azure CLI opens a browser window prompting the user to sign in with a Microsoft account or corporate credentials. Once authenticated, Azure CLI retrieves and caches the token linked to the Microsoft Entra identity. This token is then used to authenticate requests to Azure services without requiring credentials in the connection string.
+Using `Authentication='Active Directory Default'` in Azure SQL Database connection strings means the client will authenticate using Microsoft Entra credentials. The exact authentication method is determined by the environment. When a developer runs `az login`, the Azure CLI opens a browser window prompting the user to sign in with a Microsoft account or corporate credentials. Once authenticated, Azure CLI retrieves and caches the token linked to the identity in Microsoft Entra ID. This token is then used to authenticate requests to Azure services without requiring credentials in the connection string.
 
 ```json
 "data-source": {
@@ -57,7 +57,7 @@ To use the JWT provider, you need to configure the `runtime.host.authentication`
 
 ```json
 "authentication": {
-    "provider": "AzureAD",
+    "provider": "EntraId",
     "jwt": {
         "audience": "<APP_ID>",
         "issuer": "https://login.microsoftonline.com/<AZURE_AD_TENANT_ID>/v2.0"
@@ -75,7 +75,7 @@ Requests can also be made without being authenticated. In such cases, the reques
 
 ## X-MS-API-ROLE request header
 
-Data API builder requires the header `X-MS-API-ROLE` to authorize requests using custom roles. The value of `X-MS-API-ROLE` must match a role specified in the token. For example, if the token has the role **Sample.Role**, then X-MS-API-ROLE should also be **Sample.Role**. For more information, see [authorization user roles](./authorization.md#user-roles).
+Data API builder requires the header `X-MS-API-ROLE` to authorize requests using custom roles. The value of `X-MS-API-ROLE` must match a role specified in the access token's `roles` claim. For example, if the access token has the role **Sample.Role**, then `X-MS-API-ROLE` should also be **Sample.Role**. For more information, see [authorization user roles](./authorization.md#user-roles).
 
 ## Related content
 

data-api-builder/authorization.md

@@ -109,7 +109,7 @@ When a client app sends an authenticated request to Data API builder [deployed u
 
 ```json
 {
-  "identityProvider": "azuread",
+  "identityProvider": "EntraId",
   "userId": "d75b260a64504067bfc5b2905e3b8182",
   "userDetails": "username",
   "userRoles": ["anonymous", "authenticated", "author"]

data-api-builder/overview.md

@@ -24,7 +24,8 @@ ms.date: 06/11/2025
   :::column-end:::
 :::row-end:::
 
-Data API builder is designed for developers. DAB features a cross-platform CLI, Open Telemetry, and Health Checks with native OpenAPI, Swagger for REST endpoints, and Nitro (previously called Banana Cake Pop) for GraphQL endpoints. Its stateless, Docker-friendly container can be secured with EasyAuth, Microsoft Entra Identity, or any JSON Web Token (JWT) server an enterprise chooses. It has a flexible policy engine, granular security controls, and automatically passes claims data to the SQL session context.
+Data API builder is designed for developers. Data API builder features a cross-platform CLI, native OpenAPI, Swagger for REST endpoints, and Banana Cake Pop for GraphQL endpoints. Its stateless, Docker-friendly container can be secured with EasyAuth, Microsoft Entra ID, or any JSON Web Token (JWT) server an enterprise chooses. It has a flexible policy engine, granular security controls, and automatically passes claims data to the SQL session context.
+
 
 Data API builder (DAB) supports multiple backend data sources simultaneously, including relational and NoSQL sources. DAB also integrates seamlessly with Application Insights. The configuration file can reflect relationships in the database or define new, virtual ones with support for hot reloading. GraphQL endpoints allow multiple nested Create statements within a single transaction, while REST endpoints feature in-memory caching and rich support for OData-like query string keywords.
 
@@ -56,7 +57,7 @@ This diagram breaks down the relationship between all of the components of the D
 - Support for relational tables, views, and stored procedures
 - Support multiple, simultaneous data sources
 - Support for authentication via OAuth2/JWT
-- Support for EasyAuth and Microsoft Entra Identity
+- Support for EasyAuth and Microsoft Entra ID
 - Role-based authorization using received claims
 - Item-level security via policy expressions
 - REST endpoints

data-api-builder/reference-command-line-interface.md

@@ -259,7 +259,7 @@ dab configure --runtime.rest.enabled true
 | runtime.<br/>host.mode                                                  | <nobr>--runtime.host.mode</nobr>                                   | String: `Development`, `Production` Default: `Development` | ❌ | Set the host running mode of DAB in Development or Production. |
 | runtime.<br/>host.cors.origins                                          | <nobr>--runtime.host.cors.origins</nobr>                           | Array of strings | ✅ | Use this to Overwrite Allowed Origins in CORS. Default: [] (Space separated array of strings). |
 | runtime.<br/>host.cors.allow-credentials                                | <nobr>--runtime.host.cors.allow-credentials</nobr>                 | Boolean: `true`, `false` (default: `false`) | ✅ | Set value for Access-Control Allow-Credentials header in --host.cors.allow-credentials . |
-| runtime.<br/>host.authentication.provider                               | <nobr>--runtime.host.authentication.provider</nobr>                | String: `StaticWebApps`, `AppService`, `AzureAD`, `Jwt` | ✅ | Configure the name of authentication provider. Default: `StaticWebApps`. |
+| runtime.<br/>host.authentication.provider                               | <nobr>--runtime.host.authentication.provider</nobr>                | String: `StaticWebApps`, `AppService`, `EntraId`, `Jwt` | ✅ | Configure the name of authentication provider. Default: `StaticWebApps`. |
 | runtime.<br/>host.authentication.jwt.audience                           | <nobr>--runtime.host.authentication.jwt.audience</nobr>            | Array of strings | ✅ | Use this to Configure the intended recipient(s) of the Jwt Token. |
 | runtime.<br/>host.authentication.jwt.issuer                             | <nobr>--runtime.host.authentication.jwt.issuer</nobr>              | String    | ✅       | This refers to the entity that issued the Jwt Token. |
 | runtime.<br/>cache.enabled                                              | <nobr>--runtime.cache.enabled</nobr>                               | Boolean: `true`, `false` (default: `false`) | ✅ | Enable/Disable DAB's cache globally. (You must also enable each entity's cache separately.). |

data-api-builder/reference-configuration.md

@@ -1434,7 +1434,7 @@ The `authentication.provider` setting within the `host` configuration defines th
 |-|-|
 | `StaticWebApps` | Instructs Data API builder to look for a set of HTTP headers only present when running within a Static Web Apps environment. |
 | `AppService` | When the runtime is hosted in Azure AppService with AppService Authentication enabled and configured (EasyAuth). |
-| `AzureAd` | Microsoft Entra Identity needs to be configured so that it can authenticate a request sent to Data API builder (the "Server App"). For more information, see [Microsoft Entra ID authentication](authentication-azure-ad.md). |
+| `EntraId` | Microsoft Entra ID needs to be configured so that it can authenticate a request sent to Data API builder (the "Server App"). For more information, see [Microsoft Entra ID authentication](authentication-azure-ad.md). |
 | `Simulator` | A configurable authentication provider that instructs the Data API builder engine to treat all requests as authenticated. For more information, see [local authentication](local-authentication.md). |
 
 #### Format
@@ -1459,7 +1459,7 @@ Here's a list of allowed values for this property:
 |-|-|
 | **`StaticWebApps`** | Azure Static Web Apps |
 | **`AppService`** | Azure App Service |
-| **`AzureAD`** | Microsoft Entra ID |
+| **`EntraId`** (formerly **`AzureAd`**) | Microsoft Entra ID |
 | **`Simulator`** | Simulator |
 
 ### JSON Web Tokens (Host runtime)
@@ -1470,13 +1470,13 @@ Here's a list of allowed values for this property:
 |-|-|-|-|-|
 | `runtime.host.authentication` | `jwt` | object | ❌ No | None |
 
-If the authentication provider is set to `AzureAD` (Microsoft Entra ID), then this section is required to specify the audience and issuers for the JSOn Web Tokens (JWT) token. This data is used to validate the tokens against your Microsoft Entra tenant.
+If the authentication provider is set to `EntraId` (Microsoft Entra ID), then this section is required to specify the audience and issuers for the JSOn Web Tokens (JWT) token. This data is used to validate the tokens against your Microsoft Entra tenant.
 
-Required if the authentication provider is `AzureAD` for Microsoft Entra ID. This section must specify the `audience` and `issuer` to validate the received JWT token against the intended `AzureAD` tenant for authentication.
+Required if the authentication provider is `EntraId` for Microsoft Entra ID. This section must specify the `audience` and `issuer` to validate the received JWT token against the intended `EntraId` tenant for authentication.
 
 | Setting | Description |
 |-|-|
-| audience | Identifies the intended recipient of the token; typically the application's identifier registered in Microsoft Entra Identity (or your identity provider), ensuring that the token was indeed issued for your application. |
+| audience | Identifies the intended recipient of the token; typically the application's identifier registered in Microsoft Entra ID (or your identity provider), ensuring that the token was indeed issued for your application. |
 | issuer | Specifies the issuing authority's URL, which is the token service that issued the JWT. This URL should match the identity provider's issuer URL from which the JWT was obtained, validating the token's origin. |
 
 #### Format
@@ -1506,7 +1506,7 @@ Required if the authentication provider is `AzureAD` for Microsoft Entra ID. Thi
 
 #### Examples
 
-The Data API builder (DAB) offers flexible authentication support, integrating with Microsoft Entra Identity and custom JSON Web Token (JWT) servers. In this image, the **JWT Server** represents the authentication service that issues JWT tokens to clients upon successful sign-in. The client then passes the token to DAB, which can interrogate its claims and properties.
+The Data API builder (DAB) offers flexible authentication support, integrating with Microsoft Entra ID and custom JSON Web Token (JWT) servers. In this image, the **JWT Server** represents the authentication service that issues JWT tokens to clients upon successful sign-in. The client then passes the token to DAB, which can interrogate its claims and properties.
 
 ![Diagram of JSON web tokens support in Data API builder.](media/jwt-server.png)
 
@@ -1565,7 +1565,7 @@ Authentication is delegated to a supported identity provider where access token
    "credentials": true
   },
   "authentication": {
-   "provider": "AzureAD",
+   "provider": "EntraId",
    "jwt": {
     "audience": "c123d456-a789-0abc-a12b-3c4d56e78f90",
     "issuer": "https://login.microsoftonline.com/98765f43-21ba-400c-a5de-1f2a3d4e5f6a/v2.0"

data-api-builder/whats-new/version-0.md

@@ -564,7 +564,7 @@ query ($id: ID, $partitionKeyValue: String) {
 - Authentication details such as the provider, audience, and issuer can be configured using the options `--auth.provider`, `--auth.audience`, and `--auth.issuer.` in the `init` command. A sample command is shown in this sample:
 
   ```bash
-  dab init --database-type mssql --auth.provider AzureAD --auth.audience "audience" --auth.issuer "issuer"
+  dab init --database-type mssql --auth.provider EntraId --auth.audience "audience" --auth.issuer "issuer"
   ```
 
 - User friendly error messaging when the entity name isn't specified.

data-api-builder/whats-new/version-1-5.md

@@ -146,4 +146,4 @@ These metrics improve visibility into runtime behavior and lay the foundation fo
 
 DAB originally used the `AzureAd` enum to configure Azure Active Directory. Microsoft has since renamed it to Entra ID.
 
-This release introduces `EntraId` as the preferred value. The old enum (`AzureAd`) still works for backward compatibility, but `EntraId` aligns with current branding.
+This release introduces `EntraId` as the preferred value. The old enum (`AzureAd`) still works for backward compatibility, but `EntraId` aligns with current branding.