Merge branch 'production' into sthorpe-ra-title-and-update-updates

.github/CODEOWNERS

@@ -4,17 +4,17 @@
 
 # More dev-specific files
 
-/.github/ @kodster28 @pedrosousa @haleycode @kristianfreeman @GregBrimble @KianNH @maxvp @marciocloudflare
+/.github/ @kodster28 @pedrosousa @haleycode @kristianfreeman @GregBrimble @KianNH @maxvp @marciocloudflare @WalshyDev
 /.github/CODEOWNERS @cloudflare/pcx-technical-writing
 /.github/actions/assign-issue/index.js @cloudflare/pcx-technical-writing
 /.github/actions/assign-pr/index.js @cloudflare/pcx-technical-writing
 /.github/styles/cloudflare/spelling-exceptions.txt @cloudflare/pcx-technical-writing
-/src/components/ @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @marciocloudflare @haleycode @maxvp @GregBrimble @KianNH
-/functions/ @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @marciocloudflare @maxvp @GregBrimble @KianNH
-*.js @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @maxvp @marciocloudflare @GregBrimble @KianNH
-*.ts @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @maxvp @marciocloudflare @GregBrimble @KianNH
+/src/components/ @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @marciocloudflare @haleycode @maxvp @GregBrimble @KianNH @WalshyDev
+/functions/ @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @marciocloudflare @maxvp @GregBrimble @KianNH @WalshyDev
+*.js @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @maxvp @marciocloudflare @GregBrimble @KianNH @WalshyDev
+*.ts @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @maxvp @marciocloudflare @GregBrimble @KianNH @WalshyDev
 /src/content/workers-ai-models/ @kodster28 @craigsdennis @pedrosousa @cloudflare/pcx-technical-writing
-/public/_redirects @GregBrimble @KianNH @kodster28 @pedrosousa @cloudflare/pcx-technical-writing
+/public/_redirects @GregBrimble @KianNH @kodster28 @pedrosousa @WalshyDev @cloudflare/pcx-technical-writing
 
 # AI
 

astro.config.mjs

@@ -146,6 +146,7 @@ export default defineConfig({
 			},
 			sidebar: await autogenSections(),
 			customCss: [
+				"./src/asides.css",
 				"./src/headings.css",
 				"./src/input.css",
 				"./src/kbd.css",

public/_redirects

@@ -1180,8 +1180,14 @@
 /turnstile/concepts/widget-types/ /turnstile/concepts/widget/ 301
 
 # waf
-/waf/about/file-scanning/ /waf/about/content-scanning/ 301
-/waf/about/waf-ml/ /waf/about/waf-attack-score/ 301
+/waf/about/ /waf/concepts/ 301
+/waf/about/content-scanning/ /waf/detections/malicious-uploads/ 301
+/waf/about/content-scanning/get-started/ /waf/detections/malicious-uploads/get-started/ 301
+/waf/about/content-scanning/example-rules/ /waf/detections/malicious-uploads/example-rules/ 301
+/waf/about/content-scanning/api-calls/ /waf/detections/malicious-uploads/api-calls/ 301
+/waf/about/file-scanning/ /waf/detections/malicious-uploads/ 301
+/waf/about/waf-attack-score/ /waf/detections/attack-score/ 301
+/waf/about/waf-ml/ /waf/detections/attack-score/ 301
 /waf/alerts/ /waf/reference/alerts/ 301
 /waf/custom-rules/custom-firewall/ /waf/custom-rules/ 301
 /waf/custom-rules/custom-firewall/create-api/ /waf/custom-rules/create-api/ 301
@@ -1523,6 +1529,7 @@
 /cloudflare-one/analytics/access/ /cloudflare-one/insights/analytics/access/ 301
 /cloudflare-one/analytics/gateway/ /cloudflare-one/insights/analytics/gateway/ 301
 /cloudflare-one/analytics/users/ /cloudflare-one/insights/logs/users/ 301
+/cloudflare-one/api-terraform/access-api-examples/azure-group/ /cloudflare-one/api-terraform/access-api-examples/entra-group/ 301
 /cloudflare-one/applications/non-http/arbitrary-tcp/ /cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/ 301
 /cloudflare-one/connections/connect-apps/configuration/ /cloudflare-one/connections/connect-networks/configure-tunnels/ 301
 /cloudflare-one/connections/connect-apps/install-and-setup/setup/ /cloudflare-one/connections/connect-networks/get-started/ 301
@@ -1601,6 +1608,7 @@
 /cloudflare-one/identity/devices/require-gateway/ /cloudflare-one/identity/devices/warp-client-checks/require-gateway/ 301
 /cloudflare-one/identity/devices/require-warp/ /cloudflare-one/identity/devices/warp-client-checks/require-warp/ 301
 /cloudflare-one/identity/devices/sentinel-one/ /cloudflare-one/identity/devices/warp-client-checks/sentinel-one/ 301
+/cloudflare-one/identity/idp-integration/azuread/ /cloudflare-one/identity/entra-id/ 301
 /cloudflare-one/identity/idp-integration/one-time-pin/ /cloudflare-one/identity/one-time-pin/ 301
 /cloudflare-one/identity/idp-integration/saml-centrify/ /cloudflare-one/identity/idp-integration/centrify-saml/ 301
 /cloudflare-one/identity/idp-integration/ping-saml/ /cloudflare-one/identity/idp-integration/pingfederate-saml/ 301
@@ -1630,6 +1638,8 @@
 /support/traffic/argo-tunnel/ /cloudflare-one/connections/connect-networks/ 301
 /support/traffic/argo-tunnel/exposing-applications-running-on-microsoft-azure-with-cloudflare-argo-tunnel/ /cloudflare-one/connections/connect-apps/deployment-guides/azure/ 301
 /cloudflare-docs/content/cloudflare-one/tutorials/area-1/ /cloudflare-one/applications/configure-apps/saas-apps/area-1/ 301
+/cloudflare-docs/content/cloudflare-one/tutorials/azuread-conditional-access/ /cloudflare-docs/content/cloudflare-one/tutorials/entra-id-conditional-access/ 301
+/cloudflare-docs/content/cloudflare-one/tutorials/azuread-risky-users/ /cloudflare-docs/content/cloudflare-one/tutorials/entra-id-risky-users/ 301
 /cloudflare-one/tutorials/zendesk-sso-saas/ /cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas/ 301
 /cloudflare-one/tutorials/docusign-access/ /cloudflare-one/applications/configure-apps/saas-apps/docusign-access/ 301
 /cloudflare-one/tutorials/hubspot-saas/ /cloudflare-one/applications/configure-apps/saas-apps/hubspot-saas/ 301

src/asides.css

@@ -0,0 +1,36 @@
+.starlight-aside {
+	border: unset;
+	border-radius: 4px;
+
+	&.starlight-aside--note {
+		background-color: rgb(236, 244, 255);
+	}
+
+	&.starlight-aside--caution {
+		background-color: rgb(255, 248, 228);
+
+	}
+
+	.starlight-aside__title {
+		margin-left: 30px;
+
+		svg {
+			margin-left: -30px;
+		}
+	}
+
+	.starlight-aside__content {
+		margin-top: unset;
+		margin-left: 30px;
+	}
+}
+
+:root[data-theme="dark"] {
+	.starlight-aside--note {
+		background-color: rgb(0, 28, 67);
+	}
+
+	.starlight-aside--caution {
+		background-color: rgb(98, 73, 10);
+	}
+}

src/components/overrides/Sidebar.astro

@@ -86,6 +86,7 @@ async function handleGroup(group: Group): Promise<SidebarEntry> {
 
 	group.label = frontmatter.sidebar.group?.label ?? frontmatter.title;
 	group.order = frontmatter.sidebar.order ?? Number.MAX_VALUE;
+	group.badge = frontmatter.sidebar.group?.badge;
 
 	if (frontmatter.hideChildren) {
 		return {
@@ -205,20 +206,46 @@ const lookupProductTitle = async (slug: string) => {
 
 <style is:global>
 	:root {
-		a[aria-current="page"] {
-			background-color: var(--sidebar-blue-accent-600) !important;
-			border: 1px solid !important;
-			border-color: var(--blue-accent-900) !important;
-			color: var(--sidebar-blue-text) !important;
+		.sidebar-content {
+			--sl-color-hairline-light: #cacaca !important;
+
+			& > * {
+				a {
+					padding: 0.2375em var(--sl-sidebar-item-padding-inline) !important;
+
+					&[aria-current="page"] {
+						background-color: unset !important;
+						border: unset !important;
+						border-color: unset !important;
+						color: var(--sl-color-accent) !important;
+						font-weight: 600 !important;
+					}
+				}
+
+				summary {
+					padding: 0.1375em var(--sl-sidebar-item-padding-inline) !important;
+				}
+
+				.large {
+					color: var(--sl-color-gray-2) !important;
+					font-weight: unset !important;
+					font-size: unset !important;
+
+					@media (min-width: 50rem) {
+						font-size: var(--sl-text-sm) !important;
+					}
+				}
+
+				.caret {
+					font-size: 1rem !important;
+				}
+			}
 		}
 	}
 
 	:root[data-theme="dark"] {
-		a[aria-current="page"] {
-			background-color: var(--sidebar-orange-accent-600) !important;
-			border: 1px solid !important;
-			border-color: var(--orange-accent-200) !important;
-			color: var(--sl-color-white) !important;
+		.sidebar-content {
+			--sl-color-hairline-light: #444444 !important;
 		}
 	}
 </style>

src/content/changelogs/security-center.yaml

@@ -12,3 +12,7 @@ entries:
   - publish_date: "2024-09-19"
     description: |-
       - Customers can now create a `security.txt` file file to provide the security research team with a standardized way to report vulnerabilities. 
+
+  - publish_date: "2024-09-23"
+    description: |-
+      - Customers can now export all matches from a saved query. Select your **Query name** > select the three dots > **Export matches**.

src/content/changelogs/waf-general.yaml

@@ -10,8 +10,8 @@ entries:
   - publish_date: "2024-08-29"
     title: Fixed occasional attack score mismatches
     description: |-
-      Fixed an issue causing score mismatches between the global [WAF attack score](/waf/about/waf-attack-score/) and subscores. In certain cases, subscores were higher (not an attack) than expected while the global attack score was lower than expected (attack), leading to false positives.
+      Fixed an issue causing score mismatches between the global [WAF attack score](/waf/detections/attack-score/) and subscores. In certain cases, subscores were higher (not an attack) than expected while the global attack score was lower than expected (attack), leading to false positives.
   - publish_date: "2024-05-23"
     title: Improved detection capabilities
     description: |-
-      [WAF attack score](/waf/about/waf-attack-score/) now automatically detects and decodes Base64 and JavaScript (Unicode escape sequences) in HTTP requests. This update is available for all customers with access to WAF attack score (Business customers with access to a single field and Enterprise customers).
+      [WAF attack score](/waf/detections/attack-score/) now automatically detects and decodes Base64 and JavaScript (Unicode escape sequences) in HTTP requests. This update is available for all customers with access to WAF attack score (Business customers with access to a single field and Enterprise customers).

src/content/docs/cloudflare-one/api-terraform/access-api-examples/entra-group.mdx

@@ -0,0 +1,22 @@
+---
+type: example
+summary: Allow members of a Microsoft Entra group. The ID is the group UUID (`id`) in Microsoft Entra ID.
+tags:
+  - Microsoft Entra Group
+title: Microsoft Entra Group
+pcx_content_type: example
+sidebar:
+  order: 4
+description: Allow members of a Microsoft Entra group. The ID is the group UUID (`id`) in Microsoft Entra ID.
+---
+
+Allow members of a Microsoft Entra group. The ID is the group UUID (`id`) in Microsoft Entra ID:
+
+```json
+{
+	"azureAD": {
+		"id": "86773093-5feb-48dd-814b-7ccd3676ff50",
+		"identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"
+	}
+}
+```

src/content/docs/cloudflare-one/api-terraform/access-api-examples/github-org.mdx

@@ -2,20 +2,19 @@
 type: example
 summary: Allow members of a specific GitHub organization.
 tags:
-  - GitHub™ Organization
+  - GitHub Organization
 title: GitHub™ Organization
 pcx_content_type: example
 sidebar:
   order: 4
 description: Allow members of a specific GitHub organization.
-
 ---
 
 ```json
 {
-  "github-organization": {
-    "name": "cloudflare",
-    "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"
-  }
+	"github-organization": {
+		"name": "cloudflare",
+		"identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"
+	}
 }
 ```

src/content/docs/cloudflare-one/api-terraform/access-api-examples/gsuite-group.mdx

@@ -2,20 +2,19 @@
 type: example
 summary: Allow members of a specific G Suite group.
 tags:
-  - G Suite® Group
-title: G Suite® Group
+  - G Suite Group
+title: G Suite Group
 pcx_content_type: example
 sidebar:
   order: 4
 description: Allow members of a specific G Suite group.
-
 ---
 
 ```json
 {
-  "gsuite": {
-    "email": "admins@mycompanygsuite.com",
-    "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"
-  }
+	"gsuite": {
+		"email": "admins@mycompanygsuite.com",
+		"identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"
+	}
 }
 ```

src/content/docs/cloudflare-one/api-terraform/access-api-examples/okta-group.mdx

@@ -2,20 +2,19 @@
 type: example
 summary: Allow members of an Okta Group.
 tags:
-  - Okta® Group
-title: Okta® Group
+  - Okta Group
+title: Okta Group
 pcx_content_type: example
 sidebar:
   order: 4
 description: Allow members of an Okta Group.
-
 ---
 
 ```json
 {
-  "okta": {
-    "name": "admins",
-    "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"
-  }
+	"okta": {
+		"name": "admins",
+		"identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"
+	}
 }
 ```

src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx

@@ -45,7 +45,7 @@ Obtain the following URLs from your SaaS application account:
 
 :::note[IdP groups]
 
-If you are using Okta, AzureAD, Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user's associated groups as attribute values.
+If you are using Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user's associated groups as attribute values.
 :::
 
 11. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application.

src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx

@@ -8,7 +8,7 @@ sidebar:
     text: New
 ---
 
-import { Badge, Details, Tabs, TabItem, Render } from "~/components"
+import { Badge, Details, Tabs, TabItem, Render } from "~/components";
 
 Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases in your private network. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach.
 
@@ -37,13 +37,14 @@ Access for Infrastructure is available in early access and currently only suppor
 ### Selectors
 
 The following [Access policy selectors](/cloudflare-one/policies/access/#selectors) are available for securing infrastructure applications:
+
 - Email
 - Emails ending in
 - SAML group
 - Country
 - Authentication method
 - Device posture
-- Azure group, GitHub organization, Google Workspace group, Okta group
+- Entra group, GitHub organization, Google Workspace group, Okta group
 
 ## 4. Configure the server
 
@@ -63,8 +64,6 @@ To connect to targets that are in different VNETS, users will need to [switch th
 If a user is connected to a target in VNET-A and needs to connect to a target in VNET-B, switching their VNET will not break any existing connections to targets within VNET-A. At present, connections are maintained between VNETs.
 :::
 
-
 ## Revoke a user's session
 
 To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/identity/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.
-

src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions.mdx

@@ -3,10 +3,9 @@ pcx_content_type: how-to
 title: WARP sessions
 sidebar:
   order: 12
-
 ---
 
-import { Render, Badge } from "~/components"
+import { Render, Badge } from "~/components";
 
 Cloudflare Zero Trust enforces WARP client reauthentication on a per-application basis, unlike legacy VPNs which treat it as a global setting. You can configure WARP session timeouts for your [Access applications](#configure-warp-sessions-in-access) or as part of your [Gateway policies](#configure-warp-sessions-in-gateway).
 
@@ -52,10 +51,10 @@ If the user has an active browser session with the IdP, WARP will use the existi
 
 ### Supported IdPs
 
-* [Azure AD](/cloudflare-one/identity/idp-integration/azuread/#force-user-interaction-during-warp-reauthentication)
+- [Microsoft Entra ID](/cloudflare-one/identity/idp-integration/entra-id/#force-user-interaction-during-warp-reauthentication)
 
 ## Limitations
 
-* **Only one user per device** — If a device is already registered with User A, User B will not be able to log in on that device through the re-authentication flow. To switch the device registration to a different user, User A must first log out from Zero Trust (if [Allow device to leave organization](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#allow-device-to-leave-organization) is enabled), or an admin can revoke the registration from **My Team** > **Devices**. User B can then properly [enroll](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/).
-* **Active connections are not terminated** — Active sessions such as SSH and RDP will remain connected beyond the timeout limit.
-* **Binding Cookie is not supported** - WARP authentication will not work for Access applications that have the [Binding Cookie](/cloudflare-one/identity/authorization-cookie/#binding-cookie) enabled.
+- **Only one user per device** — If a device is already registered with User A, User B will not be able to log in on that device through the re-authentication flow. To switch the device registration to a different user, User A must first log out from Zero Trust (if [Allow device to leave organization](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#allow-device-to-leave-organization) is enabled), or an admin can revoke the registration from **My Team** > **Devices**. User B can then properly [enroll](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/).
+- **Active connections are not terminated** — Active sessions such as SSH and RDP will remain connected beyond the timeout limit.
+- **Binding Cookie is not supported** - WARP authentication will not work for Access applications that have the [Binding Cookie](/cloudflare-one/identity/authorization-cookie/#binding-cookie) enabled.