diff --git a/cspell.json b/cspell.json
index ebb62e70107..178b0f9483d 100644
--- a/cspell.json
+++ b/cspell.json
@@ -40,6 +40,7 @@
"distroless",
"dockerfiles",
"dylib",
+ "entra",
"ESRP",
"evented",
"exfiltrate",
diff --git a/documentation/compatibility/9.0/README.md b/documentation/compatibility/9.0/README.md
new file mode 100644
index 00000000000..6af76be3460
--- /dev/null
+++ b/documentation/compatibility/9.0/README.md
@@ -0,0 +1,15 @@
+# Breaking Changes in 9.0
+
+If you are migrating your usage to `dotnet monitor` 9.0, the following changes might affect you. Changes are grouped together by areas within the tool.
+
+## Changes
+
+| Area | Title | Introduced |
+|--|--|--|
+| Configuration | [`TenantId` is now required when configuring Azure Active Directory authentication](#configuration-azure-active-directory-authentication) | RC 2 |
+
+## Details
+
+### Configuration: Azure Active Directory Authentication
+
+When using Azure Active Directory (Entra ID) for authentication, setting the `TenantId` option is now **required**. See [Azure Active Directory Authentication Configuration](../../configuration/azure-ad-authentication-configuration.md#configuration-options) for more details.
diff --git a/documentation/compatibility/README.md b/documentation/compatibility/README.md
index 390dc4e2138..7f3ecfecb3e 100644
--- a/documentation/compatibility/README.md
+++ b/documentation/compatibility/README.md
@@ -2,3 +2,4 @@
- [Breaking Changes in 7.0](./7.0/README.md)
- [Breaking Changes in 8.0](./8.0/README.md)
+- [Breaking Changes in 9.0](./9.0/README.md)
diff --git a/documentation/configuration/azure-ad-authentication-configuration.md b/documentation/configuration/azure-ad-authentication-configuration.md
index 604b6e30917..f4680adc5b8 100644
--- a/documentation/configuration/azure-ad-authentication-configuration.md
+++ b/documentation/configuration/azure-ad-authentication-configuration.md
@@ -6,15 +6,19 @@ Azure Active Directory authentication must be configured before `dotnet monitor`
## Configuration Options
+> [!NOTE]
+> Starting in 9.0 RC 2, the `TenantId` option is now **required**.
+
| Name | Type | Required | Description |
|---|---|---|---|
| ClientId | string | true | The unique application (client) id assigned to the app registration in Azure Active Directory. |
| RequiredRole | string | true | The role required to be able to authenticate. |
| AppIdUri | uri | false | The App ID URI of the app registration. Defaults to `api://{ClientId}` if not specified. |
| Instance | uri | false | Specifies the Azure cloud instance users are signing in from. Can be either the Azure public cloud or one of the national clouds. Defaults to the Azure public cloud (`https://login.microsoftonline.com`). |
-| TenantId | string | false | The tenant id of the Azure Active Directory tenant, or its tenant domain. Defaults to `organizations`. |
+| TenantId (9.0 RC 2+) | string | true | The tenant id of the Azure Active Directory tenant. |
+| TenantId | string | false | The tenant id of the Azure Active Directory tenant. Defaults to `organizations`. |
-A minimal configuration requires setting just the `ClientId` and `RequiredRole`.
+A minimal configuration requires setting just the `TenantId`, `ClientId`, and `RequiredRole`.
### Example Configuration
@@ -25,6 +29,7 @@ A minimal configuration requires setting just the `ClientId` and `RequiredRole`.
{
"Authentication": {
"AzureAd": {
+ "TenantId": "6f565143-0d4c-4e44-a35b-974e4b2f78a0",
"ClientId": "5eaf6ccc-e8c1-47c6-a68c-a6453172c655",
"RequiredRole": "Application.Access"
}
@@ -37,6 +42,7 @@ A minimal configuration requires setting just the `ClientId` and `RequiredRole`.
Kubernetes ConfigMap
```yaml
+ Authentication__AzureAd__TenantId: "6f565143-0d4c-4e44-a35b-974e4b2f78a0"
Authentication__AzureAd__ClientId: "5eaf6ccc-e8c1-47c6-a68c-a6453172c655"
Authentication__AzureAd__RequiredRole: "Application.Access"
```
@@ -46,6 +52,8 @@ A minimal configuration requires setting just the `ClientId` and `RequiredRole`.
Kubernetes Environment Variables
```yaml
+ - name: DotnetMonitor_Authentication__AzureAd__TenantId
+ value: "6f565143-0d4c-4e44-a35b-974e4b2f78a0"
- name: DotnetMonitor_Authentication__AzureAd__ClientId
value: "5eaf6ccc-e8c1-47c6-a68c-a6453172c655"
- name: DotnetMonitor_Authentication__AzureAd__RequiredRole