diff --git a/website/docs/docs/cloud/git/setup-azure.md b/website/docs/docs/cloud/git/setup-azure.md
index c6213b49453..f54bb752937 100644
--- a/website/docs/docs/cloud/git/setup-azure.md
+++ b/website/docs/docs/cloud/git/setup-azure.md
@@ -12,15 +12,13 @@ sidebar_label: "Set up Azure DevOps"
To use our native integration with Azure DevOps in dbt Cloud, an account admin needs to set up an Microsoft Entra ID app. We recommend setting up a separate [Entra ID application than used for SSO](/docs/cloud/manage-access/set-up-sso-microsoft-entra-id).
1. [Register an Entra ID app](#register-a-microsoft-entra-id-app).
-2. [Add permissions to your new app](#add-permissions-to-your-new-app).
-3. [Add another redirect URI](#add-another-redirect-uri).
-4. [Connect Azure DevOps to your new app](#connect-azure-devops-to-your-new-app).
-5. [Add your Entra ID app to dbt Cloud](#add-your-azure-ad-app-to-dbt-cloud).
+2. [Connect Azure DevOps to your new app](#connect-azure-devops-to-your-new-app).
+3. [Add your Entra ID app to dbt Cloud](#add-your-azure-ad-app-to-dbt-cloud).
-Once the Microsoft Entra ID app is added to dbt Cloud, an account admin must also [connect a service user](/docs/cloud/git/setup-azure#connect-a-service-user) via OAuth, which will be used to power headless actions in dbt Cloud such as deployment runs and CI.
+Once the Microsoft Entra ID app is added to dbt Cloud, an account admin must also connect a [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser), which will be used to power headless actions in dbt Cloud such as deployment runs and CI.
-Once the Microsoft Entra ID app is added to dbt Cloud and the service user is connected, then dbt Cloud developers can personally authenticate in dbt Cloud from Azure DevOps. For more on this, see [Authenticate with Azure DevOps](/docs/cloud/git/authenticate-azure).
+Once the Microsoft Entra ID app is added to dbt Cloud and the service principal is connected, then dbt Cloud developers can personally authenticate in dbt Cloud from Azure DevOps. For more on this, see [Authenticate with Azure DevOps](/docs/cloud/git/authenticate-azure).
The following personas are required to complete the steps on this page:
- Microsoft Entra ID admin
@@ -38,46 +36,17 @@ A Microsoft Entra ID admin needs to perform the following steps:
4. Provide a name for your app. We recommend using, "dbt Labs Azure DevOps app".
5. Select **Accounts in any organizational directory (Any Entra ID directory - Multitenant)** as the Supported Account Types.
Many customers ask why they need to select Multitenant instead of Single tenant, and they frequently get this step wrong. Microsoft considers Azure DevOps (formerly called Visual Studio) and Microsoft Entra ID as separate tenants, and in order for this Entra ID application to work properly, you must select Multitenant.
-6. Add a redirect URI by selecting **Web** and, in the field, entering `https://YOUR_ACCESS_URL/complete/azure_active_directory`, replacing `YOUR_ACCESS_URL` with the [appropriate Access URL](/docs/cloud/about-cloud/access-regions-ip-addresses) for your region and plan.
-7. Click **Register**.
-
-
+6. Click **Register**.
Here's what your app should look like before registering it:
-
-## Add permissions to your new app
-
-An Entra ID admin needs to provide your new app access to Azure DevOps:
-
-1. Select **API permissions** in the left navigation panel.
-2. Remove the **Microsoft Graph / User Read** permission.
-3. Click **Add a permission**.
-4. Select **Azure DevOps**.
-5. Select the **user_impersonation** permission. This is the only permission available for Azure DevOps.
-
-
-
-## Add another redirect URI
-
-A Microsoft Entra ID admin needs to add another redirect URI to your Entra ID application. This redirect URI will be used to authenticate the service user for headless actions in deployment environments.
-
-1. Navigate to your Microsoft Entra ID application.
-
-2. Select the link next to **Redirect URIs**
-3. Click **Add URI** and add the URI, replacing `YOUR_ACCESS_URL` with the [appropriate Access URL](/docs/cloud/about-cloud/access-regions-ip-addresses) for your region and plan:
-`https://YOUR_ACCESS_URL/complete/azure_active_directory_service_user`
-4. Click **Save**.
-
-
-
## Create a client secret
A Microsoft Entra ID admin needs to complete the following steps:
-1. Navigate to your Microsoft Entra ID application.
+1. Navigate to **Microsoft Entra ID**, click **App registrations**, and click on your app.
2. Select **Certificates and Secrets** from the left navigation panel.
3. Select **Client secrets** and click **New client secret**
4. Give the secret a description and select the expiration time. Click **Add**.
@@ -89,39 +58,84 @@ An Azure admin will need one of the following permissions in both the Microsoft
- Azure Service Administrator
- Azure Co-administrator
-If your Azure DevOps account is connected to Entra ID, then you can proceed to [Connect a service user](#connect-a-service-user). However, if you're just getting set up, connect Azure DevOps to the Microsoft Entra ID app you just created:
+:::note
-1. From your Azure DevOps account, select **Organization settings** in the bottom left.
-2. Navigate to Microsoft Entra ID.
-3. Click **Connect directory**.
-4. Select the directory you want to connect.
-5. Click **Connect**.
+You can only add a managed identity or service principal for the tenant to which your organization is connected. You need to add a directory to your organization so that it can access all the service principals and other identities.
+Navigate to **Organization settings** --> **Microsoft Entra** --> **Connect Directory** to connect.
-
+:::
-## Add your Microsoft Entra ID app to dbt Cloud
+1. From your Azure DevOps account organization screen, click **Organization settings** in the bottom left.
+2. Under **General** settings, click **Users**.
+3. Click **Add users**, and in the resulting panel, enter the service principal's name in the first field. Then, click the name when it appears below the field.
+4. In the **Add to projects** field, click the boxes for any projects you want to include (or select all).
+5. Set the **Azure DevOps Groups** to **Project Administrator**.
-A dbt Cloud account admin needs to perform the following steps.
+
-Once you connect your Microsoft Entra ID app and Azure DevOps, you need to provide dbt Cloud information about the app:
+## Configure the Entra ID connection
+There are two connection methods currently available for dbt Cloud and Azure DevOps:
+- **Service principal** (recommended): Create an application connection via client ID and secret for unattended authentication.
+- **Service user** (legacy): Create a user that will authenticate the connection with username and password. This configuration should be avoided.
-1. Navigate to your account settings in dbt Cloud.
-2. Select **Integrations**.
-3. Scroll to the Azure DevOps section.
-4. Complete the form:
- - **Azure DevOps Organization:** Must match the name of your Azure DevOps organization exactly. Do not include the `dev.azure.com/` prefix in this field. ✅ Use `my-devops-org` ❌ Avoid `dev.azure.com/my-devops-org`
- - **Application (client) ID:** Found in the Microsoft Entra ID app.
- - **Client Secrets:** Copy the **Value** field in the Microsoft Entra ID app client secrets and paste it in the **Client Secret** field in dbt Cloud. Entra ID admins are responsible for the Entra ID app secret expiration and dbt Admins should note the expiration date for rotation.
- - **Directory(tenant) ID:** Found in the Microsoft Entra ID app.
-
+
-Your Microsoft Entra ID app should now be added to your dbt Cloud Account. People on your team who want to develop in the dbt Cloud IDE or dbt Cloud CLI can now personally [authorize Azure DevOps from their profiles](/docs/cloud/git/authenticate-azure).
+
+
+## Create a service principal
+
+The application's service principal represents the Entra ID application object. Whereas a service user represents a real user in Azure with an Entra ID (and an applicable license), the service principal is a secure identity used by an application to access Azure resources unattended. The service principal authenticates with a client ID and secret rather than a username and password (or any other form of user auth). Service principals are the [Microsoft recommended method](https://learn.microsoft.com/en-us/entra/architecture/secure-service-accounts#types-of-microsoft-entra-service-accounts) for authenticating apps.
+
+### Add a role to the Service Principal
+
+In your Azure account:
+
+1. Navigate to **Subscriptions** and click on the appropriate subscription name for the application environment.
+2. From the left-side menu of the subscription window, click **Access control (IAM)**.
+3. From the top menu, click **Add** and select **Add role assignment** from the dropdown.
+
+
+
+4. In the **Role** tab, select a role with appropriate permissions to assign the service principal.
+5. Click the **Members** tab. You must set **Assign access to** to **User, group, or service principal**.
+6. Click **Select members** and search for your app name in the window. Once it appears, click your app, which will appear in the **Selected members** section. Click **Select** at the bottom to save your selection.
+
+
+
+5. Confirm the correct details and click **Review + assign**.
+
-## Connect a service user
+Navigate back to the **App registrations** screen and click the app. On the left menu, click **Roles and administrators**, and you will see the app role assignment.
-Because Azure DevOps forces all authentication to be linked to a user's permissions, we recommend an Azure DevOps admin create a "service user" in Azure DevOps whose permissions will be used to power headless actions in dbt Cloud such as dbt Cloud project repo selection, deployment runs, and CI. A service user is a pseudo user set up in the same way an admin would set up a real user, but it's given permissions specifically scoped for service to service interactions. You should avoid linking authentication to a real Azure DevOps user because if this person leaves your organization, dbt Cloud will lose privileges to the dbt Azure DevOps repositories, causing production runs to fail.
+### Migrate to service principal
+
+If your dbt Cloud app does not have a service principal, take the following actions in your Azure account:
+
+1. Navigate to **Microsoft Entra ID**.
+2. Under **Manage** on the left-side menu, click **App registrations**.
+3. Click the app for the dbt Cloud and Azure DevOps integration.
+4. Locate the **Managed application in local directory** field and click **Create Service Principal**.
+
+
+
+5. Follow the instructions in [Add role to service principal](#add-a-role-to-the-service-principal) if the app doesn't already have them assigned.
+6. In dbt Cloud, navigate to **Account settings** --> **Integrations** and edit the **Azure DevOps** integration.
+7. Click the **Service principal** option, fill out the fields, and click **Save**. The services will continue to function uninterrupted.
+
+
+
+
+
+
+:::important
+
+Service users are no longer a recommended method for authentication and accounts using them should [migrate](#migrate-to-service-principal) to Entra ID [service principals](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals) in the future. Service prinicpals are the [Microsoft recommended service account type](https://learn.microsoft.com/en-us/entra/architecture/secure-service-accounts#types-of-microsoft-entra-service-accounts) for app authentication.
+
+:::
+
+An Azure DevOps admin can create a "service user (not recommended)" in Azure DevOps whose permissions will be used to power headless actions in dbt Cloud such as dbt Cloud project repo selection, deployment runs, and CI. A service user is a pseudo user set up in the same way an admin would set up a real user, but it's given permissions specifically scoped for service to service interactions. You should avoid linking authentication to a real Azure DevOps user because if this person leaves your organization, dbt Cloud will lose privileges to the dbt Azure DevOps repositories, causing production runs to fail.
:::info Service user authentication expiration
dbt Cloud will refresh the authentication for the service user on each run triggered by the scheduler, API, or CI. If your account does not have any active runs for over 90 days, an admin will need to manually refresh the authentication of the service user by disconnecting and reconnecting the service user's profile via the OAuth flow described above in order to resume headless interactions like project set up, deployment runs, and CI.
@@ -393,3 +407,25 @@ These tokens are limited to the following [scopes](https://learn.microsoft.com/e
- `vso.project`: Grants the ability to read projects and teams.
- `vso.build_execute`: Grants the ability to access build artifacts, including build results, definitions, and requests, and the ability to queue a build, update build properties, and the ability to receive notifications about build events with service hooks.
:::
+
+
+
+
+## Add your Microsoft Entra ID app to dbt Cloud
+
+A dbt Cloud account admin must take the following actions.
+
+Once you connect your Microsoft Entra ID app and Azure DevOps, you need to provide dbt Cloud information about the app:
+
+1. Navigate to your account settings in dbt Cloud.
+2. Select **Integrations**.
+3. Scroll to the Azure DevOps section.
+4. Complete the form:
+ - **Azure DevOps Organization:** Must match the name of your Azure DevOps organization exactly. Do not include the `dev.azure.com/` prefix in this field. ✅ Use `my-devops-org` ❌ Avoid `dev.azure.com/my-devops-org`
+ - **Application (client) ID:** Found in the Microsoft Entra ID app.
+ - **Client Secrets:** Copy the **Value** field in the Microsoft Entra ID app client secrets and paste it in the **Client Secret** field in dbt Cloud. Entra ID admins are responsible for the Entra ID app secret expiration and dbt Admins should note the expiration date for rotation.
+ - **Directory(tenant) ID:** Found in the Microsoft Entra ID app.
+
+ - **Redirect URI (Service users only)**: Copy this field to **Redirect URIs** field in your Entra ID app.
+
+Your Microsoft Entra ID app should now be added to your dbt Cloud Account. People on your team who want to develop in the dbt Cloud IDE or dbt Cloud CLI can now personally [authorize Azure DevOps from their profiles](/docs/cloud/git/authenticate-azure).
diff --git a/website/docs/docs/cloud/manage-access/auth0-migration.md b/website/docs/docs/cloud/manage-access/auth0-migration.md
index 2f45ad7dcc8..f961201e153 100644
--- a/website/docs/docs/cloud/manage-access/auth0-migration.md
+++ b/website/docs/docs/cloud/manage-access/auth0-migration.md
@@ -19,6 +19,12 @@ Alternatively, you can start the process from the **Settings** page in the **Sin
+There are two fields in these settings that you will need for the migration:
+- **Single sign-on URL:** This will be in the format of your login URL `https:///login/callback?connection=`
+- **Audience URI (SP Entity ID):** This will be in the format `urn:auth0::`
+
+Replace `` with your accounts login slug.
+
Once you have opted to begin the migration process, the following steps will vary depending on the configured identity provider. You can just skip to the section that's right for your environment. These steps only apply to customers going through the migration; new setups will use the existing [setup instructions](/docs/cloud/manage-access/sso-overview).
:::warning Login \{slug\}
@@ -30,17 +36,19 @@ After changing the slug, admins must share the new login URL with their dbt Clou
:::
-## SAML 2.0 and Okta
+## SAML 2.0
SAML 2.0 users must update a few fields in the SSO app configuration to match the new Auth0 URL and URI. You can approach this by editing the existing SSO app settings or creating a new one to accommodate the Auth0 settings. One approach isn't inherently better, so you can choose whichever works best for your organization.
-The fields that will be updated are:
-- Single sign-on URL — `https:///login/callback?connection={slug}`
-- Audience URI (SP Entity ID) — `urn:auth0::{slug}`
+### SAML 2.0 and Okta
+
+The Okta fields that will be updated are:
+- Single sign-on URL — `https:///login/callback?connection=`
+- Audience URI (SP Entity ID) — `urn:auth0::`
Below are sample steps to update. You must complete all of them to ensure uninterrupted access to dbt Cloud and you should coordinate with your identity provider admin when making these changes.
-1. Replace `{slug}` with your organization’s login slug. It must be unique across all dbt Cloud instances and is usually something like your company name separated by dashes (for example, `dbt-labs`).
+1. Replace `` with your organization’s login slug. It must be unique across all dbt Cloud instances and is usually something like your company name separated by dashes (for example, `dbt-labs`).
Here is an example of an updated SAML 2.0 setup in Okta.
@@ -56,39 +64,37 @@ Here is an example of an updated SAML 2.0 setup in Okta.
4. Save the settings and test the new configuration using the SSO login URL provided on the settings page.
-## Google Workspace
+### SAML 2.0 and Entra ID
-Google Workspace admins updating their SSO APIs with the Auth0 URL won't have to do much if it is an existing setup. This can be done as a new project or by editing an existing SSO setup. No additional scopes are needed since this is migrating from an existing setup. All scopes were defined during the initial configuration.
+The Entra ID fields that will be updated are:
+- Single sign-on URL — `https:///login/callback?connection=`
+- Audience URI (SP Entity ID) — `urn:auth0::`
-Below are steps to update. You must complete all of them to ensure uninterrupted access to dbt Cloud and you should coordinate with your identity provider admin when making these changes.
+The new values for these fields can be found in dbt Cloud by navigating to **Account settting** --> **Single sign-on**.
-1. Open the [Google Cloud console](https://console.cloud.google.com/) and select the project with your dbt Cloud single sign-on settings. From the project page **Quick Access**, select **APIs and Services**
-
-
-
-2. Click **Credentials** from the left side pane and click the appropriate name from **OAuth 2.0 Client IDs**
-
-
+1. Replace `` with your organization’s login slug. It must be unique across all dbt Cloud instances and is usually something like your company name separated by dashes (for example, `dbt-labs`).
-3. In the **Client ID for Web application** window, find the **Authorized Redirect URIs** field and click **Add URI** and enter `https:///login/callback`.
+2. Locate your dbt Cloud SAML2.0 app in the **Enterprise applications** section of Azure. Click **Single sign-on** on the left side menu.
-Click **Save** once you are done.
+3. Edit the **Basic SAML configuration** tile and enter the values from your account:
+ - Entra ID **Identifier (Entity ID)** = dbt Cloud **Audience URI (SP Entity ID)**
+ - Entra ID **Reply URL (Assertion Consumer Service URL)** = dbt Cloud **Single sign-on URL**
-
+
-4. _You will need a person with Google Workspace admin privileges to complete these steps in dbt Cloud_. In dbt Cloud, navigate to the **Account Settings**, click on **Single Sign-on**, and then click **Edit** on the right side of the SSO pane. Toggle the **Enable New SSO Authentication** option and select **Save**. This will trigger an authorization window from Google that will require admin credentials. _The migration action is final and cannot be undone_. Once the authentication has gone through, test the new configuration using the SSO login URL provided on the settings page.
+4. Save the fields and the completed configuration will look something like this:
-:::warning Domain authorization
+
-You must complete the domain authorization before you toggle `Enable New SSO Authentication`, or the migration will not complete successfully.
+3. Toggle the `Enable new SSO authentication` option to ensure the traffic is routed correctly. _The new SSO migration action is final and cannot be undone_
-:::
+
-
+4. Save the settings and test the new configuration using the SSO login URL provided on the settings page.
## Microsoft Entra ID
-Microsoft Entra ID admins will need to make a slight adjustment to the existing authentication app in the Azure portal. This migration does not require that the entire app be deleted or recreated; you can edit the existing app. Start by opening the Azure portal and navigating to the Microsoft Entra ID overview.
+Microsoft Entra ID admins using OpenID Connect (ODIC) will need to make a slight adjustment to the existing authentication app in the Azure portal. This migration does not require that the entire app be deleted or recreated; you can edit the existing app. Start by opening the Azure portal and navigating to the Microsoft Entra ID overview.
Below are steps to update. You must complete all of them to ensure uninterrupted access to dbt Cloud and you should coordinate with your identity provider admin when making these changes.
@@ -113,3 +119,32 @@ You must complete the domain authorization before you toggle `Enable New SSO Aut
:::
+
+## Google Workspace
+
+Google Workspace admins updating their SSO APIs with the Auth0 URL won't have to do much if it is an existing setup. This can be done as a new project or by editing an existing SSO setup. No additional scopes are needed since this is migrating from an existing setup. All scopes were defined during the initial configuration.
+
+Below are steps to update. You must complete all of them to ensure uninterrupted access to dbt Cloud and you should coordinate with your identity provider admin when making these changes.
+
+1. Open the [Google Cloud console](https://console.cloud.google.com/) and select the project with your dbt Cloud single sign-on settings. From the project page **Quick Access**, select **APIs and Services**
+
+
+
+2. Click **Credentials** from the left side pane and click the appropriate name from **OAuth 2.0 Client IDs**
+
+
+
+3. In the **Client ID for Web application** window, find the **Authorized Redirect URIs** field and click **Add URI** and enter `https:///login/callback`.
+
+Click **Save** once you are done.
+
+4. _You will need a person with Google Workspace admin privileges to complete these steps in dbt Cloud_. In dbt Cloud, navigate to the **Account Settings**, click on **Single Sign-on**, and then click **Edit** on the right side of the SSO pane. Toggle the **Enable New SSO Authentication** option and select **Save**. This will trigger an authorization window from Google that will require admin credentials. _The migration action is final and cannot be undone_. Once the authentication has gone through, test the new configuration using the SSO login URL provided on the settings page.
+
+:::warning Domain authorization
+
+You must complete the domain authorization before you toggle `Enable New SSO Authentication`, or the migration will not complete successfully.
+
+:::
+
+
+
diff --git a/website/docs/docs/cloud/manage-access/set-up-sso-saml-2.0.md b/website/docs/docs/cloud/manage-access/set-up-sso-saml-2.0.md
index 96b87dee7a6..992e4ca2967 100644
--- a/website/docs/docs/cloud/manage-access/set-up-sso-saml-2.0.md
+++ b/website/docs/docs/cloud/manage-access/set-up-sso-saml-2.0.md
@@ -355,7 +355,13 @@ From the Set up Single Sign-On with SAML page:
### Finish setup
-9. After creating the Azure application, follow the instructions in the [dbt Cloud Setup](#dbt-cloud-setup) section to complete the integration.
+9. After creating the Azure application, follow the instructions in the [dbt Cloud Setup](#dbt-cloud-setup) section to complete the integration. The names for fields in dbt Cloud vary from those in the Entra ID app. They're mapped as follows:
+
+ | dbt Cloud field | Corresponding Entra ID field |
+ | ----- | ----- |
+ | **Identity Provider SSO URL** | Login URL |
+ | **Identity Provider Issuer** | Microsoft Entra Identifier |
+
## OneLogin integration
diff --git a/website/static/img/docs/cloud-integrations/assign-app-to-members.png b/website/static/img/docs/cloud-integrations/assign-app-to-members.png
new file mode 100644
index 00000000000..dac1b415d30
Binary files /dev/null and b/website/static/img/docs/cloud-integrations/assign-app-to-members.png differ
diff --git a/website/static/img/docs/cloud-integrations/azure-subscription.png b/website/static/img/docs/cloud-integrations/azure-subscription.png
new file mode 100644
index 00000000000..4ef347906a6
Binary files /dev/null and b/website/static/img/docs/cloud-integrations/azure-subscription.png differ
diff --git a/website/static/img/docs/cloud-integrations/create-service-principal.png b/website/static/img/docs/cloud-integrations/create-service-principal.png
new file mode 100644
index 00000000000..a072c92b3ef
Binary files /dev/null and b/website/static/img/docs/cloud-integrations/create-service-principal.png differ
diff --git a/website/static/img/docs/cloud-integrations/review-and-assign.png b/website/static/img/docs/cloud-integrations/review-and-assign.png
new file mode 100644
index 00000000000..570717daeda
Binary files /dev/null and b/website/static/img/docs/cloud-integrations/review-and-assign.png differ
diff --git a/website/static/img/docs/cloud-integrations/service-principal-fields.png b/website/static/img/docs/cloud-integrations/service-principal-fields.png
new file mode 100644
index 00000000000..eb391ab122d
Binary files /dev/null and b/website/static/img/docs/cloud-integrations/service-principal-fields.png differ
diff --git a/website/static/img/docs/dbt-cloud/access-control/azure-enable.png b/website/static/img/docs/dbt-cloud/access-control/azure-enable.png
index 8d95a5cb9fe..7f79bcb3c7c 100644
Binary files a/website/static/img/docs/dbt-cloud/access-control/azure-enable.png and b/website/static/img/docs/dbt-cloud/access-control/azure-enable.png differ
diff --git a/website/static/img/docs/dbt-cloud/access-control/edit-entra-saml.png b/website/static/img/docs/dbt-cloud/access-control/edit-entra-saml.png
new file mode 100644
index 00000000000..ceda1ee0bcc
Binary files /dev/null and b/website/static/img/docs/dbt-cloud/access-control/edit-entra-saml.png differ
diff --git a/website/static/img/docs/dbt-cloud/access-control/entra-id-saml.png b/website/static/img/docs/dbt-cloud/access-control/entra-id-saml.png
new file mode 100644
index 00000000000..01ab65cef27
Binary files /dev/null and b/website/static/img/docs/dbt-cloud/access-control/entra-id-saml.png differ
diff --git a/website/static/img/docs/dbt-cloud/access-control/google-enable.png b/website/static/img/docs/dbt-cloud/access-control/google-enable.png
index 0c46cac6d6e..a2ffd42fb50 100644
Binary files a/website/static/img/docs/dbt-cloud/access-control/google-enable.png and b/website/static/img/docs/dbt-cloud/access-control/google-enable.png differ
diff --git a/website/static/img/docs/dbt-cloud/access-control/new-okta-completed.png b/website/static/img/docs/dbt-cloud/access-control/new-okta-completed.png
index 7da82285a20..89c246ffc45 100644
Binary files a/website/static/img/docs/dbt-cloud/access-control/new-okta-completed.png and b/website/static/img/docs/dbt-cloud/access-control/new-okta-completed.png differ
diff --git a/website/static/img/docs/dbt-cloud/access-control/new-okta-config.png b/website/static/img/docs/dbt-cloud/access-control/new-okta-config.png
index c7018a64327..342e89ca631 100644
Binary files a/website/static/img/docs/dbt-cloud/access-control/new-okta-config.png and b/website/static/img/docs/dbt-cloud/access-control/new-okta-config.png differ
diff --git a/website/static/img/docs/dbt-cloud/access-control/saml-enable-entra.png b/website/static/img/docs/dbt-cloud/access-control/saml-enable-entra.png
new file mode 100644
index 00000000000..e0a71da007b
Binary files /dev/null and b/website/static/img/docs/dbt-cloud/access-control/saml-enable-entra.png differ
diff --git a/website/static/img/docs/dbt-cloud/access-control/saml-enable.png b/website/static/img/docs/dbt-cloud/access-control/saml-enable.png
index a165a3ee59b..212afeb7fef 100644
Binary files a/website/static/img/docs/dbt-cloud/access-control/saml-enable.png and b/website/static/img/docs/dbt-cloud/access-control/saml-enable.png differ
diff --git a/website/static/img/docs/dbt-cloud/access-control/sso-uri.png b/website/static/img/docs/dbt-cloud/access-control/sso-uri.png
index c557b903e57..87787184974 100644
Binary files a/website/static/img/docs/dbt-cloud/access-control/sso-uri.png and b/website/static/img/docs/dbt-cloud/access-control/sso-uri.png differ
diff --git a/website/static/img/docs/dbt-cloud/connecting-azure-devops/AD app.png b/website/static/img/docs/dbt-cloud/connecting-azure-devops/AD app.png
index 01536bab17f..a921c8544b5 100644
Binary files a/website/static/img/docs/dbt-cloud/connecting-azure-devops/AD app.png and b/website/static/img/docs/dbt-cloud/connecting-azure-devops/AD app.png differ
diff --git a/website/static/img/docs/dbt-cloud/connecting-azure-devops/add-service-principal.png b/website/static/img/docs/dbt-cloud/connecting-azure-devops/add-service-principal.png
new file mode 100644
index 00000000000..7b9065df74d
Binary files /dev/null and b/website/static/img/docs/dbt-cloud/connecting-azure-devops/add-service-principal.png differ