diff --git a/docs/architecture/road-to-the-cloud-migrate.md b/docs/architecture/road-to-the-cloud-migrate.md index f6a49fa3aec..fbfa8b91ea5 100644 --- a/docs/architecture/road-to-the-cloud-migrate.md +++ b/docs/architecture/road-to-the-cloud-migrate.md @@ -254,7 +254,7 @@ In the most preferred approach, you undertake projects to migrate from legacy ap >[!NOTE] >* Use Microsoft Entra Domain Services if the dependencies are aligned with [common deployment scenarios for Microsoft Entra Domain Services](/entra/identity/domain-services/scenarios). ->* To validate if Microsoft Entra Domain Services is a good fit, you might use tools like [Service Map in Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.ServiceMapOMS?tab=Overview) and [automatic dependency mapping with Service Map and Live Maps](https://techcommunity.microsoft.com/t5/system-center-blog/automatic-dependency-mapping-with-service-map-and-live-maps/ba-p/351867). +>* To validate if Microsoft Entra Domain Services is a good fit, you might use tools like Azure Monitor VM insights [https://learn.microsoft.com/azure/azure-monitor/vm/vminsights-overview]. >* Validate that your SQL Server instantiations can be [migrated to a different domain](https://social.technet.microsoft.com/wiki/contents/articles/24960.migrating-sql-server-to-new-domain.aspx). If your SQL service is running in virtual machines, [use this guidance](/azure/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-individual-databases-guide). #### Approach 2 diff --git a/docs/id-governance/apps.md b/docs/id-governance/apps.md index 3741ab37919..0c0910cb404 100644 --- a/docs/id-governance/apps.md +++ b/docs/id-governance/apps.md 
@@ -203,8 +203,6 @@ Microsoft Entra ID Governance can be integrated with many other applications, us | [Claromentis](../identity/saas-apps/claromentis-tutorial.md) | | ● | | [Cleanmail Swiss](../identity/saas-apps/cleanmail-swiss-provisioning-tutorial.md) | ● | | | [Clebex](../identity/saas-apps/clebex-provisioning-tutorial.md) | ● | ● | -| [Cloud Academy - SSO](../identity/saas-apps/cloud-academy-sso-provisioning-tutorial.md) | ● | ● | -| [Cloud Academy](../identity/saas-apps/cloud-academy-sso-tutorial.md) | | ● | | [Cloud Service PICCO](../identity/saas-apps/cloud-service-picco-tutorial.md) | | ● | | [CMD+CTRL Base Camp](../identity/saas-apps/cmd-ctrl-base-camp-tutorial.md) | | ● | | [Coda](../identity/saas-apps/coda-provisioning-tutorial.md) | ● | ● | @@ -624,6 +622,7 @@ Microsoft Entra ID Governance can be integrated with many other applications, us | [Proxyclick](../identity/saas-apps/proxyclick-provisioning-tutorial.md) | ● | ● | | [PurelyHR](../identity/saas-apps/purelyhr-tutorial.md) | | ● | | [pymetrics](../identity/saas-apps/pymetrics-tutorial.md) | | ● | +| [QA](../identity/saas-apps/cloud-academy-sso-provisioning-tutorial.md) | ● | ● | | [Qiita Team](../identity/saas-apps/qiita-team-tutorial.md) | | ● | | [Qmarkets Idea & Innovation Management](../identity/saas-apps/qmarkets-idea-innovation-management-tutorial.md) | | ● | | [QReserve](../identity/saas-apps/qreserve-tutorial.md) | | ● | diff --git a/docs/id-governance/privileged-identity-management/azure-pim-resource-rbac.md b/docs/id-governance/privileged-identity-management/azure-pim-resource-rbac.md index 617100a5941..8532b73c9dc 100644 --- a/docs/id-governance/privileged-identity-management/azure-pim-resource-rbac.md +++ b/docs/id-governance/privileged-identity-management/azure-pim-resource-rbac.md 
@@ -8,21 +8,21 @@ manager: amycolannino ms.service: entra-id-governance ms.subservice: privileged-identity-management ms.topic: how-to -ms.date: 09/12/2023 +ms.date: 12/13/2024 ms.author: barclayn ms.reviewer: shaunliu --- # View activity and audit history for Azure resource roles in Privileged Identity Management -Privileged Identity Management (PIM) in Microsoft Entra ID, enables you to view activity, activations, and audit history for Azure resources roles within your organization. This includes subscriptions, resource groups, and even virtual machines. Any resource within the Microsoft Entra admin center that leverages the Azure role-based access control functionality can take advantage of the security and lifecycle management capabilities in Privileged Identity Management. If you want to retain audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Microsoft Entra logs to an Azure storage account](~/identity/monitoring-health/howto-archive-logs-to-storage-account.md). +Privileged Identity Management (PIM) in Microsoft Entra ID, enables you to view activity, activations, and audit history for Azure resources roles within your organization. This includes subscriptions, resource groups, and even virtual machines. Any resource within the Microsoft Entra admin center that uses the Azure role-based access control functionality can take advantage of the security and lifecycle management capabilities in Privileged Identity Management. If you want to keep audit data for longer than the default retention period, you can use Azure Monitor to route it to an Azure storage account. For more information, see [Archive Microsoft Entra logs to an Azure storage account](~/identity/monitoring-health/howto-archive-logs-to-storage-account.md). 
> [!NOTE] > If your organization has outsourced management functions to a service provider who uses [Azure Lighthouse](/azure/lighthouse/overview), role assignments authorized by that service provider won't be shown here. ## View activity and activations -To see what actions a specific user took in various resources, you can view the Azure resource activity that's associated with a given activation period. +To see the actions a specific user took in various resources, view the Azure resource activity associated with their activation period. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Privileged Role Administrator](~/identity/role-based-access-control/permissions-reference.md#privileged-role-administrator). @@ -132,7 +132,7 @@ My audit enables you to view your personal role activity. :::image type="content" source="media/azure-pim-resource-rbac/audit-event-target-type.png" alt-text="Screenshot showing how to check the target type."::: -Typically, the log event immediately above the approval event is an event for "Add member to role completed" where the **Initiated by (actor)** is the requester. In most cases, you won't need to find the requester in the approval request from an auditing perspective. +Typically, the log event immediately above the approval event is an event for **Add member to role completed** where the **Initiated by (actor)** is the requester. In most cases, you won't need to find the requester in the approval request from an auditing perspective. ## Next steps diff --git a/docs/id-governance/privileged-identity-management/groups-activate-roles.md b/docs/id-governance/privileged-identity-management/groups-activate-roles.md index 2a181ccd1f3..c9a439c9ad1 100644 --- a/docs/id-governance/privileged-identity-management/groups-activate-roles.md +++ b/docs/id-governance/privileged-identity-management/groups-activate-roles.md 
@@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id-governance ms.topic: how-to ms.subservice: privileged-identity-management -ms.date: 09/12/2023 +ms.date: 12/13/2024 ms.author: barclayn ms.reviewer: ilyal ms.custom: pim @@ -41,7 +41,7 @@ When you need to take on a group membership or ownership, you can request activa 1. Select **Activate** for the eligible assignment you want to activate. -1. Depending on the group’s setting, you may be asked to provide multi-factor authentication or another form of credential. +1. Depending on the group’s setting, you may be asked to provide multifactor authentication or another form of credential. 1. If necessary, specify a custom activation start time. The membership or ownership is to be activated only after the selected time. @@ -55,7 +55,7 @@ If the [role requires approval](pim-resource-roles-approval-workflow.md) to acti ## View the status of your requests -You can view the status of your pending requests to activate. It is important when your requests undergo approval of another person. +You can view the status of your pending requests to activate. n It is important when your requests undergo approval of another person. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). diff --git a/docs/id-governance/privileged-identity-management/groups-approval-workflow.md b/docs/id-governance/privileged-identity-management/groups-approval-workflow.md index 3169f609bba..ab0cca2d3f5 100644 --- a/docs/id-governance/privileged-identity-management/groups-approval-workflow.md +++ b/docs/id-governance/privileged-identity-management/groups-approval-workflow.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id-governance ms.topic: conceptual ms.subservice: privileged-identity-management -ms.date: 09/12/2023 +ms.date: 12/13/2024 ms.author: barclayn ms.reviewer: ilyal ms.custom: pim 
diff --git a/docs/id-governance/privileged-identity-management/groups-role-settings.md b/docs/id-governance/privileged-identity-management/groups-role-settings.md index a30b9cbd586..974c9b7edf0 100644 --- a/docs/id-governance/privileged-identity-management/groups-role-settings.md +++ b/docs/id-governance/privileged-identity-management/groups-role-settings.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id-governance ms.topic: how-to ms.subservice: privileged-identity-management -ms.date: 09/12/2023 +ms.date: 12/13/2024 ms.author: barclayn ms.custom: pim diff --git a/docs/id-governance/privileged-identity-management/index.yml b/docs/id-governance/privileged-identity-management/index.yml index 0c56363f41d..5b2775e8bdb 100644 --- a/docs/id-governance/privileged-identity-management/index.yml +++ b/docs/id-governance/privileged-identity-management/index.yml @@ -12,7 +12,7 @@ metadata: ms.collection: author: barclayn ms.author: barclayn - ms.date: 09/12/2023 + ms.date: 12/13/2024 # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new diff --git a/docs/id-governance/privileged-identity-management/pim-apis.md b/docs/id-governance/privileged-identity-management/pim-apis.md index 2dc7b2d730d..45128080ad5 100644 --- a/docs/id-governance/privileged-identity-management/pim-apis.md +++ b/docs/id-governance/privileged-identity-management/pim-apis.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id-governance ms.subservice: privileged-identity-management ms.topic: how-to -ms.date: 09/12/2023 +ms.date: 12/13/2024 ms.author: barclayn ms.reviewer: shaunliu ms.custom: pim 
@@ -48,11 +48,11 @@ Under the `/beta/privilegedAccess` endpoint, Microsoft supported both `/aadRoles -### Iteration 3 (Current) – PIM for Microsoft Entra roles, groups in Microsoft Graph API, and for Azure resources in ARM API +### Iteration 3 (Current) – PIM for Microsoft Entra roles, groups in Microsoft Graph API, and for Azure resources in Azure Resource Manager API This is the final iteration of the PIM API. It includes: - PIM for Microsoft Entra roles in Microsoft Graph API - Generally available. - - PIM for Azure resources in ARM API - Generally available. + - PIM for Azure resources in Azure Resource Manager API - Generally available. - PIM for groups in Microsoft Graph API - Generally available. - PIM alerts for Microsoft Entra roles in Microsoft Graph API - Preview. - PIM alerts for Azure Resources in ARM API - Preview. @@ -66,7 +66,7 @@ Having PIM for Microsoft Entra roles in Microsoft Graph API and PIM for Azure Re ### Overview of PIM API iteration 3 -PIM APIs across providers (both Microsoft Graph APIs and ARM APIs) follow the same principles. +PIM APIs across providers (both Microsoft Graph APIs and Azure Resource Manager APIs) follow the same principles. #### Assignments management To create assignment (active or eligible), renew, extend, of update assignment (active or eligible), activate eligible assignment, deactivate eligible assignment, use resources **\*AssignmentScheduleRequest** and **\*EligibilityScheduleRequest**: diff --git a/docs/id-governance/privileged-identity-management/pim-approval-workflow.md b/docs/id-governance/privileged-identity-management/pim-approval-workflow.md index bdbeae744a3..d94d2fb269d 100644 --- a/docs/id-governance/privileged-identity-management/pim-approval-workflow.md +++ b/docs/id-governance/privileged-identity-management/pim-approval-workflow.md 
@@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id-governance ms.subservice: privileged-identity-management ms.topic: how-to -ms.date: 09/12/2023 +ms.date: 12/13/2024 ms.author: barclayn ms.custom: pim @@ -15,7 +15,7 @@ ms.custom: pim # Approve or deny requests for Microsoft Entra roles in Privileged Identity Management -With Privileged Identity Management (PIM) in Microsoft Entra ID you can configure roles to require approval for activation, and choose one or multiple users or groups as delegated approvers. Delegated approvers have 24 hours to approve requests. If a request isn't approved within 24 hours, then the eligible user must re-submit a new request. The 24 hour approval time window isn't configurable. +Privileged Identity Management (PIM) in Microsoft Entra ID allows you to configure roles to require approval for activation, and choose one or multiple users or groups as delegated approvers. Delegated approvers have 24 hours to approve requests. If a request isn't approved within 24 hours, then the eligible user must re-submit a new request. The 24 hour approval time window isn't configurable. 
@@ -29,9 +29,9 @@ As a delegated approver, you receive an email notification when a Microsoft Entr 1. Browse to **Identity governance** > **Privileged Identity Management** > **Approve requests**. - :::image type="content" source="./media/azure-ad-pim-approval-workflow/resources-approve-pane.png" alt-text="Screenshot showing the approve requests page showing request to review Microsoft Entra roles."::: + :::image type="content" source="./media/azure-ad-pim-approval-workflow/resources-approve-pane.png" alt-text="Screenshot showing the **Approve requests** page showing request to review Microsoft Entra roles."::: - In the **Requests for role activations** section, you'll see a list of requests pending your approval. + In the **Requests for role activations** section, you can see a list of requests pending your approval. ## View pending requests using Microsoft Graph API @@ -96,7 +96,7 @@ GET https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignmentSche 1. Find and select the request that you want to approve. An approve or deny page appears. 2. In the **Justification** box, enter the business justification. - 3. Select **Submit**. You will receive an Azure notification of your approval. + 3. Select **Submit**. At this point, the system sends an Azure notification of your approval. ## Approve pending requests using Microsoft Graph API @@ -164,7 +164,7 @@ Here's some information about workflow notifications: - Approvers are notified by email when a request for a role is pending their review. Email notifications include a direct link to the request, where the approver can approve or deny. - Requests are resolved by the first approver who approves or denies. -- When an approver responds to the request, all approvers are notified of the action. +- All approvers are notified when an approver responds to an approval request. - Global Administrators and Privileged Role Administrators are notified when an approved user becomes active in their role. >[!NOTE] 
diff --git a/docs/id-governance/privileged-identity-management/pim-how-to-use-audit-log.md b/docs/id-governance/privileged-identity-management/pim-how-to-use-audit-log.md index 6b396dee7e4..278a9bbb9da 100644 --- a/docs/id-governance/privileged-identity-management/pim-how-to-use-audit-log.md +++ b/docs/id-governance/privileged-identity-management/pim-how-to-use-audit-log.md @@ -1,18 +1,16 @@ --- title: View audit log report for Microsoft Entra roles in Microsoft Entra PIM description: Learn how to view the audit log history for Microsoft Entra roles in Microsoft Entra Privileged Identity Management (PIM). - author: barclayn manager: amycolannino ms.service: entra-id-governance ms.topic: how-to ms.subservice: privileged-identity-management -ms.date: 09/13/2023 +ms.date: 12/13/2024 ms.author: barclayn ms.reviewer: shaunliu ms.custom: pim - --- # View audit history for Microsoft Entra roles in Privileged Identity Management diff --git a/docs/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review.md b/docs/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review.md index 864fd5be5d9..d6545bd6b51 100644 --- a/docs/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review.md +++ b/docs/id-governance/privileged-identity-management/pim-perform-roles-and-resource-roles-review.md @@ -1,13 +1,12 @@ --- title: Perform an access review of Azure resource and Microsoft Entra roles in PIM description: Learn how to review access of Azure resource and Microsoft Entra roles in Privileged Identity Management (PIM). - author: barclayn manager: amycolannino ms.service: entra-id-governance ms.topic: how-to ms.subservice: privileged-identity-management -ms.date: 09/13/2023 +ms.date: 12/13/2024 ms.author: barclayn ms.custom: pim 
@@ -23,10 +22,10 @@ If you're at least a Privileged Role Administrator interested in access reviews, ## Approve or deny access -You can approve or deny access based on whether the user still needs access to the role. Choose **Approve** if you want them to stay in the role, or **Deny** if they don't need the access anymore. The users' assignment status won't change until the review closes and the administrator applies the results. Common scenarios in which certain denied users can't have results applied to them may include the following: +You can approve or deny access based on whether the user still needs access to the role. Choose **Approve** if you want them to stay in the role, or **Deny** if they don't need the access anymore. The users' assignment status doesn't change until the review closes and the administrator applies the results. Common scenarios in which certain denied users can't have results applied to them may include the following: - **Reviewing members of a synced on-premises Windows AD group**: If the group is synced from an on-premises Windows AD, the group can't be managed in Microsoft Entra ID, and therefore membership can't be changed. -- **Reviewing a role with nested groups assigned**: For users who have membership through a nested group, the access review won't remove their membership to the nested group and therefore they retain access to the role being reviewed. +- **Reviewing a role with nested groups assigned**: For users who have membership through a nested group, the access review doesn't remove their membership to the nested group and therefore they retain access to the role being reviewed. - **User not found or other errors**: These may also result in an apply result not being supported. Follow these steps to find and complete the access review: 
diff --git a/docs/id-governance/privileged-identity-management/pim-resource-roles-approval-workflow.md b/docs/id-governance/privileged-identity-management/pim-resource-roles-approval-workflow.md index 988eb9c07e7..6bf90a51479 100644 --- a/docs/id-governance/privileged-identity-management/pim-resource-roles-approval-workflow.md +++ b/docs/id-governance/privileged-identity-management/pim-resource-roles-approval-workflow.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id-governance ms.topic: how-to ms.subservice: privileged-identity-management -ms.date: 09/14/2023 +ms.date: 12/13/2024 ms.author: barclayn ms.reviewer: shaunliu ms.custom: pim @@ -16,7 +16,7 @@ ms.custom: pim # Approve or deny requests for Azure resource roles in Privileged Identity Management -Microsoft Entra Privileged Identity Management (PIM) enables you to configure roles so that they require approval for activation, and choose users or groups from your Microsoft Entra organization as delegated approvers. We recommend selecting two or more approvers for each role to reduce workload for the Privileged Role Administrator. Delegated approvers have 24 hours to approve requests. If a request isn't approved within 24 hours, then the eligible user must re-submit a new request. The 24 hour approval time window isn't configurable. +Microsoft Entra Privileged Identity Management (PIM) enables you to configure roles so that they require approval for activation, and choose users or groups from your Microsoft Entra organization as delegated approvers. We recommend selecting two or more approvers for each role to reduce workload for the Privileged Role Administrator. Delegated approvers have 24 hours to approve requests. If a request isn't approved within 24 hours, then the eligible user must resubmit a new request. The 24 hour approval time window isn't configurable. Follow the steps in this article to approve or deny requests for Azure resource roles. 
@@ -30,7 +30,7 @@ As a delegated approver, you receive an email notification when an Azure resourc 1. Browse to **Identity governance** > **Privileged Identity Management** > **Approve requests**. - :::image type="content" source="./media/pim-resource-roles-approval-workflow/resources-approve-requests.png" alt-text="Screenshot of the Approve requests - Azure resources page showing request to review."::: + :::image type="content" source="./media/pim-resource-roles-approval-workflow/resources-approve-requests.png" alt-text="Screenshot of the **Approve requests - Azure resources page** showing request to review."::: In the **Requests for role activations** section, you see a list of requests pending your approval. @@ -39,10 +39,10 @@ As a delegated approver, you receive an email notification when an Azure resourc 1. Find and select the request that you want to approve. An approve or deny page appears. 2. In the **Justification** box, enter the business justification. - 3. Select **Approve**. You will receive an Azure notification of your approval. + 3. Select **Approve**. You receive an Azure notification of your approval. -## Approve pending requests using Microsoft ARM API +## Approve pending requests using Microsoft Azure Resource Manager API >[!NOTE] > Approval for **extend and renew** requests is currently not supported by the Microsoft ARM API diff --git a/docs/id-governance/privileged-identity-management/pim-resource-roles-renew-extend.md b/docs/id-governance/privileged-identity-management/pim-resource-roles-renew-extend.md index 3aea819835d..fd052585f06 100644 --- a/docs/id-governance/privileged-identity-management/pim-resource-roles-renew-extend.md +++ b/docs/id-governance/privileged-identity-management/pim-resource-roles-renew-extend.md 
@@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id-governance ms.topic: how-to ms.subservice: privileged-identity-management -ms.date: 09/13/2023 +ms.date: 12/13/2024 ms.author: barclayn ms.reviewer: shaunliu ms.custom: pim @@ -18,7 +18,7 @@ ms.custom: pim # Extend or renew Azure resource role assignments in Privileged Identity Management -Microsoft Entra Privileged Identity Management (PIM), provides controls to manage the access and assignment lifecycle for Azure resources. Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access is not extended. +Microsoft Entra Privileged Identity Management (PIM), provides controls to manage the access and assignment lifecycle for Azure resources. Administrators can assign roles using start and end date-time properties. When the assignment end approaches, Privileged Identity Management sends email notifications to the affected users or groups. It also sends email notifications to administrators of the resource to ensure that appropriate access is maintained. Assignments might be renewed and remain visible in an expired state for up to 30 days, even if access isn't extended. ## Who can extend and renew? 
@@ -100,11 +100,11 @@ Users who can no longer access resources can access up to 30 days of expired ass The list of roles shown defaults to **Eligible roles**. Use the drop-down menu to toggle between Eligible and Active assigned roles. -To request renewal for any of the role assignments in the list, select the **Renew** action. Then provide a reason for the request. It's helpful to provide a duration in addition to any additional context or a business justification that can help the resource administrator decide to approve or deny. +To request renewal for any of the role assignments in the list, select the **Renew** action. Then provide a reason for the request. It's helpful to provide a duration in addition to any other context or a business justification that can help the resource administrator decide to approve or deny. :::image type="content" source="media/pim-resource-roles-renew-extend/aadpim-rbac-renew-request-form.png" alt-text="Screenshot of Renew role assignment pane showing Reason box."::: -After the request has been submitted, resource administrators are notified of a pending request to renew a role assignment. +After the request is submitted, resource administrators are notified of a pending request to renew a role assignment. ### Admin approves diff --git a/docs/id-governance/privileged-identity-management/pim-roles.md b/docs/id-governance/privileged-identity-management/pim-roles.md index df781773880..3a238d58772 100644 --- a/docs/id-governance/privileged-identity-management/pim-roles.md +++ b/docs/id-governance/privileged-identity-management/pim-roles.md 
@@ -1,6 +1,6 @@ --- -title: Roles you cannot manage in Privileged Identity Management -description: Describes the roles you cannot manage in Microsoft Entra Privileged Identity Management (PIM). +title: Roles you can't manage in Privileged Identity Management +description: Describes the roles you can't manage in Microsoft Entra Privileged Identity Management (PIM). author: barclayn manager: amycolannino @@ -8,10 +8,9 @@ manager: amycolannino ms.service: entra-id-governance ms.topic: conceptual ms.subservice: privileged-identity-management -ms.date: 11/28/2023 +ms.date: 12/13/2024 ms.author: barclayn ms.reviewer: shaunliu -ms.custom: pim ; H1Hack27Feb2017;oldportal;it-pro; --- @@ -21,7 +20,7 @@ You can manage just-in-time assignments to all [Microsoft Entra roles](~/identit ## Classic subscription administrator roles -You cannot manage the following classic subscription administrator roles in Privileged Identity Management: +You can't manage the following classic subscription administrator roles in Privileged Identity Management: - Account Administrator - Service Administrator diff --git a/docs/identity/app-provisioning/how-provisioning-works.md b/docs/identity/app-provisioning/how-provisioning-works.md index e34729fc6af..167a61e8c0b 100644 --- a/docs/identity/app-provisioning/how-provisioning-works.md +++ b/docs/identity/app-provisioning/how-provisioning-works.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id ms.subservice: app-provisioning ms.topic: conceptual -ms.date: 08/25/2024 +ms.date: 12/13/2024 ms.author: kenwith ms.reviewer: arvinh --- diff --git a/docs/identity/app-provisioning/on-premises-application-provisioning-architecture.md b/docs/identity/app-provisioning/on-premises-application-provisioning-architecture.md index 007ef0ebc59..2031423f51c 100644 --- a/docs/identity/app-provisioning/on-premises-application-provisioning-architecture.md +++ b/docs/identity/app-provisioning/on-premises-application-provisioning-architecture.md 
@@ -6,7 +6,7 @@ author: billmath manager: amycolannino ms.service: entra-id ms.topic: overview -ms.date: 02/13/2024 +ms.date: 12/13/2024 ms.subservice: hybrid ms.author: billmath ms.collection: M365-identity-device-management @@ -39,7 +39,7 @@ You don't need to open inbound connections to the corporate network. The provisi The required outbound endpoints for the provisioning agents are detailed [here](~/identity/hybrid/cloud-sync/how-to-prerequisites.md#firewall-and-proxy-requirements). ## ECMA Connector Host architecture -The ECMA Connector Host has several areas it uses to achieve on-premises provisioning. The diagram below is a conceptual drawing that presents these individual areas. The table below describes the areas in more detail. +The ECMA Connector Host has several areas it uses to achieve on-premises provisioning. The following diagram is a conceptual drawing that presents these individual areas. The table below describes the areas in more detail. [![ECMA connector host](./media/on-premises-application-provisioning-architecture/ecma-2.png)](./media/on-premises-application-provisioning-architecture/ecma-2.png#lightbox) @@ -53,7 +53,7 @@ The ECMA Connector Host has several areas it uses to achieve on-premises provisi |Business logic|Used to coordinate all of the ECMA Connector Host activities. The Autosync time is configurable in the ECMA host. This is in the properties page.| ### About anchor attributes and distinguished names -The following information is provided to better explain the anchor attributes and the distinguished names, particularly used by the genericSQL connector. +The following information is provided to better explain the anchor attributes and the distinguished names used by the genericSQL connector. The anchor attribute is a unique attribute of an object type that doesn't change and represents that object in the ECMA Connector Host in-memory cache. 
@@ -79,7 +79,7 @@ Since ECMA Connector Host currently only supports the USER object type, the OBJE ### User creation workflow 1. The Microsoft Entra provisioning service queries the ECMA Connector Host to see if the user exists. It uses the **matching attribute** as the filter. This attribute is defined in the Azure portal under Enterprise applications -> On-premises provisioning -> provisioning -> attribute matching. It's denoted by the 1 for matching precedence. -You can define one or more matching attribute(s) and prioritize them based on the precedence. Should you want to change the matching attribute you can also do so. +You can define one or more matching attributes and prioritize them based on the precedence. Should you want to change the matching attribute you can also do so. [![Matching attribute](./media/on-premises-application-provisioning-architecture/match-1.png)](./media/on-premises-application-provisioning-architecture/match-1.png#lightbox) 2. ECMA Connector Host receives the GET request and queries its internal cache to see if the user exists and has based imported. This is done using the matching attribute(s) above. If you define multiple matching attributes, the Microsoft Entra provisioning service sends a GET request for each attribute and the ECMA host checks its cache for a match until it finds one. 
@@ -91,7 +91,7 @@ You can define one or more matching attribute(s) and prioritize them based on th ## Agent best practices - Using the same agent for the on-premises provisioning feature along with Workday / SuccessFactors / Microsoft Entra Connect cloud sync is currently unsupported. We're actively working to support on-premises provisioning on the same agent as the other provisioning scenarios. - - Avoid all forms of inline inspection on outbound TLS communications between agents and Azure. This type of inline inspection causes degradation to the communication flow. -- The agent must communicate with both Azure and your application, so the placement of the agent affects the latency of those two connections. You can minimize the latency of the end-to-end traffic by optimizing each network connection. Each connection can be optimized by: +- The agent must communicate with both Azure and your application, so the placement of the agent affects the latency of those two connections. You can minimize the latency of the end-to-end traffic by optimizing each network connection. Ways you can optimize each connection include: - Reducing the distance between the two ends of the hop. - Choosing the right network to traverse. For example, traversing a private network rather than the public internet might be faster because of dedicated links. - The agent and ECMA Host rely on a certificate for communication. The self-signed certificate generated by the ECMA host should only be used for testing purposes. The self-signed certificate expires in two years by default and can't be revoked. Microsoft recommends using a certificate from a trusted CA for production use cases. 
@@ -100,7 +100,7 @@ You can define one or more matching attribute(s) and prioritize them based on th ## High availability The following information is provided for high availability / failover scenarios. -For on-premises apps using the ECMA connector: The recommendation is having 1 active agent and 1 passive agent (configured, but stopped, not assigned to the enterprise app in Entra) per data center. +For on-premises apps using the ECMA connector: The recommendation is having one active agent and one passive agent (configured, but stopped, not assigned to the enterprise app in Microsoft Entra) per data center. When doing a failover, it's recommended to do the following: 1. Stop the active agent (A). @@ -110,7 +110,7 @@ When doing a failover, it's recommended to do the following: :::image type="content" source="media/on-premises-application-provisioning-architecture/high-availability-1.png" alt-text="Diagram of high availability with ECMA connector." lightbox="media/on-premises-application-provisioning-architecture/high-availability-1.png"::: -For on-premises apps using the SCIM connector: The recommendation is having 2 active agents per application. +For on-premises apps using the SCIM connector: The recommendation is having two active agents per application. :::image type="content" source="media/on-premises-application-provisioning-architecture/high-availability-2.png" alt-text="Diagram of high availability with SCIM connector." lightbox="media/on-premises-application-provisioning-architecture/high-availability-2.png"::: @@ -169,7 +169,7 @@ On-premises app provisioning has been rolled into the provisioning agent and is ### 1.1.892.0 -May 20th, 2022 - released for download +May 20, 2022 - released for download #### Fixed issues @@ -177,7 +177,7 @@ May 20th, 2022 - released for download ### 1.1.846.0 -April 11th, 2022 - released for download +April 11, 2022 - released for download #### Fixed issues 
diff --git a/docs/identity/app-provisioning/on-premises-custom-connector.md b/docs/identity/app-provisioning/on-premises-custom-connector.md index a2169df035d..cf0756b1a66 100644 --- a/docs/identity/app-provisioning/on-premises-custom-connector.md +++ b/docs/identity/app-provisioning/on-premises-custom-connector.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id ms.subservice: app-provisioning ms.topic: how-to -ms.date: 02/13/2024 +ms.date: 12/13/2024 ms.author: billmath ms.reviewer: arvinh --- 
@@ -25,13 +25,13 @@ Microsoft Entra ID includes connectivity to provision into applications that sup > - [SOAP](on-premises-web-services-connector.md) > - [PowerShell](on-premises-powershell-connector.md) -For connectivity to applications that don't support one of the aforementioned protocols and interfaces, customers and [partners](/archive/technet-wiki/1589.fim-2010-mim-2016-management-agents-from-partners) have built custom [ECMA 2.0](/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)) connectors for use with Microsoft Identity Manager (MIM) 2016. These same ECMA2 connectors can be used to provision into apps with the Microsoft Entra provisioning agent and Extensible Connectivity(ECMA) Connector host, without needing MIM sync deployed. +For connectivity to applications that don't support one of the aforementioned protocols and interfaces, customers and [partners](/archive/technet-wiki/1589.fim-2010-mim-2016-management-agents-from-partners) have built custom [ECMA 2.0](/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)) connectors for use with Microsoft Identity Manager (MIM) 2016. ECMA2 connectors can be used to provision into apps with the Microsoft Entra provisioning agent and Extensible Connectivity(ECMA) Connector host, without needing MIM sync deployed. ## Exporting and importing a MIM connector -If you have a custom ECMA 2.0 connector in MIM, you can export its configuration by following the instructions [here](on-premises-migrate-microsoft-identity-manager.md#export-a-connector-configuration-from-mim-sync). You need to save the XML file, the DLL, and related software for your connector. +If you have a custom ECMA 2.0 connector in MIM, you can export its configuration by following the instructions [here](on-premises-migrate-microsoft-identity-manager.md#export-a-connector-configuration-from-mim-sync). You need to save the XML file, the DLL, and related software for your connector. 
-To import your connector, you can use the instructions [here](on-premises-migrate-microsoft-identity-manager.md#import-a-connector-configuration). You will need to copy the DLL for your connector, and any of its prerequisite DLLs, to that same ECMA subdirectory of the Service directory. After the xml has been imported, continue through the wizard and ensure that all the required fields are populated. +To import your connector, you can use the instructions [here](on-premises-migrate-microsoft-identity-manager.md#import-a-connector-configuration). You need to copy the DLL for your connector, and any of its prerequisite DLLs, to that same ECMA subdirectory of the Service directory. After the xml import, continue through the wizard and ensure that all the required fields are populated. ## Updating a custom connector DLL When updating a connector with a newer build, ensure that the DLL is updated in all the required locations. Use these steps to properly update your custom connector DLL: 
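Review bot: "After the xml import, continue through the wizard" in the added line loses the sequencing the removed line expressed ("After the xml has been imported, continue through the wizard"); prefer "After the XML file is imported, continue through the wizard", and capitalize XML to match "the XML file" in the preceding paragraph of this hunk. Dropping "same" from "These same ECMA2 connectors can be used" also weakens the paragraph's point, that the connectors built for MIM 2016 are reusable as-is with the provisioning agent; keep "The same ECMA2 connectors". The unchanged "Extensible Connectivity(ECMA)" is missing a space before the parenthesis.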
@@ -44,11 +44,11 @@ When updating a connector with a newer build, ensure that the DLL is updated in 4. Start the Microsoft ECMA2Host service. > [!NOTE] - > If multiple connectors are using the same custom DLL, you will need to complete step 3.ii and 3.iii for each connector. + > If multiple connectors are using the same custom DLL, complete step 3.ii and 3.iii for each connector. ## Troubleshooting -Custom connectors built for MIM rely on the [ECMA framework](/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)). If you are having difficulties importing and using a connector, please ensure that you are following best practices: +Custom connectors built for MIM rely on the [ECMA framework](/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)). If you're having difficulties importing and using a connector, please ensure that you're following best practices: * Ensuring that methods in your connector are declared as public * Excluding prefixes from method names. For example: * **Correct:** public Schema GetSchema (KeyedCollection configParameters) diff --git a/docs/identity/app-provisioning/on-premises-ecma-troubleshoot.md b/docs/identity/app-provisioning/on-premises-ecma-troubleshoot.md index 00b897cbf38..1129b929c3e 100644 --- a/docs/identity/app-provisioning/on-premises-ecma-troubleshoot.md +++ b/docs/identity/app-provisioning/on-premises-ecma-troubleshoot.md @@ -6,7 +6,7 @@ author: billmath manager: amycolannino ms.service: entra-id ms.topic: troubleshooting -ms.date: 02/13/2024 +ms.date: 12/13/2024 ms.subservice: hybrid ms.author: billmath ms.collection: M365-identity-device-management 
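Review bot: in the on-premises-custom-connector.md hunk at -44,11, "complete step 3.ii and 3.iii for each connector" should read "steps 3.ii and 3.iii". In the same hunk, "please ensure that you're following best practices:" can drop "please" and read "ensure that you're following these practices:", which matches the bullet list of concrete rules that follows it.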
@@ -49,7 +49,7 @@ After you configure the provisioning agent and the Extensible Connectivity(ECMA) ``` https://localhost:8585/ecma2host_connectorName/scim ``` - 1. Navigate to the following folder to review the provisoning agent logs: C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace + 1. Navigate to the following folder to review the provisioning agent logs: C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace 1. If you see the following error, please add the service account "NT SERVICE\AADConnectProvisioningAgent" to the local group called "Performance Log Users". This eliminates the "Unable to initialize metrics collector" exception error by allowing the account to access the desired registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib ``` diff --git a/docs/identity/app-provisioning/on-premises-ldap-connector-configure.md b/docs/identity/app-provisioning/on-premises-ldap-connector-configure.md index c1dbafed591..75865c75f18 100644 --- a/docs/identity/app-provisioning/on-premises-ldap-connector-configure.md +++ b/docs/identity/app-provisioning/on-premises-ldap-connector-configure.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id ms.subservice: app-provisioning ms.topic: how-to -ms.date: 02/13/2024 +ms.date: 12/13/2024 ms.author: billmath ms.reviewer: arvinh --- diff --git a/docs/identity/app-provisioning/on-premises-ldap-connector-linux.md b/docs/identity/app-provisioning/on-premises-ldap-connector-linux.md index 7782a1a0b35..b5231954240 100644 --- a/docs/identity/app-provisioning/on-premises-ldap-connector-linux.md +++ b/docs/identity/app-provisioning/on-premises-ldap-connector-linux.md 
@@ -9,17 +9,17 @@ ms.subservice: app-provisioning ms.custom: - linux-related-content ms.topic: how-to -ms.date: 02/13/2024 +ms.date: 12/13/2024 ms.author: billmath ms.reviewer: arvinh --- # Configuring Microsoft Entra ID to provision users into an LDAP directory for Linux authentication -The following documentation is a tutorial demonstrating how to govern access to a Linux system. This is implemented by Microsoft Entra provisioning users into an on-premises LDAP directory trusted by that Linux system, so that those users can subsequently log into a Linux system that relies upon that LDAP directory for user authentication. And when a user is removed from Microsoft Entra ID, they are subsequently no longer able to log into a Linux system. +The following documentation is a tutorial demonstrating how to govern access to a Linux system. Microsoft Entra provisions users into an on-premises LDAP directory trusted by that Linux system. This allows users to log into a Linux system that relies upon that LDAP directory for user authentication. When a user is removed from Microsoft Entra ID, they're no longer able to log into a Linux system. >[!NOTE] -> The scenario described in this article is only applicable for existing Linux systems that already rely upon a Name Services Switch (NSS) or Pluggable Authentication Modules (PAM) LDAP module for user identification and authentication. Linux VMs in Azure or that are Azure Arc-enabled should be instead integrated with Microsoft Entra authentication. You can now use Microsoft Entra ID as a core authentication platform and a certificate authority to SSH into a Linux VM by using Microsoft Entra ID and OpenSSH certificate-based authentication, as described in [Log in to a Linux virtual machine in Azure by using Microsoft Entra ID and OpenSSH](/entra/identity/devices/howto-vm-sign-in-azure-ad-linux). 
+> The scenario described in this article is only applicable for existing Linux systems that already rely upon a Name Services Switch (NSS) or Pluggable Authentication Modules (PAM) LDAP module for user identification and authentication. Linux VMs in Azure or that are Azure Arc-enabled should be instead integrated with Microsoft Entra authentication. You can now use Microsoft Entra ID as a core authentication platform and a certificate authority to SSH into a Linux VM by using Microsoft Entra ID and OpenSSH certificate-based authentication, as described in [Log in to a Linux virtual machine in Azure by using Microsoft Entra ID and OpenSSH](/entra/identity/devices/howto-vm-sign-in-azure-ad-linux). For other scenarios involving provisioning users into LDAP directories, other than for Linux authentication, see [configuring Microsoft Entra ID to provision users into LDAP directories](on-premises-ldap-connector-configure.md). 
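Review bot: the added note line keeps "Name Services Switch (NSS)"; the glibc facility is the Name Service Switch, so correct the expansion while this line is being rewritten. In the same line, "Linux VMs in Azure or that are Azure Arc-enabled should be instead integrated with Microsoft Entra authentication" is awkward; suggest "Linux VMs in Azure, and Azure Arc-enabled Linux VMs, should instead be integrated with Microsoft Entra authentication". In the new intro paragraph, "This allows users to log into a Linux system" has no single antecedent after the sentence split; "Those users can then log into a Linux system" is clearer.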
@@ -33,8 +33,8 @@ This article assumes that the LDAP server is already present in the on-premises - A Linux or other POSIX Server that replies upon a directory server using a PAM or NSS module. - An LDAP directory server that supports the POSIX schema, such as OpenLDAP, in which users can be created, updated, and deleted. For more information on supported directory servers, see the [Generic LDAP Connector reference](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericldap). - - A computer with at least 3 GB of RAM, to host a provisioning agent. The computer should have Windows Server 2016 or a later version of Windows Server, with connectivity to the target directory server, and with outbound connectivity to login.microsoftonline.com, [other Microsoft Online Services](/microsoft-365/enterprise/urls-and-ip-address-ranges) and [Azure](/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud) domains. An example is a Windows Server 2016 virtual machine hosted in Azure IaaS or behind a proxy. The .NET Framework 4.7.2 needs to be installed on that server. - - Optional: Although it is not required, it is recommended to download [Microsoft Edge for Windows Server](https://www.microsoft.com/en-us/edge?r=1) and use it in-place of Internet Explorer. + - A computer with at least 3 GB of RAM, to host a provisioning agent. The computer should have Windows Server 2016 or a later version of Windows Server. It should also have connectivity to the target directory server and outbound connectivity to login.microsoftonline.com, [other Microsoft Online Services](/microsoft-365/enterprise/urls-and-ip-address-ranges) and [Azure](/azure/azure-portal/azure-portal-safelist-urls?tabs=public-cloud) domains. An example is a Windows Server 2016 virtual machine hosted in Azure IaaS or behind a proxy. The .NET Framework 4.7.2 needs to be installed on that server. 
+ - Optional: Although not required, it's recommended to download [Microsoft Edge for Windows Server](https://www.microsoft.com/en-us/edge?r=1) and use it in-place of Internet Explorer. ### Cloud requirements 
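Review bot: the unchanged prerequisite bullet in this hunk reads "A Linux or other POSIX Server that replies upon a directory server"; that is "relies upon", and it is worth fixing here since the adjacent bullets are being rewritten. In the added line, "use it in-place of Internet Explorer" should be "in place of", and "POSIX Server" should be "POSIX server" (only "Windows Server" is a product name).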
@@ -43,20 +43,28 @@ This article assumes that the LDAP server is already present in the on-premises [!INCLUDE [active-directory-p1-license.md](~/includes/entra-p1-license.md)] - The Hybrid Identity Administrator role for configuring the provisioning agent. - The Application Administrator or Cloud Application Administrator roles for configuring provisioning in the Azure portal or Microsoft Entra admin center. - - The Microsoft Entra users to be provisioned to the LDAP directory must already be populated with the attributes that will be required by the directory server schema and are specific to each user. In particular, each user is required to have a unique number as their User ID number. Before deploying the provisioning agent and assigning users to the directory, you would need to either generate that number from an existing attribute on the user, or extend the Microsoft Entra schema and populate that attribute on the users in scope. See [Graph extensibility](/graph/extensibility-overview?tabs=http#directory-azure-ad-extensions) for how to create additional directory extensions. + - The directory server schema requires specific attributes for each Microsoft Entra user to be provisioned to the LDAP directory, and these attributes must already be populated. In particular, each user is required to have a unique number as their User ID number. Before deploying the provisioning agent and assigning users to the directory, you need to either generate that number from an existing attribute on the user, or extend the Microsoft Entra schema. Then, you can populate that attribute on the users in scope. See [Graph extensibility](/graph/extensibility-overview?tabs=http#directory-azure-ad-extensions) for how to create additional directory extensions. ### More recommendations and limitations The following bullet points are more recommendations and limitations. -- It is not recommended to use the same agent for cloud sync and on-premises app provisioning. 
Microsoft recommends using a separate agent for cloud sync and one for on-premises app provisioning. -- For AD LDS currently, users cannot be provisioned with passwords. So you will need to either disable the password policy for AD LDS or provision the users in a disabled state. -- For other directory servers, an initial random password can be set, but it is not possible to provision a Microsoft Entra user's password to a directory server. -- Provisioning users from LDAP to Microsoft Entra ID is not supported. -- Provisioning groups and user memberships to a directory server is not supported. +- It's not recommended to use the same agent for cloud sync and on-premises app provisioning. Microsoft recommends using a separate agent for cloud sync and one for on-premises app provisioning. +- For AD LDS currently, users can't be provisioned with passwords. So you need to either disable the password policy for AD LDS or provision the users in a disabled state. +- For other directory servers, an initial random password can be set, but it's not possible to provision a Microsoft Entra user's password to a directory server. +- Provisioning users from LDAP to Microsoft Entra ID isn't supported. +- Provisioning groups and user memberships to a directory server isn't supported. ## Determine how the Microsoft Entra LDAP Connector will interact with the directory server -Before deploying the connector to an existing directory server, you'll need to discuss with the directory server operator in your organization how to integrate with their directory server. 
The information you'll gather includes the network information of how to connect to the directory server, how the connector should authenticate itself to the directory server, what schema the directory server has selected to model users, the naming context's base distinguished name and directory hierarchy rules, how to associate users in the directory server with users in Microsoft Entra ID, and what should happen when a user goes out of scope in Microsoft Entra ID. Deploying this connector may require changes to the configuration of the directory server as well as configuration changes to Microsoft Entra ID. For deployments involving integrating Microsoft Entra ID with a third-party directory server in a production environment, we recommend customers work with their directory server vendor, or a deployment partner for help, guidance, and support for this integration. This article uses the following sample values for OpenLDAP. +Before deploying the connector to an existing directory server, you need to discuss with the directory server operator in your organization how to integrate with their directory server. The information to gather includes: +- The network information of how to connect to the directory server. +- How the connector should authenticate itself to the directory server. +- What schema the directory server has selected to model users. +- The naming context's base distinguished name and directory hierarchy rules. +- How to associate users in the directory server with users in Microsoft Entra ID. +- What should happen when a user goes out of scope in Microsoft Entra ID. + +Deploying this connector may require changes to the configuration of the directory server as well as configuration changes to Microsoft Entra ID. 
For deployments involving integrating Microsoft Entra ID with a third-party directory server in a production environment, we recommend customers work with their directory server vendor, or a deployment partner for help, guidance, and support for this integration. This article uses the following sample values for OpenLDAP. |Configuration setting|Where the value is set| Example value| |-----|-----|-----| 
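Review bot: the added bullet "It's not recommended to use the same agent for cloud sync and on-premises app provisioning" conflicts with the architecture page edited earlier in this PR, whose agent best practices hunk states that using the same agent for on-premises provisioning and cloud sync "is currently unsupported"; "unsupported" and "not recommended" describe different support positions, so the two pages should use the same wording. In the rewritten cloud requirement, "or extend the Microsoft Entra schema. Then, you can populate that attribute on the users in scope." reads as if populating is a step after either option, whereas only the schema-extension branch needs it; suggest "or extend the Microsoft Entra schema and populate the new attribute on the users in scope".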
@@ -71,11 +79,13 @@ Before deploying the connector to an existing directory server, you'll need to d | attributes for correlating users across Microsoft Entra ID and the directory server | Azure portal **Provisioning** page attribute mappings | `mail` | | deprovisioning behavior when a user goes out of scope in Microsoft Entra ID |Configuration wizard **Deprovisioning** page | Delete the user from the directory server | -The network address of a directory server is a hostname and a TCP port number, typically port 389 or 636. Except where the directory server is co-located with the connector on the same Windows Server, or you're using network level security, the network connections from the connector to a directory server need to be protected using SSL or TLS. The connector supports connecting to a directory server on port 389, and using Start TLS to enable TLS within the session. The connector also supports connecting to a directory server on port 636 for LDAPS - LDAP over TLS. +The network address of a directory server is a hostname and a TCP port number, typically port 389 or 636. Except where the directory server is co-located with the connector on the same Windows Server, or you're using network level security, the network connections from the connector to a directory server need to be protected using SSL or TLS. The connector supports connecting to a directory server on port 389, and using Start TLS to enable TLS within the session. The connector also supports connecting to a directory server on port 636 for LDAPS - LDAP over TLS. + +You need to have an identified account for the connector to authenticate to the directory server already configured in the directory server. This account is typically identified with a distinguished name and has an associated password or client certificate. 
To perform import and export operations on the objects in the connected directory, the connector account must have sufficient permissions within the directory's access control model. The connector needs to have **write** permissions to be able to export, and **read** permissions to be able to import. Permission configuration is performed within the management experiences of the target directory itself. -You'll need to have an identified account for the connector to authenticate to the directory server already configured in the directory server. This account is typically identified with a distinguished name and has an associated password or client certificate. To perform import and export operations on the objects in the connected directory, the connector account must have sufficient permissions within the directory's access control model. The connector needs to have **write** permissions to be able to export, and **read** permissions to be able to import. Permission configuration is performed within the management experiences of the target directory itself. +A directory schema specifies the object classes and attributes that represent a real-world entity in the directory. The connector supports a user being represented with a structural object class, such as `inetOrgPerson`, and optionally additional auxiliary object classes. For the connector to be able to provision users into the directory server, during configuration in the Azure portal you define mappings from the Microsoft Entra schema to all of the mandatory attributes. This includes the mandatory attributes of the structural object class, any superclasses of that structural object class, and the mandatory attributes of any auxiliary object classes. -A directory schema specifies the object classes and attributes that represent a real-world entity in the directory. 
The connector supports a user being represented with a structural object class, such as `inetOrgPerson`, and optionally additional auxiliary object classes. In order for the connector to be able to provision users into the directory server, during configuration in the Azure portal you will define mappings from the Microsoft Entra schema to all of the mandatory attributes. This includes the mandatory attributes of the structural object class, any superclasses of that structural object class, and the mandatory attributes of any auxiliary object classes. In addition, you will likely also configure mappings to some of the optional attributes of these classes. An OpenLDAP directory server with the POSIX schema to support Linux authentication might require an object for a new user to have attributes like the following example. +You'll likely also configure mappings to some of the optional attributes of these classes. An OpenLDAP directory server with the POSIX schema to support Linux authentication might require an object for a new user to have attributes like the following example. ``` dn: cn=bsimon,dc=Contoso,dc=lab 
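Review bot: the added network paragraph still says connections "need to be protected using SSL or TLS" and "using Start TLS"; since this paragraph is being rewritten anyway and SSL versions are deprecated, say "TLS" and spell the mechanism "StartTLS" (one word), keeping "LDAPS - LDAP over TLS" consistent with it. In the new account paragraph, "an identified account for the connector to authenticate to the directory server already configured in the directory server" dangles; "an account, already configured in the directory server, that the connector uses to authenticate to it" makes clear that the account, not the connector, must pre-exist. The moved schema paragraph is followed by an example object containing "userPassword: initial-password"; a pointer to the later paragraph in this file explaining that a Microsoft Entra password cannot be provisioned and an application-specific password is needed would stop readers taking that line as the user's real credential.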
@@ -92,13 +102,17 @@ mail: bsimon@contoso.com userPassword: initial-password ``` -The directory hierarchy rules implemented by a directory server describe how the objects for each user relate to each other and to existing objects in the directory. In most deployments, the organization chose to have a flat hierarchy in their directory server, in which each object for a user is located immediately below a common base object. For example, if the base distinguished name for the naming context in a directory server is `dc=contoso,dc=com` then a new user would have a distinguished name like `cn=alice,dc=contoso,dc=com`. However, some organizations may have a more complex directory hierarchy, in which case you'll need to implement the rules when specifying the distinguished name mapping for the connector. For example, a directory server may expect users to be in organizational units by department, so a new user would have a distinguished name like `cn=alice,ou=London,dc=contoso,dc=com`. Since the connector does not create intermediate objects for organizational units, any intermediate objects the directory server rule hierarchy expects must already exist in the directory server. +The directory hierarchy rules implemented by a directory server describe how the objects for each user relate to each other and to existing objects in the directory. In most deployments, the organization chose to have a flat hierarchy in their directory server, in which each object for a user is located immediately below a common base object. For example, if the base distinguished name for the naming context in a directory server is `dc=contoso,dc=com` then a new user would have a distinguished name like `cn=alice,dc=contoso,dc=com`. + +However, some organizations may have a more complex directory hierarchy, in which case you'll need to implement the rules when specifying the distinguished name mapping for the connector. 
For example, a directory server may expect users to be in organizational units by department, so a new user would have a distinguished name like `cn=alice,ou=London,dc=contoso,dc=com`. Since the connector doesn't create intermediate objects for organizational units, any intermediate objects the directory server rule hierarchy expects must already exist in the directory server. + +Next, you'll need to define the rules for how the connector should determine if there's already a user in the directory server corresponding to a Microsoft Entra user. Every LDAP directory has a distinguished name that is unique for each object in the directory server, however that distinguished name is often not present for users in Microsoft Entra ID. Instead, an organization may have a different attribute, such as `mail` or `employeeId`, in their directory server schema that is also present on their users in Microsoft Entra ID. Then, when the connector is provisioning a new user into a directory server, the connector can search whether there's already a user in that directory that has a specific value of that attribute, and only create a new user in the directory server if one isn't present. -Next, you'll need to define the rules for how the connector should determine if there is already a user in the directory server corresponding to a Microsoft Entra user. Every LDAP directory has a distinguished name that is unique for each object in the directory server, however that distinguished name is often not present for users in Microsoft Entra ID. Instead, an organization may have a different attribute, such as `mail` or `employeeId`, in their directory server schema that is also present on their users in Microsoft Entra ID. Then, when the connector is provisioning a new user into a directory server, the connector can search whether there is already a user in that directory that has a specific value of that attribute, and only create a new user in the directory server if one is not present. 
+If your scenario involves creating new users in the LDAP directory, not just updating or deleting existing users, then you'll need to also determine how the Linux systems using that directory server handles authentication. Some systems can query a user's SSH public key or certificate from the directory, which may be appropriate of the users already hold credentials of those forms. However, if your application that relies upon the directory server doesn't support modern authentication protocols or stronger credentials, then you need to set an application-specific password when creating a new user in the directory, as Microsoft Entra ID doesn't support provisioning a user's Microsoft Entra password. -If your scenario involves creating new users in the LDAP directory, not just updating or deleting existing users, then you'll need to also determine how the Linux systems that use that directory server will handle authentication. Some systems can query a user's SSH public key or certificate from the directory, which may be appropriate of the users already hold credentials of those forms. However, if your application that relies upon the directory server does not support modern authentication protocols or stronger credentials, then you will need to set an application-specific password when creating a new user in the directory, as Microsoft Entra ID does not support provisioning a user's Microsoft Entra password. +Finally, you'll need to agree on the deprovisioning behavior. When the connector is configured, and Microsoft Entra ID has linked between a user in Microsoft Entra ID and a user in the directory, either for a user already in the directory or a new user, then Microsoft Entra ID can provision attribute changes from the Microsoft Entra user into the directory. -Finally, you'll need to agree on the deprovisioning behavior. 
When the connector is configured, and Microsoft Entra ID has established a link between a user in Microsoft Entra ID and a user in the directory, either for a user already in the directory or a new user, then Microsoft Entra ID can provision attribute changes from the Microsoft Entra user into the directory. If a user that is assigned to the application is deleted in Microsoft Entra ID, then Microsoft Entra ID will send a delete operation to the directory server. You may also wish to have Microsoft Entra ID update the object in the directory server when a user goes out of scope of being able to use the application. This behavior depends upon the application that will be using the directory server, as many directories, such as OpenLDAP, may not have a default way of indicating a user's account is inactivated. +If a user that is assigned to the application is deleted in Microsoft Entra ID, then Microsoft Entra ID sends a delete operation to the directory server. You may also wish to have Microsoft Entra ID update the object in the directory server when a user goes out of scope of being able to use the application. This behavior depends upon the application that'll be using the directory server, as many directories, such as OpenLDAP, may not have a default way of indicating a user's account is inactivated. ## Install and configure the Microsoft Entra Connect Provisioning Agent 
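Review bot: the added deprovisioning paragraph introduces a regression: "Microsoft Entra ID has linked between a user in Microsoft Entra ID and a user in the directory" replaces the removed "has established a link between", which was grammatical; restore "has established a link between". In the added authentication paragraph, "which may be appropriate of the users already hold credentials of those forms" should be "appropriate if the users"; the typo was in the removed line too but is carried into the new one. Also "the application that'll be using the directory server" reads better as "the application that uses the directory server".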
@@ -119,7 +133,7 @@ Finally, you'll need to agree on the deprovisioning behavior. When the connecto 8. Leave the portal and run the provisioning agent installer, agree to the terms of service, and select **Install**. 9. Wait for the Microsoft Entra provisioning agent configuration wizard and then select **Next**. 10. In the **Select Extension** step, select **On-premises application provisioning** and then select **Next**. - 11. The provisioning agent will use the operating system's web browser to display a popup window for you to authenticate to Microsoft Entra ID, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly. + 11. The provisioning agent uses the operating system's web browser to display a popup window for you to authenticate to Microsoft Entra ID, and potentially also your organization's identity provider. If you're using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly. 12. Provide credentials for a Microsoft Entra administrator when you're prompted to authorize. The user is required to have at least the [Hybrid Identity Administrator](/entra/identity/role-based-access-control/permissions-reference#hybrid-identity-administrator) role. 13. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer. 
@@ -132,24 +146,24 @@ Finally, you'll need to agree on the deprovisioning behavior. When the connecto 2. Keep this browser window open, as you complete the next step of configuration using the configuration wizard. ## Configure the Microsoft Entra ECMA Connector Host certificate - 1. On the Windows Server where the provisioning agent is installed, right click the Microsoft ECMA2Host Configuration Wizard from the start menu, and run as administrator. Running as a Windows administrator is necessary for the wizard to create the necessary Windows event logs. - 2. After the ECMA Connector Host Configuration starts, if this is the first time you have run the wizard, it will ask you to create a certificate. Leave the default port **8585** and select **Generate certificate** to generate a certificate. The autogenerated certificate will be self-signed as part of the trusted root. The SAN matches the host name. + 1. On the Windows Server where the provisioning agent is installed, right select the Microsoft ECMA2Host Configuration Wizard from the start menu, and run as administrator. Running as a Windows administrator is necessary for the wizard to create the necessary Windows event logs. + 2. After the ECMA Connector Host Configuration starts, if this is the first time you've run the wizard, it asks you to create a certificate. Leave the default port **8585** and select **Generate certificate** to generate a certificate. The autogenerated certificate is self-signed as part of the trusted root. The SAN matches the host name. [![Screenshot that shows configuring your settings.](~/includes/media/app-provisioning-sql/configure-1.png)](~/includes/media/app-provisioning-sql/configure-1.png#lightbox) 3. Select **Save**. >[!NOTE] - >If you have chosen to generate a new certificate, please record the certificate expiration date, to ensure that you schedule to return to the configuration wizard and re-generate the certificate before it expires. 
+ >If you've chosen to generate a new certificate, please record the certificate expiration date, to ensure that you schedule to return to the configuration wizard and re-generate the certificate before it expires. ## Configure the generic LDAP connector Depending on the options you select, some of the wizard screens might not be available and the information might be slightly different. Use the following information to guide you in your configuration. - 1. Generate a secret token that will be used for authenticating Microsoft Entra ID to the connector. It should be 12 characters minimum and unique for each application. If you do not already have a secret generator, you can use a PowerShell command such as the following to generate an example random string. + 1. Generate a secret token that'll be used for authenticating Microsoft Entra ID to the connector. It should be 12 characters minimum and unique for each application. If you don't already have a secret generator, you can use a PowerShell command such as the following to generate an example random string. ```powershell -join (((48..90) + (96..122)) * 16 | Get-Random -Count 16 | % {[char]$_}) ``` - 1. If you have not already done so, launch the Microsoft ECMA2Host Configuration Wizard from the start menu. + 1. If you haven't already done so, launch the Microsoft ECMA2Host Configuration Wizard from the start menu. 2. Select **New Connector**. [![Screenshot that shows choosing New Connector.](~/includes/media/app-provisioning-sql/sql-3.png)](~/includes/media/app-provisioning-sql/sql-3.png#lightbox)
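Review bot: "right select the Microsoft ECMA2Host Configuration Wizard" in step 1 is not a real instruction; the mechanical click-to-select substitution should not apply to right-click, so keep "right-click". While here, the secret-token sample `-join (((48..90) + (96..122)) * 16 | Get-Random -Count 16 | % {[char]$_})` uses `Get-Random`, which is not a cryptographically secure generator, and its character ranges include punctuation such as the backtick (96) and `:;<=>?@` (58..64); since this value authenticates Microsoft Entra ID to the connector, a CSPRNG-based example (for instance `System.Security.Cryptography.RandomNumberGenerator`) or at least a note that the sample is illustrative would be appropriate.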
3. On the **Properties** page, fill in the boxes with the values specified in the table that follows the image and select **Next**. @@ -161,38 +175,38 @@ Depending on the options you select, some of the wizard screens might not be ava |Autosync timer (minutes)|120| |Secret Token|Enter your secret token here. It should be 12 characters minimum.| |Extension DLL|For the generic LDAP connector, select **Microsoft.IAM.Connector.GenericLdap.dll**.| -4. On the **Connectivity** page, you will configure how the ECMA Connector Host will communicate with the directory server, and set some of the configuration options. Fill in the boxes with the values specified in the table that follows the image and select **Next**. When you select **Next**, the connector will query the directory server for its configuration. +4. On the **Connectivity** page, you'll configure how the ECMA Connector Host communicates with the directory server, and set some of the configuration options. Fill in the boxes with the values specified in the table that follows the image and select **Next**. When you select **Next**, the connector queries the directory server for its configuration. [![Screenshot that shows the Connectivity page.](~/includes/media/app-provisioning-ldap/create-2.png)](~/includes/media/app-provisioning-ldap/create-2.png#lightbox)
|Property|Description| |-----|-----| |Host|The host name where the LDAP server is located. This sample uses `APP3` as the example hostname.| - |Port|The TCP port number. If the directory server is configured for LDAP over SSL, use port 636. For `Start TLS`, or if you are using network-level security, use port 389.| + |Port|The TCP port number. If the directory server is configured for LDAP over SSL, use port 636. For `Start TLS`, or if you're using network-level security, use port 389.| |Connection Timeout|180| - |Binding|This property specifies how the connector will authenticate to the directory server. With the `Basic` setting, or with the `SSL` or `TLS` setting and no client certificate configured, the connector will send an LDAP simple bind to authenticate with a distinguished name and a password. With the `SSL` or `TLS` setting and a client certificate specified, the connector will send an LDAP SASL `EXTERNAL` bind to authenticate with a client certificate. | - |User Name|How the ECMA Connector will authenticate itself to the directory server. In this example, `cn=admin,dc=contoso,dc=lab`| - |Password|The password of the user that the ECMA Connector will authenticate itself to the directory server.| + |Binding|This property specifies how the connector authenticates to the directory server. With the `Basic` setting, or with the `SSL` or `TLS` setting and no client certificate configured, the connector sends an LDAP simple bind to authenticate with a distinguished name and a password. With the `SSL` or `TLS` setting and a client certificate specified, the connector sends an LDAP SASL `EXTERNAL` bind to authenticate with a client certificate. | + |User Name|How the ECMA Connector authenticates itself to the directory server. 
In this example, `cn=admin,dc=contoso,dc=lab`| + |Password|The password of the user that the ECMA Connector authenticates itself to the directory server.| |Realm/Domain|This setting is only required if you selected `Kerberos` as the Binding option, to provide the Realm/Domain of the user.| |Certificate|The settings in this section are only used if you selected `SSL` or `TLS` as the Binding option.| - |Attribute Aliases|The attribute aliases text box is used for attributes defined in the schema with RFC4522 syntax. These attributes cannot be detected during schema detection and the connector needs help with identifying those attributes. For example, if the directory server does not publish `userCertificate;binary` and you wish to provision that attribute, the following string must be entered in the attribute aliases box to correctly identify the userCertificate attribute as a binary attribute: `userCertificate;binary`. If you do not require any special attributes not in the schema, you can leave this blank.| + |Attribute Aliases|The attribute aliases text box is used for attributes defined in the schema with RFC4522 syntax. These attributes can't be detected during schema detection and the connector needs help with identifying those attributes. For example, if the directory server doesn't publish `userCertificate;binary` and you wish to provision that attribute, the following string must be entered in the attribute aliases box to correctly identify the userCertificate attribute as a binary attribute: `userCertificate;binary`. If you don't require any special attributes not in the schema, you can leave this blank.| |Include operational attributes|Select the `Include operational attributes in schema` checkbox to also include attributes created by the directory server. 
These include attributes such as when the object was created and last update time.| |Include extensible attributes|Select the `Include extensible attributes in schema` checkbox if extensible objects (RFC4512/4.3) are used in the directory server. Enabling this option allows every attribute to be used on all object. Selecting this option makes the schema very large so unless the connected directory is using this feature the recommendation is to keep the option unselected.| |Allow manual anchor selection|Leave unchecked.| >[!NOTE] - >If you experience an issue trying to connect, and cannot proceed to the **Global** page, ensure that the service account in the directory server is enabled. + >If you experience an issue trying to connect, and can't proceed to the **Global** page, ensure that the service account in the directory server is enabled. - 5. On the **Global** page, you will configure the distinguished name of the delta change log, if needed, and additional LDAP features. The page is pre-populated with the information provided by the LDAP server. Review the values shown, and then select **Next**. + 5. On the **Global** page, you'll configure the distinguished name of the delta change log, if needed, and additional LDAP features. The page is pre-populated with the information provided by the LDAP server. Review the values shown, and then select **Next**. |Property|Description| |-----|-----| |Supported SASL Mechanisms|The top section shows information provided by the server itself, including the list of SASL mechanisms. | - |Server Certificate Details|If `SSL` or `TLS` was specified, the wizard will display the certificate returned by the directory server. Confirm that the issuer, subject and thumbprint are for the correct directory server.| - |Mandatory Features Found|The connector also verifies that the mandatory controls are present in the Root DSE. If these controls are not listed, a warning is presented. 
Some LDAP directories do not list all features in the Root DSE and it is possible that the connector works without issues even if a warning is present.| + |Server Certificate Details|If `SSL` or `TLS` was specified, the wizard displays the certificate returned by the directory server. Confirm that the issuer, subject, and thumbprint are for the correct directory server.| + |Mandatory Features Found|The connector also verifies that the mandatory controls are present in the Root DSE. If these controls aren't listed, a warning is presented. Some LDAP directories don't list all features in the Root DSE and it's possible that the connector works without issues even if a warning is present.| |Supported Controls|The **supported controls** checkboxes control the behavior for certain operations| - |Delta Import|The change log DN is the naming context used by the delta change log, for example **cn=changelog**. This value must be specified to be able to do delta import. If you do not need to implement delta import, then this field can be blank.| + |Delta Import|The change log DN is the naming context used by the delta change log, for example **cn=changelog**. This value must be specified to be able to do delta import. If you don't need to implement delta import, then this field can be blank.| |Password Attribute|If the directory server supports a different password attribute or password hashing, you can specify the destination for password changes.| - |Partition Names|In the additional partitions list, it is possible to add additional namespaces not automatically detected. For example, this setting can be used if several servers make up a logical cluster, which should all be imported at the same time. Just as Active Directory can have multiple domains in one forest but all domains share one schema, the same can be simulated by entering the additional namespaces in this box. 
Each namespace can import from different servers and is further configured on the **Configure Partitions and Hierarchies** page.| + |Partition Names|In the additional partitions list, it's possible to add additional namespaces not automatically detected. For example, this setting can be used if several servers make up a logical cluster, which should all be imported at the same time. Just as Active Directory can have multiple domains in one forest but all domains share one schema, the same can be simulated by entering the additional namespaces in this box. Each namespace can import from different servers and is further configured on the **Configure Partitions and Hierarchies** page.| 1. On the **Partitions** page, keep the default and select **Next**. 1. On the **Run Profiles** page, ensure the **Export** checkbox and the **Full import** checkbox are both selected. Then select **Next**. 
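Review bot: The Password row "The password of the user that the ECMA Connector authenticates itself to the directory server." is ungrammatical in both the old and new line; suggest "The password of the account that the ECMA Connector uses to authenticate to the directory server." Two more items on lines this hunk touches: "allows every attribute to be used on all object" should be "all objects", and the Supported Controls row ends without a period.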
@@ -200,18 +214,18 @@ Depending on the options you select, some of the wizard screens might not be ava |Property|Description| |-----|-----| - |Export|Run profile that will export data to the LDAP directory server. This run profile is required.| - |Full import|Run profile that will import all data from LDAP sources specified earlier. This run profile is required.| - |Delta import|Run profile that will import only changes from LDAP since the last full or delta import. Only enable this run profile if you have confirmed that the directory server meets the necessary requirements. For more information, see the [Generic LDAP Connector reference](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericldap). | - 12. On the **Export** page, leave the defaults unchanged and click **Next**. - 13. On the **Full Import** page, leave the defaults unchanged and click **Next**. - 1. On the **DeltaImport** page, if present, leave the defaults unchanged and click **Next**. + |Export|Run profile that exports data to the LDAP directory server. This run profile is required.| + |Full import|Run profile that imports all data from LDAP sources specified earlier. This run profile is required.| + |Delta import|Run profile that imports only changes from LDAP since the last full or delta import. Only enable this run profile if you've confirmed that the directory server meets the necessary requirements. For more information, see the [Generic LDAP Connector reference](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-genericldap). | + 12. On the **Export** page, leave the defaults unchanged and select **Next**. + 13. On the **Full Import** page, leave the defaults unchanged and select **Next**. + 1. On the **DeltaImport** page, if present, leave the defaults unchanged and select **Next**. 1. On the **Object Types** page, fill in the boxes and select **Next**. 
|Property|Description| |-----|-----| - |Target object|This value is the structural object class of a user in the LDAP directory server. Use `inetOrgPerson`, and do not specify an auxiliary object class in this field. If the directory server requires auxiliary object classes, they'll be configured with the attribute mappings in the Azure portal.| - |Anchor|The values of this attribute should be unique for each object in the target directory. The Microsoft Entra provisioning service will query the ECMA connector host by using this attribute after the initial cycle. Typically use the distinguished named, which may be selected as `-dn-`. Multi-valued attributes, such as the `uid` attribute in the OpenLDAP schema, cannot be used as anchors.| + |Target object|This value is the structural object class of a user in the LDAP directory server. Use `inetOrgPerson`, and don't specify an auxiliary object class in this field. If the directory server requires auxiliary object classes, they'll be configured with the attribute mappings in the Azure portal.| + |Anchor|The values of this attribute should be unique for each object in the target directory. The Microsoft Entra provisioning service queries the ECMA connector host by using this attribute after the initial cycle. Typically use the distinguished named, which may be selected as `-dn-`. Multi-valued attributes, such as the `uid` attribute in the OpenLDAP schema, can't be used as anchors.| |Query Attribute|This attribute should be the same as the Anchor.| |DN|The distinguishedName of the target object. Keep `-dn-`.| |Autogenerated|unchecked| 
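Review bot: The Anchor row keeps the typo "Typically use the distinguished named, which may be selected as `-dn-`" in the added line; it should read "distinguished name". The step numbering in this hunk also mixes explicit "12." and "13." with "1." items, which renders inconsistently; either use "1." throughout (as the rest of the list does) or number them all explicitly.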
@@ -252,34 +266,34 @@ Depending on the options you select, some of the wizard screens might not be ava ## Ensure ECMA2Host service is running and can read from the directory server -Follow these steps to confirm that the connector host has started and has identified any existing users from the directory server. +Follow these steps to confirm that the connector host is started and has identified any existing users from the directory server. 1. On the server running the Microsoft Entra ECMA Connector Host, select **Start**. 2. Select **run** if needed, then enter **services.msc** in the box. - 3. In the **Services** list, ensure that **Microsoft ECMA2Host** is present and running. If it is not running, select **Start**. + 3. In the **Services** list, ensure that **Microsoft ECMA2Host** is present and running. If it's not running, select **Start**. [![Screenshot that shows the service is running.](~/includes/media/app-provisioning-sql/configure-2.png)](~/includes/media/app-provisioning-sql/configure-2.png#lightbox) - 1. If you have recently started the service, and have many user objects in the directory server, then wait several minutes for the connector to establish a connection with the directory server. + 1. If you've recently started the service, and have many user objects in the directory server, then wait several minutes for the connector to establish a connection with the directory server. 1. On the server running the Microsoft Entra ECMA Connector Host, launch PowerShell. 1. Change to the folder where the ECMA host was installed, such as `C:\Program Files\Microsoft ECMA2Host`. 1. Change to the subdirectory `Troubleshooting`. - 1. Run the script `TestECMA2HostConnection.ps1` in that directory as shown below, and provide as arguments the connector name and the `ObjectTypePath` value `cache`. If your connector host is not listening on TCP port 8585, then you may also need to provide the `-Port` argument as well. 
When prompted, type the secret token configured for that connector. + 1. Run the script `TestECMA2HostConnection.ps1` in that directory as shown, and provide as arguments the connector name and the `ObjectTypePath` value `cache`. If your connector host isn't listening on TCP port 8585, then you may also need to provide the `-Port` argument as well. When prompted, type the secret token configured for that connector. ``` PS C:\Program Files\Microsoft ECMA2Host\Troubleshooting> $cout = .\TestECMA2HostConnection.ps1 -ConnectorName LDAP -ObjectTypePath cache; $cout.length -gt 9 Supply values for the following parameters: SecretToken: ************ ``` 1. If the script displays an error or warning message, then check that the service is running, and the connector name and secret token match those values you configured in the configuration wizard. - 1. If the script displays the output `False`, then the connector has not seen any entries in the source directory server for existing users. If this is a new directory server installation, then this behavior is to be expected, and you can continue at the next section. + 1. If the script displays the output `False`, then the connector hasn't seen any entries in the source directory server for existing users. If this is a new directory server installation, then this behavior is to be expected, and you can continue at the next section. 1. However, if the directory server already contains one or more users but the script displayed `False`, then this status indicates the connector could not read from the directory server. If you attempt to provision, then Microsoft Entra ID may not correctly match users in that source directory with users in Microsoft Entra ID. Wait several minutes for the connector host to finish reading objects from the existing directory server, and then rerun the script. 
If the output continues to be `False`, then check the configuration of your connector and the permissions in the directory server are allowing the connector to read existing users. ## Test the connection from Microsoft Entra ID to the connector host 1. Return to the web browser window where you were configuring the application provisioning in the portal. >[!NOTE] - >If the window had timed out, then you will need to re-select the agent. + >If the window had timed out, then you'll need to re-select the agent. 1. Sign in to the Azure portal. 1. Go to **Enterprise applications** and the **On-premises ECMA app** application. - 1. Click on **Provisioning**. + 1. Select on **Provisioning**. 1. If **Get started** appears, then change the mode to **Automatic**, on the **On-Premises Connectivity** section, select the agent that you just deployed and select **Assign Agent(s)**, and wait 10 minutes. Otherwise go to **Edit Provisioning**. 2. Under the **Admin credentials** section, enter the following URL. Replace the `connectorName` portion with the name of the connector on the ECMA host, such as `LDAP`. If you provided a certificate from your certificate authority for the ECMA host, then replace `localhost` with the host name of the server where the ECMA host is installed. 
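Review bot: "Select on **Provisioning**" is wrong; "Click on" becomes "Select", not "Select on". Two consistency points on lines in this hunk: "this status indicates the connector could not read from the directory server" was left uncontracted while its neighbors were changed, and the fenced block holding the `TestECMA2HostConnection.ps1` session has no language tag, so it renders without highlighting; `console` or `powershell` would match the other fences in the file.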
@@ -289,7 +303,7 @@ Follow these steps to confirm that the connector host has started and has identi 3. Enter the **Secret Token** value that you defined when you created the connector. >[!NOTE] - >If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Microsoft Entra Connect Provisioning Agent** service, right-click the service, and restart. + >If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Microsoft Entra Connect Provisioning Agent** service, right-select the service, and restart. 4. Select **Test Connection**, and wait one minute. 5. After the connection test is successful and indicates that the supplied credentials are authorized to enable provisioning, select **Save**.
[![Screenshot that shows testing an agent.](~/includes/media/app-provisioning-sql/configure-9.png)](~/includes/media/app-provisioning-sql/configure-9.png#lightbox) 
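Review bot: "right-select the service, and restart" in the note should stay "right-click the service"; there is no "right-select" gesture, and the Microsoft style guidance that replaces "click" with "select" does not apply to right-click.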
@@ -297,36 +311,36 @@ Follow these steps to confirm that the connector host has started and has identi ## Extend the Microsoft Entra schema -If your directory server requires additional attributes that are not part of the default Microsoft Entra schema for users, then when provisioning you can configure to supply values of those attributes from a constant, from an expression transformed from other Microsoft Entra attributes, or by extending the Microsoft Entra schema. +If your directory server requires additional attributes that aren't part of the default Microsoft Entra schema for users, then when provisioning you can configure to supply values of those attributes from a constant, from an expression transformed from other Microsoft Entra attributes, or by extending the Microsoft Entra schema. -If the directory server requires users to have an attribute, such as `uidNumber` for the OpenLDAP POSIX schema, and that attribute is not already part of your Microsoft Entra schema for a user, and must be unique for each user, then you will need to either generate that attribute from other attributes of the user via an [expression](~/identity/app-provisioning/functions-for-customizing-application-data.md), or use the [directory extension feature](~/identity/app-provisioning/user-provisioning-sync-attributes-for-mapping.md) to add that attribute as an extension. +If the directory server requires users to have an attribute, such as `uidNumber` for the OpenLDAP POSIX schema, and that attribute isn't already part of your Microsoft Entra schema for a user, and must be unique for each user, then you need to either generate that attribute from other attributes of the user via an [expression](~/identity/app-provisioning/functions-for-customizing-application-data.md), or use the [directory extension feature](~/identity/app-provisioning/user-provisioning-sync-attributes-for-mapping.md) to add that attribute as an extension. 
-If your users originate in Active Directory Domain Services, and has the attribute in that directory, then you can use Microsoft Entra Connect or Microsoft Entra Connect cloud sync to configure that the attribute should be synched from Active Directory Domain Services to Microsoft Entra ID, so that it is available for provisioning to other systems. +If your users originate in Active Directory Domain Services and have the attribute in that directory, you can use Microsoft Entra Connect or Microsoft Entra Connect cloud sync. This will configure the attribute to be synched from Active Directory Domain Services to Microsoft Entra ID, making it available for provisioning to other systems. -If your users originate in Microsoft Entra ID, then for each new attribute you will need to store on a user, you will need to [define a directory extension](/graph/extensibility-overview?tabs=http#define-the-directory-extension). Then, [update the Microsoft Entra users](/graph/extensibility-overview?tabs=http#update-or-delete-directory-extensions) that are planned to be provisioned, to give each user a value of those attributes. +If your users originate in Microsoft Entra ID, you need to [define a directory extension](/graph/extensibility-overview?tabs=http#define-the-directory-extension) for each new attribute to store on a user. Then, [update the Microsoft Entra users](/graph/extensibility-overview?tabs=http#update-or-delete-directory-extensions) that are planned to be provisioned, to give each user a value of those attributes. ## Configure attribute mapping -In this section, you'll configure the mapping between the Microsoft Entra user's attributes and the attributes that you previously selected in the ECMA Host configuration wizard. Later when the connector creates an object in a directory server, the attributes of a Microsoft Entra user will then be sent through the connector to the directory server to be part of that new object. 
+In this section, you'll configure the mapping between the Microsoft Entra user's attributes and the attributes that you previously selected in the ECMA Host configuration wizard. Later, when the connector creates an object in a directory server, the Microsoft Entra user attributes are sent through the connector to the directory server to be part of that new object. 1. In the Microsoft Entra admin center, under **Enterprise applications**, select the **On-premises ECMA app** application, and then select the **Provisioning** page. 2. Select **Edit provisioning**. - 3. Expand **Mappings** and select **Provision Microsoft Entra users**. If this is the first time you've configured the attribute mappings for this application, there will be only one mapping present, for a placeholder. + 3. Expand **Mappings** and select **Provision Microsoft Entra users**. If this is the first time you've configured the attribute mappings for this application, there's only one mapping present as a placeholder. 1. To confirm that the schema of the directory server is available in Microsoft Entra ID, select the **Show advanced options** checkbox and select **Edit attribute list for ScimOnPremises**. Ensure that all the attributes selected in the configuration wizard are listed. If not, then wait several minutes for the schema to refresh, then select **Attribute Mapping** in the navigation line, and then select **Edit attribute list for ScimOnPremises** again to reload the page. Once you see the attributes listed, then cancel from this page to return to the mappings list. - 1. Every user in a directory must have a unique distinguished name. You can specify how the connector should construct a distinguished name by using an attribute mapping. Select **Add New Mapping**. Use the values below to create the mapping, changing the distinguished names in the expression to match that of the organizational unit or other container in your target directory. + 1. 
Every user in a directory must have a unique distinguished name. You can specify how the connector should construct a distinguished name by using an attribute mapping. Select **Add New Mapping**. Use the following values to create the mapping, changing the distinguished names in the expression to match that of the organizational unit or other container in your target directory. - Mapping type: expression - Expression: `Join("", "CN=", Word([userPrincipalName], 1, "@"), ",DC=Contoso,DC=lab")` - Target attribute: `urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:-dn-` - Apply this mapping: only during object creation - 1. If the directory server requires multiple structural object class values, or auxiliary object class values, to be supplied in the `objectClass` attribute, then add a mapping to that attribute. To add a mapping for `objectClass`, select **Add New Mapping**. Use the values below to create the mapping, changing the object class names in the expression to match that of the target directory schema. + 1. If the directory server requires multiple structural object class values, or auxiliary object class values, to be supplied in the `objectClass` attribute, then add a mapping to that attribute. To add a mapping for `objectClass`, select **Add New Mapping**. Use the following values to create the mapping, changing the object class names in the expression to match that of the target directory schema. - Mapping type: expression - Expression, if provisioning the POSIX schema: `Split("inetOrgPerson,posixAccount,shadowAccount",",")` - Target attribute: `urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:objectClass` - Apply this mapping: only during object creation - 1. For each of the mappings in the following table for your directory server, Select **Add New Mapping**, and specify the source and target attributes. 
If you are provisioning into an existing directory with existing users, you will need to edit the mapping for the attribute that is in common to set the **Match objects using this attribute** for that attribute. Learn more about attribute mapping [here](~/identity/app-provisioning/customize-application-attributes.md#understanding-attribute-mapping-properties). + 1. For each of the mappings in the following table for your directory server, Select **Add New Mapping**, and specify the source and target attributes. If you're provisioning into an existing directory with existing users, you need to edit the mapping for the attribute that is in common to set the **Match objects using this attribute** for that attribute. Learn more about attribute mapping [here](~/identity/app-provisioning/customize-application-attributes.md#understanding-attribute-mapping-properties). - For OpenLDAP with the POSIX schema, you will also need to supply the `gidNumber`, `homeDirectory`, `uid` and `uidNumber` attributes. Each user requires a unique `uid` and a unique `uidNumber`. Typically the `homeDirectory` is set by an expression derived from the user's userID. For example, if the `uid` of a user is generated by an expression derived from their user principal name, then the value for that user's home directory could be generated by a similar expression also derived from their user principal name. And depending on your use case you may wish to have all the users be in the same group, so would assign the `gidNumber` from a constant. + For OpenLDAP with the POSIX schema, you'll also need to supply the `gidNumber`, `homeDirectory`, `uid` and `uidNumber` attributes. Each user requires a unique `uid` and a unique `uidNumber`. Typically the `homeDirectory` is set by an expression derived from the user's userID. 
For example, if the `uid` of a user is generated by an expression derived from their user principal name, then the value for that user's home directory could be generated by a similar expression also derived from their user principal name. And depending on your use case you may wish to have all the users be in the same group, so would assign the `gidNumber` from a constant. |Mapping type|Source attribute|Target attribute| |-----|-----|-----| 
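Review bot: In the rewritten step "For each of the mappings in the following table for your directory server, Select **Add New Mapping**", the mid-sentence capital in "Select" survives from the old text and should be "select". The sentence merged into that step, "edit the mapping for the attribute that is in common", still doesn't say which attribute that is; name it, for example "the attribute the Microsoft Entra user and the existing directory entry share, such as `uid` or mail", since that is the attribute **Match objects using this attribute** keys on. While this hunk is in the area, the `-dn-` expression kept as context, `Join("", "CN=", Word([userPrincipalName], 1, "@"), ",DC=Contoso,DC=lab")`, inserts the UPN prefix into the DN unescaped, so a prefix containing a DN special character (`,`, `+`, `"`, `\`, `<`, `>`, `;`) yields an invalid or different DN; a one-line caveat there would save readers a confusing "Failed to create User" later.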
@@ -344,20 +358,20 @@ In this section, you'll configure the mapping between the Microsoft Entra user's ## Ensure users to be provisioned to the directory have required attributes -If there are people who have existing user accounts in the LDAP directory, then you will need to ensure that the Microsoft Entra user representation has the attributes required for matching. +If there are people who have existing user accounts in the LDAP directory, then you need to ensure that the Microsoft Entra user representation has the attributes required for matching. -If you are planning on creating new users in the LDAP directory, then you will need to ensure that the Microsoft Entra representations of those users have the source attributes required by the user schema of the target directory. Each user requires a unique `uid` and a unique `uidNumber`. +If you're planning on creating new users in the LDAP directory, then you need to ensure that the Microsoft Entra representations of those users have the source attributes required by the user schema of the target directory. Each user requires a unique `uid` and a unique `uidNumber`. -If your users originate in Active Directory Domain Services, and has the attribute in that directory, then you can use Microsoft Entra Connect or Microsoft Entra Connect cloud sync to configure that the attribute should be synched from Active Directory Domain Services to Microsoft Entra ID, so that it is available for provisioning to other systems. +If your users originate in Active Directory Domain Services, and has the attribute in that directory, then you can use Microsoft Entra Connect or Microsoft Entra Connect cloud sync to configure that the attribute should be synched from Active Directory Domain Services to Microsoft Entra ID, so that it's available for provisioning to other systems. 
-If your users originate in Microsoft Entra ID, then for each new attribute you will need to store on a user, you will need to [define a directory extension](/graph/extensibility-overview?tabs=http#define-the-directory-extension). Then, [update the Microsoft Entra users](/graph/extensibility-overview?tabs=http#update-or-delete-directory-extensions) that are planned to be provisioned, to give each user a value of those attributes. +If your users originate in Microsoft Entra ID, then for each new attribute you need to store on a user, you'll [define a directory extension](/graph/extensibility-overview?tabs=http#define-the-directory-extension). Then, [update the Microsoft Entra users](/graph/extensibility-overview?tabs=http#update-or-delete-directory-extensions) that are planned to be provisioned, to give each user a value of those attributes. ### Confirming users via PowerShell -Once you have the users updated in Microsoft Entra ID, you can use the [Microsoft Graph PowerShell cmdlets](https://www.powershellgallery.com/packages/Microsoft.Graph) to automate checking users have all the required attributes. +Once you've the users updated in Microsoft Entra ID, you can use the [Microsoft Graph PowerShell cmdlets](https://www.powershellgallery.com/packages/Microsoft.Graph) to automate checking users have all the required attributes. -For example, suppose your provisioning required users to have three attributes `DisplayName`,`surname` and `extension_656b1c479a814b1789844e76b2f459c3_MyNewProperty`. This third attribute will be used to contain the `uidNumber`. You could use the `Get-MgUser` cmdlet to retrieve each user and check if the required attributes are present. Note that the Graph v1.0 `Get-MgUser` cmdlet does not by default return any of a user's directory extension attributes, unless the attributes are specified in the request as one of the properties to return. 
+For example, suppose your provisioning required users to have three attributes `DisplayName`,`surname` and `extension_656b1c479a814b1789844e76b2f459c3_MyNewProperty`. This third attribute is used to contain the `uidNumber`. You could use the `Get-MgUser` cmdlet to retrieve each user and check if the required attributes are present. Note that the Graph v1.0 `Get-MgUser` cmdlet, by default, doesn't return any of a user's directory extension attributes, unless the attributes are specified in the request as one of the properties to return. This section shows how to interact with Microsoft Entra ID by using [Microsoft Graph PowerShell](https://www.powershellgallery.com/packages/Microsoft.Graph) cmdlets. 
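Review bot: "Once you've the users updated in Microsoft Entra ID" in the Confirming users via PowerShell paragraph is ungrammatical: "you've" only works as an auxiliary, and here "have" is the main verb, so write "Once you have updated the users in Microsoft Entra ID". The same mechanical contraction appears in the later hunks ("Now that you've a list", "Now that you've the Microsoft Entra ECMA Connector Host"). Two paragraphs up, "If your users originate in Active Directory Domain Services, and has the attribute in that directory" needs "have", and "synched" is better spelled "synced".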
@@ -416,23 +430,23 @@ The first time your organization uses these cmdlets for this scenario, you need 1. Identify which of the users in that directory are in scope for being users with Linux authentication. This choice will depend on your Linux system's configuration. For some configurations, any user who exists in an LDAP directory is a valid user. Other configurations might require the user to have a particular attribute or be a member of a group in that directory. -1. Run a command that retrieves that subset of users from your LDAP directory into a CSV file. Ensure that the output includes the attributes of users that will be used for matching with Microsoft Entra ID. Examples of these attributes are employee ID, account name or `uid`, and email address. +1. Run a command that retrieves that subset of users from your LDAP directory into a CSV file. Ensure that the output includes the attributes of users that are used for matching with Microsoft Entra ID. Examples of these attributes are employee ID, account name or `uid`, and email address. 1. If needed, transfer the CSV file that contains the list of users to a system with the [Microsoft Graph PowerShell cmdlets](https://www.powershellgallery.com/packages/Microsoft.Graph) installed. -1. Now that you have a list of all the users obtained from the directory, you'll match those users from the directory with users in Microsoft Entra ID. Before you proceed, review the information about [matching users in the source and target systems](~/identity/app-provisioning/customize-application-attributes.md#matching-users-in-the-source-and-target--systems). +1. Now that you've a list of all the users obtained from the directory, you'll match those users from the directory with users in Microsoft Entra ID. Before you proceed, review the information about [matching users in the source and target systems](~/identity/app-provisioning/customize-application-attributes.md#matching-users-in-the-source-and-target--systems). 
[!INCLUDE [active-directory-identity-governance-applications-retrieve-users.md](~/includes/entra-identity-governance-applications-retrieve-users.md)] ## Assign users to the application in Microsoft Entra ID -Now that you have the Microsoft Entra ECMA Connector Host talking with Microsoft Entra ID, and the attribute mapping configured, you can move on to configuring who's in scope for provisioning. +Now that you've the Microsoft Entra ECMA Connector Host talking with Microsoft Entra ID, and the attribute mapping configured, you can move on to configuring who's in scope for provisioning. >[!IMPORTANT] >If you were signed in using a Hybrid Identity Administrator role, you need to sign-out and sign-in with an account that has at least the Application Administrator role for this section. The Hybrid Identity Administrator role doesn't have permissions to assign users to applications. If there are existing users in the LDAP directory, then you should create application role assignments for those existing users. To learn more about how to create application role assignments in bulk using `New-MgServicePrincipalAppRoleAssignedTo`, see [governing an application's existing users in Microsoft Entra ID](~/id-governance/identity-governance-applications-existing-users.md). -If you do not wish to update existing users in the LDAP directory yet, then select a test user from Microsoft Entra ID who has the required attributes and will be provisioned to the directory server. +If you don't wish to update existing users in the LDAP directory yet, then select a test user from Microsoft Entra ID who has the required attributes and will be provisioned to the directory server. 1. Ensure that the user will select has all the properties that will be mapped to the required attributes of the directory server schema. 1. In the Azure portal, select **Enterprise applications**. 
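Review bot: "Now that you've a list of all the users obtained from the directory" and "Now that you've the Microsoft Entra ECMA Connector Host talking with Microsoft Entra ID" both need "you have"; the contraction can't replace a main-verb "have". The context line "1. Ensure that the user will select has all the properties that will be mapped" is missing its subject and still carries the future tense this PR removes elsewhere; since the neighbouring lines are being reworded, make it "Ensure that the user you select has all the properties that are mapped to the required attributes of the directory server schema".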
@@ -480,7 +494,7 @@ After the test of on-demand provisioning is successful, add the remaining users. ## Troubleshooting provisioning errors -If an error is shown, then select **View provisioning logs**. Look in the log for a row in which the Status is **Failure**, and click on that row. +If an error is shown, then select **View provisioning logs**. Look in the log for a row in which the Status is **Failure**, and select on that row. If the error message is **Failed to create User**, then check the attributes that are shown against the requirements of the directory schema. diff --git a/docs/identity/app-provisioning/on-premises-ldap-connector-prepare-directory.md b/docs/identity/app-provisioning/on-premises-ldap-connector-prepare-directory.md index 8b024df5d4b..e5c7b2531c7 100644 --- a/docs/identity/app-provisioning/on-premises-ldap-connector-prepare-directory.md +++ b/docs/identity/app-provisioning/on-premises-ldap-connector-prepare-directory.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id ms.subservice: app-provisioning ms.topic: how-to -ms.date: 02/13/2024 +ms.date: 12/13/2024 ms.author: billmath ms.reviewer: arvinh --- @@ -24,7 +24,7 @@ If you already have AD LDS or another directory server, you can skip this conten ### Create an SSL certificate, a test directory and install AD LDS. Use the PowerShell script from [Appendix A](#appendix-a---install-ad-lds-powershell-script). The script performs the following actions: - 1. Creates a self-signed certificate that will be used by the LDAP connector. + 1. Creates a self-signed certificate the LDAP connector uses. 2. Creates a directory for the feature install log. 3. Exports the certificate in the personal store to the directory. 4. Imports the certificate to the trusted root of the local machine. 
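Review bot: In the Troubleshooting provisioning errors hunk, "select on that row" is a search-and-replace artifact of "click on that row"; the phrasing is "select that row".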
@@ -33,7 +33,7 @@ Use the PowerShell script from [Appendix A](#appendix-a---install-ad-lds-powersh On the Windows Server virtual machine where you're using to test the LDAP connector, edit the script to match your computer name, and then run the script using Windows PowerShell with administrative privileges. ### Create an instance of AD LDS -Now that the role has been installed, you need to create an instance of AD LDS. To create an instance, you can use the answer file provided below. This file will install the instance quietly without using the UI. +Now that the role is installed, you need to create an instance of AD LDS. To create an instance, you can use the following answer file provided. This file installs the instance quietly without using the UI. Copy the contents of [Appendix B](#appendix-b---answer-file) in to notepad and save it as **answer.txt** in **"C:\Windows\ADAM"**. @@ -45,8 +45,8 @@ C:\Windows\ADAM> ADAMInstall.exe /answer:answer.txt ### Create containers and a service account for AD LDS The use the PowerShell script from [Appendix C](#appendix-c---populate-ad-lds-powershell-script). The script performs the following actions: - 1. Creates a container for the service account that will be used with the LDAP connector. - 2. Creates a container for the cloud users, where users will be provisioned to. + 1. Creates a container for the service account that is used with the LDAP connector. + 2. Creates a container for the cloud users, where users are provisioned. 3. Creates the service account in AD LDS. 4. Enables the service account. 5. Adds the service account to the AD LDS Administrators role. 
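Review bot: "you can use the following answer file provided" in the Create an instance of AD LDS hunk doubles up "following" and "provided"; "you can use the answer file in Appendix B" is enough, since the next line already points there. The unchanged line above it, "On the Windows Server virtual machine where you're using to test the LDAP connector", is also ungrammatical: "On the Windows Server virtual machine you're using to test the LDAP connector".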
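Review bot: "The use the PowerShell script from [Appendix C]" in the Create containers and a service account hunk is an existing typo the hunk leaves in place; as the adjacent list is being reworded, change it to "Use the PowerShell script from Appendix C". In the same list, "Creates a container for the cloud users, where users are provisioned." lost the preposition that carried the meaning; "into which users are provisioned" keeps it.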
@@ -57,33 +57,33 @@ On the Windows Server virtual machine, you're using to test the LDAP connector r In order to enable SSL to work, you need to grant the NETWORK SERVICE read permissions to our newly created certificate. To grant permissions, use the following steps. 1. Navigate to **C:\Program Data\Microsoft\Crypto\Keys**. - 2. Right-click on the system file located here. It will be a guid. This container is storing our certificate. + 2. Right-select on the system file located here. It will be a guid. This container is storing our certificate. 3. Select properties. 4. At the top, select the **Security** tab. 5. Select **Edit**. - 6. Click **Add**. + 6. Select **Add**. 7. In the box, enter **Network Service** and select **Check Names**. - 8. Select **NETWORK SERVICE** from the list and click **OK**. - 9. Click **Ok**. - 10. Ensure the Network service account has read and read & execute permissions and click **Apply** and **OK**. + 8. Select **NETWORK SERVICE** from the list and select **OK**. + 9. Select **Ok**. + 10. Ensure the Network service account has read and read & execute permissions and select **Apply** and **OK**. ### Verify SSL connectivity with AD LDS Now that we have configured the certificate and granted the network service account permissions, test the connectivity to verify that it's working. - 1. Open Server Manager and select AD LDS on the left - 2. Right-click your instance of AD LDS and select ldp.exe from the pop-up. + 1. Open Server Manager and select AD LDS. + 2. Right-select your instance of AD LDS and select ldp.exe from the pop-up. [![Screenshot that shows the Ldp tool location.](~/includes/media/app-provisioning-ldap/ldp-1.png)](~/includes/media/app-provisioning-ldap/ldp-1.png#lightbox)
3. At the top of ldp.exe, select **Connection** and **Connect**. - 4. Enter the following information and click **OK**. + 4. Enter the following information and select **OK**. - Server: APP3 - Port: 636 - Place a check in the SSL box [![Screenshot that shows the Ldp tool connection configuration.](~/includes/media/app-provisioning-ldap/ldp-2.png)](~/includes/media/app-provisioning-ldap/ldp-2.png#lightbox) - 5. You should see a response similar to the screenshot below. + 5. You should see a response similar to the following screenshot. [![Screenshot that shows the Ldp tool connection configuration success.](~/includes/media/app-provisioning-ldap/ldp-3.png)](~/includes/media/app-provisioning-ldap/ldp-3.png#lightbox)
6. At the top, under **Connection** select **Bind**. - 7. Leave the defaults and click **OK**. + 7. Leave the defaults and select **OK**. [![Screenshot that shows the Ldp tool bind operation.](~/includes/media/app-provisioning-ldap/ldp-4.png)](~/includes/media/app-provisioning-ldap/ldp-4.png#lightbox)
- 8. You should now, successfully bind to the instance. + 8. You should now successfully bind to the instance. [![Screenshot that shows the Ldp tool bind success.](~/includes/media/app-provisioning-ldap/ldp-5.png)](~/includes/media/app-provisioning-ldap/ldp-5.png#lightbox)
### Disable the local password policy @@ -92,11 +92,11 @@ Currently, the LDAP connector provisions users with a blank password. This provi >[!IMPORTANT] >Because on-going password sync is not a feature of on-premises LDAP provisioning, Microsoft recommends that AD LDS is used specifically with federated applications, when used in conjunction with AD DS, or when updating existing users in an instance of AD LDS. - 1. On the server, click **Start**, **Run**, and then **gpedit.msc** + 1. On the server, select **Start**, **Run**, and then **gpedit.msc** 2. On the **Local Group Policy editor**, navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy - 3. On the right, double-click **Password must meet complexity requirements** and select **Disabled**. + 3. On the right, double-select **Password must meet complexity requirements** and select **Disabled**. [![Screenshot of the complexity requirements setting.](~/includes/media/app-provisioning-ldap/local-1.png)](~/includes/media/app-provisioning-ldap/local-1.png#lightbox)
- 5. Click **Apply** and **Ok** + 5. Select **Apply** and **Ok** 6. Close the Local Group Policy editor diff --git a/docs/identity/app-provisioning/on-premises-migrate-microsoft-identity-manager.md b/docs/identity/app-provisioning/on-premises-migrate-microsoft-identity-manager.md index 358f6e9de20..242c8750121 100644 --- a/docs/identity/app-provisioning/on-premises-migrate-microsoft-identity-manager.md +++ b/docs/identity/app-provisioning/on-premises-migrate-microsoft-identity-manager.md @@ -6,7 +6,7 @@ author: billmath manager: amycolannino ms.service: entra-id ms.topic: how-to -ms.date: 02/13/2024 +ms.date: 12/13/2024 ms.subservice: hybrid ms.author: billmath ms.collection: M365-identity-device-management diff --git a/docs/identity/app-provisioning/on-premises-powershell-connector.md b/docs/identity/app-provisioning/on-premises-powershell-connector.md index e83a1adbc9b..5c33f324f99 100644 --- a/docs/identity/app-provisioning/on-premises-powershell-connector.md +++ b/docs/identity/app-provisioning/on-premises-powershell-connector.md 
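Review bot: "Right-select on the system file" and "Right-select your instance of AD LDS" in the Verify SSL connectivity with AD LDS hunk of on-premises-ldap-connector-prepare-directory.md replace a real UI action with one that doesn't exist; the style guide swaps "click" for "select" but keeps "right-click", so both should stay "Right-click". The same hunk now has "select **OK**" in step 8 and "select **Ok**" in step 9; use **OK** throughout. In the unchanged context, "Navigate to **C:\Program Data\Microsoft\Crypto\Keys**" has a space the real folder name doesn't (`C:\ProgramData\Microsoft\Crypto\Keys`), and "you need to grant the NETWORK SERVICE read permissions to our newly created certificate" mixes "you" and "our". Step 10 grants NETWORK SERVICE both Read and Read & execute on the key file; Read is what a TLS listener needs to use the private key, so the minimal grant is Read alone, and the doc should say so rather than add an execute bit on a key file.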
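Review bot: "double-select **Password must meet complexity requirements**" in the Disable the local password policy hunk should remain "double-click"; "double-select" isn't a UI action. The step list in that hunk jumps from 3 to 5 (there is no step 4), so renumber while the list is being edited. Since this step turns off password complexity in the server's local policy so that the connector can create users with a blank password (the paragraph above says so), the IMPORTANT note would be clearer if it stated that this is meant for the test AD LDS host only and is not a setting to carry onto a production server.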
@@ -7,14 +7,14 @@ manager: amycolannino ms.service: entra-id ms.subservice: app-provisioning ms.topic: how-to -ms.date: 02/13/2024 +ms.date: 12/13/2024 ms.author: billmath ms.reviewer: arvinh --- # Provisioning users into applications using PowerShell -The following documentation provides configuration and tutorial information demonstrating how the generic PowerShell connector and the Extensible Connectivity(ECMA) Connector host can be used to integrate Microsoft Entra ID with external systems that offer Windows PowerShell based APIs. +The following documentation provides configuration and tutorial information. It demonstrates how the generic PowerShell connector and the Extensible Connectivity (ECMA) Connector host are used to integrate Microsoft Entra ID with external systems that offer Windows PowerShell-based APIs. -For additional information see [Windows PowerShell Connector technical reference](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-powershell) +For additional information, see [Windows PowerShell Connector technical reference](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-powershell) ## Prerequisites for provisioning via PowerShell 
@@ -35,7 +35,7 @@ The connector provides a bridge between the capabilities of the ECMA Connector H - Connectivity between hosting server, the connector, and the target system that the PowerShell scripts interact with. - The execution policy on the server must be configured to allow the connector to run Windows PowerShell scripts. Unless the scripts the connector runs are digitally signed, configure the execution policy by running this command: `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned` -- Deploying this connector requires one or more PowerShell scripts. Some Microsoft products may provide scripts for use with this connector, and the support statement for those scripts would be provided by that product. If you are developing your own scripts for use with this connector, you'll need to have familiarity with the [Extensible Connectivity Management Agent API](/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)?redirectedfrom=MSDN) to develop and maintain those scripts. If you are integrating with third party systems using your own scripts in a production environment, we recommend you work with the third party vendor or a deployment partner for help, guidance and support for this integration. +- Deploying this connector requires one or more PowerShell scripts. Some Microsoft products may provide scripts for use with this connector, and the support statement for those scripts would be provided by that product. If you're developing your own scripts for use with this connector, you need to have familiarity with the [Extensible Connectivity Management Agent API](/previous-versions/windows/desktop/forefront-2010/hh859557(v=vs.100)?redirectedfrom=MSDN) to develop and maintain those scripts. If you're integrating with third party systems using your own scripts in a production environment, we recommend you work with the third party vendor or a deployment partner for help, guidance and support for this integration. ### Cloud requirements 
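Review bot: In the rewritten prerequisites bullet, "third party systems" and "the third party vendor" are adjectival uses and should be hyphenated ("third-party"); the rest of the sentence reads fine.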
@@ -48,7 +48,7 @@ The connector provides a bridge between the capabilities of the ECMA Connector H ## Download, install, and configure the Microsoft Entra Connect Provisioning Agent Package -If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section. +If you've downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section. 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](~/identity/role-based-access-control/permissions-reference.md#hybrid-identity-administrator). 1. Browse to **Identity** > **Hybrid management** > **Microsoft Entra Connect** > **Cloud sync** > **Agents**. 
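Review bot: Dropping "already" from "If you've downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section" loses the point of the sentence, which tells readers who did this earlier to skip the install steps. Keep the word: "If you've already downloaded and configured the provisioning agent for another on-premises application, skip to the next section".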
@@ -62,7 +62,7 @@ If you have already downloaded the provisioning agent and configured it for anot 1. Open the provisioning agent installer, agree to the terms of service, and select **Install**. 1. When the Microsoft Entra provisioning agent configuration wizard opens, continue to the **Select Extension** tab and select **On-premises application provisioning** when prompted for the extension you want to enable. -1. The provisioning agent uses the operating system's web browser to display a popup window for you to authenticate to Microsoft Entra ID, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly. +1. The provisioning agent uses the operating system's web browser to display a popup window for you to authenticate to Microsoft Entra ID, and potentially also your organization's identity provider. If you're using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly. 1. Provide credentials for a Microsoft Entra administrator when you're prompted to authorize. The user is required to have at least the [Hybrid Identity Administrator](/entra/identity/role-based-access-control/permissions-reference#hybrid-identity-administrator) role. 1. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer. 
@@ -93,8 +93,8 @@ Before you can create the PowerShell connector for this tutorial, you need to co ## Configure the Microsoft Entra ECMA Connector Host certificate -1. On the Windows Server where the provisioning agent is installed, right click the **Microsoft ECMA2Host Configuration Wizard** from the start menu, and run as administrator. Running as a Windows administrator is necessary for the wizard to create the necessary Windows event logs. -2. After the ECMA Connector Host Configuration starts, if it's the first time you have run the wizard, it will ask you to create a certificate. Leave the default port **8585** and select **Generate certificate** to generate a certificate. The autogenerated certificate will be self-signed as part of the trusted root. The certificate SAN matches the host name. +1. On the Windows Server where the provisioning agent is installed, right select the **Microsoft ECMA2Host Configuration Wizard** from the start menu, and run as administrator. Running as a Windows administrator is necessary for the wizard to create the necessary Windows event logs. +2. After the ECMA Connector Host Configuration starts, if it's the first time you have run the wizard, it will ask you to create a certificate. Leave the default port **8585** and select **Generate certificate** to generate a certificate. The autogenerated certificate self-signs as part of the trusted root. The certificate SAN matches the host name. 3. Select **Save**. ## Create the PowerShell Connector 
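Review bot: "The autogenerated certificate self-signs as part of the trusted root" in the Configure the Microsoft Entra ECMA Connector Host certificate hunk turns a description into an action a certificate can't perform; the intended meaning is "The autogenerated certificate is self-signed and is placed in the Trusted Root store". In the same hunk, "right select the **Microsoft ECMA2Host Configuration Wizard**" should remain "right-click", and "it will ask you to create a certificate" still has the future tense this PR is removing ("it asks you to create a certificate").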
@@ -102,12 +102,12 @@ Before you can create the PowerShell connector for this tutorial, you need to co ### General Screen 1. Launch the Microsoft ECMA2Host Configuration Wizard from the start menu. 2. At the top, select **Import** and select the configuration.xml file from step 1. -3. The new connector should be created and appear in red. Click **Edit**. -4. Generate a secret token used for authenticating Microsoft Entra ID to the connector. It should be 12 characters minimum and unique for each application. If you do not already have a secret generator, you can use a PowerShell command such as the following to generate an example random string. +3. The new connector should be created and appear in red. Select **Edit**. +4. Generate a secret token used for authenticating Microsoft Entra ID to the connector. It should be 12 characters minimum and unique for each application. If you don't already have a secret generator, you can use a PowerShell command such as the following to generate an example random string. ```powershell -join (((48..90) + (96..122)) * 16 | Get-Random -Count 16 | % {[char]$_}) ``` -5. On the **Properties** page, all of the information should be populated. The table is provided as reference. Click **Next**. +5. On the **Properties** page, all of the information should be populated. The table is provided as reference. Select **Next**. |Property|Value| |-----|-----| 
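Review bot: Step 4 of the General Screen hunk describes the token as the secret that authenticates Microsoft Entra ID to the connector, but the generator kept in context, `-join (((48..90) + (96..122)) * 16 | Get-Random -Count 16 | % {[char]$_})`, is a poor fit for a secret: Get-Random isn't documented as cryptographically secure (PowerShell 7.4 added Get-SecureRandom for exactly that reason), and the ranges 48..90 and 96..122 include ASCII 58-64 (`:;<=>?@`) and 96 (the backtick), which are awkward to paste into the wizard and into PowerShell strings. Suggest a CSPRNG-backed one-liner that works on Windows PowerShell 5.1 and PowerShell 7, for example `$b = New-Object byte[] 24; [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b); -join ($b | ForEach-Object { $_.ToString('x2') })`, which yields a 48-character hex string well above the 12-character minimum the step states.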
@@ -122,7 +122,7 @@ Before you can create the PowerShell connector for this tutorial, you need to co The connectivity tab allows you to supply configuration parameters for connecting to a remote system. Configure the connectivity tab with the information provided in the table. -- On the **Connectivity** page, all of the information should be populated. The table is provided as reference. Click **Next**. +- On the **Connectivity** page, all of the information should be populated. The table is provided as reference. Select **Next**. :::image type="content" source="media/on-premises-powershell-connector/powershell-2.png" alt-text="Screenshot of the connectivity screen." lightbox="media/on-premises-powershell-connector/powershell-2.png"::: 
@@ -132,11 +132,11 @@ The connectivity tab allows you to supply configuration parameters for connectin | Domain | \ |Domain of the credential to store for use when the connector is run.| |User| \ | Username of the credential to store for use when the connector is run. | | Password | \ | Password of the credential to store for use when the connector is run. | -| Impersonate Connector Account |Unchecked| When true, the synchronization service runs the Windows PowerShell scripts in the context of the credentials supplied. When possible, it is recommended that the **$Credentials** parameter is passed to each script is used instead of impersonation.| -| Load User Profile When Impersonating |Unchecked|Instructs Windows to load the user profile of the connector’s credentials during impersonation. If the impersonated user has a roaming profile, the connector does not load the roaming profile.| +| Impersonate Connector Account |Unchecked| When true, the synchronization service runs the Windows PowerShell scripts in the context of the credentials supplied. When possible, it's recommended that the **$Credentials** parameter is passed to each script is used instead of impersonation.| +| Load User Profile When Impersonating |Unchecked|Instructs Windows to load the user profile of the connector’s credentials during impersonation. If the impersonated user has a roaming profile, the connector doesn't load the roaming profile.| | Logon Type When Impersonating |None|Logon type during impersonation. For more information, see the [dwLogonType](/windows/win32/api/winbase/nf-winbase-logonusera#parameters) documentation. | |Signed Scripts Only |Unchecked| If true, the Windows PowerShell connector validates that each script has a valid digital signature. 
If false, ensure that the Synchronization Service server’s Windows PowerShell execution policy is RemoteSigned or Unrestricted.| -|Common Module Script Name (with extension)|xADSyncPSConnectorModule.psm1|The connector allows you to store a shared Windows PowerShell module in the configuration. When the connector runs a script, the Windows PowerShell module is extracted to the file system so that it can be imported by each script.| +|Common Module Script Name (with extension)|xADSyncPSConnectorModule.psm1|The connector allows you to store a shared Windows PowerShell module in the configuration. When the connector runs a script, it extracts the Windows PowerShell module to the file system so that each script can import it.| |Common Module Script|[AD Sync PowerShell Connector Module code](https://github.com/microsoft/MIMPowerShellConnectors/blob/master/src/ECMA2HostCSV/Scripts/CommonModule.psm1) as value. This module will be automatically created by the ECMA2Host when the connector is running.|| |Validation Script|\|The Validation Script is an optional Windows PowerShell script that can be used to ensure that connector configuration parameters supplied by the administrator are valid.| |Schema Script|[GetSchema code](https://github.com/microsoft/MIMPowerShellConnectors/blob/master/src/ECMA2HostCSV/Scripts/Schema%20Script.ps1) as value.|| 
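Review bot: The rewritten Impersonate Connector Account row still carries the garbled sentence "it's recommended that the **$Credentials** parameter is passed to each script is used instead of impersonation"; it should read "it's recommended that the **$Credentials** parameter passed to each script is used instead of impersonation". Two rows down, Signed Scripts Only is left at Unchecked with advice to fall back on a RemoteSigned or Unrestricted execution policy; because the connector runs these scripts with the domain credentials stored on this page, a sentence recommending Signed Scripts Only for production deployments belongs in that row. Also, "This module will be automatically created by the ECMA2Host" in the Common Module Script row still uses the "will be" the PR removes elsewhere ("The ECMA2Host creates this module automatically when the connector runs").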
@@ -147,9 +147,9 @@ The connectivity tab allows you to supply configuration parameters for connectin ### Capabilities -The capabilities tab defines the behavior and functionality of the connector. The selections made on this tab cannot be modified when the connector has been created. Configure the capabilities tab with the information provided in the table. +The capabilities tab defines the behavior and functionality of the connector. The selections made on this tab can't be modified when the connector is created. Configure the capabilities tab with the information provided in the table. -- On the **Capabilities** page, all of the information should be populated. The table is provided as reference. Click **Next**. +- On the **Capabilities** page, all of the information should be populated. The table is provided as reference. Select **Next**. :::image type="content" source="media/on-premises-powershell-connector/powershell-4.png" alt-text="Screenshot of the capabilities screen." lightbox="media/on-premises-powershell-connector/powershell-4.png"::: 
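Review bot: "The selections made on this tab can't be modified when the connector is created" now reads as if they are locked at creation time; the original "has been created" meant afterwards. Use "can't be modified after the connector is created".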
@@ -174,9 +174,9 @@ The capabilities tab defines the behavior and functionality of the connector. Th ### Global Parameters -The Global Parameters tab enables you to configure the Windows PowerShell scripts that are run by the connector. You can also configure global values for custom configuration settings defined on the Connectivity tab. Configure the global parameters tab with the information provided in the table. +The Global Parameters tab enables you to configure the Windows PowerShell scripts the connector runs. You can also configure global values for custom configuration settings defined on the Connectivity tab. Configure the global parameters tab with the information provided in the table. -- On the **Global Parameters** page, all of the information should be populated. The table is provided as reference. Click **Next**. +- On the **Global Parameters** page, all of the information should be populated. The table is provided as reference. Select **Next**. :::image type="content" source="media/on-premises-powershell-connector/powershell-5.png" alt-text="Screenshot of the global screen." lightbox="media/on-premises-powershell-connector/powershell-5.png"::: @@ -199,13 +199,13 @@ The Global Parameters tab enables you to configure the Windows PowerShell script ### Partitions, Run Profiles, Export, FullImport -Keep the defaults and click **next**. +Keep the defaults and select **next**. ### Object types Configure the object types tab with the information provided in the table. -- On the **Object types** page, all of the information should be populated. The table is provided as reference. Click **Next**. +- On the **Object types** page, all of the information should be populated. The table is provided as reference. Select **Next**. :::image type="content" source="media/on-premises-powershell-connector/powershell-13.png" alt-text="Screenshot of the object types screen." lightbox="media/on-premises-powershell-connector/powershell-13.png"::: 
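Review bot: "Keep the defaults and select **next**" in the Partitions, Run Profiles, Export, FullImport hunk keeps the lowercase button name from the old text; every other step in this file writes it as **Next**.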
@@ -220,7 +220,7 @@ Configure the object types tab with the information provided in the table. Ensure that the following attributes are selected: -- On the **Select Attributes** page, all of the information should be populated. The table is provided as reference. Click **Next**. +- On the **Select Attributes** page, all of the information should be populated. The table is provided as reference. Select **Next**. - AzureObjectID - IsActive 
@@ -236,17 +236,17 @@ Ensure that the following attributes are selected: On the Deprovisioning page, you can specify if you wish to have Microsoft Entra ID remove users from the directory when they go out of scope of the application. If so, under Disable flow, select Delete, and under Delete flow, select Delete. If Set attribute value is chosen, the attributes selected on the previous page won't be available to select on the Deprovisioning page. -- On the **Deprovisioning** page, all of the information should be populated. The table is provided as reference. Click **Next**. +- On the **Deprovisioning** page, all of the information should be populated. The table is provided as reference. Select **Next**. :::image type="content" source="media/on-premises-powershell-connector/powershell-16.png" alt-text="Screenshot of the deprovisioning screen." lightbox="media/on-premises-powershell-connector/powershell-16.png"::: ## Ensure ECMA2Host service is running and can read from file via PowerShell -Follow these steps to confirm that the connector host has started and has identified any existing users from the target system. +Follow these steps to confirm the connector host is started and has identified any existing users from the target system. 1. On the server running the Microsoft Entra ECMA Connector Host, select **Start**. 2. Select **run** if needed, then enter **services.msc** in the box. -3. In the **Services** list, ensure that **Microsoft ECMA2Host** is present and running. If it is not running, select **Start**. +3. In the **Services** list, ensure that **Microsoft ECMA2Host** is present and running. If it's not running, select **Start**. 4. On the server running the Microsoft Entra ECMA Connector Host, launch PowerShell. 5. Change to the folder where the ECMA host was installed, such as `C:\Program Files\Microsoft ECMA2Host`. 6. Change to the subdirectory `Troubleshooting`. 
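Review bot: "confirm the connector host is started" in the `## Ensure ECMA2Host service is running` hunk is a regression; the removed "has started" was the correct tense for a one-time event. Suggest "confirm that the connector host has started and has identified any existing users from the target system."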
@@ -257,8 +257,8 @@ Follow these steps to confirm that the connector host has started and has identi SecretToken: ************ ``` 8. If the script displays an error or warning message, then check that the service is running, and the connector name and secret token match those values you configured in the configuration wizard. -9. If the script displays the output `False`, then the connector has not seen any entries in the source target system for existing users. If this is a new target system installation, then this behavior is to be expected, and you can continue at the next section. -10. However, if the target system already contains one or more users but the script displayed `False`, then this status indicates the connector could not read from the target system. If you attempt to provision, then Microsoft Entra ID may not correctly match users in that source directory with users in Microsoft Entra ID. Wait several minutes for the connector host to finish reading objects from the existing target system, and then rerun the script. If the output continues to be `False`, then check the configuration of your connector and the permissions in the target system are allowing the connector to read existing users. +9. If the script displays the output `False`, then the connector hasn't seen any entries in the source target system for existing users. If this is a new target system installation, then this behavior is to be expected, and you can continue at the next section. +10. However, if the target system already contains one or more users but the script displayed `False`, then this status indicates the connector couldn't read from the target system. If you attempt to provision, then Microsoft Entra ID may not correctly match users in that source directory with users in Microsoft Entra ID. Wait several minutes for the connector host to finish reading objects from the existing target system, and then rerun the script. 
If the output continues to be `False`, then check the configuration of your connector and the permissions in the target system are allowing the connector to read existing users. @@ -285,7 +285,7 @@ Follow these steps to confirm that the connector host has started and has identi 1. Enter the **Secret Token** value that you defined when you created the connector. > [!NOTE] - > If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Microsoft Entra Connect Provisioning Agent** service, right-click the service, and restart. + > If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Microsoft Entra Connect Provisioning Agent** service, right-select the service, and restart. 1. Select **Test Connection**, and wait one minute. 1. After the connection test is successful and indicates that the supplied credentials are authorized to enable provisioning, select **Save**. 
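Review bot: In the @@ -257 hunk, the closing sentence of step 10 ("If the output continues to be `False`, then check the configuration ...") was moved off the numbered item onto its own unindented line. An unindented line after a list item only stays inside the item by lazy continuation and becomes a separate paragraph that ends the list as soon as someone adds a blank line before it. Either keep the sentence on the same line as step 10 or indent it by three spaces so it is unambiguously part of that item.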
@@ -311,7 +311,7 @@ Return to the web browser window where you were configuring the application prov 1. Enter the **Secret Token** value that you defined when you created the connector. > [!NOTE] - > If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Microsoft Entra Connect Provisioning Agent Service**, right-click the service, and restart. + > If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Microsoft Entra Connect Provisioning Agent Service**, right-select the service, and restart. 1. Select **Test Connection**, and wait one minute. 1. After the connection test is successful and indicates that the supplied credentials are authorized to enable provisioning, select **Save**. 
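Review bot: "right-select the service" in the two NOTE blocks (this @@ -311 hunk and the preceding @@ -285 hunk) is not a UI term and will confuse readers looking for the context menu. The click-to-select pass should not be applied to "right-click", which the Microsoft style guide still allows for a mouse action. Keep "right-click the service", or use "select and hold (or right-click) the service" if device-neutral wording is the goal.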
@@ -330,7 +330,7 @@ You'll use the Azure portal to configure the mapping between the Microsoft Entra 1. Select **Edit provisioning**, and wait 10 seconds. 1. Expand **Mappings** and select **Provision Microsoft Entra users**. If this is the first time you've configured the attribute mappings for this application, there will be only one mapping present, for a placeholder. 1. To confirm that the schema is available in Microsoft Entra ID, select the **Show advanced options** checkbox and select **Edit attribute list for ScimOnPremises**. Ensure that all the attributes selected in the configuration wizard are listed. If not, then wait several minutes for the schema to refresh, and then reload the page. Once you see the attributes listed, then cancel from this page to return to the mappings list. -1. Now, on the click on the **userPrincipalName** PLACEHOLDER mapping. This mapping is added by default when you first configure on-premises provisioning. Change the value to match the following: +1. Now, on the select on the **userPrincipalName** PLACEHOLDER mapping. This mapping is added by default when you first configure on-premises provisioning. Change the value to match the following: |Mapping type|Source attribute|Target attribute| |-----|-----|-----| 
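Review bot: The word swap in "Now, on the click on the **userPrincipalName** PLACEHOLDER mapping" (@@ -330 hunk) produced "Now, on the select on the ...", which is still ungrammatical; the original was already broken and the replacement keeps the broken frame. The step should read "Now, select the **userPrincipalName** PLACEHOLDER mapping."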
@@ -358,7 +358,7 @@ You'll use the Azure portal to configure the mapping between the Microsoft Entra Now that you have the Microsoft Entra ECMA Connector Host talking with Microsoft Entra ID, and the attribute mapping configured, you can move on to configuring who's in scope for provisioning. >[!IMPORTANT] ->If you were signed in using a Hybrid Identity Administrator role, you need to sign-out and sign-in with an account that has at least the Application Administrator role for this section. The Hybrid Identity Administrator role doesn't have permissions to assign users to applications. +>If you were signed in using a Hybrid Identity Administrator role, you need to sign-out and sign-in with an account that's at least the Application Administrator role for this section. The Hybrid Identity Administrator role doesn't have permissions to assign users to applications. If there are existing users in the InputFile.txt, then you should create application role assignments for those existing users. To learn more about how to create application role assignments in bulk, see [governing an application's existing users in Microsoft Entra ID](~/id-governance/identity-governance-applications-existing-users.md). 
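Review bot: "an account that's at least the Application Administrator role" in the IMPORTANT block (@@ -358 hunk) conflates the account with the role; an account holds a role, it is not one. Keep the removed wording "an account that has at least the Application Administrator role", which also matches the "at least a Hybrid Identity Administrator" phrasing used in the prerequisites elsewhere in this PR.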
@@ -389,7 +389,7 @@ Now that your attributes are mapped and users are assigned, you can test on-dema ## Start provisioning users 1. After on-demand provisioning is successful, change back to the provisioning configuration page. Ensure that the scope is set to only assigned users and groups, turn provisioning **On**, and select **Save**. -2. Wait several minutes for provisioning to start. It might take up to 40 minutes. After the provisioning job has been completed, as described in the next section, if you're done testing, you can change the provisioning status to **Off**, and select **Save**. This action stops the provisioning service from running in the future. +2. Wait several minutes for provisioning to start. It might take up to 40 minutes. After the provisioning job is completed, as described in the next section, if you're done testing, you can change the provisioning status to **Off**, and select **Save**. This action stops the provisioning service from running in the future. ## Next steps diff --git a/docs/identity/app-provisioning/on-premises-sap-connector-configure.md b/docs/identity/app-provisioning/on-premises-sap-connector-configure.md index 90edc1e5551..718c15c3d55 100644 --- a/docs/identity/app-provisioning/on-premises-sap-connector-configure.md +++ b/docs/identity/app-provisioning/on-premises-sap-connector-configure.md 
@@ -7,13 +7,13 @@ manager: amycolannino ms.service: entra-id ms.subservice: app-provisioning ms.topic: how-to -ms.date: 02/13/2024 +ms.date: 12/13/2024 ms.author: billmath ms.reviewer: arvinh --- # Configuring Microsoft Entra ID to provision users into SAP ECC with NetWeaver AS ABAP 7.0 or later -The following documentation provides configuration and tutorial information demonstrating how to provision users from Microsoft Entra ID into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver 7.0 or later. If you are using other versions of SAP R/3, you can still use the guides provided in the [Connectors for Microsoft Identity Manager 2016](https://www.microsoft.com/download/details.aspx?id=51495) download as a reference to build your own template for provisioning. If you are using SAP S/4HANA or other SAP SaaS applications, follow the [tutorial to configure SAP Cloud Identity Services for automatic user provisioning](~/identity/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial.md) instead. For more information on the SAP integrations, see [manage access to your SAP applications](~/id-governance/sap.md). +The following documentation provides configuration and tutorial information demonstrating how to provision users from Microsoft Entra ID into SAP ERP Central Component (SAP ECC, formerly SAP R/3) with NetWeaver 7.0 or later. If you're using other versions of SAP R/3, you can still use the guides provided in the [Connectors for Microsoft Identity Manager 2016](https://www.microsoft.com/download/details.aspx?id=51495) download as a reference to build your own template for provisioning. If you are using SAP S/4HANA or other SAP SaaS applications, follow the [tutorial to configure SAP Cloud Identity Services for automatic user provisioning](~/identity/saas-apps/sap-cloud-platform-identity-authentication-provisioning-tutorial.md) instead. 
For more information on the SAP integrations, see [manage access to your SAP applications](~/id-governance/sap.md). [!INCLUDE [app-provisioning-sap.md](~/includes/app-provisioning-sap.md)] diff --git a/docs/identity/app-provisioning/on-premises-scim-provisioning.md b/docs/identity/app-provisioning/on-premises-scim-provisioning.md index 7e3883f9e3e..b769bc164db 100644 --- a/docs/identity/app-provisioning/on-premises-scim-provisioning.md +++ b/docs/identity/app-provisioning/on-premises-scim-provisioning.md @@ -6,7 +6,7 @@ manager: amycolannino ms.service: entra-id ms.subservice: app-provisioning ms.topic: conceptual -ms.date: 02/13/2024 +ms.date: 12/13/2024 ms.author: billmath ms.reviewer: arvinh --- 
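Review bot: In the SAP ECC intro hunk (@@ -7), "If you are using other versions" became "If you're using", but the very next sentence in the same paragraph still reads "If you are using SAP S/4HANA", so the contraction pass is incomplete; change it as well so the paragraph is consistent.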
@@ -21,7 +21,7 @@ The Microsoft Entra provisioning service supports a [SCIM 2.0](https://techcommu - A Microsoft Entra tenant with Microsoft Entra ID P1 or Premium P2 (or EMS E3 or E5). [!INCLUDE [active-directory-p1-license.md](~/includes/entra-p1-license.md)] - Administrator role for installing the agent. This task is a one-time effort and should be an Azure account that's at least a Hybrid Identity Administrator. - Administrators must be at least an Application Administrator, Cloud Application Administrator, or a custom role with permissions. -- A computer with at least 3 GB of RAM, to host a provisioning agent. The computer should have Windows Server 2016 or a later version of Windows Server, with connectivity to the target application, and with outbound connectivity to login.microsoftonline.com, other Microsoft Online Services and Azure domains. An example is a Windows Server 2016 virtual machine hosted in Azure IaaS or behind a proxy. +- A computer with at least 3 GB of RAM, to host a provisioning agent. The computer should have Windows Server 2016 or a later version of Windows Server, with connectivity to the target application, and with outbound connectivity to login.microsoftonline.com, other Microsoft Online Services, and Azure domains. An example is a Windows Server 2016 virtual machine hosted in Azure IaaS or behind a proxy. - Ensure your [SCIM](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/provisioning-with-scim-getting-started/ba-p/880010) implementation meets the [Microsoft Entra SCIM requirements](use-scim-to-provision-users-and-groups.md). Microsoft Entra ID offers open-source [reference code](https://github.com/AzureAD/SCIMReferenceCode/wiki) that developers can use to bootstrap their SCIM implementation, as described in [Tutorial: Develop a sample SCIM endpoint in Microsoft Entra ID](use-scim-to-build-users-and-groups-endpoints.md). - Support the /schemas endpoint to reduce configuration required in the Azure portal. 
@@ -45,7 +45,7 @@ The Microsoft Entra provisioning service supports a [SCIM 2.0](https://techcommu 8. Leave the portal and open the provisioning agent installer, agree to the terms of service, and select **Install**. 9. Wait for the Microsoft Entra provisioning agent configuration wizard and then select **Next**. 10. In the **Select Extension** step, select **On-premises application provisioning** and then select **Next**. - 11. The provisioning agent will use the operating system's web browser to display a popup window for you to authenticate to Microsoft Entra ID, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly. + 11. The provisioning agent uses the operating system's web browser to display a popup window for you to authenticate to Microsoft Entra ID, and potentially also your organization's identity provider. If you're using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly. 12. Provide credentials for a Microsoft Entra administrator when you're prompted to authorize. The user is required to have at least the [Hybrid Identity Administrator](/entra/identity/role-based-access-control/permissions-reference#hybrid-identity-administrator) role. 13. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer. diff --git a/docs/identity/multi-tenant-organizations/cross-tenant-synchronization-overview.md b/docs/identity/multi-tenant-organizations/cross-tenant-synchronization-overview.md index bd22dc64649..dc1fc99c08f 100644 --- a/docs/identity/multi-tenant-organizations/cross-tenant-synchronization-overview.md 
+++ b/docs/identity/multi-tenant-organizations/cross-tenant-synchronization-overview.md @@ -127,7 +127,7 @@ Which clouds can cross-tenant synchronization be used in? - Cross-tenant synchronization is supported within the commercial cloud and Azure Government. - Cross-tenant synchronization isn't supported within the Microsoft Azure operated by 21Vianet cloud. -- Synchronization is only supported between two tenants in the same Azure cloud. To see the relationship between the Azure Cloud environments and M365 (GCC, GCCH) see [here](https://learn.microsoft.com/azure/security/fundamentals/feature-availability#microsoft-365-integration). Synchronization between commercial and GCC is supported. +- Synchronization is only supported between two tenants in the same Azure cloud. For information about the relationship between the Azure Cloud environments and Microsoft 365 (GCC, GCCH), see [Microsoft 365 integration](/azure/security/fundamentals/feature-availability#microsoft-365-integration). Synchronization between commercial and GCC is supported. - Cross-cloud (such as public cloud to Azure Government) isn't currently supported. #### Existing B2B users diff --git a/docs/identity/users/directory-delegated-administration-primer.md b/docs/identity/users/directory-delegated-administration-primer.md index 53e526246d0..09b8a709d99 100644 --- a/docs/identity/users/directory-delegated-administration-primer.md +++ b/docs/identity/users/directory-delegated-administration-primer.md @@ -6,7 +6,7 @@ author: barclayn manager: amycolannino ms.author: barclayn ms.reviewer: yuank -ms.date: 03/13/2023 +ms.date: 12/13/2024 ms.topic: overview ms.service: entra-id ms.subservice: users 
@@ -26,20 +26,19 @@ Delegated administration relationships enable technicians at a Microsoft CSP to There are two types of delegated administration relationships that are visible in the Azure portal experience. The newer type of delegated admin relationship is known as Granular Delegated Admin Permission. The older type of relationship is known as Delegated Admin Permission. You can see both types of relationship if you sign in to the Azure portal and then select **Delegated administration**. ## Granular delegated admin permission +When a Microsoft CSP creates a GDAP relationship request for your tenant, a Global Administrator needs to approve the request. The GDAP relationship request specifies: -When a Microsoft CSP creates a GDAP relationship request for your tenant a Global Administrator needs to approve the request. The GDAP relationship request specifies: +- The CSP partner tenant +- The roles that the partner needs to delegate to their technicians +- The expiration date -* The CSP partner tenant -* The roles that the partner needs to delegate to their technicians -* The expiration date - -If you have GDAP relationships in your tenant, you will see a notification banner on the **Delegated Administration** page in the Microsoft Entra admin center. Select the notification banner to see and manage GDAP relationships in the **Partners** page in Microsoft Admin Center. +If you have GDAP relationships in your tenant, you see a notification banner on the **Delegated Administration** page in the Microsoft Entra admin center. Select the notification banner to see and manage GDAP relationships in the **Partners** page in Microsoft Admin Center. ## Delegated admin permission -All DAP relationships enable the CSP to delegate Global Administrator and Helpdesk Administrator roles to their technicians. Unlike a GDAP relationship, a DAP relationship persists until they are revoked either by you or by your CSP. 
+All DAP relationships enable the CSP to delegate Global Administrator and Helpdesk Administrator roles to their technicians. Unlike a GDAP relationship, a DAP relationship persists until you or your CSP revokes them. -If you have any DAP relationships in your tenant, you will see them in the list on the Delegated Administration page in the Azure portal. To remove a DAP relationship for a CSP, follow the link to the Partners page in the Microsoft Admin Center. +If you have any DAP relationships in your tenant, you can see them in the list on the Delegated Administration page in the Azure portal. To remove a DAP relationship for a CSP, follow the link to the Partners page in the Microsoft Admin Center. ## Next steps diff --git a/docs/identity/users/directory-self-service-signup.md b/docs/identity/users/directory-self-service-signup.md index 5053357216d..9b9a747eef9 100644 --- a/docs/identity/users/directory-self-service-signup.md +++ b/docs/identity/users/directory-self-service-signup.md @@ -1,17 +1,14 @@ --- title: Self-service sign up for email-verified users description: Use self-service sign-up in a Microsoft Entra organization - author: barclayn manager: amycolannino - ms.service: entra-id ms.subservice: users ms.topic: overview ms.date: 12/13/2024 ms.author: barclayn ms.reviewer: elkuzmen -ms.custom: it-pro, has-azure-ad-ps-ref --- # What is self-service sign-up for Microsoft Entra ID? 
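Review bot: "a DAP relationship persists until you or your CSP revokes them" (`## Delegated admin permission`, directory-delegated-administration-primer.md) introduces a number disagreement: the subject is the singular "a DAP relationship", so the pronoun should be "it". Suggest "Unlike a GDAP relationship, a DAP relationship persists until you or your CSP revokes it."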
@@ -28,8 +25,9 @@ This article explains how to use self-service sign-up to populate an organizatio ## Terms and definitions * **Self-service sign-up** is the method by which a user signs up for a cloud service and has an identity automatically created for them in Microsoft Entra ID based on their email domain. -* **Unmanaged Microsoft Entra tenant** is the tenant where that identity is created. An unmanaged tenant is a tenant that has no Global Administrator. -* **Email-verified user** is a type of user account in Microsoft Entra ID. A user who has an identity created automatically after signing up for a self-service offer is known as an email-verified user. An email-verified user is a regular member of a tenant tagged with creationmethod=EmailVerified. +* An **unmanaged Microsoft Entra tenant** is the tenant where that identity is created. An unmanaged tenant is a tenant that has no Global Administrator. +* An **email-verified user** is a type of user account in Microsoft Entra ID. A user who has an identity created automatically after signing up for a self-service offer is known as an email-verified user. An email-verified user is a regular member of a tenant tagged with creationmethod=EmailVerified. + ## How do I control self-service settings? 
@@ -76,7 +74,8 @@ Update-MgPolicyAuthorizationPolicy -BodyParameter $param The following flowchart explains the different combinations for these parameters and the resulting conditions for the tenant and self-service sign-up. -:::image type="content" source="./media/directory-self-service-signup/SelfServiceSignUpControls.png" alt-text="Flowchart of self-service sign up controls."::: + +:::image type="content" source="./media/directory-self-service-signup/SelfServiceSignUpControls.png" alt-text="flowchart of self-service sign up controls."::: You can retrieve this setting's details using the PowerShell cmdlet Get-MgPolicyAuthorizationPolicy. For more information, see [Get-MgPolicyAuthorizationPolicy](/powershell/module/microsoft.graph.identity.signins/get-mgpolicyauthorizationpolicy). diff --git a/docs/identity/users/groups-saasapps.md b/docs/identity/users/groups-saasapps.md index 90816b78118..320740f44c3 100644 --- a/docs/identity/users/groups-saasapps.md +++ b/docs/identity/users/groups-saasapps.md @@ -7,14 +7,14 @@ manager: amycolannino ms.service: entra-id ms.subservice: users ms.topic: how-to -ms.date: 11/15/2023 +ms.date: 12/13/2024 ms.author: barclayn ms.reviewer: krbain ms.custom: it-pro --- # Use a group to manage access to SaaS applications -When you use Microsoft Entra ID with a Microsoft Entra ID P1 or P2 license plan, you can use groups to assign access to a software as a service (SaaS) application that's integrated with Microsoft Entra ID. +When you use Microsoft Entra ID with a Microsoft Entra ID P1 or P2 license plan, you can use groups to assign access to software as a service (SaaS) applications integrated with Microsoft Entra ID. For example, if you want to assign access for a marketing department to use five different SaaS applications, you can create an Office 365 or security group that contains the users in the marketing department. Then you can assign that group to the five SaaS applications that the marketing department needs. 
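Review bot: The alt text change in directory-self-service-signup.md (@@ -76) lowercases "Flowchart" to "flowchart" and adds a stray blank line before the image; alt text is read as a sentence and should start with a capital letter, so this is a regression rather than a fix. Revert to `alt-text="Flowchart of self-service sign up controls."` (hyphenating "sign-up" would also match the article title).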
@@ -39,7 +39,7 @@ With Microsoft Entra ID, you can save time by managing the membership of the mar 1. Select an application that you added from the Application Gallery to open it. 1. On the left pane, select **Users and groups**, and then select **Add user/group**. 1. On **Add Assignment**, select **Users and groups** to open the **Users and groups** selection list. -1. Select as many groups or users as you want, and then click or tap **Select** to add them to the **Add Assignment** list. You can also assign a role to a user at this stage. +1. Select as many groups or users as you want, and then select or tap **Select** to add them to the **Add Assignment** list. You can also assign a role to a user at this stage. 1. Select **Assign** to assign the users or groups to the selected enterprise application. ## Next steps diff --git a/docs/identity/users/groups-write-back-portal.md b/docs/identity/users/groups-write-back-portal.md index 25aeeb674ea..7a525be5f5f 100644 --- a/docs/identity/users/groups-write-back-portal.md +++ b/docs/identity/users/groups-write-back-portal.md @@ -6,7 +6,7 @@ author: barclayn manager: amycolannino ms.author: barclayn ms.reviewer: jordan.dahl -ms.date: 11/15/2023 +ms.date: 12/13/2024 ms.topic: how-to ms.service: entra-id ms.subservice: users @@ -36,8 +36,8 @@ To understand the behavior of `No writeback` in the portal, you can view the wri | Portal | Microsoft Graph| Behavior| |--------|---------|---------| -| Writeback | isEnabled = null or true | The group will be written back. | -| No writeback | isEnabled = false | The group won't be written back.| +| Writeback | isEnabled = null or true | The group is written back. | +| No writeback | isEnabled = false | The group is not written back.| | No writeback | IsEnabled = null & onPremisesGroupType = null | If it's a Microsoft 365 group, it's written back to on-premises Active Directory as a distribution group.
If it's a Microsoft Entra security group, it's written back to on-premises Active Directory. | By default, the **Group writeback state** of groups is set to **No writeback**. This means: diff --git a/docs/identity/users/linkedin-integration.md b/docs/identity/users/linkedin-integration.md index 8d2fa12cc27..30de5b33eaa 100644 --- a/docs/identity/users/linkedin-integration.md +++ b/docs/identity/users/linkedin-integration.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id ms.subservice: users ms.topic: how-to -ms.date: 11/21/2023 +ms.date: 12/13/2024 ms.author: barclayn ms.reviewer: beengen ms.custom: it-pro, has-azure-ad-ps-ref, azure-ad-ref-level-one-done @@ -52,7 +52,7 @@ You can enable LinkedIn account connections for only the users you want to have ### Assign selected users with a group -We have replaced the 'Selected' option that specifies a list of users with the option to select a group of users so that you can enable the ability to connect LinkedIn and Microsoft accounts for a single group instead of many individual users. If you don't have LinkedIn account connections enabled for selected individual users, you don't need to do anything. If you have previously enabled LinkedIn account connections for selected individual users, you should: +We replaced the 'Selected' option that specifies a list of users with the option to select a group of users so that you can enable the ability to connect LinkedIn and Microsoft accounts for a single group instead of many individual users. If you don't have LinkedIn account connections enabled for selected individual users, you don't need to do anything. If you have previously enabled LinkedIn account connections for selected individual users, you should: 1. Get the current list of individual users. 1. Move the currently enabled individual users to a group. diff --git a/docs/identity/users/users-sharing-accounts.md b/docs/identity/users/users-sharing-accounts.md index a0dd09b8f6e..167644dceb1 100644 
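Review bot: "select or tap **Select**" in the groups-saasapps.md hunk (@@ -39) is redundant: the reason the style guide prefers "select" over "click" is that it already covers mouse and touch, so "or tap" adds nothing. Write "and then choose **Select** to add them to the **Add Assignment** list" to avoid both the redundancy and the awkward "select **Select**".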
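Review bot: In the groups-write-back-portal.md table (@@ -36), "The group is not written back." breaks the contraction style this PR applies everywhere else ("can't", "isn't", "it's", "you're"); use "The group isn't written back." to match the change set and the rest of the table, where the third row already uses "it's".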
--- a/docs/identity/users/users-sharing-accounts.md +++ b/docs/identity/users/users-sharing-accounts.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-id ms.subservice: users ms.topic: how-to -ms.date: 06/24/2022 +ms.date: 12/13/2024 ms.author: barclayn ms.reviewer: krbain ms.custom: it-pro 
@@ -42,7 +42,7 @@ The Microsoft Entra administrator configures which applications a user can acces Users sign in once with their organizational account. This account is the same one they regularly use to access their desktop or email. They can discover and access only those applications that they're assigned to. With shared accounts, this list of applications can include any number of shared credentials. The end-user doesn't need to remember or write down the various accounts they might be using. -Shared accounts not only increase oversight and improve usability, they also enhance your security. Users with permissions to use the credentials don't see the shared password, but rather get permissions to use the password as part of an orchestrated authentication flow. Further, some password SSO applications give you the option of using Microsoft Entra ID to periodically rollover (update) passwords. The system uses large, complex passwords, which increase account security. The administrator can easily grant or revoke access to an application, knows who has access to the account, and who accessed it in the past. +Shared accounts increase oversight, improve usability, and enhance your security. Users with permissions to use the credentials don't see the shared password, but rather get permissions to use the password as part of an orchestrated authentication flow. Further, some password SSO applications give you the option of using Microsoft Entra ID to periodically rollover (update) passwords. The system uses large, complex passwords, which increase account security. The administrator can easily grant or revoke access to an application, knows who has access to the account, and who accessed it in the past. Microsoft Entra ID supports shared accounts for any Enterprise Mobility Suite (EMS) or Microsoft Entra ID P1 or P2 license plan, across all types of password single sign-on applications. 
You can share accounts for any of thousands of preintegrated applications in the application gallery and can add your own password-authenticating application with [custom SSO apps](~/identity/enterprise-apps/what-is-single-sign-on.md). diff --git a/docs/verified-id/credential-design.md b/docs/verified-id/credential-design.md index 39e6fa66c9f..d8c9c2dc56a 100644 --- a/docs/verified-id/credential-design.md +++ b/docs/verified-id/credential-design.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-verified-id ms.topic: how-to -ms.date: 06/22/2022 +ms.date: 12/13/2024 ms.author: barclayn # Customer intent: As a developer, I am looking for information about how to enable my users to control their own information. --- @@ -15,7 +15,7 @@ ms.author: barclayn # Customize your verifiable credentials -Verifiable credentials definitions are made up of two components, *display* definitions and *rules* definitions. A display definition controls the branding of the credential and styling of the claims. A rules definition determines what users need to provide before they receive a verifiable credential. +Verifiable credentials (VC)s definitions are made up of two components, *display* definitions and *rules* definitions. A display definition controls the branding of the credential and styling of the claims. A rules definition determines what users need to provide before they receive a verifiable credential. This article explains how to modify both types of definitions to meet the requirements of your organization. 
@@ -95,14 +95,14 @@ The rules definition is a simple JSON document that describes important properti The following four attestation types are currently available to be configured in the rules definition. They are different ways of providing claims used by the Microsoft Entra Verified ID issuing service to be inserted into a verifiable credential and attest to that information with your decentralized identifier (DID). Multiple attestation types can be used in the rules definition. -* **ID token**: When this option is configured, you'll need to provide an OpenID Connect configuration URI and include the claims that should be included in the verifiable credential. Users are prompted to 'Sign in' on the Authenticator app to meet this requirement and add the associated claims from their account. To configure this option, see this [how to guide](how-to-use-quickstart-idtoken.md) +* **ID token**: When this option is configured, you need to provide an OpenID Connect configuration URI and include the claims that should be included in the verifiable credential. Users are prompted to 'Sign in' on the Authenticator app to meet this requirement and add the associated claims from their account. To configure this option, see this [how to guide](how-to-use-quickstart-idtoken.md) -* **ID token hint**: The sample App and Tutorial use the ID token Hint. When this option is configured, the relying party app will need to provide claims that should be included in the verifiable credential in the Request Service API issuance request. Where the relying party app gets the claims from is up to the app, but it can come from the current sign-in session, from backend CRM systems or even from self asserted user input. To configure this option, please see this [how to guide](how-to-use-quickstart.md) +* **ID token hint**: The sample App and Tutorial use the ID token Hint. 
When this option is configured, the relying party app needs to provide claims that should be included in the verifiable credential in the Request Service API issuance request. Where the relying party app gets the claims from is up to the app, but it can come from the current sign-in session, from backend CRM systems or even from self asserted user input. To configure this option, see this [how to guide](how-to-use-quickstart.md) -* **Verifiable credentials**: The end result of an issuance flow is to produce a verifiable credential but you may also ask the user to Present a verifiable credential in order to issue one. The rules definition is able to take specific claims from the presented verifiable credential and include those claims in the newly issued verifiable credential from your organization. To configure this option, please see this [how to guide](how-to-use-quickstart-presentation.md) +* **Verifiable credentials**: The end result of an issuance flow is to produce a verifiable credential but you may also ask the user to Present a verifiable credential in order to issue one. The rules definition is able to take specific claims from the presented verifiable credential and include those claims in the newly issued verifiable credential from your organization. To configure this option, see this [how to guide](how-to-use-quickstart-presentation.md) -* **Self-attested claims**: When this option is selected, the user can type information directly into Authenticator. At this time, strings are the only supported input for self attested claims. To configure this option, please see this [how to guide](how-to-use-quickstart-selfissued.md) +* **Self-attested claims**: When this option is selected, the user can type information directly into Authenticator. At this time, strings are the only supported input for self attested claims. 
To configure this option, see this [how to guide](how-to-use-quickstart-selfissued.md) For more information about the rules JSON model, see [rulesModel type](rules-and-display-definitions-model.md#rulesmodel-type). diff --git a/docs/verified-id/get-started-request-api.md b/docs/verified-id/get-started-request-api.md index 0680be737ff..37fe25b938a 100644 --- a/docs/verified-id/get-started-request-api.md +++ b/docs/verified-id/get-started-request-api.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-verified-id ms.topic: how-to -ms.date: 06/16/2022 +ms.date: 12/13/2024 ms.author: barclayn #Customer intent: As an administrator, I'm trying to learn how to use the Request Service API and integrate it into my business application. @@ -465,7 +465,7 @@ Presentation request with [claims constraints](presentation-request-api.md#const # [With FaceCheck](#tab/facecheck) -Presentation request with FaceCheck. When using FaceCheck, the `includeReceipt` must be false as receipt is not supported then. +Presentation request with FaceCheck. When using FaceCheck, the `includeReceipt` must be false as receipt isn't supported then. ```JSON { diff --git a/docs/verified-id/helpdesk-with-verified-id.md b/docs/verified-id/helpdesk-with-verified-id.md index 08c1fb1bd4d..24b27dcb5cc 100644 --- a/docs/verified-id/helpdesk-with-verified-id.md +++ b/docs/verified-id/helpdesk-with-verified-id.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-verified-id ms.topic: conceptual -ms.date: 04/06/2023 +ms.date: 12/13/2024 ms.author: barclayn --- 
@@ -49,7 +49,7 @@ You first select who can request issuance of a Verified ID by selecting all user An enterprise can set up Microsoft Entra Verified ID integration by either: 1. Adding it as an inline process like a `Get Verified` button in the Service desk webapp, follow the steps to add a Presentation request to verify Verified ID with Face Check. Steps are mentioned in the link [https://aka.ms/verifiedidfacecheck](https://aka.ms/verifiedidfacecheck) -1. Setting up a dedicated web application that could accept Microsoft Entra Verified ID `VerifiedEmployee` with [Face Check](using-facecheck.md). Use the GitHub [sample](https://github.com/Azure-Samples/active-directory-verifiable-credentials-dotnet/tree/main/6-woodgrove-helpdesk) to deploy the custom webapp. Click `Deploy to Azure` to deploy the [ARM template](/azure/azure-resource-manager/templates/) that uses Managed Identity. +1. Setting up a dedicated web application that could accept Microsoft Entra Verified ID `VerifiedEmployee` with [Face Check](using-facecheck.md). Use the GitHub [sample](https://github.com/Azure-Samples/active-directory-verifiable-credentials-dotnet/tree/main/6-woodgrove-helpdesk) to deploy the custom webapp. Select `Deploy to Azure` to deploy the [ARM template](/azure/azure-resource-manager/templates/) that uses Managed Identity. :::image type="content" source="media/helpdesk-with-verified-id/deploy-to-azure.png" alt-text="Screenshot of Deploy to Azure using ARM template."::: diff --git a/docs/verified-id/how-to-create-a-free-developer-account.md b/docs/verified-id/how-to-create-a-free-developer-account.md index b4ea0cb00e4..e53bcdf75b3 100644 --- a/docs/verified-id/how-to-create-a-free-developer-account.md +++ b/docs/verified-id/how-to-create-a-free-developer-account.md 
@@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-verified-id ms.topic: how-to -ms.date: 01/26/2023 +ms.date: 12/13/2024 ms.author: barclayn # Customer intent: As a developer, I want to learn how to create a developer Microsoft Entra account so I can participate in the preview with a P2 license. --- diff --git a/docs/verified-id/linkedin-employment-verification.md b/docs/verified-id/linkedin-employment-verification.md index 11c46ab7315..65b9ef3988e 100644 --- a/docs/verified-id/linkedin-employment-verification.md +++ b/docs/verified-id/linkedin-employment-verification.md @@ -7,7 +7,7 @@ manager: amycolannino ms.service: entra-verified-id ms.topic: conceptual -ms.date: 10/03/2023 +ms.date: 12/13/2024 ms.author: barclayn --- diff --git a/docs/verified-id/partner-gallery.md b/docs/verified-id/partner-gallery.md index e2397f3f685..0e7591f3957 100644 --- a/docs/verified-id/partner-gallery.md +++ b/docs/verified-id/partner-gallery.md @@ -6,7 +6,7 @@ ms.service: entra-verified-id author: barclayn manager: amycolannino ms.topic: how-to -ms.date: 10/12/2023 +ms.date: 12/13/2024 ms.author: barclayn --- diff --git a/docs/verified-id/using-facecheck.md b/docs/verified-id/using-facecheck.md index 76f881ce292..26fd84aca61 100644 --- a/docs/verified-id/using-facecheck.md +++ b/docs/verified-id/using-facecheck.md @@ -7,7 +7,7 @@ author: barclayn manager: amycolannino ms.author: barclayn ms.topic: tutorial -ms.date: 10/06/2023 +ms.date: 12/13/2024 # Customer intent: As an enterprise, we want to enable customers to manage information about themselves by using verifiable credentials. --- 
@@ -28,7 +28,7 @@ Face Check is a premium feature within Verified ID. You need to enable the Face ## Setting up Face Check with Microsoft Entra Verified ID -The Face Check Add-on can be enabled in two ways from the Microsoft Entra Admin Center or by using the [Azure Resource Manager (ARM) Rest API](/rest/api/resources) via CLI. If you're going to use Face Check in a tenant with the [Microsoft Entra Suite license](/entra/fundamentals/try-microsoft-entra-suite), Face Check is enabled at the tenant level, and the configuration applies to all authorities within that tenant. For any other licenses you can enable Face Check individually by each authority on your tenant using the Azure Resource Manager (ARM) Rest API. +The Face Check Add-on can be enabled in two ways from the Microsoft Entra Admin Center or by using the [Azure Resource Manager (ARM) Rest API](/rest/api/resources) via CLI. If you're going to use Face Check in a tenant with the [Microsoft Entra Suite license](/entra/fundamentals/try-microsoft-entra-suite), Face Check is enabled at the tenant level, and the configuration applies to all authorities within that tenant. For any other licenses, you can enable Face Check individually by each authority on your tenant using the Azure Resource Manager (ARM) Rest API. > [!NOTE] > The ARM Rest API for Microsoft Entra Verified ID is currently in public preview. 
@@ -53,7 +53,7 @@ Now you can start using Face Check in your enterprise applications. > [!NOTE] > The ARM Rest API for Microsoft Entra Verified ID is currently in public preview. -To set up the Face Check Add-on on a given authority, you must have the [Azure PowerShell tools](/powershell/azure/install-azps-windows) in your machine. The below mechanism wraps the REST call. You can alternatively use the Azure Resource Manager (ARM) Rest API PUT accordingly +To set up the Face Check Add-on on a given authority, you must have the [Azure PowerShell tools](/powershell/azure/install-azps-windows) in your machine. This mechanism wraps the REST call. You can alternatively use the Azure Resource Manager (ARM) Rest API PUT accordingly 1. Run the following command in PowerShell ```http @@ -65,7 +65,7 @@ To set up the Face Check Add-on on a given authority, you must have the [Azure P ```http az rest --method PUT --uri /subscriptions//resourceGroups//providers/Microsoft.VerifiedId/authorities/?api-version=2024-01-26-preview --body "{'location':''}" ``` -- replace `` with your subscription id +- replace `` with your subscription ID - replace `` with your resource group name - replace `` with your authority ID. You can obtain the `authority-id` using the [GET Authorities](admin-api.md#get-authority) call from the Admin API. - replace `` using one of the following two values: 
@@ -266,7 +266,7 @@ The Verified ID service executes the verification process in the cloud, not on t ### What are the requirements for the photo in the Verified ID? -The photo should be clear and sharp in quality and no smaller than 200 pixels x 200 pixels. The face should be centered within the image and unobstructed from view. The maximum size of the photo in the credential is 1MB. Please note that having a larger image does not guarantee a better result. A good smaller photo is better than a large bad one. +The photo should be clear and sharp in quality and no smaller than 200 pixels x 200 pixels. The face should be centered within the image and unobstructed from view. The maximum size of the photo in the credential is 1 MB. Note that having a larger image doesn't guarantee a better result. A good smaller photo is better than a large bad one. More information on how to improve the photo processing accuracy can be found [here](/legal/cognitive-services/face/characteristics-and-limitations?#best-practices-for-improving-accuracy) diff --git a/docs/verified-id/verifiable-credentials-configure-issuer.md b/docs/verified-id/verifiable-credentials-configure-issuer.md index 194bb50853a..0eba6549558 100644 --- a/docs/verified-id/verifiable-credentials-configure-issuer.md +++ b/docs/verified-id/verifiable-credentials-configure-issuer.md @@ -7,7 +7,7 @@ author: barclayn manager: amycolannino ms.author: barclayn ms.topic: tutorial -ms.date: 09/15/2023 +ms.date: 12/13/2024 # Customer intent: As an enterprise, we want to enable customers to manage information about themselves by using verifiable credentials. --- 
@@ -51,7 +51,7 @@ In this step, you create the verified credential expert card by using Microsoft 1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Administrator](~/identity/role-based-access-control/permissions-reference.md#global-administrator). 1. Select **Verifiable credentials**. 1. After you [set up your tenant](verifiable-credentials-configure-tenant.md), the **Create credential** should appear. Alternatively, you can select **Credentials** in the left hand menu and select **+ Add a credential**. -1. In **Create credential**, select **Custom Credential** and click **Next**: +1. In **Create credential**, select **Custom Credential** and select **Next**: 1. For **Credential name**, enter **VerifiedCredentialExpert**. This name is used in the portal to identify your verifiable credentials. It's included as part of the verifiable credentials contract. @@ -183,7 +183,7 @@ At this point, you should have all the required information that you need to set ## Update the sample application -Now you'll make modifications to the sample app's issuer code to update it with your verifiable credential URL. This step allows you to issue verifiable credentials by using your own tenant. +Now you make modifications to the sample app's issuer code to update it with your verifiable credential URL. This step allows you to issue verifiable credentials by using your own tenant. 1. Under the *active-directory-verifiable-credentials-dotnet-main* folder, open Visual Studio Code, and select the project inside the *1-asp-net-core-api-idtokenhint* folder. 
@@ -247,11 +247,11 @@ Now you're ready to issue your first verified credential expert card by running :::image type="content" source="media/verifiable-credentials-configure-issuer/get-credentials.png" alt-text="Screenshot that shows how to choose to get the credential from the sample app."::: -1. Using your mobile device, scan the QR code with the Authenticator app. For more info on scanning the QR code, please see the [FAQ section](verifiable-credentials-faq.md#scanning-the-qr-code). +1. Using your mobile device, scan the QR code with the Authenticator app. For more info on scanning the QR code, see the [FAQ section](verifiable-credentials-faq.md#scanning-the-qr-code). :::image type="content" source="media/verifiable-credentials-configure-issuer/scan-issuer-qr-code.png" alt-text="Screenshot that shows how to scan the QR code."::: -1. At this time, you'll see a message warning that this app or website might be risky. Select **Advanced**. +1. At this time, you see a message warning that this app or website might be risky. Select **Advanced**. :::image type="content" source="media/verifiable-credentials-configure-issuer/at-risk.png" alt-text="Screenshot that shows how to respond to the warning message."::: 
@@ -259,7 +259,7 @@ Now you're ready to issue your first verified credential expert card by running :::image type="content" source="media/verifiable-credentials-configure-issuer/proceed-anyway.png" alt-text="Screenshot that shows how to proceed with the risky warning."::: -1. You'll be prompted to enter a PIN code that is displayed in the screen where you scanned the QR code. The PIN adds an extra layer of protection to the issuance. The PIN code is randomly generated every time an issuance QR code is displayed. +1. You are prompted to enter a PIN code that is displayed in the screen where you scanned the QR code. The PIN adds an extra layer of protection to the issuance. The PIN code is randomly generated every time an issuance QR code is displayed. :::image type="content" source="media/verifiable-credentials-configure-issuer/enter-verification-code.png" alt-text="Screenshot that shows how to type the pin code."::: diff --git a/docs/verified-id/verifiable-credentials-configure-verifier.md b/docs/verified-id/verifiable-credentials-configure-verifier.md index 5989f341d13..c53aa77a52f 100644 --- a/docs/verified-id/verifiable-credentials-configure-verifier.md +++ b/docs/verified-id/verifiable-credentials-configure-verifier.md @@ -7,7 +7,7 @@ author: barclayn manager: amycolannino ms.author: barclayn ms.topic: tutorial -ms.date: 08/16/2022 +ms.date: 12/13/2024 # Customer intent: As an enterprise, we want to enable customers to manage information about themselves by using verifiable credentials. --- 
@@ -15,7 +15,7 @@ ms.date: 08/16/2022 # Configure Microsoft Entra Verified ID verifier -In [Issue Microsoft Entra Verified ID credentials from an application](verifiable-credentials-configure-issuer.md), you learn how to issue and verify credentials by using the same Microsoft Entra tenant. In a real-world scenario, where the issuer and verifier are separate organizations, the verifier uses *their own* Microsoft Entra tenant to perform the verification of the credential that was issued by the other organization. In this tutorial, you go over the steps needed to present and verify your first verifiable credential: a verified credential expert card. +In [Issue Microsoft Entra Verified ID credentials from an application](verifiable-credentials-configure-issuer.md), you learn how to issue and verify credentials by using the same Microsoft Entra tenant. In a real-world scenario, where the issuer and verifier are separate organizations, the verifier uses *their own* Microsoft Entra tenant to perform the verification of the credential that issued by the other organization. In this tutorial, you go over the steps needed to present and verify your first verifiable credential: a verified credential expert card. As a verifier, you unlock privileges to subjects that possess verified credential expert cards. In this tutorial, you run a sample application from your local computer that asks you to present a verified credential expert card, and then verifies it. 
@@ -149,7 +149,7 @@ Now you are ready to present and verify your first verified credential expert ca :::image type="content" source="media/verifiable-credentials-configure-verifier/verify-credential.png" alt-text="Screenshot showing how to verify credential from the sample app."::: -1. Using your mobile device, scan the QR code with the Authenticator app. For more info on scanning the QR code, please see the [FAQ section](verifiable-credentials-faq.md#scanning-the-qr-code). +1. Using your mobile device, scan the QR code with the Authenticator app. For more info on scanning the QR code, see the [FAQ section](verifiable-credentials-faq.md#scanning-the-qr-code). 1. When you see the warning message, *This app or website may be risky*, select **Advanced**. You are seeing this warning because your domain isn't verified. For this tutorial, you can skip the domain registration. diff --git a/docs/verified-id/verifiable-credentials-faq.md b/docs/verified-id/verifiable-credentials-faq.md index fc40494d812..b6cc78e4d96 100644 --- a/docs/verified-id/verifiable-credentials-faq.md +++ b/docs/verified-id/verifiable-credentials-faq.md @@ -6,7 +6,7 @@ manager: amycolannino ms.service: entra-verified-id ms.topic: faq -ms.date: 08/11/2022 +ms.date: 12/13/2024 ms.author: barclayn # Customer intent: As a developer I am looking for information on how to enable my users to control their own information ---
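Review bot: In the users-sharing-accounts.md hunk (@@ -42,7), the rewritten paragraph still says "periodically rollover (update) passwords"; as a verb this is "roll over (update) passwords". Since the whole line is being replaced anyway, fix the verb here rather than carrying the noun form forward.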
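Review bot: In the credential-design.md hunk (@@ -15,7), the new opening "Verifiable credentials (VC)s definitions" is ungrammatical; introduce the abbreviation as "Verifiable credential (VC) definitions". Note that the same paragraph then spells out "verifiable credential" again rather than using VC, so either use the abbreviation after introducing it or drop it.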
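Review bot: In the credential-design.md hunk (@@ -95,14), the replacement ID token hint and Self-attested claims bullets appear split across two lines, with the second part ("When this option is configured, the relying party app needs..." and "To configure this option, see this [how to guide]...") carrying no + prefix; if the patch really contains that line break, the +95,14 count in the hunk header no longer matches, and if it is intentional the unindented continuation renders only as a lazy continuation of the list item. Keep each bullet on one line. While here, all four "see this [how to guide](...)" sentences still end without a period, and "self asserted" and "self attested" are inconsistent with the bolded "Self-attested"; hyphenate them.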
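Review bot: In the using-facecheck.md hunk (@@ -28,7), the added comma is fine, but "can be enabled in two ways from the Microsoft Entra Admin Center or by using..." still needs a colon after "two ways" so the two options read as an enumeration, and "Rest API" should be "REST API" in both occurrences, consistent with the "(ARM)" acronym style used in the same sentence.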
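Review bot: In the using-facecheck.md hunk (@@ -53,7), the prerequisite says you need the Azure PowerShell tools, yet the command that follows ("Run the following command in PowerShell") is `az rest ...`, which is Azure CLI, not Azure PowerShell; either make the prerequisite Azure CLI or show the matching PowerShell cmdlet. Also "in your machine" should be "on your machine", and "You can alternatively use the Azure Resource Manager (ARM) Rest API PUT accordingly" still has no terminating period. The `az rest` snippet is fenced as ```http, which is not its language; a shell or azurecli fence fits.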
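Review bot: In the using-facecheck.md hunk (@@ -266,7), the trailing context line "More information on how to improve the photo processing accuracy can be found [here](...)" uses "here" as link text and ends without a period; since this answer is already being edited, give the link descriptive text such as "best practices for improving accuracy" and close the sentence.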
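Review bot: In the verifiable-credentials-configure-issuer.md hunk (@@ -259,7), "You are prompted" departs from the contraction style applied elsewhere in this PR ("isn't", "doesn't"); use "You're prompted". Also "displayed in the screen" should be "displayed on the screen".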
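Review bot: In the verifiable-credentials-configure-verifier.md hunk (@@ -15,7), the edit introduces a grammar regression: "the credential that issued by the other organization" dropped "was" and now reads as if the credential did the issuing. Restore "the credential that was issued by the other organization" or shorten to "the credential issued by the other organization".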