Merge pull request #6600 from MicrosoftDocs/main
1/17/2025 AM Publish
Taojunshen authored Jan 17, 2025
2 parents 8a90bcc + 2285260 commit a5bfa8b
Showing 2 changed files with 14 additions and 2 deletions.
4 changes: 4 additions & 0 deletions docs/identity/hybrid/connect/how-to-connect-fed-management.md
@@ -39,12 +39,16 @@ You'll also learn about other common AD FS tasks that you might need to perform

You can perform various AD FS-related tasks in Microsoft Entra Connect with minimal user intervention by using the Microsoft Entra Connect wizard. After you've finished installing Microsoft Entra Connect by running the wizard, you can run it again to perform other tasks.

>[!IMPORTANT]
>Please note that if you are configuring federation with AD FS or PingFederate you will need either an account with the global administrator role or an account that has the [hybrid identity administrator](../../role-based-access-control/permissions-reference.md#hybrid-identity-administrator) and [domain name administrator](../../role-based-access-control/permissions-reference.md#domain-name-administrator) roles. The configurations related to federation require permissions that the [hybrid identity administrator](../../role-based-access-control/permissions-reference.md#hybrid-identity-administrator) currently doesn't have but the [domain name administrator](../../role-based-access-control/permissions-reference.md#domain-name-administrator) role does.
<a name="repairthetrust"></a>

## Repair the trust

You can use Microsoft Entra Connect to check the current health of the AD FS and Microsoft Entra ID trust and then take appropriate actions to repair the trust. To repair your Microsoft Entra ID and AD FS trust, do the following:


1. Select **Repair Microsoft Entra ID and ADFS Trust** from the list of tasks.

![Screenshot of the "Additional tasks" page for repairing the Microsoft Entra ID and AD FS trust.](./media/how-to-connect-fed-management/RepairADTrust1.PNG)
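Review bot: the new `>[!IMPORTANT]` block is followed directly by `<a name="repairthetrust"></a>` with no blank line in between; an HTML tag line cannot interrupt a Markdown paragraph, so the anchor is swallowed into the callout as lazy continuation text. Add a blank line after the note. The note also opens with "Please note that if you are", which the docs style avoids; the form already used in the prerequisites article, "If you're configuring federation with AD FS or PingFederate, you'll need ...", is shorter and consistent. Since this paragraph is being pasted into several places, consider moving it to an include file so the role requirement is maintained once. Minor: `>[!IMPORTANT]` lacks the space after `>` that the file's other callouts use (`> [!NOTE]`).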
@@ -73,6 +73,7 @@ To read more about securing your Active Directory environment, see [Best practic
- The servers where AD FS or Web Application Proxy are installed must be Windows Server 2012 R2 or later. Windows remote management must be enabled on these servers for remote installation. You might need [a paid support program](/lifecycle/policies/fixed#extended-support) if you require support for Windows Server 2016 and older.
- You must configure TLS/SSL certificates. For more information, see [Managing SSL/TLS protocols and cipher suites for AD FS](/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs) and [Managing SSL certificates in AD FS](/windows-server/identity/ad-fs/operations/manage-ssl-certificates-ad-fs-wap).
- You must configure name resolution.
- You'll need either an account with the global administrator role or an account that has the [hybrid identity administrator](../../role-based-access-control/permissions-reference.md#hybrid-identity-administrator) and the [domain name administrator](../../role-based-access-control/permissions-reference.md#domain-name-administrator) roles. The configurations related to federation require permissions that the [hybrid identity administrator](../../role-based-access-control/permissions-reference.md#hybrid-identity-administrator) currently doesn't have but the [domain name administrator](../../role-based-access-control/permissions-reference.md#domain-name-administrator) role does.
- It isn't supported to break and analyze traffic between Microsoft Entra Connect and Microsoft Entra ID. Doing so could disrupt the service.
- If your Hybrid Identity Administrators have MFA enabled, the URL `https://secure.aadcdn.microsoftonline-p.com` *must* be in the trusted sites list. You're prompted to add this site to the trusted sites list when you're prompted for an MFA challenge and it isn't yet added. You can use Internet Explorer to add it to your trusted sites.
- If you plan to use Microsoft Entra Connect Health for syncing, you need to use a global administrator account to install Microsoft Entra Connect Sync. If you use a hybrid administrator account, the agent is installed but in a disabled state. For more information, see [Microsoft Entra Connect Health agent installation](how-to-connect-health-agent-install.md).
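Review bot: the added bullet repeats, nearly word for word, the account requirement that this same PR also adds under the Accounts heading of this file, so the role requirement now has to be kept in sync in two places within one article. Either keep only the Accounts entry or reduce this bullet to a cross-reference to it. Also, this list is about servers, certificates and name resolution, so an account-role requirement reads out of place here. Terminology: the last bullet in the list says "hybrid administrator account" while the new text says "hybrid identity administrator"; align them.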
@@ -106,11 +107,12 @@ We recommend that you harden your Microsoft Entra Connect server to decrease the
* Maintain ODBC Driver for SQL Server version 17 and OLE DB Driver for SQL Server version 18 that are bundled with Microsoft Entra Connect. Upgrading ODBC/OLE DB drivers' major or minor versions isn't supported. Microsoft Entra Connect product group team includes new ODBC/OLE DB drivers as these become available and have a requirement to be updated.

> [!NOTE]
> If you're installing SQL on the same server as Microsoft Entra Connect, we recommend to configure SQL to limit the maximum memory that it can use from the system.
> If you're installing SQL on the same server as Microsoft Entra Connect, we recommend configuring SQL to limit the maximum memory that it can use from the system.
> Follow [SQL best practices](/sql/database-engine/configure-windows/server-memory-server-configuration-options?view=sql-server-ver16#recommendations) for memory configuration.
### Accounts
* You must have a Microsoft Entra Global Administrator account or Hybrid Identity Administrator account for the Microsoft Entra tenant you want to integrate with. This account must be a *school or organization account* and can't be a *Microsoft account*.
* If you're configuring federation with AD FS or PingFederate you'll need either an account with the global administrator role or an account that has the [hybrid identity administrator](../../role-based-access-control/permissions-reference.md#hybrid-identity-administrator) and the [domain name administrator](../../role-based-access-control/permissions-reference.md#domain-name-administrator) roles. The configurations related to federation require permissions that the [hybrid identity administrator](../../role-based-access-control/permissions-reference.md#hybrid-identity-administrator) currently doesn't have but the [domain name administrator](../../role-based-access-control/permissions-reference.md#domain-name-administrator) role does.
* If you use [express settings](reference-connect-accounts-permissions.md#express-settings-installation) or upgrade from DirSync, you must have an Enterprise Administrator account for your on-premises Active Directory.
* If you use the custom settings installation path, you have more options. For more information, see [Custom installation settings](reference-connect-accounts-permissions.md#custom-installation-settings).
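Review bot: the added Accounts bullet needs a comma after "PingFederate": "If you're configuring federation with AD FS or PingFederate, you'll need either an account with the global administrator role ...". Two consecutive sentences also repeat the hybrid identity administrator and domain name administrator links; the second sentence can drop the links since they appear in the first. The reword from "we recommend to configure" to "we recommend configuring" is correct.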

@@ -163,7 +165,7 @@ We recommend that you harden your Microsoft Entra Connect server to decrease the
```
* If the proxy configuration is being done in an existing setup, the **Microsoft Entra ID Sync service** needs to be restarted once for the Microsoft Entra Connect to read the proxy configuration and update the behavior.
* When Microsoft Entra Connect sends a web request to Microsoft Entra ID as part of directory synchronization, Microsoft Entra ID can take up to 5 minutes to respond. It's common for proxy servers to have connection idle timeout configuration. Ensure the configuration is set to at least 6 minutes or more.
* When Microsoft Entra Connect sends a web request to Microsoft Entra ID as part of directory synchronization, Microsoft Entra ID can take up to 5 minutes to respond. It's common for proxy servers to have connection idle time-out configuration. Ensure the configuration is set to at least 6 minutes or more.
For more information, see MSDN about the [default proxy element](/dotnet/framework/configure-apps/file-schema/network/defaultproxy-element-network-settings).
For more information when you have problems with connectivity, see [Troubleshoot connectivity problems](tshoot-connect-connectivity.md).
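Review bot: "at least 6 minutes or more" in the changed line is redundant; "at least 6 minutes" says the same thing. The "timeout" to "time-out" change matches the style guide's noun form. While this line is being touched, the preceding bullet's "for the Microsoft Entra Connect to read" should drop the article ("for Microsoft Entra Connect to read").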
@@ -215,6 +217,10 @@ Under this registry key, Microsoft Entra Connect checks to see if the following
- [DefaultLaunchPermission](/windows/win32/com/defaultlaunchpermission)
## Prerequisites for federation installation and configuration
>[!IMPORTANT]
>Please note that if you are configuring federation with AD FS or PingFederate you will need either an account with the global administrator role or an account that has the [hybrid identity administrator](../../role-based-access-control/permissions-reference.md#hybrid-identity-administrator) and [domain name administrator](../../role-based-access-control/permissions-reference.md#domain-name-administrator) roles. The configurations related to federation require permissions that the [hybrid identity administrator](../../role-based-access-control/permissions-reference.md#hybrid-identity-administrator) currently doesn't have but the [domain name administrator](../../role-based-access-control/permissions-reference.md#domain-name-administrator) role does.
### Windows Remote Management
When you use Microsoft Entra Connect to deploy AD FS or the Web Application Proxy (WAP), check these requirements:
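Review bot: the new `>[!IMPORTANT]` block is inserted with no blank line between it and the `## Prerequisites for federation installation and configuration` heading above or the `### Windows Remote Management` heading below; the docs markdownlint rule on blank lines around headings will flag this, so add the blank lines. The wording "Please note that if you are configuring" should be "If you're configuring ..." for consistency with the Accounts bullet in the same file, which already states this requirement; a cross-reference to that bullet would avoid a third copy of the paragraph.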
@@ -231,6 +237,8 @@ When you use Microsoft Entra Connect to deploy AD FS or the Web Application Prox
* On the **Server Manager All Servers** tab, right-click the WAP server, and select **Manage As**. Enter local (not domain) credentials for the WAP machine.
* To validate remote PowerShell connectivity, on the **Server Manager All Servers** tab, right-click the WAP server and select **Windows PowerShell**. A remote PowerShell session should open to ensure remote PowerShell sessions can be established.
### TLS/SSL certificate requirements
* We recommend that you use the same TLS/SSL certificate across all nodes of your AD FS farm and all Web Application Proxy servers.
* The certificate must be an X509 certificate.
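Review bot: while this section is being edited, the bullet "The certificate must be an X509 certificate" should read "X.509 certificate", which is the standard's name and the form used elsewhere in the AD FS documentation.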

0 comments on commit a5bfa8b
