diff --git a/docs/source/deployment/deploy_shm.md b/docs/source/deployment/deploy_shm.md index df3ea4c6e4..e0c4a23aa5 100644 --- a/docs/source/deployment/deploy_shm.md +++ b/docs/source/deployment/deploy_shm.md @@ -19,7 +19,7 @@ Alternatively, you may run multiple SHMs concurrently, for example you may have ```{tip} - Ensure that the **Owner** of the subscription is an `Azure Security group` that contains all administrators and no-one else. - - We recommend using separate `Azure Active Directories` for users and administrators + - We recommend using separate `Microsoft Entra IDs` for users and administrators ``` - `PowerShell` @@ -94,7 +94,7 @@ The following core SHM properties are required - look in the `environment_config "timezone": "[Optional] Timezone in IANA format (e.g. 'Europe/London').", "azure": { "adminGroupName": "Azure Security Group that admins of this Safe Haven will belong to (see below for details).", - "activeDirectoryTenantId": "Tenant ID for the Azure Active Directory containing users (see below for details on how to obtain this).", + "activeDirectoryTenantId": "Tenant ID for the Microsoft Entra ID containing users (see below for details on how to obtain this). Note that we preserve the Active Directory name here for compatability with earlier DSH versions.", "location": "Azure location to deploy the management environment into (e.g. 'uksouth').", "subscriptionName": "Azure subscription to deploy the management environment into." }, 
@@ -126,7 +126,7 @@ The following core SHM properties are required - look in the `environment_config - This configuration file is also used when deploying an SRE environment. - We recommend that you set the fully qualified domain name to `.`. - This may require purchasing a dedicated domain so follow your organisation's guidance. -- You must ensure that the group specifed in `azure.adminGroupName` exists in the AzureAD for the tenant that you will be deploying into. Depending on your setup, this may be different from the AzureAD where your users are created. +- You must ensure that the group specifed in `azure.adminGroupName` exists in the Microsoft Entra ID for the tenant that you will be deploying into. Depending on your setup, this may be different from the Microsoft Entra ID where your users are created. ``` ```{admonition} Alan Turing Institute default 
@@ -162,22 +162,22 @@ PS> ./ShowConfigFile.ps1 -shmId (roles_deployer_setup_aad)= -## 3. {{file_folder}} Setup Azure Active Directory (AAD) +## 3. {{file_folder}} Setup Microsoft Entra ID ```{warning} -If you wish to reuse an existing Azure Active Directory please make sure you remove any existing `Conditional Access Policies` by going to `Security > Conditional Access > Policies` and manually removing the `Restrict Azure Active Directory access` and `Require MFA` policies. -You can then continue to the next step: {ref}`getting the Azure AD tenant ID `. +If you wish to reuse an existing Microsoft Entra ID please make sure you remove any existing `Conditional Access Policies` by going to `Security > Conditional Access > Policies` and manually removing the `Restrict Microsoft Entra ID access` and `Require MFA` policies. +You can then continue to the next step: {ref}`getting the Microsoft Entra tenant ID `. ``` -### Create a new Azure Active Directory +### Create a new Microsoft Entra ID ![Portal: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-azure&label=portal&color=blue&message=one%20minute) -- From the Azure portal, click `Create a Resource` and search for `Azure Active Directory` (AAD) +- From the Azure portal, click `Create a Resource` and search for `Microsoft Entra ID`
Screenshots ```{image} deploy_shm/AAD.png - :alt: Azure Active Directory + :alt: Microsoft Entra ID :align: center ``` @@ -191,31 +191,31 @@ You can then continue to the next step: {ref}`getting the Azure AD tenant ID Screenshots ```{image} deploy_shm/aad_creation.png - :alt: Azure Active Directory creation + :alt: Microsoft Entra ID creation :align: center ```
- Click `Create` -- Wait for the Azure Active Directory to be created +- Wait for Microsoft Entra ID to be created (roles_deployer_aad_tenant_id)= -### Get the Azure Active Directory Tenant ID +### Get the Microsoft Entra Tenant ID -![Azure AD: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=one%20minute) +![Microsoft Entra ID: one minute](https://img.shields.io/badge/Microsoft_Entra_ID-One_minute-blue?logo=microsoft-academic) -- From the Azure portal, navigate to the AAD you have created. +- From the Azure portal, navigate to the Microsoft Entra ID you have created. You can do this by: - - Clicking the link displayed at the end of the initial AAD deployment. - - Clicking on your username and profile icon at the top left of the Azure portal, clicking `Switch directory` and selecting the AAD you have just created from the `All Directories` section of the `Directory + Subscription` panel that then displays. -- If required, click the "hamburger" menu in the top left corner (three horizontal lines) and select `Azure Active Directory` -- Click `Overview` in the left panel and copy the `Tenant ID` displayed under the AAD name and initial `something.onmicrosoft.com` domain. + - Clicking the link displayed at the end of the initial Microsoft Entra ID deployment. + - Clicking on your username and profile icon at the top left of the Azure portal, clicking `Switch directory` and selecting the Microsoft Entra ID you have just created from the `All Directories` section of the `Directory + Subscription` panel that then displays. +- If required, click the "hamburger" menu in the top left corner (three horizontal lines) and select `Microsoft Entra ID` +- Click `Overview` in the left panel and copy the `Tenant ID` displayed under the Microsoft Entra ID name and initial `something.onmicrosoft.com` domain.
Screenshots ```{image} deploy_shm/aad_tenant_id.png - :alt: AAD Tenant ID + :alt: Microsoft Entra tenant ID :align: center ``` @@ -225,7 +225,7 @@ You can then continue to the next step: {ref}`getting the Azure AD tenant ID ```` -### Add the SHM domain to the Azure Active Directory +### Add the SHM domain to the Microsoft Entra ID ![Powershell: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=powershell&label=local&color=blue&message=a%20few%20minutes) at {{file_folder}} `./deployment/safe_haven_management_environment/setup` @@ -277,10 +277,10 @@ If it exhausts the number of retries a second time, wait an hour and try again. (roles_deploy_add_additional_admins)= -## 5. {{hammer}} Create Azure Active Directory administrator accounts +## 5. {{hammer}} Create Microsoft Entra administrator accounts -A default external administrator account was automatically created for the user you were logged in as when you initially created the Azure AD. -This user should also **not be used** for administering the Azure AD. +A default external administrator account was automatically created for the user you were logged in as when you initially created the Microsoft Entra ID. +This user should also **not be used** for administering the Microsoft Entra ID. Several later steps will require the use of a **native** administrator account with a valid mobile phone and email address. You must therefore create and activate a **native** administrator account for each person who will be acting as a system administrator. 
@@ -298,9 +298,9 @@ In particular, it should not be used as a shared admin account for routine admin ### Create a new account for each administrator (including yourself) -![Azure AD: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=a%20few%20minutes) +![Microsoft Entra ID: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=a%20few%20minutes) -- From the Azure portal, navigate to the AAD you have created. +- From the Azure portal, navigate to the Microsoft Entra ID you have created. - Click `Users` in the left hand sidebar and click on the `+New user` icon in the top menu above the list of users. #### Create an internal admin user: @@ -312,7 +312,7 @@ In particular, it should not be used as a shared admin account for routine admin - Search for `Global Administrator` - Check `Global Administrator` - Click the `Select` button -- Set their usage location to the country you used when creating the Safe Haven Azure AD +- Set their usage location to the country you used when creating the Safe Haven Microsoft Entra ID - Leave all other fields empty, including First name and Last name - Click `Create` @@ -341,7 +341,7 @@ In particular, it should not be used as a shared admin account for routine admin When you have finished creating administrator accounts, you will need to ensure that they are able to set their own passwords -- From the Azure portal, navigate to the AAD you have created. +- From the Azure portal, navigate to the Microsoft Entra ID you have created. - Click `Manage > Password Reset` on the left-hand sidebar - Click `Manage > Authentication methods` on the left-hand sidebar - Ensure that both `Email` and `Mobile phone` are enabled 
@@ -354,7 +354,7 @@ When you have finished creating administrator accounts, you will need to ensure ### Activate and configure your new internal admin account ```{warning} -In the next step we will delete the external admin account created for the user account you used to create the Azure AD. +In the next step we will delete the external admin account created for the user account you used to create the Microsoft Entra ID. Before you do this, you **must** configure and log into the **native** admin account you have just created for yourself. ``` 
@@ -363,20 +363,20 @@ Before you do this, you **must** configure and log into the **native** admin acc The administrators you have just set up can activate their accounts by following the password and MFA steps in the {ref}`user guide `. -### Remove the default external user that was used to create the Azure AD +### Remove the default external user that was used to create the Microsoft Entra ID ```{warning} Make sure you have activated your account and **successfully logged in** with the new **native** administrator account you have just created for yourself (`aad.admin.firstname.lastname@`) before deleting the default external administrator account. ``` -![Azure AD: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=a%20few%20minutes) +![Microsoft Entra ID: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=a%20few%20minutes) - Ensure you are logged in with the new **native** administrator account you have just created. - Click on your username at the top right corner of the screen, then `Sign in with a different user`. - Log in with the password you set for yourself when activating your admin account in the previous step -- From the Azure portal, navigate to the AAD you have created. +- From the Azure portal, navigate to the Microsoft Entra ID you have created. - Click `Users` in the left hand sidebar -- Select the default **external** user that was created when you created the Azure AD. +- Select the default **external** user that was created when you created the Microsoft Entra ID. - The `User principal name` field for this user will contain the **external domain** and will have `#EXT#` before the `@` sign (for example `alovelace_turing.ac.uk#EXT#@turingsafehaven.onmicrosoft.com`) - Click the `Delete user` icon in the menu bar at the top of the user list panel 
@@ -396,7 +396,7 @@ PS> ./Deploy_SHM.ps1 -shmId You will be prompted for credentials for: - a user with admin rights over the Azure subscriptions you plan to deploy into -- a user with Global Administrator privileges over the Azure Active Active directory you set up earlier +- a user with Global Administrator privileges over the Microsoft Entra ID you set up earlier This will perform the following actions, which can be run individually if desired: @@ -418,7 +418,7 @@ If you get an error like `Could not load file or assembly 'Microsoft.IdentityMod ``` Some (rare) operations require you to be logged in as a **native** Global Administrator. -To support these rare cases, and to allow access to the Safe Haven Azure AD in the case of loss of access to personal administrator accounts (e.g. lost access to MFA), an **emergency access** administrator account has been created by the above script. +To support these rare cases, and to allow access to the Safe Haven Microsoft Entra ID in the case of loss of access to personal administrator accounts (e.g. lost access to MFA), an **emergency access** administrator account has been created by the above script. ```{warning} Do not use this account unless absolutely required! @@ -669,10 +669,14 @@ You will need to configure your antivirus software to make an exception. (roles_deployer_shm_aad_connect)= -#### Install Azure Active Directory Connect +#### Install Microsoft Entra Connect ![Remote: ten minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-onedrive&label=remote&color=blue&message=ten%20minutes) +````{include} ../roles/system_manager/snippets/02_ms_entra_connect.partial.md +:relative-images: +```` + - Log into the **SHM primary domain controller** (`DC1-SHM-`) VM using the `private IP address`, `` and `` that you {ref}`obtained from the portal above `. - Navigate to `C:\Installation` - Run the `AzureADConnect` Windows Installer Package 
@@ -759,8 +763,8 @@ If you get an error that the username/password is incorrect or that the domain/d ``` ```{error} -If you have recently torn down another SHM linked to the same Azure Active Directory you might see the error `Directory synchronization is currently in a pending disabled state for this directory. Please wait until directory synchronization has been fully disabled before trying again`. -You need to wait for the `Azure Active Directory` to fully disconnect - this can take up to 72 hours but is typically sooner. +If you have recently torn down another SHM linked to the same Microsoft Entra ID you might see the error `Directory synchronization is currently in a pending disabled state for this directory. Please wait until directory synchronization has been fully disabled before trying again`. +You need to wait for the `Microsoft Entra ID` to fully disconnect - this can take up to 72 hours but is typically sooner. You do not need to close the installer window while waiting. If you need to, you can disconnect from the DC and VPN and reconnect later before clicking `Retry`. ``` 
@@ -773,12 +777,12 @@ If you get an error that the connection to Azure Active Directory could not be m #### Update Azure Active Directory Connect rules -This step allows the locale (country code) to be pushed from the local AD to the Azure Active Directory. +This step allows the locale (country code) to be pushed from the local AD to Microsoft Entra ID. ![Remote: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-onedrive&label=remote&color=blue&message=one%20minute) - Log into the **SHM primary domain controller** (`DC1-SHM-`) VM using the `private IP address`, `` and `` that you {ref}`obtained from the portal above `. -- Run the following command on the remote domain controller VM to update the AAD rules +- Run the following command on the remote domain controller VM to update the Microsoft Entra rules ```powershell PS> C:\Installation\UpdateAADSyncRule.ps1 @@ -788,7 +792,7 @@ PS> C:\Installation\UpdateAADSyncRule.ps1 ### Validate Active Directory synchronisation -This step validates that your local Active Directory users are correctly synchronised to Azure Active Directory. +This step validates that your local Active Directory users are correctly synchronised to Microsoft Entra ID. Note that you can use the same script after deploying an SRE to add users in bulk. ![Remote: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-onedrive&label=remote&color=blue&message=one%20minute) 
@@ -806,10 +810,10 @@ Note that you can use the same script after deploying an SRE to add users in bul PS> C:\Installation\CreateUsers.ps1 ``` -- This script will add the users and trigger a sync with Azure Active Directory +- This script will add the users and trigger a sync with Microsoft Entra ID - Wait a few minutes for the changes to propagate -![Azure AD: a few seconds](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=a%20few%20seconds) +![Microsoft Entra ID: a few seconds](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=a%20few%20seconds) - Click `Users > All users` and confirm that the new user is shown in the user list. - The new user account should have the `On-premises sync enabled` field set to `Yes` @@ -826,9 +830,9 @@ Once you're certain that you're adding a new user, make sure that the following ### Configure AAD side of AD connect -![Azure AD: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=one%20minute) +![Microsoft Entra ID: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=one%20minute) -- From the Azure portal, navigate to the AAD you have created. +- From the Azure portal, navigate to the Microsoft Entra ID you have created. - Select `Password reset` from the left hand menu - Select `On-premises integration` from the left hand side bar 
@@ -847,22 +851,22 @@ To enable self-service password reset (SSPR) and MFA-via-phone-call, you must ha ### Add licences that support self-service password reset -![Azure AD: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=a%20few%20minutes) +![Microsoft Entra ID: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=a%20few%20minutes) Click the heading that applies to you to expand the instructions for that scenario.
Test deployments -**For testing** you can enable a free trial of the P2 License (NB. it can take a while for these to appear on your AAD). +**For testing** you can enable a free trial of the P2 License (NB. it can take a while for these to appear on your Microsoft Entra ID). You can activate the trial while logged in as your deafult guest administrator account. -- From the Azure portal, navigate to the AAD you have created. +- From the Azure portal, navigate to the Microsoft Entra ID you have created. - Click on `Licences` in the left hand sidebar - Click on `All products` in the left hand sidebar - Click on the `+Try/Buy` text above the empty product list and add a suitable licence product. - - Expand the `Free trial` arrow under `Azure AD Premium P2` + - Expand the `Free trial` arrow under `Microsoft Entra ID P2` - Click the `Activate` button - - Wait for the `Azure Active Directory Premium P2` licence to appear on the list of `All Products` (this could take several minutes) + - Wait for the `Microsoft Entra ID P2` licence to appear on the list of `All Products` (this could take several minutes)
@@ -876,7 +880,7 @@ As activating self-service password reset requires active MFA licences, this is - Click on your username at the top right corner of the screen, then click "Sign in with a different account" - Enter `aad.admin.emergency.access@` as the username - Open a new browser tab and go to the [Azure Portal](https://portal.azure.com/) - - Change to the Azure Active Directory associated with the Safe Haven SHM subscription (e.g. an existing corporate Azure AD). + - Change to the Microsoft Entra ID associated with the Safe Haven SHM subscription (e.g. an existing corporate Microsoft Entra ID). Do this by clicking on your username at the top right corner of the screen, then `Switch directory`, then selecting the directory you wish to switch to. - Click the "hamburger" menu in the top left corner (three horizontal lines) and select `Subscriptions` - Click on the Safe Haven SHM subscription @@ -894,7 +898,7 @@ As activating self-service password reset requires active MFA licences, this is - In the "Microsoft 365 Admin Centre" portal that opens: - Expand the `Billing` section of the left hand side bar - Click on `Purchase services` - - Scroll down the list of products and select `Azure Active Directory Premium P1` and click `Buy` + - Scroll down the list of products and select `Microsoft Entra ID Premium P1` and click `Buy` - Select `Pay monthly` - Enter the number of licences required. - Leave `automatically assign all of your users with no licences` checked @@ -903,17 +907,17 @@ As activating self-service password reset requires active MFA licences, this is - Click next and enter payment details when requested - Switch back to your original administrator account - Click on your username at the top right corner of the screen, then click "Sign in with a different account" - - Log in as the user you used to create the Safe Haven Azure AD + - Log in as the user you used to create the Safe Haven Microsoft Entra ID
### Enable self-service password reset -![Azure AD: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=one%20minute) +![Microsoft Entra ID: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=one%20minute) -- Ensure your Azure Portal session is using the new Safe Haven Management (SHM) AAD directory. +- Ensure your Azure Portal session is using the new Safe Haven Management (SHM) Microsoft Entra ID. The name of the current directory is under your username in the top right corner of the Azure portal screen. To change directories click on your username at the top right corner of the screen, then `Switch directory`, then the name of the new SHM directory. -- Click the "hamburger" menu in the top left corner (three horizontal lines) and select `Azure Active Directory` +- Click the "hamburger" menu in the top left corner (three horizontal lines) and select `Microsoft Entra ID` - Click `Password reset` in the left hand sidebar - Set the `Self service password reset enabled` toggle to `All` 
@@ -928,11 +932,11 @@ As activating self-service password reset requires active MFA licences, this is If you see a message about buying licences, you may need to refresh the page for the password reset option to show. ``` -### Configure MFA on Azure Active Directory +### Configure MFA on Microsoft Entra ID -![Azure AD: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=a%20few%20minutes) +![Microsoft Entra ID: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=a%20few%20minutes) -- From the Azure portal, navigate to the AAD you have created. +- From the Azure portal, navigate to the Microsoft Entra ID you have created. - Click `Users` in the left hand sidebar - Click the `Per-user MFA` icon in the top bar of the users list. - Click on `Service settings` at the top of the panel 
@@ -964,9 +968,9 @@ If you see a message about buying licences, you may need to refresh the page for Before completing this step, **make sure you have confirmed you are able to successfully log in as the emergency access admin**, as this account will be the only one excluded from the MFA requirement. ``` -![Azure AD: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=a%20few%20minutes) +![Microsoft Entra ID: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=a%20few%20minutes) -- From the Azure portal, navigate to the AAD you have created. +- From the Azure portal, navigate to the Microsoft Entra ID you have created. - Click `Properties` in the left hand sidebar and **disable** security defaults as shown in the screenshot [here](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) - Select `NO` from `Enable Security defaults` - Select `My organization is using Conditional Access` and hit the `Save` button 
@@ -1002,14 +1006,14 @@ Before completing this step, **make sure you have confirmed you are able to succ Most users have no reason to access the Azure portal using the SHM tenant. Therefore we will block access for all users other than Global Administrators. -![Azure AD: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=a%20few%20minutes) +![Microsoft Entra ID: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=a%20few%20minutes) -- From the Azure portal, navigate to the AAD you have created. +- From the Azure portal, navigate to the Microsoft Entra ID you have created. - Click `Security` in the left hand sidebar - Click `Conditional Access` in the left hand sidebar - Click on `New Policy` at the top of the panel - Configure the policy as follows - - In the `Name` field enter `Restrict Azure Active Directory access` + - In the `Name` field enter `Restrict Microsoft Entra ID access` - Under `Users or workload identities` set the `Users and groups` condition to: - **Include**: Select `All users` - **Exclude**: 
@@ -1042,16 +1046,16 @@ However, when you create non-admin users they will need to be assigned an Azure ### Assigning MFA licences -![Azure AD: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=a%20few%20minutes) +![Microsoft Entra ID: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=a%20few%20minutes) - Ensure you are logged in to the Azure Portal in with the **native** administrator account you created. -- Ensure your session is using the new Safe Haven Management (SHM) AAD directory. +- Ensure your session is using the new Safe Haven Management (SHM) Microsoft Entra ID. The name of the current directory is under your username in the top right corner of the Azure portal screen. To change directories click on your username at the top right corner of the screen, then `Switch directory`, then the name of the new SHM directory. -- Click the "hamburger" menu in the top left corner (three horizontal lines) and select `Azure Active Directory` +- Click the "hamburger" menu in the top left corner (three horizontal lines) and select `Microsoft Entra ID` - Click `Licences` in the left hand sidebar - Click `All products` in the left hand sidebar -- Click the relevant licence product [`Azure Active Directory Premium P1` (production) or `Azure Active Directory Premium P2` (test)] +- Click the relevant licence product [`Microsoft Entra ID P1` (production) or `Microsoft Entra ID P2` (test)] - Click `Licensed users` in the left hand sidebar - Click the `+Assign` icon in the top bar above the list of user licence assignments - Click `+ Add users and groups` under `Users and groups` 
diff --git a/docs/source/deployment/deploy_shm/enable_password_writeback.png b/docs/source/deployment/deploy_shm/enable_password_writeback.png index d2e10dd26e..42d7e28a28 100644 Binary files a/docs/source/deployment/deploy_shm/enable_password_writeback.png and b/docs/source/deployment/deploy_shm/enable_password_writeback.png differ diff --git a/docs/source/deployment/deploy_sre.md b/docs/source/deployment/deploy_sre.md index 74f909bb48..9be11aae15 100644 --- a/docs/source/deployment/deploy_sre.md +++ b/docs/source/deployment/deploy_sre.md @@ -32,13 +32,13 @@ PS> ./Deploy_SRE.ps1 -shmId -sreId -VMs - where `` is the {ref}`management environment ID ` for this SHM - where `` is the {ref}`secure research environment ID ` for this SRE -- where `` is a list of [Azure VM sizes](https://docs.microsoft.com/en-us/azure/virtual-machines/sizes) that you want to create. For example `'Standard_D2s_v3', 'default', 'Standard_NC6s_v3'`. If you are unsure of the appropriate VM sizes, run the script with a single `'default'`. +- where `` is a list of [Azure VM sizes](https://docs.microsoft.com/en-us/azure/virtual-machines/sizes) that you want to create. For example `'Standard_D2s_v3', 'default', 'Standard_NC6s_v3'`. If you are unsure of the appropriate VM sizes, run the script with a single `'default'`. The default VM size is `Standard_D2s_v3`. - VMs can be resized after deployment. See how to do so in the {ref}`System Manager instructions `. You will be prompted for credentials for: - a user with admin rights over the Azure subscriptions you plan to deploy into -- a user with Global Administrator privileges over the SHM Azure Active Active directory +- a user with Global Administrator privileges over the SHM Microsoft Entra ID This will perform the following actions, which can be run individually if desired: 
@@ -251,23 +251,24 @@ For example, if you have authorised a corporate VPN, check that you have correct ``` ````{error} -If you see an error like the following when attempting to log in, it is likely that the AzureAD application is not registered as an `ID token` provider. +If you see an error like the following when attempting to log in, it is likely that the Microsoft Entra application is not registered as an `ID token` provider. ```{image} deploy_sre/guacamole_aad_idtoken_failure.png :alt: AAD ID token failure :align: center ``` -
Register AzureAD application +
Register Microsoft Entra application -![Azure AD: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=one%20minute) +![Microsoft Entra ID: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%2 +0ID&color=blue&message=one%20minute) -- From the Azure portal, navigate to the AAD you have created. -- Navigate to `Azure Active Directory > App registrations`, and select the application called `Guacamole SRE `. +- From the Azure portal, navigate to the Microsoft Entra ID you have created. +- Navigate to `Microsoft Entra ID > App registrations`, and select the application called `Guacamole SRE `. - Click on `Authentication` on the left-hand sidebar - Ensure that the `ID tokens` checkbox is ticked and click on the `Save` icon if you had to make any changes ```{image} deploy_sre/guacamole_aad_app_registration_idtoken.png - :alt: AAD app registration + :alt: Microsoft Entra app registration :align: center ```
diff --git a/docs/source/deployment/index.md b/docs/source/deployment/index.md index 47d26fb893..78c8df303e 100644 --- a/docs/source/deployment/index.md +++ b/docs/source/deployment/index.md @@ -32,3 +32,12 @@ For instructions on removing deployed resources, refer to the guide for {ref}`Sy [Security checklist](security_checklist.md) : an example security checklist used at the Alan Turing Institute to help evaluate the security of our deployments. + +````{warning} +Microsoft have renamed Azure Active Directory to [Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/new-name). +We have updated these guides in the light of this change. +However, as of February 2024, Microsoft have not completed the renaming process. +Some software and documentation retains the old Azure Active Directory name. +Our documentation reflects the name that is currently in use, rather than the name that will be used once the renaming process is complete. +Where we use the name "Azure Active Directory", if the corresponding software, menu option, or documentation cannot be found, look instead for a version using the Microsoft Entra ID name. +```` diff --git a/docs/source/deployment/snippets/00_symbols.partial.md b/docs/source/deployment/snippets/00_symbols.partial.md index 71df005251..975fbf6e4d 100644 --- a/docs/source/deployment/snippets/00_symbols.partial.md +++ b/docs/source/deployment/snippets/00_symbols.partial.md 
@@ -41,11 +41,11 @@ If you see a warning dialog that the certificate cannot be verified as root, acc - You will need to login to the portal using an account with privileges to make the necessary changes to the resources you are altering ``` -```{admonition} Azure Active Directory operation -![Azure AD: estimate of time needed](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=estimate%20of%20time%20needed) +```{admonition} Microsoft Entra ID operation +![Microsoft Entra ID: estimate of time needed](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=estimate%20of%20time%20needed) - This indicates an operation which needs to be carried out in the [`Azure Portal`](https://portal.azure.com) using a web browser on your local machine. -- You will need to login to the portal using an account with administrative privileges on the `Azure Active Directory` that you are altering. +- You will need to login to the portal using an account with administrative privileges on the `Microsoft Entra ID` that you are altering. - Note that this might be different from the account which is able to create/alter resources in the Azure subscription where you are building the Safe Haven. ``` diff --git a/docs/source/deployment/snippets/01_prerequisites.partial.md b/docs/source/deployment/snippets/01_prerequisites.partial.md index 3f3cf684c7..28110e94c3 100644 --- a/docs/source/deployment/snippets/01_prerequisites.partial.md +++ b/docs/source/deployment/snippets/01_prerequisites.partial.md 
@@ -6,15 +6,15 @@ ```{tip} - Ensure that the **Owner** of the subscription is an `Azure Security group` that contains all administrators and no-one else. - - We recommend using separate `Azure Active Directories` for users and administrators + - We recommend using separate `Microsoft Entra IDs` for users and administrators ``` -- Access to a **global administrator** account on the SHM Azure Active Directory +- Access to a **global administrator** account on the SHM Microsoft Entra ID ### {{beginner}} Software - `PowerShell` with support for Azure - - We recommend [installing](https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell) the [latest stable release](https://learn.microsoft.com/en-us/powershell/scripting/install/powershell-support-lifecycle?view=powershell-7.3) of Powershell. We have most recently tested deployment using version `7.3.2`. + - We recommend [installing](https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell) the [latest stable release](https://learn.microsoft.com/en-us/powershell/scripting/install/powershell-support-lifecycle?view=powershell-7.3) of Powershell. We have most recently tested deployment using version `7.3.9`. - Install the [Azure PowerShell Module](https://docs.microsoft.com/en-us/powershell/azure/install-az-ps) using `Install-Module -Name Az -RequiredVersion 5.0.0 -Repository PSGallery` - `Microsoft Remote Desktop` - On macOS this can be installed from the [Apple store](https://www.apple.com/app-store/) diff --git a/docs/source/deployment/snippets/06_01_create_user_account.partial.md b/docs/source/deployment/snippets/06_01_create_user_account.partial.md index 08262a76c7..5b94280c6d 100644 --- a/docs/source/deployment/snippets/06_01_create_user_account.partial.md +++ b/docs/source/deployment/snippets/06_01_create_user_account.partial.md 
@@ -1,5 +1,5 @@ These steps ensure that you have created a non-privileged user account that you can use for testing. -You must ensure that you have assigned a licence to this user in the Azure Active Directory so that MFA will work correctly. +You must ensure that you have assigned a licence to this user in the Microsoft Entra ID so that MFA will work correctly. You should have already set up a non-privileged user account upon setting up the SHM, when {ref}`validating the active directory synchronisation `, but you may wish to set up another or verify that you have set one up already: @@ -31,7 +31,7 @@ You should have already set up a non-privileged user account upon setting up the - Enter the start of your username and click `Check names` - Select your username and click `Ok` - Click `Ok` again to exit the `Add users` dialogue -- Synchronise with Azure Active Directory by running following the `Powershell` command on the SHM primary domain controller +- Synchronise with Microsoft Entra ID by running following the `Powershell` command on the SHM primary domain controller ```powershell PS> C:\Installation\Run_ADSync.ps1 
@@ -39,12 +39,12 @@ PS> C:\Installation\Run_ADSync.ps1 ### {{closed_lock_with_key}} Ensure that your non-privileged user account has MFA enabled -Switch to your custom Azure Active Directory in the Azure portal and make the following checks: +Switch to your custom Microsoft Entra ID in the Azure portal and make the following checks: -![Azure AD: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=one%20minute) +![Microsoft Entra ID: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=one%20minute) -- From the Azure portal, navigate to the AAD you have created. -- The `Usage Location` must be set in Azure Active Directory (should be automatically synchronised from the local Active Directory if it was correctly set there) - - Navigate to `Azure Active Directory > Manage / Users > (user account)`, and ensure that `Settings > Usage Location` is set. +- From the Azure portal, navigate to the Microsoft Entra ID you have created. +- The `Usage Location` must be set in Microsoft Entra ID (should be automatically synchronised from the local Active Directory if it was correctly set there) + - Navigate to `Microsoft Entra ID > Manage / Users > (user account)`, and ensure that `Settings > Usage Location` is set. - A licence must be assigned to the user. - - Navigate to `Azure Active Directory > Manage / Users > (user account) > Licenses` and verify that a license is assigned and the appropriate MFA service enabled. + - Navigate to `Microsoft Entra ID > Manage / Users > (user account) > Licenses` and verify that a license is assigned and the appropriate MFA service enabled. diff --git a/docs/source/design/architecture/index.md b/docs/source/design/architecture/index.md index 3082243051..bf8802d8f8 100644 --- a/docs/source/design/architecture/index.md +++ b/docs/source/design/architecture/index.md 
@@ -23,7 +23,7 @@ Each deployment of the Data Safe Haven consists of two components: ``` The SHM controls the authentication process for the infrastructure. -The identity provider is Microsoft Active Directory, which is synchronised with AzureAD to provide cloud and multifactor authentication into the individual project Secure Research Environment (SRE). +The identity provider is Microsoft Active Directory, which is synchronized with Microsoft Entra ID to provide cloud and multifactor authentication into the individual project Secure Research Environment (SRE). The SHM is connected to each SRE through virtual network peering, which allows authentication requests from the SRE servers to be resolved by the SHM Active Directory. Although all SREs are peered with the SHM, they are not able to connect directly to one another, ensuring the isolation of each project. diff --git a/docs/source/design/architecture/shm_details.md b/docs/source/design/architecture/shm_details.md index 636cafc67f..49ca48d487 100644 --- a/docs/source/design/architecture/shm_details.md +++ b/docs/source/design/architecture/shm_details.md 
@@ -14,7 +14,7 @@ This provides a centralised management facility, ensuring consistency across all Within the Management segment all authentication services are contained within a single virtual network (VNet). The Windows Servers are running Active Directory and are acting as Domain Controllers. They are configured within an Azure availability set to ensure maximum up time. -The Domain Controllers synchronise user details to the Azure Active Directory that is associated with the Management subscription to support self-service account activation and password reset. +The Domain Controllers synchronise user details to the Microsoft Entra ID that is associated with the Management subscription to support self-service account activation and password reset. Network security is provided by Azure Network Security Groups that ensure that inbound connections from the SREs are limited to Active Directory and RADIUS traffic. diff --git a/docs/source/design/security/reference_configuration.md b/docs/source/design/security/reference_configuration.md index 14e6ac5d6e..8e8a751bb3 100644 --- a/docs/source/design/security/reference_configuration.md +++ b/docs/source/design/security/reference_configuration.md @@ -10,7 +10,7 @@ The set of controls applied at the Alan Turing Institute are discussed here, tog - Users must set up MFA before accessing the secure analysis environment. - Users cannot access the environment without MFA. -- Users are required to create passwords that meet the [Azure Active Directory policy](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy) requirements. +- Users are required to create passwords that meet the [Microsoft Entra policy](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy) requirements. ### Implication: diff --git a/docs/source/processes/data_access_controls.md b/docs/source/processes/data_access_controls.md index d03cf858ab..412d1d8bfe 100644 
--- a/docs/source/processes/data_access_controls.md +++ b/docs/source/processes/data_access_controls.md @@ -6,7 +6,7 @@ However, some manual configuration steps are required and each organisation is r ## Administrative access -Access to all Data Safe Haven Azure resources is controlled via `Azure Active Directory` (Azure AD) and Role-Based Access Control (RBAC). +Access to all Data Safe Haven Azure resources is controlled via `Microsoft Entra ID` and Role-Based Access Control (RBAC). By default, only members of a specific administrator security group have administrative access to any element of the Safe Haven. ```{important} @@ -23,13 +23,13 @@ These comprise the software defined infrastructure of the Data Safe Haven, such - virtual networks - network security groups - virtual machines -- `Azure Active Directory` +- `Microsoft Entra ID` Access to the underlying Azure resources requires administrators to log into Azure. ```{hint} Data Safe Haven administrator accounts should be separate from accounts used for any other purpose, including accessing the Data Safe Haven in any other role (e.g. as a {ref}`Researcher `). -At the Turing, Data Safe Haven administrator accounts are configured on a separate institutional `Azure Active Directory` to the Data Safe Haven `Azure Active Directory`. +At the Turing, Data Safe Haven administrator accounts are configured on a separate institutional `Microsoft Entra ID` to the Data Safe Haven `Microsoft Entra ID`. Other organisations may wish to follow the same model. ``` diff --git a/docs/source/roles/researcher/user_guide.md b/docs/source/roles/researcher/user_guide.md index d610c21d71..551ff761b3 100644 --- a/docs/source/roles/researcher/user_guide.md +++ b/docs/source/roles/researcher/user_guide.md 
@@ -212,7 +212,7 @@ Please follow these steps carefully. The virtual keyboard inside the SRE may not be the same as your physical keyboard and this can make it difficult to type some symbols. ``` - Note that this will also ensure that it passes the [Microsoft Azure AD password requirements](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-policy). + Note that this will also ensure that it passes the [Microsoft Entra password requirements](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy). ```{tip} We recommend using a password generator [like this one](https://bitwarden.com/password-generator/) to create a password that meets these requirements. diff --git a/docs/source/roles/system_manager/manage_deployments.md b/docs/source/roles/system_manager/manage_deployments.md index a740ca067a..d57b8929e5 100644 --- a/docs/source/roles/system_manager/manage_deployments.md +++ b/docs/source/roles/system_manager/manage_deployments.md @@ -193,7 +193,7 @@ The storage account can be found under `RG_SHM__PERSISTENT_DATA`, with a Deleting the SRE storage account from `RG_SHM__PERSISTENT_DATA` will delete any work that was done in the SRE. ``` -### {{unlock}} Disconnect from the Azure Active Directory +### {{unlock}} Disconnect from the Microsoft Entra ID Connect to the **SHM Domain Controller (DC1)** via Remote Desktop Client over the SHM VPN connection 
@@ -205,8 +205,8 @@ Connect to the **SHM Domain Controller (DC1)** via Remote Desktop Client over th - You will need to provide login credentials (including MFA if set up) for `@` ```{attention} -Full disconnection of the Azure Active Directory can take up to 72 hours but is typically less. -If you are planning to install a new SHM connected to the same Azure Active Directory you may find the `AzureADConnect` installation step requires you to wait for the previous disconnection to complete. +Full disconnection of the Microsoft Entra ID can take up to 72 hours but is typically less. +If you are planning to install a new SHM connected to the same Microsoft Entra ID you may find the `AzureADConnect` installation step requires you to wait for the previous disconnection to complete. ``` ### {{bomb}} Tear down the SHM diff --git a/docs/source/roles/system_manager/manage_users.md b/docs/source/roles/system_manager/manage_users.md index e2bac7c6f7..20fb8f12fa 100644 --- a/docs/source/roles/system_manager/manage_users.md +++ b/docs/source/roles/system_manager/manage_users.md @@ -10,7 +10,7 @@ This document assumes that you already have access to a {ref}`Safe Haven Managem ## {{beginner}} Create new users -Users should be created on the main domain controller (DC1) in the SHM and synchronised to Azure Active Directory. +Users should be created on the main domain controller (DC1) in the SHM and synchronised to Microsoft Entra ID. A helper script for doing this is already uploaded to the domain controller - you will need to prepare a `CSV` file in the appropriate format for it. (security_groups)= 
@@ -59,7 +59,7 @@ This can be done by copying and pasting the file from your deployment device to - Log into the **SHM primary domain controller** (`DC1-SHM-`) VM using the login credentials {ref}`stored in Azure Key Vault ` - Open a `Powershell` command window with elevated privileges - Run `C:\Installation\CreateUsers.ps1 ` -- This script will add the users and trigger synchronisation with Azure Active Directory +- This script will add the users and trigger synchronisation with Microsoft Entra ID - It will still take around 5 minutes for the changes to propagate ```{error} @@ -102,7 +102,7 @@ Users may have been added to one or more {ref}`security_groups` through setting ### {{iphone}} Edit user details -The `DC1` is the source of truth for user details. If these details need to be changed, they should be changed in the `DC1` and then synchronised to Azure AD. +The `DC1` is the source of truth for user details. If these details need to be changed, they should be changed in the `DC1` and then synchronised to Microsoft Entra ID. - Log into the **SHM primary domain controller** (`DC1-SHM-`) VM using the login credentials {ref}`stored in Azure Key Vault ` - In Server Manager click `Tools > Active Directory Users and Computers` 
@@ -120,10 +120,10 @@ The `DC1` is the source of truth for user details. If these details need to be c - Create a new csv (or edit an existing) one with the correct user details (see {ref}`create_new_users`) - Run `C:\Installation\CreateUsers.ps1 ` - Run `C:\Installation\Run_ADSync.ps1` -- You can check the changes you made were successful by logging into the Azure Portal as the AAD admin - - Open `Azure Active Directory` +- You can check the changes you made were successful by logging into the Azure Portal as the Microsoft Entra admin + - Open `Microsoft Entra ID` - Click on `Users` under `Manage` and search for the user - - Click on the user and then `Edit properties` and confirm your changes propagated to Azure AD + - Click on the user and then `Edit properties` and confirm your changes propagated to Microsoft Entra ID (deleting_users)= @@ -136,7 +136,7 @@ The `DC1` is the source of truth for user details. If these details need to be c - Open a `Powershell` command window with elevated privileges - Run `C:\Installation\Run_ADSync.ps1` - You can check the user is deleted by logging into the Azure Portal as the AAD admin - - Open `Azure Active Directory` + - Open `Microsoft Entra ID` - Click on `Users` under `Manage` and search for the user - Confirm the user is no longer present @@ -152,8 +152,8 @@ In some situations, such as at the end of a project after an SRE has been torn d ### {{hand}} Manually add licence to each user -- Login into the Azure Portal and connect to the correct AAD -- Open `Azure Active Directory` +- Login into the Azure Portal and connect to the correct Microsoft Entra ID +- Open `Microsoft Entra ID` - Select `Manage > Licenses > All Products` - Click `Azure Active Directory Premium P1` - Click `Assign` 
@@ -161,9 +161,13 @@ In some situations, such as at the end of a project after an SRE has been torn d - Select the users you have recently created and click `Select` - Click `Assign` to complete the process +```{note} +`Azure Active Directory Premium P1` is being renamed to `Microsoft Entra ID P1` and may appear as such when performing the assignment process in future. +``` + ### {{car}} Automatically assign licences to users -To automatically assign licences to all local `Active Directory` users that do not currently have a licence in `Azure Active Directory`. +To automatically assign licences to all local `Active Directory` users that do not currently have a licence in `Microsoft Entra ID`: - Ensure you have the same version of the Data Safe Haven repository as was used by your deployment team - Open a `Powershell` terminal and navigate to the `deployment/administration` directory within the Data Safe Haven repository diff --git a/docs/source/roles/system_manager/migrate_an_shm.md b/docs/source/roles/system_manager/migrate_an_shm.md index fe6aa47a1b..0feb2c8648 100644 --- a/docs/source/roles/system_manager/migrate_an_shm.md +++ b/docs/source/roles/system_manager/migrate_an_shm.md @@ -22,9 +22,9 @@ The following variables will be used during deploying - ``: the {ref}`management environment ID ` for the previously deployed SHM - ``: the {ref}`management environment ID ` for the new SHM you want to deploy -- ``: the {ref}`Tenant ID ` for the `Azure Active Directory` that your previously deployed SHM is connected to +- ``: the {ref}`Tenant ID ` for the `Microsoft Entra ID` that your previously deployed SHM is connected to -## 2. {{unlock}} Disconnect the old domain controller from the Azure Active Directory +## 2. {{unlock}} Disconnect the old domain controller from the Microsoft Entra ID ![Remote: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-onedrive&label=remote&color=blue&message=one%20minute) 
@@ -35,11 +35,11 @@ The following variables will be used during deploying - You will need to provide login credentials (including MFA if set up) for `@` ```{warning} -Do not attempt to add users to the old SHM after this point as they will not be synchronised to the `Azure` Active Directory! +Do not attempt to add users to the old SHM after this point as they will not be synchronised to the `Microsoft Entra ID`! ``` ```{attention} -Full disconnection of the `Azure` Active Directory can take up to 72 hours but will typically take around one day. +Full disconnection of the `Microsoft Entra ID` can take up to 72 hours but will typically take around one day. ``` ## 3. {{clipboard}} Safe Haven Management configuration @@ -62,14 +62,14 @@ Full disconnection of the `Azure` Active Directory can take up to 72 hours but w See the {ref}`Safe Haven Management documentation ` for more details. -## 5. {{file_folder}} Ensure the Azure Active Directory domain is registered +## 5. {{file_folder}} Ensure the Microsoft Entra domain is registered ![Powershell: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=powershell&label=local&color=blue&message=a%20few%20minutes) at {{file_folder}} `./deployment/safe_haven_management_environment/setup` See the {ref}`Safe Haven Management documentation ` for more details. ```{note} -You will need to use an AAD global admin when the `AzureAD` module asks you to sign-in. +You will need to use a Microsoft Entra global admin when the `AzureAD` module asks you to sign-in. ``` ## 6. {{key}} Deploy Key Vault for SHM secrets and create emergency admin account 
@@ -79,7 +79,7 @@ You will need to use an AAD global admin when the `AzureAD` module asks you to s See the {ref}`Safe Haven Management documentation ` for more details. ```{note} -You will need to use an AAD global admin when the `AzureAD` module asks you to sign-in. +You will need to use a Microsoft Entra global admin when the `AzureAD` module asks you to sign-in. ``` ## 7. {{station}} Deploy network and VPN gateway @@ -102,7 +102,7 @@ Do **not** run any of the domain controller configuration steps yet ### {{lock_with_ink_pen}} Suspend MFA for all users -![Azure AD: under a minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=under%20a%20minute) +![Microsoft Entra ID: under a minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=under%20a%20minute) - From the `Azure` portal, navigate to the AAD. - Click `Security` in the left hand sidebar @@ -135,11 +135,11 @@ Run the following `Powershell` commands $userOuPath = (Get-ADObject -Filter * | Where-Object { $_.Name -eq "Safe Haven Research Users" }).DistinguishedName $users = Get-ADUser -Filter * -SearchBase "$userOuPath" -Properties * -# Connect to AzureAD -# Use the credentials for an AzureAD global admin (eg. `aad.admin.firstname.surname@`) +# Connect to Microsoft Entra ID +# Use the credentials for a Microsoft Entra global admin (eg. `aad.admin.firstname.surname@`) Connect-MsolService -# Reset source anchor for AzureAD users +# Reset source anchor for Microsoft Entra users foreach ($user in $users) { $immutableId = [System.Convert]::ToBase64String($user.ObjectGUID.ToByteArray()) Set-MsolUser -UserPrincipalName $($user.UserPrincipalName) -immutableID $immutableId 
@@ -151,14 +151,18 @@ foreach ($user in $users) { All research users in this SHM will have to go to `https://aka.ms/sspr` to reset their passwords although their MFA configuration will stay the same. ``` -### {{train}} Install Azure Active Directory Connect +### {{train}} Install Microsoft Entra Connect ![Remote: ten minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-onedrive&label=remote&color=blue&message=ten%20minutes) See the {ref}`Safe Haven Management documentation ` for more details. +````{include} snippets/02_ms_entra_connect.partial.md +:relative-images: +```` + ````{error} -Since you are trying to connect the new SHM to an `Azure` Active Directory that was already synchronised, you may find the `AzureADConnect` installation fails due to a `Directory synchronisation failure`. +Since you are trying to connect the new SHM to an Microsoft Entra ID that was already synchronised, you may find the `AzureADConnect` installation fails due to a `Directory synchronisation failure`. ```{image} migrate_shm/aad_connection_failure.png :alt: AAD connection failure 
@@ -168,22 +172,23 @@ Since you are trying to connect the new SHM to an `Azure` Active Directory that If this happens then you will need to wait for the previous disconnection to complete, which may take up to 72 hours. ```` -### {{recycle}} Update Azure Active Directory Connect rules +### {{recycle}} Update Microsoft Entra Connect rules ![Remote: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-onedrive&label=remote&color=blue&message=one%20minute) See the {ref}`Safe Haven Management documentation ` for more details. -### {{put_litter_in_its_place}} Unregister the old domain controller in `Azure` Active Directory +### {{put_litter_in_its_place}} Unregister the old domain controller in Microsoft Entra ID -![Azure AD: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=one%20minute) +![Microsoft Entra ID: one minute](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=one%20minute) -- From the `Azure` portal, navigate to the AAD you have created. -- Select `Azure AD Connect` from the left hand menu -- Under `Health And Analytics` click `Azure AD Connect Health` +- From the `Azure` portal, navigate to the Microsoft Entra ID you have created. +- Select `Microsoft Entra Connect` from the left hand menu +- Select `Connect Sync` from the left hand menu +- Under `Health And Analytics` click `Microsoft Entra Connect Health` - Select `Sync services` from the left hand menu - Click on `.onmicrosoft.com` -- Click on the `Azure Active Directory Connect Server` that corresponds to the **old** DC (marked as `Unhealthy`) +- Click on the `Microsoft Entra Connect Server` that corresponds to the **old** DC (marked as `Unhealthy`) - Click `Delete` in the top bar, type the server name when prompted then click `Delete` ### {{ballot_box_with_check}} Validate Active Directory synchronisation 
@@ -200,7 +205,7 @@ See the {ref}`Safe Haven Management documentation ` f ## 11. {{closed_lock_with_key}} Require MFA for all users -![Azure AD: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Azure%20AD&color=blue&message=a%20few%20minutes) +![Microsoft Entra ID: a few minutes](https://img.shields.io/static/v1?style=for-the-badge&logo=microsoft-academic&label=Microsoft%20Entra%20ID&color=blue&message=a%20few%20minutes) See the {ref}`Safe Haven Management documentation ` for more details. diff --git a/docs/source/roles/system_manager/snippets/02_ms_entra_connect.partial.md b/docs/source/roles/system_manager/snippets/02_ms_entra_connect.partial.md new file mode 100644 index 0000000000..aafeda4d79 --- /dev/null +++ b/docs/source/roles/system_manager/snippets/02_ms_entra_connect.partial.md @@ -0,0 +1,3 @@ +````{note} +Microsoft Entra Connect is the new name for Azure AD Connect. However, although all Microsoft documentation and entries in the Azure portal now refer to Microsoft Entra Connect, as of this release of the Data Safe Haven, the software itself is still named `Azure AD Connect`. It will appear as such on your Domain Controller. +````
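Review bot: In `deploy_sre.md`, hunk "Register Microsoft Entra application", the new badge URL is broken across two lines (`label=Microsoft%20Entra%2` followed by `+0ID&color=blue...`), which splits the `%20` escape and leaves a stray `0ID&color=blue&message=one%20minute)` line in the rendered page. Every other badge in this patch keeps the URL on one line (`label=Microsoft%20Entra%20ID`); join this one the same way.

Review bot: In `docs/source/deployment/index.md`, the new warning only covers the direction "docs say Azure Active Directory, look for Microsoft Entra ID". After this patch the guides mostly use the new names while several things still carry the old one (`AzureADConnect` in `manage_deployments.md`, the `AzureAD` module in `migrate_an_shm.md`, the `Azure AD Connect` installer described in `02_ms_entra_connect.partial.md`), so add the reverse guidance: where the docs say Microsoft Entra and the software, menu or module cannot be found, look for the Azure AD name.

Review bot: In `01_prerequisites.partial.md`, `separate Microsoft Entra IDs` (and the same wording in the `deploy_shm.md` tip) treats the service name as countable; the instance is a tenant, so "separate Microsoft Entra tenants" reads correctly and matches `activeDirectoryTenantId` in the config. The same applies to "navigate to the Microsoft Entra ID you have created" in `deploy_sre.md` and `06_01_create_user_account.partial.md`. Separately, the PowerShell bump from `7.3.2` to `7.3.9` is unrelated to the rename and should either be its own commit or be called out in the commit message.

Review bot: In `06_01_create_user_account.partial.md`, hunk `@@ -31,7 +31,7 @@`, the touched line still reads "by running following the `Powershell` command"; since the line is being rewritten anyway, fix it to "by running the following `Powershell` command".

Review bot: In `06_01_create_user_account.partial.md`, hunk `@@ -39,12 +39,12 @@`, the same hunk mixes "A licence must be assigned" with "verify that a license is assigned"; the docs otherwise use the British spelling (`manage_users.md` headings "Manually add licence", "Automatically assign licences"), so use "licence" in both places.

Review bot: In `docs/source/design/architecture/index.md`, the rewritten line changes "synchronised" to "synchronized", while `shm_details.md` in this same patch keeps "synchronise" and the rest of the docs use British spelling; revert the spelling and change only the product name.

Review bot: In `docs/source/processes/data_access_controls.md`, hunk `@@ -23,13 +23,13 @@`, "configured on a separate institutional `Microsoft Entra ID` to the Data Safe Haven `Microsoft Entra ID`" is hard to parse; "configured in a separate institutional Microsoft Entra tenant from the Data Safe Haven tenant" says the same thing and keeps the service/tenant distinction.

Review bot: In `manage_deployments.md`, hunk `@@ -205,8 +205,8 @@`, the attention block still names the `AzureADConnect` installation step with no explanation of why the tool keeps the old name. The new `snippets/02_ms_entra_connect.partial.md` lives in the same `system_manager` directory and exists for exactly this; include it here (as `migrate_an_shm.md` now does) or cross-reference it.

Review bot: In `manage_users.md`, hunk `@@ -120,10 +120,10 @@`, the context line "You can check the user is deleted by logging into the Azure Portal as the AAD admin" is left untouched while the matching line in the previous hunk was updated to "Microsoft Entra admin"; update it too so the two procedures read the same.

Review bot: In `manage_users.md`, hunk `@@ -152,8 +152,8 @@`, the rewritten line keeps "Login into the Azure Portal"; "Log in to the Azure Portal" is the verb form and matches "Log into the **SHM primary domain controller**" used earlier in the same file.

Review bot: In `migrate_an_shm.md`, hunks `@@ -62,14 +62,14 @@` and `@@ -79,7 +79,7 @@`, "when the `AzureAD` module asks you to sign-in" should be "sign in" (verb). More importantly, Microsoft has announced the deprecation of the `AzureAD` and `MSOnline` PowerShell modules in favour of Microsoft Graph PowerShell, and the script in hunk `@@ -135,11 +135,11 @@` relies on `Connect-MsolService` and `Set-MsolUser` from `MSOnline`; a rename pass is the right place to add a note that these module and cmdlet names are intentionally left unchanged and that the modules are on a deprecation path.

Review bot: In `migrate_an_shm.md`, hunk `@@ -102,7 +102,7 @@`, the badge alt text becomes "Microsoft Entra ID: under a minute" but the URL still carries `label=Azure%20AD`, unlike every other badge in this patch which uses `label=Microsoft%20Entra%20ID`; the rendered badge will still say "Azure AD". The following context line "From the `Azure` portal, navigate to the AAD." is also still the old name.

Review bot: In `migrate_an_shm.md`, hunk `@@ -151,14 +151,18 @@`, "to an Microsoft Entra ID that was already synchronised" should be "to a Microsoft Entra ID" (or "a Microsoft Entra tenant"); the image alt text on the next line, "AAD connection failure", was also left with the old name.

Review bot: In `migrate_an_shm.md`, hunk `@@ -168,22 +172,23 @@`, the delete step identifies the old server only as the one "marked as `Unhealthy`", yet the confirmation dialog asks you to type the server name. Say explicitly to match the old DC's hostname before clicking `Delete`, so that the wrong sync server is not removed if more than one entry shows as unhealthy at that moment.

Review bot: In `snippets/02_ms_entra_connect.partial.md`, "all Microsoft documentation and entries in the Azure portal now refer to Microsoft Entra Connect" contradicts the new `deployment/index.md` warning, which says Microsoft have not completed the renaming and some documentation retains the old name; say "most" or "current" rather than "all". "As of this release of the Data Safe Haven" is also vaguer than the "as of February 2024" used in that warning; give the version or date so a later reader can tell whether the note is stale.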