Merge pull request #226346 from rolyon/rolyon-mto-graph-explorer-test-steps

[Azure AD MTO] Update configure steps, roles, and permissions

Author: v-dirichards

articles/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure-graph.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: multi-tenant-organizations
 ms.topic: how-to
-ms.date: 02/01/2023
+ms.date: 02/06/2023
 ms.author: rolyon
 ms.custom: it-pro
 
@@ -27,33 +27,62 @@ This article describes the key steps to configure cross-tenant synchronization u
 
 ## Prerequisites
 
-- A source [Azure AD tenant](../develop/quickstart-create-new-tenant.md) with a Premium P1 or P2 license
-- A target [Azure AD tenant](../develop/quickstart-create-new-tenant.md) with a Premium P1 or P2 license
-- An account in the source tenant with the [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator) role to configure cross-tenant provisioning
-- An account in the target tenant with the [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator) role to configure the cross-tenant synchronization policy
+### Source tenant
 
-## Step 1: Sign in to the target tenant and consent to permissions
+- Azure AD Premium P1 or P2 license
+- [Security Administrator](../roles/permissions-reference.md#security-administrator) role to configure cross-tenant access settings
+- [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator) role to configure cross-tenant synchronization
+- [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator) or [Application Administrator](../roles/permissions-reference.md#application-administrator) role to assign users to a configuration and to delete a configuration
+- [Global Administrator](../roles/permissions-reference.md#global-administrator) role to consent to required permissions
 
-![Icon for the target tenant.](./media/common/icon-tenant-target.png)<br/>**Target tenant**
+### Target tenant
+
+- Azure AD Premium P1 or P2 license
+- [Security Administrator](../roles/permissions-reference.md#security-administrator) role to configure cross-tenant access settings
+- [Global Administrator](../roles/permissions-reference.md#global-administrator) role to consent to required permissions
+
+## Step 1: Sign in to tenants and consent to permissions
+
+![Icon for the source tenant.](./media/common/icon-tenant-source.png) ![Icon for the target tenant.](./media/common/icon-tenant-target.png)<br/>**Source and target tenants**
 
 These steps describe how to use Microsoft Graph Explorer (recommended), but you can also use Postman, or another REST API client.
 
 1. Start [Microsoft Graph Explorer tool](https://aka.ms/ge).
 
-1. Sign in to the target tenant.
+1. Sign in to the source tenant.
+
+1. Select your profile and then select **Consent to permissions**.
 
-1. Select **Modify permissions**.
+    :::image type="content" source="./media/cross-tenant-synchronization-configure-graph/graph-explorer-profile.png" alt-text="Screenshot of Graph Explorer profile with Consent to permissions link." lightbox="./media/cross-tenant-synchronization-configure-graph/graph-explorer-profile.png":::
 
 1. Consent to the following required permissions:
 
     - `Policy.Read.All`
     - `Policy.ReadWrite.CrossTenantAccess`
+    - `Application.ReadWrite.All`
+    - `Directory.ReadWrite.All`
+
+    If you see a **Need admin approval** page, you'll need to sign in with a user that has been assigned the Global Administrator role to consent.
+
+1. Start another instance of [Microsoft Graph Explorer tool](https://aka.ms/ge).
+
+1. Sign in to the source tenant.
+
+1. Consent to the following required permissions:
+
+    - `Policy.Read.All`
+    - `Policy.ReadWrite.CrossTenantAccess`
+
+1. Get the tenant ID of the source and target tenants. The example configuration described in this article uses the following tenant IDs:
+
+    - Source tenant ID: 3d0f5dec-5d3d-455c-8016-e2af1ae4d31a
+    - Target tenant ID: 376a1f89-b02f-4a85-8252-2974d1984d14
 
 ## Step 2: Enable user synchronization in the target tenant
 
 ![Icon for the target tenant.](./media/common/icon-tenant-target.png)<br/>**Target tenant**
 
-1. Use the [Create crossTenantAccessPolicyConfigurationPartner](/graph/api/crosstenantaccesspolicy-post-partners?view=graph-rest-beta&preserve-view=true) API to create a new partner configuration in a cross-tenant access policy between the target tenant and the source tenant.
+1. In the target tenant, use the [Create crossTenantAccessPolicyConfigurationPartner](/graph/api/crosstenantaccesspolicy-post-partners?view=graph-rest-beta&preserve-view=true) API to create a new partner configuration in a cross-tenant access policy between the target tenant and the source tenant. Use the source tenant ID in the request.
 
     **Request**
 
@@ -73,6 +102,7 @@ These steps describe how to use Microsoft Graph Explorer (recommended), but you
     Content-Type: application/json
     
     {
+      "@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/crossTenantAccessPolicy/partners/$entity",
       "tenantId": "3d0f5dec-5d3d-455c-8016-e2af1ae4d31a",
       "isServiceProvider": null,
       "inboundTrust": null,
@@ -103,6 +133,7 @@ These steps describe how to use Microsoft Graph Explorer (recommended), but you
     Content-type: application/json
     
     {
+       "displayName": "Fabrikam",
        "userSyncInbound": 
         {
           "isSyncAllowed": true
@@ -120,7 +151,7 @@ These steps describe how to use Microsoft Graph Explorer (recommended), but you
 
 ![Icon for the target tenant.](./media/common/icon-tenant-target.png)<br/>**Target tenant**
 
-1. Use the [Update crossTenantAccessPolicyConfigurationPartner](/graph/api/crosstenantaccesspolicyconfigurationpartner-update?view=graph-rest-beta&preserve-view=true) API to automatically redeem invitations and suppress consent prompts for inbound access.
+1. In the target tenant, use the [Update crossTenantAccessPolicyConfigurationPartner](/graph/api/crosstenantaccesspolicyconfigurationpartner-update?view=graph-rest-beta&preserve-view=true) API to automatically redeem invitations and suppress consent prompts for inbound access.
 
     **Request**
     
@@ -147,9 +178,7 @@ These steps describe how to use Microsoft Graph Explorer (recommended), but you
 
 ![Icon for the source tenant.](./media/common/icon-tenant-source.png)<br/>**Source tenant**
 
-1. Sign in to the source tenant.
-
-2. Use the [Create crossTenantAccessPolicyConfigurationPartner](/graph/api/crosstenantaccesspolicy-post-partners?view=graph-rest-beta&preserve-view=true) API to create a new partner configuration in a cross-tenant access policy between the source tenant and the target tenant.
+1. In the source tenant, use the [Create crossTenantAccessPolicyConfigurationPartner](/graph/api/crosstenantaccesspolicy-post-partners?view=graph-rest-beta&preserve-view=true) API to create a new partner configuration in a cross-tenant access policy between the source tenant and the target tenant. Use the target tenant ID in the request.
 
     **Request**
 
@@ -169,6 +198,7 @@ These steps describe how to use Microsoft Graph Explorer (recommended), but you
     Content-Type: application/json
     
     {
+      "@odata.context": "https://graph.microsoft.com/beta/$metadata#policies/crossTenantAccessPolicy/partners/$entity",
       "tenantId": "376a1f89-b02f-4a85-8252-2974d1984d14",
       "isServiceProvider": null,
       "inboundTrust": null,
@@ -190,7 +220,7 @@ These steps describe how to use Microsoft Graph Explorer (recommended), but you
     }
     ```
 
-3. Use the [Update crossTenantAccessPolicyConfigurationPartner](/graph/api/crosstenantaccesspolicyconfigurationpartner-update?view=graph-rest-beta&preserve-view=true) API to automatically redeem invitations and suppress consent prompts for outbound access.
+1. Use the [Update crossTenantAccessPolicyConfigurationPartner](/graph/api/crosstenantaccesspolicyconfigurationpartner-update?view=graph-rest-beta&preserve-view=true) API to automatically redeem invitations and suppress consent prompts for outbound access.
 
     **Request**
     
@@ -236,6 +266,7 @@ These steps describe how to use Microsoft Graph Explorer (recommended), but you
     Content-type: application/json
     
     {
+        "@odata.context": "https://graph.microsoft.com/beta/$metadata#microsoft.graph.applicationServicePrincipal",
         "application": {
             "objectId": "{objectId}",
             "appId": "{appId}",
@@ -327,47 +358,7 @@ These steps describe how to use Microsoft Graph Explorer (recommended), but you
     HTTP/1.1 204 No Content
     ```
 
-## Step 7: Assign a user to the configuration
-
-![Icon for the source tenant.](./media/common/icon-tenant-source.png)<br/>**Source tenant**
-
-For cross-tenant synchronization to work, at least one internal user must be assigned to the configuration.
-
-1. In the source tenant, use the [Grant an appRoleAssignment for a service principal](/graph/api/serviceprincipal-post-approleassignedto) API to assign an internal user to the configuration.
-
-    **Request**
-    
-    ```http
-    POST https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipalId}/appRoleAssignedTo
-    Content-type: application/json
-    
-    {
-        "appRoleId": "{appRoleId}",
-        "resourceId": "{servicePrincipalId}",
-        "principalId": "{principalId}"
-    }
-    ```
-
-    **Response**
-    
-    ```http
-    HTTP/1.1 201 Created
-    Content-Type: application/json
-    {
-        "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('{servicePrincipalId}')/appRoleAssignedTo/$entity",
-        "id": "{keyId}",
-        "deletedDateTime": null,
-        "appRoleId": "{appRoleId}",
-        "createdDateTime": "2022-11-27T22:23:48.6541804Z",
-        "principalDisplayName": "User1",
-        "principalId": "{principalId}",
-        "principalType": "User",
-        "resourceDisplayName": "Fabrikam",
-        "resourceId": "{servicePrincipalId}"
-    }
-    ```
-
-## Step 8: Create a provisioning job in the source tenant
+## Step 7: Create a provisioning job in the source tenant
 
 ![Icon for the source tenant.](./media/common/icon-tenant-source.png)<br/>**Source tenant**
 
@@ -397,6 +388,7 @@ In the source tenant, to enable provisioning, create a provisioning job.
     Content-type: application/json
     
     {
+        "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals('{servicePrincipalId}')/synchronization/jobs/$entity",
         "id": "{jobId}",
         "templateId": "Azure2Azure",
         "schedule": {
@@ -431,11 +423,11 @@ In the source tenant, to enable provisioning, create a provisioning job.
     }
     ```
 
-## Step 9: Save your credentials
+## Step 8: Save your credentials
 
 ![Icon for the source tenant.](./media/common/icon-tenant-source.png)<br/>**Source tenant**
 
-1. Use the [synchronization: secrets](/graph/api/synchronization-synchronization-secrets?view=graph-rest-beta&preserve-view=true) API to save your credentials.
+1. In the source tenant, use the [synchronization: secrets](/graph/api/synchronization-synchronization-secrets?view=graph-rest-beta&preserve-view=true) API to save your credentials.
 
     **Request**
     
@@ -471,13 +463,53 @@ In the source tenant, to enable provisioning, create a provisioning job.
     HTTP/1.1 204 No Content
     ```
 
+## Step 9: Assign a user to the configuration
+
+![Icon for the source tenant.](./media/common/icon-tenant-source.png)<br/>**Source tenant**
+
+For cross-tenant synchronization to work, at least one internal user must be assigned to the configuration.
+
+1. In the source tenant, use the [Grant an appRoleAssignment for a service principal](/graph/api/serviceprincipal-post-approleassignedto) API to assign an internal user to the configuration.
+
+    **Request**
+    
+    ```http
+    POST https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipalId}/appRoleAssignedTo
+    Content-type: application/json
+    
+    {
+        "appRoleId": "{appRoleId}",
+        "resourceId": "{servicePrincipalId}",
+        "principalId": "{principalId}"
+    }
+    ```
+
+    **Response**
+    
+    ```http
+    HTTP/1.1 201 Created
+    Content-Type: application/json
+    {
+        "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('{servicePrincipalId}')/appRoleAssignedTo/$entity",
+        "id": "{keyId}",
+        "deletedDateTime": null,
+        "appRoleId": "{appRoleId}",
+        "createdDateTime": "2022-11-27T22:23:48.6541804Z",
+        "principalDisplayName": "User1",
+        "principalId": "{principalId}",
+        "principalType": "User",
+        "resourceDisplayName": "Fabrikam",
+        "resourceId": "{servicePrincipalId}"
+    }
+    ```
+
 ## Step 10: Test provision on demand
 
 ![Icon for the source tenant.](./media/common/icon-tenant-source.png)<br/>**Source tenant**
 
 Now that you have a configuration, you can test on-demand provisioning with one of your users.
 
-1. Use the [synchronizationJob: provisionOnDemand](/graph/api/synchronization-synchronizationjob-provision-on-demand?view=graph-rest-beta&preserve-view=true) API to provision a test user on demand.
+1. In the source tenant, use the [synchronizationJob: provisionOnDemand](/graph/api/synchronization-synchronizationjob-provision-on-demand?view=graph-rest-beta&preserve-view=true) API to provision a test user on demand.
 
     **Request**
     
@@ -504,7 +536,7 @@ Now that you have a configuration, you can test on-demand provisioning with one
 
 ![Icon for the source tenant.](./media/common/icon-tenant-source.png)<br/>**Source tenant**
 
-1. Now that the provisioning job is configured, use the [Start synchronizationJob](/graph/api/synchronization-synchronizationjob-start?view=graph-rest-beta&preserve-view=true) API to start the provisioning job.
+1. Now that the provisioning job is configured, in the source tenant, use the [Start synchronizationJob](/graph/api/synchronization-synchronizationjob-start?view=graph-rest-beta&preserve-view=true) API to start the provisioning job.
 
     **Request**
     
@@ -523,7 +555,7 @@ Now that you have a configuration, you can test on-demand provisioning with one
 
 ![Icon for the source tenant.](./media/common/icon-tenant-source.png)<br/>**Source tenant**
 
-1. Now that the provisioning job is running, use the [Get synchronizationJob](/graph/api/synchronization-synchronizationjob-get?view=graph-rest-beta&preserve-view=true) API to monitor the progress of the current provisioning cycle as well as statistics to date such as the number of users and groups that have been created in the target system.
+1. Now that the provisioning job is running, in the source tenant, use the [Get synchronizationJob](/graph/api/synchronization-synchronizationjob-get?view=graph-rest-beta&preserve-view=true) API to monitor the progress of the current provisioning cycle as well as statistics to date such as the number of users and groups that have been created in the target system.
 
     **Request**
     
@@ -721,12 +753,9 @@ Either the signed-in user doesn't have sufficient privileges, or you need to con
 
 **Solution**
 
-1. Make sure you're assigned the [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator) role or another Azure AD role with privileges.
+1. Make sure you're assigned the required roles. See [Prerequisites](#prerequisites) earlier in this article.
 
-2. In [Microsoft Graph Explorer tool](https://aka.ms/ge), make sure you consent to the required permissions:
-
-    - `Policy.Read.All`
-    - `Policy.ReadWrite.CrossTenantAccess`
+2. In [Microsoft Graph Explorer tool](https://aka.ms/ge), make sure you consent to the required permissions. See [Step 1: Sign in to tenants and consent to permissions](#step-1-sign-in-to-tenants-and-consent-to-permissions) earlier in this article.
 
 ## Next steps
 

articles/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: multi-tenant-organizations
 ms.topic: how-to
-ms.date: 02/03/2023
+ms.date: 02/06/2023
 ms.author: rolyon
 ms.custom: it-pro
 
@@ -35,10 +35,17 @@ By the end of this article, you'll be able to:
 
 ## Prerequisites
 
-- A source [Azure AD tenant](../develop/quickstart-create-new-tenant.md) with a Premium P1 or P2 license
-- A target [Azure AD tenant](../develop/quickstart-create-new-tenant.md) with a Premium P1 or P2 license
-- An account in the source tenant with the [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator) role to configure cross-tenant provisioning
-- An account in the target tenant with the [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator) role to configure the cross-tenant synchronization policy
+### Source tenant
+
+- Azure AD Premium P1 or P2 license
+- [Security Administrator](../roles/permissions-reference.md#security-administrator) role to configure cross-tenant access settings
+- [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator) role to configure cross-tenant synchronization
+- [Cloud Application Administrator](../roles/permissions-reference.md#cloud-application-administrator) or [Application Administrator](../roles/permissions-reference.md#application-administrator) role to assign users to a configuration and to delete a configuration
+
+### Target tenant
+
+- Azure AD Premium P1 or P2 license
+- [Security Administrator](../roles/permissions-reference.md#security-administrator) role to configure cross-tenant access settings
 
 ## Step 1: Plan your provisioning deployment