
Commit 3987832

Merge pull request #177169 from MicrosoftDocs/master
10/22 AM Publish
2 parents 2234823 + c59eb86 commit 3987832


88 files changed: +1424 / -361 lines


.github/workflows/stale.yml

Lines changed: 2 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -19,7 +19,8 @@ jobs:
1919
close-pr-label: auto-close
2020
exempt-pr-labels: keep-open
2121
operations-per-run: 1200
22-
ascending: false
22+
ascending: true
23+
start-date: '2021-08-10'
2324
stale-pr-message: >
2425
This pull request has been inactive for at least 14 days.
2526
If you are finished with your changes, don't forget to sign off. See the [contributor guide](https://review.docs.microsoft.com/help/contribute/contribute-how-to-write-pull-request-automation) for instructions.
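Review bot: `ascending: true` changes which pull requests are reached first within the `operations-per-run: 1200` budget (oldest first instead of newest first), and `start-date: '2021-08-10'` means PRs created before that date are no longer evaluated at all; both are behaviour changes for the whole repo, so a short comment in the workflow stating the intent and why that cut-off date was chosen would help the next person who touches this file.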

articles/active-directory/cloud-sync/how-to-install.md

Lines changed: 2 additions & 2 deletions
@@ -7,7 +7,7 @@ manager: daveba
77
ms.service: active-directory
88
ms.workload: identity
99
ms.topic: how-to
10-
ms.date: 09/10/2021
10+
ms.date: 10/19/2021
1111
ms.subservice: hybrid
1212
ms.author: billmath
1313
ms.collection: M365-identity-device-management
@@ -27,7 +27,7 @@ For additional information and an example, see the following video.
2727
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWK5mR]
2828
2929
## Group Managed Service Accounts
30-
A group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators. It also extends this functionality over multiple servers. Azure AD Connect cloud sync supports and recommends the use of a group Managed Service Account for running the agent. For more information on a group Managed Service Account, see [Group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).
30+
A group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators. It also extends this functionality over multiple servers. Azure AD Connect cloud sync supports and recommends the use of a group Managed Service Account for running the agent. For more information on a group Managed Service Account, see [Group Managed Service Accounts](how-to-prerequisites.md#group-managed-service-accounts).
3131

3232

3333
### Upgrade an existing agent to use the gMSA
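Review bot: the link target moves from the Windows Server gMSA overview to `how-to-prerequisites.md#group-managed-service-accounts`; confirm that heading exists in the prerequisites article so the anchor resolves. Since the prerequisites hunk in this same commit links back to `how-to-install.md#group-managed-service-accounts`, the two articles now point at each other, which is fine only if the conceptual gMSA overview (`/windows-server/security/group-managed-service-accounts/...`) is still reachable from one of them.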

articles/active-directory/cloud-sync/how-to-prerequisites.md

Lines changed: 38 additions & 1 deletion
@@ -7,7 +7,7 @@ manager: daveba
77
ms.service: active-directory
88
ms.workload: identity
99
ms.topic: how-to
10-
ms.date: 10/18/2021
10+
ms.date: 10/19/2021
1111
ms.subservice: hybrid
1212
ms.author: billmath
1313
ms.collection: M365-identity-device-management
@@ -50,6 +50,43 @@ If you are creating a custom gMSA account, you need to ensure that the account h
5050

5151
For steps on how to upgrade an existing agent to use a gMSA account see [Group Managed Service Accounts](how-to-install.md#group-managed-service-accounts).
5252

53+
#### Create gMSA account with PowerShell
54+
You can use the following PowerShell script to create a custom gMSA account. Then you can use the [cloud sync gMSA cmdlets](how-to-gmsa-cmdlets.md) to apply more granular permissions.
55+
```powershell
56+
# Filename: 1_SetupgMSA.ps1
57+
# Description: Creates and installs a custom gMSA account for use with Azure AD Connect cloud sync.
58+
#
59+
# DISCLAIMER:
60+
# Copyright (c) Microsoft Corporation. All rights reserved. This
61+
# script is made available to you without any express, implied or
62+
# statutory warranty, not even the implied warranty of
63+
# merchantability or fitness for a particular purpose, or the
64+
# warranty of title or non-infringement. The entire risk of the
65+
# use or the results from the use of this script remains with you.
66+
#
67+
#
68+
#
69+
#
70+
# Declare variables
71+
$Name = 'provAPP1gMSA'
72+
$Description = "Azure AD Cloud Sync service account for APP1 server"
73+
$Server = "APP1.contoso.com"
74+
$Principal = Get-ADGroup 'Domain Computers'
75+
76+
# Create service account in Active Directory
77+
New-ADServiceAccount -Name $Name `
78+
-Description $Description `
79+
-DNSHostName $Server `
80+
-ManagedPasswordIntervalInDays 30 `
81+
-PrincipalsAllowedToRetrieveManagedPassword $Principal `
82+
-Enabled $True `
83+
-PassThru
84+
85+
# Install the new service account on Azure AD Cloud Sync server
86+
Install-ADServiceAccount -Identity $Name
87+
```
88+
For additional information on the cmdlets above, see [Getting Started with Group Managed Service Accounts](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)?redirectedfrom=MSDN).
89+
5390
### In the Azure Active Directory admin center
5491

5592
1. Create a cloud-only hybrid identity administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant if your on-premises services fail or become unavailable. Learn about how to [add a cloud-only hybrid identity administrator account](../fundamentals/add-users-azure-active-directory.md). Finishing this step is critical to ensure that you don't get locked out of your tenant.
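Review bot: `$Principal = Get-ADGroup 'Domain Computers'` passed to `-PrincipalsAllowedToRetrieveManagedPassword` lets every domain-joined computer retrieve the gMSA password, which is far broader than the single cloud sync server the account is intended for (`$Server = "APP1.contoso.com"`); suggest the sample reference a dedicated group containing only the cloud sync server(s) (for example `Get-ADGroup 'CloudSyncServers'`, name hypothetical) and that the prose say why. Two operational notes are also missing: `Install-ADServiceAccount -Identity $Name` has to run on the server that will host the agent, and `-ManagedPasswordIntervalInDays` can only be set when the account is created, so a wrong value means recreating the account. The four empty `#` lines after the disclaimer block can be dropped.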

articles/active-directory/devices/hybrid-azuread-join-managed-domains.md

Lines changed: 2 additions & 1 deletion
@@ -6,7 +6,7 @@ services: active-directory
66
ms.service: active-directory
77
ms.subservice: devices
88
ms.topic: tutorial
9-
ms.date: 01/26/2021
9+
ms.date: 10/22/2021
1010

1111
ms.author: joflore
1212
author: MicrosoftGuyJFlo
@@ -71,6 +71,7 @@ Hybrid Azure AD join requires devices to have access to the following Microsoft
7171
- `https://login.microsoftonline.com`
7272
- `https://device.login.microsoftonline.com`
7373
- `https://autologon.microsoftazuread-sso.com` (If you use or plan to use seamless SSO)
74+
- `https://enterpriseregistration.windows.net`
7475

7576
> [!WARNING]
7677
> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or Azure AD tenant restrictions, ensure that traffic to 'https://device.login.microsoftonline.com' is excluded from TLS break-and-inspect. Failure to exclude 'https://device.login.microsoftonline.com' may cause interference with client certificate authentication, causing issues with device registration and device-based Conditional Access.
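Review bot: the new `https://enterpriseregistration.windows.net` entry is the only item in the list with no hint of what it is used for (the autologon entry carries a parenthetical); consider adding one. The warning that follows names only `https://device.login.microsoftonline.com` as needing exclusion from TLS break-and-inspect; confirm whether the newly added endpoint needs the same exclusion and, if so, add it to the warning in this same change rather than leaving readers to discover it.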
Lines changed: 161 additions & 0 deletions
@@ -0,0 +1,161 @@
1+
---
2+
title: 'Tutorial: Configure Peripass for automatic user provisioning with Azure Active Directory | Microsoft Docs'
3+
description: Learn how to automatically provision and de-provision user accounts from Azure AD to Peripass.
4+
services: active-directory
5+
author: twimmers
6+
writer: twimmers
7+
manager: beatrizd
8+
ms.assetid: 1d036aa3-4e07-4f48-a6ae-40fc6c066e42
9+
ms.service: active-directory
10+
ms.subservice: saas-app-tutorial
11+
ms.workload: identity
12+
ms.topic: tutorial
13+
ms.date: 09/27/2021
14+
ms.author: thwimmer
15+
---
16+
17+
# Tutorial: Configure Peripass for automatic user provisioning
18+
19+
This tutorial describes the steps you need to perform in both Peripass and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Peripass](https://www.peripass.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
20+
21+
22+
## Capabilities Supported
23+
> [!div class="checklist"]
24+
> * Create users in Peripass
25+
> * Remove users in Peripass when they do not require access anymore
26+
> * Keep user attributes synchronized between Azure AD and Peripass
27+
> * [Single sign-on](../manage-apps/add-application-portal-setup-oidc-sso.md) to Peripass (recommended)
28+
29+
## Prerequisites
30+
31+
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
32+
33+
* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
34+
* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
35+
* A Peripass tenant - contact [Peripass](https://www.peripass.com/) to set up your tenant.
36+
* A Peripass user with permissions to the tenant's configuration.
37+
38+
## Step 1. Plan your provisioning deployment
39+
1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
40+
2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
41+
3. Determine what data to [map between Azure AD and Peripass](../app-provisioning/customize-application-attributes.md).
42+
43+
## Step 2. Configure Peripass to support provisioning with Azure AD
44+
45+
1. Sign in to Peripass using your tenant's sign-in url.
46+
47+
2. Go to your tenant's **Configuration**.
48+
49+
![Screenshot of Peripass main menu](media/peripass-provisioning-tutorial/peripass-main-menu.png)
50+
51+
3. Open the **Identity providers & provisioning** settings.
52+
53+
![Screenshot of Peripass tenant configuration](media/peripass-provisioning-tutorial/peripass-configuration.png)
54+
55+
4. Give a **Provider name** to the identity provider you're configuring.
56+
57+
5. Pick the **User role** that should be assigned to the provisioned users.
58+
59+
6. Note down your tenant's **SCIM Endpoint** and **SCIM Token** (you will need it later on when configuring the user provisioning in the Azure AD Enterprise Applications and use it as **Peripass Tenant URL** and **Secret Token**).
60+
61+
![Screenshot of Peripass id provider settings](media/peripass-provisioning-tutorial/peripass-id-provider-settings.png)
62+
63+
7. **Save your changes** in the configuration.
64+
65+
![Screenshot of saving the provider](media/peripass-provisioning-tutorial/peripass-save-changes.png)
66+
67+
## Step 3. Add Peripass from the Azure AD application gallery
68+
69+
Add Peripass from the Azure AD application gallery to start managing provisioning to Peripass. If you have previously setup Peripass for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
70+
71+
## Step 4. Define who will be in scope for provisioning
72+
73+
The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
74+
75+
* When assigning users and groups to Peripass, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add more roles.
76+
77+
* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control it by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
78+
79+
80+
## Step 5. Configure automatic user provisioning to Peripass
81+
82+
This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD.
83+
84+
### To configure automatic user provisioning for Peripass in Azure AD:
85+
86+
1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
87+
88+
![Enterprise applications blade](common/enterprise-applications.png)
89+
90+
2. In the applications list, select **Peripass**.
91+
92+
![The Peripass link in the Applications list](common/all-applications.png)
93+
94+
3. Select the **Provisioning** tab.
95+
96+
![Provision tab](common/provisioning.png)
97+
98+
4. Set the **Provisioning Mode** to **Automatic**.
99+
100+
![Provisioning tab](common/provisioning-automatic.png)
101+
102+
5. Under the **Admin Credentials** section, input your Peripass Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Peripass. If the connection fails, ensure your Peripass account has Admin permissions and try again.
103+
104+
![Token](common/provisioning-testconnection-tenanturltoken.png)
105+
106+
6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
107+
108+
![Notification Email](common/provisioning-notification-email.png)
109+
110+
7. Select **Save**.
111+
112+
8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Peripass**.
113+
114+
9. Review the user attributes that are synchronized from Azure AD to Peripass in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Peripass for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Peripass API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
115+
116+
|Attribute|Type|Supported for filtering|
117+
|---|---|---|
118+
|userName|String|✓
119+
|active|Boolean|
120+
|displayName|String|
121+
|externalId|String|
122+
|preferredLanguage|String|
123+
|name.givenName|String|
124+
|name.familyName|String|
125+
|name.formatted|String|
126+
|phoneNumbers[type eq "mobile"].value|String|
127+
|emails[type eq "work"].value|String|
128+
129+
10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
130+
131+
11. To enable the Azure AD provisioning service for Peripass, change the **Provisioning Status** to **On** in the **Settings** section.
132+
133+
![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
134+
135+
12. Define the users and/or groups that you would like to provision to Peripass by choosing the desired values in **Scope** in the **Settings** section.
136+
137+
![Provisioning Scope](common/provisioning-scope.png)
138+
139+
13. When you are ready to provision, click **Save**.
140+
141+
![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
142+
143+
This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running.
144+
145+
## Step 6. Monitor your deployment
146+
Once you've configured provisioning, use the following resources to monitor your deployment:
147+
148+
1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
149+
2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
150+
3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
151+
152+
153+
154+
## More resources
155+
156+
* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
157+
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
158+
159+
## Next steps
160+
161+
* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
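Review bot: the sentence under Step 5 still reads "create, update, and disable users and/or groups in TestApp" and should say Peripass (template placeholder left in). Minor wording: "sign-in url" to "sign-in URL", "previously setup Peripass" to "previously set up Peripass", and "you will need it later on ... and use it as" to "you will need them later on ... and use them as", since two values are noted down. In the attribute table only `userName` is marked as supported for filtering, which is consistent with the warning about changing the matching attribute, but the data rows lack the closing `|` that the header row has; most renderers tolerate it, yet it is worth making consistent.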

articles/active-directory/saas-apps/toc.yml

Lines changed: 3 additions & 1 deletion
@@ -2616,7 +2616,9 @@
26162616
- name: PaperCut Cloud Print Management
26172617
href: papercut-cloud-print-management-provisioning-tutorial.md
26182618
- name: Parsable
2619-
href: parsable-provisioning-tutorial.md
2619+
href: parsable-provisioning-tutorial.md
2620+
- name: Peripass
2621+
href: peripass-provisioning-tutorial.md
26202622
- name: Pingboard
26212623
href: pingboard-provisioning-tutorial.md
26222624
- name: Playvox
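Review bot: the `href: parsable-provisioning-tutorial.md` line is removed and re-added with identical visible content, so the change is presumably trailing whitespace or line endings; confirm it is intentional rather than an editor artifact, since adding the Peripass entry only requires the two `+` lines. The new entry does keep the list's alphabetical order (Parsable, Peripass, Pingboard).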
