Updates from: 05/05/2023 01:15:42
Service: active-directory-b2c
Microsoft Docs article: Partner Akamai
Related commit history on GitHub: https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-akamai.md
Change details:
Title: Configure Azure Active Directory B2C with Akamai Web Application Firewall
+ Title: Configure Azure Active Directory B2C with Akamai Web Application Protector
-description: Configure Akamai Web application firewall with Azure AD B2C
+description: Configure Akamai Web Application Protector with Azure AD B2C
-+ - Previously updated : 04/03/2022 Last updated : 05/04/2023
-# Configure Akamai with Azure Active Directory B2C
-
-In this sample article, learn how to enable [Akamai Web Application Firewall (WAF)](https://www.akamai.com/us/en/resources/web-application-firewall.jsp) solution for Azure Active Directory B2C (Azure AD B2C) tenant using custom domains. Akamai WAF helps organization protect their web applications from malicious attacks that aim to exploit vulnerabilities such as SQL injection and Cross site scripting.
+# Configure Azure Active Directory B2C with Akamai Web Application Protector
->[!NOTE]
->This feature is in public preview.
+Learn to enable Akamai Web Application Protector (WAP) for Azure Active Directory B2C (Azure AD B2C) tenant using custom domains. Akamai WAP helps organization protect their web applications from malicious attacks that aim to exploit vulnerabilities such as SQL injection and Cross site scripting.
-Benefits of using Akamai WAF solution:
+Learn more on akamai.com: [What Is a Web Application Firewall (WAF)?](https://www.akamai.com/glossary/what-is-a-waf)
-- An edge platform that allows traffic management to your services.
+Benefits of using WAF:
-- Can be configured in front of your Azure AD B2C tenant.
+* Control traffic management to your services
+* Configure in front of an Azure AD B2C tenant
+* Manipulate traffic to protect and secure your identity infrastructure
-- Allows fine grained manipulation of traffic to protect and secure your identity infrastructure.
+This article applies to:
-This article applies to both [Web Application Protector (WAP)](https://www.akamai.com/us/en/products/security/web-application-protector-enterprise-waf-firewall-ddos-protection.jsp) and [Kona Site Defender (KSD)](https://www.akamai.com/us/en/products/security/kona-site-defender.jsp) WAF solutions that Akamai offers.
+WAP: [Web Application Protector](https://www.akamai.com/products/web-application-protector)
+KSD: [Kona Site Defender](https://www.akamai.com/us/en/products/security/kona-site-defender.jsp)
## Prerequisites
-To get started, you'll need:
--- An Azure subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).--- [An Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.--- An [Akamai WAF](https://www.akamai.com/us/en/akamai-free-trials.jsp) account.
+* An Azure subscription
+ * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)
+* An Azure AD B2C tenant linked to your Azure subscription
+ * See, [Tutorial: Create an Azure Active Directory B2C tenant](tutorial-create-tenant.md)
+* An Akamai WAP account
+ * Go to akamai.com for [Explore all Akamai products and trials](https://www.akamai.com/us/en/akamai-free-trials.jsp)
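Review bot: the product naming is inconsistent across the rewritten intro: the new title and opening paragraph say "Akamai Web Application Protector (WAP)", but the benefits heading reads "Benefits of using WAF:", and the "This article applies to" block still lists KSD with its old /us/en/ link while the WAP link was updated. Pick one name for the product the steps cover ("Benefits of using Akamai WAP:") and either refresh or drop the KSD link so readers know which product these instructions were validated against.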
## Scenario description
-Akamai WAF integration includes the following components:
+Akamai WAP integration includes the following components:
-- **Azure AD B2C Tenant** ΓÇô The authorization server, responsible for verifying the userΓÇÖs credentials using the custom policies defined in the tenant. It's also known as the identity provider.--- [**Azure Front Door**](../frontdoor/front-door-overview.md) ΓÇô Responsible for enabling custom domains for Azure B2C tenant. All traffic from Akamai WAF will be routed to Azure Front Door before arriving at Azure AD B2C tenant.--- [**Akamai WAF**](https://www.akamai.com/us/en/resources/waf.jsp) ΓÇô The web application firewall, which manages all traffic that is sent to the authorization server.
+* **Azure AD B2C** ΓÇô the authorization server that verifies user credentials with custom policies in the tenant. Also known as the identity provider (IdP).
+* **Azure Front Door** ΓÇô enables custom domains for the Azure B2C tenant
+ * Traffic from Akamai WAP routs to Azure Front Door then goes to the Azure AD B2C tenant
+ * [What is Azure Front Door?](../frontdoor/front-door-overview.md)
+* **Akamai WAP** ΓÇô The web application firewall that manages traffic sent to the authorization server
+ * See, [Web Application Protector](https://www.akamai.com/us/en/resources/waf.jsp)
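Review bot: "routs" in the Azure Front Door sub-bullet should be "routes", and its parent bullet says "Azure B2C tenant" where the rest of the article uses "Azure AD B2C tenant". The "Web Application Protector" link under Akamai WAP points to /us/en/resources/waf.jsp while the applies-to block links /products/web-application-protector; use one product URL in both places.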
## Integrate with Azure AD B2C
-1. To use custom domains in Azure AD B2C, it's required to use custom domain feature provided by Azure Front Door. Learn how to [enable Azure AD B2C custom domains](./custom-domain.md?pivots=b2c-user-flow).
+For custom domains in Azure AD B2C, use the custom domain feature in Azure Front Door.
-1. After custom domain for Azure AD B2C is successfully configured using Azure Front Door, [test the custom domain](./custom-domain.md?pivots=b2c-custom-policy#test-your-custom-domain) before proceeding further.
+See, [Enable custom domains for Azure AD B2C](./custom-domain.md?pivots=b2c-user-flow).
-## Onboard with Akamai
+When the custom domain for Azure AD B2C is configured using Azure Front Door, use the following instructions to test the custom domain.
-[Sign-up](https://www.akamai.com) and create an Akamai account.
+See, [Test your custom domain](./custom-domain.md?pivots=b2c-custom-policy#test-your-custom-domain), then proceed to the next section.
-### Create and configure property
+## Create an Akamai account
-1. [Create a new property](https://control.akamai.com/wh/CUSTOMER/AKAMAI/en-US/WEBHELP/property-manager/property-manager-help/GUID-14BB87F2-282F-4C4A-8043-B422344884E6.html).
+1. Go to [akamai.com](https://www.akamai.com).
+2. Select **Learn more**.
+3. On the **Cloud Computing Services** page, select **Create account**.
-1. Configure the property settings as:
+### Create and configure a property
- | Property | Value |
- |:|:|
- |Property version | Select Standard or Enhanced TLS (preferred) |
- |Property hostnames | Add a property hostname. This is the name of your custom domain, for example, `login.domain.com`. <BR> Create or modify a certificate with the appropriate settings for the custom domain name. Learn more about [creating a certificate](https://learn.akamai.com/en-us/webhelp/property-manager/https-delivery-with-property-manager/GUID-9EE0EB6A-E62B-4F5F-9340-60CBD093A429.html). |
+A property is a configuration file that tells our edge servers how to handle and respond to incoming requests from your end users. Properties are created and maintained in Property Manager.
-1. Set the origin server property configuration settings as:
+To learn more, go to techdocs.akamai.com for [What is a Property?](https://techdocs.akamai.com/start/docs/prop)
- |Property| Value |
- |:--|:--|
- | Origin type | Your origin |
- | Origin server hostname | yourafddomain.azurefd.net |
- | Forward host header | Incoming Host Header |
- | Cache key hostname| Incoming Host Header |
+1. Go to control.akamai.com to sign in: [Akamai Control Center sign in page](https://control.akamai.com/wh/CUSTOMER/AKAMAI/en-US/WEBHELP/property-manager/property-manager-help/GUID-14BB87F2-282F-4C4A-8043-B422344884E6.html).
+2. Go to Property Manager.
+3. For **Property version**, select **Standard** or **Enhanced TLS** (recommended).
+4. For **Property hostnames**, add a property hostname, your custom domain. For example, `login.domain.com`.
-### Configure DNS
+ > [!IMPORTANT]
+ > Create or modify certificates with correct custom domain name settings. </br> Go to techdocs.akamai.com for [Configure HTTPS hostnames](https://learn.akamai.com/en-us/webhelp/property-manager/https-delivery-with-property-manager/GUID-9EE0EB6A-E62B-4F5F-9340-60CBD093A429.html).
-Create a CNAME record in your DNS such as `login.domain.com` that points to the Edge hostname in the Property hostname field.
+#### Origin server property configuration settings
-### Configure Akamai WAF
+Use the following settings for origin server.
-1. [Configure Akamai WAF](https://learn.akamai.com/en-us/webhelp/kona-site-defender/kona-site-defender-quick-start/GUID-6294B96C-AE8B-4D99-8F43-11B886E6C39A.html#GUID-6294B96C-AE8B-4D99-8F43-11B886E6C39A).
+1. For **Origin type**, enter your type.
+2. For **Origin server hostname** enter your hostname. For example, `yourafddomain.azurefd.net`
+3. For **Forward host header**, use **Incoming Host Header**.
+4. For **Cache key hostname** use **Incoming Host Header**.
+
+### Configure DNS
-1. Ensure that **Rule Actions** for all items listed under the **Attack Group** are set to **Deny**.
+Create a Canonical Name (CNAME) record in your DNS, such as `login.domain.com`, which points to the Edge hostname in the **Property hostname** field.
- ![Image shows rule action set to deny](./media/partner-akamai/rule-action-deny.png)
+### Configure Akamai WAP
-Learn more about [how the control works and configuration options](https://control.akamai.com/dl/security/GUID-81C0214B-602A-4663-839D-68BCBFF41292.html).
+1. To get started with WAP configuration, go to techdocs.akamai.com for [App & API Protector](https://techdocs.akamai.com/cloud-security/docs/app-api-protector).
+2. During configuration, for items in **Attack Group**, under **Rule Actions**, select **Deny**.
-<!-- docutune:ignore "Security Center" -->
+ ![Screenshot of denied attack groups, in the Rule Action column.](./media/partner-akamai/rule-action-deny.png)
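Review bot: the link text "Akamai Control Center sign in page" points to a Property Manager help topic (…/WEBHELP/property-manager/…), not to a sign-in page; either link control.akamai.com directly or change the text to name the help topic. Two smaller points in the same region: the IMPORTANT note says "Go to techdocs.akamai.com" but its URL is on learn.akamai.com; and "For **Origin type**, enter your type." lost the value carried by the removed table row ("Your origin"), so readers no longer know which option to choose. Suggest: "For **Origin type**, select **Your origin**."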
### Test the settings
-Check the following to ensure all traffic to Azure AD B2C is going through the custom domain:
+To ensure traffic to Azure AD B2C goes through the custom domain:
-- Make sure all incoming requests to Azure AD B2C custom domain are routed via Akamai WAF and using valid TLS connection.-- Ensure all cookies are set correctly by Azure AD B2C for the custom domain.-- The Akamai WAF dashboard available under Defender for Cloud console display charts for all traffic that pass through the WAF along with any attack traffic.
+* Confirm WAP routes incoming requests to the Azure AD B2C custom domain
+ * Ensure a valid TLS connection
+* Ensure Azure AD B2C sets cookies correctly for the custom domain
+* The WAP dashboard in Defender for Cloud console has WAP traffic charts
+ * Attack traffic also appears
## Next steps -- [Configure a custom domain in Azure AD B2C](./custom-domain.md?pivots=b2c-user-flow)
+* [Enable custom domains for Azure Active Directory B2C](./custom-domain.md?pivots=b2c-user-flow)
+* [Tutorial: Create user flows and custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy&tabs=applications)
-- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy&tabs=applications)
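Review bot: the first test bullet weakens the check it replaces. The removed line required that all incoming requests to the custom domain are routed via Akamai WAF over a valid TLS connection; the new "Confirm WAP routes incoming requests to the Azure AD B2C custom domain" only states that WAP forwards traffic, which holds even when some requests reach the domain without passing through WAP. Since the point of this test is that nothing bypasses the WAF, suggest: "* Confirm all requests to the Azure AD B2C custom domain arrive through Akamai WAP over a valid TLS connection". Also verify that the WAP dashboard is still surfaced in the Defender for Cloud console; the docutune comment removed above still referenced the old "Security Center" name, so this sentence predates that rename.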
Service: active-directory-b2c
Microsoft Docs article: Partner Asignio
Related commit history on GitHub: https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-asignio.md
Change details:
Title: Configure Azure Active Directory B2C with Asignio
+ Title: Configure Asignio with Azure Active Directory B2C for multifactor authentication
-description: Configure Azure Active Directory B2C with Asignio for multi-factor authentication
+description: Configure Azure Active Directory B2C with Asignio for multifactor authentication
--+ Previously updated : 04/20/2022 Last updated : 05/04/2023 zone_pivot_groups: b2c-policy-type
-# Configure Asignio with Azure Active Directory B2C for multi-factor authentication
----
-In this sample article, learn how to integrate Azure Active Directory (Azure AD B2C) authentication with [Asignio](https://www.asignio.com/). Using this integration, organizations can provide passwordless, soft biometric, and multi-factor authentication (MFA) experience to their customers. Asignio's user friendly, web-based solution is available on any device, anytime, and anywhere. Asignio uses a combination of the patented Asignio Signature and live facial verification for user authentication. The changeable biometric signature eliminates passwords, fraud, phishing, and credential reuse through omni-channel authentication.
+# Configure Asignio with Azure Active Directory B2C for multifactor authentication
-## Prerequisites
-
-To get started, you'll need:
+Learn to integrate Azure Active Directory (Azure AD B2C) authentication with [Asignio](https://www.asignio.com/). With this integration, provide passwordless, soft biometric, and multifactor authentication experience to customers. Asignio uses patented Asignio Signature and live facial verification for user authentication. The changeable biometric signature helps to reduce passwords, fraud, phishing, and credential reuse through omni-channel authentication.
-- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+## Before you begin
-- An [Azure AD B2C tenant](./tutorial-create-tenant.md) that's linked to your Azure subscription.
+Choose a policy type selector to indicate the policy type setup. Azure AD B2C has two methods to define how users interact with your applications:
-- An Asignio Client ID and Client Secret that will be issued by [Asignio](https://www.asignio.com/). These tokens are obtained by registering your mobile or web applications with Asignio.
+* Predefined user flows
+* Configurable custom policies
+The steps in this article differ for each method.
-- Complete the steps in the article [get started with custom policies in Azure Active Directory B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy).
+Learn more:
+* [User flows and custom policies overview](user-flow-overview.md)
+* [Azure AD B2C custom policy overview](custom-policy-overview.md)
-## Scenario description
-
-This integration includes the following components:
-- **Azure AD B2C**: The authorization server, responsible for verifying the user's credentials.--- **Web or mobile applications:** The web or mobile applications you wish to secure with Asignio MFA.--- **Asignio web application:** Signature biometric collection on the user's touch device.-
-The following architecture diagram shows the implementation.
-
-![image shows the architecture diagram](./media/partner-asignio/partner-asignio-architecture-diagram.png)
-
-| Step | Description |
-|:--|:--|
-| 1. | User opens Azure AD B2C's sign in page on their mobile or web application, and then signs in or signs up by entering their username.|
-| 2. | Azure AD B2C redirects the user to Asignio using an OpenID Connect (OIDC) request. |
-| 3. | The user is redirected to the Asignio web application to complete the biometric sign in. If the user hasn't registered their Asignio Signature, they can choose to use an SMS One-Time-Password (OTP) to authenticate the immediate request. Once authenticated, user will receive a registration link to finish creating their Asignio Signature. |
-| 4. | The user authenticates via Asignio using their Asignio Signature and facial verification or voice and facial verification.|
-|5. | The challenge response is then sent back to Asignio. |
-| 6. | Asignio returns the OIDC response to Azure AD B2C sign in. |
-| 7. | Azure AD B2C sends an authentication verification request to Asignio to confirm receipt of the authentication data. |
-| 8. | The user is either granted or denied access to the application based on the authentication results. |
-
-## Step 1: Configure an application with Asignio
+## Prerequisites
-Configuring an application with Asignio is accomplished through Asignio's Partner Administration site. Contact Asignio to request access to https://partner.asignio.com for your organization. Once you've obtained credentials, sign into Asignio Partner Administration and complete the following steps:
+* An Azure AD subscription.
+* If you don't have on, get an [Azure free account](https://azure.microsoft.com/free/)
-1. Create a record for your Azure AD B2C application using your Azure AD B2C tenant. When Azure AD B2C is used with Asignio, Azure AD B2C manages your connected applications. All apps in your Azure portal are represented by a single application within Asignio.
+- An Azure AD B2C tenant linked to the Azure subscription
+- See, [Tutorial: Create an Azure Active Directory B2C tenant](./tutorial-create-tenant.md)
-1. In the Asignio Partner Administration site, generate a Client ID and Client Secret. Once generated, store Client ID and Client Secret in a secure place, you'll need them later to configure Asignio as an Identity provider. Asignio doesn't store the Client Secret.
+- An Asignio Client ID and Client Secret issued by Asignio.
+- These tokens are obtained by registering your mobile or web applications with Asignio.
-1. Supply redirect URI. This is the URI in your site to which the user is returned after a successful authentication. The URI that should be provided to Asignio for your Azure B2C follows the pattern - `[https://<your-b2c-domain>.b2clogin.com/<your-b2c-domain>.onmicrosoft.com/oauth2/authresp]`.
+### For custom policies
-1. Upload a company logo. This logo is displayed to users on Asignio authentication when users sign into your site.
+Complete [Tutorial: Create user flows and custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy)
-## Step 2: Register a web application in Azure AD B2C
+## Scenario description
-Before your [applications](application-types.md) can interact with Azure AD B2C, they must be registered in a tenant that you manage.
+This integration includes the following components:
-For testing purposes like this tutorial, you're registering `https://jwt.ms`, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser).
+* **Azure AD B2C** - authorization server that verifies user credentials
+* **Web or mobile applications** - to secure with Asignio MFA
+* **Asignio web application** - signature biometric collection on the user touch device
-Follow the steps mentioned in [this tutorial](tutorial-register-applications.md?tabs=app-reg-ga) to **register a web application** and **enable ID token implicit grant** for testing a user flow or custom policy. There's no need to create a Client Secret at this time.
+The following diagram illustrates the implementation.
+ ![Diagram showing the implementation architecture.](./media/partner-asignio/partner-asignio-architecture-diagram.png)
-## Step 3: Configure Asignio as an identity provider in Azure AD B2C
-1. Sign in to the [Azure portal](https://portal.azure.com/#home) as the global administrator of your Azure AD B2C tenant.
+1. User opens Azure AD B2C sign in page on their mobile or web application, and then signs in or signs up.
+2. Azure AD B2C redirects the user to Asignio using an OpenID Connect (OIDC) request.
+3. The user is redirected to the Asignio web application for biometric sign in. If the user hasn't registered their Asignio Signature, they can use an SMS One-Time-Password (OTP) to authenticate. After authentication, user receives a registration link to create their Asignio Signature.
+4. The user authenticates with Asignio Signature and facial verification, or voice and facial verification.
+5. The challenge response goes to Asignio.
+6. Asignio returns the OIDC response to Azure AD B2C sign in.
+7. Azure AD B2C sends an authentication verification request to Asignio to confirm receipt of the authentication data.
+8. The user is granted or denied access to the application.
-1. Make sure you're using the Azure Active Directory (Azure AD) tenant that contains your Azure subscription:
+## Configure an application with Asignio
- 1. In the Azure portal toolbar, select the **Directories + subscriptions** (:::image type="icon" source="./../active-directory/develop/media/common/portal-directory-subscription-filter.png" border="false":::) icon.
-
- 1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD directory in the **Directory name** list, and then select **Switch** button next to it.
+Configurating an application with Asignio is with the Asignio Partner Administration site.
-1. Select **All services** in the top-left corner of the Azure portal, search for and select **Azure AD B2C**.
+1. Go to asignio.com [Asignio Partner Administration](https://partner.asignio.com) page to request access for your organization.
+2. With credentials, sign into Asignio Partner Administration.
+3. Create a record for the Azure AD B2C application using your Azure AD B2C tenant. When you use Azure AD B2C with Asignio, Azure AD B2C manages connected applications. Asignio apps represent apps in the Azure portal.
+4. In the Asignio Partner Administration site, generate a Client ID and Client Secret.
+5. Note and store Client ID and Client Secret. You'll use them later. Asignio doesn't store Client Secrets.
+6. Enter the redirect URI in your site the user is returned to after authentication. Use the following URI pattern.
-1. In the Azure portal, search for and select **Azure AD B2C**.
+`[https://<your-b2c-domain>.b2clogin.com/<your-b2c-domain>.onmicrosoft.com/oauth2/authresp]`.
-1. In the left menu, select **Identity providers**.
+7. Upload a company logo. It appears on Asignio authentication when users sign in.
-1. Select **New OpenID Connect Provider**.
+## Register a web application in Azure AD B2C
-1. Select **Identity provider type** > **OpenID Connect**.
+Register applications in a tenant you manage, then they can interact with Azure AD B2C.
-1. Fill out the form to set up the Identity provider
+Learn more: [Application types that can be used in Active Directory B2C](application-types.md)
- | Property | Value |
- |:--|:-|
- |Name | Login with Asignio *(or a name of your choice)*
- |Metadata URL | `https://authorization.asignio.com/.well-known/openid-configuration`|
- | Client ID | enter the client ID that you previously generated in [step 1](#step-1-configure-an-application-with-asignio)|
- |Client Secret | enter the Client secret that you previously generated in [step 1](#step-1-configure-an-application-with-asignio)|
- | Scope | openid email profile |
- | Response type | code |
- | Response mode | query |
- | Domain hint | https://asignio.com |
+For this tutorial, you're registering `https://jwt.ms`, a Microsoft web application with decoded token contents that don't leave your browser.
-1. Select **OK**.
+### Register a web application and enable ID token implicit grant
-1. Select **Map this identity provider's claims**.
+Complete [Tutorial: Register a web application in Azure Active Directory B2C](tutorial-register-applications.md?tabs=app-reg-ga)
-1. Fill out the form to map the Identity provider:
+## Configure Asignio as an identity provider in Azure AD B2C
- | Property | Value |
- |:--|:--|
- |User ID | sub |
- | Display Name | name |
- | Given Name | given_name |
- | Surname | family_name |
- | Email | email |
+For the following instructions, use the Azure AD tenant with the Azure subscription.
-1. Select **Save**.
+1. Sign in to the [Azure portal](https://portal.azure.com/#home) as the Global Administrator of the Azure AD B2C tenant.
+2. In the Azure portal toolbar, select **Directories + subscriptions**.
+3. On **Portal settings | Directories + subscriptions**, in the **Directory name** list, locate your Azure AD directory.
+4. Select **Switch**.
+5. In the top-left corner of the Azure portal, select **All services**.
+6. Search for and select **Azure AD B2C**.
+7. In the Azure portal, search for and select **Azure AD B2C**.
+8. In the left menu, select **Identity providers**.
+9. Select **New OpenID Connect Provider**.
+10. Select **Identity provider type** > **OpenID Connect**.
+11. For **Name**, enter the Asignio sign in, or a name you choose.
+12. For **Metadata URL**, enter `https://authorization.asignio.com/.well-known/openid-configuration`.
+13. For **Client ID**, enter the Client ID you generated.
+14. For **Client Secret**, enter the Client Secret you generated.
+15. For **Scope**, use **openid email profile**.
+16. For **Response type**, use **code**.
+17. For **Response mode**, use **query**.
+18. For Domain hint, use `https://asignio.com`.
+19. Select **OK**.
+20. Select **Map this identity provider's claims**.
+21. For **User ID**, use **sub**.
+22. For **Display Name**, use **name**.
+23. For **Given Name**, use **given_name**.
+24. For **Surname**, use **family_name**.
+25. For **Emai**l, use **email**.
+26. Select **Save**.
-## Step 4: Create a user flow policy
+## SCreate a user flow policy
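Review bot: the Client Secret step dropped the guidance to keep the secret safe: the removed text said "store Client ID and Client Secret in a secure place", the new step 5 says only "Note and store Client ID and Client Secret." Since the same secret is pasted into a policy key later and Asignio does not retain it, suggest: "Store the Client ID and Client Secret in a secure location. You'll use them later. Asignio doesn't store Client Secrets." Further points in this region: "If you don't have on" should read "one"; the prerequisite bullets mix `*` and `-`, and the "See," and "These tokens" lines became sibling bullets instead of nested sub-items; the redirect URI line sits outside the numbered list (so "7. Upload a company logo" may render as a new list) and the URI is still wrapped in square brackets that are not part of the URI; steps 6 and 7 of the identity-provider procedure both say "Search for and select **Azure AD B2C**" (carried over from the old text); "For Domain hint" lacks the bold used on the other fields; "**Emai**l" should be "**Email**"; and "## SCreate a user flow policy" should be "## Create a user flow policy".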
1. In your Azure AD B2C tenant, under **Policies**, select **User flows**.
+2. Select **New user flow**.
+3. Select **Sign up and sign in** user flow type.
+4. Select **Version Recommended**.
+5. Select **Create**.
+6. Enter a user flow **Name**, such as `AsignioSignupSignin`.
+7. Under **Identity providers**, for **Local Accounts**, select **None**. This action disables email and password authentication.
+8. For **Custom identity providers**, select the created Asignio Identity provider.
+9. Select **Create**.
-1. Select **New user flow**.
-
-1. Select **Sign up and sign in** user flow type, select **Version Recommended** and then select **Create**.
-
-1. Enter a **Name** for your user flow such as `AsignioSignupSignin`.
-
-1. Under **Identity providers**:
-
- a. For **Local Accounts**, select **None** to disable email and password-based authentication.
-
- b. For **Custom identity providers**, select your newly created Asignio Identity provider such as **Login with Asignio**.
-
-1. Select **Create**.
-
-## Step 5: Test your user flow
+## Test your user flow
1. In your Azure AD B2C tenant, select **User flows**.-
-1. Select the newly created user flow such as **AsignioSignupSignin**.
-
-1. For **Application**, select the web application that you previously registered in [step 2](#step-2-register-a-web-application-in-azure-ad-b2c). The **Reply URL** should show `https://jwt.ms`.
-
-1. Select the **Run user flow** button. Your browser should be redirected to the Asignio sign in page.
-
-1. A sign in screen will be shown; at the bottom should be a button to use **Asignio** authentication.
-
-1. If you already have an Asignio Signature, you'll be prompted to authenticate using it. If not, you'll be prompted to supply the phone number of your device to authenticate via SMS OTP and then receive a link to register your Asignio Signature.
-
-1. If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.
---
-## Step 3: Create Asignio policy key
-
-Store the client secret that you previously generated in [step 1](#step-1-configure-an-application-with-asignio) in your Azure AD B2C tenant.
-
-1. Sign in to the [Azure portal](https://portal.azure.com/).
-
-1. Make sure you're using the directory that contains your Azure AD B2C tenant. Select the **Directories + subscriptions** icon in the portal toolbar.
-
-1. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
-
-1. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
-
-1. On the Overview page, select **Identity Experience Framework**.
-
-1. Select **Policy Keys** and then select **Add**.
-
-1. For **Options**, choose `Manual`.
-
-1. Enter a **Name** for the policy key. For example, `AsignioClientSecret`. The prefix `B2C_1A_` is added automatically to the name of your key.
-
-1. In **Secret**, enter your client secret that you previously recorded.
-
-1. For **Key usage**, select `Signature`.
-
-1. Select **Create**.
-
-## Step 4: Configure Asignio as an Identity provider
+2. Select the created user flow.
+3. For **Application**, select the web application you registered. The **Reply URL** is `https://jwt.ms`.
+4. Select **Run user flow**.
+5. The browser is redirected to the Asignio sign in page.
+6. A sign in screen appears.
+7. At the bottom, select **Asignio** authentication.
+
+If you have an Asignio Signature, complete the prompt to authenticate. If not, supply the device phone number to authenticate via SMS OTP. Use the link to register your Asignio Signature.
+
+8. The browser is redirected to `https://jwt.ms`. The token contents returned by Azure AD B2C appear.
+
+## Create Asignio policy key
+
+1. Store the generated Client Secret in the Azure AD B2C tenant.
+2. Sign in to the [Azure portal](https://portal.azure.com/).
+3. In the portal toolbar, select the **Directories + subscriptions**.
+4. On **Portal settings | Directories + subscriptions**, in the **Directory name** list, locate your Azure AD B2C directory.
+5. Select **Switch**.
+6. In the top-left corner of the Azure portal, select **All services**.
+7. Search for and select **Azure AD B2C**.
+8. On the Overview page, select **Identity Experience Framework**.
+9. Select **Policy Keys**.
+10. Select **Add**.
+11. For **Options**, select **Manual**.
+12. Enter a policy key **Name** for the policy key. The prefix `B2C_1A_` is appended to the key name.
+13. In **Secret**, enter the Client Secret that you noted.
+14. For **Key usage**, select **Signature**.
+15. Select **Create**.
+
+## Configure Asignio as an Identity provider
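Review bot: the numbered procedures in this region break in two places. In "Test your user flow", the paragraph about Asignio Signature versus SMS OTP sits between steps 7 and 8, so step 8 starts a new list; fold it into step 7 or move it before the list. In "Create Asignio policy key", "Store the generated Client Secret in the Azure AD B2C tenant." is the purpose of the procedure, not step 1, and should be an intro sentence. Step 12 reads "Enter a policy key **Name** for the policy key" and drops the example name (`AsignioClientSecret`) while the later claims provider step references `B2C_1A_AsignioSecret`; use one example name in both places so the `StorageReferenceId` matches the key the reader actually created. Minor: "select the **Directories + subscriptions**." has a dangling "the".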
>[!TIP]
->You should have the Azure AD B2C policy configured at this point. If not, follow the [instructions](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack) on how to set up your Azure AD B2C tenant and configure policies.
+>Before you begin, ensure the Azure AD B2C policy is configured. If not, follow the instructions in [Custom policy starter pack](tutorial-create-user-flows.md?pivots=b2c-custom-policy#custom-policy-starter-pack).
-To enable users to sign in using Asignio, you need to define Asignio as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims that are used by Azure AD B2C to verify a specific user has authenticated using digital ID available on their device, proving the userΓÇÖs identity.
+For users to sign in with Asignio, define Asignio as a claims provider that Azure AD B2C communicates with through an endpoint. The endpoint provides claims Azure AD B2C uses to verify user authentication with using digital ID on the device.
-Use the following steps to add Asignio as a claims provider:
+### Add Asignio as a claims provider
-1. Get the custom policy starter packs from GitHub, then update the XML files in the LocalAccounts starter pack with your Azure AD B2C tenant name:
+Get the custom policy starter packs from GitHub, then update the XML files in the LocalAccounts starter pack with your Azure AD B2C tenant name:
- 1. [Download the .zip file](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip) or clone the repository:
- ```
- git clone https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack
- ```
-
- 1. In all of the files in the **LocalAccounts** directory, replace the string `yourtenant` with the name of your Azure AD B2C tenant. For example, if the name of your B2C tenant is `contoso`, all instances of `yourtenant.onmicrosoft.com` become `contoso.onmicrosoft.com`.
-
-1. Open the `LocalAccounts/ TrustFrameworkExtensions.xml`.
-
-1. Find the **ClaimsProviders** element. If it doesn't exist, add it under the root element, `TrustFrameworkPolicy`.
+1. Download the zip [active-directory-b2c-custom-policy-starterpack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip) or clone the repository:
-1. Add a new **ClaimsProvider** similar to the one shown below:
+ ```
+ git clone https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack
+ ```
+
+2. In the files in the **LocalAccounts** directory, replace the string `yourtenant` with the Azure AD B2C tenant name.
+3. Open the **LocalAccounts/ TrustFrameworkExtensions.xml**.
+4. Find the **ClaimsProviders** element. If there isn't one, add it under the root element, `TrustFrameworkPolicy`.
+5. Add a new **ClaimsProvider** similar to the following example:
```xml <ClaimsProvider>
Use the following steps to add Asignio as a claims provider:
</ClaimsProvider> ```
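Review bot: the new step 3, `Open the **LocalAccounts/ TrustFrameworkExtensions.xml**.`, keeps the stray space inside the path that the removed line already had; the starter-pack file is `LocalAccounts/TrustFrameworkExtensions.xml`, and a reader who copies the bold path will not find it. Since the line is being rewritten anyway, drop the space here and in the later steps that repeat the same path (`LocalAccounts/ TrustFrameworkBase.xml`). In the first paragraph, `verify user authentication with using digital ID on the device` should read `verify that the user authenticated with the digital ID on their device`, and step 2 dropped the concrete example from the removed line (`yourtenant.onmicrosoft.com` becomes `contoso.onmicrosoft.com`) that the xID article in this same update keeps; the two articles should match.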
-1. Set **client_id** with the Asignio Application ID that you previously recorded in [step 1](#step-1-configure-an-application-with-asignio).
-
-1. Update **client_secret** section with the name of the policy key created in [step 3](#step-3-create-asignio-policy-key). For example, `B2C_1A_AsignioSecret`:
+6. Set **client_id** with the Asignio Application ID you noted.
+7. Update **client_secret** section with the policy key you created. For example, `B2C_1A_AsignioSecret`:
```xml <Key Id="client_secret" StorageReferenceId="B2C_1A_AsignioSecret" /> ```
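Review bot: steps 6 and 7 no longer tell the reader where the two values came from. `Set **client_id** with the Asignio Application ID you noted.` and `Update **client_secret** section with the policy key you created.` replace lines that linked to `#step-1-configure-an-application-with-asignio` and `#step-3-create-asignio-policy-key`; with the step-numbered headings removed in this update those anchors are gone, so name the earlier sections by their new titles instead. Step 7 should also say that the value is the policy key name (as the example shows, `StorageReferenceId="B2C_1A_AsignioSecret"`), not the Asignio client secret itself, so nobody pastes the secret into a policy file that is then uploaded and committed to a repository.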
-1. Save the changes.
-
-## Step 5: Add a user journey
-
-At this point, you've set up the identity provider, but it's not yet available in any of the sign in pages. If you've your own custom user journey continue to [step 7](#step-6-add-the-identity-provider-to-a-user-journey), otherwise, create a duplicate of an existing template user journey as follows:
+8. Save the changes.
-1. Open the `LocalAccounts/ TrustFrameworkBase.xml` file from the starter pack.
+## Add a user journey
-1. Find and copy the entire contents of the **UserJourney** element that includes `Id=SignUpOrSignIn`.
+The identity provider isn't in the sign in pages.
-1. Open the `LocalAccounts/ TrustFrameworkExtensions.xml` and find the **UserJourneys** element. If the element doesn't exist, add one.
+1. If you have a custom user journey continue to **Configure the relying party policy**, otherwise, copy a template user journey:
+2. From the starter pack, open the **LocalAccounts/ TrustFrameworkBase.xml**.
+3. Locate and copy the contents of the **UserJourney** element that include `Id=SignUpOrSignIn`.
+4. Open the **LocalAccounts/ TrustFrameworkExtensions.xml**.
+5. Locate the **UserJourneys** element. If there isn't one, add one.
+6. Paste the UserJourney element contents as a child of the UserJourneys element.]
+7. Rename the user journey **ID**. For example, `Id=AsignioSUSI`.
-1. Paste the entire content of the UserJourney element that you copied as a child of the UserJourneys element.
+Learn more: [User journeys](custom-policy-overview.md#user-journeys)
-1. Rename the `Id` of the user journey. For example, `Id=AsignioSUSI`.
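Review bot: step 1 sends readers who already have a custom journey to the wrong section. `If you have a custom user journey continue to **Configure the relying party policy**` skips the section that actually adds the Asignio claims exchange to that journey; the removed line linked to `#step-6-add-the-identity-provider-to-a-user-journey`, and the xID article in this same update says `go to **Add the identity provider to a user journey**`. Use the same target here. Smaller fixes in the same list: step 6 ends with a stray bracket (`as a child of the UserJourneys element.]`), step 3 should read `that includes`, and the lead sentence `The identity provider isn't in the sign in pages.` reads like a bug report; the removed line meant that the provider is configured but not yet offered on any sign-in page.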
+## Add the identity provider to a user journey
-## Step 6: Add the identity provider to a user journey
+Add the new identity provider to the user journey.
-Now that you have a user journey, add the new identity provider to the user journey.
+1. Find the orchestration step element that includes `Type=CombinedSignInAndSignUp`, or `Type=ClaimsProviderSelection` in the user journey. It's usually the first orchestration step. The **ClaimsProviderSelections** element has an identity provider list that users sign in with. The order of the elements controls the order of the sign in buttons.
+2. Add a **ClaimsProviderSelection** XML element.
+3. Set the value of **TargetClaimsExchangeId** to a friendly name.
+4. Add a **ClaimsExchange** element.
+5. Set the **Id** to the value of the target claims exchange ID.
+6. Update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created.
-1. Find the orchestration step element that includes `Type=CombinedSignInAndSignUp`, or `Type=ClaimsProviderSelection` in the user journey. It's usually the first orchestration step. The **ClaimsProviderSelections** element contains a list of identity providers that a user can sign in with. The order of the elements controls the order of the sign in buttons presented to the user. Add a **ClaimsProviderSelection** XML element. Set the value of **TargetClaimsExchangeId** to a friendly name, such as `AsignioExchange`.
-
-1. In the next orchestration step, add a **ClaimsExchange** element. Set the **Id** to the value of the target claims exchange ID. Update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created earlier while adding the claims provider, for example, `Asignio-Oauth2`.
-
-The following XML demonstrates orchestration steps of a user journey with the identity provider:
+The following XML demonstrates user journey orchestration with the identity provider.
```xml <UserJourney Id="AsignioSUSI">
The following XML demonstrates orchestration steps of a user journey with the id
</UserJourney> ```
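Review bot: splitting the removed paragraphs into steps 2 through 6 dropped the only statement of where the `ClaimsExchange` goes. The removed line says `In the next orchestration step, add a **ClaimsExchange** element`; the new step 4, `Add a **ClaimsExchange** element.`, follows the `ClaimsProviderSelection` step with no mention of moving to the next orchestration step, so a reader may add the exchange inside the same `CombinedSignInAndSignUp` step. Steps 3 and 6 also lost the concrete values the removed lines carried (`AsignioExchange` for `TargetClaimsExchangeId`, `Asignio-Oauth2` for `TechnicalProfileReferenceId`), which are what tie the list to the example XML that follows; restore them so the list and the XML agree.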
-Learn more about [User Journeys](custom-policy-overview.md#user-journeys).
+## Configure the relying party policy
-## Step 7: Configure the relying party policy
+The relying party policy, for example [SignUpSignIn.xml](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/main/LocalAccounts/SignUpOrSignin.xml), specifies the user journey Azure AD B2C executes.
-The relying party policy, for example [SignUpSignIn.xml](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/main/LocalAccounts/SignUpOrSignin.xml), specifies the user journey which Azure AD B2C will execute. Find the **DefaultUserJourney** element within relying party. Update the **ReferenceId** to match the user journey ID, in which you added the identity provider.
+1. In the relying party, locate the **DefaultUserJourney** element.
+2. Update the **ReferenceId** to match the user journey ID, in which you added the identity provider.
In the following example, for the `AsignioSUSI` user journey, the **ReferenceId** is set to `AsignioSUSI`:
In the following example, for the `AsignioSUSI` user journey, the **ReferenceId*
```
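Review bot: the link text `[SignUpSignIn.xml]` does not match the file in its own URL, `.../LocalAccounts/SignUpOrSignin.xml`, nor the name the upload step below uses (`SignUpOrSignin.xml`); since the sentence is being rewritten, make the link text the real file name. Step 2, `match the user journey ID, in which you added the identity provider`, has a comma splice; `match the Id of the user journey to which you added the identity provider` reads cleanly and uses the attribute's actual casing (`Id`, as in `<UserJourney Id="AsignioSUSI">`).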
-## Step 8: Upload the custom policy
+## Upload the custom policy
1. Sign in to the [Azure portal](https://portal.azure.com/#home).
+2. In the portal toolbar, select the **Directories + subscriptions**.
+3. On **Portal settings | Directories + subscriptions**, in the **Directory name** list, locate your Azure AD B2C directory.
+4. Select **Switch**.
+5. In the Azure portal, search for and select **Azure AD B2C**.
+6. Under Policies, select **Identity Experience Framework**.
+7. Select **Upload Custom Policy**.
+8. Upload the two policy files you changed in the following order:
-1. Make sure you're using the directory that contains your Azure AD B2C tenant:
-
- a. Select the **Directories + subscriptions** icon in the portal toolbar.
-
- b. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and then select **Switch**.
-
-1. In the [Azure portal](https://portal.azure.com/#home), search for and select **Azure AD B2C**.
-
-1. Under Policies, select **Identity Experience Framework**.
-
-1. Select **Upload Custom Policy**, and then upload the two policy files that you changed, in the following order: the extension policy, for example `TrustFrameworkExtensions.xml`, then the relying party policy, such as `SignUpOrSignin.xml`.
-
-## Step 9: Test your custom policy
-
-1. In your Azure AD B2C tenant blade, and under **Policies**, select **Identity Experience Framework**.
+ * Extension policy, for example `TrustFrameworkExtensions.xml`
+ * Relying party policy, such as `SignUpOrSignin.xml`
-1. Under **Custom policies**, select **AsignioSUSI**.
+## Test your custom policy
-1. For **Application**, select the web application that you previously registered as part of this article's prerequisites. The **Reply URL** should show `https://jwt.ms`.
+1. In your Azure AD B2C tenant, and under **Policies**, select **Identity Experience Framework**.
+2. Under **Custom policies**, select **AsignioSUSI**.
+3. For **Application**, select the web application that you registered. The **Reply URL** is `https://jwt.ms`.
+4. Select **Run now**.
+5. The browser is redirected to the Asignio sign in page.
+6. A sign in screen appears.
+7. At the bottom, select **Asignio** authentication.
-1. Select **Run now**. Your browser should be redirected to the Asignio sign in page.
+If you have an Asignio Signature, you're prompted to authenticate with your Asignio Signature. If not, supply the device phone number to authenticate via SMS OTP. Use the link to register your Asignio Signature.
-1. A sign in screen will be shown; at the bottom should be a button to use **Asignio** authentication.
-
-1. If you already have an Asignio Signature, you'll be prompted to authenticate with your Asignio Signature. If not, you'll be prompted to supply the phone number of your device to authenticate via SMS OTP and then receive a link to register your Asignio Signature.
-
-1. If the sign-in process is successful, your browser is redirected to https://jwt.ms, which displays the contents of the token returned by Azure AD B2C.
-
+8. The browser is redirected to `https://jwt.ms`. The token contents returned by Azure AD B2C appear.
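Review bot: the numbered test procedure is broken by the paragraph inserted after step 7 (`If you have an Asignio Signature, ...`), so `8. The browser is redirected to ...` restarts the list, and that step also lost the condition the removed line had (`If the sign-in process is successful`); as written, the redirect to `https://jwt.ms` reads as unconditional. Either indent the Asignio Signature paragraph under step 7 or make it step 8 and the redirect step 9, with the success condition restored. Steps 5 and 6 are redundant (`The browser is redirected to the Asignio sign in page.` followed by `A sign in screen appears.`), and two stray words crept in: `select the **Directories + subscriptions**` in the upload steps and `In your Azure AD B2C tenant, and under **Policies**` in the test steps.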
## Next steps
-For additional information, review the following articles:
--- [Azure AD B2C docs](solution-articles.md)--- [Ask your question on Stackoverflow](https://stackoverflow.com/questions/tagged/azure-ad-b2c)--- [Azure AD B2C Samples](https://stackoverflow.com/questions/tagged/azure-ad-b2c)--- [Azure AD B2C YouTube training playlist](https://www.youtube.com/playlist?list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0)--- [Custom policies in Azure AD B2C](custom-policy-overview.md)--- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)
+* [Solutions and Training for Azure Active Directory B2C](solution-articles.md)
+* Ask questions on [Stackoverflow](https://stackoverflow.com/questions/tagged/azure-ad-b2c)
+* [Azure AD B2C Samples](https://stackoverflow.com/questions/tagged/azure-ad-b2c)
+* YouTube: [Identity Azure AD B2C Series](https://www.youtube.com/playlist?list=PL3ZTgFEc7LyuJ8YRSGXBUVItCPnQz3YX0)
+* [Azure AD B2C custom policy overview](custom-policy-overview.md)
+* [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)
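Review bot: the `Azure AD B2C Samples` bullet links to the Stack Overflow tag URL, `https://stackoverflow.com/questions/tagged/azure-ad-b2c`, the same target as the bullet above it. The removed line had the same wrong link, so the rewrite carried the bug forward; point the bullet at the samples repository or remove it.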
active-directory-b2c Partner Xid https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory-b2c/partner-xid.md
Title: Configure Azure Active Directory B2C with xID
+ Title: Configure xID with Azure Active Directory B2C for passwordless authentication
description: Configure Azure Active Directory B2C with xID for passwordless authentication
Previously updated : 04/27/2022 Last updated : 05/04/2023 # Configure xID with Azure Active Directory B2C for passwordless authentication
-In this sample tutorial, learn how to integrate Azure Active Directory B2C (Azure AD B2C) authentication with the xID digital ID solution. The xID app provides users with passwordless, secure, multifactor authentication. xID-authenticated users obtain their identities verified by a My Number Card, the digital ID card issued by the Japanese government. Organizations can get users verified Personal Identification Information (customer content) through the xID API. Furthermore, the xID app generates a private key in a secure area within user's mobile device, which can be used as a digital signing device.
-
+In this tutorial, learn to integrate Azure Active Directory B2C (Azure AD B2C) authentication with the xID digital ID solution. The xID app provides users with passwordless, secure, multifactor authentication. The My Number Card, the digital ID card issued by the Japanese government, verifies xID-authenticated user identities. For their users, organizations can get verified Personal Identification Information (customer content) through the xID API. Furthermore, the xID app generates a private key in a secure area in user mobile devices, making them digital signing devices.
## Prerequisites
-To get started, you'll need:
--- An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).--- An [Azure AD B2C tenant](./tutorial-create-tenant.md) that's linked to your Azure subscription.--- Your xID client information provided by xID inc. [Contact xID](https://xid.inc/contact-us) for the xID client information that should include the following parameters:
- - Client ID
- - Client Secret
- - Redirect URL
- - Scopes
-- Download and install the [xID app](https://x-id.me/) on your mobile device.
- - To complete registration, you'll need your own My Number Card.
- - If you use the UAT version of API, you'll also need UAT version of xID app. To install UAT app, [contact xID inc](https://xid.inc/contact-us).
+* An Azure AD subscription
+ * If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/)
+* An Azure AD B2C tenant linked to the Azure subscription
+ * See, [Tutorial: Create an Azure Active Directory B2C tenant](./tutorial-create-tenant.md)
+* Your xID client information provided by xID inc.
+* Go to the xid.inc [Contact Us](https://xid.inc/contact-us) page for xID client information:
+ * Client ID
+ * Client Secret
+ * Redirect URL
+ * Scopes
+* Go to x-id.me to install the [xID app](https://x-id.me/) on a mobile device:
+ * My Number Card
+ * If you use API UAT version, get the xID app UAT version. See, [Contact Us](https://xid.inc/contact-us)
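Review bot: the last prerequisite lost its meaning in the conversion to bullets. The removed lines say `To complete registration, you'll need your own My Number Card`; the new sub-bullet is just `* My Number Card` under `Go to x-id.me to install the [xID app]`, which reads as if the card were something to install. Suggest `* Your own My Number Card, required to complete registration`. The bullets `Your xID client information provided by xID inc.` and `Go to the xid.inc [Contact Us] page for xID client information:` also say the same thing twice; merge them and list Client ID, Client Secret, Redirect URL and Scopes once underneath.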
## Scenario description
-The following architecture diagram shows the implementation.
-
-![image shows the architecture diagram](./media/partner-xid/partner-xid-architecture-diagram.png)
-
-| Step | Description |
-| : | :- |
-| 1. | User opens Azure AD B2C's sign-in page and then signs in or signs up by entering their username. |
-| 2. | Azure AD B2C redirects the user to xID authorize API endpoint using an OpenID Connect (OIDC) request. An OIDC endpoint is available containing information about the endpoints. xID Identity provider (IdP) redirects the user to the xID authorization sign-in page allowing the user to fill in or select their email address. |
-| 3. | xID IdP sends the push notification to the user's mobile device. |
-| 4. | The user opens the xID app, checks the request, then enters the PIN or authenticates with their biometrics. If PIN or biometrics is successfully verified, xID app activates the private key and creates an electronic signature. |
-| 5. | xID app sends the signature to xID IdP for verification. |
-| 6. | xID IdP shows a consent screen to the user, requesting authorization to give their personal information to the service they're signing in. |
-| 7. | xID IdP returns the OAuth authorization code to Azure AD B2C. |
-| 8. | Azure AD B2C sends a token request using the authorization code. |
-| 9. | xID IdP checks the token request and, if still valid, returns the OAuth access token and the ID token containing the requested user's identifier and email address. |
-| 10. | In addition, if the user's customer content is needed, Azure AD B2C calls the xID userdata API. |
-| 11. | The xID userdata API returns the user's encrypted customer content. Users can decrypt it with their private key, which they create when requesting the xID client information. |
-| 12. | User is either granted or denied access to the customer application based on the verification results. |
--
-## Onboard with xID
-
-Request API documents by filling out [the request form](https://xid.inc/contact-us). In the message field, indicate that you'd like to onboard with Azure AD B2C. Then, an xID sales representative will contact you. Follow the instructions provided in the xID API document and request an xID API client. xID tech team will send client information to you in 3-4 working days.
-Supply redirect URI. This is the URI in your site to which the user is returned after a successful authentication. The URI that should be provided to xID for your Azure AD B2C follows the pattern - `https://<your-b2c-domain>.b2clogin.com/<your-b2c-domain>.onmicrosoft.com/oauth2/authresp`.
-
-## Step 1: Register a web application in Azure AD B2C
+The following diagram shows the architecture.
-Before your [applications](application-types.md) can interact with Azure AD B2C, they must be registered in a tenant that you manage.
+![Diagram of the xID architecture.](./media/partner-xid/partner-xid-architecture-diagram.png)
-For testing purposes like this tutorial, you're registering `https://jwt.ms`, a Microsoft-owned web application that displays the decoded contents of a token (the contents of the token never leave your browser).
+1. At the Azure AD B2C sign-in page user signs in or signs up.
+2. Azure AD B2C redirects the user to xID authorize API endpoint using an OpenID Connect (OIDC) request. An OIDC endpoint has endpoint information. xID identity provider (IdP) redirects the user to the xID authorization sign in page. User enters email address.
+3. xID IdP sends push notification to user mobile device.
+4. User opens the xID app, checks the request, enters a PIN, or uses biometrics. xID app activates the private key and creates an electronic signature.
+5. xID app sends the signature to xID IdP for verification.
+6. A consent screen appears to give personal information to the service.
+7. xID IdP returns the OAuth authorization code to Azure AD B2C.
+8. Azure AD B2C sends a token request using the authorization code.
+9. xID IdP checks the token request. If valid, OAuth access token is returned and the ID token with user identifier and email address.
+10. If user customer content is needed, Azure AD B2C calls the xID user data API.
+11. The xID user data API returns encrypted customer content. Users decrypt with a private key, created when requesting xID client information.
+12. User is granted or denied access to the customer application.
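Review bot: step 2 now contains a sentence with no content, `An OIDC endpoint has endpoint information.` The removed table row said an OIDC endpoint is available containing information about the endpoints, that is, the provider's discovery document; either say that (`xID publishes an OpenID Connect discovery endpoint listing its endpoints`) or drop the sentence. Step 9, `If valid, OAuth access token is returned and the ID token with user identifier and email address.`, needs a subject and articles: `If valid, xID IdP returns an OAuth access token and an ID token containing the user's identifier and email address.` In step 11, `Users decrypt with a private key, created when requesting xID client information` leaves it unclear whether `Users` means end users or the organization that requested the client information and received the Client Secret listed in the prerequisites; name the party that holds the key explicitly.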
-Follow the steps mentioned in [this tutorial](tutorial-register-applications.md?tabs=app-reg-ga) to **register a web application** and **enable ID token implicit grant** for testing a user flow or custom policy. There's no need to create a Client Secret at this time.
-## Step 2: Create a xID policy key
+## Install xID
-Store the client secret that you received from xID in your Azure AD B2C tenant.
+1. To request API documents, fill out the request form. Go to [Contact Us](https://xid.inc/contact-us).
+2. In the message, indicate you're using Azure AD B2C.
+3. An xID sales representative contacts you.
+4. Follow the instructions in the xID API document.
+5. Request an xID API client.
+6. xID tech team sends client information to you in 3-4 business days.
+7. Supply a redirect URI in your site using the following pattern. Users return to it after authentication.
-1. Sign in to the [Azure portal](https://portal.azure.com/).
-
-2. Make sure you're using the directory that contains your Azure AD B2C tenant:
-
- a. Select the **Directories + subscriptions** icon in the portal toolbar.
-
- b. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the Directory name list, and then select **Switch**.
-
-3. Choose **All services** in the top-left corner of the Azure portal, and then search for and select **Azure AD B2C**.
+`https://<your-b2c-domain>.b2clogin.com/<your-b2c-domain>.onmicrosoft.com/oauth2/authresp`
-4. On the Overview page, select **Identity Experience Framework**.
+## Register a web application in Azure AD B2C
-5. Select **Policy Keys** and then select **Add**.
+Register applications in a tenant you manage, then they can interact with Azure AD B2C.
-6. For **Options**, choose `Manual`.
+Learn more: [Application types that can be used in Active Directory B2C](application-types.md)
-7. Enter a **Name** for the policy key. For example, `X-IDClientSecret`. The prefix `B2C_1A_` is added automatically to the name of your key.
+For testing, you register `https://jwt.ms`, a Microsoft web application with decoded token contents, which don't leave your browser.
-8. In **Secret**, enter your client secret that you previously received from xID.
+### Register a web application and enable ID token implicit grant
-9. For **Key usage**, select `Signature`.
+Complete [Tutorial: Register a web application in Azure AD B2C](tutorial-register-applications.md?tabs=app-reg-ga)
-10. Select **Create**.
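Review bot: the heading `## Install xID` does not describe this section, which replaces `## Onboard with xID` and covers requesting API documents and an API client from xID, not installing anything (the app install is in the prerequisites); keep `Onboard with xID`. Step 7, `Supply a redirect URI in your site using the following pattern.`, is misleading for the same reason the removed line was careful about: the pattern `https://<your-b2c-domain>.b2clogin.com/<your-b2c-domain>.onmicrosoft.com/oauth2/authresp` is the Azure AD B2C response endpoint that must be registered with xID, not a URI on your own site, and the removed text said `The URI that should be provided to xID for your Azure AD B2C follows the pattern`. In the registration section, the removed sentence `There's no need to create a Client Secret at this time` is worth keeping so readers do not create an unused secret for the `https://jwt.ms` test app.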
+## Create a xID policy key
->[!NOTE]
->In Azure AD B2C, [**custom policies**](./user-flow-overview.md) are designed primarily to address complex scenarios.
+Store the Client Secret from xID in your Azure AD B2C tenant. For the following instructions, use the directory with the Azure AD B2C tenant.
-## Step 3: Configure xID as an Identity provider
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+2. In the portal toolbar, select **Directories + subscriptions**.
+3. On the **Portal settings | Directories + subscriptions** page, in the Directory name list, locate your Azure AD B2C directory.
+4. Select **Switch**.
+5. In the top-left corner of the Azure portal, select **All services**.
+6. Search for and select **Azure AD B2C**.
+7. On **Overview**, select **Identity Experience Framework**.
+8. Select **Policy Keys**.
+9. Select **Add**.
+10. For **Options**, select **Manual**.
+11. Enter a policy key **Name** for the policy key. The prefix `B2C_1A_` is appended to the key name.
+12. In **Secret**, enter the Client Secret from xID.
+13. For **Key usage**, select **Signature**.
+14. Select **Create**.
-To enable users to sign in using xID, you need to define xID as a claims provider that Azure AD B2C can communicate with through an endpoint. The endpoint provides a set of claims Azure AD B2C uses to verify that a specific user has authenticated using digital identity available on their device. Proving the user's identity.
+ >[!NOTE]
+ >In Azure AD B2C, custom policies are for complex scenarios.
+ >
+ >See, [User flows and custom policies overview](./user-flow-overview.md).
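Review bot: step 11 reads `Enter a policy key **Name** for the policy key.` (doubled) and dropped the example name `X-IDClientSecret` from the removed line. With the automatic prefix that example becomes the `B2C_1A_...` name that the `client_secret` `StorageReferenceId` in the ClaimsProvider element has to match (compare `StorageReferenceId="B2C_1A_AsignioSecret"` in the Asignio article above), so without it the reader has nothing to tie this step to the next section. Suggest: `Enter a **Name** for the policy key, for example `X-IDClientSecret`. The prefix `B2C_1A_` is added automatically.`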
-Use the following steps to add xID as a claims provider:
-1. Get the custom policy starter packs from GitHub, then update the XML files in the SocialAccounts starter pack with your Azure AD B2C tenant name:
+## Configure xID as identity provider
- i. Download the [.zip file](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip) or [clone the repository](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack).
-
- ii. In all of the files in the **SocialAccounts** directory, replace the string `yourtenant` with the name of your Azure AD B2C tenant. For example, if the name of your B2C tenant is `contoso`, all instances of `yourtenant.onmicrosoft.com` become `contoso.onmicrosoft.com`.
+For users to sign in using xID, make xID a claims provider that Azure AD B2C communicates with through an endpoint. The endpoint provides claims Azure AD B2C uses to verify users authenticated with digital identity on their device.
-2. Open the `SocialAccounts/TrustFrameworkExtensions.xml`.
+### Add xID as a claims provider
-3. Find the **ClaimsProviders** element. If it doesn't exist, add it under the root element.
+Get the custom policy starter packs from GitHub, then update the XML files in the SocialAccounts starter pack with your Azure AD B2C tenant name.
-4. Add a new **ClaimsProvider** similar to the one shown below:
+1. Download the zip file [active-directory-b2c-policy-starterpack-main](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/archive/master.zip) or clone the repository. See, [Azure-Samples/active-directory-b2c-custom-policy-starterpack](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack).
+2. In the files in the **SocialAccounts** directory, replace the string `yourtenant` with the name of your Azure AD B2C tenant. For example, `yourtenant.onmicrosoft.com` becomes `contoso.onmicrosoft.com`.
+3. Open the **SocialAccounts/TrustFrameworkExtensions.xml**.
+4. Find the **ClaimsProviders** element. If there isn't one, add it under the root element.
+5. Add a new **ClaimsProvider** similar to the following example:
```xml
Use the following steps to add xID as a claims provider:
```
-4. Set **client_id** with your xID Application ID.
-
-5. Save the changes.
-
-## Step 4: Add a user journey
-
-At this point, you've set up the identity provider, but it's not yet available on any of the sign-in pages. If you have a custom user journey, continue to [step 5](#step-5-add-the-identity-provider-to-a-user-journey). Otherwise, create a duplicate of an existing template user journey as follows:
-
-1. Open the `TrustFrameworkBase.xml` file from the starter pack.
+6. Set **client_id** with your xID Application ID.
+7. Select **Save**.
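Review bot: step 1's link text `[active-directory-b2c-policy-starterpack-main]` does not match the repository in its URL, `active-directory-b2c-custom-policy-starterpack`; use the repository name. Step 6, `Set **client_id** with your xID Application ID.`, uses a term the prerequisites never introduce: xID supplies a `Client ID` (listed under the client information above), so say `Client ID`. Step 7, `Select **Save**.`, turns `Save the changes` into a button click, but this is an XML file edited locally and there is no Save button to select; keep `Save the changes`.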
-2. Find and copy the entire contents of the **UserJourneys** element that includes `ID=SignUpOrSignIn`.
+## Add a user journey
-3. Open the `TrustFrameworkExtensions.xml` and find the UserJourneys element. If the element doesn't exist, add one.
+Add an identity provider to sign-in pages.
-4. Paste the entire content of the UserJourney element that you copied as a child of the UserJourneys element.
+1. If you have a custom user journey, go to **Add the identity provider to a user journey**. Otherwise, create a duplicate of a template user journey:
+2. From the starter pack, open the **TrustFrameworkBase.xml**.
+3. Locate and copy the contents of the **UserJourneys** element that includes `ID=SignUpOrSignIn`.
+4. Open the **TrustFrameworkExtensions.xml** and locate the UserJourneys element. If there isn't one, add one.
+5. Paste the contents of the UserJourney element as a child of the UserJourneys element.
+6. Rename the user journey ID. For example, `ID=CustomSignUpSignIn`
-5. Rename the ID of the user journey. For example, `ID=CustomSignUpSignIn`
+## Add the identity provider to a user journey
-## Step 5: Add the identity provider to a user journey
+Add the new identity provider to the user journey.
-Now that you have a user journey add the new identity provider to the user journey.
+1. Locate the orchestration step element with Type=`CombinedSignInAndSignUp`, or Type=`ClaimsProviderSelection` in the user journey. It's usually the first orchestration step. The **ClaimsProviderSelections** element has an identity provider list for signing in. The order of the elements controls the order of the sign-in buttons.
+2. Add a **ClaimsProviderSelection** XML element.
+3. Set the value of **TargetClaimsExchangeId** to a friendly name.
+4. Add a **ClaimsExchange** element.
+5. Set the **ID** to the value of the target claims exchange ID. This change links the xID button to `X-IDExchange` action.
+6. Update the **TechnicalProfileReferenceId** value to the technical profile ID you created (`X-ID-Oauth2`).
+7. Add an Orchestration step to call xID UserInfo endpoint to return claims about the authenticated user `X-ID-Userdata`.
-1. Find the orchestration step element that includes Type=`CombinedSignInAndSignUp`, or Type=`ClaimsProviderSelection` in the user journey. It's usually the first orchestration step. The **ClaimsProviderSelections** element contains a list of identity providers used for signing in. The order of the elements controls the order of the sign-in buttons presented to the user. Add a **ClaimsProviderSelection** XML element. Set the value of **TargetClaimsExchangeId** to a friendly name, such as `X-IDExchange`.
-
-2. In the next orchestration step, add a **ClaimsExchange** element. Set the **Id** to the value of the target claims exchange ID to link the xID button to `X-IDExchange` action. Next, update the value of **TechnicalProfileReferenceId** to the ID of the technical profile you created earlier `X-ID-Oauth2`.
-
-3. Add a new Orchestration step to call xID UserInfo endpoint to return claims about the authenticated user `X-ID-Userdata`.
-
- The following XML demonstrates the orchestration steps of a user journey with xID identity provider:
+The following XML demonstrates the user journey orchestration with xID identity provider.
```xml
Now that you have a user journey add the new identity provider to the user journ
```
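Review bot: step 3 tells the reader to copy the wrong element. `copy the contents of the **UserJourneys** element that includes `ID=SignUpOrSignIn`` should name the single **UserJourney** element (the plural container is the paste target in step 5), and the attribute is `Id`, not `ID`, as the Asignio article on this page shows (`<UserJourney Id="AsignioSUSI">`); since XML attribute names are case-sensitive, `ID=CustomSignUpSignIn` in step 6 and `Set the **ID**` in the claims-exchange list should also read `Id`. As in the Asignio article, `Add a **ClaimsExchange** element.` lost the `In the next orchestration step` qualifier from the removed line, so the exchange's placement is no longer stated.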
-There are additional identity claims that xID supports and are referenced as part of the policy. Claims schema is the place where you declare these claims. ClaimsSchema element contains list of ClaimType elements. The ClaimType element contains the Id attribute, which is the claim name.
-
-1. Open the `TrustFrameworksExtension.xml`
-
-2. Find the `BuildingBlocks` element.
+There are identity claims xID supports referenced as part of the policy. Claims schema is where you declare the claims. The ClaimsSchema element has a ClaimType element list. The ClaimType element contains the ID attribute, which is the claim name.
-3. Add the following ClaimType element in the **ClaimsSchema** element of your `TrustFrameworksExtension.xml` policy
+1. Open the **TrustFrameworksExtension.xml**.
+2. Locate the **BuildingBlocks** element.
+3. Add the following ClaimType element in the **ClaimsSchema** element of the **TrustFrameworksExtension.xml** policy
```xml <BuildingBlocks>
There are additional identity claims that xID supports and are referenced as par
</BuildingBlocks> ```
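Review bot: steps 1 and 3 name the file `TrustFrameworksExtension.xml` (plural `Frameworks`, singular `Extension`) while every other step in this article and the upload list below use `TrustFrameworkExtensions.xml`; the typo was in the removed lines too, and the rewrite carried it over. The lead paragraph also changed the removed line's correct `Id attribute` to `ID attribute`, and step 3 is missing its closing period.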
-## Step 6: Configure the relying party policy
+## Configure the relying party policy
-The relying party policy, for example [SignUpSignIn.xml](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/main/LocalAccounts/SignUpOrSignin.xml), specifies the user journey which Azure AD B2C will execute. First, find the **DefaultUserJourney** element within the relying party. Then, update the **ReferenceId** to match the user journey ID you added to the identity provider.
+The relying party policy, for example [SignUpSignIn.xml](https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/blob/main/LocalAccounts/SignUpOrSignin.xml), specifies the user journey the Azure AD B2C executes.
-In the following example, for the xID user journey, the **ReferenceId** is set to `CombinedSignInAndSignUp`:
+1. In the relying party,locate the **DefaultUserJourney** element.
+2. Update the **ReferenceId** to match the user journey ID you added to the identity provider.
+
+In the following example, for the xID user journey, the **ReferenceId** is set to `CombinedSignInAndSignUp`.
```xml <RelyingParty>
In the following example, for the xID user journey, the **ReferenceId** is set t
```
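Review bot: the example value contradicts the rest of the article. `the **ReferenceId** is set to `CombinedSignInAndSignUp`` names an orchestration step type (used as `Type=`CombinedSignInAndSignUp`` above), but step 2 of this same section says the `ReferenceId` must match the user journey ID, which this article renamed to `CustomSignUpSignIn` and which the test section selects as **CustomSignUpSignIn**. The mismatch was already in the removed line, so this rewrite is the place to fix it. Also `In the relying party,locate` is missing a space, and the link text `[SignUpSignIn.xml]` again differs from the file name in its URL, `SignUpOrSignin.xml`.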
-## Step 7: Upload the custom policy
-
-1. Sign in to the [Azure portal](https://portal.azure.com/#home).
-
-2. Make sure you're using the directory that contains your Azure AD B2C tenant:
-
- a. Select the **Directories + subscriptions** icon in the portal toolbar.
+## Upload the custom policy
- b. On the **Portal settings | Directories + subscriptions** page, find your Azure AD B2C directory in the **Directory name** list, and select **Switch**.
+For the following instructions, use the directory with the Azure AD B2C tenant.
-3. In the [Azure portal](https://portal.azure.com/#home), search for and select **Azure AD B2C**.
-
-4. Under Policies, select **Identity Experience Framework**.
-
-5. Select **Upload Custom Policy**, and then upload the files in the following order:
- 1. `TrustFrameworkBase.xml`, the base policy file
- 2. `TrustFrameworkExtensions.xml`, the extension policy
- 3. `SignUpSignIn.xml`, then the relying party policy
-
-## Step 8: Test your custom policy
+1. Sign in to the [Azure portal](https://portal.azure.com/#home).
+2. In the portal toolbar, select the **Directories + subscriptions**.
+3. On the **Portal settings | Directories + subscriptions** page, in the **Directory name** list. locate your Azure AD B2C directory.
+4. Select **Switch**.
+5. In the [Azure portal](https://portal.azure.com/#home), search for and select **Azure AD B2C**.
+6. Under Policies, select **Identity Experience Framework**.
+7. Select **Upload Custom Policy**.
+8. Upload the files in the following order:
+ * Base policy file: `TrustFrameworkBase.xml`
+ * Extension policy: `TrustFrameworkExtensions.xml`
+ * Relying party policy: `SignUpSignIn.xml`
+
+## Test the custom policy
1. In your Azure AD B2C tenant, and under **Policies**, select **Identity Experience Framework**.-
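Review bot: step 3 of the Upload section uses a period where a comma belongs; "in the **Directory name** list. locate your Azure AD B2C directory" should be "in the **Directory name** list, locate your Azure AD B2C directory". Step 2, "select the **Directories + subscriptions**", also drops the noun the removed line had; keep "icon" so the sentence is complete.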
-1. Under **Custom policies**, select **CustomSignUpSignIn**.
-
-3. For **Application**, select the web application that you previously registered as part of this article's prerequisites. The **Reply URL** should show `https://jwt.ms`.
-
-4. Select **Run now**. Your browser should redirect to the xID sign in page.
-
-5. If the sign-in process is successful, your browser redirects to `https://jwt.ms`, which displays the contents of the token returned by Azure AD B2C.
+2. Under **Custom policies**, select **CustomSignUpSignIn**.
+3. For **Application**, select the web application that you registered. The **Reply URL** is `https://jwt.ms`.
+4. Select **Run now**.
+5. The browser redirects to the xID sign in page.
+6. The browser redirects to `https://jwt.ms`. The token contents returned by Azure AD B2C appear.
## Next steps
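Review bot: step 6 of the Test section loses the condition from the removed line ("If the sign-in process is successful"), so it now reads as if the redirect to `https://jwt.ms` always happens; suggest "If sign-in succeeds, the browser redirects to `https://jwt.ms` and displays the token contents returned by Azure AD B2C." In step 5, "xID sign in page" should be hyphenated as "sign-in page" to match the hyphenation used elsewhere in the article.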
-For additional information, review the following articles:
--- [Custom policies in Azure AD B2C](custom-policy-overview.md)--- [Get started with custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)
+* [Azure AD B2C custom policy overview](custom-policy-overview.md)
+* [Tutorial: Create user flows and custom policies in Azure AD B2C](tutorial-create-user-flows.md?pivots=b2c-custom-policy)
active-directory Application Provisioning When Will Provisioning Finish Specific User https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md
Title: Find out when a specific user will be able to access an app in Azure Active Directory Application Provisioning
-description: How to find out when a critically important user be able to access an application you have configured for user provisioning with Azure Active Directory
+ Title: Find out when a specific user is able to access an app in Azure Active Directory Application Provisioning
+description: How to find out when a critically important user is able to access an application you have configured for user provisioning with Azure Active Directory.
Previously updated : 10/06/2022 Last updated : 05/04/2023 # Check the status of user provisioning
-The Azure AD provisioning service runs an initial provisioning cycle against the source system and target system, followed by periodic incremental cycles. When you configure provisioning for an app, you can check the current status of the provisioning service and see when a user will be able to access an app.
+The Azure AD provisioning service runs an initial provisioning cycle against the source system and target system, followed by periodic incremental cycles. When you configure provisioning for an app, you can check the current status of the provisioning service and see when a user is able to access an app.
## View the provisioning progress bar On the **Provisioning** page for an app, you can view the status of the Azure AD provisioning service. The **Current Status** section at the bottom of the page shows whether a provisioning cycle has started provisioning user accounts. You can watch the progress of the cycle, see how many users and groups have been provisioned, and see how many roles are created.
-When you first configure automatic provisioning, the **Current Status** section at the bottom of the page shows the status of the initial provisioning cycle. This section updates each time an incremental cycle runs. The following details are shown:
+When you first configure automatic provisioning, the **Current Status** section at the bottom of the page shows the status of the initial provisioning cycle. This section updates each time an incremental cycle is run. The following details are shown:
- The type of provisioning cycle (initial or incremental) that is currently running or was last completed.-- A **progress bar** showing the percentage of the provisioning cycle that has completed. The percentage reflects the count of pages provisioned. Note that each page could contain multiple users or groups, so the percentage doesn't directly correlate to the number of users, groups, or roles provisioned.
+- A **progress bar** showing the percentage of the provisioning cycle that has completed. The percentage reflects the count of pages provisioned. Each page could contain multiple users or groups, so the percentage doesn't directly correlate to the number of users, groups, or roles provisioned.
- A **Refresh** button you can use to keep the view updated.-- The number of **Users** and **Groups** in the connector data store. The count increases anytime an object is added to the scope of provisioning. The count will not go down if a user is soft-deleted or hard-deleted as this does not remove the object from the connector data store. The count will be recalculated the first sync after the CDS is [reset](/graph/api/synchronization-synchronizationjob-restart?tabs=http&view=graph-rest-beta&preserve-view=true) -- A **View Audit Logs** link, which opens the Azure AD provisioning logs for details about all operations run by the user provisioning service, including provisioning status for individual users (see the [Use provisioning logs](#use-provisioning-logs-to-check-a-users-provisioning-status) section below).
+- The number of **Users** and **Groups** in the connector data store. The count increases anytime an object is added to the scope of provisioning. The count doesn't go down if a user is soft-deleted or hard-deleted because the operation doesn't remove the object from the connector data store. The count is recalculated the first sync after the CDS is [reset](/graph/api/synchronization-synchronizationjob-restart?tabs=http&view=graph-rest-beta&preserve-view=true)
+- A **View Audit Logs** link, which opens the Azure AD provisioning logs. To learn more about operations run by the user provisioning service, including provisioning status for individual users, see [Use provisioning logs](#use-provisioning-logs-to-check-a-users-provisioning-status) later in the article.
After a provisioning cycle is complete, the **Statistics to date** section shows the cumulative numbers of users and groups that have been provisioned to date, along with the completion date and duration of the last cycle. The **Activity ID** uniquely identifies the most recent provisioning cycle. The **Job ID** is a unique identifier for the provisioning job, and is specific to the app in your tenant.
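Review bot: the connector data store bullet ends without a period after the [reset] link, and "CDS" is used without being introduced as the abbreviation; write "connector data store (CDS)" at first mention or spell it out.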
-The provisioning progress can viewed in the Azure portal, in the **Azure Active Directory &gt; Enterprise Apps &gt; \[application name\] &gt; Provisioning** tab.
+The provisioning progress is viewed in the Azure portal at **Azure Active Directory &gt; Enterprise Apps &gt; \[application name\] &gt; Provisioning**.
![Provisioning page progress bar](./media/application-provisioning-when-will-provisioning-finish-specific-user/provisioning-progress-bar-section.png) ## Use provisioning logs to check a user's provisioning status
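Review bot: "The provisioning progress is viewed in the Azure portal" lost the modal from the removed line ("can viewed", itself a typo for "can be viewed") and now reads as a statement of fact rather than guidance; suggest "You can view the provisioning progress in the Azure portal at **Azure Active Directory &gt; Enterprise Apps &gt; \[application name\] &gt; Provisioning**."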
-To see the provisioning status for a selected user, consult the [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) in Azure AD. All operations run by the user provisioning service are recorded in the Azure AD provisioning logs. This includes all read and write operations made to the source and target systems, and the user data that was read or written during each operation.
+To see the provisioning status for a selected user, consult the [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) in Azure AD. All operations run by the user provisioning service are recorded in the Azure AD provisioning logs. The logs include read and write operations made to the source and target systems. Associated user data related to read and write operations is also logged.
You can access the provisioning logs in the Azure portal by selecting **Azure Active Directory** &gt; **Enterprise Apps** &gt; **Provisioning logs (preview)** in the **Activity** section. You can search the provisioning data based on the name of the user or the identifier in either the source system or the target system. For details, see [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context).
The provisioning logs record all the operations performed by the provisioning se
* Comparing the user objects between the system * Adding, updating, or disabling the user account in the target system based on the comparison
-For more information on how to read the provisioning logs in the Azure portal, see the [provisioning reporting guide](check-status-user-account-provisioning.md).
+For more information on how to read the provisioning logs in the Azure portal, see [provisioning reporting guide](check-status-user-account-provisioning.md).
## How long will it take to provision users?
-When using automatic user provisioning with an application, Azure AD automatically provisions and updates user accounts in an app based on things like [user and group assignment](../manage-apps/assign-user-or-group-access-portal.md) at a regularly scheduled time interval, typically every 40 minutes.
+When you're using automatic user provisioning with an application, there are some things to keep in mind. First, Azure AD automatically provisions and updates user accounts in an app based on things like [user and group assignment](../manage-apps/assign-user-or-group-access-portal.md). The sync happens at a regularly scheduled time interval, typically every 40 minutes.
The time it takes for a given user to be provisioned depends mainly on whether your provisioning job is running an initial cycle or an incremental cycle. -- For **initial cycle**, the job time depends on many factors, including the number of users and groups in scope for provisioning, and the total number of users and group in the source system. The first sync between Azure AD and an app can take anywhere from 20 minutes to several hours, depending on the size of the Azure AD directory and the number of users in scope for provisioning. A comprehensive list of factors that affect initial cycle performance are summarized later in this section.
+- For **initial cycle**, the job time depends on many factors, including the number of users and groups in scope for provisioning, and the total number of users and group in the source system. The first sync between Azure AD and an app happen as fast as 20 minutes or take as long as several hours. The time depends on the size of the Azure AD directory and the number of users in scope for provisioning. A comprehensive list of factors that affect initial cycle performance are summarized later in this section.
-- For **incremental cycles** after the initial cycle, job times tend to be faster (e.g. within 10 minutes), as the provisioning service stores watermarks that represent the state of both systems after the initial cycle, improving performance of subsequent syncs. The job time depends on the number of changes detected in that provisioning cycle. If there are fewer than 5,000 user or group membership changes, the job can finish within a single incremental provisioning cycle.
+- For **incremental cycles**, after the initial cycle, job times tend to be faster (within 10 minutes), as the provisioning service stores watermarks that represent the state of both systems after the initial cycle, improving performance of subsequent syncs. The job time depends on the number of changes detected in that provisioning cycle. If there are fewer than 5,000 user or group membership changes, the job can finish within a single incremental provisioning cycle.
The following table summarizes synchronization times for common provisioning scenarios. In these scenarios, the source system is Azure AD and the target system is a SaaS application. The sync times are derived from a statistical analysis of sync jobs for the SaaS applications ServiceNow, Workplace, Salesforce, and G Suite.
Summary of factors that influence the time it takes to complete an **initial cyc
- Request rate limits and throttling implemented by the target system. Some target systems implement request rate limits and throttling, which can impact performance during large sync operations. Under these conditions, an app that receives too many requests too fast might slow its response rate or close the connection. To improve performance, the connector needs to adjust by not sending the app requests faster than the app can process them. Provisioning connectors built by Microsoft make this adjustment. -- The number and sizes of assigned groups. Syncing assigned groups takes longer than syncing users. Both the number and the sizes of the assigned groups impact performance. If an application has [mappings enabled for group object sync](customize-application-attributes.md#editing-group-attribute-mappings), group properties such as group names and memberships are synced in addition to users. These additional syncs will take longer than only syncing user objects.
+- The number and sizes of assigned groups. Syncing assigned groups takes longer than syncing users. Both the number and the sizes of the assigned groups impact performance. If an application has [mappings enabled for group object sync](customize-application-attributes.md#editing-group-attribute-mappings), group properties such as group names and memberships are synced in addition to users. These syncs take longer than only syncing user objects.
-- If performance becomes an issue and you are attempting to provision the majority of users and groups in your tenant, use scoping filters. Scoping filters allow you to fine tune the data that the provisioning service extracts from Azure AD by filtering out users based on specific attribute values. For more information on scoping filters, see [Attribute-based application provisioning with scoping filters](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+- If performance becomes an issue, and you're attempting to provision most users and groups in your tenant, then use scoping filters. Scoping filters allow you to fine tune the data that the provisioning service extracts from Azure AD by filtering out users based on specific attribute values. For more information on scoping filters, see [Attribute-based application provisioning with scoping filters](define-conditional-rules-for-provisioning-user-accounts.md).
## Next steps
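Review bot: grammar in the initial cycle bullet: "The first sync between Azure AD and an app happen as fast as 20 minutes or take as long as several hours" needs a modal, for example "can complete in as little as 20 minutes or take as long as several hours". In the same bullet, "the total number of users and group in the source system" should be "users and groups", and "A comprehensive list ... are summarized" should be "is summarized"; both were carried over from the removed line.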
-[Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](user-provisioning.md)
+[Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](user-provisioning.md)
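Review bot: the removed and added lines under Next steps are textually identical, so this hunk changes only whitespace or the line ending; confirm it is intentional (for example, adding a missing trailing newline) rather than an accidental re-save.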
active-directory Check Status User Account Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/check-status-user-account-provisioning.md
Previously updated : 05/30/2022 Last updated : 05/04/2023 # Tutorial: Reporting on automatic user account provisioning
-Azure Active Directory (Azure AD) includes a [user account provisioning service](user-provisioning.md) that helps automate the provisioning de-provisioning of user accounts in SaaS apps and other systems, for the purpose of end-to-end identity lifecycle management. Azure AD supports pre-integrated user provisioning connectors for all of the applications and systems with user provisioning tutorials [here](../saas-apps/tutorial-list.md).
+Azure Active Directory (Azure AD) includes a [user account provisioning service](user-provisioning.md). The service helps automate the provisioning deprovisioning of user accounts in SaaS apps and other systems. The automation helps with end-to-end identity lifecycle management. Azure AD supports preintegrated user provisioning connectors for many applications and systems. To learn more about user provisioning tutorials, see [Provisioning Tutorials](../saas-apps/tutorial-list.md).
This article describes how to check the status of provisioning jobs after they have been set up, and how to troubleshoot the provisioning of individual users and groups. ## Overview
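Review bot: "helps automate the provisioning deprovisioning of user accounts" is missing the conjunction (the removed line had the same defect); write "the provisioning and deprovisioning of user accounts".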
-Provisioning connectors are set up and configured using the [Azure portal](https://portal.azure.com), by following the [provided documentation](../saas-apps/tutorial-list.md) for the supported application. Once configured and running, provisioning jobs can be reported on using the following methods:
+Provisioning connectors are set up and configured using the [Azure portal](https://portal.azure.com), by following the [provided documentation](../saas-apps/tutorial-list.md) for the supported application. When the connector is configured and running, provisioning jobs can be reported using the following methods:
- The [Azure portal](https://portal.azure.com)
Provisioning connectors are set up and configured using the [Azure portal](https
### Definitions
-This article uses the following terms, defined below:
+This article uses the following terms:
-* **Source System** - The repository of users that the Azure AD provisioning service synchronizes from. Azure Active Directory is the source system for the majority of pre-integrated provisioning connectors, however there are some exceptions (example: Workday Inbound Synchronization).
-* **Target System** - The repository of users that the Azure AD provisioning service synchronizes to. This is typically a SaaS application (examples: Salesforce, ServiceNow, G Suite, Dropbox for Business), but in some cases can be an on-premises system such as Active Directory (example: Workday Inbound Synchronization to Active Directory).
+* **Source System** - The repository of users that the Azure AD provisioning service synchronizes from. Azure Active Directory is the source system for most preintegrated provisioning connectors, however there are some exceptions (example: Workday Inbound Synchronization).
+* **Target System** - The repository of users where the Azure AD provisioning service synchronizes. The repository is typically a SaaS application, such as Salesforce, ServiceNow, G Suite, and Dropbox for Business. In some cases the repository can be an on-premises system such as Active Directory, such as Workday Inbound Synchronization to Active Directory.
## Getting provisioning reports from the Azure portal
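Review bot: the Target System definition doubles "such as" ("an on-premises system such as Active Directory, such as Workday Inbound Synchronization to Active Directory"), and the second item is a scenario, not a system; suggest "an on-premises system such as Active Directory (for example, Workday Inbound Synchronization to Active Directory)."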
-To get provisioning report information for a given application, start by launching the [Azure portal](https://portal.azure.com) and **Azure Active Directory** &gt; **Enterprise Apps** &gt; **Provisioning logs** in the **Activity** section. You can also browse to the Enterprise Application for which provisioning is configured. For example, if you are provisioning users to LinkedIn Elevate, the navigation path to the application details is:
+To get provisioning report information for a given application, start by launching the [Azure portal](https://portal.azure.com) and **Azure Active Directory** &gt; **Enterprise Apps** &gt; **Provisioning logs** in the **Activity** section. You can also browse to the Enterprise Application for which provisioning is configured. For example, if you're provisioning users to LinkedIn Elevate, the navigation path to the application details is:
**Azure Active Directory > Enterprise Applications > All applications > LinkedIn Elevate**
-From here, you can access both the provisioning progress bar and the provisioning logs, described below.
+From the all applications area, you access both the provisioning progress bar and provisioning logs.
## Provisioning progress bar
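Review bot: "From the all applications area, you access both the provisioning progress bar and provisioning logs." is awkward and points at the wrong place, since the navigation path just above ends at the application itself; suggest "From the application's page, you can access both the provisioning progress bar and the provisioning logs."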
-The [provisioning progress bar](application-provisioning-when-will-provisioning-finish-specific-user.md#view-the-provisioning-progress-bar) is visible in the **Provisioning** tab for a given application. It is located in the **Current Status** section and shows the status of the current initial or incremental cycle. This section also shows:
+The [provisioning progress bar](application-provisioning-when-will-provisioning-finish-specific-user.md#view-the-provisioning-progress-bar) is visible in the **Provisioning** tab for a given application. It's located in the **Current Status** section and shows the status of the current initial or incremental cycle. This section also shows:
-* The total number of users and/groups that have been synchronized and are currently in scope for provisioning between the source system and the target system.
+* The total number of users and groups that are synchronized and currently in scope for provisioning between the source system and the target system.
* The last time the synchronization was run. Synchronizations typically occur every 20-40 minutes, after an [initial cycle](../app-provisioning/how-provisioning-works.md#provisioning-cycles-initial-and-incremental) has completed.
-* Whether or not an [initial cycle](../app-provisioning/how-provisioning-works.md#provisioning-cycles-initial-and-incremental) has been completed.
-* Whether or not the provisioning process has been placed in quarantine, and what the reason for the quarantine status is (for example, failure to communicate with target system due to invalid admin credentials).
+* The status of an [initial cycle](../app-provisioning/how-provisioning-works.md#provisioning-cycles-initial-and-incremental) and if the cycle has been completed.
+* The status of the provisioning process and if it's being placed in quarantine. The status also shows the reason for the quarantine. For example, a status might indicate a failure to communicate with the target system due to invalid admin credentials.
The **Current Status** should be the first place admins look to check on the operational health of the provisioning job.
The provisioning summary report and provisioning logs play a key role helping ad
For scenario-based guidance on how to troubleshoot automatic user provisioning, see [Problems configuring and provisioning users to an application](../app-provisioning/application-provisioning-config-problem.md).
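Review bot: in the quarantine bullet, "if it's being placed in quarantine" describes an action in progress, whereas the removed line described a state; write "whether it has been placed in quarantine". The preceding bullet, "The status of an initial cycle and if the cycle has been completed", is likewise clearer as "Whether an initial cycle has completed."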
-## Additional Resources
+## Next steps
-* [Managing user account provisioning for Enterprise Apps](configure-automatic-user-provisioning-portal.md)
-* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+- [Managing user account provisioning for Enterprise Apps](configure-automatic-user-provisioning-portal.md)
+- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
active-directory On Premises Powershell Connector https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/app-provisioning/on-premises-powershell-connector.md
+
+ Title: Azure AD Provisioning to applications via PowerShell
+description: This document describes how to configure Azure AD to provision users with external systems that offer Windows PowerShell based APIs.
+++++++ Last updated : 02/08/2022++++
+# Provisioning users into applications using PowerShell
+The following documentation provides configuration and tutorial information demonstrating how the generic PowerShell connector and the ECMA Connector Host can be used to integrate Azure AD with external systems that offer Windows PowerShell based APIs.
+
+For additional information see [Windows PowerShell Connector technical reference](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-connector-powershell)
++
+## Prerequisites for provisioning via PowerShell
+The following sections detail the prerequisites for this tutorial.
+
+### Download the PowerShell setup files
+Download the PowerShell setup files from GitHub. The setup files consist of the configuration file, the input file, schema file and the scripts used. The files are located [here for download](https://github.com/microsoft/MIMPowerShellConnectors/tree/master/src/ECMA2HostCSV).
++
+### On-premises prerequisites
+
+The connector provides a bridge between the capabilities of the ECMA Connector Host and Windows PowerShell. Before you use the Connector, make sure you have the following on the server hosting the connector
+
+- A Windows Server 2016 or a later version.
+- At least 3 GB of RAM, to host a provisioning agent.
+- .NET Framework 4.7.2
+- Windows PowerShell 2.0, 3.0, or 4.0
+- Connectivity between hosting server, the connector, and the target system that the PowerShell scripts interact with.
+- The execution policy on the server must be configured to allow the connector to run Windows PowerShell scripts. Unless the scripts the connector runs are digitally signed, configure the execution policy by running this command:
+`Set-ExecutionPolicy -ExecutionPolicy RemoteSigned`
+- Deploying this connector requires one or more PowerShell scripts. Some Microsoft products may provide scripts for use with this connector, and the support statement for those scripts would be provided by that product. If you are developing your own scripts for use with this connector, you'll need to have familiarity with the [Extensible Connectivity Management Agent API](https://msdn.microsoft.com/library/windows/desktop/hh859557.aspx) to develop and maintain those scripts. If you are integrating with third party systems using your own scripts in a production environment, we recommend you work with the third party vendor or a deployment partner for help, guidance and support for this integration.
+++
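Review bot: the execution-policy bullet should say which scope it must be set in: the connector's scripts run under the service (or under the impersonated credentials described in the Connectivity table), not in the interactive admin session, so a CurrentUser-scoped policy set by the admin does not cover them; suggest `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine` from an elevated prompt, and put the command in a fenced ```powershell block as the token example later in the article does. Also check the "Windows PowerShell 2.0, 3.0, or 4.0" bullet against the Windows Server 2016 requirement directly above it and confirm those are the versions the connector actually supports on that OS.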
+### Cloud requirements
+
+ - An Azure AD tenant with Azure AD Premium P1 or Premium P2 (or EMS E3 or E5). [!INCLUDE [active-directory-p1-license.md](../../../includes/active-directory-p1-license.md)]
+ - The Hybrid Identity Administrator role for configuring the provisioning agent and the Application Administrator or Cloud Application Administrator roles for configuring provisioning in the Azure portal.
+ - The Azure AD users, to be provisioned, must already be populated with any attributes required by the schema.
++
+## Download, install, and configure the Azure AD Connect Provisioning Agent Package
+
+If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section.
+
+ 1. In the Azure portal, select **Azure Active Directory**.
+ 2. On the left, select **Azure AD Connect**.
+ 3. On the left, select **Cloud sync**.
+
+ :::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png":::
+
+ 4. On the left, select **Agent**.
+ 5. Select **Download on-premises agent**, and select **Accept terms & download**.
+
+ >[!NOTE]
+ >Please use different provisioning agents for on-premises application provisioning and Azure AD Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent.
+
+ 6. Open the provisioning agent installer, agree to the terms of service, and select **next**.
+ 7. When the provisioning agent wizard opens, continue to the **Select Extension** tab and select **On-premises application provisioning** when prompted for the extension you want to enable.
+ 8. The provisioning agent uses the operating system's web browser to display a popup window for you to authenticate to Azure AD, and potentially also your organization's identity provider. If you are using Internet Explorer as the browser on Windows Server, then you may need to add Microsoft web sites to your browser's trusted site list to allow JavaScript to run correctly.
+ 9. Provide credentials for an Azure AD administrator when you're prompted to authorize. The user is required to have the Hybrid Identity Administrator or Global Administrator role.
+ 10. Select **Confirm** to confirm the setting. Once installation is successful, you can select **Exit**, and also close the Provisioning Agent Package installer.
+
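Review bot: the note in the agent download steps, "All three scenarios should not be managed on the same agent", is ambiguous about whether any two may share an agent; write "Don't manage more than one of these scenarios on the same agent." "Please use different provisioning agents" can simply be "Use different provisioning agents".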
+## Configure the On-premises ECMA app
+
+ 1. Sign in to the Azure portal as an administrator.
+ 2. Go to **Enterprise applications** and select **New application**.
+ 3. Search for the **On-premises ECMA app** application, give the app a name, and select **Create** to add it to your tenant.
+ 4. Navigate to the **Provisioning** page of your application.
+ 5. Select **Get started**.
+ 6. On the **Provisioning** page, change the mode to **Automatic**.
+ 7. On the **On-Premises Connectivity** section, select the agent that you just deployed and select **Assign Agent(s)**.
+ 8. Keep this browser window open, as you complete the next step of configuration using the configuration wizard.
+
+ ## Place the InputFile.txt and Schema.xml file in locations
+ Before you can create the PowerShell connector for this tutorial, you need to copy the InputFile.txt and Schema.xml file into the correct locations. These files are the ones you needed to download in section [Download the PowerShell setup files](#download-the-powershell-setup-files).
+
+ |File|location|
+ |--|--|
+ |InputFile.txt|`C:\Program Files\Microsoft ECMA2Host\Service\ECMA\MAData`|
+ |Schema.xml|`C:\Program Files\Microsoft ECMA2Host\Service\ECMA`|
+
+ ## Configure the Azure AD ECMA Connector Host certificate
+
+ 1. On the Windows Server where the provisioning agent is installed, right click the **Microsoft ECMA2Host Configuration Wizard** from the start menu, and run as administrator. Running as a Windows administrator is necessary for the wizard to create the necessary Windows event logs.
+ 2. After the ECMA Connector Host Configuration starts, if it's the first time you have run the wizard, it will ask you to create a certificate. Leave the default port **8585** and select **Generate certificate** to generate a certificate. The autogenerated certificate will be self-signed as part of the trusted root. The certificate SAN matches the host name.
+ 3. Select **Save**.
++
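Review bot: "The autogenerated certificate will be self-signed as part of the trusted root" in step 2 is unclear; state what the wizard actually does, for example whether it installs the generated self-signed certificate into the machine's Trusted Root Certification Authorities store, so the admin knows what trust is being established on the server and what to remove later.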
+## Create the PowerShell Connector
+
+### General Screen
+ 1. Launch the Microsoft ECMA2Host Configuration Wizard from the start menu.
+ 2. At the top, select **Import** and select the configuration.xml file from step 1.
+ 3. The new connector should be created and appear in red. Click **Edit**.
+ 4. Generate a secret token used for authenticating Azure AD to the connector. It should be 12 characters minimum and unique for each application. If you do not already have a secret generator, you can use a PowerShell command such as the following to generate an example random string.
+ ```powershell
+ -join (((48..90) + (96..122)) * 16 | Get-Random -Count 16 | % {[char]$_})
+ ```
+ 5. On the **Properties** page, all of the information should be populated. The table is provided as reference. Click **Next**.
+
+ |Property|Value|
+ |--|--|
+ |Name|The name you chose for the connector, which should be unique across all connectors in your environment. For example, `PowerShell`.|
+ |Autosync timer (minutes)|120|
+ |Secret Token|Enter your secret token here. It should be 12 characters minimum.|
+ |Extension DLL|For the PowerShell connector, select **Microsoft.IAM.Connector.PowerShell.dll**.|
++
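Review bot: step 2 of the General Screen section says "select the configuration.xml file from step 1", but there is no step 1 that produces that file in this section; link to [Download the PowerShell setup files](#download-the-powershell-setup-files) instead. In the token example, the ranges 48..90 and 96..122 include punctuation (`:`, `;`, `<`, `=`, `>`, `?`, `@`, `[`, and the backtick), which may need escaping when pasted into the wizard or a script; either restrict the ranges to alphanumerics or document which characters the Secret Token field accepts, and spell out `ForEach-Object` rather than the `%` alias in documentation.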
+### Connectivity
+The connectivity tab allows you to supply configuration parameters for connecting to a remote system. Configure the connectivity tab with the information provided in the table.
+
+ - On the **Connectivity** page, all of the information should be populated. The table is provided as reference. Click **Next**.
+
+ :::image type="content" source="media/on-premises-powershell-connector/powershell-2.png" alt-text="Screenshot of the connectivity screen." lightbox="media/on-premises-powershell-connector/powershell-2.png":::
+
+|Parameter|Value|Purpose|
+|-|--|--|
+| Server | \<Blank\> | Server name that the connector should connect to. |
+| Domain | \<Blank\> |Domain of the credential to store for use when the connector is run.|
+|User| \<Blank\> | Username of the credential to store for use when the connector is run. |
+| Password | \<Blank\> | Password of the credential to store for use when the connector is run. |
+| Impersonate Connector Account |Unchecked| When true, the synchronization service runs the Windows PowerShell scripts in the context of the credentials supplied. When possible, it is recommended that the **$Credentials** parameter is passed to each script is used instead of impersonation.|
+| Load User Profile When Impersonating |Unchecked|Instructs Windows to load the user profile of the connectorΓÇÖs credentials during impersonation. If the impersonated user has a roaming profile, the connector does not load the roaming profile.|
+| Logon Type When Impersonating |None|Logon type during impersonation. For more information, see the [dwLogonType][dw] documentation. |
+|Signed Scripts Only |Unchecked| If true, the Windows PowerShell connector validates that each script has a valid digital signature. If false, ensure that the Synchronization Service serverΓÇÖs Windows PowerShell execution policy is RemoteSigned or Unrestricted.|
+|Common Module Script Name (with extension)|xADSyncPSConnectorModule.psm1|The connector allows you to store a shared Windows PowerShell module in the configuration. When the connector runs a script, the Windows PowerShell module is extracted to the file system so that it can be imported by each script.|
+|Common Module Script|[AD Sync PowerShell Connector Module code](https://github.com/microsoft/MIMPowerShellConnectors/blob/master/src/ECMA2HostCSV/Scripts/CommonModule.psm1) as value. This module will be automatically created by the ECMA2Host when the connector is running.||
+|Validation Script|\<Blank\>|The Validation Script is an optional Windows PowerShell script that can be used to ensure that connector configuration parameters supplied by the administrator are valid.|
+|Schema Script|[GetSchema code](https://github.com/microsoft/MIMPowerShellConnectors/blob/master/src/ECMA2HostCSV/Scripts/Schema%20Script.ps1) as value.||
+|Additional Config Parameter Names|FileName,Delimiter,Encoding|In addition to the standard configuration settings, you can define additional custom configuration settings that are specific to the instance of the Connector. These parameters can be specified at the connector, partition, or run step levels and accessed from the relevant Windows PowerShell script. |
+|Additional Encrypted Config Parameter Names|\<Blank\> ||
+++
+### Capabilities
+The capabilities tab defines the behavior and functionality of the connector. The selections made on this tab cannot be modified when the connector has been created. Configure the capabilities tab with the information provided in the table.
+
+- On the **Capabilities** page, all of the information should be populated. The table is provided as reference. Click **Next**.
+
+ :::image type="content" source="media/on-premises-powershell-connector/powershell-4.png" alt-text="Screenshot of the capabilities screen." lightbox="media/on-premises-powershell-connector/powershell-4.png":::
+
+|Parameter|Value|Purpose|
+|-|--|--|
+|Distinguished Name Style|None|Indicates if the connector supports distinguished names and if so, what style. |
+|Export Type|ObjectReplace|Determines the type of objects that are presented to the Export script.|
+|Data Normalization|None|Instructs the Synchronization Service to normalize anchor attributes before they are provided to scripts. |
+|Object Confirmation|Normal|This is ignored.|
+|Use DN as Anchor|Unchecked|If the Distinguished Name Style is set to LDAP, the anchor attribute for the connector space is also the distinguished name. |
+|Concurrent Operations of Several Connectors|Checked|When checked, multiple Windows PowerShell connectors can run simultaneously. |
+|Partitions|Unchecked|When checked, the connector supports multiple partitions and partition discovery. |
+|Hierarchy|Unchecked|When checked, the connector supports an LDAP style hierarchical structure. |
+|Enable Import|Checked|When checked, the connector imports data via import scripts. |
+|Enable Delta Import|Unchecked|When checked, the connector can request deltas from the import scripts. |
+|Enable Export|Checked|When checked, the connector exports data via export scripts. |
+|Enable Full Export|Checked|Not supported. This will be ignored.|
+|No Reference Values In First Export Pass|Unchecked|When checked, reference attributes are exported in a second export pass. |
+|Enable Object Rename|Unchecked|When checked, distinguished names can be modified. |
+|Delete-Add As Replace|Checked|Not supported. This will be ignored.|
+|Enable Export Password in First Pass|Checked|Not supported. This will be ignored.|
++
+### Global Parameters
+The Global Parameters tab enables you to configure the Windows PowerShell scripts that are run by the connector. You can also configure global values for custom configuration settings defined on the Connectivity tab. Configure the global parameters tab with the information provided in the table.
+
+ - On the **Global Parameters** page, all of the information should be populated. The table is provided as reference. Click **Next**.
++
+|Parameter|Value|
+|--|--|
+|Partition Script|\<Blank>|
+|Hierarchy Script|\<Blank>|
+|Begin Import Script|\<Blank>|
+|Import Script|Paste ImportData code as value|
+|End Import Script|\<Blank>|
+|Begin Export Script|Paste Begin export code as value|
+|Export Script|Paste ExportData code as value|
+|End Export Script|\<Blank>|
+|Begin Password Script|\<Blank>|
+|Password Extension Script|\<Blank>|
+|End Password Script|\<Blank>|
+|FileName_Global|InputFile.txt|
+|Delimiter_Global|;|
+|Encoding_Global|\<Blank> (defaults to UTF8)|
+
+### Partitions, Run Profiles, Export, FullImport
+Keep the defaults and click **next**.
+
+### Object types
+Configure the object types tab with the information provided in the table.
+
+- On the **Object types** page, all of the information should be populated. The table is provided as reference. Click **Next**.
++
+|Parameter|Value|
+|--|--|
+|Target Object|Person|
+|Anchor|AzureObjectID|
+|Query Attribute|AzureObjectID|
+|DN|AzureObjectID|
+
+### Select Attributes
+Ensure that the following attributes are selected:
+
+- On the **Select Attributes** page, all of the information should be populated. The table is provided as reference. Click **Next**.
+
+- AzureObjectID
+- IsActive
+- DisplayName
+- EmployeeId
+- Title
+- UserName
+- Email
++
+### Deprovisioning
+
+On the Deprovisioning page, you can specify if you wish to have Azure AD remove users from the directory when they go out of scope of the application. If so, under Disable flow, select Delete, and under Delete flow, select Delete. If Set attribute value is chosen, the attributes selected on the previous page won't be available to select on the Deprovisioning page.
+
+- On the **Deprovisioning** page, all of the information should be populated. The table is provided as reference. Click **Next**.
++
+## Ensure ECMA2Host service is running and can read from file via PowerShell
+
+Follow these steps to confirm that the connector host has started and has identified any existing users from the target system.
+
+ 1. On the server running the Azure AD ECMA Connector Host, select **Start**.
+ 2. Select **run** if needed, then enter **services.msc** in the box.
+ 3. In the **Services** list, ensure that **Microsoft ECMA2Host** is present and running. If it is not running, select **Start**.
+ 4. On the server running the Azure AD ECMA Connector Host, launch PowerShell.
+ 5. Change to the folder where the ECMA host was installed, such as `C:\Program Files\Microsoft ECMA2Host`.
+ 6. Change to the subdirectory `Troubleshooting`.
+ 7. Run the script `TestECMA2HostConnection.ps1` in the directory as shown, and provide as arguments the connector name and the `ObjectTypePath` value `cache`. If your connector host is not listening on TCP port 8585, then you may also need to provide the `-Port` argument as well. When prompted, type the secret token configured for that connector.
+ ```
+ PS C:\Program Files\Microsoft ECMA2Host\Troubleshooting> $cout = .\TestECMA2HostConnection.ps1 -ConnectorName PowerShell -ObjectTypePath cache; $cout.length -gt 9
+ Supply values for the following parameters:
+ SecretToken: ************
+ ```
+ 8. If the script displays an error or warning message, then check that the service is running, and the connector name and secret token match those values you configured in the configuration wizard.
+ 9. If the script displays the output `False`, then the connector has not seen any entries in the source target system for existing users. If this is a new target system installation, then this behavior is to be expected, and you can continue at the next section.
+ 10. However, if the target system already contains one or more users but the script displayed `False`, then this status indicates the connector could not read from the target system. If you attempt to provision, then Azure AD may not correctly match users in that source directory with users in Azure AD. Wait several minutes for the connector host to finish reading objects from the existing target system, and then rerun the script. If the output continues to be `False`, then check the configuration of your connector and the permissions in the target system are allowing the connector to read existing users.
++
+## Test the connection from Azure AD to the connector host
+ 1. Return to the web browser window where you were configuring the application provisioning in the portal.
+ >[!NOTE]
+ >If the window had timed out, then you need to re-select the agent.
+ 1. Sign in to the Azure portal.
+ 2. Go to **Enterprise applications** and the **On-premises ECMA app** application.
+ 3. Click on **Provisioning**.
+ 4. If **Get started** appears, then change the mode to **Automatic**, on the **On-Premises Connectivity** section, select the agent that you just deployed and select **Assign Agent(s)**, and wait 10 minutes. Otherwise go to **Edit Provisioning**.
+ 2. Under the **Admin credentials** section, enter the following URL. Replace the `connectorName` portion with the name of the connector on the ECMA host, such as `PowerShell`. If you provided a certificate from your certificate authority for the ECMA host, then replace `localhost` with the host name of the server where the ECMA host is installed.
+
+ |Property|Value|
+ |--|--|
+ |Tenant URL|https://localhost:8585/ecma2host_connectorName/scim|
+
+ 3. Enter the **Secret Token** value that you defined when you created the connector.
+ >[!NOTE]
+ >If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Azure AD Connect Provisioning Agent** service, right-click the service, and restart.
+ 4. Select **Test Connection**, and wait one minute.
+ 5. After the connection test is successful and indicates that the supplied credentials are authorized to enable provisioning, select **Save**.
+
+## Configure the application connection in the Azure portal
+Return to the web browser window where you were configuring the application provisioning.
+
+>[!NOTE]
+>If the window had timed out, then you need to re-select the agent.
+
+ 1. Sign in to the Azure portal.
+ 2. Go to **Enterprise applications** and the **On-premises ECMA app** application.
+ 3. Select on **Provisioning**.
+ 4. If **Get started** appears, then change the mode to **Automatic**, on the **On-Premises Connectivity** section, select the agent that you deployed and select **Assign Agent(s)**. Otherwise go to **Edit Provisioning**.
+ 5. Under the **Admin credentials** section, enter the following URL. Replace the `{connectorName}` portion with the name of the connector on the ECMA connector host, such as **CSV**. The connector name is case sensitive and should be the same case as was configured in the wizard. You can also replace `localhost` with your machine hostname.
+
+ |Property|Value|
+ |--|--|
+ |Tenant URL| `https://localhost:8585/ecma2host_CSV/scim`|
+ 6. Enter the **Secret Token** value that you defined when you created the connector.
+ >[!NOTE]
+ >If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Azure AD Connect Provisioning Agent Service**, right-click the service, and restart.
+ 7. Select **Test Connection**, and wait one minute.
+ 8. After the connection test is successful and indicates that the supplied credentials are authorized to enable provisioning, select **Save**.
++
+## Configure attribute mappings
+
+Now you need to map attributes between the representation of the user in Azure AD and the representation of a user in the on-premises InputFile.txt.
+
+You'll use the Azure portal to configure the mapping between the Azure AD user's attributes and the attributes that you previously selected in the ECMA Host configuration wizard.
+
+ 1. In the Azure AD portal, under **Enterprise applications**, select the **On-premises ECMA app** application, and then the **Provisioning** page.
+ 2. Select **Edit provisioning**, and wait 10 seconds.
+ 3. Expand **Mappings** and select **Provision Azure Active Directory Users**. If this is the first time you've configured the attribute mappings for this application, there will be only one mapping present, for a placeholder.
+ 4. To confirm that the schema is available in Azure AD, select the **Show advanced options** checkbox and select **Edit attribute list for ScimOnPremises**. Ensure that all the attributes selected in the configuration wizard are listed. If not, then wait several minutes for the schema to refresh, and then reload the page. Once you see the attributes listed, then cancel from this page to return to the mappings list.
+ 5. Now, on the click on the **userPrincipalName** PLACEHOLDER mapping. This mapping is added by default when you first configure on-premises provisioning.
+ Change the value to match the following:
+
+ |Mapping type|Source attribute|Target attribute|
+ |--|--|--|
+ |Direct|userPrincipalName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:UserName|
+ 4. Now select **Add New Mapping**, and repeat the next step for each mapping.
+ 5. Specify the source and target attributes for each of the mappings in the following table.
+
+
+ |Mapping type|Source attribute|Target attribute|
+ |--|--|--|
+ |Direct|objectId|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:AzureObjectID|
+ |Direct|userPrincipalName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:UserName|
+ |Direct|displayName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:DisplayName|
+ |Direct|employeeId|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:EmployeeId|
+ |Direct|jobTitle|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:Title|
+ |Direct|mail|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:Email|
+ |Expression|Switch([IsSoftDeleted],, "False", "True", "True", "False")|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:IsActive|
+
+
+ 6. Once all of the mappings have been added, select **Save**.
+
+## Assign users to an application
+
+Now that you have the Azure AD ECMA Connector Host talking with Azure AD, and the attribute mapping configured, you can move on to configuring who's in scope for provisioning.
+
+>[!IMPORTANT]
+>If you were signed in using a Hybrid Identity Administrator role, you need to sign-out and sign-in with an account that has the Application Administrator, Cloud Application Administrator or Global Administrator role, for this section. The Hybrid Identity Administrator role does not have permissions to assign users to applications.
+
+If there are existing users in the InputFile.txt, then you should create application role assignments for those existing users. To learn more about how to create application role assignments in bulk, see [governing an application's existing users in Azure AD](../governance/identity-governance-applications-existing-users.md).
+
+Otherwise, if there are no current users of the application, then select a test user from Azure AD who will be provisioned to the application.
+
+ 1. Ensure that the user selected has all the properties, mapped to the required attributes of the schema.
+ 2. In the Azure portal, select **Enterprise applications**.
+ 3. Select the **On-premises ECMA app** application.
+ 4. On the left, under **Manage**, select **Users and groups**.
+ 5. Select **Add user/group**.
+ 6. Under **Users**, select **None Selected**.
+ 7. Select users from the right and select the **Select** button.
+ 8. Now select **Assign**.
+
+## Test provisioning
+
+Now that your attributes are mapped and users are assigned, you can test on-demand provisioning with one of your users.
+
+ 1. In the Azure portal, select **Enterprise applications**.
+ 2. Select the **On-premises ECMA app** application.
+ 3. On the left, select **Provisioning**.
+ 4. Select **Provision on demand**.
+ 5. Search for one of your test users, and select **Provision**.
+ 6. After several seconds, then the message **Successfully created user in target system** appears, with a list of the user attributes.
+
+## Start provisioning users
+
+1. After on-demand provisioning is successful, change back to the provisioning configuration page. Ensure that the scope is set to only assigned users and groups, turn provisioning **On**, and select **Save**.
+2. Wait several minutes for provisioning to start. It might take up to 40 minutes. After the provisioning job has been completed, as described in the next section, if you're done testing, you can change the provisioning status to **Off**, and select **Save**. This action stops the provisioning service from running in the future.
++
+## Next steps
+
+- [App provisioning](user-provisioning.md)
+- [ECMA Connector Host generic SQL connector](tutorial-ecma-sql-connector.md)
+- [ECMA Connector Host LDAP connector](on-premises-ldap-connector-configure.md)
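Review bot: The secret token generator in step 4 of the General Screen section, `-join (((48..90) + (96..122)) * 16 | Get-Random -Count 16 | % {[char]$_})`, uses Get-Random, which is not a cryptographically secure generator, yet this token is the credential that authenticates Azure AD to the connector host (the Secret Token entered under Admin credentials later in the article). Suggest generating it from the .NET CSPRNG instead, for example `$b = New-Object byte[] 24; [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b); [Convert]::ToBase64String($b)`, which also avoids the code-point ranges 48..90 and 96..122 pulling in the backtick and `:;<=>?@`, characters that are awkward to paste into the wizard. Separately, the sections "Test the connection from Azure AD to the connector host" and "Configure the application connection in the Azure portal" duplicate each other with conflicting values: the first uses connector name `PowerShell` and Tenant URL `https://localhost:8585/ecma2host_connectorName/scim`, the second uses **CSV** and `https://localhost:8585/ecma2host_CSV/scim`, while the connector created in this article is named PowerShell, and the step numbering of the first section runs 1, 1, 2, 3, 4, 2, 3, 4, 5; keep one of the two sections with the PowerShell name and renumber it.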
active-directory Concept Certificate Based Authentication Mobile Android https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-mobile-android.md
Certain Exchange ActiveSync applications on Android 5.0 (Lollipop) or later are
To determine if your email application supports Azure AD CBA, contact your application developer.
-## Support for certificates on hardware security key (preview)
+## Support for certificates on hardware security key
Certificates can be provisioned in external devices like hardware security keys along with a PIN to protect private key access. Azure AD supports CBA with YubiKey.
Before installing Microsoft Authenticator, uninstall Company Portal and install
#### Does Azure AD CBA support YubiKey via NFC?
-This feature currently only supports using YubiKey with USB and not NFC. We are working to add support for NFC.
+This feature supports using YubiKey with USB and NFC.
#### Once CBA fails, clicking on the CBA option again in the ΓÇÿOther ways to signinΓÇÖ link on the error page fails.
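Review bot: The new answer under "Does Azure AD CBA support YubiKey via NFC?" states NFC support without a minimum Microsoft Authenticator or Android version, while the article otherwise baselines on Android 5.0 (Lollipop) or later; if NFC needs a newer Authenticator build than USB did, state it here, and carry the transport (USB and NFC) into the "Support for certificates on hardware security key" section above, which still says only that Azure AD supports CBA with YubiKey.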
active-directory Concept Certificate Based Authentication Mobile Ios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-mobile-ios.md
On iOS 9 or later, the native iOS mail client is supported.
To determine if your email application supports Azure AD CBA, contact your application developer.
-## Support for certificates on hardware security key (preview)
+## Support for certificates on hardware security key
Certificates can be provisioned in external devices like hardware security keys along with a PIN to protect private key access. Microsoft's mobile certificate-based solution coupled with the hardware security keys is a simple, convenient, FIPS (Federal Information Processing Standards) certified phishing-resistant MFA method.
active-directory Concept Certificate Based Authentication Technical Deep Dive https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/concept-certificate-based-authentication-technical-deep-dive.md
The following steps are a typical flow of the CRL check:
- Azure AD will attempt to download a new CRL from the distribution point if the cached CRL document is expired. >[!NOTE]
->Azure AD will check the CRL of the issuing CA and other CAs in the PKI trust chain up to the root CA. We have a limit of up to 5 CAs from the leaf client certificate for CRL validation in the PKI chain. The limitation is to make sure a bad actor will not bring down the service by uploading a PKI chain with a huge number of CAs with a bigger CRL size.
+>Azure AD will check the CRL of the issuing CA and other CAs in the PKI trust chain up to the root CA. We have a limit of up to 10 CAs from the leaf client certificate for CRL validation in the PKI chain. The limitation is to make sure a bad actor will not bring down the service by uploading a PKI chain with a huge number of CAs with a bigger CRL size.
If the tenantΓÇÖs PKI chain has more than 5 CAs and in case of a CA compromise, the administrator should remove the compromised trusted issuer from the Azure AD tenant configuration.
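Review bot: The note now raises the CRL validation limit from 5 to 10 CAs, but the sentence immediately after it still reads "If the tenant's PKI chain has more than 5 CAs and in case of a CA compromise", so the two statements disagree; update it to 10, and consider saying explicitly that CAs beyond the limit (counted from the leaf certificate) are not CRL-checked, since the compromise guidance only makes sense once the reader knows revocation checking stops at that point.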
active-directory Howto Sspr Windows https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/authentication/howto-sspr-windows.md
Deploying the configuration change to enable SSPR from the login screen using Mi
Select **Add**, then **Next**. 1. The policy can be assigned to specific users, devices, or groups. Assign the profile as desired for your environment, ideally to a test group of devices first, then select **Next**.
- For more information, see [Assign user and device profiles in Microsoft Microsoft Intune](/mem/intune/configuration/device-profile-assign).
+ For more information, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign).
1. Configure applicability rules as desired for your environment, such as to *Assign profile if OS edition is Windows 10 Enterprise*, then select **Next**. 1. Review your profile, then select **Create**.
active-directory Concept Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/concept-attributes.md
- Title: 'Understand the Azure AD schema and custom expressions'
-description: This article describes the Azure AD schema, the attributes that the provisioning agent flows, and custom expressions.
------ Previously updated : 01/11/2023-------
-# Understand the Azure AD schema
-An object in Azure Active Directory (Azure AD), like any directory, is a programmatic high-level data construct that represents such things as users, groups, and contacts. When you create a new user or contact in Azure AD, you're creating a new instance of that object. These instances can be differentiated based on their properties.
-
-Properties in Azure AD are the elements responsible for storing information about an instance of an object in Azure AD.
-
-The Azure AD schema defines the rules for which properties might be used in an entry, the kinds of values that those properties might have, and how users might interact with those values.
-
-Azure AD has two types of properties:
-- **Built-in properties**: Properties that are predefined by the Azure AD schema. These properties provide different uses and might or might not be accessible.-- **Directory extensions**: Properties that are provided so that you can customize Azure AD for your own use. For example, if you've extended your on-premises Active Directory with a certain attribute and want to flow that attribute, you can use one of the custom properties that's provided. -
-## Attributes and expressions
-When an object such as a user is provisioned to Azure AD, a new instance of the user object is created. This creation includes the properties of that object, which are also known as attributes. Initially, the newly created object has its attributes set to values that are determined by the synchronization rules. These attributes are then kept up to date via the cloud provisioning agent.
-
-![Object provisioning](media/concept-attributes/attribute-1.png)
-
-For example, a user might be part of a Marketing department. Their Azure AD department attribute is initially created when they're provisioned, and the value is set to Marketing. Six months later if they change to Sales, their on-premises Active Directory department attribute is changed to Sales. This change synchronizes to Azure AD and is reflected in their Azure AD user object.
-
-Attribute synchronization might be direct, where the value in Azure AD is directly set to the value of the on-premises attribute. Or, a programmatic expression might handle the synchronization. A programmatic expression is needed in cases where some logic or a determination must be made to populate the value.
-
-For example, if you had the mail attribute "john.smith@contoso.com" and needed to strip out the "@contoso.com" portion and flow only the value "john.smith," you'd use something like this:
-
-`Replace([mail], "@contoso.com", , ,"", ,)`
-
-**Sample input/output:** <br>
-
-* **INPUT** (mail): "john.smith@contoso.com"
-* **OUTPUT**: "john.smith"
-
-For more information on how to write custom expressions and the syntax, see [Writing expressions for attribute mappings in Azure Active Directory](../app-provisioning/functions-for-customizing-application-data.md).
-
-The following table lists common attributes and how they're synchronized to Azure AD.
--
-|On-premises Active Directory|Mapping type|Azure AD|
-|--|--|--|
-|cn|Direct|commonName
-|countryCode|Direct|countryCode|
-|displayName|Direct|displayName|
-|givenName|Expression|givenName|
-|objectGUID|Direct|sourceAnchorBinary|
-|userprincipalName|Direct|userPrincipalName|
-|ProxyAdress|Direct|ProxyAddress|
-
-## View the schema
-> [!WARNING]
-> The cloud sync configuration creates a service principal. The service principal is visible in the Azure portal. You should not modify the attribute mappings using the service principal experience in the Azure portal. This is not supported.
-
-To view the schema and verify it, follow these steps.
-
-1. Go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
-1. Sign in with your global administrator account.
-1. On the left, select **modify permissions** and ensure that **Directory.ReadWrite.All** is *Consented*.
-1. Run the query `https://graph.microsoft.com/beta/serviceprincipals/?$filter=startswith(DisplayName, ΓÇÿ{sync config name}ΓÇÖ)`. This query returns a filtered list of service principals. This can also be acquired via the App Registration node under Azure Active Directory.
-1. Locate `"appDisplayName": "Active Directory to Azure Active Directory Provisioning"` and note the value for `"id"`.
- ```
- "value": [
- {
- "id": "00d41b14-7958-45ad-9d75-d52fa29e02a1",
- "deletedDateTime": null,
- "accountEnabled": true,
- "appDisplayName": "Active Directory to Azure Active Directory Provisioning",
- "appId": "1a4721b3-e57f-4451-ae87-ef078703ec94",
- "applicationTemplateId": null,
- "appOwnerOrganizationId": "47df5bb7-e6bc-4256-afb0-dd8c8e3c1ce8",
- "appRoleAssignmentRequired": false,
- "displayName": "Active Directory to Azure Active Directory Provisioning",
- "errorUrl": null,
- "homepage": "https://account.activedirectory.windowsazure.com:444/applications/default.aspx?metadata=AD2AADProvisioning|ISV9.1|primary|z",
- "loginUrl": null,
- "logoutUrl": null,
- "notificationEmailAddresses": [],
- "preferredSingleSignOnMode": null,
- "preferredTokenSigningKeyEndDateTime": null,
- "preferredTokenSigningKeyThumbprint": null,
- "publisherName": "Active Directory Application Registry",
- "replyUrls": [],
- "samlMetadataUrl": null,
- "samlSingleSignOnSettings": null,
- "servicePrincipalNames": [
- "http://adapplicationregistry.onmicrosoft.com/adprovisioningtoaad/primary",
- "1a4721b3-e57f-4451-ae87-ef078703ec94"
- ],
- "signInAudience": "AzureADMultipleOrgs",
- "tags": [
- "WindowsAzureActiveDirectoryIntegratedApp"
- ],
- "addIns": [],
- "api": {
- "resourceSpecificApplicationPermissions": []
- },
- "appRoles": [
- {
- "allowedMemberTypes": [
- "User"
- ],
- "description": "msiam_access",
- "displayName": "msiam_access",
- "id": "a0326856-1f51-4311-8ae7-a034d168eedf",
- "isEnabled": true,
- "origin": "Application",
- "value": null
- }
- ],
- "info": {
- "termsOfServiceUrl": null,
- "supportUrl": null,
- "privacyStatementUrl": null,
- "marketingUrl": null,
- "logoUrl": null
- },
- "keyCredentials": [],
- "publishedPermissionScopes": [
- {
- "adminConsentDescription": "Allow the application to access Active Directory to Azure Active Directory Provisioning on behalf of the signed-in user.",
- "adminConsentDisplayName": "Access Active Directory to Azure Active Directory Provisioning",
- "id": "d40ed463-646c-4efe-bb3e-3fa7d0006688",
- "isEnabled": true,
- "type": "User",
- "userConsentDescription": "Allow the application to access Active Directory to Azure Active Directory Provisioning on your behalf.",
- "userConsentDisplayName": "Access Active Directory to Azure Active Directory Provisioning",
- "value": "user_impersonation"
- }
- ],
- "passwordCredentials": []
- },
- ```
-1. Replace `{Service Principal id}` with your value, and run the query `https://graph.microsoft.com/beta/serviceprincipals/{Service Principal id}/synchronization/jobs/`.
-1. Locate `"id": "AD2AADProvisioning.fd1c9b9e8077402c8bc03a7186c8f976"` and note the value for `"id"`.
- ```
- {
- "id": "AD2AADProvisioning.fd1c9b9e8077402c8bc03a7186c8f976",
- "templateId": "AD2AADProvisioning",
- "schedule": {
- "expiration": null,
- "interval": "PT2M",
- "state": "Active"
- },
- "status": {
- "countSuccessiveCompleteFailures": 0,
- "escrowsPruned": false,
- "code": "Active",
- "lastSuccessfulExecutionWithExports": null,
- "quarantine": null,
- "steadyStateFirstAchievedTime": "2019-11-08T15:48:05.7360238Z",
- "steadyStateLastAchievedTime": "2019-11-20T16:17:24.7957721Z",
- "troubleshootingUrl": "",
- "lastExecution": {
- "activityIdentifier": "2dea06a7-2960-420d-931e-f6c807ebda24",
- "countEntitled": 0,
- "countEntitledForProvisioning": 0,
- "countEscrowed": 15,
- "countEscrowedRaw": 15,
- "countExported": 0,
- "countExports": 0,
- "countImported": 0,
- "countImportedDeltas": 0,
- "countImportedReferenceDeltas": 0,
- "state": "Succeeded",
- "error": null,
- "timeBegan": "2019-11-20T16:15:21.116098Z",
- "timeEnded": "2019-11-20T16:17:24.7488681Z"
- },
- "lastSuccessfulExecution": {
- "activityIdentifier": null,
- "countEntitled": 0,
- "countEntitledForProvisioning": 0,
- "countEscrowed": 0,
- "countEscrowedRaw": 0,
- "countExported": 5,
- "countExports": 0,
- "countImported": 0,
- "countImportedDeltas": 0,
- "countImportedReferenceDeltas": 0,
- "state": "Succeeded",
- "error": null,
- "timeBegan": "0001-01-01T00:00:00Z",
- "timeEnded": "2019-11-20T14:09:46.8855027Z"
- },
- "progress": [],
- "synchronizedEntryCountByType": [
- {
- "key": "group to Group",
- "value": 33
- },
- {
- "key": "user to User",
- "value": 3
- }
- ]
- },
- "synchronizationJobSettings": [
- {
- "name": "Domain",
- "value": "{\"DomainFQDN\":\"contoso.com\",\"DomainNetBios\":\"CONTOSO\",\"ForestFQDN\":\"contoso.com\",\"ForestNetBios\":\"CONTOSO\"}"
- },
- {
- "name": "DomainFQDN",
- "value": "contoso.com"
- },
- {
- "name": "DomainNetBios",
- "value": "CONTOSO"
- },
- {
- "name": "ForestFQDN",
- "value": "contoso.com"
- },
- {
- "name": "ForestNetBios",
- "value": "CONTOSO"
- },
- {
- "name": "QuarantineTooManyDeletesThreshold",
- "value": "500"
- }
- ]
- }
- ```
-1. Now run the query `https://graph.microsoft.com/beta/serviceprincipals/{Service Principal Id}/synchronization/jobs/{AD2AAD Provisioning id}/schema`.
-
--
- Replace `{Service Principal Id}` and `{AD2ADD Provisioning Id}` with your values.
-
-1. This query returns the schema.
-
- ![Returned schema](media/concept-attributes/schema-1.png)
-
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
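Review bot: The placeholder in the removed line `Replace {Service Principal Id} and {AD2ADD Provisioning Id} with your values.` is misspelled (`AD2ADD`) and disagrees with the `{AD2AAD Provisioning id}` segment used in the query URL two lines above it; if this walkthrough is being relocated rather than retired, carry it over with one consistent placeholder name so readers do not hunt for a value that does not exist. The JSON sample is also indented flat (every key at column zero) and the `Now run the query` step is split by a stray `--` line, so a cleaned copy should restore the nesting and the list numbering. Since this hunk removes the remainder of the concept-attributes article (its images live under `media/concept-attributes/`) including its Next steps, confirm a redirect or replacement page exists for the old path.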
active-directory Concept How It Works https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/concept-how-it-works.md
- Title: 'Azure AD Connect cloud sync deep dive - how it works'
-description: This topic provides deep dive information on how cloud sync works.
------- Previously updated : 01/11/2023-----
-# Cloud sync deep dive - how it works
-
-## Overview of components
-
-![How it works](media/concept-how-it-works/how-1.png)
-
-Cloud sync is built on top of the Azure AD services and has 2 key components:
--- **Provisioning agent**: The Azure AD Connect cloud provisioning agent is the same agent as Workday inbound and built on the same server-side technology as app proxy and Pass Through Authentication. It requires an outbound connection only and agents are auto-updated. -- **Provisioning service**: Same provisioning service as outbound provisioning and Workday inbound provisioning, which uses a scheduler-based model. Cloud sync provisions change every 2 mins.--
-## Initial setup
-During initial setup, a few things are done that makes cloud sync happen.
--- **During agent installation**: You configure the agent for the AD domains you want to provision from. This configuration registers the domains in the hybrid identity service and establishes an outbound connection to the service bus listening for requests.-- **When you enable provisioning**: You select the AD domain and enable provisioning, which runs every 2 mins. Optionally you may deselect password hash sync and define notification email. You can also manage attribute transformation using Microsoft Graph APIs.--
-## Agent installation
-The following items occur when the cloud provisioning agent is installed.
--- First, the Installer installs the Agent binaries and the Agent Service running under the Virtual Service Account (NETWORK SERVICE\AADProvisioningAgent). A virtual service account is a special type of account that doesn't have a password and is managed by Windows.-- The Installer then starts the Wizard.-- The Wizard will prompt for Azure AD credentials, will then authenticate, and retrieve a token.-- The wizard then asks for the current machine Domain Administrators credentials.-- Using these credentials, the agent general managed service account (GMSA) for this domain is either created or located and reused if it already exists.-- The agent service is now reconfigured to run under the GMSA.-- The wizard now asks for domain configuration along with the Enterprise Admin (EA)/Domain Admin(DA) Account for each domain you want the agent to service.-- The GMSA account is then updated with permissions that enable it access to each domain entered during setup.-- Next, the wizard triggers agent registration-- The agent creates a certificate and using the Azure AD token, registers itself and the certificate with the Hybrid Identity Service(HIS) Registration Service-- The Wizard triggers an AgentResourceGrouping call. This call to HIS Admin Service is to assign the agent to one or more AD Domains in the HIS configuration.-- The wizard now restarts the agent service.-- The agent calls a Bootstrap Service on restart (and every 10 mins afterwards) to check for configuration updates. The bootstrap service validates the agent identity. It also updates the last bootstrap time. This is important because if agents don't bootstrap, they aren't getting updated Service Bus endpoints and may not be able to receive requests. --
-## What is System for Cross-domain Identity Management (SCIM)?
-
-The [SCIM specification](https://tools.ietf.org/html/draft-scim-core-schema-01) is a standard that is used to automate the exchanging of user or group identity information between identity domains such as Azure AD. SCIM is becoming the de facto standard for provisioning and, when used with federation standards like SAML or OpenID Connect, provides administrators an end-to-end standards-based solution for access management.
-
-The Azure AD Connect cloud provisioning agent uses SCIM with Azure AD to provision and deprovision users and groups.
-
-## Synchronization flow
-![provisioning](media/concept-how-it-works/provisioning-4.png)
-Once you've installed the agent and enabled provisioning, the following flow occurs.
-
-1. Once configured, the Azure AD Provisioning service calls the Azure AD hybrid service to add a request to the Service bus. The agent constantly maintains an outbound connection to the Service Bus listening for requests and picks up the System for Cross-domain Identity Management (SCIM) request immediately.
-2. The agent breaks up the request into separate queries based on object type.
-3. AD returns the result to the agent and the agent filters this data before sending it to Azure AD.
-4. Agent returns the SCIM response to Azure AD. These responses are based on the filtering that happened within the agent. The agent uses scoping to filter the results.
-5. The provisioning service writes the changes to Azure AD.
-6. If a delta Sync occurs, as opposed to a full sync, then the cookie/watermark is used. New queries will get changes from that cookie/watermark onwards.
-
-## Supported scenarios:
-The following scenarios are supported for cloud sync.
---- **Existing hybrid customer with a new forest**: Azure AD Connect sync is used for primary forests. Cloud sync is used for provisioning from an AD forest (including disconnected). For more information, see the tutorial [here](tutorial-existing-forest.md).-
- ![Existing hybrid](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
-- **New hybrid customer**: Azure AD Connect sync isn't used. Cloud sync is used for provisioning from an AD forest. For more information, see the tutorial [here](tutorial-single-forest.md).
-
- ![New customers](media/tutorial-single-forest/diagram-2.png)
--- **Existing hybrid customer**: Azure AD Connect sync is used for primary forests. Cloud sync is piloted for a small set of users in the primary forests [here](tutorial-existing-forest.md).-
- ![Existing pilot](media/tutorial-migrate-aadc-aadccp/diagram-2.png)
-
-For more information, see [Supported topologies](plan-cloud-sync-topologies.md).
---
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
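Review bot: Two factual slips in the removed agent-installation bullets should be corrected wherever this content lands instead of being copied verbatim. `general managed service account (GMSA)` should read `group managed service account (gMSA)`, which is the account type the wizard actually creates or reuses for the agent service, and the SCIM reference points at an expired draft (`draft-scim-core-schema-01`) where the published standard is RFC 7643 (core schema) and RFC 7644 (protocol). The bullet lists under `Overview of components`, `Initial setup`, `Agent installation` and `Supported scenarios` have also collapsed into single lines joined by `--`, so the relocated article needs its list breaks restored. Because this hunk deletes the whole concept-how-it-works article, check that a redirect exists for the old URL so the `Supported topologies` and tutorial cross-links from other pages keep resolving.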
active-directory Custom Attribute Mapping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/custom-attribute-mapping.md
- Title: 'Azure AD Connect cloud sync directory extensions and custom attribute mapping'
-description: This topic provides information on custom attribute mapping in cloud sync.
------- Previously updated : 01/12/2023-------
-# Cloud Sync directory extensions and custom attribute mapping
-
-## Directory extensions
-You can use directory extensions to extend the schema in Azure Active Directory (Azure AD) with your own attributes from on-premises Active Directory. This feature enables you to build LOB apps by consuming attributes that you continue to manage on-premises.
-
-For additional information on directory extensions see [Using directory extension attributes in claims](../develop/active-directory-schema-extensions.md)
-
- You can see the available attributes by using [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). You can also use this feature to create dynamic groups in Azure AD.
-
->[!NOTE]
-> In order to discover new Active Directory extension attributes, the provisioning agent needs to be restarted. You should restart the agent after the directory extensions have been created. For Azure AD extension attributes, the agent doesn't need to be restarted.
-
-## Syncing directory extensions for Azure Active Directory Connect cloud sync
-
-You can use [directory extensions](/graph/api/resources/extensionproperty?view=graph-rest-1.0&preserve-view=true) to extend the synchronization schema directory definition in Azure Active Directory (Azure AD) with your own attributes.
-
->[!Important]
-> Directory extension for Azure Active Directory Connect cloud sync is only supported for applications with the identifier URI ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsAppΓÇ¥ and the [Tenant Schema Extension App](../hybrid/how-to-connect-sync-feature-directory-extensions.md#configuration-changes-in-azure-ad-made-by-the-wizard) created by Azure AD Connect
-
-### Create application and service principal for directory extension
-
-You need to create an [application](/graph/api/resources/application?view=graph-rest-1.0&preserve-view=true) with the identifier URI "api://&LT;tenantId&GT;/CloudSyncCustomExtensionsApp" if it doesn't exist and create a service principal for the application if it doesn't exist.
--
- 1. Check if application with the identifier URI "api://&LT;tenantId&GT;/CloudSyncCustomExtensionsApp" exists.
-
- - Using Microsoft Graph
-
- ```
- GET /applications?$filter=identifierUris/any(uri:uri eq 'api://<tenantId>/CloudSyncCustomExtensionsApp')
- ```
-
- For more information, see [Get application](/graph/api/application-get?view=graph-rest-1.0&tabs=http&preserve-view=true)
-
- - Using PowerShell
-
- ```
- Get-AzureADApplication -Filter "identifierUris/any(uri:uri eq 'api://<tenantId>/CloudSyncCustomExtensionsApp')"
- ```
-
- For more information, see [Get-AzureADApplication](/powershell/module/azuread/get-azureadapplication?view=azureadps-2.0&preserve-view=true)
-
- 2. If the application doesn't exist, create the application with identifier URI ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsApp.ΓÇ¥
-
- - Using Microsoft Graph
- ```
- POST https://graph.microsoft.com/v1.0/applications
- Content-type: application/json
-
- {
- "displayName": "CloudSyncCustomExtensionsApp",
- "identifierUris": ["api://<tenant id>/CloudSyncCustomExtensionsApp"]
- }
- ```
- For more information, see [create application](/graph/api/application-post-applications?view=graph-rest-1.0&tabs=http&preserve-view=true)
-
- - Using PowerShell
- ```
- New-AzureADApplication -DisplayName "CloudSyncCustomExtensionsApp" -IdentifierUris "api://<tenant id>/CloudSyncCustomExtensionsApp"
- ```
- For more information, see [New-AzureADApplication](/powershell/module/azuread/new-azureadapplication?view=azureadps-2.0&preserve-view=true)
-
-
-
- 3. Check if the service principal exists for the application with identifier URI ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsAppΓÇ¥.
-
- - Using Microsoft Graph
- ```
- GET /servicePrincipals?$filter=(appId eq '{appId}')
- ```
- For more information, see [get service principal](/graph/api/serviceprincipal-get?view=graph-rest-1.0&tabs=http&preserve-view=true)
-
- - Using PowerShell
- ```
- Get-AzureADServicePrincipal -ObjectId '<application objectid>'
- ```
- For more information, see [Get-AzureADServicePrincipal](/powershell/module/azuread/get-azureadserviceprincipal?view=azureadps-2.0&preserve-view=true&preserve-view=true)
-
-
- 4. If a service principal doesn't exist, create a new service principal for the application with identifier URI ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsAppΓÇ¥
-
- - Using Microsoft Graph
- ```
- POST https://graph.microsoft.com/v1.0/servicePrincipals
- Content-type: application/json
-
- {
- "appId":
- "<application appId>"
- }
- ```
- For more information, see [create servicePrincipal](/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=http&preserve-view=true)
-
- - Using PowerShell
-
- ```
- New-AzureADServicePrincipal -AppId '<appId>'
- ```
- For more information, see [New-AzureADServicePrincipal](/powershell/module/azuread/new-azureadserviceprincipal?view=azureadps-2.0&preserve-view=true)
-
- 5. You can create directory extensions in Azure AD in several different ways.
-
-|Method|Description|URL|
-|--|--|--|
-|MS Graph|Create extensions using GRAPH|[Create extensionProperty](/graph/api/application-post-extensionproperty?view=graph-rest-1.0&tabs=http&preserve-view=true)|
-|PowerShell|Create extensions using PowerShell|[New-AzureADApplicationExtensionProperty](/powershell/module/azuread/new-azureadapplicationextensionproperty?view=azureadps-2.0&preserve-view=true)|
-Using Cloud Sync and Azure AD Connect|Create extensions using Azure AD Connect|[Create an extension attribute using Azure AD Connect](../app-provisioning/user-provisioning-sync-attributes-for-mapping.md#create-an-extension-attribute-using-azure-ad-connect)|
-|Customizing attributes to sync|Information on customizing which attributes to synch|[Customize which attributes to synchronize with Azure AD](../hybrid/how-to-connect-sync-feature-directory-extensions.md#customize-which-attributes-to-synchronize-with-azure-ad)
-
-## Use attribute mapping to map Directory Extensions
-If you have extended Active Directory to include custom attributes, you can add these attributes and map them to users.
-
-To discover and map attributes, click **Add attribute mapping**. The attributes will automatically be discovered and will be available in the drop-down under **source attribute**. Fill in the type of mapping you want and click **Apply**.
- [![Custom attribute mapping](media/custom-attribute-mapping/schema-1.png)](media/custom-attribute-mapping/schema-1.png#lightbox)
-
-For information on new attributes that are added and updated in Azure AD see the [user resource type](/graph/api/resources/user?view=graph-rest-1.0#properties&preserve-view=true) and consider subscribing to [change notifications](/graph/webhooks).
-
-For more information on extension attributes, see [Syncing extension attributes for Azure Active Directory Application Provisioning](../app-provisioning/user-provisioning-sync-attributes-for-mapping.md)
-
-## Additional resources
--- [Understand the Azure AD schema and custom expressions](concept-attributes.md)-- [Azure AD Connect sync: Directory extensions](../hybrid/how-to-connect-sync-feature-directory-extensions.md)-- [Attribute mapping in Azure AD Connect cloud sync](how-to-attribute-mapping.md)
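Review bot: The removed Markdown has encoding and table defects that should be fixed in the destination copy rather than carried across. The identifier URI is rendered with mojibake quote characters (`ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsAppΓÇ¥`) in the Important callout and again in steps 2, 3 and 4, and the `Using Cloud Sync and Azure AD Connect` row of the methods table lacks its leading `|`, so it will not render as a table row. The `&LT;tenantId&GT;` escape also differs from the `<tenant id>` placeholder used in the Graph and PowerShell samples; one placeholder spelling throughout reduces the chance of someone pasting an escaped or wrong value into a real identifier URI. The Graph and PowerShell code fences carry no language tag, so add `http` and `powershell` when moving them. As with the other deletions in this change, confirm a redirect for the old custom-attribute-mapping path.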
active-directory How To Accidental Deletes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/how-to-accidental-deletes.md
- Title: 'Azure AD Connect cloud sync accidental deletes'
-description: This topic describes how to use the accidental delete feature to prevent deletions.
------ Previously updated : 01/11/2023-----
-# Accidental delete prevention
-
-The following document describes the accidental deletion feature for Azure AD Connect cloud sync. The accidental delete feature is designed to protect you from accidental configuration changes and changes to your on-premises directory that would affect many users and groups. This feature allows you to:
--- configure the ability to prevent accidental deletes automatically. -- Set the # of objects (threshold) beyond which the configuration will take effect -- set up a notification email address so they can get an email notification once the sync job in question is put in quarantine for this scenario -
-To use this feature, you set the threshold for the number of objects that, if deleted, synchronization should stop. So if this number is reached, the synchronization will stop and a notification will be sent to the email that is specified. This notification will allow you to investigate what is going on.
-
-For more information and an example, see the following video.
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWK5mV]
--
-## Configure accidental delete prevention
-To use the new feature, follow the steps below.
--
- 1. In the Azure portal, select **Azure Active Directory**.
- 2. On the left, select **Azure AD Connect**.
- 3. On the left, select **Cloud sync**.
-4. Under **Configuration**, select your configuration.
-5. Select **View default properties**.
-6. Click the pencil next to **Basics**
-5. On the right, fill in the following information.
- - **Notification email** - email used for notifications
- - **Prevent accidental deletions** - check this box to enable the feature
- - **Accidental deletion threshold** - enter the number of objects to stop synchronization and send a notification
--
-## Recovering from an accidental delete instance
-If you encounter an accidental delete you'll see this on the status of your provisioning agent configuration. It will say **Delete threshold exceeded**.
-
-![Accidental delete status](media/how-to-accidental-deletes/delete-1.png)
-
-By clicking on **Delete threshold exceeded**, you'll see the sync status info. This action will provide more details.
-
- ![Sync status](media/how-to-accidental-deletes/delete-2.png)
-
-By right-clicking on the ellipses, you'll get the following options:
-
- ![Right click](media/how-to-accidental-deletes/delete-3.png)
-
-Using **View provisioning log**, you can see the **StagedDelete** entries and review the information provided on the users that have been deleted.
-
- ![Provisioning logs](media/how-to-accidental-deletes/delete-7.png)
-
-### Allowing deletes
-
-The **Allow deletes** action will delete the objects that triggered the accidental delete threshold. Use the following procedure to accept the deletes.
-
-1. Right-click on the ellipses and select **Allow deletes**.
-2. Click **Yes** on the confirmation to allow the deletions.
-
- ![Yes on confirmation](media/how-to-accidental-deletes/delete-4.png)
-
-3. You'll see confirmation that the deletions were accepted and the status will return to healthy with the next cycle.
-
- ![Accept deletes](media/how-to-accidental-deletes/delete-8.png)
-
-### Rejecting deletions
-
-If you don't want to allow the deletions, you need to do the following:
-- investigate the source of the deletions-- fix the issue (example, OU was moved out of scope accidentally and you've now re-added it back to the scope)-- Run **Restart sync** on the agent configuration-
-## Next steps
--- [Azure AD Connect cloud sync troubleshooting?](how-to-troubleshoot.md)-- [Azure AD Connect cloud sync error codes](reference-error-codes.md)
-
-
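Review bot: The configuration steps in the removed `Configure accidental delete prevention` section are misnumbered (4, 5, 6, then 5 again for the `fill in the following information` step), and the feature bullet list at the top has collapsed into one line with inconsistent capitalisation (`configure ... automatically.`, `Set the # of objects`, `set up a notification email address`). Both should be fixed in the relocated article. Worth preserving intact when moving: the `Rejecting deletions` guidance (investigate the source, fix the cause such as an OU moved out of scope, then `Restart sync`) is the defensive half of this feature and should stay next to `Allowing deletes`, so a reader sees the investigate-first path before choosing to accept the pending deletions.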
active-directory How To Attribute Mapping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/how-to-attribute-mapping.md
- Title: 'Attribute mapping in Azure AD Connect cloud sync'
-description: This article describes how to use the cloud sync feature of Azure AD Connect to map attributes.
------ Previously updated : 01/20/2023-----
-# Attribute mapping in Azure AD Connect cloud sync
-
-You can use the cloud sync attribute mapping feature to map attributes between your on-premises user or group objects and the objects in Azure AD.
-
- :::image type="content" source="media/how-to-attribute-mapping/new-ux-mapping-1.png" alt-text="Screenshot of new UX screen attribute mapping." lightbox="media/how-to-attribute-mapping/new-ux-mapping-1.png":::
-
-You can customize (change, delete, or create) the default attribute mappings according to your business needs. For a list of attributes that are synchronized, see [Attributes synchronized to Azure Active Directory](../hybrid/reference-connect-sync-attributes-synchronized.md?context=azure%2factive-directory%2fcloud-provisioning%2fcontext%2fcp-context/hybrid/reference-connect-sync-attributes-synchronized.md).
-
-> [!NOTE]
-> This article describes how to use the Azure portal to map attributes. For information on using Microsoft Graph, see [Transformations](how-to-transformation.md).
-
-## Understand types of attribute mapping
-With attribute mapping, you control how attributes are populated in Azure AD. Azure AD supports four mapping types:
-
-|Mapping Type|Description|
-|--|--|
-|**Direct**|The target attribute is populated with the value of an attribute of the linked object in Active Directory.|
-|**Constant**|The target attribute is populated with a specific string that you specify.|
-|**Expression**|The target attribute is populated based on the result of a script-like expression. For more information, see [Expression Builder](how-to-expression-builder.md) and [Writing expressions for attribute mappings in Azure Active Directory](reference-expressions.md).|
-|**None**|The target attribute is left unmodified. However, if the target attribute is ever empty, it's populated with the default value that you specify.|
-
-Along with these basic types, custom attribute mappings support the concept of an optional *default* value assignment. The default value assignment ensures that a target attribute is populated with a value if Azure AD or the target object doesn't have a value. The most common configuration is to leave this blank.
-
-## Schema updates and mappings
-Cloud sync will occasionally update the schema and the list of default attributes that are [synchronized](../hybrid/reference-connect-sync-attributes-synchronized.md?context=%2fazure%2factive-directory%2fcloud-provisioning%2fcontext%2fcp-context). These default attribute mappings will be available for new installations but will not automatically be added to existing installations. To add these mappings you can follow the steps below.
--
- 1. Click on ΓÇ£add attribute mappingΓÇ¥
- 2. Select the Target attribute dropdown
- 3. You should see the new attributes that are available here.
-
-The following is a list of new mappings that were added.
-
-Attribute Added | Mapping Type | Added with Agent Version
-| -- | --| --|
-|preferredDatalocation|Direct|1.1.359.0|
-|EmployeeNumber|Direct|1.1.359.0|
-|UserType|Direct|1.1.359.0|
-
-For more information on how to map UserType, see [Map UserType with cloud sync](how-to-map-usertype.md).
-
-## Understand properties of attribute mappings
-
-Along with the type property, attribute mappings support certain attributes. These attributes will depend on the type of mapping you have selected. The following sections describe the supported attribute mappings for each of the individual types. The following type of attribute mapping is available.
-- Direct-- Constant-- Expression-
-### Direct mapping attributes
-The following are the attributes supported by a direct mapping:
--- **Source attribute**: The user attribute from the source system (example: Active Directory).-- **Target attribute**: The user attribute in the target system (example: Azure Active Directory).-- **Default value if null (optional)**: The value that will be passed to the target system if the source attribute is null. This value will be provisioned only when a user is created. It won't be provisioned when you're updating an existing user. -- **Apply this mapping**:
- - **Always**: Apply this mapping on both user-creation and update actions.
- - **Only during creation**: Apply this mapping only on user-creation actions.
--
-### Constant mapping attributes
-The following are the attributes supported by a constant mapping:
--- **Constant value**: The value that you want to apply to the target attribute.-- **Target attribute**: The user attribute in the target system (example: Azure Active Directory).-- **Apply this mapping**:
- - **Always**: Apply this mapping on both user-creation and update actions.
- - **Only during creation**: Apply this mapping only on user-creation actions.
-
-### Expression mapping attributes
-The following are the attributes supported by an expression mapping:
--- **Expression**: This is the expression that is going to be applied to the target attribute. For more information, see [Expression Builder](how-to-expression-builder.md) and [Writing expressions for attribute mappings in Azure Active Directory](reference-expressions.md).-- **Default value if null (optional)**: The value that will be passed to the target system if the source attribute is null. This value will be provisioned only when a user is created. It won't be provisioned when you're updating an existing user. -- **Target attribute**: The user attribute in the target system (example: Azure Active Directory).
-
-- **Apply this mapping**:
- - **Always**: Apply this mapping on both user-creation and update actions.
- - **Only during creation**: Apply this mapping only on user-creation actions.
-
-## Add an attribute mapping
-
-To use attribute mapping, follow these steps:
-
- 1. In the Azure portal, select **Azure Active Directory**.
- 2. On the left, select **Azure AD Connect**.
- 3. On the left, select **Cloud sync**.
-
- :::image type="content" source="media/how-to-on-demand-provision/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="media/how-to-on-demand-provision/new-ux-1.png":::
-
- 4. Under **Configuration**, select your configuration.
- 5. On the left, select **Attribute mapping**.
- 6. At the top, ensure that you have the correct object type selected. That is, user, group, or contact.
- 7. Click **Add attribute mapping**.
-
- :::image type="content" source="media/how-to-attribute-mapping/new-ux-mapping-3.png" alt-text="Screenshot of adding an attribute mapping." lightbox="media/how-to-attribute-mapping/new-ux-mapping-3.png":::
-
- 8. Select the mapping type. This can be one of the following:
- - **Direct**: The target attribute is populated with the value of an attribute of the linked object in Active Directory.
- - **Constant**: The target attribute is populated with a specific string that you specify.
- - **Expression**: The target attribute is populated based on the result of a script-like expression.
- - **None**: The target attribute is left unmodified.
-
- 9. Depending on what you have selected in the previous step, different options will be available for filling in.
- 10. Select when to apply this mapping, and then select **Apply**.
- :::image type="content" source="media/how-to-attribute-mapping/new-ux-mapping-4.png" alt-text="Screenshot of saving an attribute mapping." lightbox="media/how-to-attribute-mapping/new-ux-mapping-4.png":::
-
- 11. Back on the **Attribute mappings** screen, you should see your new attribute mapping.
- 12. Select **Save schema**. You will be notified that once you save the schema, a synchronization will occur. Click **OK**.
- :::image type="content" source="media/how-to-attribute-mapping/new-ux-mapping-5.png" alt-text="Screenshot of saving schema." lightbox="media/how-to-attribute-mapping/new-ux-mapping-5.png":::
-
- 13. Once the save is successful you will see a notification on the right.
-
- :::image type="content" source="media/how-to-attribute-mapping/new-ux-mapping-6.png" alt-text="Screenshot of successful schema save." lightbox="media/how-to-attribute-mapping/new-ux-mapping-6.png":::
-
-## Test your attribute mapping
-
-To test your attribute mapping, you can use [on-demand provisioning](how-to-on-demand-provision.md):
-
- 1. In the Azure portal, select **Azure Active Directory**.
- 2. On the left, select **Azure AD Connect**.
- 3. On the left, select **Cloud sync**.
- 4. Under **Configuration**, select your configuration.
- 5. On the left, select **Provision on demand**.
- 6. Enter the distinguished name of a user and select the **Provision** button.
-
- :::image type="content" source="media/how-to-on-demand-provision/new-ux-2.png" alt-text="Screenshot of user distinguished name." lightbox="media/how-to-on-demand-provision/new-ux-2.png":::
-
- 7. After provisioning finishes, a success screen appears with four green check marks. Any errors appear to the left.
-
- :::image type="content" source="media/how-to-on-demand-provision/new-ux-3.png" alt-text="Screenshot of on-demand success." lightbox="media/how-to-on-demand-provision/new-ux-3.png":::
--------
-## Next steps
--- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)-- [Writing expressions for attribute mappings](reference-expressions.md)-- [How to use expression builder with cloud sync](how-to-expression-builder.md)-- [Attributes synchronized to Azure Active Directory](../hybrid/reference-connect-sync-attributes-synchronized.md?context=azure%2factive-directory%2fcloud-provisioning%2fcontext%2fcp-context/hybrid/reference-connect-sync-attributes-synchronized.md)
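Review bot: The removed `Schema updates and mappings` steps render the quotes around `add attribute mapping` as mojibake (`ΓÇ£`/`ΓÇ¥`), and the `Attribute Added` table header row is missing its leading `|` while the divider row has one, so the header will not line up with the body. The list introducing the mapping types under `Understand properties of attribute mappings` has also collapsed into a single line (`- Direct-- Constant-- Expression-`), as have the bullet lists under `Direct mapping attributes`, `Constant mapping attributes` and `Expression mapping attributes`. If the article is moving rather than being retired, fix these in the new location and keep the `Test your attribute mapping` section with it: validating a mapping against a single distinguished name through on-demand provisioning is the low-risk way to confirm an expression mapping does what was intended before relying on it across the whole sync scope.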
active-directory How To Automatic Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/how-to-automatic-upgrade.md
- Title: 'Azure AD Connect cloud provisioning agent: Automatic upgrade'
-description: This article describes the built-in automatic upgrade feature in the Azure AD Connect cloud provisioning agent.
------ Previously updated : 01/11/2023-----
-# Azure AD Connect cloud provisioning agent: Automatic upgrade
-
-Making sure your Azure Active Directory (Azure AD) Connect cloud provisioning agent installation is always up to date is easy with the automatic upgrade feature.
-
-The agent is installed here: "Program files\Azure AD Connect Provisioning Agent\AADConnectProvisioningAgent.exe"
-
-To verify your version, right-click the executable and select properties and then details.
-
-![Agent file version](media/how-to-automatic-upgrade/agent-1.png)
-
-The agent updater is installed here: "Program files\Azure AD Connect Provisioning Agent Updater\AzureADConnectAgentUpdater.exe"
-
-To verify your version, right-click the executable and select properties and then details.
-
-![Agent updater version](media/how-to-automatic-upgrade/agent-2.png)
-
-## Uninstall the agent
-To remove the agent, go to **Uninstall or change a program** and uninstall the following:
--- **Microsoft Azure AD Connect Agent Updater**-- **Microsoft Azure AD Connect Provisioning Agent**-- **Microsoft Azure AD Connect Provisioning Agent Package**-
-![Agent removal](media/how-to-automatic-upgrade/agent-3.png)
-
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)-
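Review bot: The removed text gives the agent and updater locations as `"Program files\Azure AD Connect Provisioning Agent\..."` and `"Program files\Azure AD Connect Provisioning Agent Updater\..."` with no drive letter or `%ProgramFiles%` form; if this page is being relocated, quote the full path so a reader verifying the binary version opens the right file. Also, the title promises automatic upgrade behaviour, but the visible body only explains how to read the file versions and how to uninstall the three packages; the destination page should describe, or link to, how the updater applies upgrades, since keeping the agent current is the security-relevant point the article exists for. The uninstall bullet list is collapsed into one line joined by `--` and needs its breaks restored.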
active-directory How To Cloud Sync Workbook https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/how-to-cloud-sync-workbook.md
- Title: 'Azure AD cloud sync insights workbook'
-description: This article describes the Azure Monitor workbook for cloud sync.
------ Previously updated : 01/26/2023-------
-# Azure AD cloud sync insights workbook
-The Cloud sync workbook provides a flexible canvas for data analysis. The workbook allows you to create rich visual reports within the Azure portal. To learn more, see Azure Monitor Workbooks overview.
-
-This workbook is intended for Hybrid Identity Admins who use cloud sync to sync users from AD to Azure AD. It allows admins to gain insights into sync status and details.
-
-The workbook can be accessed by select **Insights** on the left hand side of the cloud sync page.
--
- :::image type="content" source="media/how-to-cloud-sync-workbook/workbook-1.png" alt-text="Screenshot of the cloud sync workbook." lightbox="media/how-to-cloud-sync-workbook/workbook-1.png":::
-
->[!NOTE]
->The Insights node is available at both the all configurations level and the individual configuration level. To view information on individual configurations select the Job Id for the configuration.
-
-This workbook:
--- Provides a synchronization summary of users and groups synchronized from AD to Azure AD-- Provides a detailed view of information captured by the cloud sync provisioning logs.-- Allows you to customize the data to tailor it to your specific needs---
-|Field|Description|
-|--|--|
-|Date|The range that you want to view data on.|
-|Status|View the provisioning status such as Success or Skipped.|
-|Action|View the provisioning actions taken such as Create or Delete.|
-|Job Id|Allows you to target specific Job Ids. This can be used to see individual configuration data if you have multiple configurations.|
-|SyncType|Filter by type of synchronization such as object or password.|
--
-## Enabling provisioning logs
-
-You should already be familiar with Azure monitoring and Log Analytics. If not, jump over to learn about them and then come back to learn about application provisioning logs. To learn more about Azure monitoring, see [Azure Monitor overview](../../azure-monitor/overview.md). To learn more about Azure Monitor logs and Log Analytics, see [Overview of log queries in Azure Monitor](../../azure-monitor/logs/log-query-overview.md) and [Provisioning Logs for troubleshooting cloud sync](how-to-troubleshoot.md).
-
-## Sync summary
-The sync summary section provides a summary of your organizations synchronization activities. These activities include:
- - Sync actions per day by action
- - Sync actions per day by status
- - Unique sync count by status
- - Recent sync errors
---
- :::image type="content" source="media/how-to-cloud-sync-workbook/workbook-2.png" alt-text="Screenshot of the cloud sync summary." lightbox="media/how-to-cloud-sync-workbook/workbook-2.png":::
--
-## Sync details
-The sync details tab allows you to drill into the synchronization data and get more information. This information includes:
- - Objects sync by status
- - Sync log details
-
- :::image type="content" source="media/how-to-cloud-sync-workbook/workbook-3.png" alt-text="Screenshot of the cloud sync details." lightbox="media/how-to-cloud-sync-workbook/workbook-3.png":::
-
-You can further drill in to the sync log details for additional information.
-
- :::image type="content" source="media/how-to-cloud-sync-workbook/workbook-4.png" alt-text="Screenshot of the log details." lightbox="media/how-to-cloud-sync-workbook/workbook-4.png":::
-
-## Job Id
-A Job Id will be created for each configuration when it runs and is populated with data. You can look at individual configuration based on Job Id.
---
-## Custom queries
-
-You can create custom queries and show the data on Azure dashboards. To learn how, see [Create and share dashboards of Log Analytics data](../../azure-monitor/logs/get-started-queries.md). Also, be sure to check out [Overview of log queries in Azure Monitor](../../azure-monitor/logs/log-query-overview.md).
-
-## Custom alerts
-
-Azure Monitor lets you configure custom alerts so that you can get notified about key events related to Provisioning. For example, you might want to receive an alert on spikes in failures. Or perhaps spikes in disables or deletes. Another example of where you might want to be alerted is a lack of any provisioning, which indicates something is wrong.
-
-To learn more about alerts, see [Azure Monitor Log Alerts](../../azure-monitor/alerts/alerts-log.md).
-
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)-- [Known limitations](how-to-prerequisites.md#known-limitations)-- [Error codes](reference-error-codes.md)
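Review bot: the removed Custom alerts section is this article's only detection guidance (`For example, you might want to receive an alert on spikes in failures. Or perhaps spikes in disables or deletes.` and `a lack of any provisioning, which indicates something is wrong.`), and nothing in the visible change tells readers where that advice now lives; if the article is being moved rather than retired, carry that section and its `../../azure-monitor/alerts/alerts-log.md` link over, and in the relocated copy fix `The workbook can be accessed by select **Insights**` to `by selecting **Insights**` and `your organizations synchronization activities` to `your organization's synchronization activities`.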
active-directory How To Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/how-to-configure.md
- Title: 'Azure AD Connect cloud sync new agent configuration'
-description: This article describes how to install cloud sync.
------ Previously updated : 01/20/2023-----
-# Create a new configuration for Azure AD Connect cloud sync
-
-The following document will guide you through configuring Azure AD Connect cloud sync.
-
-The following documentation demonstrates the new guided user experience for Azure AD Connect cloud sync. If you are not seeing the images below, you need to select the **Preview features** at the top. You can select this again to revert back to the old experience.
-
- :::image type="content" source="media/how-to-configure/new-ux-configure-19.png" alt-text="Screenshot of enable preview features." lightbox="media/how-to-configure/new-ux-configure-19.png":::
-
-For additional information and an example of how to configure cloud sync, see the video below.
--
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWKact]
--
-## Configure provisioning
-To configure provisioning, follow these steps.
-
- 1. In the Azure portal, select **Azure Active Directory**.
- 2. On the left, select **Azure AD Connect**.
- 3. On the left, select **Cloud sync**.
-
- :::image type="content" source="media/how-to-on-demand-provision/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="media/how-to-on-demand-provision/new-ux-1.png":::
-
- 4. Select **New configuration**.
- :::image type="content" source="media/how-to-configure/new-ux-configure-1.png" alt-text="Screenshot of adding a configuration." lightbox="media/how-to-configure/new-ux-configure-1.png":::
- 5. On the configuration screen, select your domain and whether to enable password hash sync. Click **Create**.
-
- :::image type="content" source="media/how-to-configure/new-ux-configure-2.png" alt-text="Screenshot of a new configuration." lightbox="media/how-to-configure/new-ux-configure-2.png":::
-
- 6. The **Get started** screen will open. From here, you can continue configuring cloud sync.
-
- :::image type="content" source="media/how-to-configure/new-ux-configure-3.png" alt-text="Screenshot of the getting started screen." lightbox="media/how-to-configure/new-ux-configure-3.png":::
-
- 7. The configuration is split in to the following 5 sections.
-
-|Section|Description|
-|--|--|
-|1. Add [scoping filters](#scope-provisioning-to-specific-users-and-groups)|Use this section to define what objects appear in Azure AD|
-|2. Map [attributes](#attribute-mapping)|Use this section to map attributes between your on-premises users/groups with Azure AD objects|
-|3. [Test](#on-demand-provisioning)|Test your configuration before deploying it|
-|4. View [default properties](#accidental-deletions-and-email-notifications)|View the default setting prior to enabling them and make changes where appropriate|
-|5. Enable [your configuration](#enable-your-configuration)|Once ready, enable the configuration and users/groups will begin synchronizing|
-
- >[!NOTE]
- > During the configuration process the synchronization service account will be created with the format **ADToAADSyncServiceAccount@[TenantID].onmicrosoft.com** and you may get an error if multi-factor authentication is enabled for the synchronization service account, or other interactive authentication policies are accidentally enabled for the synchronization account. Removing multi-factor authentication or any interactive authentication policies for the synchronization service account should resolve the error and you can complete the configuration smoothly.
--
-## Scope provisioning to specific users and groups
-You can scope the agent to synchronize specific users and groups by using on-premises Active Directory groups or organizational units.
-
- :::image type="content" source="media/how-to-configure/new-ux-configure-4.png" alt-text="Screenshot of scoping filters icon." lightbox="media/how-to-configure/new-ux-configure-4.png":::
--
-You can't configure groups and organizational units within a configuration.
- >[!NOTE]
- > You cannot use nested groups with group scoping. Nested objects beyond the first level will not be included when scoping using security groups. Only use group scope filtering for pilot scenarios as there are limitations to syncing large groups.
-
- 1. On the **Getting started** configuration screen. Click either **Add scoping filters** next to the **Add scoping filters** icon or on the click **Scoping filters** on the left under **Manage**.
-
- :::image type="content" source="media/how-to-configure/new-ux-configure-5.png" alt-text="Screenshot of scoping filters." lightbox="media/how-to-configure/new-ux-configure-5.png":::
-
- 2. Select the scoping filter. The filter can be one of the following:
- - **All users**: Scopes the configuration to apply to all users that are being synchronized.
- - **Selected security groups**: Scopes the configuration to apply to specific security groups.
- - **Selected organizational units**: Scopes the configuration to apply to specific OUs.
- 3. For security groups and organizational units, supply the appropriate distinguished name and click **Add**.
- 4. Once your scoping filters are configured, click **Save**.
- 5. After saving, you should see a message telling you what you still need to do to configure cloud sync. You can click the link to continue.
- :::image type="content" source="media/how-to-configure/new-ux-configure-16.png" alt-text="Screenshot of the nudge for scoping filters." lightbox="media/how-to-configure/new-ux-configure-16.png":::
- 7. Once you've changed the scope, you should [restart provisioning](#restart-provisioning) to initiate an immediate synchronization of the changes.
-
-## Attribute mapping
-Azure AD Connect cloud sync allows you to easily map attributes between your on-premises user/group objects and the objects in Azure AD.
---
-You can customize the default attribute-mappings according to your business needs. So, you can change or delete existing attribute-mappings, or create new attribute-mappings.
--
-After saving, you should see a message telling you what you still need to do to configure cloud sync. You can click the link to continue.
- :::image type="content" source="media/how-to-configure/new-ux-configure-17.png" alt-text="Screenshot of the nudge for attribute filters." lightbox="media/how-to-configure/new-ux-configure-17.png":::
--
-For more information, see [attribute mapping](how-to-attribute-mapping.md).
-
-## Directory extensions and custom attribute mapping.
-Azure AD Connect cloud sync allows you to extend the directory with extensions and provides for custom attribute mapping. For more information see [Directory extensions and custom attribute mapping](custom-attribute-mapping.md).
-
-## On-demand provisioning
-Azure AD Connect cloud sync allows you to test configuration changes, by applying these changes to a single user or group.
--
-You can use this to validate and verify that the changes made to the configuration were applied properly and are being correctly synchronized to Azure AD.
--
-After testing, you should see a message telling you what you still need to do to configure cloud sync. You can click the link to continue.
- :::image type="content" source="media/how-to-configure/new-ux-configure-18.png" alt-text="Screenshot of the nudge for testing." lightbox="media/how-to-configure/new-ux-configure-18.png":::
--
-For more information, see [on-demand provisioning](how-to-on-demand-provision.md).
-
-## Accidental deletions and email notifications
-The default properties section provides information on accidental deletions and email notifications.
--
-The accidental delete feature is designed to protect you from accidental configuration changes and changes to your on-premises directory that would affect many users and groups.
-
-This feature allows you to:
--- configure the ability to prevent accidental deletes automatically. -- Set the # of objects (threshold) beyond which the configuration will take effect -- set up a notification email address so they can get an email notification once the sync job in question is put in quarantine for this scenario -
-For more information, see [Accidental deletes](how-to-accidental-deletes.md)
-
-Click the **pencil** next to **Basics** to change the defaults in a configuration.
--
-## Enable your configuration
-Once you've finalized and tested your configuration, you can enable it.
--
-Click **Enable configuration** to enable it.
--
-## Quarantines
-Cloud sync monitors the health of your configuration and places unhealthy objects in a quarantine state. If most or all of the calls made against the target system consistently fail because of an error, for example, invalid admin credentials, the sync job is marked as in quarantine. For more information, see the troubleshooting section on [quarantines](how-to-troubleshoot.md#provisioning-quarantined-problems).
-
-## Restart provisioning
-If you don't want to wait for the next scheduled run, trigger the provisioning run by using the **Restart sync** button.
- 1. In the Azure portal, select **Azure Active Directory**.
- 2. On the left, select **Azure AD Connect**.
- 3. On the left, select **Cloud sync**.
- 4. Under **Configuration**, select your configuration.
-
- :::image type="content" source="media/how-to-configure/new-ux-configure-14.png" alt-text="Screenshot of restarting sync." lightbox="media/how-to-configure/new-ux-configure-14.png":::
-
- 5. At the top, select **Restart sync**.
-
-## Remove a configuration
-To delete a configuration, follow these steps.
-
- 1. In the Azure portal, select **Azure Active Directory**.
- 2. On the left, select **Azure AD Connect**.
- 3. On the left, select **Cloud sync**.
- 4. Under **Configuration**, select your configuration.
-
- :::image type="content" source="media/how-to-configure/new-ux-configure-15.png" alt-text="Screenshot of deletion." lightbox="media/how-to-configure/new-ux-configure-15.png":::
-
- 5. At the top of the configuration screen, select **Delete configuration**.
-
->[!IMPORTANT]
->There's no confirmation prior to deleting a configuration. Make sure this is the action you want to take before you select **Delete**.
--
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
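Review bot: the NOTE under step 7 tells readers that `Removing multi-factor authentication or any interactive authentication policies for the synchronization service account should resolve the error`; in the relocated copy state explicitly that the relaxation is an exclusion for the single account `ADToAADSyncServiceAccount@[TenantID].onmicrosoft.com`, not a change to the policies themselves, so the guidance cannot be read as a tenant-wide weakening. Two smaller points in the same region: `You can't configure groups and organizational units within a configuration.` reads as if neither can be used, whereas the step 2 list (`The filter can be one of the following`) shows only that the two cannot be combined in one configuration, so say that; and the scoping-filter steps jump from `5.` to `7.`. The IMPORTANT callout (`There's no confirmation prior to deleting a configuration.`) is an operational caveat worth keeping wherever the Remove a configuration steps end up.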
active-directory How To Gmsa Cmdlets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/how-to-gmsa-cmdlets.md
- Title: 'Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets'
-description: Learn how to use the Azure AD Connect cloud provisioning agent gMSA powershell cmdlets.
------ Previously updated : 01/11/2023-----
-# Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets
-
-The purpose of this document is to describe the Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets. These cmdlets allow you to have more granularity on the permissions that are applied on the service account (gMSA). By default, Azure AD Connect cloud sync applies all permissions similar to Azure AD Connect on the default gMSA or a custom gMSA, during cloud provisioning agent install.
-
-This document will cover the following cmdlets:
-
-`Set-AADCloudSyncPermissions`
-
-`Set-AADCloudSyncRestrictedPermissions`
-
-## How to use the cmdlets:
-
-The following prerequisites are required to use these cmdlets.
-
-1. Install provisioning agent.
-
-2. Import Provisioning Agent PS module into a PowerShell session.
-
- ```powershell
- Import-Module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll"
- ```
-
-3. These cmdlets require a parameter called `Credential` which can be passed, or will prompt the user if not provided in the command line. Depending on the cmdlet syntax used, these credentials must be an enterprise admin account or, at a minimum, a domain administrator of the target domain where you're setting the permissions.
-
-4. To create a variable for credentials, use:
-
- `$credential = Get-Credential`
-
-5. To set Active Directory permissions for cloud provisioning agent, you can use the following cmdlet. This will grant permissions in the root of the domain allowing the service account to manage on-premises Active Directory objects. See [Using Set-AADCloudSyncPermissions](#using-set-aadcloudsyncpermissions) below for examples on setting the permissions.
-
- `Set-AADCloudSyncPermissions -EACredential $credential`
-
-6. To restrict Active Directory permissions set by default on the cloud provisioning agent account, you can use the following cmdlet. This will increase the security of the service account by disabling permission inheritance and removing all existing permissions, except SELF and Full Control for administrators. See [Using Set-AADCloudSyncRestrictedPermission](#using-set-aadcloudsyncrestrictedpermissions) below for examples on restricting the permissions.
-
- `Set-AADCloudSyncRestrictedPermission -Credential $credential`
-
-## Using Set-AADCloudSyncPermissions
-
-`Set-AADCloudSyncPermissions` supports the following permission types which are identical to the permissions used by Azure AD Connect Classic Sync (ADSync). The following permission types are supported:
-
-|Permission type|Description|
-|--|--|
-|BasicRead| See [BasicRead](../../active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md#configure-basic-read-only-permissions) permissions for Azure AD Connect|
-|PasswordHashSync|See [PasswordHashSync](../../active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-password-hash-synchronization) permissions for Azure AD Connect|
-|PasswordWriteBack|See [PasswordWriteBack](../../active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-password-writeback) permissions for Azure AD Connect|
-|HybridExchangePermissions|See [HybridExchangePermissions](../../active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-exchange-hybrid-deployment) permissions for Azure AD Connect|
-|ExchangeMailPublicFolderPermissions| See [ExchangeMailPublicFolderPermissions](../../active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-exchange-mail-public-folders) permissions for Azure AD Connect|
-|CloudHR| Applies 'Create/delete User objects' on 'This object and all descendant objects'|
-|All| Applies all the above permissions|
-
-You can use AADCloudSyncPermissions in one of two ways:
-- [Grant permissions to all configured domains](#grant-permissions-to-all-configured-domains)-- [Grant permissions to a specific domain](#grant-permissions-to-a-specific-domain)-
-## Grant permissions to all configured domains
-
-Granting certain permissions to all configured domains will require the use of an enterprise admin account.
-
-```powershell
-$credential = Get-Credential
-Set-AADCloudSyncPermissions -PermissionType "Any mentioned above" -EACredential $credential
-```
-
-## Grant permissions to a specific domain
-
-Granting certain permissions to a specific domain will require the use of a TargetDomainCredential that is enterprise admin or, domain admin of the target domain. The TargetDomain has to be already configured through wizard.
-
-```powershell
-$credential = Get-Credential
-Set-AADCloudSyncPermissions -PermissionType "Any mentioned above" -TargetDomain "FQDN of domain" -TargetDomainCredential $credential
-```
-
-## Using Set-AADCloudSyncRestrictedPermissions
-For increased security, `Set-AADCloudSyncRestrictedPermissions` will tighten the permissions set on the cloud provisioning agent account itself. Hardening permissions on the cloud provisioning agent account involves the following changes:
--- Disable inheritance-- Remove all default permissions, except ACEs specific to SELF.-- Set Full Control permissions for SYSTEM, Administrators, Domain Admins, and Enterprise Admins.-- Set Read permissions for Authenticated Users and Enterprise Domain Controllers.
-
- The -Credential parameter is necessary to specify the Administrator account that has the necessary privileges to restrict Active Directory permissions on the cloud provisioning agent account. This is typically the domain or enterprise administrator.
-
-For Example:
-
-``` powershell
-$credential = Get-Credential
-Set-AADCloudSyncRestrictedPermissions -Credential $credential
-```
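Review bot: the restricted-permissions cmdlet is named inconsistently: step 6 and its link use the singular (`Set-AADCloudSyncRestrictedPermission -Credential $credential`) while the heading and the closing example use `Set-AADCloudSyncRestrictedPermissions`; use the real cmdlet name everywhere, since a reader copying step 6 gets a command-not-found error if it is the wrong one. Step 3 says the cmdlets `require a parameter called Credential`, but the `Set-AADCloudSyncPermissions` examples take `-EACredential` and `-TargetDomainCredential`, so list the parameter name per cmdlet. The placeholder `-PermissionType "Any mentioned above"` should be a value from the table, for example `-PermissionType "BasicRead"`, and since the intro says the default install grants all permissions, the example is the natural place to show a type narrower than `All`. Minor: the last code fence has a space between the backticks and `powershell`, which some renderers do not treat as a language tag.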
active-directory How To Inbound Synch Ms Graph https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/how-to-inbound-synch-ms-graph.md
- Title: 'How to programmatically configure cloud sync using MS Graph API'
-description: This topic describes how to enable inbound synchronization using just the Graph API
------ Previously updated : 01/11/2023-----
-# How to programmatically configure cloud sync using MS Graph API
-
-The following document describes how to replicate a synchronization profile from scratch using only MSGraph APIs.
-The structure of how to do this consists of the following steps. They are:
--- [How to programmatically configure cloud sync using MS Graph API](#how-to-programmatically-configure-cloud-sync-using-ms-graph-api)
- - [Basic setup](#basic-setup)
- - [Enable tenant flags](#enable-tenant-flags)
- - [Create service principals](#create-service-principals)
- - [Create sync job](#create-sync-job)
- - [Update targeted domain](#update-targeted-domain)
- - [Enable Sync password hashes on configuration blade](#enable-sync-password-hashes-on-configuration-blade)
- - [Accidental deletes](#accidental-deletes)
- - [Enabling and setting the threshold](#enabling-and-setting-the-threshold)
- - [Allowing deletes](#allowing-deletes)
- - [Start sync job](#start-sync-job)
- - [Review status](#review-status)
- - [Next steps](#next-steps)
-
-Use these [Microsoft Azure Active Directory Module for Windows PowerShell](/powershell/module/msonline/) commands to enable synchronization for a production tenant, a pre-requisite for being able to call the Administration Web Service for that tenant.
-
-## Basic setup
-
-### Enable tenant flags
-
-```powershell
-Connect-MsolService ('-AzureEnvironment <AzureEnvironmnet>')
- Set-MsolDirSyncEnabled -EnableDirSync $true
-```
-
-The first of those two commands, require Azure Active Directory credentials. These cmdlets implicitly identify the tenant and enable it for synchronization.
-
-## Create service principals
-
-Next, we need to create the [AD2AAD application/ service principal](/graph/api/applicationtemplate-instantiate)
-
-You need to use this application ID 1a4721b3-e57f-4451-ae87-ef078703ec94. The displayName is the AD domain URL, if used in the portal (for example, contoso.com), but it may be named something else.
-
-```
-POST https://graph.microsoft.com/beta/applicationTemplates/1a4721b3-e57f-4451-ae87-ef078703ec94/instantiate
-Content-type: application/json
-{
- displayName: [your app name here]
-}
-```
-
-## Create sync job
-
-The output of the above command will return the objectId of the service principal that was created. For this example, the objectId is 614ac0e9-a59b-481f-bd8f-79a73d167e1c. Use Microsoft Graph to add a synchronizationJob to that service principal.
-
-Documentation for creating a sync job can be found [here](/graph/api/synchronization-synchronizationjob-post?tabs=http&view=graph-rest-beta&preserve-view=true).
-
-If you did not record the ID above, you can find the service principal by running the following MS Graph call. You'll need Directory.Read.All permissions to make that call:
-
-`GET https://graph.microsoft.com/beta/servicePrincipals`
-
-Then look for your app name in the output.
-
-Run the following two commands to create two jobs: one for user/group provisioning, and one for password hash syncing. It's the same request twice but with different template IDs.
-
-Call the following two requests:
-
-```
-POST https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs
-Content-type: application/json
-{
-"templateId":"AD2AADProvisioning"
-}
-```
-
-```
-POST https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs
-Content-type: application/json
-{
-"templateId":"AD2AADPasswordHash"
-}
-```
-
-You will need two calls if you want to create both.
-
-Example return value (for provisioning):
-
-```
-HTTP 201/Created
-{
- "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals('614ac0e9-a59b-481f-bd8f-79a73d167e1c')/synchronization/jobs/$entity",
- "id": "AD2AADProvisioning.fc96887f36da47508c935c28a0c0b6da",
- "templateId": "ADDCInPassthrough",
- "schedule": {
- "expiration": null,
- "interval": "PT40M",
- "state": "Disabled"
- },
- "status": {
- "countSuccessiveCompleteFailures": 0,
- "escrowsPruned": false,
- "code": "Paused",
- "lastExecution": null,
- "lastSuccessfulExecution": null,
- "lastSuccessfulExecutionWithExports": null,
- "quarantine": null,
- "steadyStateFirstAchievedTime": "0001-01-01T00:00:00Z",
- "steadyStateLastAchievedTime": "0001-01-01T00:00:00Z",
- "troubleshootingUrl": null,
- "progress": [],
- "synchronizedEntryCountByType": []
- }
-}
-```
-
-## Update targeted domain
-
-For this tenant, the object identifier and application identifier of the service principal are as follows:
-
-ObjectId: 8895955e-2e6c-4d79-8943-4d72ca36878f
-AppId: 00000014-0000-0000-c000-000000000000
-DisplayName: testApp
-
-We're going to need to update the domain this configuration is targeting, so update the secrets for this domain.
-
-Make sure the domain name you use is the same URL you set for your on-premises domain controller.
-
-```
-PUT ΓÇô https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/secrets
-```
-
-Add the following key/value pair in the below value array based on what you're trying to do:
--- Enable both PHS and sync tenant flags
- { key: "AppKey", value: "{"appKeyScenario":"AD2AADPasswordHash"}" }
--- Enable only sync tenant flag (do not turn on PHS)
- { key: "AppKey", value: "{"appKeyScenario":"AD2AADProvisioning"}" }
-
-```
-Request body ΓÇô
-{
- "value": [
- {
- "key": "Domain",
- "value": "{\"domain\":\"ad2aadTest.com\"}"
- }
- ]
-}
-```
-
-The expected response is …
-HTTP 204/No content
-
-Here, the highlighted "Domain" value is the name of the on-premises Active Directory domain from which entries are to be provisioned to Azure Active Directory.
-
-## Enable Sync password hashes on configuration blade
-
- This section will cover enabling syncing password hashes for a particular configuration. This is different than the AppKey secret that enables the tenant-level feature flag - this is only for a single domain/config. You will need to set the application key to the PHS one for this to work end to end.
-
-1. Grab the schema (warning, it's pretty large):
-
- ```
- GET ΓÇôhttps://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs/ [AD2AADProvisioningJobId]/schema
- ```
-
-2. Take this CredentialData attribute mapping:
-
- ```
- {
- "defaultValue": null,
- "exportMissingReferences": false,
- "flowBehavior": "FlowWhenChanged",
- "flowType": "Always",
- "matchingPriority": 0,
- "targetAttributeName": "CredentialData",
- "source": {
- "expression": "[PasswordHash]",
- "name": "PasswordHash",
- "type": "Attribute",
- "parameters": []
- }
- ```
-
-3. Find the following object mappings with the following names in the schema
- - Provision Active Directory Users
- - Provision Active Directory inetOrgPersons
-
- Object mappings are within the schema.synchronizationRules[0].objectMappings (For now you can assume there's only 1 Synchronization Rule)
-
-4. Take the CredentialData Mapping from Step (2) and insert it into the object mappings in Step (3)
-
- Your object mapping looks something like this:
-
- ```
- {
- "enabled": true,
- "flowTypes": "Add,Update,Delete",
- "name": "Provision Active Directory users",
- "sourceObjectName": "user",
- "targetObjectName": "User",
- "attributeMappings": [
- ...
- }
- ```
-
- Copy/paste the mapping from the **Create AD2AADProvisioning and AD2AADPasswordHash jobs** step above into the attributeMappings array.
-
- Order of elements in this array doesn't matter (backend will sort for you). Be careful about adding this attribute mapping if the name exists already in the array (e.g. if there's already an item in attributeMappings that has the targetAttributeName CredentialData) - you may get conflict errors, or the preexisting and new mappings may be combined together (usually not desired outcome). Backend does not dedupe for you.
-
- Remember to do this for both Users and inetOrgpersons.
-
-5. Save the schema you've created:
-
- ```
- PUT ΓÇô
- https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs/ [AD2AADProvisioningJobId]/schema
- ```
-
-Add the Schema in the request body.
-
-## Accidental deletes
-
-This section will cover how to programmatically enable/disable and use [accidental deletes](how-to-accidental-deletes.md) programmatically.
-
-### Enabling and setting the threshold
-
-There are two per job settings that you can use, they are:
--- DeleteThresholdEnabled - Enables accidental delete prevention for the job when set to 'true'. Set to 'true' by default.-- DeleteThresholdValue - Defines the maximum number of deletes that will be allowed in each execution of the job when accidental deletes prevention is enabled. The value is set to 500 by default. So, if the value is set to 500, the maximum number of deletes allowed will be 499 in each execution.-
-The delete threshold settings are a part of the `SyncNotificationSettings` and can be modified via graph.
-
-We're going to need to update the SyncNotificationSettings this configuration is targeting, so update the secrets.
-
-```
-PUT ΓÇô https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/secrets
-```
-
-Add the following Key/value pair in the below value array based on what you're trying to do:
-
-```
-Request body -
-{
- "value":[
- {
- "key":"SyncNotificationSettings",
- "value": "{\"Enabled\":true,\"Recipients\":\"foobar@xyz.com\",\"DeleteThresholdEnabled\":true,\"DeleteThresholdValue\":50}"
- }
- ]
-}
-```
-
-The "Enabled" setting in the example above is for enabling/disabling notification emails when the job is quarantined.
-
-Currently, we do not support PATCH requests for secrets, so you will need to add all the values in the body of the PUT request(like in the example above) in order to preserve the other values.
-
-The existing values for all the secrets can be retrieved by using:
-
-```
-GET https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/secrets
-```
-
-### Allowing deletes
-
-To allow the deletes to flow through after the job goes into quarantine, you need to issue a restart with just "ForceDeletes" as the scope.
-
-```
-Request:
-POST https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/jobs/{jobId}/restart
-```
-
-```
-Request Body:
-{
- "criteria": {"resetScope": "ForceDeletes"}
-}
-```
-
-## Start sync job
-
-The job can be retrieved again via the following command:
-
- `GET https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs/`
-
-Documentation for retrieving jobs can be found [here](/graph/api/synchronization-synchronizationjob-list?tabs=http&view=graph-rest-beta&preserve-view=true).
-
-To start the job, issue this request, using the objectId of the service principal created in the first step, and the job identifier returned from the request that created the job.
-
-Documentation for how to start a job can be found [here](/graph/api/synchronization-synchronizationjob-start?tabs=http&view=graph-rest-beta&preserve-view=true).
-
-```
-POST https://graph.microsoft.com/beta/servicePrincipals/8895955e-2e6c-4d79-8943-4d72ca36878f/synchronization/jobs/AD2AADProvisioning.fc96887f36da47508c935c28a0c0b6da/start
-```
-
-The expected response is …
-HTTP 204/No content.
-
-Other commands for controlling the job are documented [here](/graph/api/resources/synchronization-synchronizationjob?view=graph-rest-beta&preserve-view=true).
-
-To restart a job, use:
-
-```
-POST https://graph.microsoft.com/beta/servicePrincipals/8895955e-2e6c-4d79-8943-4d72ca36878f/synchronization/jobs/AD2AADProvisioning.fc96887f36da47508c935c28a0c0b6da/restart
-{
- "criteria": {
- "resetScope": "Full"
- }
-}
-```
-
-## Review status
-
-Retrieve your job statuses via:
-
-```
-GET https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs/
-```
-
-Look under the 'status' section of the return object for relevant details
-
-## Next steps
--- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)-- [Transformations](how-to-transformation.md)-- [Azure AD Synchronization API](/graph/api/resources/synchronization-overview?view=graph-rest-beta&preserve-view=true)
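Review bot: the `resetScope: ForceDeletes` restart under "Allowing deletes" is shown without a sentence on its effect; since the section applies after the job has entered quarantine, the text should state that this restart commits the deletes that quarantine was holding back and that an operator should review the affected objects in the job status before issuing it. Smaller points in the same region: the `Request:` and `Request Body:` labels sit inside the code fences rather than above them; the placeholder style switches between `{id}`/`[SERVICE_PRINCIPAL_ID]` and the literal ids in the start/restart examples (`8895955e-...`, `AD2AADProvisioning.fc96887f...`), so one convention would read cleaner; and "The expected response is …" and "HTTP 204/No content." are split across two lines and should be one sentence.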
active-directory How To Install Pshell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/how-to-install-pshell.md
- Title: 'Install the Azure AD Connect cloud provisioning agent using a command-line interface (CLI) and PowerShell'
-description: Learn how to install the Azure AD Connect cloud provisioning agent by using PowerShell cmdlets.
------ Previously updated : 01/11/2023------
-# Install the Azure AD Connect provisioning agent by using a CLI and PowerShell
-This article shows you how to install the Azure Active Directory (Azure AD) Connect provisioning agent by using PowerShell cmdlets.
-
->[!NOTE]
->This article deals with installing the provisioning agent by using the command-line interface (CLI). For information on how to install the Azure AD Connect provisioning agent by using the wizard, see [Install the Azure AD Connect provisioning agent](how-to-install.md).
-
-## Prerequisite
-
-The Windows server must have TLS 1.2 enabled before you install the Azure AD Connect provisioning agent by using PowerShell cmdlets. To enable TLS 1.2, follow the steps in [Prerequisites for Azure AD Connect cloud sync](how-to-prerequisites.md#tls-requirements).
-
->[!IMPORTANT]
->The following installation instructions assume that all the [prerequisites](how-to-prerequisites.md) were met.
-
-## Install the Azure AD Connect provisioning agent by using PowerShell cmdlets
-
- 1. Sign in to the server you'll use with enterprise admin permissions.
- 2. Sign in to the Azure portal, and then go to **Azure Active Directory**.
- 3. On the menu on the left, select **Azure AD Connect**.
- 4. Select **Manage cloud sync**.
- [![Screenshot that shows manage cloud sync](media/how-to-install/new-install-1.png)](media/how-to-install/new-install-1.png#lightbox)</br>
- 5. At the top, click **Download agent**.
- [![Screenshot that the download agent](media/how-to-install/new-install-2.png)](media/how-to-install/new-install-2.png#lightbox)</br>
- 6. On the right, click **Accept terms and download**.
- 7. For the purposes of these instructions, the agent was downloaded to the C:\temp folder.
- 8. Install ProvisioningAgent in quiet mode.
- ```
- $installerProcess = Start-Process 'c:\temp\AADConnectProvisioningAgentSetup.exe' /quiet -NoNewWindow -PassThru
- $installerProcess.WaitForExit()
-
- ```
- 9. Import the Provisioning Agent PS module.
- ```
- Import-Module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.PowerShell.dll"
- ```
- 10. Connect to Azure AD by using an account with the hybrid identity role. You can customize this section to fetch a password from a secure store.
- ```
- $hybridAdminPassword = ConvertTo-SecureString -String "Hybrid identity admin password" -AsPlainText -Force
-
- $hybridAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("HybridIDAdmin@contoso.onmicrosoft.com", $hybridAdminPassword)
-
- Connect-AADCloudSyncAzureAD -Credential $hybridAdminCreds
- ```
- 11. Add the gMSA account, and provide credentials of the domain admin to create the default gMSA account.
- ```
- $domainAdminPassword = ConvertTo-SecureString -String "Domain admin password" -AsPlainText -Force
-
- $domainAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("DomainName\DomainAdminAccountName", $domainAdminPassword)
-
- Add-AADCloudSyncGMSA -Credential $domainAdminCreds
- ```
- 12. Or use the preceding cmdlet to provide a pre-created gMSA account.
- ```
- Add-AADCloudSyncGMSA -CustomGMSAName preCreatedGMSAName$
- ```
- 13. Add the domain.
- ```
- $contosoDomainAdminPassword = ConvertTo-SecureString -String "Domain admin password" -AsPlainText -Force
-
- $contosoDomainAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("DomainName\DomainAdminAccountName", $contosoDomainAdminPassword)
-
- Add-AADCloudSyncADDomain -DomainName contoso.com -Credential $contosoDomainAdminCreds
- ```
- 14. Or use the preceding cmdlet to configure preferred domain controllers.
- ```
- $preferredDCs = @("PreferredDC1", "PreferredDC2", "PreferredDC3")
-
- Add-AADCloudSyncADDomain -DomainName contoso.com -Credential $contosoDomainAdminCreds -PreferredDomainControllers $preferredDCs
- ```
- 15. Repeat the previous step to add more domains. Provide the account names and domain names of the respective domains.
- 16. Restart the service.
- ```
- Restart-Service -Name AADConnectProvisioningAgent
- ```
- 17. Go to the Azure portal to create the cloud sync configuration.
-
-## Provisioning agent gMSA PowerShell cmdlets
-Now that you've installed the agent, you can apply more granular permissions to the gMSA. For information and step-by-step instructions on how to configure the permissions, see [Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets](how-to-gmsa-cmdlets.md).
-
-## Installing against US govt cloud
-By default, the Azure Active Directory (Azure AD) Connect provisioning agent installs against the default Azure cloud environment. If you are installing the agent for use in the US government cloud do the following:
--- In step #8 above, add **ENVIRONMENTNAME=AzureUSGovernment** to the command line like the example below.
- ```
- $installerProcess = Start-Process -FilePath "c:\temp\AADConnectProvisioningAgent.Installer.exe" -ArgumentList "/quiet ENVIRONMENTNAME=AzureUSGovernment" -NoNewWindow -PassThru
- $installerProcess.WaitForExit()
- ```
-
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets](how-to-gmsa-cmdlets.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
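Review bot: step 8 and the US government example disagree on the installer file name (`AADConnectProvisioningAgentSetup.exe` in step 8, `AADConnectProvisioningAgent.Installer.exe` in the `ENVIRONMENTNAME=AzureUSGovernment` example) and on how `/quiet` is passed (positionally in step 8, via `-ArgumentList` below); because the government section tells readers to modify step 8, both should use the same file name and the explicit `-FilePath`/`-ArgumentList` form. Steps 10, 11 and 13 also build `PSCredential` objects from password string literals with `ConvertTo-SecureString -AsPlainText -Force`; the "fetch a password from a secure store" remark is attached only to step 10 and should cover the domain admin credentials in steps 11 and 13 as well, or the examples could prompt with `Get-Credential` (as the password writeback example in the companion install article does) so that no admin password is written into a script or shell history.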
active-directory How To Install https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/how-to-install.md
- Title: 'Install the Azure AD Connect provisioning agent'
-description: Learn how to install the Azure AD Connect provisioning agent and how to configure it in the Azure portal.
------ Previously updated : 01/20/2023-----
-# Install the Azure AD Connect provisioning agent
-
-This article walks you through the installation process for the Azure Active Directory (Azure AD) Connect provisioning agent and how to initially configure it in the Azure portal.
-
-> [!IMPORTANT]
-> The following installation instructions assume that you've met all the [prerequisites](how-to-prerequisites.md).
-
->[!NOTE]
->This article deals with installing the provisioning agent by using the wizard. For information about installing the Azure AD Connect provisioning agent by using a CLI, see [Install the Azure AD Connect provisioning agent by using a CLI and PowerShell](how-to-install-pshell.md).
-
-For more information and an example, view the following video:
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWK5mR]
-
-## Group Managed Service Accounts
-A group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators. A gMSA also extends this functionality over multiple servers. Azure AD Connect cloud sync supports and recommends the use of a gMSA for running the agent. For more information, see [Group Managed Service Accounts](how-to-prerequisites.md#group-managed-service-accounts).
--
-### Update an existing agent to use the gMSA
-To update an existing agent to use the Group Managed Service Account created during installation, upgrade the agent service to the latest version by running *AADConnectProvisioningAgent.msi*. Now run through the installation wizard again and provide the credentials to create the account when you're prompted to do so.
-
-## Install the agent
--
-## Verify the agent installation
--
->[!IMPORTANT]
-> After you've installed the agent, you must configure and enable it before it will start synchronizing users. To configure a new agent, see [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md).
-
-## Enable password writeback in Azure AD Connect cloud sync
-
-To use *password writeback* and enable the self-service password reset (SSPR) service to detect the cloud sync agent, use the `Set-AADCloudSyncPasswordWritebackConfiguration` cmdlet and the tenantΓÇÖs global administrator credentials:
-
- ```
- Import-Module "C:\\Program Files\\Microsoft Azure AD Connect Provisioning Agent\\Microsoft.CloudSync.Powershell.dll"
- Set-AADCloudSyncPasswordWritebackConfiguration -Enable $true -Credential $(Get-Credential)
- ```
-
-For more information about using password writeback with Azure AD Connect cloud sync, see [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment (preview)](../../active-directory/authentication/tutorial-enable-cloud-sync-sspr-writeback.md).
-
-## Install an agent in the US government cloud
-
-By default, the Azure AD Connect provisioning agent is installed in the default Azure environment. If you're installing the agent for US government use, make this change in step 7 of the preceding installation procedure:
--- Instead of selecting **Open file**, select **Start** > **Run**, and then go to the *AADConnectProvisioningAgentSetup.exe* file. In the **Run** box, after the executable, enter **ENVIRONMENTNAME=AzureUSGovernment**, and then select **OK**.-
- [![Screenshot that shows how to install an agent in the US government cloud.](media/how-to-install/new-install-12.png)](media/how-to-install/new-install-12.png#lightbox)
-
-## Password hash synchronization and FIPS with cloud sync
-
-If your server has been locked down according to the Federal Information Processing Standard (FIPS), MD5 (message-digest algorithm 5) is disabled.
-
-To enable MD5 for password hash synchronization, do the following:
-
-1. Go to %programfiles%\Microsoft Azure AD Connect Provisioning Agent.
-1. Open *AADConnectProvisioningAgent.exe.config*.
-1. Go to the configuration/runtime node at the top of the file.
-1. Add the `<enforceFIPSPolicy enabled="false"/>` node.
-1. Save your changes.
-
-For reference, your code should look like the following snippet:
-
-```xml
-<configuration>
- <runtime>
- <enforceFIPSPolicy enabled="false"/>
- </runtime>
-</configuration>
-```
-
-For information about security and FIPS, see [Azure AD password hash sync, encryption, and FIPS compliance](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/aad-password-sync-encryption-and-fips-compliance/ba-p/243709).
-
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)-- [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md).-
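Review bot: the "Install the agent" and "Verify the agent installation" headings carry no content in this hunk, yet the US government section refers to "step 7 of the preceding installation procedure"; if those sections come from an include, the cross-reference should name the step (the "Open file" selection it replaces) rather than rely on a number readers cannot see here. Smaller points: `tenantΓÇÖs` in the password writeback paragraph is a mis-encoded apostrophe and should read `tenant's`; the `Import-Module` path uses doubled backslashes (`C:\\Program Files\\...`) where the same path elsewhere uses single ones; and the FIPS section should say explicitly that `<enforceFIPSPolicy enabled="false"/>` is an application-level setting in the agent's own `AADConnectProvisioningAgent.exe.config`, so that a reader does not take it for a server-wide relaxation of the FIPS lockdown.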
active-directory How To Manage Registry Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/how-to-manage-registry-options.md
- Title: 'Azure AD Connect cloud provisioning agent: Manage registry options'
-description: This article describes how to manage registry options in the Azure AD Connect cloud provisioning agent.
------ Previously updated : 04/03/2023------
-# Manage agent registry options
-
-This section describes registry options that you can set to control the runtime processing behavior of the Azure AD Connect provisioning agent.
-
-## Configure LDAP connection timeout
-When performing LDAP operations on configured Active Directory domain controllers, by default, the provisioning agent uses the default connection timeout value of 30 seconds. If your domain controller takes more time to respond, then you may see the following error message in the agent log file:
-
-`
-System.DirectoryServices.Protocols.LdapException: The operation was aborted because the client side timeout limit was exceeded.
-`
-
-LDAP search operations can take longer if the search attribute is not indexed. As a first step, if you get the above error, first check if the search/lookup attribute is [indexed](/windows/win32/ad/indexed-attributes). If the search attributes are indexed and the error persists, you can increase the LDAP connection timeout using the following steps:
-
-1. Log on as Administrator on the Windows server running the Azure AD Connect Provisioning Agent.
-1. Use the *Run* menu item to open the registry editor (regedit.exe)
-1. Locate the key folder **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent**
-1. Right-click and select "New -> String Value"
-1. Provide the name:
- `LdapConnectionTimeoutInMilliseconds`
-1. Double-click on the **Value Name** and enter the value data as `60000` milliseconds.
- > [!div class="mx-imgBorder"]
- > ![LDAP Connection Timeout](media/how-to-manage-registry-options/ldap-connection-timeout.png)
-1. Restart the Azure AD Connect Provisioning Service from the *Services* console.
-1. If you have deployed multiple provisioning agents, apply this registry change to all agents for consistency.
-
-## Configure referral chasing
-By default, the Azure AD Connect provisioning agent does not chase [referrals](/windows/win32/ad/referrals).
-You may want to enable referral chasing, to support certain HR inbound provisioning scenarios such as:
-* Checking uniqueness of UPN across multiple domains
-* Resolving cross-domain manager references
-
-Use the following steps to turn on referral chasing:
-
-1. Log on as Administrator on the Windows server running the Azure AD Connect Provisioning Agent.
-1. Use the *Run* menu item to open the registry editor (regedit.exe)
-1. Locate the key folder **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent**
-1. Right-click and select "New -> String Value"
-1. Provide the name:
- `ReferralChasingOptions`
-1. Double-click on the **Value Name** and enter the value data as `96`. This value corresponds to the constant value for `ReferralChasingOptions.All` and specifies that both subtree and base-level referrals will be followed by the agent.
- > [!div class="mx-imgBorder"]
- > ![Referral Chasing](media/how-to-manage-registry-options/referral-chasing.png)
-1. Restart the Azure AD Connect Provisioning Service from the *Services* console.
-1. If you have deployed multiple provisioning agents, apply this registry change to all agents for consistency.
---
-> [!NOTE]
-> You can confirm the registry options have been set by enabling [verbose logging](how-to-troubleshoot.md#log-files). The logs emitted during agent startup will display the config values picked from the registry.
-
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)-
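Review bot: steps 1 through 4, 7 and 8 are repeated verbatim between "Configure LDAP connection timeout" and "Configure referral chasing"; a single "add a string value under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent`" procedure, parameterised by value name and data, would halve the section and keep the two copies from drifting. Both procedures should also say why the restart step is required: the closing note states the values are read at agent startup, so a registry change without restarting the service has no effect, and an admin who skips it will conclude the setting is broken. Finally, `ReferralChasingOptions` is documented only with `96` (`ReferralChasingOptions.All`, following both subtree and base-level referrals); listing the narrower options for subtree-only or base-level-only chasing would let an admin enable just the referral type the stated HR scenarios need.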
active-directory How To Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/how-to-prerequisites.md
- Title: 'Prerequisites for Azure AD Connect cloud sync in Azure AD'
-description: This article describes the prerequisites and hardware requirements you need for cloud sync.
------ Previously updated : 01/11/2023-----
-# Prerequisites for Azure AD Connect cloud sync
-This article provides guidance on how to choose and use Azure Active Directory (Azure AD) Connect cloud sync as your identity solution.
-
-## Cloud provisioning agent requirements
-You need the following to use Azure AD Connect cloud sync:
--- Domain Administrator or Enterprise Administrator credentials to create the Azure AD Connect Cloud Sync gMSA (group Managed Service Account) to run the agent service. -- A hybrid identity administrator account for your Azure AD tenant that is not a guest user.-- An on-premises server for the provisioning agent with Windows 2016 or later. This server should be a tier 0 server based on the [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material). Installing the agent on a domain controller is supported.-- High availability refers to the Azure AD Connect cloud sync's ability to operate continuously without failure for a long time. By having multiple active agents installed and running, Azure AD Connect cloud sync can continue to function even if one agent should fail. Microsoft recommends having 3 active agents installed for high availability.-- On-premises firewall configurations.-
-## Group Managed Service Accounts
-A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, the ability to delegate the management to other administrators, and also extends this functionality over multiple servers. Azure AD Connect Cloud Sync supports and uses a gMSA for running the agent. You will be prompted for administrative credentials during setup, in order to create this account. The account will appear as (domain\provAgentgMSA$). For more information on a gMSA, see [group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview)
-
-### Prerequisites for gMSA:
-1. The Active Directory schema in the gMSA domain's forest needs to be updated to Windows Server 2012 or later.
-2. [PowerShell RSAT modules](/windows-server/remote/remote-server-administration-tools) on a domain controller
-3. At least one domain controller in the domain must be running Windows Server 2012 or later.
-4. A domain joined server where the agent is being installed needs to be either Windows Server 2016 or later.
-
-### Custom gMSA account
-If you are creating a custom gMSA account, you need to ensure that the account has the following permissions.
-
-|Type |Name |Access |Applies To|
-|--|--|--|--|
-|Allow |gMSA Account |Read all properties |Descendant device objects|
-|Allow |gMSA Account|Read all properties |Descendant InetOrgPerson objects|
-|Allow |gMSA Account |Read all properties |Descendant Computer objects|
-|Allow |gMSA Account |Read all properties |Descendant foreignSecurityPrincipal objects|
-|Allow |gMSA Account |Full control |Descendant Group objects|
-|Allow |gMSA Account |Read all properties |Descendant User objects|
-|Allow |gMSA Account |Read all properties |Descendant Contact objects|
-|Allow |gMSA Account |Create/delete User objects|This object and all descendant objects|
-
-For steps on how to upgrade an existing agent to use a gMSA account see [group Managed Service Accounts](how-to-install.md#group-managed-service-accounts).
-
-For more information on how to prepare your Active Directory for group Managed Service Account, see [group Managed Service Accounts Overview](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).
-
-### In the Azure portal
-
-1. Create a cloud-only hybrid identity administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant if your on-premises services fail or become unavailable. Learn about how to [add a cloud-only hybrid identity administrator account](../fundamentals/add-users-azure-active-directory.md). Finishing this step is critical to ensure that you don't get locked out of your tenant.
-1. Add one or more [custom domain names](../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.
-
-### In your directory in Active Directory
-
-Run the [IdFix tool](/office365/enterprise/prepare-directory-attributes-for-synch-with-idfix) to prepare the directory attributes for synchronization.
-
-### In your on-premises environment
-
-1. Identify a domain-joined host server running Windows Server 2016 or greater with a minimum of 4-GB RAM and .NET 4.7.1+ runtime.
-
-2. The PowerShell execution policy on the local server must be set to Undefined or RemoteSigned.
-
-3. If there's a firewall between your servers and Azure AD, see [Firewall and proxy requirements](#firewall-and-proxy-requirements) below.
-
->[!NOTE]
-> Installing the cloud provisioning agent on Windows Server Core is not supported.
-
-### Additional requirements
--- [Microsoft .NET Framework 4.7.1](https://dotnet.microsoft.com/download/dotnet-framework/net471) -
-#### TLS requirements
-
-> [!NOTE]
-> Transport Layer Security (TLS) is a protocol that provides for secure communications. Changing the TLS settings affects the entire forest. For more information, see [Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows](https://support.microsoft.com/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi).
-
-The Windows server that hosts the Azure AD Connect cloud provisioning agent must have TLS 1.2 enabled before you install it.
-
-To enable TLS 1.2, follow these steps.
-
-1. Set the following registry keys:
-
- ```
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SchUseStrongCrypto"=dword:00000001
- ```
-
-1. Restart the server.
-
-## Firewall and Proxy requirements
-If there's a firewall between your servers and Azure AD, configure the following items:
--- Ensure that agents can make *outbound* requests to Azure AD over the following ports:-
- | Port number | How it's used |
- | | |
- | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate. |
- | **443** | Handles all outbound communication with the service. |
- | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure portal. |
-
-- If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.-- If your firewall or proxy allows you to specify safe suffixes, add connections: -
-#### [Public Cloud](#tab/public-cloud)
--
- |URL |How it's used|
- |--|--|
- |&#42;.msappproxy.net</br>&#42;.servicebus.windows.net|The agent uses these URLs to communicate with the Azure AD cloud service. |
- |&#42;.microsoftonline.com</br>&#42;.microsoft.com</br>&#42;.msappproxy.com</br>&#42;.windowsazure.com|The agent uses these URLs to communicate with the Azure AD cloud service. |
- |`mscrl.microsoft.com:80` </br>`crl.microsoft.com:80` </br>`ocsp.msocsp.com:80` </br>`www.microsoft.com:80`| The agent uses these URLs to verify certificates.|
- |login.windows.net</br>|The agent uses these URLs during the registration process.
---
-#### [U.S. Government Cloud](#tab/us-government-cloud)
-
- |URL |How it's used|
- |--|--|
- |&#42;.msappproxy.us</br>&#42;.servicebus.usgovcloudapi.net|The agent uses these URLs to communicate with the Azure AD cloud service. |
- |`mscrl.microsoft.us:80` </br>`crl.microsoft.us:80` </br>`ocsp.msocsp.us:80` </br>`www.microsoft.us:80`| The agent uses these URLs to verify certificates.|
- |login.windows.us </br>secure.aadcdn.microsoftonline-p.com </br>&#42;.microsoftonline.us </br>&#42;.microsoftonline-p.us </br>&#42;.msauth.net </br>&#42;.msauthimages.net </br>&#42;.msecnd.net</br>&#42;.msftauth.net </br>&#42;.msftauthimages.net</br>&#42;.phonefactor.net </br>enterpriseregistration.windows.net</br>management.azure.com </br>policykeyservice.dc.ad.msft.net</br>ctldl.windowsupdate.us:80 </br>aadcdn.msftauthimages.us </br>*.microsoft.us </br>msauthimages.us </br>mfstauthimages.us| The agent uses these URLs during the registration process.
------ If you are unable to add connections, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.--
-## NTLM requirement
-
-You should not enable NTLM on the Windows Server that is running the Azure AD Connect Provisioning Agent and if it is enabled you should make sure you disable it.
-
-## Known limitations
-
-The following are known limitations:
-
-### Delta Synchronization
--- Group scope filtering for delta sync does not support more than 50,000 members.-- When you delete a group that's used as part of a group scoping filter, users who are members of the group, don't get deleted. -- When you rename the OU or group that's in scope, delta sync will not remove the users.-
-### Provisioning Logs
-- Provisioning logs do not clearly differentiate between create and update operations. You may see a create operation for an update and an update operation for a create.-
-### Group re-naming or OU re-naming
-- If you rename a group or OU in AD that's in scope for a given configuration, the cloud sync job will not be able to recognize the name change in AD. The job won't go into quarantine and will remain healthy.-
-### Scoping filter
-When using OU scoping filter
-- You can only sync up to 59 separate OUs or Security Groups for a given configuration. -- Nested OUs are supported (that is, you **can** sync an OU that has 130 nested OUs, but you **cannot** sync 60 separate OUs in the same configuration). -
-### Password Hash Sync
-- Using password hash sync with InetOrgPerson is not supported.--
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
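Review bot: the TLS 1.2 registry block is not valid `.reg` syntax as written: each `"DisabledByDefault"`, `"Enabled"` and `"SchUseStrongCrypto"` value is placed on the same line as its `[HKEY_LOCAL_MACHINE\...]` key, whereas a .reg file needs the key on its own line and one `"name"=dword:...` value per line beneath it, so the snippet needs reformatting before an admin can save and import it with regedit. Three other points: `mfstauthimages.us` in the U.S. Government Cloud registration list looks like a transposition of `msftauthimages` (compare `&#42;.msftauthimages.net` in the same cell) and should be confirmed before anyone copies it into a firewall allow list; the custom gMSA table grants Full control on descendant Group objects while every other object type gets Read all properties, with no sentence on what the agent writes to groups, which a reader applying least privilege will want before granting it; and the NTLM requirement is a run-on that could read "Do not enable NTLM on the Windows Server running the provisioning agent; if it is enabled, disable it."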
active-directory How To Sso https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/how-to-sso.md
- Title: 'How to use single sign-on with cloud sync'
-description: This article describes how to install and use single sign-on with cloud sync.
------ Previously updated : 01/18/2023-----
-# Using single sign-on with cloud sync
-The following document describes how to use single sign-on with cloud sync.
------
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
active-directory How To Transformation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/how-to-transformation.md
- Title: Azure AD Connect cloud sync transformations
-description: This article describes how to use transformations to alter the default attribute mappings.
--- Previously updated : 01/11/2023---
-# Transformations
-
-With a transformation, you can change the default behavior of how an attribute is synchronized with Azure Active Directory (Azure AD) by using cloud sync.
-
-To do this task, you need to edit the schema and then resubmit it via a web request.
-
-For more information on cloud sync attributes, see [Understanding the Azure AD schema](concept-attributes.md).
--
-## Retrieve the schema
-To retrieve the schema, follow the steps in [View the schema](concept-attributes.md#view-the-schema).
-
-## Custom attribute mapping
-To add a custom attribute mapping, follow these steps.
-
-1. Copy the schema into a text or code editor such as [Visual Studio Code](https://code.visualstudio.com/).
-1. Locate the object that you want to update in the schema.
-
- ![Object in the schema](media/how-to-transformation/transform-1.png)</br>
-1. Locate the code for `ExtensionAttribute3` under the user object.
-
- ```
- {
- "defaultValue": null,
- "exportMissingReferences": false,
- "flowBehavior": "FlowWhenChanged",
- "flowType": "Always",
- "matchingPriority": 0,
- "targetAttributeName": "ExtensionAttribute3",
- "source": {
- "expression": "Trim([extensionAttribute3])",
- "name": "Trim",
- "type": "Function",
- "parameters": [
- {
- "key": "source",
- "value": {
- "expression": "[extensionAttribute3]",
- "name": "extensionAttribute3",
- "type": "Attribute",
- "parameters": []
- }
- }
- ]
- }
- },
- ```
-1. Edit the code so that the company attribute is mapped to `ExtensionAttribute3`.
-
- ```
- {
- "defaultValue": null,
- "exportMissingReferences": false,
- "flowBehavior": "FlowWhenChanged",
- "flowType": "Always",
- "matchingPriority": 0,
- "targetAttributeName": "ExtensionAttribute3",
- "source": {
- "expression": "Trim([company])",
- "name": "Trim",
- "type": "Function",
- "parameters": [
- {
- "key": "source",
- "value": {
- "expression": "[company]",
- "name": "company",
- "type": "Attribute",
- "parameters": []
- }
- }
- ]
- }
- },
- ```
- 1. Copy the schema back into Graph Explorer, change the **Request Type** to **PUT**, and select **Run Query**.
-
- ![Run Query](media/how-to-transformation/transform-2.png)
-
- 1. Now, in the Azure portal, go to the cloud sync configuration and select **Restart provisioning**.
-
- ![Restart provisioning](media/how-to-transformation/transform-3.png)
-
- 1. After a little while, verify the attributes are being populated by running the following query in Graph Explorer: `https://graph.microsoft.com/beta/users/{Azure AD user UPN}`.
- 1. You should now see the value.
-
- ![The value appears](media/how-to-transformation/transform-4.png)
-
-## Custom attribute mapping with function
-For more advanced mapping, you can use functions that allow you to manipulate the data and create values for attributes to suit your organization's needs.
-
-To do this task, follow the previous steps and then edit the function that's used to construct the final value.
-
-For information on the syntax and examples of expressions, see [Writing expressions for attribute mappings in Azure Active Directory](reference-expressions.md).
--
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
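Review bot: the steps after the second JSON block (from "Copy the schema back into Graph Explorer" onward) are indented one space deeper than steps 1 through 5, which breaks the numbered list in rendered markdown and restarts it at 1; outdent them to match. The PUT step should also state whether the request replaces the entire schema, so that readers know to send back the whole document retrieved under "Retrieve the schema" rather than only the edited `ExtensionAttribute3` object, and since "Restart provisioning" is the point at which the change takes effect, suggesting a diff of the edited schema against the retrieved copy before the PUT would be a cheap safeguard against a truncated paste silently dropping other mappings.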
active-directory Migrate Azure Ad Connect To Cloud Sync https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/migrate-azure-ad-connect-to-cloud-sync.md
- Title: 'Migrate Azure AD Connect to Azure AD Connect cloud sync| Microsoft Docs'
-description: Describes steps to migrate Azure AD Connect to Azure AD Connect cloud sync.
------ Previously updated : 01/17/2023------
-# Migrating from Azure AD Connect to Azure AD Connect cloud sync
-
-Azure AD Connect cloud sync is the future for accomplishing your hybrid identity goals for synchronization of users, groups, and contacts to Azure AD. It uses the Azure AD cloud provisioning agent instead of the Azure AD Connect application. If you're currently using Azure AD Connect and wish to move to cloud sync, the following document provides guidance.
-
-## Steps for migrating from Azure AD Connect to cloud sync
---
-|Step|Description|
-|--|--|
-|Choose the best sync tool|Before moving to cloud sync, you should verify that cloud sync is currently the best synchronization tool for you. You can do this task by going through the wizard [here](https://setup.microsoft.com/azure/add-or-sync-users-to-microsoft-365).|
-|Verify the pre-requisites for migrating|The following guidance is only for users who have installed Azure AD Connect using the Express settings and aren't synchronizing devices. Also you should verify the cloud sync [pre-requisites](how-to-prerequisites.md).|
-|Back up your Azure AD Connect configuration|Before making any changes, you should back up your Azure AD Connect configuration. This way, you can role-back. For more information, see [Import and export Azure AD Connect configuration settings](../hybrid/how-to-connect-import-export-config.md).|
-|Review the migration tutorial|To become familiar with the migration process, review the [Migrate to Azure AD Connect cloud sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md) tutorial. This tutorial guides you through the migration process in a sandbox environment.|
-|Create or identify an OU for the migration|Create a new OU or identify an existing OU that contains the users you'll test migration on.|
-|Move users into new OU (optional)|If you're using a new OU, move the users that are in scope for this pilot into that OU now. Before continuing, let Azure AD Connect pick up the changes so that it's synchronizing them in the new OU.|
-|Run PowerShell on OU|You can run the following PowerShell cmdlet to get the counts of the users that are in the pilot OU. </br>`Get-ADUser -Filter * -SearchBase "<DN path of OU>"`</br> Example: `Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM"`|
-|Stop the scheduler|Before creating new sync rules, you need to stop the Azure AD Connect scheduler. For more information, see [how to stop the scheduler](../hybrid/how-to-connect-sync-feature-scheduler.md#stop-the-scheduler).
-|Create the custom sync rules|In the Azure AD Connect Synchronization Rules editor, you need to create an inbound sync rule that filters out users in the OU you created or identified previously. The inbound sync rule is a join rule with a target attribute of cloudNoFlow. You'll also need an outbound sync rule with a link type of JoinNoFlow and the scoping filter that has the cloudNoFlow attribute set to True. For more information, see [Migrate to Azure AD Connect cloud sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md#create-custom-user-inbound-rule) tutorial for how to create these rules.|
-|Install the provisioning agent|If you haven't done so, install the provisioning agent. For more information, see [how to install the agent](how-to-install.md).|
-|Configure cloud sync|Once the agent is installed, you need to configure cloud sync. In the configuration, you need to create a scope to the OU that was created or identified previously. For more information, see [Configuring cloud sync](how-to-configure.md).|
-|Verify pilot users are synchronizing and being provisioned|Verify that the users are now being synchronized in the portal. You can use the PowerShell script below to get a count of the number of users that have the on-premises pilot OU in their distinguished name. This number should match the count of users in the previous step. If you create a new user in this OU, verify that it's being provisioned.|
-|Start the scheduler|Now that you've verified users are provisioning and synchronizing, you can go ahead and start the Azure AD Connect scheduler. For more information, see [how to start the scheduler](../hybrid/how-to-connect-sync-feature-scheduler.md#start-the-scheduler).
-|Schedule you remaining users|Now you should come up with a plan on migrating more users. You should use a phased approach so that you can verify that the migrations are successful.|
-|Verify all users are provisioned|As you migrate users, verify that they're provisioning and synchronizing correctly.|
-|Stop Azure AD Connect|Once you've verified that all of your users are migrated, you can turn off the Azure AD Connect synchronization service. Microsoft recommends that you leave the server is a disabled state for a period of time, so you can verify the migration was successful
-|Verify everything is good|After a period of time, verify that everything is good.|
-|Decommission the Azure AD Connect server|Once you've verified everything is good you can use the steps below to take the Azure AD Connect server offline.|
------
-## Verify Users script
-```PowerShell
-# Filename: VerifyAzureUsers.ps1
-# Description: Counts the number of users in Azure that have a specific on-premises distinguished name.
-#
-# DISCLAIMER:
-# Copyright (c) Microsoft Corporation. All rights reserved. This
-# script is made available to you without any express, implied or
-# statutory warranty, not even the implied warranty of
-# merchantability or fitness for a particular purpose, or the
-# warranty of title or non-infringement. The entire risk of the
-# use or the results from the use of this script remains with you.
-#
-#
-#
-#
--
-Connect-AzureAD -Confirm
-
-#Declare variables
-
-$Users = Get-AzureADUser -All:$true -Filter "DirSyncEnabled eq true"
-$OU = "OU=Sales,DC=contoso,DC=com"
-$counter = 0
-
-#Search users
-
-foreach ($user in $Users) {
- $test = $User.ExtensionProperty
- $DN = $test["onPremisesDistinguishedName"]
- if ($DN -match $OU)
- {
- $counter++
- }
-}
-
-Write-Host "Total Users found:" + $counter
-
-```
-## More information
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)-- [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md).-- [Migrate to Azure AD Connect cloud sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md)
-``
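Review bot: the VerifyAzureUsers.ps1 block in this hunk (the lines from `Connect-AzureAD -Confirm` through the final `Write-Host`) never reported the count correctly, because in `Write-Host "Total Users found:" + $counter` the `+` is read in PowerShell argument mode as a separate string argument, so the output is `Total Users found: + 0` rather than the concatenated text; if the page is being relocated rather than dropped, the destination copy should use `Write-Host "Total Users found: $counter"`. Two smaller points worth carrying over: `$DN -match $OU` treats the OU path as a regular expression and as a substring match, which also counts users in child OUs and breaks for OU names containing regex metacharacters such as `(` or `.` unless the value is wrapped in `[regex]::Escape`; and in the migration table the rows "Stop the scheduler", "Start the scheduler" and "Stop Azure AD Connect" lack their closing `|`, while "role-back", "Schedule you remaining users" and "leave the server is a disabled state" still need correcting.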
active-directory Plan Cloud Sync Topologies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/plan-cloud-sync-topologies.md
- Title: Azure AD Connect cloud sync supported topologies and scenarios
-description: Learn about various on-premises and Azure Active Directory (Azure AD) topologies that use Azure AD Connect cloud sync.
------ Previously updated : 01/17/2023------
-# Azure AD Connect cloud sync supported topologies and scenarios
-This article describes various on-premises and Azure Active Directory (Azure AD) topologies that use Azure AD Connect cloud sync. This article includes only supported configurations and scenarios.
-
-> [!IMPORTANT]
-> Microsoft doesn't support modifying or operating Azure AD Connect cloud sync outside of the configurations or actions that are formally documented. Any of these configurations or actions might result in an inconsistent or unsupported state of Azure AD Connect cloud sync. As a result, Microsoft can't provide technical support for such deployments.
-
-For more information, see the following video.
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWJ8l5]
-
-## Things to remember about all scenarios and topologies
-The information below should be kept in mind, when selecting a solution.
--- Users and groups must be uniquely identified across all forests-- Matching across forests doesn't occur with cloud sync-- The source anchor for objects is chosen automatically. It uses ms-DS-ConsistencyGuid if present, otherwise ObjectGUID is used.-- You can't change the attribute that is used for source anchor.-
-## Single forest, single Azure AD tenant
-![Diagram that shows the topology for a single forest and a single tenant.](media/tutorial-single-forest/diagram-2.png)
-
-The simplest topology is a single on-premises forest, with one or multiple domains, and a single Azure AD tenant. For an example of this scenario see [Tutorial: A single forest with a single Azure AD tenant](tutorial-single-forest.md)
--
-## Multi-forest, single Azure AD tenant
-![Topology for a multi-forest and a single tenant](media/plan-cloud-provisioning-topologies/multi-forest-2.png)
-
-Multiple AD forests is a common topology, with one or multiple domains, and a single Azure AD tenant.
-
-## Existing forest with Azure AD Connect, new forest with cloud Provisioning
-![Diagram that shows the topology for an existing forest and a new forest.](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
-
-This scenario is topology is similar to the multi-forest scenario, however this one involves an existing Azure AD Connect environment and then bringing on a new forest using Azure AD Connect cloud sync. For an example of this scenario see [Tutorial: An existing forest with a single Azure AD tenant](tutorial-existing-forest.md)
-
-## Piloting Azure AD Connect cloud sync in an existing hybrid AD forest
-![Topology for a single forest and a single tenant](media/tutorial-migrate-aadc-aadccp/diagram-2.png)
-The piloting scenario involves the existence of both Azure AD Connect and Azure AD Connect cloud sync in the same forest and scoping the users and groups accordingly. NOTE: An object should be in scope in only one of the tools.
-
-For an example of this scenario see [Tutorial: Pilot Azure AD Connect cloud sync in an existing synced AD forest](tutorial-pilot-aadc-aadccp.md)
-
-## Merging objects from disconnected sources
-### (Public Preview)
-![Diagram for merging objects from disconnected sources](media/plan-cloud-provisioning-topologies/attributes-multiple-sources.png)
-In this scenario, the attributes of a user are contributed to by two disconnected Active Directory forests.
-
-An example would be:
--
- Since the second forest doesn't have network connectivity to the Azure AD Connect server, the object can't be merged through Azure AD Connect. Cloud Sync in the second forest allows the attribute value to be retrieved from the second forest. The value can then be merged with the object in Azure AD that is synced by Azure AD Connect.
-
-This configuration is advanced and there are a few caveats to this topology:
-
- 1. You must use `msdsConsistencyGuid` as the source anchor in the Cloud Sync configuration.
- 2. The `msdsConsistencyGuid` of the user object in the second forest must match that of the corresponding object in Azure AD.
- 3. You must populate the `UserPrincipalName` attribute and the `Alias` attribute in the second forest and it must match the ones that are synced from the first forest.
- 4. You must remove all attributes from the attribute mapping in the Cloud Sync configuration that don't have a value or may have a different value in the second forest ΓÇô you can't have overlapping attribute mappings between the first forest and the second one.
- 5. If there's no matching object in the first forest, for an object that is synced from the second forest, then Cloud Sync will still create the object in Azure AD. The object will only have the attributes that are defined in the mapping configuration of Cloud Sync for the second forest.
- 6. If you delete the object from the second forest, it will be temporarily soft deleted in Azure AD. It will be restored automatically after the next Azure AD Connect sync cycle.
- 7. If you delete the object from the first forest, it will be soft deleted from Azure AD. The object won't be restored unless a change is made to the object in the second forest. After 30 days the object will be hard deleted from Azure AD and if a change is made to the object in the second forest it will be created as a new object in Azure AD.
-
-
-
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)-
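Review bot: in the "Merging objects from disconnected sources" caveats (items 1 and 2) the source anchor attribute is written `msdsConsistencyGuid`, while the "Things to remember" bullets earlier in this hunk call it ms-DS-ConsistencyGuid; the page should settle on one spelling (the attribute's LDAP display name is mS-DS-ConsistencyGuid) so readers can match it against the attribute mapping they configure. In the same section, "An example would be:" is followed directly by the paragraph beginning "Since the second forest doesn't have network connectivity", so the example it introduces appears to have been lost, and the "Things to remember" bullets have been run together onto one line. Finally, the inline "NOTE: An object should be in scope in only one of the tools" under "Piloting Azure AD Connect cloud sync in an existing hybrid AD forest" is the rule that keeps an object from being managed by both tools at once and would be better placed in the `> [!IMPORTANT]` callout style this page already uses at the top.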
active-directory Reference Error Codes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/reference-error-codes.md
- Title: Azure AD Connect cloud sync error codes and descriptions
-description: reference article for cloud sync error codes
------ Previously updated : 01/18/2023-----
-# Azure AD Connect cloud sync error codes and descriptions
-The following is a list of error codes and their description
--
-## Error codes
-
-|Error code|Details|Scenario|Resolution|
-|--|--|--|--|
-|TimeOut|Error Message: We've detected a request timeout error when contacting the on-premises agent and synchronizing your configuration. For additional issues related to your cloud sync agent, please see our troubleshooting guidance.|Request to HIS timed out. Current Timeout value is 10 minutes.|See our [troubleshooting guidance](how-to-troubleshoot.md)|
-|HybridSynchronizationActiveDirectoryInternalServerError|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.30b500eaf9c643b2b78804e80c1421fe.5c291d3c-d29f-4570-9d6b-f0c2fa3d5926. Additional details: Processing of the HTTP request resulted in an exception. |Couldn't process the parameters received in SCIM request to a Search request.|Please see the HTTP response returned by the 'Response' property of this exception for details.|
-|HybridIdentityServiceNoAgentsAssigned|Error Message: We're unable to find an active agent for the domain you're trying to sync. Please check to see if the agents have been removed. If so, re-install the agent again.|There are no agents running. Probably agents have been removed. Register a new agent.|"In this case, you won't see any agent assigned to the domain in portal.|
-|HybridIdentityServiceNoActiveAgents|Error Message: We're unable to find an active agent for the domain you're trying to sync. Please check to see if the agent is running by going to the server, where the agent is installed, and check to see if "Microsoft Azure AD Cloud Sync Agent" under Services is running.|"Agents aren't listening to the ServiceBus endpoint. [The agent is behind a firewall that doesn't allow connections to service bus](../app-proxy/application-proxy-configure-connectors-with-proxy-servers.md#use-the-outbound-proxy-server)|
-|HybridIdentityServiceInvalidResource|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.3a2a0d8418f34f54a03da5b70b1f7b0c.d583d090-9cd3-4d0a-aee6-8d666658c3e9. Additional details: There seems to be an issue with your cloud sync setup. Please re-register your cloud sync agent on your on-premises AD domain and restart configuration from Azure portal.|The resource name must be set so HIS knows which agent to contact.|Please re-register your cloud sync agent on your on-premises AD domain and restart configuration from Azure portal.|
-|HybridIdentityServiceAgentSignalingError|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.92d2e8750f37407fa2301c9e52ad7e9b.efb835ef-62e8-42e3-b495-18d5272eb3f9. Additional details: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration).|Service Bus isn't able to send a message to the agent. Could be an outage in service bus, or the agent isn't responsive.|If this issue persists, please contact support with Job ID (from status pane of your configuration).|
-|AzureDirectoryServiceServerBusy|Error Message: An error occurred. Error Code: 81. Error Description: Azure Active Directory is currently busy. This operation will be retried automatically. If this issue persists for more than 24 hours, contact Technical Support. Tracking ID: 8a4ab3b5-3664-4278-ab64-9cff37fd3f4f Server Name:|Azure Active Directory is currently busy.|If this issue persists for more than 24 hours, contact Technical Support.|
-|AzureActiveDirectoryInvalidCredential|Error Message: We found an issue with the service account that is used to run Azure AD Connect Cloud Sync. You can repair the cloud service account by following the instructions at [here](./how-to-troubleshoot.md). If the error persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: CredentialsInvalid AADSTS50034: The user account {EmailHidden} doesn't exist in the skydrive365.onmicrosoft.com directory. To sign into this application, the account must be added to the directory. Trace ID: 14b63033-3bc9-4bd4-b871-5eb4b3500200 Correlation ID: 57d93ed1-be4d-483c-997c-a3b6f03deb00 Timestamp: 2021-01-12 21:08:29Z |This error is thrown when the sync service account ADToAADSyncServiceAccount doesn't exist in the tenant. It can be due to accidental deletion of the account.|Use [Repair-AADCloudSyncToolsAccount](reference-powershell.md#repair-aadcloudsynctoolsaccount) to fix the service account.|
-|AzureActiveDirectoryExpiredCredentials|Error Message: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: CredentialsExpired AADSTS50055: The password is expired. Trace ID: 989b1841-dbe5-49c9-ab6c-9aa25f7b0e00 Correlation ID: 1c69b196-1c3a-4381-9187-c84747807155 Timestamp: 2021-01-12 20:59:31Z | Response status code doesn't indicate success: 401 (Unauthorized).<br> Azure AD Sync service account credentials are expired.|You can repair the cloud service account by following the instructions at https://go.microsoft.com/fwlink/?linkid=2150988. If the error persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: Your administrative Azure Active Directory tenant credentials were exchanged for an OAuth token that has since expired."|
-|AzureActiveDirectoryAuthenticationFailed|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.60b943e88f234db2b887f8cb91dee87c.707be0d2-c6a9-405d-a3b9-de87761dc3ac. Additional details: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: UnexpectedError.|Unknown error.|If this issue persists, please contact support with Job ID (from status pane of your configuration).|
-
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
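Review bot: the rows for HybridSynchronizationActiveDirectoryInternalServerError, HybridIdentityServiceInvalidResource, HybridIdentityServiceAgentSignalingError, AzureActiveDirectoryInvalidCredential, AzureActiveDirectoryExpiredCredentials and AzureActiveDirectoryAuthenticationFailed embed what appear to be job identifiers, trace IDs, correlation IDs, a tracking ID and a tenant name (`skydrive365.onmicrosoft.com`) captured from a live environment; sample messages in a reference table should use obvious placeholders such as `<job-id>` and `contoso.onmicrosoft.com`, both so readers don't try to match on the literal values and so no real tenant name is published. Separately, the table is malformed in three rows: HybridIdentityServiceNoActiveAgents has only three cells for a four-column table (its Scenario and Resolution text are merged into one cell), HybridIdentityServiceNoAgentsAssigned opens its last cell with a stray `"`, and AzureActiveDirectoryExpiredCredentials ends with `expired."|`, leaving an unmatched quotation mark.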
active-directory Reference Expressions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/reference-expressions.md
- Title: Azure AD Connect cloud sync expressions and function reference
-description: reference
------ Previously updated : 01/18/2023------
-# Writing expressions for attribute mappings in Azure Active Directory
-When you configure cloud sync, one of the types of attribute mappings that you can specify is an expression mapping.
-
-The expression mapping allows you to customize attributes using a script-like expression. This allows you to transform the on-premises data into a new or different value. For example, you may want to combine two attributes into a single attribute because this single attribute is used by one of your cloud applications.
-
-The following document will cover the script-like expressions that are used to transform the data. This is only part of the process. Next you will need to use this expression and place it in a web request to your tenant. For more information on that see [Transformations](how-to-transformation.md)
-
-## Syntax overview
-The syntax for Expressions for Attribute Mappings is reminiscent of Visual Basic for Applications (VBA) functions.
-
-* The entire expression must be defined in terms of functions, which consist of a name followed by arguments in parentheses: <br>
- *FunctionName(`<<argument 1>>`,`<<argument N>>`)*
-* You may nest functions within each other. For example: <br> *FunctionOne(FunctionTwo(`<<argument1>>`))*
-* You can pass three different types of arguments into functions:
-
- 1. Attributes, which must be enclosed in square brackets. For example: [attributeName]
- 2. String constants, which must be enclosed in double quotes. For example: "United States"
- 3. Other Functions. For example: FunctionOne(`<<argument1>>`, FunctionTwo(`<<argument2>>`))
-* For string constants, if you need a backslash ( \ ) or quotation mark ( " ) in the string, it must be escaped with the backslash ( \ ) symbol. For example: "Company name: \\"Contoso\\""
-
-## List of functions
-| List of functions | Description |
-|--|-|
-|[Append](#append)|Takes a source string value and appends the suffix to the end of it.|
-|[BitAnd](#bitand)|The BitAnd function sets specified bits on a value.|
-|[CBool](#cbool)|The CBool function returns a Boolean based on the evaluated expression|
-|[ConvertFromBase64](#convertfrombase64)|The ConvertFromBase64 function converts the specified base64 encoded value to a regular string.|
-|[ConvertToBase64](#converttobase64)|The ConvertToBase64 function converts a string to a Unicode base64 string. |
-|[ConvertToUTF8Hex](#converttoutf8hex)|The ConvertToUTF8Hex function converts a string to a UTF8 Hex encoded value.|
-|[Count](#count)|The Count function returns the number of elements in a multi-valued attribute|
-|[Cstr](#cstr)|The CStr function converts to a string data type.|
-|[DateFromNum](#datefromnum)|The DateFromNum function converts a value in ADΓÇÖs date format to a DateTime type.|
-|[DNComponent](#dncomponent)|The DNComponent function returns the value of a specified DN component going from left.|
-|[Error](#error)|The Error function is used to return a custom error.|
-|[FormatDateTime](#formatdatetime) |Takes a date string from one format and converts it into a different format.|
-|[GUID](#guid)|The function Guid generates a new random GUID.|
-|[IIF](#iif)|The IIF function returns one of a set of possible values based on a specified condition.|
-|[InStr](#instr)|The InStr function finds the first occurrence of a substring in a string.|
-|[IsNull](#isnull)|If the expression evaluates to Null, then the IsNull function returns true.|
-|[IsNullOrEmpty](#isnullorempty)|If the expression is null or an empty string, then the IsNullOrEmpty function returns true.|
-|[IsPresent](#ispresent)|If the expression evaluates to a string that is not Null and is not empty, then the IsPresent function returns true.|
-|[IsString](#isstring)|If the expression can be evaluated to a string type, then the IsString function evaluates to True.|
-|[Item](#item)|The Item function returns one item from a multi-valued string/attribute.|
-|[Join](#join) |Join() is similar to Append(), except that it can combine multiple **source** string values into a single string, and each value will be separated by a **separator** string.|
-|[Left](#left)|The Left function returns a specified number of characters from the left of a string.|
-|[Mid](#mid) |Returns a substring of the source value. A substring is a string that contains only some of the characters from the source string.|
-|[NormalizeDiacritics](#normalizediacritics)|Requires one string argument. Returns the string, but with any diacritical characters replaced with equivalent non-diacritical characters.|
-|[Not](#not) |Flips the boolean value of the **source**. If **source** value is "*True*", returns "*False*". Otherwise, returns "*True*".|
-|[RemoveDuplicates](#removeduplicates)|The RemoveDuplicates function takes a multi-valued string and make sure each value is unique.|
-|[Replace](#replace) |Replaces values within a string. |
-|[SelectUniqueValue](#selectuniquevalue)|Requires a minimum of two arguments, which are unique value generation rules defined using expressions. The function evaluates each rule and then checks the value generated for uniqueness in the target app/directory.|
-|[SingleAppRoleAssignment](#singleapproleassignment)|Returns a single appRoleAssignment from the list of all appRoleAssignments assigned to a user for a given application.|
-|[Split](#split)|Splits a string into a multi-valued array, using the specified delimiter character.|
-|[StringFromSID](#stringfromsid)|The StringFromSid function converts a byte array containing a security identifier to a string.|
-|[StripSpaces](#stripspaces) |Removes all space (" ") characters from the source string.|
-|[Switch](#switch)|When **source** value matches a **key**, returns **value** for that **key**. |
-|[ToLower](#tolower)|Takes a *source* string value and converts it to lower case using the culture rules that are specified.|
-|[ToUpper](#toupper)|Takes a *source* string value and converts it to upper case using the culture rules that are specified.|
-|[Trim](#trim)|The Trim function removes leading and trailing white spaces from a string.|
-|[Word](#word)|The Word function returns a word contained within a string, based on parameters describing the delimiters to use and the word number to return.|
--
-### Append
-**Function:**<br>
-Append(source, suffix)
-
-**Description:**<br>
-Takes a source string value and appends the suffix to the end of it.
-
-**Parameters:**<br>
-
- | Name | Required/ Repeating | Type | Notes |
- | | | | |
- | **source** |Required |String |Usually name of the attribute from the source object. |
- | **suffix** |Required |String |The string that you want to append to the end of the source value. |
--
-### BitAnd
-**Description:**
-The BitAnd function sets specified bits on a value.
-
-**Syntax:**
-`num BitAnd(num value1, num value2)`
-
-* value1, value2: numeric values that should be ANDΓÇÖed together
-
-**Remarks:**
-This function converts both parameters to the binary representation and sets a bit to:
-
-* 0 - if one or both of the corresponding bits in *value1* and *value2* are 0
-* 1 - if both of the corresponding bits are 1.
-
-In other words, it returns 0 in all cases except when the corresponding bits of both parameters are 1.
-
-**Example:**
-
- `BitAnd(&HF, &HF7)`</br>
- Returns 7 because hexadecimal "F" AND "F7" evaluate to this value.
---
-### CBool
-**Description:**
-The CBool function returns a Boolean based on the evaluated expression
-
-**Syntax:**
-`bool CBool(exp Expression)`
-
-**Remarks:**
-If the expression evaluates to a non-zero value, then CBool returns True, else it returns False.
-
-**Example:**
-`CBool([attrib1] = [attrib2])`
-
-Returns True if both attributes have the same value.
--
-### ConvertFromBase64
-**Description:**
-The ConvertFromBase64 function converts the specified base64 encoded value to a regular string.
-
-**Syntax:**
-`str ConvertFromBase64(str source)` - assumes Unicode for encoding
-`str ConvertFromBase64(str source, enum Encoding)`
-
-* source: Base64 encoded string
-* Encoding: Unicode, ASCII, UTF8
-
-**Example**
-`ConvertFromBase64("SABlAGwAbABvACAAdwBvAHIAbABkACEA")`
-`ConvertFromBase64("SGVsbG8gd29ybGQh", UTF8)`
-
-Both examples return "*Hello world!*"
--
-### ConvertToBase64
-**Description:**
-The ConvertToBase64 function converts a string to a Unicode base64 string.
-Converts the value of an array of integers to its equivalent string representation that is encoded with base-64 digits.
-
-**Syntax:**
-`str ConvertToBase64(str source)`
-
-**Example:**
-`ConvertToBase64("Hello world!")`
-Returns "SABlAGwAbABvACAAdwBvAHIAbABkACEA"
--
-### ConvertToUTF8Hex
-**Description:**
-The ConvertToUTF8Hex function converts a string to a UTF8 Hex encoded value.
-
-**Syntax:**
-`str ConvertToUTF8Hex(str source)`
-
-**Remarks:**
-The output format of this function is used by Azure Active Directory as DN attribute format.
-
-**Example:**
-`ConvertToUTF8Hex("Hello world!")`
-Returns 48656C6C6F20776F726C6421
--
-### Count
-**Description:**
-The Count function returns the number of elements in a multi-valued attribute
-
-**Syntax:**
-`num Count(mvstr attribute)`
--
-### CStr
-**Description:**
-The CStr function converts to a string data type.
-
-**Syntax:**
-`str CStr(num value)`
-`str CStr(ref value)`
-`str CStr(bool value)`
-
-* value: Can be a numeric value, reference attribute, or Boolean.
-
-**Example:**
-`CStr([dn])`
-Could return "cn=Joe,dc=contoso,dc=com"
--
-### DateFromNum
-**Description:**
-The DateFromNum function converts a value in ADΓÇÖs date format to a DateTime type.
-
-**Syntax:**
-`dt DateFromNum(num value)`
-
-**Example:**
-`DateFromNum([lastLogonTimestamp])`
-`DateFromNum(129699324000000000)`
-Returns a DateTime representing 2012-01-01 23:00:00
--
-### DNComponent
-**Description:**
-The DNComponent function returns the value of a specified DN component going from left.
-
-**Syntax:**
-`str DNComponent(ref dn, num ComponentNumber)`
-
-* dn: the reference attribute to interpret
-* ComponentNumber: The component in the DN to return
-
-**Example:**
-`DNComponent(CRef([dn]),1)`
-If dn is "cn=Joe,ou=…," it returns Joe
--
-### Error
-**Description:**
-The Error function is used to return a custom error.
-
-**Syntax:**
-`void Error(str ErrorMessage)`
-
-**Example:**
-`IIF(IsPresent([accountName]),[accountName],Error("AccountName is required"))`
-If the attribute accountName is not present, throw an error on the object.
--
-### FormatDateTime
-**Function:**<br>
-FormatDateTime(source, inputFormat, outputFormat)
-
-**Description:**<br>
-Takes a date string from one format and converts it into a different format.
-
-**Parameters:**<br>
-
- | Name | Required/ Repeating | Type | Notes |
- | | | | |
- | **source** |Required |String |Usually name of the attribute from the source object. |
- | **inputFormat** |Required |String |Expected format of the source value. For supported formats, see [/dotnet/standard/base-types/custom-date-and-time-format-strings](/dotnet/standard/base-types/custom-date-and-time-format-strings). |
- | **outputFormat** |Required |String |Format of the output date. |
--
-### Guid
-**Description:**
-The function Guid generates a new random GUID
-
-**Syntax:**
-`str Guid()`
--
-### IIF
-**Description:**
-The IIF function returns one of a set of possible values based on a specified condition.
-
-**Syntax:**
-`var IIF(exp condition, var valueIfTrue, var valueIfFalse)`
-
-* condition: any value or expression that can be evaluated to true or false.
-* valueIfTrue: If the condition evaluates to true, the returned value.
-* valueIfFalse: If the condition evaluates to false, the returned value.
-
-**Example:**
-`IIF([employeeType]="Intern","t-" & [alias],[alias])`
- If the user is an intern, returns the alias of a user with "t-" added to the beginning of it, else returns the userΓÇÖs alias as is.
--
-### InStr
-**Description:**
-The InStr function finds the first occurrence of a substring in a string
-
-**Syntax:**
-
-`num InStr(str stringcheck, str stringmatch)`
-`num InStr(str stringcheck, str stringmatch, num start)`
-`num InStr(str stringcheck, str stringmatch, num start, enum compare)`
-
-* stringcheck: string to be searched
-* stringmatch: string to be found
-* start: starting position to find the substring
-* compare: vbTextCompare or vbBinaryCompare
-
-**Remarks:**
-Returns the position where the substring was found or 0 if not found.
-
-**Example:**
-`InStr("The quick brown fox","quick")`
-Evalues to 5
-
-`InStr("repEated","e",3,vbBinaryCompare)`
-Evaluates to 7
--
-### IsNull
-**Description:**
-If the expression evaluates to Null, then the IsNull function returns true.
-
-**Syntax:**
-`bool IsNull(var Expression)`
-
-**Remarks:**
-For an attribute, a Null is expressed by the absence of the attribute.
-
-**Example:**
-`IsNull([displayName])`
-Returns True if the attribute is not present in the CS or MV.
--
-### IsNullOrEmpty
-**Description:**
-If the expression is null or an empty string, then the IsNullOrEmpty function returns true.
-
-**Syntax:**
-`bool IsNullOrEmpty(var Expression)`
-
-**Remarks:**
-For an attribute, this would evaluate to True if the attribute is absent or is present but is an empty string.
-The inverse of this function is named IsPresent.
-
-**Example:**
-`IsNullOrEmpty([displayName])`
-Returns True if the attribute is not present or is an empty string in the CS or MV.
--
-### IsPresent
-**Description:**
-If the expression evaluates to a string that is not Null and is not empty, then the IsPresent function returns true.
-
-**Syntax:**
-`bool IsPresent(var expression)`
-
-**Remarks:**
-The inverse of this function is named IsNullOrEmpty.
-
-**Example:**
-`Switch(IsPresent([directManager]),[directManager], IsPresent([skiplevelManager]),[skiplevelManager], IsPresent([director]),[director])`
--
-### Item
-**Description:**
-The Item function returns one item from a multi-valued string/attribute.
-
-**Syntax:**
-`var Item(mvstr attribute, num index)`
-
-* attribute: multi-valued attribute
-* index: index to an item in the multi-valued string.
-
-**Remarks:**
-The Item function is useful together with the Contains function since the latter function returns the index to an item in the multi-valued attribute.
-
-Throws an error if index is out of bounds.
-
-**Example:**
-`Mid(Item([proxyAddresses],Contains([proxyAddresses], "SMTP:")),6)`
-Returns the primary email address.
--
-### IsString
-**Description:**
-If the expression can be evaluated to a string type, then the IsString function evaluates to True.
-
-**Syntax:**
-`bool IsString(var expression)`
-
-**Remarks:**
-Used to determine if CStr() can be successful to parse the expression.
--
-### Join
-**Function:**<br>
-Join(separator, source1, source2, …)
-
-**Description:**<br>
-Join() is similar to Append(), except that it can combine multiple **source** string values into a single string, and each value will be separated by a **separator** string.
-
-If one of the source values is a multi-value attribute, then every value in that attribute will be joined together, separated by the separator value.
-
-**Parameters:**<br>
-
- | Name | Required/ Repeating | Type | Notes |
- | | | | |
- | **separator** |Required |String |String used to separate source values when they are concatenated into one string. Can be "" if no separator is required. |
- | **source1 … sourceN** |Required, variable-number of times |String |String values to be joined together. |
--
-### Left
-**Description:**
-The Left function returns a specified number of characters from the left of a string.
-
-**Syntax:**
-`str Left(str string, num NumChars)`
-
-* string: the string to return characters from
-* NumChars: a number identifying the number of characters to return from the beginning (left) of string
-
-**Remarks:**
-A string containing the first numChars characters in string:
-
-* If numChars = 0, return empty string.
-* If numChars < 0, return input string.
-* If string is null, return empty string.
-
-If string contains fewer characters than the number specified in numChars, a string identical to string (that is, containing all characters in parameter 1) is returned.
-
-**Example:**
-`Left("John Doe", 3)`
-Returns `Joh`.
--
-### Mid
-**Function:**<br>
-Mid(source, start, length)
-
-**Description:**<br>
-Returns a substring of the source value. A substring is a string that contains only some of the characters from the source string.
-
-**Parameters:**<br>
-
- | Name | Required/ Repeating | Type | Notes |
- | | | | |
- | **source** |Required |String |Usually name of the attribute. |
- | **start** |Required |integer |Index in the **source** string where substring should start. First character in the string will have index of 1, second character will have index 2, and so on. |
- | **length** |Required |integer |Length of the substring. If length ends outside the **source** string, function will return substring from **start** index till end of **source** string. |
--
-### NormalizeDiacritics
-**Function:**<br>
-NormalizeDiacritics(source)
-
-**Description:**<br>
-Requires one string argument. Returns the string, but with any diacritical characters replaced with equivalent non-diacritical characters. Typically used to convert first names and last names containing diacritical characters (accent marks) into legal values that can be used in various user identifiers such as user principal names, SAM account names, and email addresses.
-
-**Parameters:**<br>
-
- | Name | Required/ Repeating | Type | Notes |
- | | | | |
- | **source** |Required |String | Usually a first name or last name attribute. |
--
-### Not
-**Function:**<br>
-Not(source)
-
-**Description:**<br>
-Flips the boolean value of the **source**. If **source** value is "*True*", returns "*False*". Otherwise, returns "*True*".
-
-**Parameters:**<br>
-
- | Name | Required/ Repeating | Type | Notes |
- | | | | |
- | **source** |Required |Boolean String |Expected **source** values are "True" or "False". |
--
-### RemoveDuplicates
-**Description:**
-The RemoveDuplicates function takes a multi-valued string and make sure each value is unique.
-
-**Syntax:**
-`mvstr RemoveDuplicates(mvstr attribute)`
-
-**Example:**
-`RemoveDuplicates([proxyAddresses])`
-Returns a sanitized proxyAddress attribute where all duplicate values have been removed.
--
-### Replace
-**Function:**<br>
-Replace(source, oldValue, regexPattern, regexGroupName, replacementValue, replacementAttributeName, template)
-
-**Description:**<br>
-Replaces values within a string. It works differently depending on the parameters provided:
-
-* When **oldValue** and **replacementValue** are provided:
-
- * Replaces all occurrences of **oldValue** in the **source** with **replacementValue**
-* When **oldValue** and **template** are provided:
-
- * Replaces all occurrences of the **oldValue** in the **template** with the **source** value
-* When **regexPattern** and **replacementValue** are provided:
-
- * The function applies the **regexPattern** to the **source** string and you can use the regex group names to construct the string for **replacementValue**
-* When **regexPattern**, **regexGroupName**, **replacementValue** are provided:
-
- * The function applies the **regexPattern** to the **source** string and replaces all values matching **regexGroupName** with **replacementValue**
-* When **regexPattern**, **regexGroupName**, **replacementAttributeName** are provided:
-
- * If **source** has no value, **source** is returned
- * If **source** has a value, the function applies the **regexPattern** to the **source** string and replaces all values matching **regexGroupName** with the value associated with **replacementAttributeName**
-
-**Parameters:**<br>
-
- | Name | Required/ Repeating | Type | Notes |
- | | | | |
- | **source** |Required |String |Usually name of the attribute from the **source** object. |
- | **oldValue** |Optional |String |Value to be replaced in **source** or **template**. |
- | **regexPattern** |Optional |String |Regex pattern for the value to be replaced in **source**. Or, when **replacementPropertyName** is used, pattern to extract value from **replacementPropertyName**. |
- | **regexGroupName** |Optional |String |Name of the group inside **regexPattern**. Only when **replacementPropertyName** is used, we will extract value of this group as **replacementValue** from **replacementPropertyName**. |
- | **replacementValue** |Optional |String |New value to replace old one with. |
- | **replacementAttributeName** |Optional |String |Name of the attribute to be used for replacement value |
- | **template** |Optional |String |When **template** value is provided, we will look for **oldValue** inside the template and replace it with **source** value. |
--
-### SelectUniqueValue
-**Function:**<br>
-SelectUniqueValue(uniqueValueRule1, uniqueValueRule2, uniqueValueRule3, …)
-
-**Description:**<br>
-Requires a minimum of two arguments, which are unique value generation rules defined using expressions. The function evaluates each rule and then checks the value generated for uniqueness in the target app/directory. The first unique value found will be the one returned. If all of the values already exist in the target, the entry will get escrowed and the reason gets logged in the audit logs. There is no upper bound to the number of arguments that can be provided.
-
-> [!NOTE]
-> - This is a top-level function, it cannot be nested.
-> - This function cannot be applied to attributes that have a matching precedence.
-> - This function is only meant to be used for entry creations. When using it with an attribute, set the **Apply Mapping** property to **Only during object creation**.
-> - This function is currently only supported for "Workday and SuccessFactors to Active Directory User Provisioning". It cannot be used with other provisioning applications.
--
-**Parameters:**<br>
-
- | Name | Required/ Repeating | Type | Notes |
- | | | | |
- | **uniqueValueRule1 … uniqueValueRuleN** |At least 2 are required, no upper bound |String | List of unique value generation rules to evaluate. |
---
-### SingleAppRoleAssignment
-**Function:**<br>
-SingleAppRoleAssignment([appRoleAssignments])
-
-**Description:**<br>
-Returns a single appRoleAssignment from the list of all appRoleAssignments assigned to a user for a given application. This function is required to convert the appRoleAssignments object into a single role name string. Note that the best practice is to ensure only one appRoleAssignment is assigned to one user at a time, and if multiple roles are assigned the role string returned may not be predictable.
-
-**Parameters:**<br>
-
- | Name | Required/ Repeating | Type | Notes |
- | | | | |
- | **[appRoleAssignments]** |Required |String |**[appRoleAssignments]** object. |
--
-### Split
-**Function:**<br>
-Split(source, delimiter)
-
-**Description:**<br>
-Splits a string into a multi-valued array, using the specified delimiter character.
-
-**Parameters:**<br>
-
- | Name | Required/ Repeating | Type | Notes |
- | | | | |
- | **source** |Required |String |**source** value to update. |
- | **delimiter** |Required |String |Specifies the character that will be used to split the string (example: ",") |
--
-### StringFromSid
-**Description:**
-The StringFromSid function converts a byte array containing a security identifier to a string.
-
-**Syntax:**
-`str StringFromSid(bin ObjectSID)`
--
-### StripSpaces
-**Function:**<br>
-StripSpaces(source)
-
-**Description:**<br>
-Removes all space (" ") characters from the source string.
-
-**Parameters:**<br>
-
- | Name | Required/ Repeating | Type | Notes |
- | | | | |
- | **source** |Required |String |**source** value to update. |
--
-### Switch
-**Function:**<br>
-Switch(source, defaultValue, key1, value1, key2, value2, …)
-
-**Description:**<br>
-When **source** value matches a **key**, returns **value** for that **key**. If **source** value doesn't match any keys, returns **defaultValue**. **Key** and **value** parameters must always come in pairs. The function always expects an even number of parameters.
-
-**Parameters:**<br>
-
- | Name | Required/ Repeating | Type | Notes |
- | | | | |
- | **source** |Required |String |**Source** value to check. |
- | **defaultValue** |Optional |String |Default value to be used when source doesn't match any keys. Can be empty string (""). |
- | **key** |Required |String |**Key** to compare **source** value with. |
- | **value** |Required |String |Replacement value for the **source** matching the key. |
--
-### ToLower
-**Function:**<br>
-ToLower(source, culture)
-
-**Description:**<br>
-Takes a *source* string value and converts it to lower case using the culture rules that are specified. If there is no *culture* info specified, then it will use Invariant culture.
-
-**Parameters:**<br>
-
- | Name | Required/ Repeating | Type | Notes |
- | | | | |
- | **source** |Required |String |Usually name of the attribute from the source object |
- | **culture** |Optional |String |The format for the culture name based on RFC 4646 is *languagecode2-country/regioncode2*, where *languagecode2* is the two-letter language code and *country/regioncode2* is the two-letter subculture code. Examples include ja-JP for Japanese (Japan) and en-US for English (United States). In cases where a two-letter language code is not available, a three-letter code derived from ISO 639-2 is used.|
---
-### ToUpper
-**Function:**<br>
-ToUpper(source, culture)
-
-**Description:**<br>
-Takes a *source* string value and converts it to upper case using the culture rules that are specified. If there is no *culture* info specified, then it will use Invariant culture.
-
-**Parameters:**<br>
-
- | Name | Required/ Repeating | Type | Notes |
- | | | | |
- | **source** |Required |String |Usually name of the attribute from the source object. |
- | **culture** |Optional |String |The format for the culture name based on RFC 4646 is *languagecode2-country/regioncode2*, where *languagecode2* is the two-letter language code and *country/regioncode2* is the two-letter subculture code. Examples include ja-JP for Japanese (Japan) and en-US for English (United States). In cases where a two-letter language code is not available, a three-letter code derived from ISO 639-2 is used.|
---
-### Trim
-**Description:**
-The Trim function removes leading and trailing white spaces from a string.
-
-**Syntax:**
-`str Trim(str value)`
-
-**Example:**
-`Trim(" Test ")`
-Returns "Test".
-
-`Trim([proxyAddresses])`
-Removes leading and trailing spaces for each value in the proxyAddress attribute.
--
-### Word
-**Description:**
-The Word function returns a word contained within a string, based on parameters describing the delimiters to use and the word number to return.
-
-**Syntax:**
-`str Word(str string, num WordNumber, str delimiters)`
-
-* string: the string to return a word from.
-* WordNumber: a number identifying which word number should return.
-* delimiters: a string representing the delimiter(s) that should be used to identify words
-
-**Remarks:**
-Each string of characters in string separated by the one of the characters in delimiters are identified as words:
-
-* If number < 1, returns empty string.
-* If string is null, returns empty string.
-
-If string contains less than number words, or string does not contain any words identified by delimiters, an empty string is returned.
-
-**Example:**
-`Word("The quick brown fox",3," ")`
-Returns "brown"
-
-`Word("This,string!has&many separators",3,",!&#")`
-Would return "has"
-
-## Examples
-### Strip known domain name
-You need to strip a known domain name from a userΓÇÖs email to obtain a user name. <br>
-For example, if the domain is "contoso.com", then you could use the following expression:
-
-**Expression:** <br>
-`Replace([mail], "@contoso.com", , ,"", ,)`
-
-**Sample input / output:** <br>
-
-* **INPUT** (mail): "john.doe@contoso.com"
-* **OUTPUT**: "john.doe"
-
-### Append constant suffix to user name
-If you are using a Salesforce Sandbox, you might need to append an additional suffix to all your user names before synchronizing them.
-
-**Expression:** <br>
-`Append([userPrincipalName], ".test")`
-
-**Sample input/output:** <br>
-
-* **INPUT**: (userPrincipalName): "John.Doe@contoso.com"
-* **OUTPUT**: "John.Doe@contoso.com.test"
-
-### Generate user alias by concatenating parts of first and last name
-You need to generate a user alias by taking first 3 letters of user's first name and first 5 letters of user's last name.
-
-**Expression:** <br>
-`Append(Mid([givenName], 1, 3), Mid([surname], 1, 5))`
-
-**Sample input/output:** <br>
-
-* **INPUT** (givenName): "John"
-* **INPUT** (surname): "Doe"
-* **OUTPUT**: "JohDoe"
-
-### Remove diacritics from a string
-You need to replace characters containing accent marks with equivalent characters that don't contain accent marks.
-
-**Expression:** <br>
-NormalizeDiacritics([givenName])
-
-**Sample input/output:** <br>
-
-* **INPUT** (givenName): "Zoë"
-* **OUTPUT**: "Zoe"
-
-### Split a string into a multi-valued array
-You need to take a comma-delimited list of strings, and split them into an array that can be plugged into a multi-value attribute like Salesforce's PermissionSets attribute. In this example, a list of permission sets has been populated in extensionAttribute5 in Azure AD.
-
-**Expression:** <br>
-Split([extensionAttribute5], ",")
-
-**Sample input/output:** <br>
-
-* **INPUT** (extensionAttribute5): "PermissionSetOne, PermissionSetTwo"
-* **OUTPUT**: ["PermissionSetOne", "PermissionSetTwo"]
-
-### Output date as a string in a certain format
-You want to send dates to a SaaS application in a certain format. <br>
-For example, you want to format dates for ServiceNow.
-
-**Expression:** <br>
-
-`FormatDateTime([extensionAttribute1], "yyyyMMddHHmmss.fZ", "yyyy-MM-dd")`
-
-**Sample input/output:**
-
-* **INPUT** (extensionAttribute1): "20150123105347.1Z"
-* **OUTPUT**: "2015-01-23"
-
-### Replace a value based on predefined set of options
-
-You need to define the time zone of the user based on the state code stored in Azure AD. <br>
-If the state code doesn't match any of the predefined options, use default value of "Australia/Sydney".
-
-**Expression:** <br>
-`Switch([state], "Australia/Sydney", "NSW", "Australia/Sydney","QLD", "Australia/Brisbane", "SA", "Australia/Adelaide")`
-
-**Sample input/output:**
-
-* **INPUT** (state): "QLD"
-* **OUTPUT**: "Australia/Brisbane"
-
-### Replace characters using a regular expression
-You need to find characters that match a regular expression value and remove them.
-
-**Expression:** <br>
-
-Replace([mailNickname], , "[a-zA-Z_]*", , "", , )
-
-**Sample input/output:**
-
-* **INPUT** (mailNickname: "john_doe72"
-* **OUTPUT**: "72"
-
-### Convert generated userPrincipalName (UPN) value to lower case
-In the example below, the UPN value is generated by concatenating the PreferredFirstName and PreferredLastName source fields and the ToLower function operates on the generated string to convert all characters to lower case.
-
-`ToLower(Join("@", NormalizeDiacritics(StripSpaces(Join(".", [PreferredFirstName], [PreferredLastName]))), "contoso.com"))`
-
-**Sample input/output:**
-
-* **INPUT** (PreferredFirstName): "John"
-* **INPUT** (PreferredLastName): "Smith"
-* **OUTPUT**: "john.smith@contoso.com"
-
-### Generate unique value for userPrincipalName (UPN) attribute
-Based on the user's first name, middle name and last name, you need to generate a value for the UPN attribute and check for its uniqueness in the target AD directory before assigning the value to the UPN attribute.
-
-**Expression:** <br>
-
-```ad-attr-mapping-expr
- SelectUniqueValue(
- Join("@", NormalizeDiacritics(StripSpaces(Join(".", [PreferredFirstName], [PreferredLastName]))), "contoso.com"),
- Join("@", NormalizeDiacritics(StripSpaces(Join(".", Mid([PreferredFirstName], 1, 1), [PreferredLastName]))), "contoso.com"),
- Join("@", NormalizeDiacritics(StripSpaces(Join(".", Mid([PreferredFirstName], 1, 2), [PreferredLastName]))), "contoso.com")
- )
-```
-
-**Sample input/output:**
-
-* **INPUT** (PreferredFirstName): "John"
-* **INPUT** (PreferredLastName): "Smith"
-* **OUTPUT**: "John.Smith@contoso.com" if UPN value of John.Smith@contoso.com doesn't already exist in the directory
-* **OUTPUT**: "J.Smith@contoso.com" if UPN value of John.Smith@contoso.com already exists in the directory
-* **OUTPUT**: "Jo.Smith@contoso.com" if the above two UPN values already exist in the directory
--
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
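Review bot: the sample input line for the regular-expression `Replace` example, `* **INPUT** (mailNickname: "john_doe72"`, is missing its closing parenthesis, and the two Next steps links are run together on one line (`--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)`); this hunk only removes the functions reference from `IsNull` through the `SelectUniqueValue` UPN example and no replacement lines are visible, so if the content is being moved to a new path rather than retired, carry both fixes into the relocated copy and add a redirect for the old path. Worth addressing in the same pass: the `SingleAppRoleAssignment` description says the returned role string "may not be predictable" when several appRoleAssignments exist, but since that string is what the target application uses to decide the role it grants, the text should state plainly that an unpredictable result can mean the wrong privilege level being provisioned, not only that the output varies.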
active-directory Reference Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/reference-powershell.md
- Title: 'AADCloudSyncTools PowerShell module for Azure AD Connect cloud sync'
-description: This article describes how to install the Azure AD Connect cloud provisioning agent.
------ Previously updated : 01/17/2023-----
-# AADCloudSyncTools PowerShell module for Azure AD Connect cloud sync
-
-The AADCloudSyncTools module provides a set of useful tools that can help you manage your deployments of Azure Active Directory Connect (Azure AD Connect) cloud sync.
-
-## Prerequisites
-
-You can automatically install all the prerequisites for the AADCloudSyncTools module by using `Install-AADCloudSyncToolsPrerequisites`. You'll do that in the next section of this article.
-
-Here are some details about what you need:
--- The AADCloudSyncTools module uses Microsoft Authentication Library (MSAL) authentication, so it requires installation of the MSAL.PS module. To verify the installation, in a PowerShell window, run `Get-module MSAL.PS -ListAvailable`. If the module is installed correctly, you'll get a response. If necessary, you can use `Install-AADCloudSyncToolsPrerequisites` to install the latest version of MSAL.PS.-- Although the Azure AD PowerShell module is not required for any functionality of the AADCloudSyncTools module, it is useful. So it's automatically installed when you use `Install-AADCloudSyncToolsPrerequisites`. -- Installing modules from the PowerShell Gallery requires Transport Layer Security (TLS) 1.2 enforcement. The cmdlet `Install-AADCloudSyncToolsPrerequisites` sets TLS 1.2 enforcement before installing all the prerequisites. To ensure that you can manually install modules, set the following in the PowerShell session before using the cmdlet:-
- ```
- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
- ```
-- The AADCloudSyncTools module might not work correctly if the Azure AD Connect cloud provisioning agent is not running or the configuration wizard has not finished successfully.-
-## Install the AADCloudSyncTools PowerShell module
-
-1. Open Windows PowerShell with administrative privileges.
-2. Run `Import-module -Name "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Utility\AADCloudSyncTools"`.
-3. To verify that the module was imported, run `Get-module AADCloudSyncTools`.
-
- You should now see information about the module.
-4. To install the AADCloudSyncTools module prerequisites, run `Install-AADCloudSyncToolsPrerequisites`.
-5. On the first run, the PowerShellGet module will be installed if it's not present. To load the new PowerShellGet module, close the PowerShell window and open a new PowerShell session with administrative privileges.
-6. Import the module again by running `Import-module -Name "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Utility\AADCloudSyncTools"`.
-7. Run `Install-AADCloudSyncToolsPrerequisites` again to install the MSAL and Azure AD modules.
-
- All prerequisites should now be installed.
-
- ![Screenshot of the notification in the PowerShell window that says the prerequisites were installed successfully.](media/reference-powershell/install-1.png)
-8. Every time you want to use the AADCloudSyncTools module in a new PowerShell session, run the following command:
-
- ```
- Import-module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Utility\AADCloudSyncTools"
- ```
-
-## AADCloudSyncTools cmdlets
-
-> [!NOTE]
-> Before using AADCloudSyncTools module make sure the Azure AD Connect cloud provisioning agent is running and the configuration wizard has finished successfully. To troubleshoot wizard issues, you can find trace logs in the folder *C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace*, see [Cloud sync troubleshooting](how-to-troubleshoot.md) for more information.
-
-### Connect-AADCloudSyncTools
-
-This cmdlet uses the MSAL.PS module to request a token for the Azure AD administrator to access Microsoft Graph.
-
-### Export-AADCloudSyncToolsLogs
-
-This cmdlet exports and packages all the troubleshooting data in a compressed file, as follows:
-
-1. Sets verbose tracing and starts collecting data from the provisioning agent (same as `Start-AADCloudSyncToolsVerboseLogs`).
-2. Stops data collection after three minutes and disables verbose tracing (same as `Stop-AADCloudSyncToolsVerboseLogs`).
-3. Collects Event Viewer logs for the last 24 hours.
-4. Compresses all the agent logs, verbose logs, and Event Viewer logs into a .zip file in the user's *Documents* folder.
-
-You can use the following options to fine-tune your data collection:
--- `SkipVerboseTrace` to only export current logs without capturing verbose logs (default = false).-- `TracingDurationMins` to specify a different capture duration (default = 3 minutes).-- `OutputPath` to specify a different output path (default = userΓÇÖs Documents folder).-
-### Get-AADCloudSyncToolsInfo
-
-This cmdlet shows Azure AD tenant details and the state of internal variables.
-
-### Get-AADCloudSyncToolsJob
-
-This cmdlet uses Microsoft Graph to get Azure AD service principals and returns the sync job's information. You can also call it by using the specific sync job ID as a parameter.
-
-### Get-AADCloudSyncToolsJobSchedule
-
-This cmdlet uses Microsoft Graph to get Azure AD service principals and returns the sync job's schedule. You can also call it by using the specific sync job ID as a parameter.
-
-### Get-AADCloudSyncToolsJobSchema
-
-This cmdlet uses Microsoft Graph to get Azure AD service principals and returns the sync job's schema.
-
-### Get-AADCloudSyncToolsJobScope
-
-This cmdlet uses Microsoft Graph to get the sync job's schema for the provided sync job ID and outputs all filter groups' scopes.
-
-### Get-AADCloudSyncToolsJobSettings
-
-This cmdlet uses Microsoft Graph to get Azure AD service principals and returns the sync job's settings. You can also call it by using the specific sync job ID as a parameter.
-
-### Get-AADCloudSyncToolsJobStatus
-
-This cmdlet uses Microsoft Graph to get Azure AD service principals and returns the sync job's status. You can also call it by using the specific sync job ID as a parameter.
-
-### Get-AADCloudSyncToolsServicePrincipal
-
-This cmdlet uses Microsoft Graph to get the service principals for Azure AD and/or Azure Service Fabric. Without parameters, it will return only Azure AD service principals.
-
-### Install-AADCloudSyncToolsPrerequisites
-
-This cmdlet checks for the presence of PowerShellGet v2.2.4.1 or later, the Azure AD module, and the MSAL.PS module. It installs these items if they're missing.
-
-### Invoke-AADCloudSyncToolsGraphQuery
-
-This cmdlet invokes a web request for the URI, method, and body specified as parameters.
-
-### Repair-AADCloudSyncToolsAccount
-
-This cmdlet uses Azure AD PowerShell to delete the current account (if present). It then resets the sync account authentication with a new sync account in Azure AD.
-
-### Restart-AADCloudSyncToolsJob
-
-This cmdlet restarts a full synchronization.
-
-### Resume-AADCloudSyncToolsJob
-
-This cmdlet continues synchronization from the previous watermark.
-
-### Start-AADCloudSyncToolsVerboseLogs
-
-This cmdlet modifies *AADConnectProvisioningAgent.exe.config* to enable verbose tracing and restarts the AADConnectProvisioningAgent service. You can use `-SkipServiceRestart` to prevent service restart, but any configuration changes will not take effect. You can find these trace logs in the folder *C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace*.
-
-### Stop-AADCloudSyncToolsVerboseLogs
-
-This cmdlet modifies *AADConnectProvisioningAgent.exe.config* to disable verbose tracing and restarts the AADConnectProvisioningAgent service. You can use `-SkipServiceRestart` to prevent service restart, but any configuration changes will not take effect.
-
-### Suspend-AADCloudSyncToolsJob
-
-This cmdlet pauses synchronization.
-
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
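Review bot: `Repair-AADCloudSyncToolsAccount` is documented as deleting the current sync account and resetting authentication with a new one, but the section gives no indication that the operation is destructive, whether it prompts before deleting, or what happens to synchronization between the delete and the new account being in place; the `> [!NOTE]` callout style already used above `Connect-AADCloudSyncTools` would fit, for example `> [!WARNING]` followed by the impact on a running sync job. Smaller points in the same hunk: `Invoke-AADCloudSyncToolsGraphQuery` refers to URI, method and body parameters without naming them or showing a call, and `Install-AADCloudSyncToolsPrerequisites` installs modules from the PowerShell Gallery yet the text does not say that version pinning or signature checking is applied, which is the detail an administrator running it on an agent host would want. No `+` lines appear here, so if this file is being relocated rather than deleted, apply these in the new location.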
active-directory Reference Version History https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/reference-version-history.md
- Title: 'Azure AD Connect cloud provisioning agent: Version release history'
-description: This article lists all releases of Azure AD Connect cloud provisioning agent and describes new features and fixed issues
------ Previously updated : 01/17/2023-----
-# Azure AD Connect cloud provisioning agent: Version release history
-
active-directory Tutorial Basic Ad Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/tutorial-basic-ad-azure.md
- Title: Tutorial - Basic Active Directory on-premises and Azure AD environment.-
-description: Learn how to create a basic AD and Azure AD environment.
----- Previously updated : 01/18/2023-----
-# Tutorial: Basic Active Directory environment
-
-This tutorial walks you through creating a basic Active Directory environment.
-
-![Diagram that shows a basic Azure A D environment.](media/tutorial-single-forest/diagram-2.png)
-
-You can use the environment you create in the tutorial to test various aspects of hybrid identity scenarios and will be a prerequisite for some of the tutorials. If you already have an existing Active Directory environment you can use that as a substitute. This information is provided for individuals who may be starting from nothing.
-
-This tutorial consists of
-## Prerequisites
-The following are prerequisites required for completing this tutorial
-- A computer with [Hyper-V](/windows-server/virtualization/hyper-v/hyper-v-technology-overview) installed. It's suggested to do this on either a [Windows 10](/virtualization/hyper-v-on-windows/about/supported-guest-os) or a [Windows Server 2016](/windows-server/virtualization/hyper-v/supported-windows-guest-operating-systems-for-hyper-v-on-windows) computer.-- An [external network adapter](/virtualization/hyper-v-on-windows/quick-start/connect-to-network) to allow the virtual machine to communicate with the internet.-- An [Azure subscription](https://azure.microsoft.com/free)-- A copy of Windows Server 2016-- [Microsoft .NET framework 4.7.1](https://dotnet.microsoft.com/download/dotnet-framework/net471)-
-> [!NOTE]
-> This tutorial uses PowerShell scripts so that you can create the tutorial environment in the quickest amount of time. Each of the scripts uses variables that are declared at the beginning of the scripts. You can and should change the variables to reflect your environment.
->
->The scripts used create a general Active Directory environment prior to installing the Azure AD Connect cloud provisioning agent. They are relevant for all of the tutorials.
->
-> Copies of the PowerShell scripts that are used in this tutorial are available on GitHub [here](https://github.com/billmath/tutorial-phs).
-
-## Create a virtual machine
-The first thing that you need to do, in order to get our hybrid identity environment up and running is to create a virtual machine that will be used as our on-premises Active Directory server. Do the following:
-
-1. Open up the PowerShell ISE as Administrator.
-2. Run the following script.
-
- ```powershell
- #Declare variables
- $VMName = 'DC1'
- $Switch = 'External'
- $InstallMedia = 'D:\ISO\en_windows_server_2016_updated_feb_2018_x64_dvd_11636692.iso'
- $Path = 'D:\VM'
- $VHDPath = 'D:\VM\DC1\DC1.vhdx'
- $VHDSize = '64424509440'
-
- #Create New Virtual Machine
- New-VM -Name $VMName -MemoryStartupBytes 16GB -BootDevice VHD -Path $Path -NewVHDPath $VHDPath -NewVHDSizeBytes $VHDSize -Generation 2 -Switch $Switch
-
- #Set the memory to be non-dynamic
- Set-VMMemory $VMName -DynamicMemoryEnabled $false
-
- #Add DVD Drive to Virtual Machine
- Add-VMDvdDrive -VMName $VMName -ControllerNumber 0 -ControllerLocation 1 -Path $InstallMedia
-
- #Mount Installation Media
- $DVDDrive = Get-VMDvdDrive -VMName $VMName
-
- #Configure Virtual Machine to Boot from DVD
- Set-VMFirmware -VMName $VMName -FirstBootDevice $DVDDrive
- ```
-
-## Complete the operating system deployment
-In order to finish building the virtual machine, you need to finish the operating system installation.
-
-1. Hyper-V Manager, double-click on the virtual machine
-2. Click on the Start button.
-3. You'll be prompted to ΓÇÿPress any key to boot from CD or DVDΓÇÖ. Go ahead and do so.
-4. On the Windows Server start up screen select your language and click **Next**.
-5. Click **Install Now**.
-6. Enter your license key and click **Next**.
-7. Check **I accept the license terms and click **Next**.
-8. Select **Custom: Install Windows Only (Advanced)**
-9. Click **Next**
-10. Once the installation has completed, restart the virtual machine, sign-in and run Windows updates to ensure the VM is the most up-to-date. Install the latest updates.
-
-## Install Active Directory prerequisites
-Now that you have a virtual machine up, you need to do a few things prior to installing Active Directory. That is, you need to rename the virtual machine, set a static IP address and DNS information, and install the Remote Server Administration tools. Do the following:
-
-1. Open up the PowerShell ISE as Administrator.
-2. Run the following script.
-
- ```powershell
- #Declare variables
- $ipaddress = "10.0.1.117"
- $ipprefix = "24"
- $ipgw = "10.0.1.1"
- $ipdns = "10.0.1.117"
- $ipdns2 = "8.8.8.8"
- $ipif = (Get-NetAdapter).ifIndex
- $featureLogPath = "c:\poshlog\featurelog.txt"
- $newname = "DC1"
- $addsTools = "RSAT-AD-Tools"
-
- #Set static IP address
- New-NetIPAddress -IPAddress $ipaddress -PrefixLength $ipprefix -InterfaceIndex $ipif -DefaultGateway $ipgw
-
- # Set the DNS servers
- Set-DnsClientServerAddress -InterfaceIndex $ipif -ServerAddresses ($ipdns, $ipdns2)
-
- #Rename the computer
- Rename-Computer -NewName $newname -force
-
- #Install features
- New-Item $featureLogPath -ItemType file -Force
- Add-WindowsFeature $addsTools
- Get-WindowsFeature | Where installed >>$featureLogPath
-
- #Restart the computer
- Restart-Computer
- ```
-
-## Create a Windows Server AD environment
-Now that you have the VM created and it has been renamed and has a static IP address, you can go ahead and install and configure Active Directory Domain Services. Do the following:
-
-1. Open up the PowerShell ISE as Administrator.
-2. Run the following script.
-
- ```powershell
- #Declare variables
- $DatabasePath = "c:\windows\NTDS"
- $DomainMode = "WinThreshold"
- $DomainName = "contoso.com"
- $DomaninNetBIOSName = "CONTOSO"
- $ForestMode = "WinThreshold"
- $LogPath = "c:\windows\NTDS"
- $SysVolPath = "c:\windows\SYSVOL"
- $featureLogPath = "c:\poshlog\featurelog.txt"
- $Password = "Pass1w0rd"
- $SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
-
- #Install AD DS, DNS and GPMC
- start-job -Name addFeature -ScriptBlock {
- Add-WindowsFeature -Name "ad-domain-services" -IncludeAllSubFeature -IncludeManagementTools
- Add-WindowsFeature -Name "dns" -IncludeAllSubFeature -IncludeManagementTools
- Add-WindowsFeature -Name "gpmc" -IncludeAllSubFeature -IncludeManagementTools }
- Wait-Job -Name addFeature
- Get-WindowsFeature | Where installed >>$featureLogPath
-
- #Create New AD Forest
- Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath $DatabasePath -DomainMode $DomainMode -DomainName $DomainName -SafeModeAdministratorPassword $SecureString -DomainNetbiosName $DomainNetBIOSName -ForestMode $ForestMode -InstallDns:$true -LogPath $LogPath -NoRebootOnCompletion:$false -SysvolPath $SysVolPath -Force:$true
- ```
-
-## Create a Windows Server AD user
-Now that you have our Active Directory environment, you need to a test account. This account will be created in our on-premises AD environment and then synchronized to Azure AD. Do the following:
-
-1. Open up the PowerShell ISE as Administrator.
-2. Run the following script.
-
- ```powershell
- # Filename: 4_CreateUser.ps1
- # Description: Creates a user in Active Directory. This is part of
- # the Azure AD Connect password hash sync tutorial.
- #
- # DISCLAIMER:
- # Copyright (c) Microsoft Corporation. All rights reserved. This
- # script is made available to you without any express, implied or
- # statutory warranty, not even the implied warranty of
- # merchantability or fitness for a particular purpose, or the
- # warranty of title or non-infringement. The entire risk of the
- # use or the results from the use of this script remains with you.
- #
- #
- #
- #
- #Declare variables
- $Givenname = "Allie"
- $Surname = "McCray"
- $Displayname = "Allie McCray"
- $Name = "amccray"
- $Password = "Pass1w0rd"
- $Identity = "CN=ammccray,CN=Users,DC=contoso,DC=com"
- $SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
--
- #Create the user
- New-ADUser -Name $Name -GivenName $Givenname -Surname $Surname -DisplayName $Displayname -AccountPassword $SecureString
-
- #Set the password to never expire
- Set-ADUser -Identity $Identity -PasswordNeverExpires $true -ChangePasswordAtLogon $false -Enabled $true
- ```
--
-## Create an Azure AD tenant
-Now you need to create an Azure AD tenant so that you can synchronize our users to the cloud. To create a new Azure AD tenant, do the following.
-
-1. Browse to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.
-2. Select the **plus icon (+)** and search for **Azure Active Directory**.
-3. Select **Azure Active Directory** in the search results.
-4. Select **Create**.</br>
-![Screenshot that shows the Azure Active Directory page in the Azure portal.](media/tutorial-single-forest/create-1.png)</br>
-5. Provide a **name for the organization** along with the **initial domain name**. Then select **Create**. This will create your directory.
-6. Once this has completed, click the **here** link, to manage the directory.
-
-## Create a global administrator in Azure AD
-Now that you have an Azure AD tenant, you'll create a global administrator account. To create the global administrator account do the following.
-
-1. Under **Manage**, select **Users**.</br>
-![Screenshot that shows the "Overview" menu with "Users" selected.](media/tutorial-single-forest/administrator-1.png)</br>
-2. Select **All users** and then select **+ New user**.
-3. Provide a name and username for this user. This will be your Global Administrator for the tenant. You'll also want to change the **Directory role** to **Global administrator.** You can also show the temporary password. When you're done, select **Create**.</br>
-![Create](media/tutorial-single-forest/administrator-2.png)</br>
-4. Once this has completed, open a new web browser and sign-in to myapps.microsoft.com using the new global administrator account and the temporary password.
-5. Change the password for the global administrator to something that you'll remember.
-
-## Optional: Additional server and forest
-The following is an optional section that provides steps to creating an additional server and or forest. This can be used in some of the more advanced tutorials such as [Pilot for Azure AD Connect to cloud sync](tutorial-pilot-aadc-aadccp.md).
-
-If you only need an additional server, you can stop after the - **Create the virtual machine** step and join the server to the existing domain that was created above.
-
-### Create a virtual machine
-
-1. Open up the PowerShell ISE as Administrator.
-2. Run the following script.
-
- ```powershell
- # Filename: 1_CreateVM_CP.ps1
- # Description: Creates a VM to be used in the tutorial.
- #
- # DISCLAIMER:
- # Copyright (c) Microsoft Corporation. All rights reserved. #This script is made available to you without any express, implied or statutory warranty, not even the implied warranty of merchantability or fitness for a particular purpose, or the warranty of title or non-infringement. The entire risk of the use or the results from the use of this script remains with you.
- #
- #
- #
- #
- #Declare variables
- $VMName = 'CP1'
- $Switch = 'External'
- $InstallMedia = 'D:\ISO\en_windows_server_2016_updated_feb_2018_x64_dvd_11636692.iso'
- $Path = 'D:\VM'
- $VHDPath = 'D:\VM\CP1\CP1.vhdx'
- $VHDSize = '64424509440'
-
- #Create New Virtual Machine
- New-VM -Name $VMName -MemoryStartupBytes 16GB -BootDevice VHD -Path $Path -NewVHDPath $VHDPath -NewVHDSizeBytes $VHDSize -Generation 2 -Switch $Switch
-
- #Set the memory to be non-dynamic
- Set-VMMemory $VMName -DynamicMemoryEnabled $false
-
- #Add DVD Drive to Virtual Machine
- Add-VMDvdDrive -VMName $VMName -ControllerNumber 0 -ControllerLocation 1 -Path $InstallMedia
-
- #Mount Installation Media
- $DVDDrive = Get-VMDvdDrive -VMName $VMName
-
- #Configure Virtual Machine to Boot from DVD
- Set-VMFirmware -VMName $VMName -FirstBootDevice $DVDDrive
- ```
-
-### Complete the operating system deployment
-In order to finish building the virtual machine, you need to finish the operating system installation.
-
-1. Hyper-V Manager, double-click on the virtual machine
-2. Click on the Start button.
-3. You'll be prompted to ΓÇÿPress any key to boot from CD or DVDΓÇÖ. Go ahead and do so.
-4. On the Windows Server start up screen select your language and click **Next**.
-5. Click **Install Now**.
-6. Enter your license key and click **Next**.
-7. Check **I accept the license terms and click **Next**.
-8. Select **Custom: Install Windows Only (Advanced)**
-9. Click **Next**
-10. Once the installation has completed, restart the virtual machine, sign-in and run Windows updates to ensure the VM is the most up-to-date. Install the latest updates.
-
-### Install Active Directory prerequisites
-Now that you have a virtual machine up, you need to do a few things prior to installing Active Directory. That is, you need to rename the virtual machine, set a static IP address and DNS information, and install the Remote Server Administration tools. Do the following:
-
-1. Open up the PowerShell ISE as Administrator.
-2. Run the following script.
-
- ```powershell
- # Filename: 2_ADPrep_CP.ps1
- # Description: Prepares your environment for Active Directory. This is part of
- # the Azure AD Connect password hash sync tutorial.
- #
- # DISCLAIMER:
- # Copyright (c) Microsoft Corporation. All rights reserved. This
- # script is made available to you without any express, implied or
- # statutory warranty, not even the implied warranty of
- # merchantability or fitness for a particular purpose, or the
- # warranty of title or non-infringement. The entire risk of the
- # use or the results from the use of this script remains with you.
- #
- #
- #
- #
- #Declare variables
- $ipaddress = "10.0.1.118"
- $ipprefix = "24"
- $ipgw = "10.0.1.1"
- $ipdns = "10.0.1.118"
- $ipdns2 = "8.8.8.8"
- $ipif = (Get-NetAdapter).ifIndex
- $featureLogPath = "c:\poshlog\featurelog.txt"
- $newname = "CP1"
- $addsTools = "RSAT-AD-Tools"
-
- #Set static IP address
- New-NetIPAddress -IPAddress $ipaddress -PrefixLength $ipprefix -InterfaceIndex $ipif -DefaultGateway $ipgw
-
- #Set the DNS servers
- Set-DnsClientServerAddress -InterfaceIndex $ipif -ServerAddresses ($ipdns, $ipdns2)
-
- #Rename the computer
- Rename-Computer -NewName $newname -force
-
- #Install features
- New-Item $featureLogPath -ItemType file -Force
- Add-WindowsFeature $addsTools
- Get-WindowsFeature | Where installed >>$featureLogPath
-
- #Restart the computer
- Restart-Computer
- ```
-### Create a Windows Server AD environment
-Now that you have the VM created and it has been renamed and has a static IP address, you can go ahead and install and configure Active Directory Domain Services. Do the following:
-
-1. Open up the PowerShell ISE as Administrator.
-2. Run the following script.
-
- ```powershell
- # Filename: 3_InstallAD_CP.ps1
- # Description: Creates an on-premises AD environment. This is part of
- # the Azure AD Connect password hash sync tutorial.
- #
- # DISCLAIMER:
- # Copyright (c) Microsoft Corporation. All rights reserved. This
- # script is made available to you without any express, implied or
- # statutory warranty, not even the implied warranty of
- # merchantability or fitness for a particular purpose, or the
- # warranty of title or non-infringement. The entire risk of the
- # use or the results from the use of this script remains with you.
- #
- #
- #
- #
- #Declare variables
- $DatabasePath = "c:\windows\NTDS"
- $DomainMode = "WinThreshold"
- $DomainName = "fabrikam.com"
- $DomaninNetBIOSName = "FABRIKAM"
- $ForestMode = "WinThreshold"
- $LogPath = "c:\windows\NTDS"
- $SysVolPath = "c:\windows\SYSVOL"
- $featureLogPath = "c:\poshlog\featurelog.txt"
- $Password = "Pass1w0rd"
- $SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
-
- #Install AD DS, DNS and GPMC
- start-job -Name addFeature -ScriptBlock {
- Add-WindowsFeature -Name "ad-domain-services" -IncludeAllSubFeature -IncludeManagementTools
- Add-WindowsFeature -Name "dns" -IncludeAllSubFeature -IncludeManagementTools
- Add-WindowsFeature -Name "gpmc" -IncludeAllSubFeature -IncludeManagementTools }
- Wait-Job -Name addFeature
- Get-WindowsFeature | Where installed >>$featureLogPath
-
- #Create New AD Forest
- Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath $DatabasePath -DomainMode $DomainMode -DomainName $DomainName -SafeModeAdministratorPassword $SecureString -DomainNetbiosName $DomainNetBIOSName -ForestMode $ForestMode -InstallDns:$true -LogPath $LogPath -NoRebootOnCompletion:$false -SysvolPath $SysVolPath -Force:$true
- ```
-
-### Create a Windows Server AD user
-Now that you have our Active Directory environment, you need to a test account. This account will be created in our on-premises AD environment and then synchronized to Azure AD. Do the following:
-
-1. Open up the PowerShell ISE as Administrator.
-2. Run the following script.
-
- ```powershell
- # Filename: 4_CreateUser_CP.ps1
- # Description: Creates a user in Active Directory. This is part of
- # the Azure AD Connect password hash sync tutorial.
- #
- # DISCLAIMER:
- # Copyright (c) Microsoft Corporation. All rights reserved. This
- # script is made available to you without any express, implied or
- # statutory warranty, not even the implied warranty of
- # merchantability or fitness for a particular purpose, or the
- # warranty of title or non-infringement. The entire risk of the
- # use or the results from the use of this script remains with you.
- #
- #
- #
- #
- #Declare variables
- $Givenname = "Anna"
- $Surname = "Ringdal"
- $Displayname = "Anna Ringdal"
- $Name = "aringdal"
- $Password = "Pass1w0rd"
- $Identity = "CN=aringdal,CN=Users,DC=fabrikam,DC=com"
- $SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
--
- #Create the user
- New-ADUser -Name $Name -GivenName $Givenname -Surname $Surname -DisplayName $Displayname -AccountPassword $SecureString
-
- #Set the password to never expire
- Set-ADUser -Identity $Identity -PasswordNeverExpires $true -ChangePasswordAtLogon $false -Enabled $true
- ```
-
-## Conclusion
-Now you have an environment that can be used for existing tutorials and to test additional features cloud sync provides.
-
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
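Review bot: the forest scripts declare `$DomaninNetBIOSName = "CONTOSO"` (and `"FABRIKAM"` in the CP1 copy) but `Install-ADDSForest ... -DomainNetbiosName $DomainNetBIOSName` reads the undeclared `$DomainNetBIOSName`, so the declared value is never used (at best the cmdlet derives a name from `$DomainName`, at worst it fails parameter validation); if this content is being relocated rather than retired, fix the variable name on both sides. The first user script has a matching mismatch: `$Name = "amccray"` but `$Identity = "CN=ammccray,CN=Users,DC=contoso,DC=com"`, so `Set-ADUser -Identity $Identity` targets an object that `New-ADUser` never created (the CP1 copy, `aringdal`, is consistent). Two smaller points in the prep scripts: `$ipif = (Get-NetAdapter).ifIndex` returns an array when the VM has more than one adapter and `New-NetIPAddress -InterfaceIndex` will not bind it, so select the intended adapter; and `$ipdns2 = "8.8.8.8"` as the alternate resolver on a domain controller sends AD name lookups to a public server whenever the first entry is slow, which is a classic cause of join and replication failures, so point the alternate at loopback or a second DC. The hard-coded `$Password = "Pass1w0rd"` with `-AsPlainText -Force` and `-PasswordNeverExpires $true` on an account that is then synced to Azure AD is acceptable for a throwaway lab, but the text should say so rather than leave it as an unstated pattern.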
active-directory Tutorial Existing Forest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/tutorial-existing-forest.md
- Title: Tutorial - Integrate an existing forest and a new forest with a single Azure AD tenant using Azure AD Connect cloud sync.
-description: Learn how to add cloud sync to an existing hybrid identity environment.
------ Previously updated : 01/17/2023-----
-# Integrate an existing forest and a new forest with a single Azure AD tenant
-
-This tutorial walks you through adding cloud sync to an existing hybrid identity environment.
-
-![Diagram that shows the Azure AD Connect cloud sync flow.](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
-
-You can use the environment you create in this tutorial for testing or for getting more familiar with how a hybrid identity works.
-
-In this scenario, there's an existing forest synced using Azure AD Connect sync to an Azure AD tenant. And you have a new forest that you want to sync to the same Azure AD tenant. You'll set up cloud sync for the new forest.
-
-## Prerequisites
-### In the Azure portal
-
-1. Create a cloud-only global administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only global administrator account](../fundamentals/add-users-azure-active-directory.md). Completing this step is critical to ensure that you don't get locked out of your tenant.
-2. Add one or more [custom domain names](../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.
-
-### In your on-premises environment
-
-1. Identify a domain-joined host server running Windows Server 2012 R2 or greater with minimum of 4-GB RAM and .NET 4.7.1+ runtime
-
-2. If there's a firewall between your servers and Azure AD, configure the following items:
- - Ensure that agents can make *outbound* requests to Azure AD over the following ports:
-
- | Port number | How it's used |
- | | |
- | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate |
- | **443** | Handles all outbound communication with the service |
- | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure portal. |
-
- If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
- - If your firewall or proxy allows you to specify safe suffixes, then add connections to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
- - Your agents need access to **login.windows.net** and **login.microsoftonline.com** for initial registration. Open your firewall for those URLs as well.
- - For certificate validation, unblock the following URLs: **mscrl.microsoft.com:80**, **crl.microsoft.com:80**, **ocsp.msocsp.com:80**, and **www\.microsoft.com:80**. Since these URLs are used for certificate validation with other Microsoft products, you may already have these URLs unblocked.
-
-## Install the Azure AD Connect provisioning agent
-
-If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1. To install the agent, follow these steps:
---
-## Verify agent installation
--
-## Configure Azure AD Connect cloud sync
- Use the following steps to configure provisioning
-
-1. Sign in to the Azure portal.
-2. Select **Azure Active Directory**
-3. Select **Azure AD Connect**
-4. Select **Manage cloud sync**
-
- ![Screenshot showing "Manage cloud sync" link.](media/how-to-configure/manage-1.png)
-
-5. Select **New Configuration**
-
- ![Screenshot of Azure AD Connect cloud sync screen with "New configuration" link highlighted.](media/tutorial-single-forest/configure-1.png)
-
-7. On the configuration screen, enter a **Notification email**, move the selector to **Enable** and select **Save**.
-
- ![Screenshot of Configure screen with Notification email filled in and Enable selected.](media/how-to-configure/configure-2.png)
-
-1. The configuration status should now be **Healthy**.
-
- ![Screenshot of Azure AD Connect cloud sync screen showing Healthy status.](media/how-to-configure/manage-4.png)
-
-## Verify users are created and synchronization is occurring
-
-You'll now verify that the users that you had in our on-premises directory have been synchronized and now exist in our Azure AD tenant. This process may take a few hours to complete. To verify users are synchronized, do the following:
--
-1. Browse to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.
-2. On the left, select **Azure Active Directory**
-3. Under **Manage**, select **Users**.
-4. Verify that you see the new users in our tenant
-
-## Test signing in with one of our users
-
-1. Browse to [https://myapps.microsoft.com](https://myapps.microsoft.com)
-2. Sign in with a user account that was created in our new tenant. You'll need to sign in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign in on-premises.
-
- ![Screenshot that shows the my apps portal with a signed in users.](media/tutorial-single-forest/verify-1.png)
-
-You have now successfully set up a hybrid identity environment that you can use to test and familiarize yourself with what Azure has to offer.
-
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
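Review bot: the on-premises prerequisite here says `Windows Server 2012 R2 or greater` for the provisioning agent host, while the pilot tutorial in the same change requires `Windows Server 2016 or later` and the single-forest tutorial says `Windows Server 2016 or greater`; the three should agree, and 2016 is the stricter figure. The `Install the Azure AD Connect provisioning agent` and `Verify agent installation` headings carry no steps in this diff (only `--` and `-` follow them), so either a shared include was dropped from the patch or the sections were always empty; either way `it would be DC1` points at nothing the reader can follow. The numbered list under `Configure Azure AD Connect cloud sync` runs 1 to 5, then 7, then 1, so an item was lost or the numbers need redoing. Finally, `Test signing in` tells the reader to use the same password the user has on-premises, which only holds when password hash sync is on; the configure step here never mentions that choice (the pilot tutorial's does: `select your domain and whether to enable password hash sync`), so state it in the prerequisites or the configure step.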
active-directory Tutorial Pilot Aadc Aadccp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/tutorial-pilot-aadc-aadccp.md
- Title: Tutorial - Migrate to Azure AD Connect cloud sync for an existing synced AD forest
-description: Learn how to pilot cloud sync for a test Active Directory forest that is already synced using Azure Active Directory (Azure AD) Connect sync.
------ Previously updated : 01/23/2023------
-# Migrate to Azure AD Connect cloud sync for an existing synced AD forest
-
-This tutorial walks you through how you would migrate to cloud sync for a test Active Directory forest that is already synced using Azure Active Directory (Azure AD) Connect sync.
-
-> [!NOTE]
-> This article provides information for a basic migration and you should review the [Migrating to cloud sync](migrate-azure-ad-connect-to-cloud-sync.md) documentation before attempting to migrate your production environment.
-
-![Diagram that shows the Azure AD Connect cloud sync flow.](media/tutorial-migrate-aadc-aadccp/diagram-2.png)
-
-## Considerations
-
-Before you try this tutorial, consider the following items:
-
- 1. Ensure that you're familiar with basics of cloud sync.
- 2. Ensure that you're running Azure AD Connect sync version 1.4.32.0 or later and have configured the sync rules as documented.
- 3. When piloting, you'll be removing a test OU or group from Azure AD Connect sync scope. Moving objects out of scope leads to deletion of those objects in Azure AD.
-
- - User objects, the objects in Azure AD are soft-deleted and can be restored.
- - Group objects, the objects in Azure AD are hard-deleted and can't be restored.
-
- A new link type has been introduced in Azure AD Connect sync, which will prevent the deletion in a piloting scenario.
-
- 4. Ensure that the objects in the pilot scope have ms-ds-consistencyGUID populated so cloud sync hard matches the objects.
-
- > [!NOTE]
- > Azure AD Connect sync does not populate *ms-ds-consistencyGUID* by default for group objects.
-
- 5. This configuration is for advanced scenarios. Ensure that you follow the steps documented in this tutorial precisely.
-
-## Prerequisites
-
-The following are prerequisites required for completing this tutorial
--- A test environment with Azure AD Connect sync version 1.4.32.0 or later-- An OU or group that is in scope of sync and can be used the pilot. We recommend starting with a small set of objects.-- A server running Windows Server 2016 or later that will host the provisioning agent.-- Source anchor for Azure AD Connect sync should be either *objectGuid* or *ms-ds-consistencyGUID*-
-## Update Azure AD Connect
-
-As a minimum, you should have [Azure AD connect](https://www.microsoft.com/download/details.aspx?id=47594) 1.4.32.0. To update Azure AD Connect sync, complete the steps in [Azure AD Connect: Upgrade to the latest version](../hybrid/how-to-upgrade-previous-version.md).
-
-## Back up your Azure AD Connect configuration
-Before making any changes, you should back up your Azure AD Connect configuration. This way, you can roll back to your previous configuration. See [Import and export Azure AD Connect configuration settings](../hybrid/how-to-connect-import-export-config.md) for more information.
-
-## Stop the scheduler
-
-Azure AD Connect sync synchronizes changes occurring in your on-premises directory using a scheduler. In order to modify and add custom rules, you want to disable the scheduler so that synchronizations won't run while you're working making the changes. To stop the scheduler, use the following steps:
-
-1. On the server that is running Azure AD Connect sync open PowerShell with Administrative Privileges.
-2. Run `Stop-ADSyncSyncCycle`. Hit Enter.
-3. Run `Set-ADSyncScheduler -SyncCycleEnabled $false`.
-
->[!NOTE]
->If you are running your own custom scheduler for Azure AD Connect sync, then please disable the scheduler.
-
-## Create custom user inbound rule
-In the Azure AD Connect Synchronization Rules editor, you need to create an inbound sync rule that filters out users in the OU you identified previously. The inbound sync rule is a join rule with a target attribute of cloudNoFlow. This rule tells Azure AD Connect not to synchronize attributes for these users. For more information, see [Migrating to cloud sync](migrate-azure-ad-connect-to-cloud-sync.md) documentation before attempting to migrate your production environment.
-
- 1. Launch the synchronization editor from the application menu in desktop as shown below:
-
- ![Screenshot of the synchronization rule editor menu.](media/tutorial-migrate-aadc-aadccp/user-8.png)
-
- 2. Select **Inbound** from the drop-down list for Direction and select **Add new rule**.
-
- ![Screenshot that shows the "View and manage your synchronization rules" window with "Inbound" and the "Add new rule" button selected.](media/tutorial-migrate-aadc-aadccp/user-1.png)
-
- 3. On the **Description** page, enter the following and select **Next**:
-
- - **Name:** Give the rule a meaningful name
- - **Description:** Add a meaningful description
- - **Connected System:** Choose the AD connector that you're writing the custom sync rule for
- - **Connected System Object Type:** User
- - **Metaverse Object Type:** Person
- - **Link Type:** Join
- - **Precedence:** Provide a value that is unique in the system
- - **Tag:** Leave this empty
-
- ![Screenshot that shows the "Create inbound synchronization rule - Description" page with values entered.](media/tutorial-migrate-aadc-aadccp/user-2.png)
-
- 4. On the **Scoping filter** page, enter the OU or security group that you want the pilot based off. To filter on OU, add the OU portion of the distinguished name. This rule will be applied to all users who are in that OU. So, if DN ends with "OU=CPUsers,DC=contoso,DC=com, you would add this filter. Then select **Next**.
-
- |Rule|Attribute|Operator|Value|
- |--|-|-|--|
- |Scoping OU|DN|ENDSWITH|Distinguished name of the OU.|
- |Scoping group||ISMEMBEROF|Distinguished name of the security group.|
-
- ![Screenshot that shows the **Create inbound synchronization rule - Scoping filter** page with a scoping filter value entered.](media/tutorial-migrate-aadc-aadccp/user-3.png)
-
- 5. On the **Join** rules page, select **Next**.
- 6. On the **Transformations** page, add a Constant transformation: flow True to cloudNoFlow attribute. Select **Add**.
-
- ![Screenshot that shows the **Create inbound synchronization rule - Transformations** page with a **Constant transformation** flow added.](media/tutorial-migrate-aadc-aadccp/user-4.png)
-
-Same steps need to be followed for all object types (user, group and contact). Repeat steps per configured AD Connector / per AD forest.
-
-## Create custom user outbound rule
-You'll also need an outbound sync rule with a link type of JoinNoFlow and the scoping filter that has the cloudNoFlow attribute set to True. This rule tells Azure AD Connect not to synchronize attributes for these users. For more information, see [Migrating to cloud sync](migrate-azure-ad-connect-to-cloud-sync.md) documentation before attempting to migrate your production environment.
-
- 1. Select **Outbound** from the drop-down list for Direction and select **Add rule**.
-
- ![Screenshot that shows the **Outbound** Direction selected and the **Add new rule** button highlighted.](media/tutorial-migrate-aadc-aadccp/user-5.png)
-
- 2. On the **Description** page, enter the following and select **Next**:
-
- - **Name:** Give the rule a meaningful name
- - **Description:** Add a meaningful description
- - **Connected System:** Choose the Azure AD connector that you're writing the custom sync rule for
- - **Connected System Object Type:** User
- - **Metaverse Object Type:** Person
- - **Link Type:** JoinNoFlow
- - **Precedence:** Provide a value that is unique in the system<br>
- - **Tag:** Leave this empty
-
- ![Screenshot that shows the **Description** page with properties entered.](media/tutorial-migrate-aadc-aadccp/user-6.png)
-
- 3. On the **Scoping filter** page, choose **cloudNoFlow** equal **True**. Then select **Next**.
-
- ![Screenshot that shows a custom rule.](media/tutorial-migrate-aadc-aadccp/user-7.png)
-
- 4. On the **Join** rules page, select **Next**.
- 5. On the **Transformations** page, select **Add**.
-
-Same steps need to be followed for all object types (user, group and contact).
-
-## Install the Azure AD Connect provisioning agent
-
-If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be CP1. To install the agent, follow these steps:
--
-## Verify agent installation
--
-## Configure Azure AD Connect cloud sync
-
-Use the following steps to configure provisioning:
-
- 1. In the Azure portal, select **Azure Active Directory**.
- 2. On the left, select **Azure AD Connect**.
- 3. On the left, select **Cloud sync**.
-
- :::image type="content" source="media/how-to-on-demand-provision/new-ux-1.png" alt-text="Screenshot of new UX cloud sync screen." lightbox="media/how-to-on-demand-provision/new-ux-1.png":::
-
- 4. Select **New configuration**.
- :::image type="content" source="media/how-to-configure/new-ux-configure-1.png" alt-text="Screenshot of adding a configuration." lightbox="media/how-to-configure/new-ux-configure-1.png":::
- 5. On the configuration screen, select your domain and whether to enable password hash sync. Click **Create**.
-
- :::image type="content" source="media/how-to-configure/new-ux-configure-2.png" alt-text="Screenshot of a new configuration." lightbox="media/how-to-configure/new-ux-configure-2.png":::
-
- 6. The **Get started** screen will open.
-
- :::image type="content" source="media/how-to-configure/new-ux-configure-3.png" alt-text="Screenshot of the getting started screen." lightbox="media/how-to-configure/new-ux-configure-3.png":::
-
- 7. On the **Get started** screen, click either **Add scoping filters** next to the **Add scoping filters** icon or on the click **Scoping filters** on the left under **Manage**.
-
- :::image type="content" source="media/how-to-configure/new-ux-configure-5.png" alt-text="Screenshot of scoping filters." lightbox="media/how-to-configure/new-ux-configure-5.png":::
-
- 8. Select the scoping filter. For this tutorial select:
- - **Selected organizational units**: Scopes the configuration to apply to specific OUs.
- 9. In the box, enter "OU=CPUsers,DC=contoso,DC=com".
-
- :::image type="content" source="media/tutorial-migrate-aadc-aadccp/configure-1.png" alt-text="Screenshot of the scoping filter." lightbox="media/tutorial-migrate-aadc-aadccp/configure-1.png":::
-
- 10. Click **Add**. Click **Save**.
----
-
-
-## Start the scheduler
-
-Azure AD Connect sync synchronizes changes occurring in your on-premises directory using a scheduler. Now that you've modified the rules, you can restart the scheduler. Use the following steps:
-
-1. On the server that is running Azure AD Connect sync open PowerShell with Administrative Privileges
-2. Run `Set-ADSyncScheduler -SyncCycleEnabled $true`.
-3. Run `Start-ADSyncSyncCycle`, then press <kbd>Enter</kbd>.
-
-> [!NOTE]
-> If you are running your own custom scheduler for Azure AD Connect sync, then please enable the scheduler.
-
-Once the scheduler is enabled, Azure AD Connect will stop exporting any changes on objects with `cloudNoFlow=true` in the metaverse, unless any reference attribute (such as `manager`) is being updated. In case there's any reference attribute update on the object, Azure AD Connect will ignore the `cloudNoFlow` signal and export all updates on the object.
-
-## Something went wrong
-
-In case the pilot doesn't work as expected, you can go back to the Azure AD Connect sync setup by following the steps below:
-
-1. Disable provisioning configuration in the Azure portal.
-2. Disable all the custom sync rules created for Cloud Provisioning using the Sync Rule Editor tool. Disabling should cause full sync on all the connectors.
-
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
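Review bot: the agent host and the pilot OU come from different forests: `it would be CP1` refers to the optional server from the basic environment tutorial, which that tutorial promotes as a domain controller for `fabrikam.com`, while the scoping filter entered here is `OU=CPUsers,DC=contoso,DC=com`. Say explicitly either that CP1 must be the member-server variant joined to contoso.com (the `stop after Create the virtual machine` path) or which contoso.com credentials the agent wizard is given, otherwise the pilot scopes an OU the agent cannot see. Related: the basic tutorial creates its test users in `CN=Users` with no `-Path`, so the text should note that the `CPUsers` OU has to be created and populated before either sync engine can match anything in it; and the inbound scoping example has an unbalanced quote, `"OU=CPUsers,DC=contoso,DC=com,`. On the rollback steps, the order given (disable the provisioning configuration, then disable the custom rules) is the only safe one, because re-enabling the Azure AD Connect flow while cloud sync still owns the objects would have both engines exporting to the same accounts; a sentence saying why would stop readers from reversing it.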
active-directory Tutorial Single Forest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/tutorial-single-forest.md
- Title: Tutorial - Integrate a single forest with a single Azure AD tenant
-description: This topic describes the pre-requisites and the hardware requirements cloud sync.
------ Previously updated : 01/17/2023-----
-# Tutorial: Integrate a single forest with a single Azure AD tenant
-
-This tutorial walks you through creating a hybrid identity environment using Azure Active Directory (Azure AD) Connect cloud sync.
-
-![Diagram that shows the Azure AD Connect cloud sync flow.](media/tutorial-single-forest/diagram-2.png)
-
-You can use the environment you create in this tutorial for testing or for getting more familiar with cloud sync.
-
-## Prerequisites
-
-### In the Azure portal
-
-1. Create a cloud-only global administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only global administrator account](../fundamentals/add-users-azure-active-directory.md). Completing this step is critical to ensure that you don't get locked out of your tenant.
-2. Add one or more [custom domain names](../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.
-
-### In your on-premises environment
-
-1. Identify a domain-joined host server running Windows Server 2016 or greater with minimum of 4-GB RAM and .NET 4.7.1+ runtime
-
-2. If there's a firewall between your servers and Azure AD, configure the following items:
- - Ensure that agents can make *outbound* requests to Azure AD over the following ports:
-
- | Port number | How it's used |
- | | |
- | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate |
- | **443** | Handles all outbound communication with the service |
- | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure portal. |
-
- If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
- - If your firewall or proxy allows you to specify safe suffixes, then add connections t to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
- - Your agents need access to **login.windows.net** and **login.microsoftonline.com** for initial registration. Open your firewall for those URLs as well.
- - For certificate validation, unblock the following URLs: **mscrl.microsoft.com:80**, **crl.microsoft.com:80**, **ocsp.msocsp.com:80**, and **www\.microsoft.com:80**. Since these URLs are used for certificate validation with other Microsoft products, you may already have these URLs unblocked.
-
-## Install the Azure AD Connect provisioning agent
-
-If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1. To install the agent, follow these steps:
--
-## Verify agent installation
--
-## Configure Azure AD Connect cloud sync
-
-Use the following steps to configure and start the provisioning:
-
-1. Sign in to the Azure portal.
-1. Select **Azure Active Directory**
-1. Select **Azure AD Connect**
-1. Select **Manage cloud sync**
-
- ![Screenshot showing "Manage cloud sync" link.](media/how-to-configure/manage-1.png)
-
-1. Select **New Configuration**
-
- [![Screenshot of Azure AD Connect cloud sync screen with "New configuration" link highlighted.](media/tutorial-single-forest/configure-1.png)](media/tutorial-single-forest/configure-1.png#lightbox)
-
-1. On the configuration screen, enter a **Notification email**, move the selector to **Enable** and select **Save**.
-
- [![Screenshot of Configure screen with Notification email filled in and Enable selected.](media/how-to-configure/configure-2.png)](media/how-to-configure/configure-2.png#lightbox)
-
-1. The configuration status should now be **Healthy**.
-
- [![Screenshot of Azure AD Connect cloud sync screen showing Healthy status.](media/how-to-configure/manage-4.png)](media/how-to-configure/manage-4.png#lightbox)
-
-## Verify users are created and synchronization is occurring
-
-You'll now verify that the users that you had in your on-premises directory have been synchronized and now exist in your Azure AD tenant. The sync operation may take a few hours to complete. To verify users are synchronized, follow these steps:
--
-1. Browse to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.
-2. On the left, select **Azure Active Directory**
-3. Under **Manage**, select **Users**.
-4. Verify that the new users appear in your tenant
-
-## Test signing in with one of your users
-
-1. Browse to [https://myapps.microsoft.com](https://myapps.microsoft.com)
-
-1. Sign in with a user account that was created in your tenant. You'll need to sign in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign in on-premises.
-
- ![Screenshot that shows the my apps portal with a signed in users.](media/tutorial-single-forest/verify-1.png)
-
-You've now successfully configured a hybrid identity environment using Azure AD Connect cloud sync.
-
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [What is Azure AD Connect cloud provisioning?](what-is-cloud-sync.md)
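Review bot: if this tutorial is moving rather than being retired, carry over the fixes the removed text still needs: the firewall bullet reads `add connections t to **\*.msappproxy.net**` (stray `t`); the `Install the Azure AD Connect provisioning agent` and `Verify agent installation` sections contain only a lead sentence and a bare `-` line where the shared include should appear; the port table's separator row `| | |` is not a valid markdown header separator, so the table will not render; and the final `Next steps` link text `What is Azure AD Connect cloud provisioning?` does not match the target article's title `What is Azure AD Connect cloud sync?`.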
active-directory What Is Cloud Sync https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/what-is-cloud-sync.md
- Title: 'What is Azure AD Connect cloud sync?'
-description: Describes Azure AD Connect cloud sync.
------ Previously updated : 01/17/2023-----
-# What is Azure AD Connect cloud sync?
-Azure AD Connect cloud sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Azure AD. It accomplishes this by using the Azure AD cloud provisioning agent instead of the Azure AD Connect application. However, it can be used alongside Azure AD Connect sync and it provides the following benefits:
-
-- Support for synchronizing to an Azure AD tenant from a multi-forest disconnected Active Directory forest environment: The common scenarios include merger & acquisition (where the acquired company's AD forests are isolated from the parent company's AD forests), and companies that have historically had multiple AD forests.-- Simplified installation with light-weight provisioning agents: The agents act as a bridge from AD to Azure AD, with all the sync configuration managed in the cloud. -- Multiple provisioning agents can be used to simplify high availability deployments, particularly critical for organizations relying upon password hash synchronization from AD to Azure AD.-- Support for large groups with up to 50,000 members. It's recommended to use only the OU scoping filter when synchronizing large groups.-
-![What is Azure AD Connect](media/what-is-cloud-sync/architecture-1.png)
-
-## How is Azure AD Connect cloud sync different from Azure AD Connect sync?
-With Azure AD Connect cloud sync, provisioning from AD to Azure AD is orchestrated in Microsoft Online Services. An organization only needs to deploy, in their on-premises or IaaS-hosted environment, a light-weight agent that acts as a bridge between Azure AD and AD. The provisioning configuration is stored in Azure AD and managed as part of the service.
-
-## Azure AD Connect cloud sync video
-The following short video provides an excellent overview of Azure AD Connect cloud sync:
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWJ8l5]
--
-## Comparison between Azure AD Connect and cloud sync
-
-The following table provides a comparison between Azure AD Connect and Azure AD Connect cloud sync:
-
-| Feature | Azure Active Directory Connect sync| Azure Active Directory Connect cloud sync |
-|: |::|::|
-|Connect to single on-premises AD forest|ΓùÅ |ΓùÅ |
-| Connect to multiple on-premises AD forests |ΓùÅ |ΓùÅ |
-| Connect to multiple disconnected on-premises AD forests | |ΓùÅ |
-| Lightweight agent installation model | |ΓùÅ |
-| Multiple active agents for high availability | |ΓùÅ |
-| Connect to LDAP directories|ΓùÅ| |
-| Support for user objects |ΓùÅ |ΓùÅ |
-| Support for group objects |ΓùÅ |ΓùÅ |
-| Support for contact objects |ΓùÅ |ΓùÅ |
-| Support for device objects |ΓùÅ | |
-| Allow basic customization for attribute flows |ΓùÅ |ΓùÅ |
-| Synchronize Exchange online attributes |ΓùÅ |ΓùÅ |
-| Synchronize extension attributes 1-15 |ΓùÅ |ΓùÅ |
-| Synchronize customer defined AD attributes (directory extensions) |ΓùÅ|ΓùÅ|
-| Support for Password Hash Sync |ΓùÅ|ΓùÅ|
-| Support for Pass-Through Authentication |ΓùÅ||
-| Support for federation |ΓùÅ|ΓùÅ|
-| Seamless Single Sign-on|ΓùÅ |ΓùÅ|
-| Supports installation on a Domain Controller |ΓùÅ |ΓùÅ |
-| Support for Windows Server 2016|ΓùÅ |ΓùÅ |
-| Filter on Domains/OUs/groups |ΓùÅ |ΓùÅ |
-| Filter on objects' attribute values |ΓùÅ | |
-| Allow minimal set of attributes to be synchronized (MinSync) |ΓùÅ |ΓùÅ |
-| Allow removing attributes from flowing from AD to Azure AD |ΓùÅ |ΓùÅ |
-| Allow advanced customization for attribute flows |ΓùÅ | |
-| Support for password writeback |ΓùÅ |ΓùÅ |
-| Support for device writeback|ΓùÅ |Customers should use [Cloud Kerberos trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust?tabs=intune) for this moving forward|
-| Support for group writeback|ΓùÅ | |
-| Support for merging user attributes from multiple domains|ΓùÅ | |
-| Azure AD Domain Services support|ΓùÅ | |
-| [Exchange hybrid writeback](../hybrid/reference-connect-sync-attributes-synchronized.md#exchange-hybrid-writeback) |ΓùÅ | |
-| Unlimited number of objects per AD domain |ΓùÅ | |
-| Support for up to 150,000 objects per AD domain |ΓùÅ |ΓùÅ |
-| Groups with up to 50,000 members |ΓùÅ |ΓùÅ |
-| Large groups with up to 250,000 members |ΓùÅ | |
-| Cross domain references|ΓùÅ |ΓùÅ |
-| On-demand provisioning| |ΓùÅ |
-| Support for US Government|ΓùÅ |ΓùÅ |
-
-## Next steps
--- [What is provisioning?](what-is-provisioning.md)-- [Install cloud sync](how-to-install.md)
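Review bot: the comparison table in the removed text renders every check mark as `ΓùÅ`, which is the UTF-8 `●` bullet decoded in the wrong code page, and the benefits list near the top is collapsed onto a single line with `--` run between items; if this article is relocated, re-save it as UTF-8 and restore the list breaks rather than copying the mojibake forward. The `Support for device writeback` row also mixes a capability marker with a prose recommendation (`Customers should use Cloud Kerberos trust ...`), which reads better as a footnote so the column stays a plain yes/no.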
active-directory What Is Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/cloud-sync/what-is-provisioning.md
- Title: 'What is identity provisioning with Azure AD?'
-description: Describes overview of identity provisioning.
------ Previously updated : 01/17/2023-----
-# What is identity provisioning?
-
-Today, businesses, and corporations are becoming more and more a mixture of on-premises and cloud applications. Users require access to applications both on-premises and in the cloud. There is need to have a single identity across these various applications (on-premises as well as cloud).
-
-Provisioning is the process of creating an object based on certain conditions, keeping the object up to date and deleting the object when conditions are no longer met. For example, when a new user joins your organization, that user is entered in to the HR system. At that point, provisioning can create a corresponding user account in the cloud, in Active Directory, and different applications that the user needs access to. This allows the user to start work and have access to the applications and systems they need on day one.
-
-![Diagram that shows cloud provisioning with Azure Active Directory.](media/what-is-provisioning/cloud-1.png)
-
-With regard to Azure Active Directory, provisioning can be broken down in to the following key scenarios.
--- **[HR-driven provisioning](#hr-driven-provisioning)** -- **[App provisioning](#app-provisioning)** -- **[Directory provisioning](#directory-provisioning)** -
-## HR-driven provisioning
-
-![Diagram that shows HR-driven provisioning with Cloud HR, On-premises HR, and Azure Active Directory.](media/what-is-provisioning/cloud-2.png)
-
-Provisioning from HR to the cloud involves the creation of objects (users, roles, groups, etc.) based on the information that is in your HR system.
-
-The most common scenario would be, when a new employee joins your company, they are entered into the HR system. Once that occurs, they are provisioned to the cloud. In this case, Azure AD. Provisioning from HR can cover the following scenarios.
--- **Hiring new employees** - When a new employee is added to cloud HR, a user account is automatically created in Active Directory, Azure Active Directory, and optionally Microsoft 365 and other SaaS applications supported by Azure AD, with write-back of the email address to Cloud HR.-- **Employee attribute and profile updates** - When an employee record is updated in cloud HR (such as their name, title, or manager), their user account will be automatically updated in Active Directory, Azure Active Directory, and optionally Microsoft 365 and other SaaS applications supported by Azure AD.-- **Employee terminations** - When an employee is terminated in cloud HR, their user account is automatically disabled in Active Directory, Azure Active Directory, and optionally Office 365 and other SaaS applications supported by Azure AD.-- **Employee rehires** - When an employee is rehired in cloud HR, their old account can be automatically reactivated or re-provisioned (depending on your preference) to Active Directory, Azure Active Directory, and optionally Microsoft 365 and other SaaS applications supported by Azure AD.--
-## App provisioning
-
-![Diagram that shows App provisioning with On-premises apps, Non-Microsoft cloud apps, and Azure Active Directory.](media/what-is-provisioning/cloud-3.png)
-
-In Azure Active Directory (Azure AD), the term **[app provisioning](../app-provisioning/user-provisioning.md)** refers to automatically creating user identities and roles in the cloud applications that users need access to. In addition to creating user identities, automatic provisioning includes the maintenance and removal of user identities as status or roles change. Common scenarios include provisioning an Azure AD user into applications like [Dropbox](../saas-apps/dropboxforbusiness-provisioning-tutorial.md), [Salesforce](../saas-apps/salesforce-provisioning-tutorial.md), [ServiceNow](../saas-apps/servicenow-provisioning-tutorial.md), and more.
-
-## Directory provisioning
-
-![cloud provisioning](media/what-is-provisioning/cloud-4.png)
-
-On-premises provisioning involves provisioning from on-premises sources (like Active Directory) to Azure AD.
-
-The most common scenario would be, when a user in Active Directory (AD) is provisioned into Azure AD.
-
-This has been accomplished by Azure AD Connect sync, Azure AD Connect cloud provisioning and Microsoft Identity Manager.
-
-## Next steps
--- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)-- [Install cloud provisioning](how-to-install.md)
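Review bot: if this overview is carried to a new location, the `HR-driven provisioning` bullets are inconsistent about the product name: the `Employee terminations` item says `optionally Office 365`, while the other three items say `Microsoft 365`. The three-scenario list and the four HR bullets are also collapsed onto single lines with `--` between items, and the `Directory provisioning` image alt text `cloud provisioning` is far less descriptive than the alt text on the three diagrams above it.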
active-directory Howto Convert App To Be Multi Tenant https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/develop/howto-convert-app-to-be-multi-tenant.md
To learn more about making API calls to Azure AD and Microsoft 365 services like
<!--Reference style links IN USE --> [AAD-Access-Panel]: https://myapps.microsoft.com
-[AAD-App-Branding]:howto-add-branding-in-azure-ad-apps.md
+[AAD-App-Branding]:howto-add-branding-in-apps.md
[AAD-App-Manifest]:reference-azure-ad-app-manifest.md [AAD-App-SP-Objects]:app-objects-and-service-principals.md [AAD-Auth-Scenarios]:authentication-scenarios.md
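Review bot: the retarget `[AAD-App-Branding]:howto-add-branding-in-apps.md` should be accompanied by a redirect from the old `howto-add-branding-in-azure-ad-apps.md` path, or a pointer to the commit that added one, since other articles in the set may still link the old filename. The new line keeps the file's existing no-space-after-colon style for reference links, which is fine.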
active-directory Licensing Service Plan Reference https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/enterprise-users/licensing-service-plan-reference.md
Previously updated : 05/03/2023 Last updated : 05/04/2023
When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
- **Service plans included (friendly names)**: A list of service plans (friendly names) in the product that correspond to the string ID and GUID >[!NOTE]
->This information last updated on May 3rd, 2023.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).
+>This information last updated on May 4th, 2023.<br/>You can also download a CSV version of this table [here](https://download.microsoft.com/download/e/3/e/e3e9faf2-f28b-490a-9ada-c6089a1fc5b0/Product%20names%20and%20service%20plan%20identifiers%20for%20licensing.csv).
><br/> | Product name | String ID | GUID | Service plans included | Service plans included (friendly names) |
When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
| Common Data Service Database Capacity for Government | CDS_DB_CAPACITY_GOV | eddf428b-da0e-4115-accf-b29eb0b83965 | CDS_DB_CAPACITY_GOV (1ddffef6-4f69-455e-89c7-d5d72105f915)<br/>EXCHANGE_S_FOUNDATION_GOV (922ba911-5694-4e99-a794-73aed9bfeec8) | Common Data Service for Apps Database Capacity for Government (1ddffef6-4f69-455e-89c7-d5d72105f915)<br/>Exchange Foundation for Government (922ba911-5694-4e99-a794-73aed9bfeec8)| | Common Data Service Log Capacity | CDS_LOG_CAPACITY | 448b063f-9cc6-42fc-a0e6-40e08724a395 | CDS_LOG_CAPACITY (dc48f5c5-e87d-43d6-b884-7ac4a59e7ee9)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Common Data Service for Apps Log Capacity (dc48f5c5-e87d-43d6-b884-7ac4a59e7ee9)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) | | Communications Credits | MCOPSTNC | 47794cd0-f0e5-45c5-9033-2eb6b5fc84e0 | MCOPSTNC (505e180f-f7e0-4b65-91d4-00d670bbd18c) | COMMUNICATIONS CREDITS (505e180f-f7e0-4b65-91d4-00d670bbd18c) |
+| Compliance Manager Premium Assessment Add-On | CMPA_addon | 8a5fbbed-8b8c-41e5-907e-c50c471340fd | COMPLIANCE_MANAGER_PREMIUM_ASSESSMENT_ADDON (3a117d30-cfac-4f00-84ac-54f8b6a18d78) | Compliance Manager Premium Assessment Add-On (3a117d30-cfac-4f00-84ac-54f8b6a18d78) |
| Compliance Manager Premium Assessment Add-On for GCC | CMPA_addon_GCC | a9d7ef53-9bea-4a2a-9650-fa7df58fe094 | COMPLIANCE_MANAGER_PREMIUM_ASSESSMENT_ADDON (3a117d30-cfac-4f00-84ac-54f8b6a18d78) | Compliance Manager Premium Assessment Add-On (3a117d30-cfac-4f00-84ac-54f8b6a18d78) |
+| Defender Threat Intelligence | Defender_Threat_Intelligence | a9c51c15-ffad-4c66-88c0-8771455c832d | THREAT_INTELLIGENCE_APP (fbdb91e6-7bfd-4a1f-8f7a-d27f4ef39702) | Defender Threat Intelligence (fbdb91e6-7bfd-4a1f-8f7a-d27f4ef39702) |
| Dynamics 365 - Additional Database Storage (Qualified Offer) | CRMSTORAGE | 328dc228-00bc-48c6-8b09-1fbc8bc3435d | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>CRMSTORAGE (77866113-0f3e-4e6e-9666-b1e25c6f99b0) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Microsoft Dynamics CRM Online Storage Add-On (77866113-0f3e-4e6e-9666-b1e25c6f99b0) | | Dynamics 365 - Additional Production Instance (Qualified Offer) | CRMINSTANCE | 9d776713-14cb-4697-a21d-9a52455c738a | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>CRMINSTANCE (eeea837a-c885-4167-b3d5-ddde30cbd85f) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Microsoft Dynamics CRM Online Instance (eeea837a-c885-4167-b3d5-ddde30cbd85f) | | Dynamics 365 - Additional Non-Production Instance (Qualified Offer) | CRMTESTINSTANCE | e06abcc2-7ec5-4a79-b08b-d9c282376f72 | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/> CRMTESTINSTANCE (a98b7619-66c7-4885-bdfc-1d9c8c3d279f) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Microsoft Dynamics CRM Online Additional Test Instance (a98b7619-66c7-4885-bdfc-1d9c8c3d279f) |
When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
| Dynamics 365 Field Service Viral Trial | Dynamics_365_Field_Service_Enterprise_viral_trial | 29fcd665-d8d1-4f34-8eed-3811e3fca7b3 | CUSTOMER_VOICE_DYN365_VIRAL_TRIAL (dbe07046-af68-4861-a20d-1c8cbda9194f)<br/>DYN365_FS_ENTERPRISE_VIRAL_TRIAL (20d1455b-72b2-4725-8354-a177845ab77d)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>POWER_APPS_DYN365_VIRAL_TRIAL (54b37829-818e-4e3c-a08a-3ea66ab9b45d)<br/>POWER_AUTOMATE_DYN365_VIRAL_TRIAL (81d4ecb8-0481-42fb-8868-51536c5aceeb) | Customer Voice for Dynamics 365 vTrial (dbe07046-af68-4861-a20d-1c8cbda9194f)<br/>Dynamics 365 Field Service Enterprise vTrial (20d1455b-72b2-4725-8354-a177845ab77d)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power Apps for Dynamics 365 vTrial (54b37829-818e-4e3c-a08a-3ea66ab9b45d)<br/>Power Automate for Dynamics 365 vTrial (81d4ecb8-0481-42fb-8868-51536c5aceeb) | | Dynamics 365 Finance | DYN365_FINANCE | 55c9eb4e-c746-45b4-b255-9ab6b19d5c62 | DYN365_CDS_FINANCE (e95d7060-d4d9-400a-a2bd-a244bf0b609e)<br/>DYN365_REGULATORY_SERVICE (c7657ae3-c0b0-4eed-8c1d-6a7967bd9c65)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>D365_Finance (9f0e1b4e-9b33-4300-b451-b2c662cd4ff7)<br/>POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba) | Common Data Service for Dynamics 365 Finance (e95d7060-d4d9-400a-a2bd-a244bf0b609e)<br/>Dynamics 365 for Finance and Operations, Enterprise edition - Regulatory Service (c7657ae3-c0b0-4eed-8c1d-6a7967bd9c65)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Microsoft Dynamics 365 for Finance (9f0e1b4e-9b33-4300-b451-b2c662cd4ff7)<br/>Power Apps for Dynamics 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>Power Automate for Dynamics 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba) | | Dynamics 365 for Case Management Enterprise Edition | DYN365_ENTERPRISE_CASE_MANAGEMENT | d39fb075-21ae-42d0-af80-22a2599749e0 | 
DYN365_ENTERPRISE_CASE_MANAGEMENT (2822a3a1-9b8f-4432-8989-e11669a60dc8)<br/>NBENTERPRISE (03acaee3-9492-4f40-aed4-bcb6b32981b6)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba) | Dynamics 365 for Case Management (2822a3a1-9b8f-4432-8989-e11669a60dc8)<br/>Microsoft Social Engagement (03acaee3-9492-4f40-aed4-bcb6b32981b6)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Project Online Essentials (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SharePoint (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>Power Apps for Dynamics 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>Power Automate for Dynamics 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba) |
+| Dynamics 365 Customer Service Enterprise Admin | Dynamics_365_Customer_Service_Enterprise_admin_trial | 94a6fbd4-6a2f-4990-b356-dc7dd8bed08a | CUSTOMER_VOICE_DYN365_VIRAL_TRIAL (dbe07046-af68-4861-a20d-1c8cbda9194f)<br/>DYN365_CS_MESSAGING_TPS (47c2b191-a5fb-4129-b690-00c474d2f623)<br/>D365_CSI_EMBED_CSEnterprise (5b1e5982-0e88-47bb-a95e-ae6085eda612)<br/>DYN365_ENTERPRISE_CUSTOMER_SERVICE (99340b49-fb81-4b1e-976b-8f2ae8e9394f)<br/>DYN365_CS_VOICE (f6ec6dfa-2402-468d-a455-89be11116d43)<br/>POWER_VIRTUAL_AGENTS_D365_CS_VOICE (a3dce1be-e9ca-453a-9483-e69a5b46ce98)<br/>POWER_VIRTUAL_AGENTS_D365_CS_MESSAGING (2d2f174c-c3cc-4abe-9ce8-4dd86f469ab1)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba) | Customer Voice for Dynamics 365 vTrial (dbe07046-af68-4861-a20d-1c8cbda9194f)<br/>Dynamics 365 Customer Service Digital Messaging add-on (47c2b191-a5fb-4129-b690-00c474d2f623)<br/>Dynamics 365 Customer Service Insights for CS Enterprise (5b1e5982-0e88-47bb-a95e-ae6085eda612)<br/>Dynamics 365 for Customer Service (99340b49-fb81-4b1e-976b-8f2ae8e9394f)<br/>Dynamics 365 for Customer Service Voice Add-in (f6ec6dfa-2402-468d-a455-89be11116d43)<br/>Power Virtual Agents for Customer Service Voice (a3dce1be-e9ca-453a-9483-e69a5b46ce98)<br/>Power Virtual Agents for Digital Messaging (2d2f174c-c3cc-4abe-9ce8-4dd86f469ab1)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Power Apps for Dynamics 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>Power Automate for Dynamics 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba) |
| Dynamics 365 for Customer Service Enterprise Edition | DYN365_ENTERPRISE_CUSTOMER_SERVICE | 749742bf-0d37-4158-a120-33567104deeb | D365_CSI_EMBED_CSEnterprise (5b1e5982-0e88-47bb-a95e-ae6085eda612)<br/>DYN365_ENTERPRISE_CUSTOMER_SERVICE (99340b49-fb81-4b1e-976b-8f2ae8e9394f)<br/>Forms_Pro_Service (67bf4812-f90b-4db9-97e7-c0bbbf7b2d09)<br/>NBENTERPRISE (03acaee3-9492-4f40-aed4-bcb6b32981b6)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba) | Dynamics 365 Customer Service Insights for CS Enterprise (5b1e5982-0e88-47bb-a95e-ae6085eda612)<br/>Dynamics 365 for Customer Service (99340b49-fb81-4b1e-976b-8f2ae8e9394f)<br/>Microsoft Dynamics 365 Customer Voice for Customer Service Enterprise (67bf4812-f90b-4db9-97e7-c0bbbf7b2d09)<br/>Microsoft Social Engagement (03acaee3-9492-4f40-aed4-bcb6b32981b6)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Project Online Essentials (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SharePoint (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>Power Apps for Dynamics 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>Power Automate for Dynamics 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba) | | Dynamics 365 for Customer Service Chat | DYN365_CS_CHAT | 7d7af6c2-0be6-46df-84d1-c181b0272909 |DYN365_CS_CHAT_FPA (426ec19c-d5b1-4548-b894-6fe75028c30d)<br/>DYN365_CS_CHAT (f69129db-6dc1-4107-855e-0aaebbcd9dd4)<br/>POWER_VIRTUAL_AGENTS_D365_CS_CHAT (19e4c3a8-3ebe-455f-a294-4f3479873ae3)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 Customer Service Chat Application Integration (426ec19c-d5b1-4548-b894-6fe75028c30d)<br/>Dynamics 365 
for Customer Service Chat (f69129db-6dc1-4107-855e-0aaebbcd9dd4)<br/>Power Virtual Agents for Chat (19e4c3a8-3ebe-455f-a294-4f3479873ae3)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) | | Dynamics 365 for Field Service Attach to Qualifying Dynamics 365 Base Offer | D365_FIELD_SERVICE_ATTACH | a36cdaa2-a806-4b6e-9ae0-28dbd993c20e | D365_FIELD_SERVICE_ATTACH (55c9148b-d5f0-4101-b5a0-b2727cfc0916)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 for Field Service Attach (55c9148b-d5f0-4101-b5a0-b2727cfc0916)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) | | Dynamics 365 for Field Service Enterprise Edition | DYN365_ENTERPRISE_FIELD_SERVICE | c7d15985-e746-4f01-b113-20b575898250 | DYN365_ENTERPRISE_FIELD_SERVICE (8c66ef8a-177f-4c0d-853c-d4f219331d09)<br/>Forms_Pro_FS (9c439259-63b0-46cc-a258-72be4313a42d)<br/>NBENTERPRISE (03acaee3-9492-4f40-aed4-bcb6b32981b6)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>PROJECT_ESSENTIALS (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SHAREPOINTENTERPRISE (5dbe027f-2339-4123-9542-606e4d348a72)<br/>POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba) | Dynamics 365 for Field Service (8c66ef8a-177f-4c0d-853c-d4f219331d09)<br/>Microsoft Dynamics 365 Customer Voice for Field Service (9c439259-63b0-46cc-a258-72be4313a42d)<br/>Microsoft Social Engagement (03acaee3-9492-4f40-aed4-bcb6b32981b6)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Project Online Essentials (1259157c-8581-4875-bca7-2ffb18c51bda)<br/>SharePoint (Plan 2) (5dbe027f-2339-4123-9542-606e4d348a72)<br/>Power Apps for Dynamics 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>Power Automate for Dynamics 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba) |
+| Dynamics 365 Field Service, Enterprise Edition - Resource Scheduling Optimization | CRM_AUTO_ROUTING_ADDON | 977464c4-bfaf-4b67-b761-a9bb735a2196 | CRM_AUTO_ROUTING_ENGINE_ADDON (24435e4b-87d0-4d7d-8beb-63a9b1573022)<br/>CRM_AUTO_ROUTING_ADDON (2ba394e0-6f18-4b77-b45f-a5663bbab540)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Field Service ΓÇô Automated Routing Engine Add-On (24435e4b-87d0-4d7d-8beb-63a9b1573022)<br/>Field Service ΓÇô Automated Routing Engine Add-On (2ba394e0-6f18-4b77-b45f-a5663bbab540)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |
| Dynamics 365 for Financials Business Edition | DYN365_FINANCIALS_BUSINESS_SKU | cc13a803-544e-4464-b4e4-6d6169a138fa | DYN365_FINANCIALS_BUSINESS (920656a2-7dd8-4c83-97b6-a356414dbd36)<br/>FLOW_DYN_APPS (7e6d7d78-73de-46ba-83b1-6d25117334ba)<br/>POWERAPPS_DYN_APPS (874fc546-6efe-4d22-90b8-5c4e7aa59f4b) |FLOW FOR DYNAMICS 365 (7e6d7d78-73de-46ba-83b1-6d25117334ba)<br/>POWERAPPS FOR DYNAMICS 365 (874fc546-6efe-4d22-90b8-5c4e7aa59f4b)<br/>DYNAMICS 365 FOR FINANCIALS (920656a2-7dd8-4c83-97b6-a356414dbd36) | | Dynamics 365 Hybrid Connector | CRM_HYBRIDCONNECTOR | de176c31-616d-4eae-829a-718918d7ec23 | CRM_HYBRIDCONNECTOR (0210d5c8-49d2-4dd1-a01b-a91c7c14e0bf)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | CRM Hybrid Connector (0210d5c8-49d2-4dd1-a01b-a91c7c14e0bf)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) | | Dynamics 365 for Marketing Additional Application | DYN365_MARKETING_APPLICATION_ADDON | 99c5688b-6c75-4496-876f-07f0fbd69add | DYN365_MARKETING_APPLICATION_ADDON (51cf0638-4861-40c0-8b20-1161ab2f80be)<br/>EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318) | Dynamics 365 for Marketing Additional Application (51cf0638-4861-40c0-8b20-1161ab2f80be)<br/>Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318) |
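Review bot: in the new `Dynamics 365 Field Service, Enterprise Edition - Resource Scheduling Optimization` row, the two service plans `CRM_AUTO_ROUTING_ENGINE_ADDON (24435e4b-87d0-4d7d-8beb-63a9b1573022)` and `CRM_AUTO_ROUTING_ADDON (2ba394e0-6f18-4b77-b45f-a5663bbab540)` are given the identical friendly name `Field Service ΓÇô Automated Routing Engine Add-On`, which looks like a copy error for the second plan, and `ΓÇô` is a mis-encoded en dash that should be `–` (or the plain hyphen the rest of the table uses). In the new `Dynamics 365 Customer Service Enterprise Admin` row the product name omits the word Trial even though the string ID is `Dynamics_365_Customer_Service_Enterprise_admin_trial` and its plans are the `vTrial` variants; confirm the display name against the licensing source before publishing.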
When managing licenses in [the Azure portal](https://portal.azure.com/#blade/Mic
| Microsoft Teams Rooms Basic without Audio Conferencing | Microsoft_Teams_Rooms_Basic_without_Audio_Conferencing | 50509a35-f0bd-4c5e-89ac-22f0e16a00f8 | TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>WHITEBOARD_PLAN3 (4a51bca5-1eff-43f5-878c-177680f191af) | Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Whiteboard (Plan 3) (4a51bca5-1eff-43f5-878c-177680f191af) | | Microsoft Teams Rooms Pro | Microsoft_Teams_Rooms_Pro | 4cde982a-ede4-4409-9ae6-b003453c8ea6 | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>WHITEBOARD_PLAN3 (4a51bca5-1eff-43f5-878c-177680f191af) | Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Microsoft 365 Audio Conferencing (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>Microsoft 365 Phone System (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Whiteboard (Plan 3) (4a51bca5-1eff-43f5-878c-177680f191af) | | Microsoft Teams Rooms Pro without Audio Conferencing | Microsoft_Teams_Rooms_Pro_without_Audio_Conferencing | 21943e3a-2429-4f83-84c1-02735cd49e78 | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>WHITEBOARD_PLAN3 (4a51bca5-1eff-43f5-878c-177680f191af) | Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Microsoft 365 Phone System (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>Microsoft Intune 
(c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Whiteboard (Plan 3) (4a51bca5-1eff-43f5-878c-177680f191af) |
+| Microsoft Teams Rooms Standard | MEETING_ROOM | 6070a4c8-34c6-4937-8dfb-39bbc6397a60 | AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>MCOMEETADV (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Teams_Room_Standard (92c6b761-01de-457a-9dd9-793a975238f7)<br/>WHITEBOARD_PLAN3 (4a51bca5-1eff-43f5-878c-177680f191af)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5) | Azure Active Directory Premium Plan 1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Microsoft 365 Audio Conferencing (3e26ee1f-8a5f-4d52-aee2-b81ce45c8f40)<br/>Microsoft 365 Phone System (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Skype for Business Online (Plan 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Teams Room Standard (92c6b761-01de-457a-9dd9-793a975238f7)<br/>Whiteboard (Plan 3) (4a51bca5-1eff-43f5-878c-177680f191af)<br/>Microsoft Intune Plan 1 (c1ec4a95-1f05-45b3-a911-aa3fa01094f5) |
| Microsoft Teams Shared Devices | MCOCAP | 295a8eb0-f78d-45c7-8b5b-1eed5ed02dff | MCOEV (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>TEAMS1 (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>MCOSTANDARD (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>EXCHANGE_S_ENTERPRISE (efb87545-963c-4e0d-99df-69c6916d9eb0) | MICROSOFT 365 PHONE SYSTEM (4828c8ec-dc2e-4779-b502-87ac9ce28ab7)<br/>MICROSOFT TEAMS (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>SKYPE FOR BUSINESS ONLINE (PLAN 2) (0feaeb32-d00e-4d66-bd5a-43b5b83db82c)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Exchange Online (Plan 2) (efb87545-963c-4e0d-99df-69c6916d9eb0) | | Microsoft Teams Shared Devices for GCC | MCOCAP_GOV | b1511558-69bd-4e1b-8270-59ca96dba0f3 | MCOEV_GOV (db23fce2-a974-42ef-9002-d78dd42a0f22)<br/>TEAMS_GOV (304767db-7d23-49e8-a945-4a7eb65f9f28)<br/>MCOSTANDARD_GOV (a31ef4a2-f787-435e-8335-e47eb0cafc94)<br/>INTUNE_A (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>AAD_PREMIUM (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>EXCHANGE_S_ENTERPRISE_GOV (8c3069c0-ccdb-44be-ab77-986203a67df2) | Microsoft 365 Phone System for Government (db23fce2-a974-42ef-9002-d78dd42a0f22)<br/>Microsoft Teams for Government (304767db-7d23-49e8-a945-4a7eb65f9f28)<br/>Skype for Business Online (Plan 2) for Government (a31ef4a2-f787-435e-8335-e47eb0cafc94)<br/>Microsoft Intune (c1ec4a95-1f05-45b3-a911-aa3fa01094f5)<br/>Azure Active Directory Premium P1 (41781fb2-bc02-4b7c-bd55-b576c07bb09d)<br/>Exchange Online (Plan 2) for Government (8c3069c0-ccdb-44be-ab77-986203a67df2) | | Microsoft Teams Trial | MS_TEAMS_IW | 74fbf1bb-47c6-4796-9623-77dc7371723b | EXCHANGE_S_FOUNDATION (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>PROJECTWORKMANAGEMENT (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>MCO_TEAMS_IW (42a3ec34-28ba-46b6-992f-db53a675ac5b)<br/>TEAMS1 
(57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>SHAREPOINTWAC (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>POWERAPPS_O365_P1 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)<br/>FLOW_O365_P1 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)<br/>SHAREPOINTDESKLESS (902b47e5-dcb2-4fdc-858b-c63a90a2bdb9)<br/>SWAY (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>YAMMER_ENTERPRISE (7547a3fe-08ee-4ccb-b430-5077c5041653) | Exchange Foundation (113feb6c-3fe4-4440-bddc-54d774bf0318)<br/>Microsoft Planner (b737dad2-2f6c-4c65-90e3-ca563267e8b9)<br/>Microsoft Teams (42a3ec34-28ba-46b6-992f-db53a675ac5b)<br/>Microsoft Teams (57ff2da0-773e-42df-b2af-ffb7a2317929)<br/>Office for the Web (e95bec33-7c88-4a70-8e19-b10bd9d0c014)<br/>Power Apps for Office 365 (92f7a6f3-b89b-4bbd-8c30-809e6da5ad1c)<br/>Power Automate for Office 365 (0f9b09cb-62d1-4ff4-9129-43f4996f83f4)<br/>SharePoint Kiosk (902b47e5-dcb2-4fdc-858b-c63a90a2bdb9)<br/>Sway (a23b959c-7ce8-4e57-9140-b90eb88a9e97)<br/>Yammer Enterprise (7547a3fe-08ee-4ccb-b430-5077c5041653) |
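Review bot: the added Microsoft Teams Rooms Standard (MEETING_ROOM) row names the same service plan GUIDs differently from the neighbouring rows: 41781fb2-bc02-4b7c-bd55-b576c07bb09d is "Azure Active Directory Premium Plan 1" here but "Azure Active Directory Premium P1" in the Rooms Pro rows above, and c1ec4a95-1f05-45b3-a911-aa3fa01094f5 is "Microsoft Intune Plan 1" here but "Microsoft Intune" everywhere else in this table. Use one friendly name per GUID so anyone matching on the friendly-name column (licensing audits, provisioning scripts) gets consistent results.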
active-directory Accidental Deletes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/accidental-deletes.md
+
+ Title: 'Configure accidental deletion prevention with Active Directory'
+description: This article describes how you can configure accidental deletion prevention for the synchronization tools with Active Directory.
+
+documentationcenter: ''
++
+editor: ''
++
+ na
+ Last updated : 05/02/2023+++++
+# How to prevent accidental deletions
+
+When installing either cloud sync or Azure AD Connect, this feature is enabled by default and configured to not allow an export with more than 500 deletes. This feature is designed to protect you from accidental configuration changes and changes to your on-premises directory that would affect many users and other objects.
+
+You can change the default behavior and tailor it to your organizations needs.
+
+## Configure accidental delete prevention with cloud sync
+To use the new feature, follow the steps below.
++
+ 1. In the Azure portal, select **Azure Active Directory**.
+ 2. On the left, select **Azure AD Connect**.
+ 3. On the left, select **Cloud sync**.
+ 4. Under **Configuration**, select your configuration.
+ 5. Select **View default properties**.
+ 6. Click the pencil next to **Basics**
+ 5. On the right, fill in the following information.
+ - **Notification email** - email used for notifications
+ - **Prevent accidental deletions** - check this box to enable the feature
+ - **Accidental deletion threshold** - enter the number of objects to stop synchronization and send a notification
+
+For more information, see [Accidental delete prevention with cloud sync](cloud-sync/how-to-accidental-deletes.md)
++
+## Configure accidental delete prevention with Azure AD Connect
+The default value of 500 objects can be changed with PowerShell using `Enable-ADSyncExportDeletionThreshold`, which is part of the [AD Sync module](connect/reference-connect-adsync.md) installed with Azure Active Directory Connect. You should configure this value to fit the size of your organization. Since the sync scheduler runs every 30 minutes, the value is the number of deletes seen within 30 minutes.
+
+For more information, see [Accidental delete prevention with Azure AD Connect](connect/how-to-connect-sync-feature-prevent-accidental-deletes.md).
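Review bot: the numbered list under "Configure accidental delete prevention with cloud sync" runs 1 through 6 and then restarts at "5." for the final step; renumber it to "7." and give the "Click the pencil next to **Basics**" step a trailing period like the others. In the same section the "Accidental deletion threshold" bullet doesn't say what the number is counted against, while the Azure AD Connect section below does ("the number of deletes seen within 30 minutes"); state the equivalent window or scope for cloud sync so admins size the threshold correctly. Minor: "organizations needs" should read "organization's needs", and the stray "++" lines after the title block and before the first heading look like left-over front matter.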
active-directory Accounts https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/accounts.md
+
+ Title: 'Accounts for integrating with Active Directory'
+description: This article describes the required accounts for each of the synchronization tools.
+
+documentationcenter: ''
++
+editor: ''
++
+ na
+ Last updated : 04/04/2023+++++
+# Accounts for integrating with Active Directory
+
+The following article describes the accounts that are required for each of the two synchronization tools. Use these sections as a reference when configuring and setting up your environment.
+
+## Accounts for installing and running cloud sync
+
+|Requirement|Description and more requirements|
+|--|--|
+|Domain/Enterprise administrator|Required to install the agent on the server and create the gMSA service account.|
+|Hybrid Identity administrator|Required to configure cloud sync. This account cannot be a guest account.|
+|gMSA service account|Required to run the agent.|
+
+For more information, on cloud sync accounts, and how to set up a custom gMSA account, see [Cloud sync prerequisites](cloud-sync/how-to-prerequisites.md).
+
+## Accounts for installing and running Azure AD Connect
+
+Azure AD Connect uses three accounts to *synchronize information* from on-premises Windows Server Active Directory (Windows Server AD) to Azure Active Directory (Azure AD):
++
+|Requirement|Description and additional requirements|
+|--|--|
+|AD DS Connector account|Used to read and write information to Windows Server AD by using Active Directory Domain Services (AD DS).|
+|ADSync service account|Used to run the sync service and access the SQL Server database.|
+|Azure AD Connector account|Used to write information to Azure AD.|
+|Local Administrator account|The administrator who is installing Azure AD Connect and who has local Administrator permissions on the computer.|
+|AD DS Enterprise Administrator account|Optionally used to create the required AD DS Connector account.|
+|Azure AD Global Administrator account|Used to create the Azure AD Connector account and to configure Azure AD. You can view Global Administrator and Hybrid Identity Administrator accounts in the Azure portal. See [List Azure AD role assignments](../roles/view-assignments.md).|
+|SQL SA account (optional)|Used to create the ADSync database when you use the full version of SQL Server. The instance of SQL Server can be local or remote to the Azure AD Connect installation. This account can be the same account as the Enterprise Administrator account.|
+
+For more information, on Azure AD Connet accounts, and how to configure them, see [Accounts and permissions](connect/reference-connect-accounts-permissions.md).
++++
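Review bot: the closing paragraph misspells the product as "Azure AD Connet", and both "For more information, on cloud sync accounts, and how to set up ..." and "For more information, on Azure AD Connet accounts, and how to configure them, ..." carry a stray comma after "information"; suggested wording: "For more information on Azure AD Connect accounts and how to configure them, see ...". The trailing "++++" after that paragraph is noise and should be dropped from the article body.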
active-directory Choose Ad Authn https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/choose-ad-authn.md
- Title: Authentication for Azure AD hybrid identity solutions
-description: This guide helps CEOs, CIOs, CISOs, Chief Identity Architects, Enterprise Architects, and Security and IT decision makers responsible for choosing an authentication method for their Azure AD hybrid identity solution in medium to large organizations.
-keywords:
-- Previously updated : 03/11/2023------
-# Choose the right authentication method for your Azure Active Directory hybrid identity solution
-
-Choosing the correct authentication method is the first concern for organizations wanting to move their apps to the cloud. Don't take this decision lightly, for the following reasons:
-
-1. It's the first decision for an organization that wants to move to the cloud.
-
-2. The authentication method is a critical component of an organization's presence in the cloud. It controls access to all cloud data and resources.
-
-3. It's the foundation of all the other advanced security and user experience features in Azure AD.
-
-Identity is the new control plane of IT security, so authentication is an organization's access guard to the new cloud world. Organizations need an identity control plane that strengthens their security and keeps their cloud apps safe from intruders.
-
-> [!NOTE]
-> Changing your authentication method requires planning, testing, and potentially downtime. [Staged rollout](./how-to-connect-staged-rollout.md) is a great way to test users' migration from federation to cloud authentication.
-
-### Out of scope
-Organizations that don't have an existing on-premises directory footprint aren't the focus of this article. Typically, those businesses create identities only in the cloud, which doesn't require a hybrid identity solution. Cloud-only identities exist solely in the cloud and aren't associated with corresponding on-premises identities.
-
-## Authentication methods
-When the Azure AD hybrid identity solution is your new control plane, authentication is the foundation of cloud access. Choosing the correct authentication method is a crucial first decision in setting up an Azure AD hybrid identity solution. The authentication method you choose, is configured by using Azure AD Connect, which also provisions users in the cloud.
-
-To choose an authentication method, you need to consider the time, existing infrastructure, complexity, and cost of implementing your choice. These factors are different for every organization and might change over time.
-
->[!VIDEO https://www.youtube.com/embed/YtW2cmVqSEw]
-
-Azure AD supports the following authentication methods for hybrid identity solutions.
-
-### Cloud authentication
-When you choose this authentication method, Azure AD handles users' sign-in process. Coupled with single sign-on (SSO), users can sign in to cloud apps without having to reenter their credentials. With cloud authentication, you can choose from two options:
-
-**Azure AD password hash synchronization**. The simplest way to enable authentication for on-premises directory objects in Azure AD. Users can use the same username and password that they use on-premises without having to deploy any other infrastructure. Some premium features of Azure AD, like Identity Protection and [Azure AD Domain Services](../../active-directory-domain-services/tutorial-create-instance.md), require password hash synchronization, no matter which authentication method you choose.
-
-> [!NOTE]
-> Passwords are never stored in clear text or encrypted with a reversible algorithm in Azure AD. For more information on the actual process of password hash synchronization, see [Implement password hash synchronization with Azure AD Connect sync](../../active-directory/hybrid/how-to-connect-password-hash-synchronization.md).
-
-**Azure AD Pass-through Authentication**. Provides a simple password validation for Azure AD authentication services by using a software agent that runs on one or more on-premises servers. The servers validate the users directly with your on-premises Active Directory, which ensures that the password validation doesn't happen in the cloud.
-
-Companies with a security requirement to immediately enforce on-premises user account states, password policies, and sign-in hours might use this authentication method. For more information on the actual pass-through authentication process, see [User sign-in with Azure AD pass-through authentication](../../active-directory/hybrid/how-to-connect-pta.md).
-
-### Federated authentication
-When you choose this authentication method, Azure AD hands off the authentication process to a separate trusted authentication system, such as on-premises Active Directory Federation Services (AD FS), to validate the user's password.
-
-The authentication system can provide other advanced authentication requirements, for example, third-party multifactor authentication.
-
-The following section helps you decide which authentication method is right for you by using a decision tree. It helps you determine whether to deploy cloud or federated authentication for your Azure AD hybrid identity solution.
-
-## Decision tree
-
-![Azure AD authentication decision tree](./media/choose-ad-authn/azure-ad-authn-image1.png)
-
-Details on decision questions:
-
-1. Azure AD can handle sign-in for users without relying on on-premises components to verify passwords.
-2. Azure AD can hand off user sign-in to a trusted authentication provider such as Microsoft's AD FS.
-3. If you need to apply, user-level Active Directory security policies such as account expired, disabled account, password expired, account locked out, and sign-in hours on each user sign-in, Azure AD requires some on-premises components.
-4. Sign-in features not natively supported by Azure AD:
- * Sign-in using third-party authentication solution.
- * Multi-site on-premises authentication solution.
-5. Azure AD Identity Protection requires Password Hash Sync regardless of which sign-in method you choose, to provide the *Users with leaked credentials* report. Organizations can fail over to Password Hash Sync if their primary sign-in method fails and it was configured before the failure event.
-
-> [!NOTE]
-> Azure AD Identity Protection require [Azure AD Premium P2](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing) licenses.
-
-## Detailed considerations
-
-### Cloud authentication: Password hash synchronization
-
-* **Effort**. Password hash synchronization requires the least effort regarding deployment, maintenance, and infrastructure. This level of effort typically applies to organizations that only need their users to sign in to Microsoft 365, SaaS apps, and other Azure AD-based resources. When turned on, password hash synchronization is part of the Azure AD Connect sync process and runs every two minutes.
-
-* **User experience**. To improve users' sign-in experience, use [Azure AD joined devices (AADJ)](../../active-directory/devices/concept-azure-ad-join.md) or [Hybrid Azure AD joined devices (HAADJ)](../../active-directory/devices/howto-hybrid-azure-ad-join.md). If you can't join your Windows devices to Azure AD, we recommend deploying seamless SSO with password hash synchronization. Seamless SSO eliminates unnecessary prompts when users are signed in.
-
-* **Advanced scenarios**. If organizations choose to, it's possible to use insights from identities with Azure AD Identity Protection reports with Azure AD Premium P2. An example is the leaked credentials report. Windows Hello for Business has [specific requirements when you use password hash synchronization](/windows/access-protection/hello-for-business/hello-identity-verification). [Azure AD Domain Services](../../active-directory-domain-services/tutorial-create-instance.md) requires password hash synchronization to provision users with their corporate credentials in the managed domain.
-
- Organizations that require multi-factor authentication with password hash synchronization must use Azure AD Multi-Factor Authentication or [Conditional Access custom controls](../../active-directory/conditional-access/controls.md#custom-controls-preview). Those organizations can't use third-party or on-premises multifactor authentication methods that rely on federation.
-
-> [!NOTE]
-> Azure AD Conditional Access require [Azure AD Premium P1](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing) licenses.
-
-* **Business continuity**. Using password hash synchronization with cloud authentication is highly available as a cloud service that scales to all Microsoft datacenters. To make sure password hash synchronization doesn't go down for extended periods, deploy a second Azure AD Connect server in staging mode in a standby configuration.
-
-* **Considerations**. Currently, password hash synchronization doesn't immediately enforce changes in on-premises account states. In this situation, a user has access to cloud apps until the user account state is synchronized to Azure AD. Organizations might want to overcome this limitation by running a new synchronization cycle after administrators do bulk updates to on-premises user account states. An example is disabling accounts.
-
-> [!NOTE]
-> The password expired and account locked-out states aren't currently synced to Azure AD with Azure AD Connect. When you change a user's password and set the *user must change password at next logon* flag, the password hash will not be synced to Azure AD with Azure AD Connect until the user changes their password.
-
-Refer to [implementing password hash synchronization](../../active-directory/hybrid/how-to-connect-password-hash-synchronization.md) for deployment steps.
-
-### Cloud authentication: Pass-through Authentication
-
-* **Effort**. For pass-through authentication, you need one or more (we recommend three) lightweight agents installed on existing servers. These agents must have access to your on-premises Active Directory Domain Services, including your on-premises AD domain controllers. They need outbound access to the Internet and access to your domain controllers. For this reason, it's not supported to deploy the agents in a perimeter network.
-
- Pass-through Authentication requires unconstrained network access to domain controllers. All network traffic is encrypted and limited to authentication requests. For more information on this process, see the [security deep dive](../../active-directory/hybrid/how-to-connect-pta-security-deep-dive.md) on pass-through authentication.
-
-* **User experience**. To improve users' sign-in experience, use [Azure AD joined devices (AADJ)](../../active-directory/devices/concept-azure-ad-join.md) or [Hybrid Azure AD joined devices (HAADJ)](../../active-directory/devices/howto-hybrid-azure-ad-join.md). If you can't join your Windows devices to Azure AD, we recommend deploying seamless SSO with password hash synchronization. Seamless SSO eliminates unnecessary prompts when users are signed in.
-
-* **Advanced scenarios**. Pass-through Authentication enforces the on-premises account policy at the time of sign-in. For example, access is denied when an on-premises user's account state is disabled, locked out, or their [password expires](../../active-directory/hybrid/how-to-connect-pta-faq.yml#what-happens-if-my-user-s-password-has-expired-and-they-try-to-sign-in-by-using-pass-through-authentication-) or the logon attempt falls outside the hours when the user is allowed to sign in.
-
- Organizations that require multi-factor authentication with pass-through authentication must use Azure AD Multi-Factor Authentication (MFA) or [Conditional Access custom controls](../../active-directory/conditional-access/controls.md#custom-controls-preview). Those organizations can't use a third-party or on-premises multifactor authentication method that relies on federation. Advanced features require that password hash synchronization is deployed whether or not you choose pass-through authentication. An example is the leaked credentials report of Identity Protection.
-
-* **Business continuity**. We recommend that you deploy two extra pass-through authentication agents. These extras are in addition to the first agent on the Azure AD Connect server. This other deployment ensures high availability of authentication requests. When you have three agents deployed, one agent can still fail when another agent is down for maintenance.
-
- There's another benefit to deploying password hash synchronization in addition to pass-through authentication. It acts as a backup authentication method when the primary authentication method is no longer available.
-
-* **Considerations**. You can use password hash synchronization as a backup authentication method for pass-through authentication, when the agents can't validate a user's credentials due to a significant on-premises failure. Fail over to password hash synchronization doesn't happen automatically and you must use Azure AD Connect to switch the sign-on method manually.
-
- For other considerations on Pass-through Authentication, including Alternate ID support, see [frequently asked questions](../../active-directory/hybrid/how-to-connect-pta-faq.yml).
-
-Refer to [implementing pass-through authentication](../../active-directory/hybrid/how-to-connect-pta.md) for deployment steps.
-
-### Federated authentication
-
-* **Effort**. A federated authentication system relies on an external trusted system to authenticate users. Some companies want to reuse their existing federated system investment with their Azure AD hybrid identity solution. The maintenance and management of the federated system falls outside the control of Azure AD. It's up to the organization by using the federated system to make sure it's deployed securely and can handle the authentication load.
-
-* **User experience**. The user experience of federated authentication depends on the implementation of the features, topology, and configuration of the federation farm. Some organizations need this flexibility to adapt and configure the access to the federation farm to suit their security requirements. For example, it's possible to configure internally connected users and devices to sign in users automatically, without prompting them for credentials. This configuration works because they already signed in to their devices. If necessary, some advanced security features make users' sign-in process more difficult.
-
-* **Advanced scenarios**. A federated authentication solution is required when customers have an authentication requirement that Azure AD doesn't support natively. See detailed information to help you [choose the right sign-in option](/archive/blogs/samueld/choosing-the-right-sign-in-option-to-connect-to-azure-ad-office-365). Consider the following common requirements:
-
- * Third-party multifactor providers requiring a federated identity provider.
- * Authentication by using third-party authentication solutions. See the [Azure AD federation compatibility list](../../active-directory/hybrid/how-to-connect-fed-compatibility.md).
- * Sign in that requires a sAMAccountName, for example DOMAIN\username, instead of a User Principal Name (UPN), for example, user@domain.com.
-
-* **Business continuity**. Federated systems typically require a load-balanced array of servers, known as a farm. This farm is configured in an internal network and perimeter network topology to ensure high availability for authentication requests.
-
- Deploy password hash synchronization along with federated authentication as a backup authentication method when the primary authentication method is no longer available. An example is when the on-premises servers aren't available. Some large enterprise organizations require a federation solution to support multiple Internet ingress points configured with geo-DNS for low-latency authentication requests.
-
-* **Considerations**. Federated systems typically require a more significant investment in on-premises infrastructure. Most organizations choose this option if they already have an on-premises federation investment. And if it's a strong business requirement to use a single-identity provider. Federation is more complex to operate and troubleshoot compared to cloud authentication solutions.
-
-For a nonroutable domain that can't be verified in Azure AD, you need extra configuration to implement user ID sign in. This requirement is known as Alternate login ID support. See [Configuring Alternate Login ID](/windows-server/identity/ad-fs/operations/configuring-alternate-login-id) for limitations and requirements. If you choose to use a third-party multi-factor authentication provider with federation, ensure the provider supports WS-Trust to allow devices to join Azure AD.
-
-Refer to [Deploying Federation Servers](/windows-server/identity/ad-fs/deployment/deploying-federation-servers) for deployment steps.
-
-> [!NOTE]
-> When you deploy your Azure AD hybrid identity solution, you must implement one of the supported topologies of Azure AD Connect. Learn more about supported and unsupported configurations at [Topologies for Azure AD Connect](../../active-directory/hybrid/plan-connect-topologies.md).
-
-## Architecture diagrams
-
-The following diagrams outline the high-level architecture components required for each authentication method you can use with your Azure AD hybrid identity solution. They provide an overview to help you compare the differences between the solutions.
-
-* Simplicity of a password hash synchronization solution:
-
- ![Azure AD hybrid identity with Password hash synchronization](./media/choose-ad-authn/azure-ad-authn-image2.png)
-
-* Agent requirements of pass-through authentication, using two agents for redundancy:
-
- ![Azure AD hybrid identity with Pass-through Authentication](./media/choose-ad-authn/azure-ad-authn-image3.png)
-
-* Components required for federation in your perimeter and internal network of your organization:
-
- ![Azure AD hybrid identity with federated authentication](./media/choose-ad-authn/azure-ad-authn-image4.png)
-
-## Comparing methods
-
-|Consideration|Password hash synchronization|Pass-through Authentication|Federation with AD FS|
-|:--|:--|:--|:--|
-|Where does authentication happen?|In the cloud|In the cloud, after a secure password verification exchange with the on-premises authentication agent|On-premises|
-|What are the on-premises server requirements beyond the provisioning system: Azure AD Connect?|None|One server for each additional authentication agent|Two or more AD FS servers<br><br>Two or more WAP servers in the perimeter/DMZ network|
-|What are the requirements for on-premises Internet and networking beyond the provisioning system?|None|[Outbound Internet access](../../active-directory/hybrid/how-to-connect-pta-quick-start.md) from the servers running authentication agents|[Inbound Internet access](/windows-server/identity/ad-fs/overview/ad-fs-requirements) to WAP servers in the perimeter<br><br>Inbound network access to AD FS servers from WAP servers in the perimeter<br><br>Network load balancing|
-|Is there a TLS/SSL certificate requirement?|No|No|Yes|
-|Is there a health monitoring solution?|Not required|Agent status provided by [Azure portal](../../active-directory/hybrid/tshoot-connect-pass-through-authentication.md)|[Azure AD Connect Health](../../active-directory/hybrid/how-to-connect-health-adfs.md)|
-|Do users get single sign-on to cloud resources from domain-joined devices within the company network?|Yes with [Azure AD joined devices (AADJ)](../../active-directory/devices/concept-azure-ad-join.md), [Hybrid Azure AD joined devices (HAADJ)](../../active-directory/devices/howto-hybrid-azure-ad-join.md), the [Microsoft Enterprise SSO plug-in for Apple devices](../../active-directory/develop/apple-sso-plugin.md), or [Seamless SSO](../../active-directory/hybrid/how-to-connect-sso.md)|Yes with [Azure AD joined devices (AADJ)](../../active-directory/devices/concept-azure-ad-join.md), [Hybrid Azure AD joined devices (HAADJ)](../../active-directory/devices/howto-hybrid-azure-ad-join.md), the [Microsoft Enterprise SSO plug-in for Apple devices](../../active-directory/develop/apple-sso-plugin.md), or [Seamless SSO](../../active-directory/hybrid/how-to-connect-sso.md)|Yes|
-|What sign-in types are supported?|UserPrincipalName + password<br><br>Windows-Integrated Authentication by using [Seamless SSO](../../active-directory/hybrid/how-to-connect-sso.md)<br><br>[Alternate login ID](../../active-directory/hybrid/how-to-connect-install-custom.md)<br><br>[Azure AD Joined Devices](../../active-directory/devices/concept-azure-ad-join.md)<br><br>[Hybrid Azure AD joined devices (HAADJ)](../../active-directory/devices/howto-hybrid-azure-ad-join.md)<br><br>[Certificate and smart card authentication](../../active-directory/authentication/concept-certificate-based-authentication-smartcard.md)|UserPrincipalName + password<br><br>Windows-Integrated Authentication by using [Seamless SSO](../../active-directory/hybrid/how-to-connect-sso.md)<br><br>[Alternate login ID](../../active-directory/hybrid/how-to-connect-pta-faq.yml)<br><br>[Azure AD Joined Devices](../../active-directory/devices/concept-azure-ad-join.md)<br><br>[Hybrid Azure AD joined devices (HAADJ)](../../active-directory/devices/howto-hybrid-azure-ad-join.md)<br><br>[Certificate and smart card authentication](../../active-directory/authentication/concept-certificate-based-authentication-smartcard.md)|UserPrincipalName + password<br><br>sAMAccountName + password<br><br>Windows-Integrated Authentication<br><br>[Certificate and smart card authentication](/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication)<br><br>[Alternate login ID](/windows-server/identity/ad-fs/operations/configuring-alternate-login-id)|
-|Is Windows Hello for Business supported?|[Key trust model](/windows/security/identity-protection/hello-for-business/hello-identity-verification)<br><br>[Hybrid Cloud Trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust)|[Key trust model](/windows/security/identity-protection/hello-for-business/hello-identity-verification)<br><br>[Hybrid Cloud Trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust)<br><br>*Both require Windows Server 2016 Domain functional level*|[Key trust model](/windows/security/identity-protection/hello-for-business/hello-identity-verification)<br><br>[Hybrid Cloud Trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust)<br><br>[Certificate trust model](/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs)|
-|What are the multifactor authentication options?|[Azure AD MFA](/azure/multi-factor-authentication/)<br><br>[Custom Controls with Conditional Access*](../../active-directory/conditional-access/controls.md)|[Azure AD MFA](/azure/multi-factor-authentication/)<br><br>[Custom Controls with Conditional Access*](../../active-directory/conditional-access/controls.md)|[Azure AD MFA](/azure/multi-factor-authentication/)<br><br>[Third-party MFA](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs)<br><br>[Custom Controls with Conditional Access*](../../active-directory/conditional-access/controls.md)|
-|What user account states are supported?|Disabled accounts<br>(up to 30-minute delay)|Disabled accounts<br><br>Account locked out<br><br>Account expired<br><br>Password expired<br><br>Sign-in hours|Disabled accounts<br><br>Account locked out<br><br>Account expired<br><br>Password expired<br><br>Sign-in hours|
-|What are the Conditional Access options?|[Azure AD Conditional Access, with Azure AD Premium](../../active-directory/conditional-access/overview.md)|[Azure AD Conditional Access, with Azure AD Premium](../../active-directory/conditional-access/overview.md)|[Azure AD Conditional Access, with Azure AD Premium](../../active-directory/conditional-access/overview.md)<br><br>[AD FS claim rules](https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator)|
-|Is blocking legacy protocols supported?|[Yes](../../active-directory/conditional-access/overview.md)|[Yes](../../active-directory/conditional-access/overview.md)|[Yes](/windows-server/identity/ad-fs/operations/access-control-policies-w2k12)|
-|Can you customize the logo, image, and description on the sign-in pages?|[Yes, with Azure AD Premium](../../active-directory/fundamentals/customize-branding.md)|[Yes, with Azure AD Premium](../../active-directory/fundamentals/customize-branding.md)|[Yes](../../active-directory/hybrid/how-to-connect-fed-management.md)|
-|What advanced scenarios are supported?|[Smart password lockout](../../active-directory/authentication/howto-password-smart-lockout.md)<br><br>[Leaked credentials reports, with Azure AD Premium P2](../identity-protection/overview-identity-protection.md)|[Smart password lockout](../../active-directory/authentication/howto-password-smart-lockout.md)|Multisite low-latency authentication system<br><br>[AD FS extranet lockout](/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection)<br><br>[Integration with third-party identity systems](../../active-directory/hybrid/how-to-connect-fed-compatibility.md)|
-
-> [!NOTE]
-> Custom controls in Azure AD Conditional Access do not currently support device registration.
-
-## Recommendations
-Your identity system ensures your users' access to apps that you migrate and make available in the cloud. Use or enable password hash synchronization with whichever authentication method you choose, for the following reasons:
-
-1. **High availability and disaster recovery**. Pass-through Authentication and federation rely on on-premises infrastructure. For pass-through authentication, the on-premises footprint includes the server hardware and networking the Pass-through Authentication agents require. For federation, the on-premises footprint is even larger. It requires servers in your perimeter network to proxy authentication requests and the internal federation servers.
-
- To avoid single points of failure, deploy redundant servers. Then authentication requests will always be serviced if any component fails. Both pass-through authentication and federation also rely on domain controllers to respond to authentication requests, which can also fail. Many of these components need maintenance to stay healthy. Outages are more likely when maintenance isn't planned and implemented correctly.
-
-2. **On-premises outage survival**. The consequences of an on-premises outage due to a cyber-attack or disaster can be substantial, ranging from reputational brand damage to a paralyzed organization unable to deal with the attack. Recently, many organizations were victims of malware attacks, including targeted ransomware, which caused their on-premises servers to go down. When Microsoft helps customers deal with these kinds of attacks, it sees two categories of organizations:
-
- * Organizations that previously also turned on password hash synchronization on top of federated or pass-through authentication changed their primary authentication method to then use password hash synchronization. They were back online in a matter of hours. By using access to email via Microsoft 365, they worked to resolve issues and access other cloud-based workloads.
-
- * Organizations that didn't previously enable password hash synchronization had to resort to untrusted external consumer email systems for communications to resolve issues. In those cases, it took them weeks to restore their on-premises identity infrastructure, before users were able to sign in to cloud-based apps again.
-
-3. **Identity protection**. One of the best ways to protect users in the cloud is Azure AD Identity Protection with Azure AD Premium P2. Microsoft continually scans the Internet for user and password lists that bad actors sell and make available on the dark web. Azure AD can use this information to verify if any of the usernames and passwords in your organization are compromised. Therefore, it's critical to enable password hash synchronization no matter which authentication method you use, whether it's federated or pass-through authentication. Leaked credentials are presented as a report. Use this information to block or force users to change their passwords when they try to sign in with leaked passwords.
-
-## Conclusion
-
-This article outlines various authentication options that organizations can configure and deploy to support access to cloud apps. To meet various business, security, and technical requirements, organizations can choose between password hash synchronization, Pass-through Authentication, and federation.
-
-Consider each authentication method. Does the effort to deploy the solution, and the user's experience of the sign-in process address your business requirements? Evaluate whether your organization needs the advanced scenarios and business continuity features of each authentication method. Finally, evaluate the considerations of each authentication method. Do any of them prevent you from implementing your choice?
-
-## Next steps
-
-In today's world, threats are present 24 hours a day and come from everywhere. Implement the correct authentication method, and it will mitigate your security risks and protect your identities.
-
-[Get started](../fundamentals/active-directory-whatis.md) with Azure AD and deploy the right authentication solution for your organization.
-
-If you're thinking about migrating from federated to cloud authentication, learn more about [changing the sign-in method](../../active-directory/hybrid/plan-connect-user-signin.md). To help you plan and implement the migration, use [these project deployment plans](../fundamentals/active-directory-deployment-plans.md), or consider using the new [Staged Rollout](../../active-directory/hybrid/how-to-connect-staged-rollout.md) feature to migrate federated users to using cloud authentication in a staged approach.
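Review bot: This hunk removes the whole Recommendations, Conclusion and Next steps sections with no replacement text visible, so the article's core resilience guidance ("Use or enable password hash synchronization with whichever authentication method you choose") and the dependency it states between password hash sync and leaked-credential reporting (the "Leaked credentials reports, with Azure AD Premium P2" table cell and the "Identity protection" recommendation) disappear from this file. If the content is being moved rather than retired, the change description should point to the destination; if it is retired, the note "Custom controls in Azure AD Conditional Access do not currently support device registration" and the comparison table rows (sign-in types, user account states, Conditional Access options) should be checked for inbound links from other hybrid-identity pages before they are dropped, since those are the rows readers land on when comparing password hash sync, pass-through authentication and federation.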
active-directory Cloud Governed Management For On Premises https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-governed-management-for-on-premises.md
- Title: 'Azure AD Cloud Governed Management for On-Premises Workloads - Azure'
-description: This topic describes cloud governed management for on-premises workloads.
------ Previously updated : 01/26/2023-----
-# How Azure AD Delivers Cloud Governed Management for On-Premises Workloads
-
-Azure Active Directory (Azure AD) is a comprehensive identity as a service (IDaaS) solution used by millions of organizations that span all aspects of identity, access management, and security. Azure AD holds more than a billion user identities and helps users sign in and securely access both:
-
-* External resources, such as Microsoft 365, the Azure portal, and thousands of other Software-as-a-Service (SaaS) applications.
-* Internal resources, such as applications on an organization's corporate network and intranet, along with any cloud applications developed by that organization.
-
-Organizations can use Azure AD if they are 'pure cloud,' or as a 'hybrid' deployment if they have on-premises workloads. A hybrid deployment of Azure AD can be part of a strategy for an organization to migrate its IT assets to the cloud, or to continue to integrate existing on-premises infrastructure alongside new cloud services.
-
-Historically, 'hybrid' organizations have seen Azure AD as an extension of their existing on-premises infrastructure. In these deployments, the on-premises identity governance administration, Windows Server Active Directory or other in-house directory systems, are the control points, and users and groups are synced from those systems to a cloud directory such as Azure AD. Once those identities are in the cloud, they can be made available to Microsoft 365, Azure, and other applications.
-
-![Identity lifecycle](media/cloud-governed-management-for-on-premises//image1.png)
-
-As organizations move more of their IT infrastructure along with their applications to the cloud, many are looking for the improved security and simplified management capabilities of identity management as a service. The cloud-delivered IDaaS features in Azure AD accelerate the transition to cloud governed management by providing the solutions and capabilities that allow organizations to quickly adopt and move more of their identity management from traditional on-premises systems to Azure AD, while continuing to support existing as well as new applications.
-
-This paper outlines Microsoft's strategy for hybrid IDaaS and describes how organizations can use Azure AD for their existing applications.
-
-## The Azure AD approach to cloud governed identity management
-
-As organizations transition to the cloud, they need assurances that they have controls over their complete environment - more security and more visibility into activities, supported by automation, and proactive insights. "**Cloud governed management**" describes how organizations manage and govern their users, applications, groups, and devices from the cloud.
-
-In this modern world, organizations need to be able to manage effectively at scale, because of the proliferation of SaaS applications and the increasing role of collaboration and external identities. The new risk landscape of the cloud means an organization must be more responsive - a malicious actor who compromises a cloud user could affect cloud and on-premises applications.
-
-In particular, hybrid organizations need to be able to delegate and automate tasks, which historically IT did manually. To automate tasks, they need APIs and processes that orchestrate the lifecycle of the different identity-related resources (users, groups, applications, devices), so they can delegate the day-to-day management of those resources to more individuals outside of core IT staff. Azure AD addresses these requirements through user account management and native authentication for users without requiring on-premises identity infrastructure. Not building out on-premises infrastructure can benefit organizations that have new communities of users, such as business partners, which didn't originate in their on-premises directory, but whose access management is critical to achieving business outcomes.
-
-In addition, management isn't complete without governance and governance in this new world is an integrated part of the identity system rather than an add-on. Identity governance gives organizations the ability to manage the identity and access lifecycle across employees, business partners and vendors, and services and applications.
-
-Incorporating identity governance makes it easier to enable the organization to transition to cloud governed management, allows IT to scale, addresses new challenges with guests and provides deeper insights and automation than what customers had with on-premises infrastructure. Governance in this new world means the ability for an organization to have transparency, visibility, and proper controls on the access to resources within the organization. With Azure AD, security operations and audit teams have visibility into who has and who should have - access to what resources in the organization (on what devices), what those users are doing with that access, and whether the organization has and uses appropriate controls to remove or restrict access in accordance with company or regulatory policies.
-
-The new management model benefits organizations with both SaaS and line-of-business (LOB) applications, as they are more easily able to manage and secure access to those applications. By integrating applications with Azure AD, organizations will be able to use and manage access across both cloud and on-premises originated identities consistently. Application lifecycle management becomes more automated, and Azure AD provides rich insights into application usage that wasn't easily achievable in on-premises identity management. Through the Azure AD, Microsoft 365 groups and Teams self-service features, organizations can easily create groups for access management and collaboration and add or remove users in the cloud to enable collaboration and access management requirements.
-
-Selecting the right Azure AD capabilities for cloud governed management depends upon the applications to be used, and how those applications will be integrated with Azure AD. The following sections outline the approaches to take for AD-integrated applications, and applications that use federation protocols (for example, SAML, OAuth, or OpenID Connect).
-
-## Cloud governed management for AD-integrated applications
-
-Azure AD improves the management for an organization's on-premises Active Directory-integrated applications through secure remote access and Conditional Access to those applications. In addition, Azure AD also provides account lifecycle management and credential management for the user's existing AD accounts, including:
-
-* **Secure remote access and Conditional Access for on-premises applications**
-
-For many organizations, the first step in managing access from the cloud for on-premises AD-integrated web and remote desktop-based applications is to deploy the [application proxy](../app-proxy/application-proxy.md) in front of those applications to provide secure remote access.
-
-After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal. For example, Application Proxy provides remote access and single sign-on to Remote Desktop, SharePoint, as well as apps such as Tableau and Qlik, and line of business (LOB) applications. Furthermore, Conditional Access policies can include displaying the [terms of use](../conditional-access/terms-of-use.md) and [ensuring the user has agreed to them](../conditional-access/require-tou.md) before being able to access an application.
-
-![App Proxy architecture](media/cloud-governed-management-for-on-premises/image2.png)
-
-* **Automatic lifecycle management for Active Directory accounts**
-
-Identity governance helps organizations achieve a balance between *productivity* how quickly can a person have access to the resources they need, such as when they join the organization? and *security* how should their access change over time, such as when that person's employment status changes? Identity lifecycle management is the foundation for identity governance, and effective governance at scale requires modernizing the identity lifecycle management infrastructure for applications.
-
-For many organizations, identity lifecycle for employees is tied to the representation of that user in a human capital management (HCM) system. For organizations using Workday as their HCM system, Azure AD can ensure user accounts in AD are [automatically provisioned and deprovisioned for workers in Workday](../saas-apps/workday-inbound-tutorial.md). Doing so leads to improved user productivity through automation of birthright accounts and manages risk by ensuring application access is automatically updated when a user changes roles or leaves the organization. The Workday-driven user provisioning [deployment plan](https://aka.ms/WorkdayDeploymentPlan) is a step-by-step guide that walks organizations through the best practices implementation of Workday to Active Directory User Provisioning solution in a five-step process.
-
-Azure AD Premium also includes Microsoft Identity Manager, which can import records from other on-premises HCM systems, including SAP, Oracle eBusiness, and Oracle PeopleSoft.
-
-Business-to-business collaboration increasingly requires granting access to people outside your organization. [Azure AD B2B](/azure/active-directory/b2b/) collaboration enables organizations to securely share their applications and services with guest users and external partners while maintaining control over their own corporate data.
-
-Azure AD can [automatically create accounts in AD for guest users](../external-identities/hybrid-cloud-to-on-premises.md) as needed, enabling business guests to access on-premises AD-integrated applications without needing another password. Organizations can set up [multi-factor authentication (MFA) policies for guest user](../external-identities/authentication-conditional-access.md)s so MFA checks are done during application proxy authentication. Also, any [access reviews](../governance/manage-guest-access-with-access-reviews.md) that are done on cloud B2B users apply to on-premises users. For example, if the cloud user is deleted through lifecycle management policies, the on-premises user is also deleted.
-
-**Credential management for Active Directory accounts**
-Azure AD's self-service password reset allows users who have forgotten their passwords to be reauthenticated and reset their passwords, with the changed passwords [written to on-premises Active Directory](../authentication/concept-sspr-writeback.md). The password reset process can also use the on-premises Active Directory password policies: When a user resets their password, it's checked to ensure it meets the on-premises Active Directory policy before committing it to that directory. The self-service password reset [deployment plan](../authentication/howto-sspr-deployment.md) outlines best practices to roll out self-service password reset to users via web and Windows-integrated experiences.
-
-![Azure AD SSPR architecture](media/cloud-governed-management-for-on-premises/image3.png)
-
-Finally, for organizations that permit users to change their passwords in AD, AD can be configured to use the same password policy as the organization is using in Azure AD through the [Azure AD password protection feature](../authentication/concept-password-ban-bad-on-premises.md), currently in public preview.
-
-When an organization is ready to move an AD-integrated application to the cloud by moving the operating system hosting the application to Azure, [Azure AD Domain Services](../../active-directory-domain-services/overview.md) provides AD-compatible domain services (such as domain join, group policy, LDAP, and Kerberos/NTLM authentication). Azure AD Domain Services integrates with the organization's existing Azure AD tenant, making it possible for users to sign in using their corporate credentials. Additionally, existing groups and user accounts can be used to secure access to resources, ensuring a smoother 'lift-and-shift' of on-premises resources to Azure infrastructure services.
-
-![Azure AD Domain Services](media/cloud-governed-management-for-on-premises/image4.png)
-
-## Cloud governed management for on-premises federation-based applications
-
-For an organization that already uses an on-premises identity provider, moving applications to Azure AD enables more secure access and an easier administrative experience for federation management. Azure AD enables configuring granular per-application access controls, including Azure AD Multi-Factor Authentication, by using Azure AD Conditional Access. Azure AD supports more capabilities, including application-specific token signing certificates and configurable certificate expiration dates. These capabilities, tools, and guidance enable organizations to retire their on-premises identity providers. Microsoft's own IT, for one example, has moved 17,987 applications from Microsoft's internal Active Directory Federation Services (AD FS) to Azure AD.
-
-![Azure AD evolution](media/cloud-governed-management-for-on-premises/image5.png)
-
-To begin migrating federated applications to Azure AD as the identity provider, refer to https://aka.ms/migrateapps that includes links to:
-
-* The white paper [Migrating Your Applications to Azure Active Directory](https://aka.ms/migrateapps/whitepaper), which presents the benefits of migration and describes how to plan for migration in four clearly-outlined phases: discovery, classification, migration, and ongoing management. You'll be guided through how to think about the process and break down your project into easy-to-consume pieces. Throughout the document are links to important resources that will help you along the way.
-
-* The solution guide [Migrating Application Authentication from Active Directory Federation Services to Azure Active Directory](../manage-apps/migrate-adfs-apps-to-azure.md) explores in more detail the same four phases of planning and executing an application migration project. In this guide, you'll learn how to apply those phases to the specific goal of moving an application from Active Directory Federation Services (AD FS) to Azure AD.
-
-* The [Active Directory Federation Services Migration Readiness Script](https://aka.ms/migrateapps/adfstools) can be run on existing on-premises Active Directory Federation Services (AD FS) servers to determine the readiness of applications for migration to Azure AD.
-
-## Ongoing access management across cloud and on-premises applications
-
-Organizations need a process to manage access that is scalable. Users continue to accumulate access rights and end up with beyond what was initially provisioned for them. Furthermore, enterprise organizations need to be able to scale efficiently to develop and enforce access policy and controls on an ongoing basis.
-
-Typically, IT delegates access approval decisions to business decision makers. Furthermore, IT can involve the users themselves. For example, users that access confidential customer data in a company's marketing application in Europe need to know the company's policies. Guest users also may be unaware of the handling requirements for data in an organization to which they've been invited.
-
-Organizations can automate the access lifecycle process through technologies such as [dynamic groups](../enterprise-users/groups-dynamic-membership.md), coupled with user provisioning to [SaaS applications](../saas-apps/tutorial-list.md), or [applications integrated using the System for Cross-Domain Identity Management (SCIM)](../app-provisioning/use-scim-to-provision-users-and-groups.md)) standard. Organizations also can control which [guest users have access to on-premises applications](../external-identities/hybrid-cloud-to-on-premises.md). These access rights can then be regularly reviewed using recurring [Azure AD access reviews](../governance/access-reviews-overview.md).
-
-## Future directions
-
-In hybrid environments, Microsoft's strategy is to enable deployments where the **cloud is the control plane for identity**, and on-premises directories and other identity systems, such as Active Directory and other on-premises applications, are the target for provisioning users with access. This strategy will continue to ensure the rights, identities, and access in those applications and workloads that rely upon them. At this end state, organizations will be able to drive end-user productivity entirely from the cloud.
-
-![Azure AD architecture](media/cloud-governed-management-for-on-premises/image6.png)
-
-## Next steps
-
-For more information on how to get started on this journey, see the [Azure AD deployment plans](https://aka.ms/deploymentplans). These plans provide end-to-end guidance for deploying Azure Active Directory (Azure AD) capabilities. Each plan explains the business value, planning considerations, design, and operational procedures needed to successfully roll out common Azure AD capabilities. Microsoft continually updates the deployment plans with best practices learned from customer deployments and other feedback when we add new capabilities to managing from the cloud with Azure AD.
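Review bot: The entire cloud-governed-management article is deleted here, but the six images under `media/cloud-governed-management-for-on-premises/` and the inbound links from the migration guidance (`https://aka.ms/migrateapps`, the AD FS migration solution guide, the readiness script) are not touched in this hunk; confirm a redirect exists and that orphaned media is removed in the same change. If the text is instead being moved, carry over the defects rather than the stale claims: the image path `media/cloud-governed-management-for-on-premises//image1.png` has a doubled slash, the SCIM sentence has an unbalanced parenthesis (`...(SCIM)](../app-provisioning/use-scim-to-provision-users-and-groups.md)) standard`), and the statement that the Azure AD password protection feature is "currently in public preview" is dated and should not be reproduced unverified.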
active-directory Concept Attributes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/concept-attributes.md
+
+ Title: 'Understand the Azure AD schema and custom expressions'
+description: This article describes the Azure AD schema, the attributes that the provisioning agent flows, and custom expressions.
+
+documentationcenter: ''
++
+editor: ''
++
+ na
+ Last updated : 01/11/2023+++++++
+# Understand the Azure AD schema
+An object in Azure Active Directory (Azure AD), like any directory, is a programmatic high-level data construct that represents such things as users, groups, and contacts. When you create a new user or contact in Azure AD, you're creating a new instance of that object. These instances can be differentiated based on their properties.
+
+Properties in Azure AD are the elements responsible for storing information about an instance of an object in Azure AD.
+
+The Azure AD schema defines the rules for which properties might be used in an entry, the kinds of values that those properties might have, and how users might interact with those values.
+
+Azure AD has two types of properties:
+- **Built-in properties**: Properties that are predefined by the Azure AD schema. These properties provide different uses and might or might not be accessible.
+- **Directory extensions**: Properties that are provided so that you can customize Azure AD for your own use. For example, if you've extended your on-premises Active Directory with a certain attribute and want to flow that attribute, you can use one of the custom properties that's provided.
+
+## Attributes and expressions
+When an object such as a user is provisioned to Azure AD, a new instance of the user object is created. This creation includes the properties of that object, which are also known as attributes. Initially, the newly created object has its attributes set to values that are determined by the synchronization rules. These attributes are then kept up to date via the cloud provisioning agent.
+
+![Object provisioning](media/concept-attributes/attribute-1.png)
+
+For example, a user might be part of a Marketing department. Their Azure AD department attribute is initially created when they're provisioned, and the value is set to Marketing. Six months later if they change to Sales, their on-premises Active Directory department attribute is changed to Sales. This change synchronizes to Azure AD and is reflected in their Azure AD user object.
+
+Attribute synchronization might be direct, where the value in Azure AD is directly set to the value of the on-premises attribute. Or, a programmatic expression might handle the synchronization. A programmatic expression is needed in cases where some logic or a determination must be made to populate the value.
+
+For example, if you had the mail attribute "john.smith@contoso.com" and needed to strip out the "@contoso.com" portion and flow only the value "john.smith," you'd use something like this:
+
+`Replace([mail], "@contoso.com", , ,"", ,)`
+
+**Sample input/output:** <br>
+
+* **INPUT** (mail): "john.smith@contoso.com"
+* **OUTPUT**: "john.smith"
+
+For more information on how to write custom expressions and the syntax, see [Writing expressions for attribute mappings in Azure Active Directory](../../app-provisioning/functions-for-customizing-application-data.md).
+
+The following table lists common attributes and how they're synchronized to Azure AD.
++
+|On-premises Active Directory|Mapping type|Azure AD|
+|--|--|--|
+|cn|Direct|commonName
+|countryCode|Direct|countryCode|
+|displayName|Direct|displayName|
+|givenName|Expression|givenName|
+|objectGUID|Direct|sourceAnchorBinary|
+|userprincipalName|Direct|userPrincipalName|
+|ProxyAdress|Direct|ProxyAddress|
+
+## View the schema
+> [!WARNING]
+> The cloud sync configuration creates a service principal. The service principal is visible in the Azure portal. You should not modify the attribute mappings using the service principal experience in the Azure portal. This is not supported.
+
+To view the schema and verify it, follow these steps.
+
+1. Go to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
+1. Sign in with your global administrator account.
+1. On the left, select **modify permissions** and ensure that **Directory.ReadWrite.All** is *Consented*.
+1. Run the query `https://graph.microsoft.com/beta/serviceprincipals/?$filter=startswith(DisplayName, ΓÇÿ{sync config name}ΓÇÖ)`. This query returns a filtered list of service principals. This can also be acquired via the App Registration node under Azure Active Directory.
+1. Locate `"appDisplayName": "Active Directory to Azure Active Directory Provisioning"` and note the value for `"id"`.
+ ```
+ "value": [
+ {
+ "id": "00d41b14-7958-45ad-9d75-d52fa29e02a1",
+ "deletedDateTime": null,
+ "accountEnabled": true,
+ "appDisplayName": "Active Directory to Azure Active Directory Provisioning",
+ "appId": "1a4721b3-e57f-4451-ae87-ef078703ec94",
+ "applicationTemplateId": null,
+ "appOwnerOrganizationId": "47df5bb7-e6bc-4256-afb0-dd8c8e3c1ce8",
+ "appRoleAssignmentRequired": false,
+ "displayName": "Active Directory to Azure Active Directory Provisioning",
+ "errorUrl": null,
+ "homepage": "https://account.activedirectory.windowsazure.com:444/applications/default.aspx?metadata=AD2AADProvisioning|ISV9.1|primary|z",
+ "loginUrl": null,
+ "logoutUrl": null,
+ "notificationEmailAddresses": [],
+ "preferredSingleSignOnMode": null,
+ "preferredTokenSigningKeyEndDateTime": null,
+ "preferredTokenSigningKeyThumbprint": null,
+ "publisherName": "Active Directory Application Registry",
+ "replyUrls": [],
+ "samlMetadataUrl": null,
+ "samlSingleSignOnSettings": null,
+ "servicePrincipalNames": [
+ "http://adapplicationregistry.onmicrosoft.com/adprovisioningtoaad/primary",
+ "1a4721b3-e57f-4451-ae87-ef078703ec94"
+ ],
+ "signInAudience": "AzureADMultipleOrgs",
+ "tags": [
+ "WindowsAzureActiveDirectoryIntegratedApp"
+ ],
+ "addIns": [],
+ "api": {
+ "resourceSpecificApplicationPermissions": []
+ },
+ "appRoles": [
+ {
+ "allowedMemberTypes": [
+ "User"
+ ],
+ "description": "msiam_access",
+ "displayName": "msiam_access",
+ "id": "a0326856-1f51-4311-8ae7-a034d168eedf",
+ "isEnabled": true,
+ "origin": "Application",
+ "value": null
+ }
+ ],
+ "info": {
+ "termsOfServiceUrl": null,
+ "supportUrl": null,
+ "privacyStatementUrl": null,
+ "marketingUrl": null,
+ "logoUrl": null
+ },
+ "keyCredentials": [],
+ "publishedPermissionScopes": [
+ {
+ "adminConsentDescription": "Allow the application to access Active Directory to Azure Active Directory Provisioning on behalf of the signed-in user.",
+ "adminConsentDisplayName": "Access Active Directory to Azure Active Directory Provisioning",
+ "id": "d40ed463-646c-4efe-bb3e-3fa7d0006688",
+ "isEnabled": true,
+ "type": "User",
+ "userConsentDescription": "Allow the application to access Active Directory to Azure Active Directory Provisioning on your behalf.",
+ "userConsentDisplayName": "Access Active Directory to Azure Active Directory Provisioning",
+ "value": "user_impersonation"
+ }
+ ],
+ "passwordCredentials": []
+ },
+ ```
+1. Replace `{Service Principal id}` with your value, and run the query `https://graph.microsoft.com/beta/serviceprincipals/{Service Principal id}/synchronization/jobs/`.
+1. Locate `"id": "AD2AADProvisioning.fd1c9b9e8077402c8bc03a7186c8f976"` and note the value for `"id"`.
+ ```
+ {
+ "id": "AD2AADProvisioning.fd1c9b9e8077402c8bc03a7186c8f976",
+ "templateId": "AD2AADProvisioning",
+ "schedule": {
+ "expiration": null,
+ "interval": "PT2M",
+ "state": "Active"
+ },
+ "status": {
+ "countSuccessiveCompleteFailures": 0,
+ "escrowsPruned": false,
+ "code": "Active",
+ "lastSuccessfulExecutionWithExports": null,
+ "quarantine": null,
+ "steadyStateFirstAchievedTime": "2019-11-08T15:48:05.7360238Z",
+ "steadyStateLastAchievedTime": "2019-11-20T16:17:24.7957721Z",
+ "troubleshootingUrl": "",
+ "lastExecution": {
+ "activityIdentifier": "2dea06a7-2960-420d-931e-f6c807ebda24",
+ "countEntitled": 0,
+ "countEntitledForProvisioning": 0,
+ "countEscrowed": 15,
+ "countEscrowedRaw": 15,
+ "countExported": 0,
+ "countExports": 0,
+ "countImported": 0,
+ "countImportedDeltas": 0,
+ "countImportedReferenceDeltas": 0,
+ "state": "Succeeded",
+ "error": null,
+ "timeBegan": "2019-11-20T16:15:21.116098Z",
+ "timeEnded": "2019-11-20T16:17:24.7488681Z"
+ },
+ "lastSuccessfulExecution": {
+ "activityIdentifier": null,
+ "countEntitled": 0,
+ "countEntitledForProvisioning": 0,
+ "countEscrowed": 0,
+ "countEscrowedRaw": 0,
+ "countExported": 5,
+ "countExports": 0,
+ "countImported": 0,
+ "countImportedDeltas": 0,
+ "countImportedReferenceDeltas": 0,
+ "state": "Succeeded",
+ "error": null,
+ "timeBegan": "0001-01-01T00:00:00Z",
+ "timeEnded": "2019-11-20T14:09:46.8855027Z"
+ },
+ "progress": [],
+ "synchronizedEntryCountByType": [
+ {
+ "key": "group to Group",
+ "value": 33
+ },
+ {
+ "key": "user to User",
+ "value": 3
+ }
+ ]
+ },
+ "synchronizationJobSettings": [
+ {
+ "name": "Domain",
+ "value": "{\"DomainFQDN\":\"contoso.com\",\"DomainNetBios\":\"CONTOSO\",\"ForestFQDN\":\"contoso.com\",\"ForestNetBios\":\"CONTOSO\"}"
+ },
+ {
+ "name": "DomainFQDN",
+ "value": "contoso.com"
+ },
+ {
+ "name": "DomainNetBios",
+ "value": "CONTOSO"
+ },
+ {
+ "name": "ForestFQDN",
+ "value": "contoso.com"
+ },
+ {
+ "name": "ForestNetBios",
+ "value": "CONTOSO"
+ },
+ {
+ "name": "QuarantineTooManyDeletesThreshold",
+ "value": "500"
+ }
+ ]
+ }
+ ```
+1. Now run the query `https://graph.microsoft.com/beta/serviceprincipals/{Service Principal Id}/synchronization/jobs/{AD2AAD Provisioning id}/schema`.
+
++
+ Replace `{Service Principal Id}` and `{AD2ADD Provisioning Id}` with your values.
+
+1. This query returns the schema.
+
+ ![Returned schema](media/concept-attributes/schema-1.png)
+
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
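Review bot: the placeholder in the "Replace" sentence (`{AD2ADD Provisioning Id}`) doesn't match the placeholder used in the query two lines above it (`{AD2AAD Provisioning id}`), nor the job id prefix `AD2AADProvisioning` the reader was told to note earlier; use one spelling, ideally `{AD2AAD Provisioning id}`, so the reader substitutes the right value. The stray `+` line and the surrounding blank lines between the query step and the "Replace ..." sentence also push that sentence out of the numbered list, so it renders as a separate paragraph rather than part of the step; indent it under the step.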
active-directory Concept How It Works https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/concept-how-it-works.md
+
+ Title: 'Azure AD Connect cloud sync deep dive - how it works'
+description: This topic provides deep dive information on how cloud sync works.
+++++++ Last updated : 01/11/2023+++++
+# Cloud sync deep dive - how it works
+
+## Overview of components
+
+![How it works](media/concept-how-it-works/how-1.png)
+
+Cloud sync is built on top of the Azure AD services and has 2 key components:
+
+- **Provisioning agent**: The Azure AD Connect cloud provisioning agent is the same agent as Workday inbound and built on the same server-side technology as app proxy and Pass Through Authentication. It requires an outbound connection only and agents are auto-updated.
+- **Provisioning service**: Same provisioning service as outbound provisioning and Workday inbound provisioning, which uses a scheduler-based model. Cloud sync provisions change every 2 mins.
++
+## Initial setup
+During initial setup, a few things are done that makes cloud sync happen.
+
+- **During agent installation**: You configure the agent for the AD domains you want to provision from. This configuration registers the domains in the hybrid identity service and establishes an outbound connection to the service bus listening for requests.
+- **When you enable provisioning**: You select the AD domain and enable provisioning, which runs every 2 mins. Optionally you may deselect password hash sync and define notification email. You can also manage attribute transformation using Microsoft Graph APIs.
++
+## Agent installation
+The following items occur when the cloud provisioning agent is installed.
+
+- First, the Installer installs the Agent binaries and the Agent Service running under the Virtual Service Account (NETWORK SERVICE\AADProvisioningAgent). A virtual service account is a special type of account that doesn't have a password and is managed by Windows.
+- The Installer then starts the Wizard.
+- The Wizard will prompt for Azure AD credentials, will then authenticate, and retrieve a token.
+- The wizard then asks for the current machine Domain Administrators credentials.
+- Using these credentials, the agent general managed service account (GMSA) for this domain is either created or located and reused if it already exists.
+- The agent service is now reconfigured to run under the GMSA.
+- The wizard now asks for domain configuration along with the Enterprise Admin (EA)/Domain Admin(DA) Account for each domain you want the agent to service.
+- The GMSA account is then updated with permissions that enable it access to each domain entered during setup.
+- Next, the wizard triggers agent registration
+- The agent creates a certificate and using the Azure AD token, registers itself and the certificate with the Hybrid Identity Service(HIS) Registration Service
+- The Wizard triggers an AgentResourceGrouping call. This call to HIS Admin Service is to assign the agent to one or more AD Domains in the HIS configuration.
+- The wizard now restarts the agent service.
+- The agent calls a Bootstrap Service on restart (and every 10 mins afterwards) to check for configuration updates. The bootstrap service validates the agent identity. It also updates the last bootstrap time. This is important because if agents don't bootstrap, they aren't getting updated Service Bus endpoints and may not be able to receive requests.
++
+## What is System for Cross-domain Identity Management (SCIM)?
+
+The [SCIM specification](https://tools.ietf.org/html/draft-scim-core-schema-01) is a standard that is used to automate the exchanging of user or group identity information between identity domains such as Azure AD. SCIM is becoming the de facto standard for provisioning and, when used with federation standards like SAML or OpenID Connect, provides administrators an end-to-end standards-based solution for access management.
+
+The Azure AD Connect cloud provisioning agent uses SCIM with Azure AD to provision and deprovision users and groups.
+
+## Synchronization flow
+![provisioning](media/concept-how-it-works/provisioning-4.png)
+Once you've installed the agent and enabled provisioning, the following flow occurs.
+
+1. Once configured, the Azure AD Provisioning service calls the Azure AD hybrid service to add a request to the Service bus. The agent constantly maintains an outbound connection to the Service Bus listening for requests and picks up the System for Cross-domain Identity Management (SCIM) request immediately.
+2. The agent breaks up the request into separate queries based on object type.
+3. AD returns the result to the agent and the agent filters this data before sending it to Azure AD.
+4. Agent returns the SCIM response to Azure AD. These responses are based on the filtering that happened within the agent. The agent uses scoping to filter the results.
+5. The provisioning service writes the changes to Azure AD.
+6. If a delta Sync occurs, as opposed to a full sync, then the cookie/watermark is used. New queries will get changes from that cookie/watermark onwards.
+
+## Supported scenarios:
+The following scenarios are supported for cloud sync.
++
+- **Existing hybrid customer with a new forest**: Azure AD Connect sync is used for primary forests. Cloud sync is used for provisioning from an AD forest (including disconnected). For more information, see the tutorial [here](tutorial-existing-forest.md).
+
+ ![Existing hybrid](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
+- **New hybrid customer**: Azure AD Connect sync isn't used. Cloud sync is used for provisioning from an AD forest. For more information, see the tutorial [here](tutorial-single-forest.md).
+
+ ![New customers](media/tutorial-single-forest/diagram-2.png)
+
+- **Existing hybrid customer**: Azure AD Connect sync is used for primary forests. Cloud sync is piloted for a small set of users in the primary forests [here](tutorial-existing-forest.md).
+
+ ![Existing pilot](media/tutorial-migrate-aadc-aadccp/diagram-2.png)
+
+For more information, see [Supported topologies](plan-cloud-sync-topologies.md).
+++
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
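Review bot: in the "Agent installation" list, "general managed service account (GMSA)" should read "group managed service account (gMSA)", which is the Windows term; the virtual account shown as `NETWORK SERVICE\AADProvisioningAgent` should also be checked, since Windows virtual accounts take the form `NT SERVICE\<service name>`. The list says the wizard collects the machine's Domain Administrator credentials and an Enterprise Admin/Domain Admin account per domain, but never states whether those credentials are used only to create or locate the gMSA and grant it permissions, or are retained afterwards; that is the first thing a reader assessing least privilege will ask, so say it explicitly. Minor: the "Supported scenarios:" heading has a trailing colon, and the stray `++` lines after sections are leftover diff noise.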
active-directory Custom Attribute Mapping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/custom-attribute-mapping.md
+
+ Title: 'Azure AD Connect cloud sync directory extensions and custom attribute mapping'
+description: This topic provides information on custom attribute mapping in cloud sync.
+++++++ Last updated : 01/12/2023+++++++
+# Cloud Sync directory extensions and custom attribute mapping
+
+## Directory extensions
+You can use directory extensions to extend the schema in Azure Active Directory (Azure AD) with your own attributes from on-premises Active Directory. This feature enables you to build LOB apps by consuming attributes that you continue to manage on-premises.
+
+For additional information on directory extensions see [Using directory extension attributes in claims](../../develop/active-directory-schema-extensions.md)
+
+ You can see the available attributes by using [Microsoft Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). You can also use this feature to create dynamic groups in Azure AD.
+
+>[!NOTE]
+> In order to discover new Active Directory extension attributes, the provisioning agent needs to be restarted. You should restart the agent after the directory extensions have been created. For Azure AD extension attributes, the agent doesn't need to be restarted.
+
+## Syncing directory extensions for Azure Active Directory Connect cloud sync
+
+You can use [directory extensions](/graph/api/resources/extensionproperty?view=graph-rest-1.0&preserve-view=true) to extend the synchronization schema directory definition in Azure Active Directory (Azure AD) with your own attributes.
+
+>[!Important]
+> Directory extension for Azure Active Directory Connect cloud sync is only supported for applications with the identifier URI ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsAppΓÇ¥ and the [Tenant Schema Extension App](../connect/how-to-connect-sync-feature-directory-extensions.md#configuration-changes-in-azure-ad-made-by-the-wizard) created by Azure AD Connect
+
+### Create application and service principal for directory extension
+
+You need to create an [application](/graph/api/resources/application?view=graph-rest-1.0&preserve-view=true) with the identifier URI "api://&LT;tenantId&GT;/CloudSyncCustomExtensionsApp" if it doesn't exist and create a service principal for the application if it doesn't exist.
++
+ 1. Check if application with the identifier URI "api://&LT;tenantId&GT;/CloudSyncCustomExtensionsApp" exists.
+
+ - Using Microsoft Graph
+
+ ```
+ GET /applications?$filter=identifierUris/any(uri:uri eq 'api://<tenantId>/CloudSyncCustomExtensionsApp')
+ ```
+
+ For more information, see [Get application](/graph/api/application-get?view=graph-rest-1.0&tabs=http&preserve-view=true)
+
+ - Using PowerShell
+
+ ```
+ Get-AzureADApplication -Filter "identifierUris/any(uri:uri eq 'api://<tenantId>/CloudSyncCustomExtensionsApp')"
+ ```
+
+ For more information, see [Get-AzureADApplication](/powershell/module/azuread/get-azureadapplication?view=azureadps-2.0&preserve-view=true)
+
+ 2. If the application doesn't exist, create the application with identifier URI ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsApp.ΓÇ¥
+
+ - Using Microsoft Graph
+ ```
+ POST https://graph.microsoft.com/v1.0/applications
+ Content-type: application/json
+
+ {
+ "displayName": "CloudSyncCustomExtensionsApp",
+ "identifierUris": ["api://<tenant id>/CloudSyncCustomExtensionsApp"]
+ }
+ ```
+ For more information, see [create application](/graph/api/application-post-applications?view=graph-rest-1.0&tabs=http&preserve-view=true)
+
+ - Using PowerShell
+ ```
+ New-AzureADApplication -DisplayName "CloudSyncCustomExtensionsApp" -IdentifierUris "api://<tenant id>/CloudSyncCustomExtensionsApp"
+ ```
+ For more information, see [New-AzureADApplication](/powershell/module/azuread/new-azureadapplication?view=azureadps-2.0&preserve-view=true)
+
+
+
+ 3. Check if the service principal exists for the application with identifier URI ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsAppΓÇ¥.
+
+ - Using Microsoft Graph
+ ```
+ GET /servicePrincipals?$filter=(appId eq '{appId}')
+ ```
+ For more information, see [get service principal](/graph/api/serviceprincipal-get?view=graph-rest-1.0&tabs=http&preserve-view=true)
+
+ - Using PowerShell
+ ```
+ Get-AzureADServicePrincipal -ObjectId '<application objectid>'
+ ```
+ For more information, see [Get-AzureADServicePrincipal](/powershell/module/azuread/get-azureadserviceprincipal?view=azureadps-2.0&preserve-view=true&preserve-view=true)
+
+
+ 4. If a service principal doesn't exist, create a new service principal for the application with identifier URI ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsAppΓÇ¥
+
+ - Using Microsoft Graph
+ ```
+ POST https://graph.microsoft.com/v1.0/servicePrincipals
+ Content-type: application/json
+
+ {
+ "appId":
+ "<application appId>"
+ }
+ ```
+ For more information, see [create servicePrincipal](/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=http&preserve-view=true)
+
+ - Using PowerShell
+
+ ```
+ New-AzureADServicePrincipal -AppId '<appId>'
+ ```
+ For more information, see [New-AzureADServicePrincipal](/powershell/module/azuread/new-azureadserviceprincipal?view=azureadps-2.0&preserve-view=true)
+
+ 5. You can create directory extensions in Azure AD in several different ways.
+
+|Method|Description|URL|
+|--|--|--|
+|MS Graph|Create extensions using GRAPH|[Create extensionProperty](/graph/api/application-post-extensionproperty?view=graph-rest-1.0&tabs=http&preserve-view=true)|
+|PowerShell|Create extensions using PowerShell|[New-AzureADApplicationExtensionProperty](/powershell/module/azuread/new-azureadapplicationextensionproperty?view=azureadps-2.0&preserve-view=true)|
+Using Cloud Sync and Azure AD Connect|Create extensions using Azure AD Connect|[Create an extension attribute using Azure AD Connect](../../app-provisioning/user-provisioning-sync-attributes-for-mapping.md#create-an-extension-attribute-using-azure-ad-connect)|
+|Customizing attributes to sync|Information on customizing which attributes to synch|[Customize which attributes to synchronize with Azure AD](../connect/how-to-connect-sync-feature-directory-extensions.md#customize-which-attributes-to-synchronize-with-azure-ad)
+
+## Use attribute mapping to map Directory Extensions
+If you have extended Active Directory to include custom attributes, you can add these attributes and map them to users.
+
+To discover and map attributes, click **Add attribute mapping**. The attributes will automatically be discovered and will be available in the drop-down under **source attribute**. Fill in the type of mapping you want and click **Apply**.
+ [![Custom attribute mapping](media/custom-attribute-mapping/schema-1.png)](media/custom-attribute-mapping/schema-1.png#lightbox)
+
+For information on new attributes that are added and updated in Azure AD see the [user resource type](/graph/api/resources/user?view=graph-rest-1.0#properties&preserve-view=true) and consider subscribing to [change notifications](/graph/webhooks).
+
+For more information on extension attributes, see [Syncing extension attributes for Azure Active Directory Application Provisioning](../../app-provisioning/user-provisioning-sync-attributes-for-mapping.md)
+
+## Additional resources
+
+- [Understand the Azure AD schema and custom expressions](concept-attributes.md)
+- [Azure AD Connect sync: Directory extensions](../connect/how-to-connect-sync-feature-directory-extensions.md)
+- [Attribute mapping in Azure AD Connect cloud sync](how-to-attribute-mapping.md)
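Review bot: in step 3 the PowerShell example `Get-AzureADServicePrincipal -ObjectId '<application objectid>'` is not equivalent to the Graph query beside it (`GET /servicePrincipals?$filter=(appId eq '{appId}')`): the application object id is a different object from the service principal, so looking up the service principal by it will not find it. Use the filter form instead, e.g. `Get-AzureADServicePrincipal -Filter "appId eq '<appId>'"`. The identifier URI appears with mojibake quotes (`ΓÇ£api://&LT;tenantId&GT;/CloudSyncCustomExtensionsAppΓÇ¥`) in the Important box and in steps 2, 3 and 4, and the angle brackets are HTML-escaped; write it as plain `"api://<tenantId>/CloudSyncCustomExtensionsApp"` as step 1 does. In the methods table the third row lacks its leading `|` and the fourth lacks its trailing `|`, so those rows will not render.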
active-directory How To Accidental Deletes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-accidental-deletes.md
+
+ Title: 'Azure AD Connect cloud sync accidental deletes'
+description: This topic describes how to use the accidental delete feature to prevent deletions.
++++++ Last updated : 01/11/2023+++++
+# Accidental delete prevention
+
+The following document describes the accidental deletion feature for Azure AD Connect cloud sync. The accidental delete feature is designed to protect you from accidental configuration changes and changes to your on-premises directory that would affect many users and groups. This feature allows you to:
+
+- configure the ability to prevent accidental deletes automatically.
+- Set the # of objects (threshold) beyond which the configuration takes effect
+- set up a notification email address so they can get an email notification once the sync job in question is put in quarantine for this scenario
+
+To use this feature, you set the threshold for the number of objects that, if deleted, synchronization should stop. So if this number is reached, the synchronization stops and a notification is sent to the email that is specified. This notification allows you to investigate what is going on.
+
+For more information and an example, see the following video.
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWK5mV]
++
+## Configure accidental delete prevention
+To use the new feature, follow the steps below.
++
+ 1. In the Azure portal, select **Azure Active Directory**.
+ 2. On the left, select **Azure AD Connect**.
+ 3. On the left, select **Cloud sync**.
+4. Under **Configuration**, select your configuration.
+5. Select **View default properties**.
+6. Click the pencil next to **Basics**
+5. On the right, fill in the following information.
+ - **Notification email** - email used for notifications
+ - **Prevent accidental deletions** - check this box to enable the feature
+ - **Accidental deletion threshold** - enter the number of objects to stop synchronization and send a notification
++
+## Recovering from an accidental delete instance
+If you encounter an accidental delete you see this message on the status of your provisioning agent configuration. It says **Delete threshold exceeded**.
+
+![Accidental delete status](media/how-to-accidental-deletes/delete-1.png)
+
+By clicking on **Delete threshold exceeded**, you'll see the sync status info. This action will provide more details.
+
+ ![Sync status](media/how-to-accidental-deletes/delete-2.png)
+
+By right-clicking on the ellipses, you get the following options:
+ - View provisioning log
+ - View agent
+ - Allow deletes
+
+ ![Right click](media/how-to-accidental-deletes/delete-3.png)
+
+Using **View provisioning log**, you can see the **StagedDelete** entries and review the information provided on the users that have been deleted.
+
+ ![Provisioning logs](media/how-to-accidental-deletes/delete-7.png)
+
+### Allowing deletes
+
+The **Allow deletes** action, deletes the objects that triggered the accidental delete threshold. Use the following procedure to accept these deletes.
+
+1. Right-click on the ellipses and select **Allow deletes**.
+2. Click **Yes** on the confirmation to allow the deletions.
+
+ ![Yes on confirmation](media/how-to-accidental-deletes/delete-4.png)
+
+3. You'll see confirmation that the deletions were accepted and the status will return to healthy with the next cycle.
+
+ ![Accept deletes](media/how-to-accidental-deletes/delete-8.png)
+
+### Rejecting deletions
+
+If you don't want to allow the deletions, you need to do the following actions:
+- investigate the source of the deletions
+- fix the issue (example, OU was moved out of scope accidentally and you've now readded it back to the scope)
+- Run **Restart sync** on the agent configuration
+
+## Next steps
+
+- [Azure AD Connect cloud sync troubleshooting?](how-to-troubleshoot.md)
+- [Azure AD Connect cloud sync error codes](reference-error-codes.md)
+
+
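Review bot: the configuration steps are numbered 1 to 6 and then return to 5 for the final step ("5. On the right, fill in the following information"), so renumber it 7. The article never states the threshold's default value, yet the synchronization job settings sample earlier on this page shows `"QuarantineTooManyDeletesThreshold"` with `"value": "500"`; stating the default here (and which job setting backs it) would tell readers what protection they have before they change anything. Smaller points: the three bullets in the intro mix capitalized and lowercase starts and the third is written from a third-party "they" viewpoint; the sentence "you set the threshold for the number of objects that, if deleted, synchronization should stop" should be reworded (for example "the number of deletions at which synchronization stops"); and the link text "Azure AD Connect cloud sync troubleshooting?" under Next steps has a stray question mark.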
active-directory How To Attribute Mapping https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-attribute-mapping.md
+
+ Title: 'Attribute mapping in Azure AD Connect cloud sync'
+description: This article describes how to use the cloud sync feature of Azure AD Connect to map attributes.
++++++ Last updated : 01/20/2023+++++
+# Attribute mapping in Azure AD Connect cloud sync
+
+You can use the cloud sync attribute mapping feature to map attributes between your on-premises user or group objects and the objects in Azure AD.
+
+ :::image type="content" source="media/how-to-attribute-mapping/new-ux-mapping-1.png" alt-text="Screenshot of new UX screen attribute mapping." lightbox="media/how-to-attribute-mapping/new-ux-mapping-1.png":::
+
+You can customize (change, delete, or create) the default attribute mappings according to your business needs. For a list of attributes that are synchronized, see [Attributes synchronized to Azure Active Directory](../connect/reference-connect-sync-attributes-synchronized.md).
+
+> [!NOTE]
+> This article describes how to use the Azure portal to map attributes. For information on using Microsoft Graph, see [Transformations](how-to-transformation.md).
+
+## Understand types of attribute mapping
+With attribute mapping, you control how attributes are populated in Azure AD. Azure AD supports four mapping types:
+
+|Mapping Type|Description|
+|--|--|
+|**Direct**|The target attribute is populated with the value of an attribute of the linked object in Active Directory.|
+|**Constant**|The target attribute is populated with a specific string that you specify.|
+|**Expression**|The target attribute is populated based on the result of a script-like expression. For more information, see [Expression Builder](how-to-expression-builder.md) and [Writing expressions for attribute mappings in Azure Active Directory](reference-expressions.md).|
+|**None**|The target attribute is left unmodified. However, if the target attribute is ever empty, it's populated with the default value that you specify.|
+
+Along with these basic types, custom attribute mappings support the concept of an optional *default* value assignment. The default value assignment ensures that a target attribute is populated with a value if Azure AD or the target object doesn't have a value. The most common configuration is to leave this blank.
+
+## Schema updates and mappings
+Cloud sync will occasionally update the schema and the list of default attributes that are [synchronized](../connect/reference-connect-sync-attributes-synchronized.md). These default attribute mappings will be available for new installations but will not automatically be added to existing installations. To add these mappings you can follow the steps below.
++
+ 1. Click on ΓÇ£add attribute mappingΓÇ¥
+ 2. Select the Target attribute dropdown
+ 3. You should see the new attributes that are available here.
+
+The following is a list of new mappings that were added.
+
+Attribute Added | Mapping Type | Added with Agent Version
+| -- | --| --|
+|preferredDatalocation|Direct|1.1.359.0|
+|EmployeeNumber|Direct|1.1.359.0|
+|UserType|Direct|1.1.359.0|
+
+For more information on how to map UserType, see [Map UserType with cloud sync](how-to-map-usertype.md).
+
+## Understand properties of attribute mappings
+
+Along with the type property, attribute mappings support certain attributes. These attributes will depend on the type of mapping you have selected. The following sections describe the supported attribute mappings for each of the individual types. The following type of attribute mapping is available.
+- Direct
+- Constant
+- Expression
+
+### Direct mapping attributes
+The following are the attributes supported by a direct mapping:
+
+- **Source attribute**: The user attribute from the source system (example: Active Directory).
+- **Target attribute**: The user attribute in the target system (example: Azure Active Directory).
+- **Default value if null (optional)**: The value that will be passed to the target system if the source attribute is null. This value will be provisioned only when a user is created. It won't be provisioned when you're updating an existing user.
+- **Apply this mapping**:
+ - **Always**: Apply this mapping on both user-creation and update actions.
+ - **Only during creation**: Apply this mapping only on user-creation actions.
++
+### Constant mapping attributes
+The following are the attributes supported by a constant mapping:
+
+- **Constant value**: The value that you want to apply to the target attribute.
+- **Target attribute**: The user attribute in the target system (example: Azure Active Directory).
+- **Apply this mapping**:
+ - **Always**: Apply this mapping on both user-creation and update actions.
+ - **Only during creation**: Apply this mapping only on user-creation actions.
+
+### Expression mapping attributes
+The following are the attributes supported by an expression mapping:
+
+- **Expression**: This is the expression that is going to be applied to the target attribute. For more information, see [Expression Builder](how-to-expression-builder.md) and [Writing expressions for attribute mappings in Azure Active Directory](reference-expressions.md).
+- **Default value if null (optional)**: The value that will be passed to the target system if the source attribute is null. This value will be provisioned only when a user is created. It won't be provisioned when you're updating an existing user.
+- **Target attribute**: The user attribute in the target system (example: Azure Active Directory).
+
+- **Apply this mapping**:
+ - **Always**: Apply this mapping on both user-creation and update actions.
+ - **Only during creation**: Apply this mapping only on user-creation actions.
+
+## Add an attribute mapping
+
+To use attribute mapping, follow these steps:
+
+ 1. In the Azure portal, select **Azure Active Directory**.
+ 2. On the left, select **Azure AD Connect**.
+ 3. On the left, select **Cloud sync**.
+
+ :::image type="content" source="media/how-to-on-demand-provision/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="media/how-to-on-demand-provision/new-ux-1.png":::
+
+ 4. Under **Configuration**, select your configuration.
+ 5. On the left, select **Attribute mapping**.
+ 6. At the top, ensure that you have the correct object type selected. That is, user, group, or contact.
+ 7. Click **Add attribute mapping**.
+
+ :::image type="content" source="media/how-to-attribute-mapping/new-ux-mapping-3.png" alt-text="Screenshot of adding an attribute mapping." lightbox="media/how-to-attribute-mapping/new-ux-mapping-3.png":::
+
+ 8. Select the mapping type. This can be one of the following:
+ - **Direct**: The target attribute is populated with the value of an attribute of the linked object in Active Directory.
+ - **Constant**: The target attribute is populated with a specific string that you specify.
+ - **Expression**: The target attribute is populated based on the result of a script-like expression.
+ - **None**: The target attribute is left unmodified.
+
+ 9. Depending on what you have selected in the previous step, different options will be available for filling in.
+ 10. Select when to apply this mapping, and then select **Apply**.
+ :::image type="content" source="media/how-to-attribute-mapping/new-ux-mapping-4.png" alt-text="Screenshot of saving an attribute mapping." lightbox="media/how-to-attribute-mapping/new-ux-mapping-4.png":::
+
+ 11. Back on the **Attribute mappings** screen, you should see your new attribute mapping.
+ 12. Select **Save schema**. You will be notified that once you save the schema, a synchronization will occur. Click **OK**.
+ :::image type="content" source="media/how-to-attribute-mapping/new-ux-mapping-5.png" alt-text="Screenshot of saving schema." lightbox="media/how-to-attribute-mapping/new-ux-mapping-5.png":::
+
+ 13. Once the save is successful you will see a notification on the right.
+
+ :::image type="content" source="media/how-to-attribute-mapping/new-ux-mapping-6.png" alt-text="Screenshot of successful schema save." lightbox="media/how-to-attribute-mapping/new-ux-mapping-6.png":::
+
+## Test your attribute mapping
+
+To test your attribute mapping, you can use [on-demand provisioning](how-to-on-demand-provision.md):
+
+ 1. In the Azure portal, select **Azure Active Directory**.
+ 2. On the left, select **Azure AD Connect**.
+ 3. On the left, select **Cloud sync**.
+ 4. Under **Configuration**, select your configuration.
+ 5. On the left, select **Provision on demand**.
+ 6. Enter the distinguished name of a user and select the **Provision** button.
+
+ :::image type="content" source="media/how-to-on-demand-provision/new-ux-2.png" alt-text="Screenshot of user distinguished name." lightbox="media/how-to-on-demand-provision/new-ux-2.png":::
+
+ 7. After provisioning finishes, a success screen appears with four green check marks. Any errors appear to the left.
+
+ :::image type="content" source="media/how-to-on-demand-provision/new-ux-3.png" alt-text="Screenshot of on-demand success." lightbox="media/how-to-on-demand-provision/new-ux-3.png":::
++++++++
+## Next steps
+
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+- [Writing expressions for attribute mappings](reference-expressions.md)
+- [How to use expression builder with cloud sync](how-to-expression-builder.md)
+- [Attributes synchronized to Azure Active Directory](../connect/reference-connect-sync-attributes-synchronized.md)
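Review bot: "Understand properties of attribute mappings" opens by saying the following sections cover each of the individual types, but the list that follows names only Direct, Constant and Expression, while the mapping-type table above lists four (including None); either add None with its properties or state that it has none beyond the target attribute and default value. The "new mappings" table header `Attribute Added | Mapping Type | Added with Agent Version` lacks its leading `|`, so it will not render as the table header. The step "Click on ΓÇ£add attribute mappingΓÇ¥" carries mojibake quotes; write it as **Add attribute mapping** to match the button name used later in the article. The run of `++++++++` before "Next steps" is leftover diff noise.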
active-directory How To Automatic Upgrade https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-automatic-upgrade.md
+
+ Title: 'Azure AD Connect cloud provisioning agent: Automatic upgrade'
+description: This article describes the built-in automatic upgrade feature in the Azure AD Connect cloud provisioning agent.
+
+documentationcenter: ''
++
+editor: ''
++
+ na
+ Last updated : 01/11/2023+++++
+# Azure AD Connect cloud provisioning agent: Automatic upgrade
+
+Making sure your Azure Active Directory (Azure AD) Connect cloud provisioning agent installation is always up to date is easy with the automatic upgrade feature.
+
+The agent is installed here: "Program files\Azure AD Connect Provisioning Agent\AADConnectProvisioningAgent.exe"
+
+To verify your version, right-click the executable and select properties and then details.
+
+![Agent file version](media/how-to-automatic-upgrade/agent-1.png)
+
+The agent updater is installed here: "Program files\Azure AD Connect Provisioning Agent Updater\AzureADConnectAgentUpdater.exe"
+
+To verify your version, right-click the executable and select properties and then details.
+
+![Agent updater version](media/how-to-automatic-upgrade/agent-2.png)
+
+## Uninstall the agent
+To remove the agent, go to **Uninstall or change a program** and uninstall the following:
+
+- **Microsoft Azure AD Connect Agent Updater**
+- **Microsoft Azure AD Connect Provisioning Agent**
+- **Microsoft Azure AD Connect Provisioning Agent Package**
+
+![Agent removal](media/how-to-automatic-upgrade/agent-3.png)
+
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+
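Review bot: the article is titled "Automatic upgrade" but never says what the updater does, how upgrades are delivered, or how to confirm the updater is actually running, so a reader cannot tell whether the agent is being kept current; add at least a sentence on the mechanism and a way to read the installed version without the Properties dialog, for example `(Get-Item 'C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\AADConnectProvisioningAgent.exe').VersionInfo.ProductVersion`. The two paths in "The agent is installed here" and "The agent updater is installed here" omit the `Microsoft` prefix that the uninstall list ("Microsoft Azure AD Connect Provisioning Agent") and the gMSA cmdlets article in this same change (`C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll`) both use; one of the two spellings is wrong and they should be reconciled. The uninstall list gives three products with no order; since the Updater is a separate product, say whether it must be removed before or after the agent and whether removing the agent alone leaves the updater behind.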
active-directory How To Cloud Sync Workbook https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-cloud-sync-workbook.md
+
+ Title: 'Azure AD cloud sync insights workbook'
+description: This article describes the Azure Monitor workbook for cloud sync.
++++++ Last updated : 01/26/2023+++++++
+# Azure AD cloud sync insights workbook
+The Cloud sync workbook provides a flexible canvas for data analysis. The workbook allows you to create rich visual reports within the Azure portal. To learn more, see Azure Monitor Workbooks overview.
+
+This workbook is intended for Hybrid Identity Admins who use cloud sync to sync users from AD to Azure AD. It allows admins to gain insights into sync status and details.
+
+The workbook can be accessed by select **Insights** on the left hand side of the cloud sync page.
++
+ :::image type="content" source="media/how-to-cloud-sync-workbook/workbook-1.png" alt-text="Screenshot of the cloud sync workbook." lightbox="media/how-to-cloud-sync-workbook/workbook-1.png":::
+
+>[!NOTE]
+>The Insights node is available at both the all configurations level and the individual configuration level. To view information on individual configurations select the Job Id for the configuration.
+
+This workbook:
+
+- Provides a synchronization summary of users and groups synchronized from AD to Azure AD
+- Provides a detailed view of information captured by the cloud sync provisioning logs.
+- Allows you to customize the data to tailor it to your specific needs
+++
+|Field|Description|
+|--|--|
+|Date|The range that you want to view data on.|
+|Status|View the provisioning status such as Success or Skipped.|
+|Action|View the provisioning actions taken such as Create or Delete.|
+|Job Id|Allows you to target specific Job Ids. This can be used to see individual configuration data if you have multiple configurations.|
+|SyncType|Filter by type of synchronization such as object or password.|
++
+## Enabling provisioning logs
+
+You should already be familiar with Azure monitoring and Log Analytics. If not, jump over to learn about them and then come back to learn about application provisioning logs. To learn more about Azure monitoring, see [Azure Monitor overview](../../../azure-monitor/overview.md). To learn more about Azure Monitor logs and Log Analytics, see [Overview of log queries in Azure Monitor](../../../azure-monitor/logs/log-query-overview.md) and [Provisioning Logs for troubleshooting cloud sync](how-to-troubleshoot.md).
+
+## Sync summary
+The sync summary section provides a summary of your organizations synchronization activities. These activities include:
+ - Sync actions per day by action
+ - Sync actions per day by status
+ - Unique sync count by status
+ - Recent sync errors
+++
+ :::image type="content" source="media/how-to-cloud-sync-workbook/workbook-2.png" alt-text="Screenshot of the cloud sync summary." lightbox="media/how-to-cloud-sync-workbook/workbook-2.png":::
++
+## Sync details
+The sync details tab allows you to drill into the synchronization data and get more information. This information includes:
+ - Objects sync by status
+ - Sync log details
+
+ :::image type="content" source="media/how-to-cloud-sync-workbook/workbook-3.png" alt-text="Screenshot of the cloud sync details." lightbox="media/how-to-cloud-sync-workbook/workbook-3.png":::
+
+You can further drill in to the sync log details for additional information.
+
+ :::image type="content" source="media/how-to-cloud-sync-workbook/workbook-4.png" alt-text="Screenshot of the log details." lightbox="media/how-to-cloud-sync-workbook/workbook-4.png":::
+
+## Job Id
+A Job Id will be created for each configuration when it runs and is populated with data. You can look at individual configuration based on Job Id.
+++
+## Custom queries
+
+You can create custom queries and show the data on Azure dashboards. To learn how, see [Create and share dashboards of Log Analytics data](../../../azure-monitor/logs/get-started-queries.md). Also, be sure to check out [Overview of log queries in Azure Monitor](../../../azure-monitor/logs/log-query-overview.md).
+
+## Custom alerts
+
+Azure Monitor lets you configure custom alerts so that you can get notified about key events related to Provisioning. For example, you might want to receive an alert on spikes in failures. Or perhaps spikes in disables or deletes. Another example of where you might want to be alerted is a lack of any provisioning, which indicates something is wrong.
+
+To learn more about alerts, see [Azure Monitor Log Alerts](../../../azure-monitor/alerts/alerts-log.md).
+
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+- [Known limitations](how-to-prerequisites.md#known-limitations)
+- [Error codes](reference-error-codes.md)
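Review bot: the "Enabling provisioning logs" section contains no enabling step; it only points at Azure Monitor background reading, yet the workbook shows nothing unless the tenant's provisioning logs are being routed to a Log Analytics workspace. Add the actual prerequisite: a diagnostic setting on Azure AD that sends the provisioning logs category to the workspace the workbook reads, and note that data only appears from the point that setting was created. In "Custom queries" the link text "Create and share dashboards of Log Analytics data" points at get-started-queries.md, which is the getting-started-with-log-queries page, not a dashboards page; fix the text or the target. "Custom alerts" names the alerts worth having (failure spikes, delete spikes, no provisioning at all) but gives no query to alert on; one example over the `AADProvisioningLogs` table, for instance `AADProvisioningLogs | where ResultType == "Failure" | summarize count() by bin(TimeGenerated, 1h)`, would make the section actionable, and the "no provisioning at all" case needs a zero-result alert, which is a different alert configuration from a threshold on a count and is worth calling out because a silently stalled sync is the failure mode most likely to go unnoticed. Minor: "can be accessed by select Insights" should read "by selecting Insights", and "see Azure Monitor Workbooks overview" has no link.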
active-directory How To Configure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-configure.md
+
+ Title: 'Azure AD Connect cloud sync new agent configuration'
+description: This article describes how to install cloud sync.
++++++ Last updated : 01/20/2023+++++
+# Create a new configuration for Azure AD Connect cloud sync
+
+The following document will guide you through configuring Azure AD Connect cloud sync.
+
+The following documentation demonstrates the new guided user experience for Azure AD Connect cloud sync. If you are not seeing the images below, you need to select the **Preview features** at the top. You can select this again to revert back to the old experience.
+
+ :::image type="content" source="media/how-to-configure/new-ux-configure-19.png" alt-text="Screenshot of enable preview features." lightbox="media/how-to-configure/new-ux-configure-19.png":::
+
+For additional information and an example of how to configure cloud sync, see the video below.
++
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWKact]
++
+## Configure provisioning
+To configure provisioning, follow these steps.
+
+ 1. In the Azure portal, select **Azure Active Directory**.
+ 2. On the left, select **Azure AD Connect**.
+ 3. On the left, select **Cloud sync**.
+
+ :::image type="content" source="media/how-to-on-demand-provision/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="media/how-to-on-demand-provision/new-ux-1.png":::
+
+ 4. Select **New configuration**.
+ :::image type="content" source="media/how-to-configure/new-ux-configure-1.png" alt-text="Screenshot of adding a configuration." lightbox="media/how-to-configure/new-ux-configure-1.png":::
+ 5. On the configuration screen, select your domain and whether to enable password hash sync. Click **Create**.
+
+ :::image type="content" source="media/how-to-configure/new-ux-configure-2.png" alt-text="Screenshot of a new configuration." lightbox="media/how-to-configure/new-ux-configure-2.png":::
+
+ 6. The **Get started** screen will open. From here, you can continue configuring cloud sync.
+
+ :::image type="content" source="media/how-to-configure/new-ux-configure-3.png" alt-text="Screenshot of the getting started screen." lightbox="media/how-to-configure/new-ux-configure-3.png":::
+
+ 7. The configuration is split in to the following 5 sections.
+
+|Section|Description|
+|--|--|
+|1. Add [scoping filters](#scope-provisioning-to-specific-users-and-groups)|Use this section to define what objects appear in Azure AD|
+|2. Map [attributes](#attribute-mapping)|Use this section to map attributes between your on-premises users/groups with Azure AD objects|
+|3. [Test](#on-demand-provisioning)|Test your configuration before deploying it|
+|4. View [default properties](#accidental-deletions-and-email-notifications)|View the default setting prior to enabling them and make changes where appropriate|
+|5. Enable [your configuration](#enable-your-configuration)|Once ready, enable the configuration and users/groups will begin synchronizing|
+
+ >[!NOTE]
+ > During the configuration process the synchronization service account will be created with the format **ADToAADSyncServiceAccount@[TenantID].onmicrosoft.com** and you may get an error if multi-factor authentication is enabled for the synchronization service account, or other interactive authentication policies are accidentally enabled for the synchronization account. Removing multi-factor authentication or any interactive authentication policies for the synchronization service account should resolve the error and you can complete the configuration smoothly.
++
+## Scope provisioning to specific users and groups
+You can scope the agent to synchronize specific users and groups by using on-premises Active Directory groups or organizational units.
+
+ :::image type="content" source="media/how-to-configure/new-ux-configure-4.png" alt-text="Screenshot of scoping filters icon." lightbox="media/how-to-configure/new-ux-configure-4.png":::
++
+You can't configure groups and organizational units within a configuration.
+ >[!NOTE]
+ > You cannot use nested groups with group scoping. Nested objects beyond the first level will not be included when scoping using security groups. Only use group scope filtering for pilot scenarios as there are limitations to syncing large groups.
+
+ 1. On the **Getting started** configuration screen. Click either **Add scoping filters** next to the **Add scoping filters** icon or on the click **Scoping filters** on the left under **Manage**.
+
+ :::image type="content" source="media/how-to-configure/new-ux-configure-5.png" alt-text="Screenshot of scoping filters." lightbox="media/how-to-configure/new-ux-configure-5.png":::
+
+ 2. Select the scoping filter. The filter can be one of the following:
+ - **All users**: Scopes the configuration to apply to all users that are being synchronized.
+ - **Selected security groups**: Scopes the configuration to apply to specific security groups.
+ - **Selected organizational units**: Scopes the configuration to apply to specific OUs.
+ 3. For security groups and organizational units, supply the appropriate distinguished name and click **Add**.
+ 4. Once your scoping filters are configured, click **Save**.
+ 5. After saving, you should see a message telling you what you still need to do to configure cloud sync. You can click the link to continue.
+ :::image type="content" source="media/how-to-configure/new-ux-configure-16.png" alt-text="Screenshot of the nudge for scoping filters." lightbox="media/how-to-configure/new-ux-configure-16.png":::
+ 7. Once you've changed the scope, you should [restart provisioning](#restart-provisioning) to initiate an immediate synchronization of the changes.
+
+## Attribute mapping
+Azure AD Connect cloud sync allows you to easily map attributes between your on-premises user/group objects and the objects in Azure AD.
+++
+You can customize the default attribute-mappings according to your business needs. So, you can change or delete existing attribute-mappings, or create new attribute-mappings.
++
+After saving, you should see a message telling you what you still need to do to configure cloud sync. You can click the link to continue.
+ :::image type="content" source="media/how-to-configure/new-ux-configure-17.png" alt-text="Screenshot of the nudge for attribute filters." lightbox="media/how-to-configure/new-ux-configure-17.png":::
++
+For more information, see [attribute mapping](how-to-attribute-mapping.md).
+
+## Directory extensions and custom attribute mapping.
+Azure AD Connect cloud sync allows you to extend the directory with extensions and provides for custom attribute mapping. For more information see [Directory extensions and custom attribute mapping](custom-attribute-mapping.md).
+
+## On-demand provisioning
+Azure AD Connect cloud sync allows you to test configuration changes, by applying these changes to a single user or group.
++
+You can use this to validate and verify that the changes made to the configuration were applied properly and are being correctly synchronized to Azure AD.
++
+After testing, you should see a message telling you what you still need to do to configure cloud sync. You can click the link to continue.
+ :::image type="content" source="media/how-to-configure/new-ux-configure-18.png" alt-text="Screenshot of the nudge for testing." lightbox="media/how-to-configure/new-ux-configure-18.png":::
++
+For more information, see [on-demand provisioning](how-to-on-demand-provision.md).
+
+## Accidental deletions and email notifications
+The default properties section provides information on accidental deletions and email notifications.
++
+The accidental delete feature is designed to protect you from accidental configuration changes and changes to your on-premises directory that would affect many users and groups.
+
+This feature allows you to:
+
+- configure the ability to prevent accidental deletes automatically.
+- Set the # of objects (threshold) beyond which the configuration will take effect
+- set up a notification email address so they can get an email notification once the sync job in question is put in quarantine for this scenario
+
+For more information, see [Accidental deletes](how-to-accidental-deletes.md)
+
+Click the **pencil** next to **Basics** to change the defaults in a configuration.
++
+## Enable your configuration
+Once you've finalized and tested your configuration, you can enable it.
++
+Click **Enable configuration** to enable it.
++
+## Quarantines
+Cloud sync monitors the health of your configuration and places unhealthy objects in a quarantine state. If most or all of the calls made against the target system consistently fail because of an error, for example, invalid admin credentials, the sync job is marked as in quarantine. For more information, see the troubleshooting section on [quarantines](how-to-troubleshoot.md#provisioning-quarantined-problems).
+
+## Restart provisioning
+If you don't want to wait for the next scheduled run, trigger the provisioning run by using the **Restart sync** button.
+ 1. In the Azure portal, select **Azure Active Directory**.
+ 2. On the left, select **Azure AD Connect**.
+ 3. On the left, select **Cloud sync**.
+ 4. Under **Configuration**, select your configuration.
+
+ :::image type="content" source="media/how-to-configure/new-ux-configure-14.png" alt-text="Screenshot of restarting sync." lightbox="media/how-to-configure/new-ux-configure-14.png":::
+
+ 5. At the top, select **Restart sync**.
+
+## Remove a configuration
+To delete a configuration, follow these steps.
+
+ 1. In the Azure portal, select **Azure Active Directory**.
+ 2. On the left, select **Azure AD Connect**.
+ 3. On the left, select **Cloud sync**.
+ 4. Under **Configuration**, select your configuration.
+
+ :::image type="content" source="media/how-to-configure/new-ux-configure-15.png" alt-text="Screenshot of deletion." lightbox="media/how-to-configure/new-ux-configure-15.png":::
+
+ 5. At the top of the configuration screen, select **Delete configuration**.
+
+>[!IMPORTANT]
+>There's no confirmation prior to deleting a configuration. Make sure this is the action you want to take before you select **Delete**.
++
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
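Review bot: the note under the configuration table tells the reader to remove multi-factor authentication "or any interactive authentication policies" from ADToAADSyncServiceAccount@[TenantID].onmicrosoft.com without saying how narrowly to do it; as written it invites excluding the account from every Conditional Access policy or relaxing MFA more broadly. Say what the account is (a cloud account created automatically for the sync job), that the exclusion should be scoped to that one account in the specific policies that block it rather than by weakening the policies, and that the account should not be granted roles beyond what the configuration creates it with. Elsewhere: "You can't configure groups and organizational units within a configuration" is ambiguous; it presumably means a single configuration cannot combine security-group and OU scoping, so say that. The scoping-filter step list jumps from step 5 to step 7. Under "Remove a configuration" the important note that there is no confirmation prompt is worth keeping, but it should also say what happens to objects already synchronized by that configuration, since that is what a reader deciding to delete needs to know; if that behaviour is documented elsewhere, link it. Minor: "split in to" should be "split into", and the "View default properties" row should read "View the default settings before enabling them".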
active-directory How To Expression Builder https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-expression-builder.md
+
+ Title: 'Use the expression builder with Azure AD Connect cloud sync'
+description: This article describes how to use the expression builder with cloud sync.
++++++ Last updated : 01/11/2023+++++
+# Expression builder with cloud sync
+The expression builder is a new function in Azure located under cloud sync. It helps you build complex expressions. You can use it to test these expressions before you apply them to your cloud sync environment.
+
+## Use the expression builder
+To access the expression builder:
+
+ 1. In the Azure portal, select **Azure Active Directory**.
+ 1. Select **Azure AD Connect**.
+ 1. Select **Manage cloud sync**.
+ 1. Under **Configuration**, select your configuration.
+ 1. Under **Manage attributes**, select **Click to edit mappings**.
+ 1. On the **Edit attribute mappings** pane, select **Add attribute mapping**.
+ 1. Under **Mapping type**, select **Expression**.
+ 1. Select **Try the expression builder (Preview)**.
+
+ ![Screenshot that shows using expression builder.](media/how-to-expression-builder/expression-1.png)
+
+## Build an expression
+In this section, you use the dropdown list to select from supported functions. Then you fill in more boxes, depending on the function selected. After you select **Apply expression**, the syntax appears in the **Expression input** box.
+
+For example, by selecting **Replace** from the dropdown list, more boxes are provided. The syntax for the function is displayed in the light blue box. The boxes that are displayed correspond to the syntax of the function you selected. Replace works differently depending on the parameters provided.
+
+For this example, when **oldValue** and **replacementValue** are provided, all occurrences of **oldValue** are replaced in the source with **replacementValue**.
+
+For more information, see [Replace](reference-expressions.md#replace).
+
+The first thing you need to do is select the attribute that's the source for the replace function. In this example, the **mail** attribute is selected.
+
+Next, find the box for **oldValue** and enter **@fabrikam.com**. Finally, in the box for **replacementValue**, fill in the value **@contoso.com**.
+
+The expression basically says, replace the mail attribute on user objects that have a value of @fabrikam.com with the @contoso.com value. When you select **Add expression**, you can see the syntax in the **Expression input** box.
+
+>[!NOTE]
+>Be sure to place the values in the boxes that would correspond with **oldValue** and **replacementValue** based on the syntax that occurs when you've selected **Replace**.
+
+For more information on supported expressions, see [Writing expressions for attribute mappings in Azure Active Directory](reference-expressions.md).
+
+### Information on expression builder input boxes
+Depending on which function you selected, the boxes provided by the expression builder will accept multiple values. For example, the JOIN function will accept strings or the value that's associated with a given attribute. For example, we can use the value contained in the attribute value of **[givenName]** and join it with a string value of **@contoso.com** to create an email address.
+
+ ![Screenshot that shows input box values.](media/how-to-expression-builder/expression-8.png)
+
+For more information on acceptable values and how to write expressions, see [Writing expressions for attribute mappings in Azure Active Directory](reference-expressions.md).
+
+## Test an expression
+In this section, you can test your expressions. From the dropdown list, select the **mail** attribute. Fill in the value with **@fabrikam.com**, and select **Test expression**.
+
+The value **@contoso.com** appears in the **View expression output** box.
+
+ ![Screenshot that shows testing your expression.](media/how-to-expression-builder/expression-4.png)
+
+## Deploy the expression
+After you're satisfied with the expression, select **Apply expression**.
+
+![Screenshot that shows adding your expression.](media/how-to-expression-builder/expression-5.png)
+
+This action adds the expression to the agent configuration.
+
+![Screenshot that shows agent configuration.](media/how-to-expression-builder/expression-6.png)
+
+## Set a NULL value on an expression
+To set an attribute's value to NULL, use an expression with the value of `""`. This expression will flow the NULL value to the target attribute.
+
+![Screenshot that shows a NULL value.](media/how-to-expression-builder/expression-7.png)
++
+## Next steps
+
+- [Writing expressions for attribute mappings in Azure Active Directory](reference-expressions.md)
+- [Cloud sync configuration](how-to-configure.md)
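Review bot: the Replace walkthrough describes the result as replacing "the mail attribute on user objects that have a value of @fabrikam.com", but what Replace with oldValue and replacementValue does, as the preceding paragraph correctly says, is substitute every occurrence of the substring @fabrikam.com inside the mail value, so alice@fabrikam.com becomes alice@contoso.com; the "Test an expression" section only shows "@contoso.com" because the test input is the bare suffix. Use a full address as the test input so readers see the local part survive, and state explicitly that this is a substring replacement. The button is called "Apply expression" in "Build an expression" and "Deploy the expression" but "Add expression" in the Replace walkthrough; pick one. The navigation path here ("Manage cloud sync", "Manage attributes", "Click to edit mappings") does not match the path in how-to-configure.md in this same change ("Cloud sync", then the configuration); the two articles describe the same portal and should agree. The NULL section should warn that flowing `""` clears whatever value the target attribute currently holds in Azure AD on the next sync, so it is a destructive mapping rather than a no-op.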
active-directory How To Gmsa Cmdlets https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-gmsa-cmdlets.md
+
+ Title: 'Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets'
+description: Learn how to use the Azure AD Connect cloud provisioning agent gMSA powershell cmdlets.
++++++ Last updated : 01/11/2023+++++
+# Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets
+
+The purpose of this document is to describe the Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets. These cmdlets allow you to have more granularity on the permissions that are applied on the service account (gMSA). By default, Azure AD Connect cloud sync applies all permissions similar to Azure AD Connect on the default gMSA or a custom gMSA, during cloud provisioning agent install.
+
+This document will cover the following cmdlets:
+
+`Set-AADCloudSyncPermissions`
+
+`Set-AADCloudSyncRestrictedPermissions`
+
+## How to use the cmdlets:
+
+The following prerequisites are required to use these cmdlets.
+
+1. Install provisioning agent.
+
+2. Import Provisioning Agent PS module into a PowerShell session.
+
+ ```powershell
+ Import-Module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.Powershell.dll"
+ ```
+
+3. These cmdlets require a parameter called `Credential` which can be passed, or will prompt the user if not provided in the command line. Depending on the cmdlet syntax used, these credentials must be an enterprise admin account or, at a minimum, a domain administrator of the target domain where you're setting the permissions.
+
+4. To create a variable for credentials, use:
+
+ `$credential = Get-Credential`
+
+5. To set Active Directory permissions for cloud provisioning agent, you can use the following cmdlet. This will grant permissions in the root of the domain allowing the service account to manage on-premises Active Directory objects. See [Using Set-AADCloudSyncPermissions](#using-set-aadcloudsyncpermissions) below for examples on setting the permissions.
+
+ `Set-AADCloudSyncPermissions -EACredential $credential`
+
+6. To restrict Active Directory permissions set by default on the cloud provisioning agent account, you can use the following cmdlet. This will increase the security of the service account by disabling permission inheritance and removing all existing permissions, except SELF and Full Control for administrators. See [Using Set-AADCloudSyncRestrictedPermission](#using-set-aadcloudsyncrestrictedpermissions) below for examples on restricting the permissions.
+
+ `Set-AADCloudSyncRestrictedPermission -Credential $credential`
+
+## Using Set-AADCloudSyncPermissions
+
+`Set-AADCloudSyncPermissions` supports the following permission types which are identical to the permissions used by Azure AD Connect Classic Sync (ADSync). The following permission types are supported:
+
+|Permission type|Description|
+|--|--|
+|BasicRead| See [BasicRead](../connect/how-to-connect-configure-ad-ds-connector-account.md#configure-basic-read-only-permissions) permissions for Azure AD Connect|
+|PasswordHashSync|See [PasswordHashSync](../connect/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-password-hash-synchronization) permissions for Azure AD Connect|
+|PasswordWriteBack|See [PasswordWriteBack](../connect/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-password-writeback) permissions for Azure AD Connect|
+|HybridExchangePermissions|See [HybridExchangePermissions](../connect/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-exchange-hybrid-deployment) permissions for Azure AD Connect|
+|ExchangeMailPublicFolderPermissions| See [ExchangeMailPublicFolderPermissions](../connect/how-to-connect-configure-ad-ds-connector-account.md#permissions-for-exchange-mail-public-folders) permissions for Azure AD Connect|
+|CloudHR| Applies 'Create/delete User objects' on 'This object and all descendant objects'|
+|All| Applies all the above permissions|
+
+You can use AADCloudSyncPermissions in one of two ways:
+- [Grant permissions to all configured domains](#grant-permissions-to-all-configured-domains)
+- [Grant permissions to a specific domain](#grant-permissions-to-a-specific-domain)
+
+## Grant permissions to all configured domains
+
+Granting certain permissions to all configured domains will require the use of an enterprise admin account.
+
+```powershell
+$credential = Get-Credential
+Set-AADCloudSyncPermissions -PermissionType "Any mentioned above" -EACredential $credential
+```
+
+## Grant permissions to a specific domain
+
+Granting certain permissions to a specific domain will require the use of a TargetDomainCredential that is enterprise admin or, domain admin of the target domain. The TargetDomain has to be already configured through wizard.
+
+```powershell
+$credential = Get-Credential
+Set-AADCloudSyncPermissions -PermissionType "Any mentioned above" -TargetDomain "FQDN of domain" -TargetDomainCredential $credential
+```
+
+## Using Set-AADCloudSyncRestrictedPermissions
+For increased security, `Set-AADCloudSyncRestrictedPermissions` will tighten the permissions set on the cloud provisioning agent account itself. Hardening permissions on the cloud provisioning agent account involves the following changes:
+
+- Disable inheritance
+- Remove all default permissions, except ACEs specific to SELF.
+- Set Full Control permissions for SYSTEM, Administrators, Domain Admins, and Enterprise Admins.
+- Set Read permissions for Authenticated Users and Enterprise Domain Controllers.
+
+ The -Credential parameter is necessary to specify the Administrator account that has the necessary privileges to restrict Active Directory permissions on the cloud provisioning agent account. This is typically the domain or enterprise administrator.
+
+For Example:
+
+``` powershell
+$credential = Get-Credential
+Set-AADCloudSyncRestrictedPermissions -Credential $credential
+```
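Review bot: the least-privilege guidance is undercut by the examples: step 5 shows `Set-AADCloudSyncPermissions -EACredential $credential` with no `-PermissionType`, while both worked examples require it, and the placeholder "Any mentioned above" suggests passing several types at once without saying whether the parameter takes one value or a list. State the parameter's cardinality and show a realistic narrow call, for instance `Set-AADCloudSyncPermissions -PermissionType BasicRead -EACredential $credential` followed by a second call for PasswordHashSync, rather than only "All", since granting "All" at the domain root (including PasswordWriteBack and CloudHR create/delete) to a sync account is exactly what these cmdlets exist to avoid. The restricted-permissions description is internally inconsistent: step 6 says everything except SELF and Full Control for administrators is removed, but the "Using Set-AADCloudSyncRestrictedPermissions" list also keeps Read for Authenticated Users and Enterprise Domain Controllers; the bullet list is the more precise one, so step 6 should match it. The cmdlet name appears as both `Set-AADCloudSyncRestrictedPermission` (step 6 and its anchor text) and `Set-AADCloudSyncRestrictedPermissions` (heading and final example); only one can be the real cmdlet. "You can use AADCloudSyncPermissions" is missing the `Set-` prefix. Finally, make the scope of the two cmdlets explicit: step 5 grants rights to the gMSA on the domain root, while the restricted-permissions cmdlet hardens the ACL on the gMSA's own account object; the second does not reduce the rights granted by the first, and readers should not come away thinking one cmdlet undoes the other.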
active-directory How To Inbound Synch Ms Graph https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-inbound-synch-ms-graph.md
+
+ Title: 'How to programmatically configure cloud sync using MS Graph API'
+description: This topic describes how to enable inbound synchronization using just the Graph API
++++++ Last updated : 01/11/2023+++++
+# How to programmatically configure cloud sync using MS Graph API
+
+The following document describes how to replicate a synchronization profile from scratch using only MSGraph APIs.
+The structure of how to do this consists of the following steps. They are:
+
+- [How to programmatically configure cloud sync using MS Graph API](#how-to-programmatically-configure-cloud-sync-using-ms-graph-api)
+ - [Basic setup](#basic-setup)
+ - [Enable tenant flags](#enable-tenant-flags)
+ - [Create service principals](#create-service-principals)
+ - [Create sync job](#create-sync-job)
+ - [Update targeted domain](#update-targeted-domain)
+ - [Enable Sync password hashes on configuration blade](#enable-sync-password-hashes-on-configuration-blade)
+ - [Accidental deletes](#accidental-deletes)
+ - [Enabling and setting the threshold](#enabling-and-setting-the-threshold)
+ - [Allowing deletes](#allowing-deletes)
+ - [Start sync job](#start-sync-job)
+ - [Review status](#review-status)
+ - [Next steps](#next-steps)
+
+Use these [Microsoft Azure Active Directory Module for Windows PowerShell](/powershell/module/msonline/) commands to enable synchronization for a production tenant, a prerequisite for being able to call the Administration Web Service for that tenant.
+
+## Basic setup
+
+### Enable tenant flags
+
+```powershell
+Connect-MsolService ('-AzureEnvironment <AzureEnvironmnet>')
+ Set-MsolDirSyncEnabled -EnableDirSync $true
+```
+
+The first of those two commands, require Azure Active Directory credentials. These cmdlets implicitly identify the tenant and enable it for synchronization.
+
+## Create service principals
+
+Next, we need to create the [AD2AAD application/ service principal](/graph/api/applicationtemplate-instantiate)
+
+You need to use this application ID 1a4721b3-e57f-4451-ae87-ef078703ec94. The displayName is the AD domain URL, if used in the portal (for example, contoso.com), but it may be named something else.
+
+```
+POST https://graph.microsoft.com/beta/applicationTemplates/1a4721b3-e57f-4451-ae87-ef078703ec94/instantiate
+Content-type: application/json
+{
+ displayName: [your app name here]
+}
+```
+
+## Create sync job
+
+The output of the above command returns the objectId of the service principal that was created. For this example, the objectId is 614ac0e9-a59b-481f-bd8f-79a73d167e1c. Use Microsoft Graph to add a synchronizationJob to that service principal.
+
+Documentation for creating a sync job can be found [here](/graph/api/synchronization-synchronizationjob-post?tabs=http&view=graph-rest-beta&preserve-view=true).
+
+If you did not record the ID above, you can find the service principal by running the following MS Graph call. You'll need Directory.Read.All permissions to make that call:
+
+`GET https://graph.microsoft.com/beta/servicePrincipals`
+
+Then look for your app name in the output.
+
+Run the following two commands to create two jobs: one for user/group provisioning, and one for password hash syncing. It's the same request twice but with different template IDs.
+
+Call the following two requests:
+
+```
+POST https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs
+Content-type: application/json
+{
+"templateId":"AD2AADProvisioning"
+}
+```
+
+```
+POST https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs
+Content-type: application/json
+{
+"templateId":"AD2AADPasswordHash"
+}
+```
+
+You need two calls if you want to create both.
+
+Example return value (for provisioning):
+
+```
+HTTP 201/Created
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals('614ac0e9-a59b-481f-bd8f-79a73d167e1c')/synchronization/jobs/$entity",
+ "id": "AD2AADProvisioning.fc96887f36da47508c935c28a0c0b6da",
+ "templateId": "ADDCInPassthrough",
+ "schedule": {
+ "expiration": null,
+ "interval": "PT40M",
+ "state": "Disabled"
+ },
+ "status": {
+ "countSuccessiveCompleteFailures": 0,
+ "escrowsPruned": false,
+ "code": "Paused",
+ "lastExecution": null,
+ "lastSuccessfulExecution": null,
+ "lastSuccessfulExecutionWithExports": null,
+ "quarantine": null,
+ "steadyStateFirstAchievedTime": "0001-01-01T00:00:00Z",
+ "steadyStateLastAchievedTime": "0001-01-01T00:00:00Z",
+ "troubleshootingUrl": null,
+ "progress": [],
+ "synchronizedEntryCountByType": []
+ }
+}
+```
+
+## Update targeted domain
+
+For this tenant, the object identifier and application identifier of the service principal are as follows:
+
+ObjectId: 8895955e-2e6c-4d79-8943-4d72ca36878f
+AppId: 00000014-0000-0000-c000-000000000000
+DisplayName: testApp
+
+We're going to need to update the domain this configuration is targeting, so update the secrets for this domain.
+
+Make sure the domain name you use is the same URL you set for your on-premises domain controller.
+
+```
+PUT ΓÇô https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/secrets
+```
+
+Add the following key/value pair in the below value array based on what you're trying to do:
+
+- Enable both PHS and sync tenant flags
+ { key: "AppKey", value: "{"appKeyScenario":"AD2AADPasswordHash"}" }
+
+- Enable only sync tenant flag (do not turn on PHS)
+ { key: "AppKey", value: "{"appKeyScenario":"AD2AADProvisioning"}" }
+
+```
+Request body ΓÇô
+{
+ "value": [
+ {
+ "key": "Domain",
+ "value": "{\"domain\":\"ad2aadTest.com\"}"
+ }
+ ]
+}
+```
+
+The expected response is …
+HTTP 204/No content
+
+Here, the highlighted "Domain" value is the name of the on-premises Active Directory domain from which entries are to be provisioned to Azure Active Directory.
+
+## Enable Sync password hashes on configuration blade
+
+ This section covers enabling syncing password hashes for a particular configuration. This is different than the AppKey secret that enables the tenant-level feature flag - this is only for a single domain/config. You need to set the application key to the PHS one for this to work end to end.
+
+1. Grab the schema (warning, it's pretty large):
+
+ ```
+ GET ΓÇôhttps://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs/ [AD2AADProvisioningJobId]/schema
+ ```
+
+2. Take this CredentialData attribute mapping:
+
+ ```
+ {
+ "defaultValue": null,
+ "exportMissingReferences": false,
+ "flowBehavior": "FlowWhenChanged",
+ "flowType": "Always",
+ "matchingPriority": 0,
+ "targetAttributeName": "CredentialData",
+ "source": {
+ "expression": "[PasswordHash]",
+ "name": "PasswordHash",
+ "type": "Attribute",
+ "parameters": []
+ }
+ ```
+
+3. Find the following object mappings with the following names in the schema
+ - Provision Active Directory Users
+ - Provision Active Directory inetOrgPersons
+
+ Object mappings are within the schema.synchronizationRules[0].objectMappings (For now you can assume there's only one Synchronization Rule)
+
+4. Take the CredentialData Mapping from Step (2) and insert it into the object mappings in Step (3)
+
+ Your object mapping looks something like this:
+
+ ```
+ {
+ "enabled": true,
+ "flowTypes": "Add,Update,Delete",
+ "name": "Provision Active Directory users",
+ "sourceObjectName": "user",
+ "targetObjectName": "User",
+ "attributeMappings": [
+ ...
+ }
+ ```
+
+ Copy/paste the mapping from the **Create AD2AADProvisioning and AD2AADPasswordHash jobs** step above into the attributeMappings array.
+
+ Order of elements in this array doesn't matter (the backend sorts for you). Be careful about adding this attribute mapping if the name exists already in the array (e.g. if there's already an item in attributeMappings that has the targetAttributeName CredentialData) - you may get conflict errors, or the pre-existing and new mappings may be combined together (usually not desired outcome). Backend does not dedupe for you.
+
+ Remember to do this for both Users and inetOrgpersons.
+
+5. Save the schema you've created:
+
+ ```
+ PUT ΓÇô
+ https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs/ [AD2AADProvisioningJobId]/schema
+ ```
+
+Add the Schema in the request body.
+
+## Accidental deletes
+
+This section covers how to programmatically enable/disable and use [accidental deletes](how-to-accidental-deletes.md) programmatically.
+
+### Enabling and setting the threshold
+
+There are two per job settings that you can use, they are:
+
+- DeleteThresholdEnabled - Enables accidental delete prevention for the job when set to 'true'. Set to 'true' by default.
+- DeleteThresholdValue - Defines the maximum number of deletes that is allowed in each execution of the job when accidental deletes prevention is enabled. The value is set to 500 by default. So, if the value is set to 500, the maximum number of deletes allowed is 499 in each execution.
+
+The delete threshold settings are a part of the `SyncNotificationSettings` and can be modified via graph.
+
+We're going to need to update the SyncNotificationSettings this configuration is targeting, so update the secrets.
+
+```
+PUT ΓÇô https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/secrets
+```
+
+Add the following Key/value pair in the below value array based on what you're trying to do:
+
+```
+Request body -
+{
+ "value":[
+ {
+ "key":"SyncNotificationSettings",
+ "value": "{\"Enabled\":true,\"Recipients\":\"foobar@xyz.com\",\"DeleteThresholdEnabled\":true,\"DeleteThresholdValue\":50}"
+ }
+ ]
+}
+```
+
+The "Enabled" setting in the example is for enabling/disabling notification emails when the job is quarantined.
+
+Currently, we do not support PATCH requests for secrets, so you need to add all the values in the body of the PUT request(like in the example) in order to preserve the other values.
+
+The existing values for all the secrets can be retrieved by using:
+
+```
+GET https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/secrets
+```
+
+### Allowing deletes
+
+To allow these deletes to flow through after the job goes into quarantine, you need to issue a restart with just "ForceDeletes" as the scope.
+
+```
+Request:
+POST https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/jobs/{jobId}/restart
+```
+
+```
+Request Body:
+{
+ "criteria": {"resetScope": "ForceDeletes"}
+}
+```
+
+## Start sync job
+
+The job can be retrieved again via the following command:
+
+ `GET https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs/`
+
+Documentation for retrieving jobs can be found [here](/graph/api/synchronization-synchronizationjob-list?tabs=http&view=graph-rest-beta&preserve-view=true).
+
+To start the job, issue this request, using the objectId of the service principal created in the first step, and the job identifier returned from the request that created the job.
+
+Documentation for how to start a job can be found [here](/graph/api/synchronization-synchronizationjob-start?tabs=http&view=graph-rest-beta&preserve-view=true).
+
+```
+POST https://graph.microsoft.com/beta/servicePrincipals/8895955e-2e6c-4d79-8943-4d72ca36878f/synchronization/jobs/AD2AADProvisioning.fc96887f36da47508c935c28a0c0b6da/start
+```
+
+The expected response is …
+HTTP 204/No content.
+
+Other commands for controlling the job are documented [here](/graph/api/resources/synchronization-synchronizationjob?view=graph-rest-beta&preserve-view=true).
+
+To restart a job, use:
+
+```
+POST https://graph.microsoft.com/beta/servicePrincipals/8895955e-2e6c-4d79-8943-4d72ca36878f/synchronization/jobs/AD2AADProvisioning.fc96887f36da47508c935c28a0c0b6da/restart
+{
+ "criteria": {
+ "resetScope": "Full"
+ }
+}
+```
+
+## Review status
+
+Retrieve your job statuses via:
+
+```
+GET https://graph.microsoft.com/beta/servicePrincipals/[SERVICE_PRINCIPAL_ID]/synchronization/jobs/
+```
+
+Look under the 'status' section of the return object for relevant details
+
+## Next steps
+
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+- [Transformations](how-to-transformation.md)
+- [Azure AD Synchronization API](/graph/api/resources/synchronization-overview?view=graph-rest-beta&preserve-view=true)
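Review bot: The example return value shows `"templateId": "ADDCInPassthrough"`, which does not match the request it illustrates (`"templateId":"AD2AADProvisioning"`) or the returned `id` that starts with `AD2AADProvisioning.`; the sample response should carry the same template identifier. Several other details in this region will trip a reader who pastes them: the AppKey pairs `{ key: "AppKey", value: "{"appKeyScenario":"AD2AADPasswordHash"}" }` are not valid JSON and should escape the nested quotes the way the Domain example does (`"{\"domain\":\"ad2aadTest.com\"}"`), and the request body that follows contains only the Domain entry although the text says to add the AppKey pair to that same value array; the CredentialData mapping in step 2 is missing its closing brace; the two schema URLs contain a space before `[AD2AADProvisioningJobId]`; the `ΓÇô` sequences in the PUT and GET lines are mis-encoded en dashes; and step 4 points to "the **Create AD2AADProvisioning and AD2AADPasswordHash jobs** step above" when the mapping to paste is the one in step 2. "Here, the highlighted "Domain" value" refers to highlighting that a fenced block cannot show. Two operational points are worth adding: the "PATCH is not supported, PUT replaces all secrets" caveat in the accidental deletes section applies equally to the earlier PUT on `/synchronization/secrets` for Domain and AppKey, so a reader should GET the existing secrets before either update; and under "Allowing deletes" it would help to state that a `ForceDeletes` restart releases every delete the threshold held back, so the cause of the quarantine should be reviewed before issuing it.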
active-directory How To Install Pshell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-install-pshell.md
+
+ Title: 'Install the Azure AD Connect cloud provisioning agent using a command-line interface (CLI) and PowerShell'
+description: Learn how to install the Azure AD Connect cloud provisioning agent by using PowerShell cmdlets.
++++++ Last updated : 01/11/2023++++++
+# Install the Azure AD Connect provisioning agent by using a CLI and PowerShell
+This article shows you how to install the Azure Active Directory (Azure AD) Connect provisioning agent by using PowerShell cmdlets.
+
+>[!NOTE]
+>This article deals with installing the provisioning agent by using the command-line interface (CLI). For information on how to install the Azure AD Connect provisioning agent by using the wizard, see [Install the Azure AD Connect provisioning agent](how-to-install.md).
+
+## Prerequisite
+
+The Windows server must have TLS 1.2 enabled before you install the Azure AD Connect provisioning agent by using PowerShell cmdlets. To enable TLS 1.2, follow the steps in [Prerequisites for Azure AD Connect cloud sync](how-to-prerequisites.md#tls-requirements).
+
+>[!IMPORTANT]
+>The following installation instructions assume that all the [prerequisites](how-to-prerequisites.md) were met.
+
+## Install the Azure AD Connect provisioning agent by using PowerShell cmdlets
+
+ 1. Sign in to the server you use with enterprise admin permissions.
+ 2. Sign in to the Azure portal, and then go to **Azure Active Directory**.
+ 3. On the menu on the left, select **Azure AD Connect**.
+ 4. Select **Manage cloud sync**.
+ [![Screenshot that shows manage cloud sync](media/how-to-install/new-install-1.png)](media/how-to-install/new-install-1.png#lightbox)</br>
+ 5. At the top, click **Download agent**.
+ [![Screenshot that the download agent](media/how-to-install/new-install-2.png)](media/how-to-install/new-install-2.png#lightbox)</br>
+ 6. On the right, click **Accept terms and download**.
+ 7. For the purposes of these instructions, the agent was downloaded to the C:\temp folder.
+ 8. Install ProvisioningAgent in quiet mode.
+ ```
+ $installerProcess = Start-Process 'c:\temp\AADConnectProvisioningAgentSetup.exe' /quiet -NoNewWindow -PassThru
+ $installerProcess.WaitForExit()
+
+ ```
+ 9. Import the Provisioning Agent PS module.
+ ```
+ Import-Module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Microsoft.CloudSync.PowerShell.dll"
+ ```
+ 10. Connect to Azure AD by using an account with the hybrid identity role. You can customize this section to fetch a password from a secure store.
+ ```
+ $hybridAdminPassword = ConvertTo-SecureString -String "Hybrid identity admin password" -AsPlainText -Force
+
+ $hybridAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("HybridIDAdmin@contoso.onmicrosoft.com", $hybridAdminPassword)
+
+ Connect-AADCloudSyncAzureAD -Credential $hybridAdminCreds
+ ```
+ 11. Add the gMSA account, and provide credentials of the domain admin to create the default gMSA account.
+ ```
+ $domainAdminPassword = ConvertTo-SecureString -String "Domain admin password" -AsPlainText -Force
+
+ $domainAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("DomainName\DomainAdminAccountName", $domainAdminPassword)
+
+ Add-AADCloudSyncGMSA -Credential $domainAdminCreds
+ ```
+ 12. Or use the preceding cmdlet to provide a precreated gMSA account.
+ ```
+ Add-AADCloudSyncGMSA -CustomGMSAName preCreatedGMSAName$
+ ```
+ 13. Add the domain.
+ ```
+ $contosoDomainAdminPassword = ConvertTo-SecureString -String "Domain admin password" -AsPlainText -Force
+
+ $contosoDomainAdminCreds = New-Object System.Management.Automation.PSCredential -ArgumentList ("DomainName\DomainAdminAccountName", $contosoDomainAdminPassword)
+
+ Add-AADCloudSyncADDomain -DomainName contoso.com -Credential $contosoDomainAdminCreds
+ ```
+ 14. Or use the preceding cmdlet to configure preferred domain controllers.
+ ```
+ $preferredDCs = @("PreferredDC1", "PreferredDC2", "PreferredDC3")
+
+ Add-AADCloudSyncADDomain -DomainName contoso.com -Credential $contosoDomainAdminCreds -PreferredDomainControllers $preferredDCs
+ ```
+ 15. Repeat the previous step to add more domains. Provide the account names and domain names of the respective domains.
+ 16. Restart the service.
+ ```
+ Restart-Service -Name AADConnectProvisioningAgent
+ ```
+ 17. Go to the Azure portal to create the cloud sync configuration.
+
+## Provisioning agent gMSA PowerShell cmdlets
+Now that you've installed the agent, you can apply more granular permissions to the gMSA. For information and step-by-step instructions on how to configure the permissions, see [Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets](how-to-gmsa-cmdlets.md).
+
+## Installing against US government cloud
+By default, the Azure Active Directory (Azure AD) Connect provisioning agent installs against the default Azure cloud environment. If you are installing the agent for use in the US government cloud do the following:
+
+- In step #8, add **ENVIRONMENTNAME=AzureUSGovernment** to the command line like the example.
+ ```
+ $installerProcess = Start-Process -FilePath "c:\temp\AADConnectProvisioningAgent.Installer.exe" -ArgumentList "/quiet ENVIRONMENTNAME=AzureUSGovernment" -NoNewWindow -PassThru
+ $installerProcess.WaitForExit()
+ ```
+
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [Azure AD Connect cloud provisioning agent gMSA PowerShell cmdlets](how-to-gmsa-cmdlets.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
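Review bot: The US government example runs `c:\temp\AADConnectProvisioningAgent.Installer.exe` while step 8, which it tells the reader to modify, runs `c:\temp\AADConnectProvisioningAgentSetup.exe`; one of the two file names is wrong, and the example should use the same file name and parameter style as step 8 so that "add ENVIRONMENTNAME=AzureUSGovernment to the command line" is a one-line change. Steps 10, 11 and 13 embed hybrid identity administrator and domain administrator passwords as string literals through `ConvertTo-SecureString -String "..." -AsPlainText -Force`; the sample would be safer showing `Get-Credential` (as the companion how-to-install article does for `Set-AADCloudSyncPasswordWritebackConfiguration`) or a concrete pointer to the secure-store retrieval the text mentions, rather than a pattern that lands in shell history and transcripts. Minor: the alt text "Screenshot that the download agent" is missing a word, and step 1 asks for "enterprise admin permissions" where the prerequisites article accepts domain administrator or enterprise administrator credentials.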
active-directory How To Install https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-install.md
+
+ Title: 'Install the Azure AD Connect provisioning agent'
+description: Learn how to install the Azure AD Connect provisioning agent and how to configure it in the Azure portal.
++++++ Last updated : 01/20/2023+++++
+# Install the Azure AD Connect provisioning agent
+
+This article walks you through the installation process for the Azure Active Directory (Azure AD) Connect provisioning agent and how to initially configure it in the Azure portal.
+
+> [!IMPORTANT]
+> The following installation instructions assume that you've met all the [prerequisites](how-to-prerequisites.md).
+
+>[!NOTE]
+>This article deals with installing the provisioning agent by using the wizard. For information about installing the Azure AD Connect provisioning agent by using a CLI, see [Install the Azure AD Connect provisioning agent by using a CLI and PowerShell](how-to-install-pshell.md).
+
+For more information and an example, view the following video:
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWK5mR]
+
+## Group Managed Service Accounts
+A group Managed Service Account (gMSA) is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, and the ability to delegate the management to other administrators. A gMSA also extends this functionality over multiple servers. Azure AD Connect cloud sync supports and recommends the use of a gMSA for running the agent. For more information, see [Group Managed Service Accounts](how-to-prerequisites.md#group-managed-service-accounts).
++
+### Update an existing agent to use the gMSA
+To update an existing agent to use the Group Managed Service Account created during installation, upgrade the agent service to the latest version by running *AADConnectProvisioningAgent.msi*. Now run through the installation wizard again and provide the credentials to create the account when you're prompted to do so.
+
+## Install the agent
++
+## Verify the agent installation
++
+>[!IMPORTANT]
+> After you've installed the agent, you must configure and enable it before it will start synchronizing users. To configure a new agent, see [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md).
+
+## Enable password writeback in Azure AD Connect cloud sync
+
+To use *password writeback* and enable the self-service password reset (SSPR) service to detect the cloud sync agent, use the `Set-AADCloudSyncPasswordWritebackConfiguration` cmdlet and the tenantΓÇÖs global administrator credentials:
+
+ ```
+ Import-Module "C:\\Program Files\\Microsoft Azure AD Connect Provisioning Agent\\Microsoft.CloudSync.Powershell.dll"
+ Set-AADCloudSyncPasswordWritebackConfiguration -Enable $true -Credential $(Get-Credential)
+ ```
+
+For more information about using password writeback with Azure AD Connect cloud sync, see [Tutorial: Enable cloud sync self-service password reset writeback to an on-premises environment (preview)](../../../active-directory/authentication/tutorial-enable-cloud-sync-sspr-writeback.md).
+
+## Install an agent in the US government cloud
+
+By default, the Azure AD Connect provisioning agent is installed in the default Azure environment. If you're installing the agent for US government use, make this change in step 7 of the preceding installation procedure:
+
+- Instead of selecting **Open file**, select **Start** > **Run**, and then go to the *AADConnectProvisioningAgentSetup.exe* file. In the **Run** box, after the executable, enter **ENVIRONMENTNAME=AzureUSGovernment**, and then select **OK**.
+
+ [![Screenshot that shows how to install an agent in the US government cloud.](media/how-to-install/new-install-12.png)](media/how-to-install/new-install-12.png#lightbox)
+
+## Password hash synchronization and FIPS with cloud sync
+
+If your server has been locked down according to the Federal Information Processing Standard (FIPS), MD5 (message-digest algorithm 5) is disabled.
+
+To enable MD5 for password hash synchronization, do the following:
+
+1. Go to %programfiles%\Microsoft Azure AD Connect Provisioning Agent.
+1. Open *AADConnectProvisioningAgent.exe.config*.
+1. Go to the configuration/runtime node at the top of the file.
+1. Add the `<enforceFIPSPolicy enabled="false"/>` node.
+1. Save your changes.
+
+For reference, your code should look like the following snippet:
+
+```xml
+<configuration>
+ <runtime>
+ <enforceFIPSPolicy enabled="false"/>
+ </runtime>
+</configuration>
+```
+
+For information about security and FIPS, see [Azure AD password hash sync, encryption, and FIPS compliance](https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/aad-password-sync-encryption-and-fips-compliance/ba-p/243709).
+
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+- [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md).
+
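Review bot: The "Install the agent" and "Verify the agent installation" headings have no body in this version (only stray `+` lines where included content presumably sat), yet the US government section tells the reader to change "step 7 of the preceding installation procedure"; if those sections are include files, the includes need restoring, otherwise the step reference dangles. In the password writeback snippet, `Import-Module "C:\\Program Files\\Microsoft Azure AD Connect Provisioning Agent\\Microsoft.CloudSync.Powershell.dll"` uses doubled backslashes inside a PowerShell double-quoted string, where backslash is not an escape character; the companion article spells the same path with single backslashes, which is what should appear here. The installer is named *AADConnectProvisioningAgent.msi* under "Update an existing agent" but *AADConnectProvisioningAgentSetup.exe* in the US government section, and `tenantΓÇÖs` is a mis-encoded apostrophe. For the FIPS section, it is worth stating that `<enforceFIPSPolicy enabled="false"/>` in *AADConnectProvisioningAgent.exe.config* relaxes FIPS enforcement only for the agent process that reads that file, so readers do not take it for a machine-wide change; "your code should look like the following snippet" describes a configuration file, not code.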
active-directory How To Manage Registry Options https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-manage-registry-options.md
+
+ Title: 'Azure AD Connect cloud provisioning agent: Manage registry options'
+description: This article describes how to manage registry options in the Azure AD Connect cloud provisioning agent.
+
+documentationcenter: ''
++
+editor: ''
++
+ na
+ Last updated : 04/03/2023++++++
+# Manage agent registry options
+
+This section describes registry options that you can set to control the runtime processing behavior of the Azure AD Connect provisioning agent.
+
+## Configure LDAP connection timeout
+When performing LDAP operations on configured Active Directory domain controllers, by default, the provisioning agent uses the default connection timeout value of 30 seconds. If your domain controller takes more time to respond, then you may see the following error message in the agent log file:
+
+`
+System.DirectoryServices.Protocols.LdapException: The operation was aborted because the client side timeout limit was exceeded.
+`
+
+LDAP search operations can take longer if the search attribute is not indexed. As a first step, if you get the above error, first check if the search/lookup attribute is [indexed](/windows/win32/ad/indexed-attributes). If the search attributes are indexed and the error persists, you can increase the LDAP connection timeout using the following steps:
+
+1. Log on as Administrator on the Windows server running the Azure AD Connect Provisioning Agent.
+1. Use the *Run* menu item to open the registry editor (regedit.exe)
+1. Locate the key folder **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent**
+1. Right-click and select "New -> String Value"
+1. Provide the name:
+ `LdapConnectionTimeoutInMilliseconds`
+1. Double-click on the **Value Name** and enter the value data as `60000` milliseconds.
+ > [!div class="mx-imgBorder"]
+ > ![LDAP Connection Timeout](media/how-to-manage-registry-options/ldap-connection-timeout.png)
+1. Restart the Azure AD Connect Provisioning Service from the *Services* console.
+1. If you have deployed multiple provisioning agents, apply this registry change to all agents for consistency.
+
+## Configure referral chasing
+By default, the Azure AD Connect provisioning agent does not chase [referrals](/windows/win32/ad/referrals).
+You may want to enable referral chasing, to support certain HR inbound provisioning scenarios such as:
+* Checking uniqueness of UPN across multiple domains
+* Resolving cross-domain manager references
+
+Use the following steps to turn on referral chasing:
+
+1. Log on as Administrator on the Windows server running the Azure AD Connect Provisioning Agent.
+1. Use the *Run* menu item to open the registry editor (regedit.exe)
+1. Locate the key folder **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Azure AD Connect Agents\Azure AD Connect Provisioning Agent**
+1. Right-click and select "New -> String Value"
+1. Provide the name:
+ `ReferralChasingOptions`
+1. Double-click on the **Value Name** and enter the value data as `96`. This value corresponds to the constant value for `ReferralChasingOptions.All` and specifies that both subtree and base-level referrals will be followed by the agent.
+ > [!div class="mx-imgBorder"]
+ > ![Referral Chasing](media/how-to-manage-registry-options/referral-chasing.png)
+1. Restart the Azure AD Connect Provisioning Service from the *Services* console.
+1. If you have deployed multiple provisioning agents, apply this registry change to all agents for consistency.
+++
+> [!NOTE]
+> You can confirm the registry options have been set by enabling [verbose logging](how-to-troubleshoot.md#log-files). The logs emitted during agent startup will display the config values picked from the registry.
+
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+
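Review bot: In the referral chasing steps, the value `96` is explained as "both subtree and base-level referrals", but 96 is `ReferralChasingOptions.All`, the sum of `Subordinate` (32) and `External` (64), so the sentence should say subordinate and external referrals; it is the external referrals that let the agent follow references into other domains, which is what the two listed scenarios (UPN uniqueness across domains, cross-domain manager references) depend on. The LDAP error message is wrapped in a lone backtick on one line with the text on the next, which does not render as a code span; a fenced block is the convention used elsewhere in these articles. Leftover front-matter fields (`documentationcenter: ''`, `editor: ''`, ` na`) have ended up in the body above the title, and "uses the default connection timeout value of 30 seconds" repeats "default". Both procedures create a REG_SZ value; the article should say whether the agent validates the string and what it does when the value is unparsable (for example, fall back to the default), because a silent fallback would hide the misconfiguration that the verbose-logging note at the end is meant to catch.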
active-directory How To Map Usertype https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-map-usertype.md
+
+ Title: 'Use map UserType with Azure AD Connect cloud sync'
+description: This article describes how to map the UserType attribute with cloud sync.
++++++ Last updated : 01/11/2023+++++
+# Map UserType with cloud sync
+
+Cloud sync supports synchronization of the **UserType** attribute for User objects.
+
+By default, the **UserType** attribute isn't enabled for synchronization because there's no corresponding **UserType** attribute in on-premises Active Directory. You must manually add this mapping for synchronization. Before you do this step, you must take note of the following behavior enforced by Azure Active Directory (Azure AD):
+
+- Azure AD only accepts two values for the **UserType** attribute: Member and Guest.
+- If the **UserType** attribute isn't mapped in cloud sync, Azure AD users created through directory synchronization would have the **UserType** attribute set to Member.
+
+Before you add a mapping for the **UserType** attribute, you must first decide how the attribute is derived from on-premises Active Directory. The following approaches are the most common:
+
+ - Designate an unused on-premises Active Directory attribute, such as extensionAttribute1, to be used as the source attribute. The designated on-premises Active Directory attribute should be of the type string, be single-valued, and contain the value Member or Guest.
+ - If you choose this approach, you must ensure that the designated attribute is populated with the correct value for all existing user objects in on-premises Active Directory that are synchronized to Azure AD before you enable synchronization of the **UserType** attribute.
+
+## Add the UserType mapping
+To add the **UserType** mapping:
+
+ 1. In the Azure portal, select **Azure Active Directory**.
+ 1. Select **Azure AD Connect**.
+ 1. Select **Manage cloud sync**.
+ 1. Under **Configuration**, select your configuration.
+ 1. Under **Manage attributes**, select **Click to edit mappings**.
+
+ ![Screenshot that shows editing the attribute mappings.](media/how-to-map-usertype/usertype-1.png)
+
+ 1. Select **Add attribute mapping**.
+
+ ![Screenshot that shows adding a new attribute mapping.](media/how-to-map-usertype/usertype-2.png)
+1. Select the mapping type. You can do the mapping in one of three ways:
+ - A direct mapping, for example, from an Active Directory attribute
+ - An expression, such as IIF(InStr([userPrincipalName], "@partners") > 0,"Guest","Member")
+ - A constant, for example, make all user objects as Guest
+
+ ![Screenshot that shows adding a UserType attribute.](media/how-to-map-usertype/usertype-3.png)
+
+1. In the **Target attribute** dropdown box, select **UserType**.
+1. Select **Apply** at the bottom of the page to create a mapping for the Azure AD **UserType** attribute.
+
+## Next steps
+
+- [Writing expressions for attribute mappings in Azure Active Directory](reference-expressions.md)
+- [Cloud sync configuration](how-to-configure.md)
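Review bot: The expression example `IIF(InStr([userPrincipalName], "@partners") > 0,"Guest","Member")` is a substring test, so any UPN containing that text (not only accounts in a partners domain) is marked Guest, and every other account falls to Member, which the article itself says is what unmapped users receive; since Guest is the restricted value, an external account that the loose match fails to tag ends up as a Member, so the sample should compare the full domain suffix or carry a warning about partial matches. "The following approaches are the most common" introduces a list containing a single approach; either add the other common approaches (an expression and a constant appear later under the mapping-type step) or change the sentence. The numbered list under "Add the UserType mapping" mixes indented `1.` items with un-indented ones, which renders as two separate lists.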
active-directory How To On Demand Provision https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-on-demand-provision.md
+
+ Title: 'On-demand provisioning in Azure AD Connect cloud sync'
+description: This article describes how to use the cloud sync feature of Azure AD Connect to test configuration changes.
++++++ Last updated : 01/11/2023+++++
+# On-demand provisioning in Azure AD Connect cloud sync
+
+You can use the cloud sync feature of Azure Active Directory (Azure AD) Connect to test configuration changes by applying these changes to a single user. This on-demand provisioning helps you validate and verify that the changes made to the configuration were applied properly and are being correctly synchronized to Azure AD.
+
+> [!IMPORTANT]
+> When you use on-demand provisioning, the scoping filters are not applied to the user that you selected. You can use on-demand provisioning on users who are outside the organization units that you specified.
+
+For additional information and an example see the following video.
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWK5mW]
+
+## Validate a user
+To use on-demand provisioning, follow these steps:
+
+ 1. In the Azure portal, select **Azure Active Directory**.
+ 2. On the left, select **Azure AD Connect**.
+ 3. On the left, select **Cloud sync**.
+
+ :::image type="content" source="media/how-to-on-demand-provision/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="media/how-to-on-demand-provision/new-ux-1.png":::
+
+ 4. Under **Configuration**, select your configuration.
+ 5. On the left, select **Provision on demand**.
+ 6. Enter the distinguished name of a user and select the **Provision** button.
+
+ :::image type="content" source="media/how-to-on-demand-provision/new-ux-2.png" alt-text="Screenshot of user distinguished name." lightbox="media/how-to-on-demand-provision/new-ux-2.png":::
+
+ 7. After provisioning finishes, a success screen appears with four green check marks. Any errors appear to the left.
+
+ :::image type="content" source="media/how-to-on-demand-provision/new-ux-3.png" alt-text="Screenshot of on-demand success." lightbox="media/how-to-on-demand-provision/new-ux-3.png":::
+
+## Get details about provisioning
+Now you can look at the user information and determine if the changes that you made in the configuration have been applied. The rest of this article describes the individual sections that appear in the details of a successfully synchronized user.
+
+### Import user
+The **Import user** section provides information on the user who was imported from Active Directory. This is what the user looks like before provisioning into Azure AD. Select the **View details** link to display this information.
+
+By using this information, you can see the various attributes (and their values) that were imported. If you created a custom attribute mapping, you can see the value here.
+
+ :::image type="content" source="media/how-to-on-demand-provision/new-ux-4.png" alt-text="Screenshot of import user." lightbox="media/how-to-on-demand-provision/new-ux-4.png":::
+
+### Determine if user is in scope
+The **Determine if user is in scope** section provides information on whether the user who was imported to Azure AD is in scope. Select the **View details** link to display this information.
+
+By using this information, you can see if the user is in scope.
+
+ :::image type="content" source="media/how-to-on-demand-provision/new-ux-5.png" alt-text="Screenshot of scope determination." lightbox="media/how-to-on-demand-provision/new-ux-5.png":::
+
+### Match user between source and target system
+The **Match user between source and target system** section provides information on whether the user already exists in Azure AD and whether a join should occur instead of provisioning a new user. Select the **View details** link to display this information.
+
+By using this information, you can see whether a match was found or if a new user is going to be created.
+
+ :::image type="content" source="media/how-to-on-demand-provision/new-ux-6.png" alt-text="Screenshot of matching user." lightbox="media/how-to-on-demand-provision/new-ux-6.png":::
+
+The matching details show a message with one of the three following operations:
+- **Create**: A user is created in Azure AD.
+- **Update**: A user is updated based on a change made in the configuration.
+- **Delete**: A user is removed from Azure AD.
+
+Depending on the type of operation that you've performed, the message will vary.
+
+### Perform action
+The **Perform action** section provides information on the user who was provisioned or exported into Azure AD after the configuration was applied. This is what the user looks like after provisioning into Azure AD. Select the **View details** link to display this information.
+
+By using this information, you can see the values of the attributes after the configuration was applied. Do they look similar to what was imported, or are they different? Was the configuration applied successfully?
+
+This process enables you to trace the attribute transformation as it moves through the cloud and into your Azure AD tenant.
+
+ :::image type="content" source="media/how-to-on-demand-provision/new-ux-7.png" alt-text="Screenshot of perform action." lightbox="media/how-to-on-demand-provision/new-ux-7.png":::
+
+## Next steps
+
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+- [Install Azure AD Connect cloud sync](how-to-install.md)
+
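Review bot: The IMPORTANT note says scoping filters are not applied to the selected user, but the consequence deserves one more sentence: provisioning on demand a user outside the configured organizational units creates or updates that user in Azure AD for real (the "Perform action" section describes the user "provisioned or exported into Azure AD"), so the distinguished name entered should be a deliberately chosen test account. Under "Match user between source and target system", "Depending on the type of operation that you've performed" reads as if the operator chose the operation, whereas the preceding list explains that Create, Update or Delete is the outcome of the match; suggest "Depending on the operation that was determined". Minor: "For additional information and an example see the following video" needs a comma before "see".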
active-directory How To Prerequisites https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-prerequisites.md
+
+ Title: 'Prerequisites for Azure AD Connect cloud sync in Azure AD'
+description: This article describes the prerequisites and hardware requirements you need for cloud sync.
++++++ Last updated : 01/11/2023+++++
+# Prerequisites for Azure AD Connect cloud sync
+This article provides guidance on how to choose and use Azure Active Directory (Azure AD) Connect cloud sync as your identity solution.
+
+## Cloud provisioning agent requirements
+You need the following to use Azure AD Connect cloud sync:
+
+- Domain Administrator or Enterprise Administrator credentials to create the Azure AD Connect Cloud Sync gMSA (group Managed Service Account) to run the agent service.
+- A hybrid identity administrator account for your Azure AD tenant that is not a guest user.
+- An on-premises server for the provisioning agent with Windows 2016 or later. This server should be a tier 0 server based on the [Active Directory administrative tier model](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material). Installing the agent on a domain controller is supported.
+- High availability refers to the Azure AD Connect cloud sync's ability to operate continuously without failure for a long time. By having multiple active agents installed and running, Azure AD Connect cloud sync can continue to function even if one agent should fail. Microsoft recommends having 3 active agents installed for high availability.
+- On-premises firewall configurations.
+
+## Group Managed Service Accounts
+A group Managed Service Account is a managed domain account that provides automatic password management, simplified service principal name (SPN) management, the ability to delegate the management to other administrators, and also extends this functionality over multiple servers. Azure AD Connect Cloud Sync supports and uses a gMSA for running the agent. You will be prompted for administrative credentials during setup, in order to create this account. The account will appear as (domain\provAgentgMSA$). For more information on a gMSA, see [group Managed Service Accounts](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview)
+
+### Prerequisites for gMSA:
+1. The Active Directory schema in the gMSA domain's forest needs to be updated to Windows Server 2012 or later.
+2. [PowerShell RSAT modules](/windows-server/remote/remote-server-administration-tools) on a domain controller
+3. At least one domain controller in the domain must be running Windows Server 2012 or later.
+4. A domain joined server where the agent is being installed needs to be either Windows Server 2016 or later.
+
+### Custom gMSA account
+If you are creating a custom gMSA account, you need to ensure that the account has the following permissions.
+
+|Type |Name |Access |Applies To|
+|--|--|--|--|
+|Allow |gMSA Account |Read all properties |Descendant device objects|
+|Allow |gMSA Account|Read all properties |Descendant InetOrgPerson objects|
+|Allow |gMSA Account |Read all properties |Descendant Computer objects|
+|Allow |gMSA Account |Read all properties |Descendant foreignSecurityPrincipal objects|
+|Allow |gMSA Account |Full control |Descendant Group objects|
+|Allow |gMSA Account |Read all properties |Descendant User objects|
+|Allow |gMSA Account |Read all properties |Descendant Contact objects|
+|Allow |gMSA Account |Create/delete User objects|This object and all descendant objects|
+
+For steps on how to upgrade an existing agent to use a gMSA account see [group Managed Service Accounts](how-to-install.md#group-managed-service-accounts).
+
+For more information on how to prepare your Active Directory for group Managed Service Account, see [group Managed Service Accounts Overview](/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).
+
+### In the Azure portal
+
+1. Create a cloud-only hybrid identity administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant if your on-premises services fail or become unavailable. Learn about how to [add a cloud-only hybrid identity administrator account](../../fundamentals/add-users-azure-active-directory.md). Finishing this step is critical to ensure that you don't get locked out of your tenant.
+1. Add one or more [custom domain names](../../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.
+
+### In your directory in Active Directory
+
+Run the [IdFix tool](/office365/enterprise/prepare-directory-attributes-for-synch-with-idfix) to prepare the directory attributes for synchronization.
+
+### In your on-premises environment
+
+1. Identify a domain-joined host server running Windows Server 2016 or greater with a minimum of 4-GB RAM and .NET 4.7.1+ runtime.
+
+2. The PowerShell execution policy on the local server must be set to Undefined or RemoteSigned.
+
+3. If there's a firewall between your servers and Azure AD, see [Firewall and proxy requirements](#firewall-and-proxy-requirements) below.
+
+>[!NOTE]
+> Installing the cloud provisioning agent on Windows Server Core is not supported.
+
+### Additional requirements
+
+- [Microsoft .NET Framework 4.7.1](https://dotnet.microsoft.com/download/dotnet-framework/net471)
+
+#### TLS requirements
+
+> [!NOTE]
+> Transport Layer Security (TLS) is a protocol that provides for secure communications. Changing the TLS settings affects the entire forest. For more information, see [Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows](https://support.microsoft.com/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi).
+
+The Windows server that hosts the Azure AD Connect cloud provisioning agent must have TLS 1.2 enabled before you install it.
+
+To enable TLS 1.2, follow these steps.
+
+1. Set the following registry keys:
+
+ ```
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
+ [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001
+ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] "SchUseStrongCrypto"=dword:00000001
+ ```
+
+1. Restart the server.
+
+## Firewall and Proxy requirements
+If there's a firewall between your servers and Azure AD, configure the following items:
+
+- Ensure that agents can make *outbound* requests to Azure AD over the following ports:
+
+ | Port number | How it's used |
+ | | |
+ | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate. |
+ | **443** | Handles all outbound communication with the service. |
+ | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed in the Azure portal. |
+
+- If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
+- If your firewall or proxy allows you to specify safe suffixes, add connections:
+
+#### [Public Cloud](#tab/public-cloud)
++
+ |URL |How it's used|
+ |--|--|
+ |&#42;.msappproxy.net</br>&#42;.servicebus.windows.net|The agent uses these URLs to communicate with the Azure AD cloud service. |
+ |&#42;.microsoftonline.com</br>&#42;.microsoft.com</br>&#42;.msappproxy.com</br>&#42;.windowsazure.com|The agent uses these URLs to communicate with the Azure AD cloud service. |
+ |`mscrl.microsoft.com:80` </br>`crl.microsoft.com:80` </br>`ocsp.msocsp.com:80` </br>`www.microsoft.com:80`| The agent uses these URLs to verify certificates.|
+ |login.windows.net</br>|The agent uses these URLs during the registration process.
+++
+#### [U.S. Government Cloud](#tab/us-government-cloud)
+
+ |URL |How it's used|
+ |--|--|
+ |&#42;.msappproxy.us</br>&#42;.servicebus.usgovcloudapi.net|The agent uses these URLs to communicate with the Azure AD cloud service. |
+ |`mscrl.microsoft.us:80` </br>`crl.microsoft.us:80` </br>`ocsp.msocsp.us:80` </br>`www.microsoft.us:80`| The agent uses these URLs to verify certificates.|
+ |login.windows.us </br>secure.aadcdn.microsoftonline-p.com </br>&#42;.microsoftonline.us </br>&#42;.microsoftonline-p.us </br>&#42;.msauth.net </br>&#42;.msauthimages.net </br>&#42;.msecnd.net</br>&#42;.msftauth.net </br>&#42;.msftauthimages.net</br>&#42;.phonefactor.net </br>enterpriseregistration.windows.net</br>management.azure.com </br>policykeyservice.dc.ad.msft.net</br>ctldl.windowsupdate.us:80 </br>aadcdn.msftauthimages.us </br>*.microsoft.us </br>msauthimages.us </br>mfstauthimages.us| The agent uses these URLs during the registration process.
++++
+- If you are unable to add connections, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
++
+## NTLM requirement
+
+You should not enable NTLM on the Windows Server that is running the Azure AD Connect Provisioning Agent and if it is enabled you should make sure you disable it.
+
+## Known limitations
+
+The following are known limitations:
+
+### Delta Synchronization
+
+- Group scope filtering for delta sync does not support more than 50,000 members.
+- When you delete a group that's used as part of a group scoping filter, users who are members of the group, don't get deleted.
+- When you rename the OU or group that's in scope, delta sync will not remove the users.
+
+### Provisioning Logs
+- Provisioning logs do not clearly differentiate between create and update operations. You may see a create operation for an update and an update operation for a create.
+
+### Group re-naming or OU re-naming
+- If you rename a group or OU in AD that's in scope for a given configuration, the cloud sync job will not be able to recognize the name change in AD. The job won't go into quarantine and will remain healthy.
+
+### Scoping filter
+When using OU scoping filter
+- You can only sync up to 59 separate OUs or Security Groups for a given configuration.
+- Nested OUs are supported (that is, you **can** sync an OU that has 130 nested OUs, but you **cannot** sync 60 separate OUs in the same configuration).
+
+### Password Hash Sync
+- Using password hash sync with InetOrgPerson is not supported.
++
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
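Review bot: the registry block under "TLS requirements" puts each key and its values on one line (`[...\TLS 1.2\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001`), which is not valid .reg syntax; values must sit on their own lines under the key header, and the fence should be tagged so readers don't paste it as-is. The note above it says changing TLS settings "affects the entire forest", but these SCHANNEL and .NET registry keys are per-server settings, so the sentence should say the change applies to the machine being configured. The port table uses `| | |` as its header separator, which does not render as a table, and the last U.S. Government Cloud row ends in `mfstauthimages.us`, which looks like a transposition of `msftauthimages.us` (compare `aadcdn.msftauthimages.us` in the same cell); a mis-typed allow-list entry silently leaves a required endpoint blocked. Finally, the gMSA permissions table grants Full control on descendant Group objects and Create/delete User objects without saying which feature needs each; stating that lets readers scope a custom gMSA to the features they actually enable.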
active-directory How To Sso https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-sso.md
+
+ Title: 'How to use single sign-on with cloud sync'
+description: This article describes how to install and use single sign-on with cloud sync.
++++++ Last updated : 01/18/2023+++++
+# Using single sign-on with cloud sync
+The following document describes how to use single sign-on with cloud sync.
++++++
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
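Review bot: the body of this article is a single sentence ("The following document describes how to use single sign-on with cloud sync.") followed by Next steps, while the description promises install and use steps that are not present. Either add the procedure or link to the existing single sign-on content so readers are not left with an empty page.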
active-directory How To Transformation https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-transformation.md
+
+ Title: Azure AD Connect cloud sync transformations
+description: This article describes how to use transformations to alter the default attribute mappings.
+++ Last updated : 01/11/2023+
+ms.technology: identity-adfs
++
+# Transformations
+
+With a transformation, you can change the default behavior of how an attribute is synchronized with Azure Active Directory (Azure AD) by using cloud sync.
+
+To do this task, you need to edit the schema and then resubmit it via a web request.
+
+For more information on cloud sync attributes, see [Understanding the Azure AD schema](concept-attributes.md).
++
+## Retrieve the schema
+To retrieve the schema, follow the steps in [View the schema](concept-attributes.md#view-the-schema).
+
+## Custom attribute mapping
+To add a custom attribute mapping, follow these steps.
+
+1. Copy the schema into a text or code editor such as [Visual Studio Code](https://code.visualstudio.com/).
+1. Locate the object that you want to update in the schema.
+
+ ![Object in the schema](media/how-to-transformation/transform-1.png)</br>
+1. Locate the code for `ExtensionAttribute3` under the user object.
+
+ ```
+ {
+ "defaultValue": null,
+ "exportMissingReferences": false,
+ "flowBehavior": "FlowWhenChanged",
+ "flowType": "Always",
+ "matchingPriority": 0,
+ "targetAttributeName": "ExtensionAttribute3",
+ "source": {
+ "expression": "Trim([extensionAttribute3])",
+ "name": "Trim",
+ "type": "Function",
+ "parameters": [
+ {
+ "key": "source",
+ "value": {
+ "expression": "[extensionAttribute3]",
+ "name": "extensionAttribute3",
+ "type": "Attribute",
+ "parameters": []
+ }
+ }
+ ]
+ }
+ },
+ ```
+1. Edit the code so that the company attribute is mapped to `ExtensionAttribute3`.
+
+ ```
+ {
+ "defaultValue": null,
+ "exportMissingReferences": false,
+ "flowBehavior": "FlowWhenChanged",
+ "flowType": "Always",
+ "matchingPriority": 0,
+ "targetAttributeName": "ExtensionAttribute3",
+ "source": {
+ "expression": "Trim([company])",
+ "name": "Trim",
+ "type": "Function",
+ "parameters": [
+ {
+ "key": "source",
+ "value": {
+ "expression": "[company]",
+ "name": "company",
+ "type": "Attribute",
+ "parameters": []
+ }
+ }
+ ]
+ }
+ },
+ ```
+ 1. Copy the schema back into Graph Explorer, change the **Request Type** to **PUT**, and select **Run Query**.
+
+ ![Run Query](media/how-to-transformation/transform-2.png)
+
+ 1. Now, in the Azure portal, go to the cloud sync configuration and select **Restart provisioning**.
+
+ ![Restart provisioning](media/how-to-transformation/transform-3.png)
+
+ 1. After a little while, verify the attributes are being populated by running the following query in Graph Explorer: `https://graph.microsoft.com/beta/users/{Azure AD user UPN}`.
+ 1. You should now see the value.
+
+ ![The value appears](media/how-to-transformation/transform-4.png)
+
+## Custom attribute mapping with function
+For more advanced mapping, you can use functions that allow you to manipulate the data and create values for attributes to suit your organization's needs.
+
+To do this task, follow the previous steps and then edit the function that's used to construct the final value.
+
+For information on the syntax and examples of expressions, see [Writing expressions for attribute mappings in Azure Active Directory](reference-expressions.md).
++
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
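Review bot: the first step copies the schema into an editor, but no step keeps an unmodified copy; since the later "Copy the schema back into Graph Explorer" step PUTs the entire schema, a typo in the edited JSON replaces every mapping in the configuration, so add a step to save the original response for rollback before editing. The two JSON fences are untagged and have lost their indentation, and each snippet ends with `},`, which is only valid inside the enclosing array; either show the enclosing array or note that the trailing comma belongs to the surrounding list. The verification query uses the `beta` Graph endpoint; say so explicitly, since beta responses are subject to change.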
active-directory How To Troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/how-to-troubleshoot.md
+
+ Title: Azure AD Connect cloud sync troubleshooting
+description: This article describes how to troubleshoot problems that might arise with the cloud provisioning agent.
+++ Last updated : 01/18/2023+
+ms.technology: identity-adfs
++
+# Cloud sync troubleshooting
+
+Cloud sync has many different dependencies and interactions, which can give rise to various problems. This article helps you troubleshoot these problems. It introduces the typical areas for you to focus on, how to gather additional information, and the various techniques you can use to track down problems.
+
+## Agent problems
+
+When you troubleshoot agent problems, you verify that the agent was installed correctly, and that it communicates with Azure Active Directory (Azure AD). In particular, some of the first things that you want to verify with the agent are:
+
+- Is it installed?
+- Is the agent running locally?
+- Is the agent in the portal?
+- Is the agent marked as healthy?
+
+You can verify these items in the Azure portal and on the local server that's running the agent.
+
+### Azure portal agent verification
+
+To verify that Azure detects the agent, and that the agent is healthy, follow these steps:
+
+1. Sign in to the Azure portal.
+1. On the left, select **Azure Active Directory** > **Azure AD Connect**. In the center, select **Manage sync**.
+1. On the **Azure AD Connect cloud sync** screen, select **Review all agents**.
+
+ ![Screenshot that shows the option to review all agents.](media/how-to-install/install-7.png)
+
+1. On the **On-premises provisioning agents** screen, you see the agents you've installed. Verify that the agent in question is there. If all is well, you will see the *active* (green) status for the agent.
+
+ ![Screenshot that shows the installed agent, and its status.](media/how-to-install/install-8.png)
+
+### Verify the required open ports
+
+Verify that the Azure AD Connect provisioning agent is able to communicate successfully with Azure datacenters. If there's a firewall in the path, make sure that the following ports to outbound traffic are open:
+
+| Port number | How it's used |
+| -- | |
+| 80 | Downloading certificate revocation lists (CRLs), while validating the TLS/SSL certificate. |
+| 443 | Handling all outbound communication with the Application Proxy service. |
+
+If your firewall enforces traffic according to originating users, also open ports 80 and 443 for traffic from Windows services that run as a network service.
+
+### Allow access to URLs
+
+Allow access to the following URLs:
+
+| URL | Port | How it's used |
+| | | |
+| `*.msappproxy.net` <br> `*.servicebus.windows.net` | 443/HTTPS | Communication between the connector and the Application Proxy cloud service. |
+| `crl3.digicert.com` <br> `crl4.digicert.com` <br> `ocsp.digicert.com` <br> `crl.microsoft.com` <br> `oneocsp.microsoft.com` <br> `ocsp.msocsp.com`<br> | 80/HTTP | The connector uses these URLs to verify certificates. |
+| `login.windows.net` <br> `secure.aadcdn.microsoftonline-p.com` <br> `*.microsoftonline.com` <br> `*.microsoftonline-p.com` <br> `*.msauth.net` <br> `*.msauthimages.net` <br> `*.msecnd.net` <br> `*.msftauth.net` <br> `*.msftauthimages.net` <br> `*.phonefactor.net` <br> `enterpriseregistration.windows.net` <br> `management.azure.com` <br> `policykeyservice.dc.ad.msft.net` <br> `ctldl.windowsupdate.com` <br> `www.microsoft.com/pkiops` | 443/HTTPS | The connector uses these URLs during the registration process. |
+| `ctldl.windowsupdate.com` | 80/HTTP | The connector uses this URL during the registration process. |
+
+You can allow connections to `*.msappproxy.net`, `*.servicebus.windows.net`, and other of the preceding URLs, if your firewall or proxy lets you configure access rules based on domain suffixes. If not, you need to allow access to the [Azure IP ranges and service tags - public cloud](https://www.microsoft.com/download/details.aspx?id=56519). The IP ranges are updated each week.
+
+> [!IMPORTANT]
+> Avoid all forms of inline inspection and termination on outbound TLS communications between Azure AD Application Proxy connectors and Azure AD Application Proxy cloud services.
+
+### DNS name resolution for Azure AD Application Proxy endpoints
+
+Public DNS records for Azure AD Application Proxy endpoints are chained CNAME records, pointing to an A record. This ensures fault tolerance and flexibility. ItΓÇÖs guaranteed that the Azure AD Application Proxy connector always accesses host names with the domain suffixes `*.msappproxy.net` or `*.servicebus.windows.net`.
+
+However, during the name resolution, the CNAME records might contain DNS records with different host names and suffixes. Due to this, you must ensure that the device can resolve all the records in the chain, and allows connection to the resolved IP addresses. Because the DNS records in the chain might be changed from time to time, we can't provide you with any list DNS records.
+
+### On the local server
+
+To verify that the agent is running, follow these steps:
+
+1. On the server with the agent installed, open **Services**. Do this by going to **Start** > **Run** > **Services.msc**.
+1. Under **Services**, make sure **Microsoft Azure AD Connect Agent Updater** and **Microsoft Azure AD Connect Provisioning Agent** are there. Also confirm that their status is *Running*.
+
+ ![Screenshot of local services and their status.](media/how-to-troubleshoot/troubleshoot-1.png)
+
+### Common agent installation problems
+
+The following sections describe some common agent installation problems, and typical resolutions of those problems.
+
+#### Agent failed to start
+
+You might receive an error message that states:
+
+*Service 'Microsoft Azure AD Connect Provisioning Agent' failed to start. Verify that you have sufficient privileges to start the system services.*
+
+This problem is typically caused by a group policy. The policy prevented permissions from being applied to the local NT Service sign-in account created by the installer (`NT SERVICE\AADConnectProvisioningAgent`). These permissions are required to start the service.
+
+To resolve this problem, follow these steps:
+
+1. Sign in to the server with an administrator account.
+1. Open **Services** by going to **Start** > **Run** > **Services.msc**.
+1. Under **Services**, double-click **Microsoft Azure AD Connect Provisioning Agent**.
+1. On the **Log On** tab, change **This account** to a domain admin. Then restart the service.
+
+ ![Screenshot that shows options available from the log on tab.](media/how-to-troubleshoot/troubleshoot-3.png)
+
+#### Agent times out or certificate isn't valid
+
+You might get the following error message when you attempt to register the agent.
+
+![Screenshot that shows a time-out error message.](media/how-to-troubleshoot/troubleshoot-4.png)
+
+This problem is usually caused by the agent being unable to connect to the hybrid identity service. To resolve this problem, configure an outbound proxy.
+
+The provisioning agent supports the use of an outbound proxy. You can configure it by editing the following agent .config file: *C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\AADConnectProvisioningAgent.exe.config*.
+
+Add the following lines into it, toward the end of the file, just before the closing `</configuration>` tag. Replace the variables `[proxy-server]` and `[proxy-port]` with your proxy server name and port values.
+
+```xml
+ <system.net>
+ <defaultProxy enabled="true" useDefaultCredentials="true">
+ <proxy
+ usesystemdefault="true"
+ proxyaddress="http://[proxy-server]:[proxy-port]"
+ bypassonlocal="true"
+ />
+ </defaultProxy>
+ </system.net>
+```
+
+#### Agent registration fails with security error
+
+You might get an error message when you install the cloud provisioning agent. This problem is typically caused by the agent being unable to run the PowerShell registration scripts, due to local PowerShell execution policies.
+
+To resolve this problem, change the PowerShell execution policies on the server. You need to have machine and user policies set as `Undefined` or `RemoteSigned`. If they're set as `Unrestricted`, you'll see this error. For more information, see [PowerShell execution policies](/powershell/module/microsoft.powershell.core/about/about_execution_policies).
+
+### Log files
+
+By default, the agent emits minimal error messages and stack trace information. You can find these trace logs in the following folder: *C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace*.
+
+To gather additional details for troubleshooting agent-related problems, follow these steps.
+
+1. [Install the AADCloudSyncTools PowerShell module](reference-powershell.md#install-the-aadcloudsynctools-powershell-module).
+1. Use the `Export-AADCloudSyncToolsLogs` PowerShell cmdlet to capture the information. You can use the following options to fine-tune your data collection.
+ - `SkipVerboseTrace` to only export current logs without capturing verbose logs (default = false).
+ - `TracingDurationMins` to specify a different capture duration (default = 3 minutes).
+ - `OutputPath` to specify a different output path (default = userΓÇÖs Documents folder).
+
+## Object synchronization problems
+
+In the Azure portal, you can use provisioning logs to help track down and troubleshoot object synchronization problems. To view the logs, select **Logs**.
+
+![Screenshot that shows the logs button.](media/how-to-troubleshoot/log-1.png)
+
+Provisioning logs provide a wealth of information on the state of the objects being synchronized between your on-premises Active Directory environment and Azure.
+
+![Screenshot that shows information about provisioning logs.](media/how-to-troubleshoot/log-2.png)
+
+You can filter the view to focus on specific problems, such as dates. Double-click an individual event to see additional information.
+
+![Screenshot that shows the provisioning logs dropdown list information.](media/how-to-troubleshoot/log-3.png)
+
+This information provides detailed steps and where the synchronization problem is occurring. In this way, you can pinpoint the exact spot of the problem.
+
+## Provisioning quarantined problems
+
+Cloud sync monitors the health of your configuration, and places unhealthy objects in a quarantine state. If most or all of the calls made against the target system consistently fail because of an error (for example, invalid admin credentials), the sync job is marked as in quarantine.
+
+![Screenshot that shows the quarantine status.](media/how-to-troubleshoot/quarantine-1.png)
+
+By selecting the status, you can see additional information about the quarantine. You can also obtain the error code and message.
+
+![Screenshot that shows additional information about the quarantine.](media/how-to-troubleshoot/quarantine-2.png)
+
+Right-clicking on the status will bring up additional options to:
+
+- View the provisioning logs.
+- View the agents.
+- Clear the quarantine.
+
+![Screenshot that shows the right-click menu options.](media/how-to-troubleshoot/quarantine-4.png)
+
+### Resolve a quarantine
+
+There are two different ways to resolve a quarantine. You can clear the quarantine, or you can restart the provisioning job.
+
+#### Clear the quarantine
+
+To clear the watermark and run a delta sync on the provisioning job after you have verified it, simply right-click on the status and select **Clear quarantine**.
+
+You should see a notice that the quarantine is clearing.
+
+![Screenshot that shows the notice that the quarantine is clearing.](media/how-to-troubleshoot/quarantine-5.png)
+
+Then you should see the status on your agent as healthy.
+
+![Screenshot that shows the agent status is healthy.](media/how-to-troubleshoot/quarantine-6.png)
+
+#### Restart the provisioning job
+
+Use the Azure portal to restart the provisioning job. On the agent configuration page, select **Restart sync**.
+
+ ![Screenshot that shows options on the agent configuration page.](media/how-to-troubleshoot/quarantine-3.png)
+
+Alternatively, you can use Microsoft Graph to [restart the provisioning job](/graph/api/synchronization-synchronizationjob-restart?tabs=http&view=graph-rest-beta&preserve-view=true). You have full control over what you restart. You can choose to clear:
+
+- Escrows, to restart the escrow counter that accrues toward quarantine status.
+- Quarantine, to remove the application from quarantine.
+- Watermarks.
+
+Use the following request:
+
+ `POST /servicePrincipals/{id}/synchronization/jobs/{jobId}/restart`
+
+## Repair the cloud sync service account
+
+If you need to repair the cloud sync service account, you can use the `Repair-AADCloudSyncToolsAccount` command.
+
+ 1. [Install the AADCloudSyncTools PowerShell module](reference-powershell.md#install-the-aadcloudsynctools-powershell-module).
+
+ 1. From a PowerShell session with administrative privileges, type, or copy and paste, the following:
+
+ ```powershell
+ Connect-AADCloudSyncTools
+ ```
+
+ 1. Enter your Azure AD Global Administrator credentials.
+
+ 1. Type, or copy and paste, the following:
+
+ ```powershell
+ Repair-AADCloudSyncToolsAccount
+ ```
+
+ 1. After this completes, it should say that the account was repaired successfully.
+
+## Password writeback
+
+To enable and use password writeback with cloud sync, keep the following in mind:
+
+- If you need to update the [gMSA permissions](how-to-gmsa-cmdlets.md#using-set-aadcloudsyncpermissions), it might take an hour or more for these permissions to replicate to all the objects in your directory. If you don't assign these permissions, writeback can appear to be configured correctly, but users might encounter errors when they update their on-premises passwords from the cloud. Permissions must be applied to **This object and all descendant objects** for **Unexpire Password** to appear.
+- If passwords for some user accounts aren't written back to the on-premises directory, make sure that inheritance isn't disabled for the account in the on-premises Active Directory Domain Services (AD DS) environment. Write permissions for passwords must be applied to descendant objects for the feature to work correctly.
+- Password policies in the on-premises AD DS environment might prevent password resets from being correctly processed. If you're testing this feature and want to reset passwords for users more than once per day, the group policy for the minimum password age must be set to 0. You can find this setting in the following location: **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Account Policies**, within **gpmc.msc**.
+ - If you update the group policy, wait for the updated policy to replicate, or use the `gpupdate /force` command.
+ - For passwords to be changed immediately, the minimum password age must be set to 0. However, if users adhere to the on-premises policies, and the minimum password age is set to a value greater than 0, password writeback doesn't work after the on-premises policies are evaluated.
+
+## Next steps
+
+- [Known limitations](how-to-prerequisites.md#known-limitations)
+- [Error codes](reference-error-codes.md)
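Review bot: under "Agent failed to start", the resolution is to set the service's Log On account to a domain admin; that turns a local service-permission problem into a standing Domain Admin credential on a member server and contradicts the gMSA guidance in the prerequisites article. Since the hunk itself attributes the failure to a group policy stripping permissions from `NT SERVICE\AADConnectProvisioningAgent`, the fix should be to correct that policy (for example, restore the user rights it removes, such as Log on as a service) or to use the gMSA, with the domain admin change at most a temporary diagnostic step. Related: the "Repair the cloud sync service account" procedure asks for Global Administrator credentials while the prerequisites specify a hybrid identity administrator; use the least-privileged role that works. Also, `ItΓÇÖs` in the DNS section and `userΓÇÖs` in the log-file options are mojibake for an apostrophe, the two port/URL tables use `| | |` as header separators so they will not render, and the execution-policy paragraph says the error appears when the policy is `Unrestricted`, which is less restrictive than the `RemoteSigned` value it recommends; verify which policy actually triggers the failure before publishing.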
active-directory Migrate Azure Ad Connect To Cloud Sync https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/migrate-azure-ad-connect-to-cloud-sync.md
+
+ Title: 'Migrate Azure AD Connect to Azure AD Connect cloud sync| Microsoft Docs'
+description: Describes steps to migrate Azure AD Connect to Azure AD Connect cloud sync.
++++++ Last updated : 01/17/2023++++++
+# Migrating from Azure AD Connect to Azure AD Connect cloud sync
+
+Azure AD Connect cloud sync is the future for accomplishing your hybrid identity goals for synchronization of users, groups, and contacts to Azure AD. It uses the Azure AD cloud provisioning agent instead of the Azure AD Connect application. If you're currently using Azure AD Connect and wish to move to cloud sync, the following document provides guidance.
+
+## Steps for migrating from Azure AD Connect to cloud sync
+++
+|Step|Description|
+|--|--|
+|Choose the best sync tool|Before moving to cloud sync, you should verify that cloud sync is currently the best synchronization tool for you. You can do this task by going through the wizard [here](https://setup.microsoft.com/azure/add-or-sync-users-to-microsoft-365).|
+|Verify the pre-requisites for migrating|The following guidance is only for users who have installed Azure AD Connect using the Express settings and aren't synchronizing devices. Also you should verify the cloud sync [pre-requisites](how-to-prerequisites.md).|
+|Back up your Azure AD Connect configuration|Before making any changes, you should back up your Azure AD Connect configuration. This way, you can role-back. For more information, see [Import and export Azure AD Connect configuration settings](../connect/how-to-connect-import-export-config.md).|
+|Review the migration tutorial|To become familiar with the migration process, review the [Migrate to Azure AD Connect cloud sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md) tutorial. This tutorial guides you through the migration process in a sandbox environment.|
+|Create or identify an OU for the migration|Create a new OU or identify an existing OU that contains the users you'll test migration on.|
+|Move users into new OU (optional)|If you're using a new OU, move the users that are in scope for this pilot into that OU now. Before continuing, let Azure AD Connect pick up the changes so that it's synchronizing them in the new OU.|
+|Run PowerShell on OU|You can run the following PowerShell cmdlet to get the counts of the users that are in the pilot OU. </br>`Get-ADUser -Filter * -SearchBase "<DN path of OU>"`</br> Example: `Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM"`|
+|Stop the scheduler|Before creating new sync rules, you need to stop the Azure AD Connect scheduler. For more information, see [how to stop the scheduler](../connect/how-to-connect-sync-feature-scheduler.md#stop-the-scheduler).
+|Create the custom sync rules|In the Azure AD Connect Synchronization Rules editor, you need to create an inbound sync rule that filters out users in the OU you created or identified previously. The inbound sync rule is a join rule with a target attribute of cloudNoFlow. You'll also need an outbound sync rule with a link type of JoinNoFlow and the scoping filter that has the cloudNoFlow attribute set to True. For more information, see [Migrate to Azure AD Connect cloud sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md#create-custom-user-inbound-rule) tutorial for how to create these rules.|
+|Install the provisioning agent|If you haven't done so, install the provisioning agent. For more information, see [how to install the agent](how-to-install.md).|
+|Configure cloud sync|Once the agent is installed, you need to configure cloud sync. In the configuration, you need to create a scope to the OU that was created or identified previously. For more information, see [Configuring cloud sync](how-to-configure.md).|
+|Verify pilot users are synchronizing and being provisioned|Verify that the users are now being synchronized in the portal. You can use the PowerShell script below to get a count of the number of users that have the on-premises pilot OU in their distinguished name. This number should match the count of users in the previous step. If you create a new user in this OU, verify that it's being provisioned.|
+|Start the scheduler|Now that you've verified users are provisioning and synchronizing, you can go ahead and start the Azure AD Connect scheduler. For more information, see [how to start the scheduler](../connect/how-to-connect-sync-feature-scheduler.md#start-the-scheduler).
+|Schedule you remaining users|Now you should come up with a plan on migrating more users. You should use a phased approach so that you can verify that the migrations are successful.|
+|Verify all users are provisioned|As you migrate users, verify that they're provisioning and synchronizing correctly.|
+|Stop Azure AD Connect|Once you've verified that all of your users are migrated, you can turn off the Azure AD Connect synchronization service. Microsoft recommends that you leave the server is a disabled state for a period of time, so you can verify the migration was successful
+|Verify everything is good|After a period of time, verify that everything is good.|
+|Decommission the Azure AD Connect server|Once you've verified everything is good you can use the steps below to take the Azure AD Connect server offline.|
++++++
+## Verify Users script
+```PowerShell
+# Filename: VerifyAzureUsers.ps1
+# Description: Counts the number of users in Azure that have a specific on-premises distinguished name.
+#
+# DISCLAIMER:
+# Copyright (c) Microsoft Corporation. All rights reserved. This
+# script is made available to you without any express, implied or
+# statutory warranty, not even the implied warranty of
+# merchantability or fitness for a particular purpose, or the
+# warranty of title or non-infringement. The entire risk of the
+# use or the results from the use of this script remains with you.
+#
+#
+#
+#
++
+Connect-AzureAD -Confirm
+
+#Declare variables
+
+$Users = Get-AzureADUser -All:$true -Filter "DirSyncEnabled eq true"
+$OU = "OU=Sales,DC=contoso,DC=com"
+$counter = 0
+
+#Search users
+
+foreach ($user in $Users) {
+ $test = $User.ExtensionProperty
+ $DN = $test["onPremisesDistinguishedName"]
+ if ($DN -match $OU)
+ {
+ $counter++
+ }
+}
+
+Write-Host "Total Users found:" + $counter
+
+```
+## More information
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+- [Create a new configuration for Azure AD Connect cloud sync](how-to-configure.md).
+- [Migrate to Azure AD Connect cloud sync for an existing synced AD forest](tutorial-pilot-aadc-aadccp.md)
+``
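Review bot: In the VerifyAzureUsers.ps1 block, `Write-Host "Total Users found:" + $counter` passes `+` as a separate argument, so the output reads `Total Users found: + 5` rather than just the count; write it as `Write-Host "Total Users found: $counter"`. In the same loop, `if ($DN -match $OU)` treats the OU distinguished name as a regular expression and matches it anywhere in the string; `$DN -like "*$OU"` (or `$DN.EndsWith($OU)`) avoids surprises with regex metacharacters such as `(`, `+` or `*` in OU names and counts only objects whose DN ends in that OU, which is the same set that `Get-ADUser -Filter * -SearchBase "<DN path of OU>"` returns in the "Run PowerShell on OU" row (that cmdlet searches the subtree by default, so child OUs are counted on both sides and the two totals stay comparable). Smaller points in the table: "you can role-back" should be "roll back", "leave the server is a disabled state" should be "in a disabled state", "Schedule you remaining users" should be "your", and the "Stop the scheduler", "Start the scheduler" and "Stop Azure AD Connect" rows are missing their closing `|`; the stray "``" after the More information list should be dropped.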
active-directory Plan Cloud Sync Topologies https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/plan-cloud-sync-topologies.md
+
+ Title: Azure AD Connect cloud sync supported topologies and scenarios
+description: Learn about various on-premises and Azure Active Directory (Azure AD) topologies that use Azure AD Connect cloud sync.
++++++ Last updated : 01/17/2023++++++
+# Azure AD Connect cloud sync supported topologies and scenarios
+This article describes various on-premises and Azure Active Directory (Azure AD) topologies that use Azure AD Connect cloud sync. This article includes only supported configurations and scenarios.
+
+> [!IMPORTANT]
+> Microsoft doesn't support modifying or operating Azure AD Connect cloud sync outside of the configurations or actions that are formally documented. Any of these configurations or actions might result in an inconsistent or unsupported state of Azure AD Connect cloud sync. As a result, Microsoft can't provide technical support for such deployments.
+
+For more information, see the following video.
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWJ8l5]
+
+## Things to remember about all scenarios and topologies
+The information below should be kept in mind, when selecting a solution.
+
+- Users and groups must be uniquely identified across all forests
+- Matching across forests doesn't occur with cloud sync
+- The source anchor for objects is chosen automatically. It uses ms-DS-ConsistencyGuid if present, otherwise ObjectGUID is used.
+- You can't change the attribute that is used for source anchor.
+
+## Single forest, single Azure AD tenant
+![Diagram that shows the topology for a single forest and a single tenant.](media/tutorial-single-forest/diagram-2.png)
+
+The simplest topology is a single on-premises forest, with one or multiple domains, and a single Azure AD tenant. For an example of this scenario see [Tutorial: A single forest with a single Azure AD tenant](tutorial-single-forest.md)
++
+## Multi-forest, single Azure AD tenant
+![Topology for a multi-forest and a single tenant](media/plan-cloud-provisioning-topologies/multi-forest-2.png)
+
+Multiple AD forests is a common topology, with one or multiple domains, and a single Azure AD tenant.
+
+## Existing forest with Azure AD Connect, new forest with cloud Provisioning
+![Diagram that shows the topology for an existing forest and a new forest.](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
+
+This scenario is topology is similar to the multi-forest scenario, however this one involves an existing Azure AD Connect environment and then bringing on a new forest using Azure AD Connect cloud sync. For an example of this scenario see [Tutorial: An existing forest with a single Azure AD tenant](tutorial-existing-forest.md)
+
+## Piloting Azure AD Connect cloud sync in an existing hybrid AD forest
+![Topology for a single forest and a single tenant](media/tutorial-migrate-aadc-aadccp/diagram-2.png)
+The piloting scenario involves the existence of both Azure AD Connect and Azure AD Connect cloud sync in the same forest and scoping the users and groups accordingly. NOTE: An object should be in scope in only one of the tools.
+
+For an example of this scenario see [Tutorial: Pilot Azure AD Connect cloud sync in an existing synced AD forest](tutorial-pilot-aadc-aadccp.md)
+
+## Merging objects from disconnected sources
+### (Public Preview)
+![Diagram for merging objects from disconnected sources](media/plan-cloud-provisioning-topologies/attributes-multiple-sources.png)
+In this scenario, the attributes of a user are contributed to by two disconnected Active Directory forests.
+
+An example would be:
+
+ - one forest (1) contains most of the attributes
+ - a second forest (2) contains a few attributes
+
+ Since the second forest doesn't have network connectivity to the Azure AD Connect server, the object can't be merged through Azure AD Connect. Cloud Sync in the second forest allows the attribute value to be retrieved from the second forest. The value can then be merged with the object in Azure AD that is synced by Azure AD Connect.
+
+This configuration is advanced and there are a few caveats to this topology:
+
+ 1. You must use `msdsConsistencyGuid` as the source anchor in the Cloud Sync configuration.
+ 2. The `msdsConsistencyGuid` of the user object in the second forest must match that of the corresponding object in Azure AD.
+ 3. You must populate the `UserPrincipalName` attribute and the `Alias` attribute in the second forest and it must match the ones that are synced from the first forest.
+ 4. You must remove all attributes from the attribute mapping in the Cloud Sync configuration that don't have a value or may have a different value in the second forest ΓÇô you can't have overlapping attribute mappings between the first forest and the second one.
+ 5. If there's no matching object in the first forest, for an object that is synced from the second forest, then Cloud Sync will still create the object in Azure AD. The object will only have the attributes that are defined in the mapping configuration of Cloud Sync for the second forest.
+ 6. If you delete the object from the second forest, it will be temporarily soft deleted in Azure AD. It will be restored automatically after the next Azure AD Connect sync cycle.
+ 7. If you delete the object from the first forest, it will be soft deleted from Azure AD. The object won't be restored unless a change is made to the object in the second forest. After 30 days the object will be hard deleted from Azure AD and if a change is made to the object in the second forest it will be created as a new object in Azure AD.
+
+
+
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
+
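Review bot: The caveats under "Merging objects from disconnected sources" call the anchor `msdsConsistencyGuid` while "Things to remember" calls it `ms-DS-ConsistencyGuid`; pick one spelling of the attribute (its LDAP display name is `mS-DS-ConsistencyGuid`) and use it in both places. Caveat 1, "You must use `msdsConsistencyGuid` as the source anchor in the Cloud Sync configuration", also reads as a choice the admin makes, but the earlier bullets say "The source anchor for objects is chosen automatically" and "You can't change the attribute that is used for source anchor"; reword caveat 1 to say the attribute must be populated on the objects in the second forest so that cloud sync selects it, with caveat 2 continuing to require that its value match the object Azure AD Connect synced from the first forest. Also: "This scenario is topology is similar" has a doubled verb; "### (Public Preview)" as a standalone heading should be folded into the H2 title or turned into a note; and the "ΓÇô" in caveat 4 is a mis-encoded dash that can be replaced with a colon or a sentence break.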
active-directory Reference Error Codes https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-error-codes.md
+
+ Title: Azure AD Connect cloud sync error codes and descriptions
+description: reference article for cloud sync error codes
++++++ Last updated : 01/18/2023+++++
+# Azure AD Connect cloud sync error codes and descriptions
+The following is a list of error codes and their description
++
+## Error codes
+
+|Error code|Details|Scenario|Resolution|
+|--|--|--|--|
+|TimeOut|Error Message: We've detected a request timeout error when contacting the on-premises agent and synchronizing your configuration. For additional issues related to your cloud sync agent, please see our troubleshooting guidance.|Request to HIS timed out. Current Timeout value is 10 minutes.|See our [troubleshooting guidance](how-to-troubleshoot.md)|
+|HybridSynchronizationActiveDirectoryInternalServerError|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.30b500eaf9c643b2b78804e80c1421fe.5c291d3c-d29f-4570-9d6b-f0c2fa3d5926. Additional details: Processing of the HTTP request resulted in an exception. |Couldn't process the parameters received in SCIM request to a Search request.|Please see the HTTP response returned by the 'Response' property of this exception for details.|
+|HybridIdentityServiceNoAgentsAssigned|Error Message: We're unable to find an active agent for the domain you're trying to sync. Please check to see if the agents have been removed. If so, re-install the agent again.|There are no agents running. Probably agents have been removed. Register a new agent.|"In this case, you won't see any agent assigned to the domain in portal.|
+|HybridIdentityServiceNoActiveAgents|Error Message: We're unable to find an active agent for the domain you're trying to sync. Please check to see if the agent is running by going to the server, where the agent is installed, and check to see if "Microsoft Azure AD Cloud Sync Agent" under Services is running.|"Agents aren't listening to the ServiceBus endpoint. [The agent is behind a firewall that doesn't allow connections to service bus](../../app-proxy/application-proxy-configure-connectors-with-proxy-servers.md#use-the-outbound-proxy-server)|
+|HybridIdentityServiceInvalidResource|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.3a2a0d8418f34f54a03da5b70b1f7b0c.d583d090-9cd3-4d0a-aee6-8d666658c3e9. Additional details: There seems to be an issue with your cloud sync setup. Please re-register your cloud sync agent on your on-premises AD domain and restart configuration from Azure portal.|The resource name must be set so HIS knows which agent to contact.|Please re-register your cloud sync agent on your on-premises AD domain and restart configuration from Azure portal.|
+|HybridIdentityServiceAgentSignalingError|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.92d2e8750f37407fa2301c9e52ad7e9b.efb835ef-62e8-42e3-b495-18d5272eb3f9. Additional details: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration).|Service Bus isn't able to send a message to the agent. Could be an outage in service bus, or the agent isn't responsive.|If this issue persists, please contact support with Job ID (from status pane of your configuration).|
+|AzureDirectoryServiceServerBusy|Error Message: An error occurred. Error Code: 81. Error Description: Azure Active Directory is currently busy. This operation will be retried automatically. If this issue persists for more than 24 hours, contact Technical Support. Tracking ID: 8a4ab3b5-3664-4278-ab64-9cff37fd3f4f Server Name:|Azure Active Directory is currently busy.|If this issue persists for more than 24 hours, contact Technical Support.|
+|AzureActiveDirectoryInvalidCredential|Error Message: We found an issue with the service account that is used to run Azure AD Connect Cloud Sync. You can repair the cloud service account by following the instructions at [here](./how-to-troubleshoot.md). If the error persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: CredentialsInvalid AADSTS50034: The user account {EmailHidden} doesn't exist in the skydrive365.onmicrosoft.com directory. To sign into this application, the account must be added to the directory. Trace ID: 14b63033-3bc9-4bd4-b871-5eb4b3500200 Correlation ID: 57d93ed1-be4d-483c-997c-a3b6f03deb00 Timestamp: 2021-01-12 21:08:29Z |This error is thrown when the sync service account ADToAADSyncServiceAccount doesn't exist in the tenant. It can be due to accidental deletion of the account.|Use [Repair-AADCloudSyncToolsAccount](reference-powershell.md#repair-aadcloudsynctoolsaccount) to fix the service account.|
+|AzureActiveDirectoryExpiredCredentials|Error Message: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: CredentialsExpired AADSTS50055: The password is expired. Trace ID: 989b1841-dbe5-49c9-ab6c-9aa25f7b0e00 Correlation ID: 1c69b196-1c3a-4381-9187-c84747807155 Timestamp: 2021-01-12 20:59:31Z | Response status code doesn't indicate success: 401 (Unauthorized).<br> Azure AD Sync service account credentials are expired.|You can repair the cloud service account by following the instructions at https://go.microsoft.com/fwlink/?linkid=2150988. If the error persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: Your administrative Azure Active Directory tenant credentials were exchanged for an OAuth token that has since expired."|
+|AzureActiveDirectoryAuthenticationFailed|Error Message: We were unable to process this request at this point. If this issue persists, please contact support and provide the following job identifier: AD2AADProvisioning.60b943e88f234db2b887f8cb91dee87c.707be0d2-c6a9-405d-a3b9-de87761dc3ac. Additional details: We were unable to process this request at this point. If this issue persists, please contact support with Job ID (from status pane of your configuration). Additional Error Details: UnexpectedError.|Unknown error.|If this issue persists, please contact support with Job ID (from status pane of your configuration).|
+
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
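Review bot: Two rows of the error table have their cells misaligned. In the HybridIdentityServiceNoAgentsAssigned row the fix ("Register a new agent") sits in the Scenario column while the Resolution column, which starts with a stray `"`, describes the symptom ("you won't see any agent assigned to the domain in portal"); swap them. The HybridIdentityServiceNoActiveAgents row has only three cells and also opens its third cell with a stray `"`, so the Service Bus explanation and the outbound-proxy link both land in the Scenario column and the Resolution column is empty; split it into "Agents aren't listening to the ServiceBus endpoint" (Scenario) and the firewall/outbound-proxy guidance (Resolution). The AzureActiveDirectoryExpiredCredentials row likewise ends its Resolution cell with a stray `"`. Separately, several Error Message cells carry identifiers captured from a real run, including the tenant name `skydrive365.onmicrosoft.com` and specific job, trace, correlation and tracking IDs; a reference page should show placeholders such as `{tenant}.onmicrosoft.com` and `<job ID>` rather than values from one environment, both to make clear they are illustrative and to avoid publishing a tenant name.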
active-directory Reference Expressions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-expressions.md
+
+ Title: Azure AD Connect cloud sync expressions and function reference
+description: reference
++++++ Last updated : 01/18/2023++++++
+# Writing expressions for attribute mappings in Azure Active Directory
+When you configure cloud sync, one of the types of attribute mappings that you can specify is an expression mapping.
+
+The expression mapping allows you to customize attributes using a script-like expression. This allows you to transform the on-premises data into a new or different value. For example, you may want to combine two attributes into a single attribute because this single attribute is used by one of your cloud applications.
+
+The following document will cover the script-like expressions that are used to transform the data. This is only part of the process. Next you will need to use this expression and place it in a web request to your tenant. For more information on that see [Transformations](how-to-transformation.md)
+
+## Syntax overview
+The syntax for Expressions for Attribute Mappings is reminiscent of Visual Basic for Applications (VBA) functions.
+
+* The entire expression must be defined in terms of functions, which consist of a name followed by arguments in parentheses: <br>
+ *FunctionName(`<<argument 1>>`,`<<argument N>>`)*
+* You may nest functions within each other. For example: <br> *FunctionOne(FunctionTwo(`<<argument1>>`))*
+* You can pass three different types of arguments into functions:
+
+ 1. Attributes, which must be enclosed in square brackets. For example: [attributeName]
+ 2. String constants, which must be enclosed in double quotes. For example: "United States"
+ 3. Other Functions. For example: FunctionOne(`<<argument1>>`, FunctionTwo(`<<argument2>>`))
+* For string constants, if you need a backslash ( \ ) or quotation mark ( " ) in the string, it must be escaped with the backslash ( \ ) symbol. For example: "Company name: \\"Contoso\\""
+
+## List of functions
+| List of functions | Description |
+|--|-|
+|[Append](#append)|Takes a source string value and appends the suffix to the end of it.|
+|[BitAnd](#bitand)|The BitAnd function sets specified bits on a value.|
+|[CBool](#cbool)|The CBool function returns a Boolean based on the evaluated expression|
+|[ConvertFromBase64](#convertfrombase64)|The ConvertFromBase64 function converts the specified base64 encoded value to a regular string.|
+|[ConvertToBase64](#converttobase64)|The ConvertToBase64 function converts a string to a Unicode base64 string. |
+|[ConvertToUTF8Hex](#converttoutf8hex)|The ConvertToUTF8Hex function converts a string to a UTF8 Hex encoded value.|
+|[Count](#count)|The Count function returns the number of elements in a multi-valued attribute|
+|[Cstr](#cstr)|The CStr function converts to a string data type.|
+|[DateFromNum](#datefromnum)|The DateFromNum function converts a value in ADΓÇÖs date format to a DateTime type.|
+|[DNComponent](#dncomponent)|The DNComponent function returns the value of a specified DN component going from left.|
+|[Error](#error)|The Error function is used to return a custom error.|
+|[FormatDateTime](#formatdatetime) |Takes a date string from one format and converts it into a different format.|
+|[GUID](#guid)|The function Guid generates a new random GUID.|
+|[IIF](#iif)|The IIF function returns one of a set of possible values based on a specified condition.|
+|[InStr](#instr)|The InStr function finds the first occurrence of a substring in a string.|
+|[IsNull](#isnull)|If the expression evaluates to Null, then the IsNull function returns true.|
+|[IsNullOrEmpty](#isnullorempty)|If the expression is null or an empty string, then the IsNullOrEmpty function returns true.|
+|[IsPresent](#ispresent)|If the expression evaluates to a string that is not Null and is not empty, then the IsPresent function returns true.|
+|[IsString](#isstring)|If the expression can be evaluated to a string type, then the IsString function evaluates to True.|
+|[Item](#item)|The Item function returns one item from a multi-valued string/attribute.|
+|[Join](#join) |Join() is similar to Append(), except that it can combine multiple **source** string values into a single string, and each value will be separated by a **separator** string.|
+|[Left](#left)|The Left function returns a specified number of characters from the left of a string.|
+|[Mid](#mid) |Returns a substring of the source value. A substring is a string that contains only some of the characters from the source string.|
+|[NormalizeDiacritics](#normalizediacritics)|Requires one string argument. Returns the string, but with any diacritical characters replaced with equivalent non-diacritical characters.|
+|[Not](#not) |Flips the boolean value of the **source**. If **source** value is "*True*", returns "*False*". Otherwise, returns "*True*".|
+|[RemoveDuplicates](#removeduplicates)|The RemoveDuplicates function takes a multi-valued string and make sure each value is unique.|
+|[Replace](#replace) |Replaces values within a string. |
+|[SelectUniqueValue](#selectuniquevalue)|Requires a minimum of two arguments, which are unique value generation rules defined using expressions. The function evaluates each rule and then checks the value generated for uniqueness in the target app/directory.|
+|[SingleAppRoleAssignment](#singleapproleassignment)|Returns a single appRoleAssignment from the list of all appRoleAssignments assigned to a user for a given application.|
+|[Split](#split)|Splits a string into a multi-valued array, using the specified delimiter character.|
+|[StringFromSID](#stringfromsid)|The StringFromSid function converts a byte array containing a security identifier to a string.|
+|[StripSpaces](#stripspaces) |Removes all space (" ") characters from the source string.|
+|[Switch](#switch)|When **source** value matches a **key**, returns **value** for that **key**. |
+|[ToLower](#tolower)|Takes a *source* string value and converts it to lower case using the culture rules that are specified.|
+|[ToUpper](#toupper)|Takes a *source* string value and converts it to upper case using the culture rules that are specified.|
+|[Trim](#trim)|The Trim function removes leading and trailing white spaces from a string.|
+|[Word](#word)|The Word function returns a word contained within a string, based on parameters describing the delimiters to use and the word number to return.|
++
+### Append
+**Function:**<br>
+Append(source, suffix)
+
+**Description:**<br>
+Takes a source string value and appends the suffix to the end of it.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | | | | |
+ | **source** |Required |String |Usually name of the attribute from the source object. |
+ | **suffix** |Required |String |The string that you want to append to the end of the source value. |
++
+### BitAnd
+**Description:**
+The BitAnd function sets specified bits on a value.
+
+**Syntax:**
+`num BitAnd(num value1, num value2)`
+
+* value1, value2: numeric values that should be ANDΓÇÖed together
+
+**Remarks:**
+This function converts both parameters to the binary representation and sets a bit to:
+
+* 0 - if one or both of the corresponding bits in *value1* and *value2* are 0
+* 1 - if both of the corresponding bits are 1.
+
+In other words, it returns 0 in all cases except when the corresponding bits of both parameters are 1.
+
+**Example:**
+
+ `BitAnd(&HF, &HF7)`</br>
+ Returns 7 because hexadecimal "F" AND "F7" evaluate to this value.
+++
+### CBool
+**Description:**
+The CBool function returns a Boolean based on the evaluated expression
+
+**Syntax:**
+`bool CBool(exp Expression)`
+
+**Remarks:**
+If the expression evaluates to a non-zero value, then CBool returns True, else it returns False.
+
+**Example:**
+`CBool([attrib1] = [attrib2])`
+
+Returns True if both attributes have the same value.
++
+### ConvertFromBase64
+**Description:**
+The ConvertFromBase64 function converts the specified base64 encoded value to a regular string.
+
+**Syntax:**
+`str ConvertFromBase64(str source)` - assumes Unicode for encoding
+`str ConvertFromBase64(str source, enum Encoding)`
+
+* source: Base64 encoded string
+* Encoding: Unicode, ASCII, UTF8
+
+**Example**
+`ConvertFromBase64("SABlAGwAbABvACAAdwBvAHIAbABkACEA")`
+`ConvertFromBase64("SGVsbG8gd29ybGQh", UTF8)`
+
+Both examples return "*Hello world!*"
++
+### ConvertToBase64
+**Description:**
+The ConvertToBase64 function converts a string to a Unicode base64 string.
+Converts the value of an array of integers to its equivalent string representation that is encoded with base-64 digits.
+
+**Syntax:**
+`str ConvertToBase64(str source)`
+
+**Example:**
+`ConvertToBase64("Hello world!")`
+Returns "SABlAGwAbABvACAAdwBvAHIAbABkACEA"
++
+### ConvertToUTF8Hex
+**Description:**
+The ConvertToUTF8Hex function converts a string to a UTF8 Hex encoded value.
+
+**Syntax:**
+`str ConvertToUTF8Hex(str source)`
+
+**Remarks:**
+The output format of this function is used by Azure Active Directory as DN attribute format.
+
+**Example:**
+`ConvertToUTF8Hex("Hello world!")`
+Returns 48656C6C6F20776F726C6421
++
+### Count
+**Description:**
+The Count function returns the number of elements in a multi-valued attribute
+
+**Syntax:**
+`num Count(mvstr attribute)`
++
+### CStr
+**Description:**
+The CStr function converts to a string data type.
+
+**Syntax:**
+`str CStr(num value)`
+`str CStr(ref value)`
+`str CStr(bool value)`
+
+* value: Can be a numeric value, reference attribute, or Boolean.
+
+**Example:**
+`CStr([dn])`
+Could return "cn=Joe,dc=contoso,dc=com"
++
+### DateFromNum
+**Description:**
+The DateFromNum function converts a value in ADΓÇÖs date format to a DateTime type.
+
+**Syntax:**
+`dt DateFromNum(num value)`
+
+**Example:**
+`DateFromNum([lastLogonTimestamp])`
+`DateFromNum(129699324000000000)`
+Returns a DateTime representing 2012-01-01 23:00:00
++
+### DNComponent
+**Description:**
+The DNComponent function returns the value of a specified DN component going from left.
+
+**Syntax:**
+`str DNComponent(ref dn, num ComponentNumber)`
+
+* dn: the reference attribute to interpret
+* ComponentNumber: The component in the DN to return
+
+**Example:**
+`DNComponent(CRef([dn]),1)`
+If dn is "cn=Joe,ou=…," it returns Joe
++
+### Error
+**Description:**
+The Error function is used to return a custom error.
+
+**Syntax:**
+`void Error(str ErrorMessage)`
+
+**Example:**
+`IIF(IsPresent([accountName]),[accountName],Error("AccountName is required"))`
+If the attribute accountName is not present, throw an error on the object.
++
+### FormatDateTime
+**Function:**<br>
+FormatDateTime(source, inputFormat, outputFormat)
+
+**Description:**<br>
+Takes a date string from one format and converts it into a different format.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | | | | |
+ | **source** |Required |String |Usually name of the attribute from the source object. |
+ | **inputFormat** |Required |String |Expected format of the source value. For supported formats, see [/dotnet/standard/base-types/custom-date-and-time-format-strings](/dotnet/standard/base-types/custom-date-and-time-format-strings). |
+ | **outputFormat** |Required |String |Format of the output date. |
++
+### Guid
+**Description:**
+The function Guid generates a new random GUID
+
+**Syntax:**
+`str Guid()`
++
+### IIF
+**Description:**
+The IIF function returns one of a set of possible values based on a specified condition.
+
+**Syntax:**
+`var IIF(exp condition, var valueIfTrue, var valueIfFalse)`
+
+* condition: any value or expression that can be evaluated to true or false.
+* valueIfTrue: If the condition evaluates to true, the returned value.
+* valueIfFalse: If the condition evaluates to false, the returned value.
+
+**Example:**
+`IIF([employeeType]="Intern","t-" & [alias],[alias])`
+ If the user is an intern, returns the alias of a user with "t-" added to the beginning of it, else returns the userΓÇÖs alias as is.
++
+### InStr
+**Description:**
+The InStr function finds the first occurrence of a substring in a string
+
+**Syntax:**
+
+`num InStr(str stringcheck, str stringmatch)`
+`num InStr(str stringcheck, str stringmatch, num start)`
+`num InStr(str stringcheck, str stringmatch, num start, enum compare)`
+
+* stringcheck: string to be searched
+* stringmatch: string to be found
+* start: starting position to find the substring
+* compare: vbTextCompare or vbBinaryCompare
+
+**Remarks:**
+Returns the position where the substring was found or 0 if not found.
+
+**Example:**
+`InStr("The quick brown fox","quick")`
+Evalues to 5
+
+`InStr("repEated","e",3,vbBinaryCompare)`
+Evaluates to 7
++
+### IsNull
+**Description:**
+If the expression evaluates to Null, then the IsNull function returns true.
+
+**Syntax:**
+`bool IsNull(var Expression)`
+
+**Remarks:**
+For an attribute, a Null is expressed by the absence of the attribute.
+
+**Example:**
+`IsNull([displayName])`
+Returns True if the attribute is not present in the CS or MV.
++
+### IsNullOrEmpty
+**Description:**
+If the expression is null or an empty string, then the IsNullOrEmpty function returns true.
+
+**Syntax:**
+`bool IsNullOrEmpty(var Expression)`
+
+**Remarks:**
+For an attribute, this would evaluate to True if the attribute is absent or is present but is an empty string.
+The inverse of this function is named IsPresent.
+
+**Example:**
+`IsNullOrEmpty([displayName])`
+Returns True if the attribute is not present or is an empty string in the CS or MV.
++
+### IsPresent
+**Description:**
+If the expression evaluates to a string that is not Null and is not empty, then the IsPresent function returns true.
+
+**Syntax:**
+`bool IsPresent(var expression)`
+
+**Remarks:**
+The inverse of this function is named IsNullOrEmpty.
+
+**Example:**
+`Switch(IsPresent([directManager]),[directManager], IsPresent([skiplevelManager]),[skiplevelManager], IsPresent([director]),[director])`
++
+### Item
+**Description:**
+The Item function returns one item from a multi-valued string/attribute.
+
+**Syntax:**
+`var Item(mvstr attribute, num index)`
+
+* attribute: multi-valued attribute
+* index: index to an item in the multi-valued string.
+
+**Remarks:**
+The Item function is useful together with the Contains function since the latter function returns the index to an item in the multi-valued attribute.
+
+Throws an error if index is out of bounds.
+
+**Example:**
+`Mid(Item([proxyAddresses],Contains([proxyAddresses], "SMTP:")),6)`
+Returns the primary email address.
++
+### IsString
+**Description:**
+If the expression can be evaluated to a string type, then the IsString function evaluates to True.
+
+**Syntax:**
+`bool IsString(var expression)`
+
+**Remarks:**
+Used to determine if CStr() can be successful to parse the expression.
++
+### Join
+**Function:**<br>
+Join(separator, source1, source2, …)
+
+**Description:**<br>
+Join() is similar to Append(), except that it can combine multiple **source** string values into a single string, and each value will be separated by a **separator** string.
+
+If one of the source values is a multi-value attribute, then every value in that attribute will be joined together, separated by the separator value.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | | | | |
+ | **separator** |Required |String |String used to separate source values when they are concatenated into one string. Can be "" if no separator is required. |
+ | **source1 … sourceN** |Required, variable-number of times |String |String values to be joined together. |
++
+### Left
+**Description:**
+The Left function returns a specified number of characters from the left of a string.
+
+**Syntax:**
+`str Left(str string, num NumChars)`
+
+* string: the string to return characters from
+* NumChars: a number identifying the number of characters to return from the beginning (left) of string
+
+**Remarks:**
+A string containing the first numChars characters in string:
+
+* If numChars = 0, return empty string.
+* If numChars < 0, return input string.
+* If string is null, return empty string.
+
+If string contains fewer characters than the number specified in numChars, a string identical to string (that is, containing all characters in parameter 1) is returned.
+
+**Example:**
+`Left("John Doe", 3)`
+Returns `Joh`.
++
+### Mid
+**Function:**<br>
+Mid(source, start, length)
+
+**Description:**<br>
+Returns a substring of the source value. A substring is a string that contains only some of the characters from the source string.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | | | | |
+ | **source** |Required |String |Usually name of the attribute. |
+ | **start** |Required |integer |Index in the **source** string where substring should start. First character in the string will have index of 1, second character will have index 2, and so on. |
+ | **length** |Required |integer |Length of the substring. If length ends outside the **source** string, function will return substring from **start** index till end of **source** string. |
++
+### NormalizeDiacritics
+**Function:**<br>
+NormalizeDiacritics(source)
+
+**Description:**<br>
+Requires one string argument. Returns the string, but with any diacritical characters replaced with equivalent non-diacritical characters. Typically used to convert first names and last names containing diacritical characters (accent marks) into legal values that can be used in various user identifiers such as user principal names, SAM account names, and email addresses.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | | | | |
+ | **source** |Required |String | Usually a first name or last name attribute. |
++
+### Not
+**Function:**<br>
+Not(source)
+
+**Description:**<br>
+Flips the boolean value of the **source**. If **source** value is "*True*", returns "*False*". Otherwise, returns "*True*".
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | | | | |
+ | **source** |Required |Boolean String |Expected **source** values are "True" or "False". |
++
+### RemoveDuplicates
+**Description:**
+The RemoveDuplicates function takes a multi-valued string and make sure each value is unique.
+
+**Syntax:**
+`mvstr RemoveDuplicates(mvstr attribute)`
+
+**Example:**
+`RemoveDuplicates([proxyAddresses])`
+Returns a sanitized proxyAddress attribute where all duplicate values have been removed.
++
+### Replace
+**Function:**<br>
+Replace(source, oldValue, regexPattern, regexGroupName, replacementValue, replacementAttributeName, template)
+
+**Description:**<br>
+Replaces values within a string. It works differently depending on the parameters provided:
+
+* When **oldValue** and **replacementValue** are provided:
+
+ * Replaces all occurrences of **oldValue** in the **source** with **replacementValue**
+* When **oldValue** and **template** are provided:
+
+ * Replaces all occurrences of the **oldValue** in the **template** with the **source** value
+* When **regexPattern** and **replacementValue** are provided:
+
+ * The function applies the **regexPattern** to the **source** string and you can use the regex group names to construct the string for **replacementValue**
+* When **regexPattern**, **regexGroupName**, **replacementValue** are provided:
+
+ * The function applies the **regexPattern** to the **source** string and replaces all values matching **regexGroupName** with **replacementValue**
+* When **regexPattern**, **regexGroupName**, **replacementAttributeName** are provided:
+
+ * If **source** has no value, **source** is returned
+ * If **source** has a value, the function applies the **regexPattern** to the **source** string and replaces all values matching **regexGroupName** with the value associated with **replacementAttributeName**
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | | | | |
+ | **source** |Required |String |Usually name of the attribute from the **source** object. |
+ | **oldValue** |Optional |String |Value to be replaced in **source** or **template**. |
+ | **regexPattern** |Optional |String |Regex pattern for the value to be replaced in **source**. Or, when **replacementPropertyName** is used, pattern to extract value from **replacementPropertyName**. |
+ | **regexGroupName** |Optional |String |Name of the group inside **regexPattern**. Only when **replacementPropertyName** is used, we will extract value of this group as **replacementValue** from **replacementPropertyName**. |
+ | **replacementValue** |Optional |String |New value to replace old one with. |
+ | **replacementAttributeName** |Optional |String |Name of the attribute to be used for replacement value |
+ | **template** |Optional |String |When **template** value is provided, we will look for **oldValue** inside the template and replace it with **source** value. |
++
+### SelectUniqueValue
+**Function:**<br>
+SelectUniqueValue(uniqueValueRule1, uniqueValueRule2, uniqueValueRule3, …)
+
+**Description:**<br>
+Requires a minimum of two arguments, which are unique value generation rules defined using expressions. The function evaluates each rule and then checks the value generated for uniqueness in the target app/directory. The first unique value found will be the one returned. If all of the values already exist in the target, the entry will get escrowed and the reason gets logged in the audit logs. There is no upper bound to the number of arguments that can be provided.
+
+> [!NOTE]
+> - This is a top-level function, it cannot be nested.
+> - This function cannot be applied to attributes that have a matching precedence.
+> - This function is only meant to be used for entry creations. When using it with an attribute, set the **Apply Mapping** property to **Only during object creation**.
+> - This function is currently only supported for "Workday and SuccessFactors to Active Directory User Provisioning". It cannot be used with other provisioning applications.
++
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | | | | |
+ | **uniqueValueRule1 … uniqueValueRuleN** |At least 2 are required, no upper bound |String | List of unique value generation rules to evaluate. |
+++
+### SingleAppRoleAssignment
+**Function:**<br>
+SingleAppRoleAssignment([appRoleAssignments])
+
+**Description:**<br>
+Returns a single appRoleAssignment from the list of all appRoleAssignments assigned to a user for a given application. This function is required to convert the appRoleAssignments object into a single role name string. Note that the best practice is to ensure only one appRoleAssignment is assigned to one user at a time, and if multiple roles are assigned the role string returned may not be predictable.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | | | | |
+ | **[appRoleAssignments]** |Required |String |**[appRoleAssignments]** object. |
++
+### Split
+**Function:**<br>
+Split(source, delimiter)
+
+**Description:**<br>
+Splits a string into a multi-valued array, using the specified delimiter character.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | | | | |
+ | **source** |Required |String |**source** value to update. |
+ | **delimiter** |Required |String |Specifies the character that will be used to split the string (example: ",") |
++
+### StringFromSid
+**Description:**
+The StringFromSid function converts a byte array containing a security identifier to a string.
+
+**Syntax:**
+`str StringFromSid(bin ObjectSID)`
++
+### StripSpaces
+**Function:**<br>
+StripSpaces(source)
+
+**Description:**<br>
+Removes all space (" ") characters from the source string.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | | | | |
+ | **source** |Required |String |**source** value to update. |
++
+### Switch
+**Function:**<br>
+Switch(source, defaultValue, key1, value1, key2, value2, …)
+
+**Description:**<br>
+When **source** value matches a **key**, returns **value** for that **key**. If **source** value doesn't match any keys, returns **defaultValue**. **Key** and **value** parameters must always come in pairs. The function always expects an even number of parameters.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | | | | |
+ | **source** |Required |String |**Source** value to check. |
+ | **defaultValue** |Optional |String |Default value to be used when source doesn't match any keys. Can be empty string (""). |
+ | **key** |Required |String |**Key** to compare **source** value with. |
+ | **value** |Required |String |Replacement value for the **source** matching the key. |
++
+### ToLower
+**Function:**<br>
+ToLower(source, culture)
+
+**Description:**<br>
+Takes a *source* string value and converts it to lower case using the culture rules that are specified. If there is no *culture* info specified, then it will use Invariant culture.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | | | | |
+ | **source** |Required |String |Usually name of the attribute from the source object |
+ | **culture** |Optional |String |The format for the culture name based on RFC 4646 is *languagecode2-country/regioncode2*, where *languagecode2* is the two-letter language code and *country/regioncode2* is the two-letter subculture code. Examples include ja-JP for Japanese (Japan) and en-US for English (United States). In cases where a two-letter language code is not available, a three-letter code derived from ISO 639-2 is used.|
+++
+### ToUpper
+**Function:**<br>
+ToUpper(source, culture)
+
+**Description:**<br>
+Takes a *source* string value and converts it to upper case using the culture rules that are specified. If there is no *culture* info specified, then it will use Invariant culture.
+
+**Parameters:**<br>
+
+ | Name | Required/ Repeating | Type | Notes |
+ | | | | |
+ | **source** |Required |String |Usually name of the attribute from the source object. |
+ | **culture** |Optional |String |The format for the culture name based on RFC 4646 is *languagecode2-country/regioncode2*, where *languagecode2* is the two-letter language code and *country/regioncode2* is the two-letter subculture code. Examples include ja-JP for Japanese (Japan) and en-US for English (United States). In cases where a two-letter language code is not available, a three-letter code derived from ISO 639-2 is used.|
+++
+### Trim
+**Description:**
+The Trim function removes leading and trailing white spaces from a string.
+
+**Syntax:**
+`str Trim(str value)`
+
+**Example:**
+`Trim(" Test ")`
+Returns "Test".
+
+`Trim([proxyAddresses])`
+Removes leading and trailing spaces for each value in the proxyAddress attribute.
++
+### Word
+**Description:**
+The Word function returns a word contained within a string, based on parameters describing the delimiters to use and the word number to return.
+
+**Syntax:**
+`str Word(str string, num WordNumber, str delimiters)`
+
+* string: the string to return a word from.
+* WordNumber: a number identifying which word number should return.
+* delimiters: a string representing the delimiter(s) that should be used to identify words
+
+**Remarks:**
+Each string of characters in string separated by the one of the characters in delimiters are identified as words:
+
+* If number < 1, returns empty string.
+* If string is null, returns empty string.
+
+If string contains less than number words, or string does not contain any words identified by delimiters, an empty string is returned.
+
+**Example:**
+`Word("The quick brown fox",3," ")`
+Returns "brown"
+
+`Word("This,string!has&many separators",3,",!&#")`
+Would return "has"
+
+## Examples
+### Strip known domain name
+You need to strip a known domain name from a userΓÇÖs email to obtain a user name. <br>
+For example, if the domain is "contoso.com", then you could use the following expression:
+
+**Expression:** <br>
+`Replace([mail], "@contoso.com", , ,"", ,)`
+
+**Sample input / output:** <br>
+
+* **INPUT** (mail): "john.doe@contoso.com"
+* **OUTPUT**: "john.doe"
+
+### Append constant suffix to user name
+If you are using a Salesforce Sandbox, you might need to append an additional suffix to all your user names before synchronizing them.
+
+**Expression:** <br>
+`Append([userPrincipalName], ".test")`
+
+**Sample input/output:** <br>
+
+* **INPUT**: (userPrincipalName): "John.Doe@contoso.com"
+* **OUTPUT**: "John.Doe@contoso.com.test"
+
+### Generate user alias by concatenating parts of first and last name
+You need to generate a user alias by taking first 3 letters of user's first name and first 5 letters of user's last name.
+
+**Expression:** <br>
+`Append(Mid([givenName], 1, 3), Mid([surname], 1, 5))`
+
+**Sample input/output:** <br>
+
+* **INPUT** (givenName): "John"
+* **INPUT** (surname): "Doe"
+* **OUTPUT**: "JohDoe"
+
+### Remove diacritics from a string
+You need to replace characters containing accent marks with equivalent characters that don't contain accent marks.
+
+**Expression:** <br>
+NormalizeDiacritics([givenName])
+
+**Sample input/output:** <br>
+
+* **INPUT** (givenName): "Zoë"
+* **OUTPUT**: "Zoe"
+
+### Split a string into a multi-valued array
+You need to take a comma-delimited list of strings, and split them into an array that can be plugged into a multi-value attribute like Salesforce's PermissionSets attribute. In this example, a list of permission sets has been populated in extensionAttribute5 in Azure AD.
+
+**Expression:** <br>
+Split([extensionAttribute5], ",")
+
+**Sample input/output:** <br>
+
+* **INPUT** (extensionAttribute5): "PermissionSetOne, PermissionSetTwo"
+* **OUTPUT**: ["PermissionSetOne", "PermissionSetTwo"]
+
+### Output date as a string in a certain format
+You want to send dates to a SaaS application in a certain format. <br>
+For example, you want to format dates for ServiceNow.
+
+**Expression:** <br>
+
+`FormatDateTime([extensionAttribute1], "yyyyMMddHHmmss.fZ", "yyyy-MM-dd")`
+
+**Sample input/output:**
+
+* **INPUT** (extensionAttribute1): "20150123105347.1Z"
+* **OUTPUT**: "2015-01-23"
+
+### Replace a value based on predefined set of options
+
+You need to define the time zone of the user based on the state code stored in Azure AD. <br>
+If the state code doesn't match any of the predefined options, use default value of "Australia/Sydney".
+
+**Expression:** <br>
+`Switch([state], "Australia/Sydney", "NSW", "Australia/Sydney","QLD", "Australia/Brisbane", "SA", "Australia/Adelaide")`
+
+**Sample input/output:**
+
+* **INPUT** (state): "QLD"
+* **OUTPUT**: "Australia/Brisbane"
+
+### Replace characters using a regular expression
+You need to find characters that match a regular expression value and remove them.
+
+**Expression:** <br>
+
+Replace([mailNickname], , "[a-zA-Z_]*", , "", , )
+
+**Sample input/output:**
+
+* **INPUT** (mailNickname: "john_doe72"
+* **OUTPUT**: "72"
+
+### Convert generated userPrincipalName (UPN) value to lower case
+In the example below, the UPN value is generated by concatenating the PreferredFirstName and PreferredLastName source fields and the ToLower function operates on the generated string to convert all characters to lower case.
+
+`ToLower(Join("@", NormalizeDiacritics(StripSpaces(Join(".", [PreferredFirstName], [PreferredLastName]))), "contoso.com"))`
+
+**Sample input/output:**
+
+* **INPUT** (PreferredFirstName): "John"
+* **INPUT** (PreferredLastName): "Smith"
+* **OUTPUT**: "john.smith@contoso.com"
+
+### Generate unique value for userPrincipalName (UPN) attribute
+Based on the user's first name, middle name and last name, you need to generate a value for the UPN attribute and check for its uniqueness in the target AD directory before assigning the value to the UPN attribute.
+
+**Expression:** <br>
+
+```ad-attr-mapping-expr
+ SelectUniqueValue(
+ Join("@", NormalizeDiacritics(StripSpaces(Join(".", [PreferredFirstName], [PreferredLastName]))), "contoso.com"),
+ Join("@", NormalizeDiacritics(StripSpaces(Join(".", Mid([PreferredFirstName], 1, 1), [PreferredLastName]))), "contoso.com"),
+ Join("@", NormalizeDiacritics(StripSpaces(Join(".", Mid([PreferredFirstName], 1, 2), [PreferredLastName]))), "contoso.com")
+ )
+```
+
+**Sample input/output:**
+
+* **INPUT** (PreferredFirstName): "John"
+* **INPUT** (PreferredLastName): "Smith"
+* **OUTPUT**: "John.Smith@contoso.com" if UPN value of John.Smith@contoso.com doesn't already exist in the directory
+* **OUTPUT**: "J.Smith@contoso.com" if UPN value of John.Smith@contoso.com already exists in the directory
+* **OUTPUT**: "Jo.Smith@contoso.com" if the above two UPN values already exist in the directory
++
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
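Review bot: In the Replace parameter table, the notes for **regexPattern** and **regexGroupName** refer to **replacementPropertyName**, but the function signature and the row two lines below name the parameter **replacementAttributeName**; use one name throughout so the five bullet cases in the description can be mapped to the table. In the Examples section, the regex sample input is missing its closing parenthesis (`* **INPUT** (mailNickname: "john_doe72"` should read `* **INPUT** (mailNickname): "john_doe72"`), and "userΓÇÖs email" under "Strip known domain name" is a mis-encoded apostrophe. The NormalizeDiacritics, Split and regex Replace expressions are the only **Expression:** lines not wrapped in backticks; format them like the others. Minor grammar: "takes a multi-valued string and make sure each value is unique" should be "makes sure", and "a number identifying which word number should return" should be "which word should be returned".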
active-directory Reference Powershell https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-powershell.md
+
+ Title: 'AADCloudSyncTools PowerShell module for Azure AD Connect cloud sync'
+description: This article describes how to install the Azure AD Connect cloud provisioning agent.
++++++ Last updated : 01/17/2023+++++
+# AADCloudSyncTools PowerShell module for Azure AD Connect cloud sync
+
+The AADCloudSyncTools module provides a set of useful tools that can help you manage your deployments of Azure Active Directory Connect (Azure AD Connect) cloud sync.
+
+## Prerequisites
+
+You can automatically install all the prerequisites for the AADCloudSyncTools module by using `Install-AADCloudSyncToolsPrerequisites`. You'll do that in the next section of this article.
+
+Here are some details about what you need:
+
+- The AADCloudSyncTools module uses Microsoft Authentication Library (MSAL) authentication, so it requires installation of the MSAL.PS module. To verify the installation, in a PowerShell window, run `Get-module MSAL.PS -ListAvailable`. If the module is installed correctly, you'll get a response. If necessary, you can use `Install-AADCloudSyncToolsPrerequisites` to install the latest version of MSAL.PS.
+- Although the Azure AD PowerShell module is not required for any functionality of the AADCloudSyncTools module, it is useful. So it's automatically installed when you use `Install-AADCloudSyncToolsPrerequisites`.
+- Installing modules from the PowerShell Gallery requires Transport Layer Security (TLS) 1.2 enforcement. The cmdlet `Install-AADCloudSyncToolsPrerequisites` sets TLS 1.2 enforcement before installing all the prerequisites. To ensure that you can manually install modules, set the following in the PowerShell session before using the cmdlet:
+
+ ```
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ ```
+- The AADCloudSyncTools module might not work correctly if the Azure AD Connect cloud provisioning agent is not running or the configuration wizard has not finished successfully.
+
+## Install the AADCloudSyncTools PowerShell module
+
+1. Open Windows PowerShell with administrative privileges.
+2. Run `Import-module -Name "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Utility\AADCloudSyncTools"`.
+3. To verify that the module was imported, run `Get-module AADCloudSyncTools`.
+
+ You should now see information about the module.
+4. To install the AADCloudSyncTools module prerequisites, run `Install-AADCloudSyncToolsPrerequisites`.
+5. On the first run, the PowerShellGet module will be installed if it's not present. To load the new PowerShellGet module, close the PowerShell window and open a new PowerShell session with administrative privileges.
+6. Import the module again by running `Import-module -Name "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Utility\AADCloudSyncTools"`.
+7. Run `Install-AADCloudSyncToolsPrerequisites` again to install the MSAL and Azure AD modules.
+
+ All prerequisites should now be installed.
+
+ ![Screenshot of the notification in the PowerShell window that says the prerequisites were installed successfully.](media/reference-powershell/install-1.png)
+8. Every time you want to use the AADCloudSyncTools module in a new PowerShell session, run the following command:
+
+ ```
+ Import-module "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\Utility\AADCloudSyncTools"
+ ```
+
+## AADCloudSyncTools cmdlets
+
+> [!NOTE]
+> Before using AADCloudSyncTools module make sure the Azure AD Connect cloud provisioning agent is running and the configuration wizard has finished successfully. To troubleshoot wizard issues, you can find trace logs in the folder *C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace*, see [Cloud sync troubleshooting](how-to-troubleshoot.md) for more information.
+
+### Connect-AADCloudSyncTools
+
+This cmdlet uses the MSAL.PS module to request a token for the Azure AD administrator to access Microsoft Graph.
+
+### Export-AADCloudSyncToolsLogs
+
+This cmdlet exports and packages all the troubleshooting data in a compressed file, as follows:
+
+1. Sets verbose tracing and starts collecting data from the provisioning agent (same as `Start-AADCloudSyncToolsVerboseLogs`).
+2. Stops data collection after three minutes and disables verbose tracing (same as `Stop-AADCloudSyncToolsVerboseLogs`).
+3. Collects Event Viewer logs for the last 24 hours.
+4. Compresses all the agent logs, verbose logs, and Event Viewer logs into a .zip file in the user's *Documents* folder.
+
+You can use the following options to fine-tune your data collection:
+
+- `SkipVerboseTrace` to only export current logs without capturing verbose logs (default = false).
+- `TracingDurationMins` to specify a different capture duration (default = 3 minutes).
+- `OutputPath` to specify a different output path (default = userΓÇÖs Documents folder).
+
+### Get-AADCloudSyncToolsInfo
+
+This cmdlet shows Azure AD tenant details and the state of internal variables.
+
+### Get-AADCloudSyncToolsJob
+
+This cmdlet uses Microsoft Graph to get Azure AD service principals and returns the sync job's information. You can also call it by using the specific sync job ID as a parameter.
+
+### Get-AADCloudSyncToolsJobSchedule
+
+This cmdlet uses Microsoft Graph to get Azure AD service principals and returns the sync job's schedule. You can also call it by using the specific sync job ID as a parameter.
+
+### Get-AADCloudSyncToolsJobSchema
+
+This cmdlet uses Microsoft Graph to get Azure AD service principals and returns the sync job's schema.
+
+### Get-AADCloudSyncToolsJobScope
+
+This cmdlet uses Microsoft Graph to get the sync job's schema for the provided sync job ID and outputs all filter groups' scopes.
+
+### Get-AADCloudSyncToolsJobSettings
+
+This cmdlet uses Microsoft Graph to get Azure AD service principals and returns the sync job's settings. You can also call it by using the specific sync job ID as a parameter.
+
+### Get-AADCloudSyncToolsJobStatus
+
+This cmdlet uses Microsoft Graph to get Azure AD service principals and returns the sync job's status. You can also call it by using the specific sync job ID as a parameter.
+
+### Get-AADCloudSyncToolsServicePrincipal
+
+This cmdlet uses Microsoft Graph to get the service principals for Azure AD and/or Azure Service Fabric. Without parameters, it will return only Azure AD service principals.
+
+### Install-AADCloudSyncToolsPrerequisites
+
+This cmdlet checks for the presence of PowerShellGet v2.2.4.1 or later, the Azure AD module, and the MSAL.PS module. It installs these items if they're missing.
+
+### Invoke-AADCloudSyncToolsGraphQuery
+
+This cmdlet invokes a web request for the URI, method, and body specified as parameters.
+
+### Repair-AADCloudSyncToolsAccount
+
+This cmdlet uses Azure AD PowerShell to delete the current account (if present). It then resets the sync account authentication with a new sync account in Azure AD.
+
+### Restart-AADCloudSyncToolsJob
+
+This cmdlet restarts a full synchronization.
+
+### Resume-AADCloudSyncToolsJob
+
+This cmdlet continues synchronization from the previous watermark.
+
+### Start-AADCloudSyncToolsVerboseLogs
+
+This cmdlet modifies *AADConnectProvisioningAgent.exe.config* to enable verbose tracing and restarts the AADConnectProvisioningAgent service. You can use `-SkipServiceRestart` to prevent service restart, but any configuration changes will not take effect. You can find these trace logs in the folder *C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace*.
+
+### Stop-AADCloudSyncToolsVerboseLogs
+
+This cmdlet modifies *AADConnectProvisioningAgent.exe.config* to disable verbose tracing and restarts the AADConnectProvisioningAgent service. You can use `-SkipServiceRestart` to prevent service restart, but any configuration changes will not take effect.
+
+### Suspend-AADCloudSyncToolsJob
+
+This cmdlet pauses synchronization.
+
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
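Review bot: The front-matter description ("This article describes how to install the Azure AD Connect cloud provisioning agent.") does not match this page, which documents the AADCloudSyncTools module and its cmdlets; reword it to something like "This article describes the AADCloudSyncTools PowerShell module for managing Azure AD Connect cloud sync." Both fenced blocks (the `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` line under Prerequisites and the `Import-module` line in step 8) carry no language tag; tag them as powershell so they render and copy consistently with the tutorial pages. Under Export-AADCloudSyncToolsLogs, "userΓÇÖs Documents folder" is a mis-encoded apostrophe, and the note under "AADCloudSyncTools cmdlets" is missing "the" before "AADCloudSyncTools module".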
active-directory Reference Version History https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/reference-version-history.md
+
+ Title: 'Azure AD Connect cloud provisioning agent: Version release history'
+description: This article lists all releases of Azure AD Connect cloud provisioning agent and describes new features and fixed issues
++++++ Last updated : 01/17/2023+++++
+# Azure AD Connect cloud provisioning agent: Version release history
+
active-directory Tutorial Basic Ad Azure https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/tutorial-basic-ad-azure.md
+
+ Title: Tutorial - Basic Active Directory on-premises and Azure AD environment.
+
+description: Learn how to create a basic AD and Azure AD environment.
+++++ Last updated : 01/18/2023+++++
+# Tutorial: Basic Active Directory environment
+
+This tutorial walks you through creating a basic Active Directory environment.
+
+![Diagram that shows a basic Azure A D environment.](media/tutorial-single-forest/diagram-2.png)
+
+You can use the environment you create in the tutorial to test various aspects of hybrid identity scenarios and will be a prerequisite for some of the tutorials. If you already have an existing Active Directory environment you can use that as a substitute. This information is provided for individuals who may be starting from nothing.
+
+This tutorial consists of
+## Prerequisites
+The following are prerequisites required for completing this tutorial
+- A computer with [Hyper-V](/windows-server/virtualization/hyper-v/hyper-v-technology-overview) installed. It's suggested to do this on either a [Windows 10](/virtualization/hyper-v-on-windows/about/supported-guest-os) or a [Windows Server 2016](/windows-server/virtualization/hyper-v/supported-windows-guest-operating-systems-for-hyper-v-on-windows) computer.
+- An [external network adapter](/virtualization/hyper-v-on-windows/quick-start/connect-to-network) to allow the virtual machine to communicate with the internet.
+- An [Azure subscription](https://azure.microsoft.com/free)
+- A copy of Windows Server 2016
+- [Microsoft .NET framework 4.7.1](https://dotnet.microsoft.com/download/dotnet-framework/net471)
+
+> [!NOTE]
+> This tutorial uses PowerShell scripts so that you can create the tutorial environment in the quickest amount of time. Each of the scripts uses variables that are declared at the beginning of the scripts. You can and should change the variables to reflect your environment.
+>
+>The scripts used create a general Active Directory environment prior to installing the Azure AD Connect cloud provisioning agent. They are relevant for all of the tutorials.
+>
+> Copies of the PowerShell scripts that are used in this tutorial are available on GitHub [here](https://github.com/billmath/tutorial-phs).
+
+## Create a virtual machine
+The first thing that you need to do, in order to get our hybrid identity environment up and running is to create a virtual machine that will be used as our on-premises Active Directory server. Do the following:
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ #Declare variables
+ $VMName = 'DC1'
+ $Switch = 'External'
+ $InstallMedia = 'D:\ISO\en_windows_server_2016_updated_feb_2018_x64_dvd_11636692.iso'
+ $Path = 'D:\VM'
+ $VHDPath = 'D:\VM\DC1\DC1.vhdx'
+ $VHDSize = '64424509440'
+
+ #Create New Virtual Machine
+ New-VM -Name $VMName -MemoryStartupBytes 16GB -BootDevice VHD -Path $Path -NewVHDPath $VHDPath -NewVHDSizeBytes $VHDSize -Generation 2 -Switch $Switch
+
+ #Set the memory to be non-dynamic
+ Set-VMMemory $VMName -DynamicMemoryEnabled $false
+
+ #Add DVD Drive to Virtual Machine
+ Add-VMDvdDrive -VMName $VMName -ControllerNumber 0 -ControllerLocation 1 -Path $InstallMedia
+
+ #Mount Installation Media
+ $DVDDrive = Get-VMDvdDrive -VMName $VMName
+
+ #Configure Virtual Machine to Boot from DVD
+ Set-VMFirmware -VMName $VMName -FirstBootDevice $DVDDrive
+ ```
+
+## Complete the operating system deployment
+In order to finish building the virtual machine, you need to finish the operating system installation.
+
+1. Hyper-V Manager, double-click on the virtual machine
+2. Click on the Start button.
+3. You'll be prompted to ΓÇÿPress any key to boot from CD or DVDΓÇÖ. Go ahead and do so.
+4. On the Windows Server start up screen select your language and click **Next**.
+5. Click **Install Now**.
+6. Enter your license key and click **Next**.
+7. Check **I accept the license terms and click **Next**.
+8. Select **Custom: Install Windows Only (Advanced)**
+9. Click **Next**
+10. Once the installation has completed, restart the virtual machine, sign-in and run Windows updates to ensure the VM is the most up-to-date. Install the latest updates.
+
+## Install Active Directory prerequisites
+Now that you have a virtual machine up, you need to do a few things prior to installing Active Directory. That is, you need to rename the virtual machine, set a static IP address and DNS information, and install the Remote Server Administration tools. Do the following:
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ #Declare variables
+ $ipaddress = "10.0.1.117"
+ $ipprefix = "24"
+ $ipgw = "10.0.1.1"
+ $ipdns = "10.0.1.117"
+ $ipdns2 = "8.8.8.8"
+ $ipif = (Get-NetAdapter).ifIndex
+ $featureLogPath = "c:\poshlog\featurelog.txt"
+ $newname = "DC1"
+ $addsTools = "RSAT-AD-Tools"
+
+ #Set static IP address
+ New-NetIPAddress -IPAddress $ipaddress -PrefixLength $ipprefix -InterfaceIndex $ipif -DefaultGateway $ipgw
+
+ # Set the DNS servers
+ Set-DnsClientServerAddress -InterfaceIndex $ipif -ServerAddresses ($ipdns, $ipdns2)
+
+ #Rename the computer
+ Rename-Computer -NewName $newname -force
+
+ #Install features
+ New-Item $featureLogPath -ItemType file -Force
+ Add-WindowsFeature $addsTools
+ Get-WindowsFeature | Where installed >>$featureLogPath
+
+ #Restart the computer
+ Restart-Computer
+ ```
+
+## Create a Windows Server AD environment
+Now that you have the VM created and it has been renamed and has a static IP address, you can go ahead and install and configure Active Directory Domain Services. Do the following:
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ #Declare variables
+ $DatabasePath = "c:\windows\NTDS"
+ $DomainMode = "WinThreshold"
+ $DomainName = "contoso.com"
+ $DomaninNetBIOSName = "CONTOSO"
+ $ForestMode = "WinThreshold"
+ $LogPath = "c:\windows\NTDS"
+ $SysVolPath = "c:\windows\SYSVOL"
+ $featureLogPath = "c:\poshlog\featurelog.txt"
+ $Password = "Pass1w0rd"
+ $SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
+
+ #Install AD DS, DNS and GPMC
+ start-job -Name addFeature -ScriptBlock {
+ Add-WindowsFeature -Name "ad-domain-services" -IncludeAllSubFeature -IncludeManagementTools
+ Add-WindowsFeature -Name "dns" -IncludeAllSubFeature -IncludeManagementTools
+ Add-WindowsFeature -Name "gpmc" -IncludeAllSubFeature -IncludeManagementTools }
+ Wait-Job -Name addFeature
+ Get-WindowsFeature | Where installed >>$featureLogPath
+
+ #Create New AD Forest
+ Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath $DatabasePath -DomainMode $DomainMode -DomainName $DomainName -SafeModeAdministratorPassword $SecureString -DomainNetbiosName $DomainNetBIOSName -ForestMode $ForestMode -InstallDns:$true -LogPath $LogPath -NoRebootOnCompletion:$false -SysvolPath $SysVolPath -Force:$true
+ ```
+
+## Create a Windows Server AD user
+Now that you have our Active Directory environment, you need to a test account. This account will be created in our on-premises AD environment and then synchronized to Azure AD. Do the following:
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ # Filename: 4_CreateUser.ps1
+ # Description: Creates a user in Active Directory. This is part of
+ # the Azure AD Connect password hash sync tutorial.
+ #
+ # DISCLAIMER:
+ # Copyright (c) Microsoft Corporation. All rights reserved. This
+ # script is made available to you without any express, implied or
+ # statutory warranty, not even the implied warranty of
+ # merchantability or fitness for a particular purpose, or the
+ # warranty of title or non-infringement. The entire risk of the
+ # use or the results from the use of this script remains with you.
+ #
+ #
+ #
+ #
+ #Declare variables
+ $Givenname = "Allie"
+ $Surname = "McCray"
+ $Displayname = "Allie McCray"
+ $Name = "amccray"
+ $Password = "Pass1w0rd"
+ $Identity = "CN=ammccray,CN=Users,DC=contoso,DC=com"
+ $SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
++
+ #Create the user
+ New-ADUser -Name $Name -GivenName $Givenname -Surname $Surname -DisplayName $Displayname -AccountPassword $SecureString
+
+ #Set the password to never expire
+ Set-ADUser -Identity $Identity -PasswordNeverExpires $true -ChangePasswordAtLogon $false -Enabled $true
+ ```
++
+## Create an Azure AD tenant
+Now you need to create an Azure AD tenant so that you can synchronize our users to the cloud. To create a new Azure AD tenant, do the following.
+
+1. Browse to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.
+2. Select the **plus icon (+)** and search for **Azure Active Directory**.
+3. Select **Azure Active Directory** in the search results.
+4. Select **Create**.</br>
+![Screenshot that shows the Azure Active Directory page in the Azure portal.](media/tutorial-single-forest/create-1.png)</br>
+5. Provide a **name for the organization** along with the **initial domain name**. Then select **Create**. This will create your directory.
+6. Once this has completed, click the **here** link, to manage the directory.
+
+## Create a global administrator in Azure AD
+Now that you have an Azure AD tenant, you'll create a global administrator account. To create the global administrator account do the following.
+
+1. Under **Manage**, select **Users**.</br>
+![Screenshot that shows the "Overview" menu with "Users" selected.](media/tutorial-single-forest/administrator-1.png)</br>
+2. Select **All users** and then select **+ New user**.
+3. Provide a name and username for this user. This will be your Global Administrator for the tenant. You'll also want to change the **Directory role** to **Global administrator.** You can also show the temporary password. When you're done, select **Create**.</br>
+![Create](media/tutorial-single-forest/administrator-2.png)</br>
+4. Once this has completed, open a new web browser and sign-in to myapps.microsoft.com using the new global administrator account and the temporary password.
+5. Change the password for the global administrator to something that you'll remember.
+
+## Optional: Additional server and forest
+The following is an optional section that provides steps to creating an additional server and or forest. This can be used in some of the more advanced tutorials such as [Pilot for Azure AD Connect to cloud sync](tutorial-pilot-aadc-aadccp.md).
+
+If you only need an additional server, you can stop after the - **Create the virtual machine** step and join the server to the existing domain that was created above.
+
+### Create a virtual machine
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ # Filename: 1_CreateVM_CP.ps1
+ # Description: Creates a VM to be used in the tutorial.
+ #
+ # DISCLAIMER:
+ # Copyright (c) Microsoft Corporation. All rights reserved. #This script is made available to you without any express, implied or statutory warranty, not even the implied warranty of merchantability or fitness for a particular purpose, or the warranty of title or non-infringement. The entire risk of the use or the results from the use of this script remains with you.
+ #
+ #
+ #
+ #
+ #Declare variables
+ $VMName = 'CP1'
+ $Switch = 'External'
+ $InstallMedia = 'D:\ISO\en_windows_server_2016_updated_feb_2018_x64_dvd_11636692.iso'
+ $Path = 'D:\VM'
+ $VHDPath = 'D:\VM\CP1\CP1.vhdx'
+ $VHDSize = '64424509440'
+
+ #Create New Virtual Machine
+ New-VM -Name $VMName -MemoryStartupBytes 16GB -BootDevice VHD -Path $Path -NewVHDPath $VHDPath -NewVHDSizeBytes $VHDSize -Generation 2 -Switch $Switch
+
+ #Set the memory to be non-dynamic
+ Set-VMMemory $VMName -DynamicMemoryEnabled $false
+
+ #Add DVD Drive to Virtual Machine
+ Add-VMDvdDrive -VMName $VMName -ControllerNumber 0 -ControllerLocation 1 -Path $InstallMedia
+
+ #Mount Installation Media
+ $DVDDrive = Get-VMDvdDrive -VMName $VMName
+
+ #Configure Virtual Machine to Boot from DVD
+ Set-VMFirmware -VMName $VMName -FirstBootDevice $DVDDrive
+ ```
+
+### Complete the operating system deployment
+In order to finish building the virtual machine, you need to finish the operating system installation.
+
+1. Hyper-V Manager, double-click on the virtual machine
+2. Click on the Start button.
+3. You'll be prompted to ΓÇÿPress any key to boot from CD or DVDΓÇÖ. Go ahead and do so.
+4. On the Windows Server start up screen select your language and click **Next**.
+5. Click **Install Now**.
+6. Enter your license key and click **Next**.
+7. Check **I accept the license terms and click **Next**.
+8. Select **Custom: Install Windows Only (Advanced)**
+9. Click **Next**
+10. Once the installation has completed, restart the virtual machine, sign-in and run Windows updates to ensure the VM is the most up-to-date. Install the latest updates.
+
+### Install Active Directory prerequisites
+Now that you have a virtual machine up, you need to do a few things prior to installing Active Directory. That is, you need to rename the virtual machine, set a static IP address and DNS information, and install the Remote Server Administration tools. Do the following:
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ # Filename: 2_ADPrep_CP.ps1
+ # Description: Prepares your environment for Active Directory. This is part of
+ # the Azure AD Connect password hash sync tutorial.
+ #
+ # DISCLAIMER:
+ # Copyright (c) Microsoft Corporation. All rights reserved. This
+ # script is made available to you without any express, implied or
+ # statutory warranty, not even the implied warranty of
+ # merchantability or fitness for a particular purpose, or the
+ # warranty of title or non-infringement. The entire risk of the
+ # use or the results from the use of this script remains with you.
+ #
+ #
+ #
+ #
+ #Declare variables
+ $ipaddress = "10.0.1.118"
+ $ipprefix = "24"
+ $ipgw = "10.0.1.1"
+ $ipdns = "10.0.1.118"
+ $ipdns2 = "8.8.8.8"
+ $ipif = (Get-NetAdapter).ifIndex
+ $featureLogPath = "c:\poshlog\featurelog.txt"
+ $newname = "CP1"
+ $addsTools = "RSAT-AD-Tools"
+
+ #Set static IP address
+ New-NetIPAddress -IPAddress $ipaddress -PrefixLength $ipprefix -InterfaceIndex $ipif -DefaultGateway $ipgw
+
+ #Set the DNS servers
+ Set-DnsClientServerAddress -InterfaceIndex $ipif -ServerAddresses ($ipdns, $ipdns2)
+
+ #Rename the computer
+ Rename-Computer -NewName $newname -force
+
+ #Install features
+ New-Item $featureLogPath -ItemType file -Force
+ Add-WindowsFeature $addsTools
+ Get-WindowsFeature | Where installed >>$featureLogPath
+
+ #Restart the computer
+ Restart-Computer
+ ```
+### Create a Windows Server AD environment
+Now that you have the VM created and it has been renamed and has a static IP address, you can go ahead and install and configure Active Directory Domain Services. Do the following:
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ # Filename: 3_InstallAD_CP.ps1
+ # Description: Creates an on-premises AD environment. This is part of
+ # the Azure AD Connect password hash sync tutorial.
+ #
+ # DISCLAIMER:
+ # Copyright (c) Microsoft Corporation. All rights reserved. This
+ # script is made available to you without any express, implied or
+ # statutory warranty, not even the implied warranty of
+ # merchantability or fitness for a particular purpose, or the
+ # warranty of title or non-infringement. The entire risk of the
+ # use or the results from the use of this script remains with you.
+ #
+ #
+ #
+ #
+ #Declare variables
+ $DatabasePath = "c:\windows\NTDS"
+ $DomainMode = "WinThreshold"
+ $DomainName = "fabrikam.com"
+ $DomaninNetBIOSName = "FABRIKAM"
+ $ForestMode = "WinThreshold"
+ $LogPath = "c:\windows\NTDS"
+ $SysVolPath = "c:\windows\SYSVOL"
+ $featureLogPath = "c:\poshlog\featurelog.txt"
+ $Password = "Pass1w0rd"
+ $SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
+
+ #Install AD DS, DNS and GPMC
+ start-job -Name addFeature -ScriptBlock {
+ Add-WindowsFeature -Name "ad-domain-services" -IncludeAllSubFeature -IncludeManagementTools
+ Add-WindowsFeature -Name "dns" -IncludeAllSubFeature -IncludeManagementTools
+ Add-WindowsFeature -Name "gpmc" -IncludeAllSubFeature -IncludeManagementTools }
+ Wait-Job -Name addFeature
+ Get-WindowsFeature | Where installed >>$featureLogPath
+
+ #Create New AD Forest
+ Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath $DatabasePath -DomainMode $DomainMode -DomainName $DomainName -SafeModeAdministratorPassword $SecureString -DomainNetbiosName $DomainNetBIOSName -ForestMode $ForestMode -InstallDns:$true -LogPath $LogPath -NoRebootOnCompletion:$false -SysvolPath $SysVolPath -Force:$true
+ ```
+
+### Create a Windows Server AD user
+Now that you have our Active Directory environment, you need to a test account. This account will be created in our on-premises AD environment and then synchronized to Azure AD. Do the following:
+
+1. Open up the PowerShell ISE as Administrator.
+2. Run the following script.
+
+ ```powershell
+ # Filename: 4_CreateUser_CP.ps1
+ # Description: Creates a user in Active Directory. This is part of
+ # the Azure AD Connect password hash sync tutorial.
+ #
+ # DISCLAIMER:
+ # Copyright (c) Microsoft Corporation. All rights reserved. This
+ # script is made available to you without any express, implied or
+ # statutory warranty, not even the implied warranty of
+ # merchantability or fitness for a particular purpose, or the
+ # warranty of title or non-infringement. The entire risk of the
+ # use or the results from the use of this script remains with you.
+ #
+ #
+ #
+ #
+ #Declare variables
+ $Givenname = "Anna"
+ $Surname = "Ringdal"
+ $Displayname = "Anna Ringdal"
+ $Name = "aringdal"
+ $Password = "Pass1w0rd"
+ $Identity = "CN=aringdal,CN=Users,DC=fabrikam,DC=com"
+ $SecureString = ConvertTo-SecureString $Password -AsPlainText -Force
++
+ #Create the user
+ New-ADUser -Name $Name -GivenName $Givenname -Surname $Surname -DisplayName $Displayname -AccountPassword $SecureString
+
+ #Set the password to never expire
+ Set-ADUser -Identity $Identity -PasswordNeverExpires $true -ChangePasswordAtLogon $false -Enabled $true
+ ```
+
+## Conclusion
+Now you have an environment that can be used for existing tutorials and to test additional features cloud sync provides.
+
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
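Review bot: In the `4_CreateUser.ps1` block, `$Identity = "CN=ammccray,CN=Users,DC=contoso,DC=com"` does not match `$Name = "amccray"`, so the `Set-ADUser -Identity $Identity -PasswordNeverExpires $true -ChangePasswordAtLogon $false -Enabled $true` call never finds the account that `New-ADUser` just created and the enable/password-policy step silently fails; change the CN to `amccray` (the `_CP` variant below spells `aringdal` consistently in both places). In both `Install-ADDSForest` blocks the variable is declared as `$DomaninNetBIOSName` but passed as `-DomainNetbiosName $DomainNetBIOSName`, so the intended NetBIOS name is never bound; rename the declaration to `$DomainNetBIOSName`. Both create-user scripts hard-code `$Password = "Pass1w0rd"` and set `-PasswordNeverExpires $true` on an enabled account that the tutorial then hash-syncs to Azure AD; for a throwaway lab that is acceptable, but the text should say it is lab-only and prefer `Read-Host -AsSecureString` over a literal. The AD-prep scripts also set `$ipdns2 = "8.8.8.8"` on what becomes a domain controller; a public resolver as secondary DNS cannot answer AD SRV lookups and causes intermittent domain-join and replication failures, so either drop it or note that it is only for the pre-promotion Windows Update step. Smaller points: step 3 of "Complete the operating system deployment" has mis-encoded quotes (`ΓÇÿPress any key to boot from CD or DVDΓÇÖ`), step 7 is missing the closing `**` after "license terms", step 1 should read "In Hyper-V Manager, ...", and the `### Create a Windows Server AD environment` heading needs a blank line after the preceding code fence.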
active-directory Tutorial Existing Forest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/tutorial-existing-forest.md
+
+ Title: Tutorial - Integrate an existing forest and a new forest with a single Azure AD tenant using Azure AD Connect cloud sync.
+description: Learn how to add cloud sync to an existing hybrid identity environment.
++++++ Last updated : 01/17/2023+++++
+# Integrate an existing forest and a new forest with a single Azure AD tenant
+
+This tutorial walks you through adding cloud sync to an existing hybrid identity environment.
+
+![Diagram that shows the Azure AD Connect cloud sync flow.](media/tutorial-existing-forest/existing-forest-new-forest-2.png)
+
+You can use the environment you create in this tutorial for testing or for getting more familiar with how a hybrid identity works.
+
+In this scenario, there's an existing forest synced using Azure AD Connect sync to an Azure AD tenant. And you have a new forest that you want to sync to the same Azure AD tenant. You'll set up cloud sync for the new forest.
+
+## Prerequisites
+### In the Azure portal
+
+1. Create a cloud-only global administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only global administrator account](../../fundamentals/add-users-azure-active-directory.md). Completing this step is critical to ensure that you don't get locked out of your tenant.
+2. Add one or more [custom domain names](../../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.
+
+### In your on-premises environment
+
+1. Identify a domain-joined host server running Windows Server 2012 R2 or greater with minimum of 4-GB RAM and .NET 4.7.1+ runtime
+
+2. If there's a firewall between your servers and Azure AD, configure the following items:
+ - Ensure that agents can make *outbound* requests to Azure AD over the following ports:
+
+ | Port number | How it's used |
+ | | |
+ | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate |
+ | **443** | Handles all outbound communication with the service |
+ | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure portal. |
+
+ If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
+ - If your firewall or proxy allows you to specify safe suffixes, then add connections to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
+ - Your agents need access to **login.windows.net** and **login.microsoftonline.com** for initial registration. Open your firewall for those URLs as well.
+ - For certificate validation, unblock the following URLs: **mscrl.microsoft.com:80**, **crl.microsoft.com:80**, **ocsp.msocsp.com:80**, and **www\.microsoft.com:80**. Since these URLs are used for certificate validation with other Microsoft products, you may already have these URLs unblocked.
+
+## Install the Azure AD Connect provisioning agent
+
+If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1. To install the agent, follow these steps:
+++
+## Verify agent installation
++
+## Configure Azure AD Connect cloud sync
+ Use the following steps to configure provisioning
+
+1. Sign in to the Azure portal.
+2. Select **Azure Active Directory**
+3. Select **Azure AD Connect**
+4. Select **Manage cloud sync**
+
+ ![Screenshot showing "Manage cloud sync" link.](media/how-to-configure/manage-1.png)
+
+5. Select **New Configuration**
+
+ ![Screenshot of Azure AD Connect cloud sync screen with "New configuration" link highlighted.](media/tutorial-single-forest/configure-1.png)
+
+7. On the configuration screen, enter a **Notification email**, move the selector to **Enable** and select **Save**.
+
+ ![Screenshot of Configure screen with Notification email filled in and Enable selected.](media/how-to-configure/configure-2.png)
+
+1. The configuration status should now be **Healthy**.
+
+ ![Screenshot of Azure AD Connect cloud sync screen showing Healthy status.](media/how-to-configure/manage-4.png)
+
+## Verify users are created and synchronization is occurring
+
+You'll now verify that the users that you had in our on-premises directory have been synchronized and now exist in our Azure AD tenant. This process may take a few hours to complete. To verify users are synchronized, do the following:
++
+1. Browse to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.
+2. On the left, select **Azure Active Directory**
+3. Under **Manage**, select **Users**.
+4. Verify that you see the new users in our tenant
+
+## Test signing in with one of our users
+
+1. Browse to [https://myapps.microsoft.com](https://myapps.microsoft.com)
+2. Sign in with a user account that was created in our new tenant. You'll need to sign in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign in on-premises.
+
+ ![Screenshot that shows the my apps portal with a signed in users.](media/tutorial-single-forest/verify-1.png)
+
+You have now successfully set up a hybrid identity environment that you can use to test and familiarize yourself with what Azure has to offer.
+
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
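Review bot: The "Install the Azure AD Connect provisioning agent" section ends with "To install the agent, follow these steps:" and is followed only by stray `+` lines, and "Verify agent installation" has no body at all, so the procedure those headings promise is missing; restore the include or the step list there. The port table's delimiter row is `| | |`, which is not a valid markdown separator row, so the table will not render; use `|---|---|`. The numbered list under "Configure Azure AD Connect cloud sync" runs 1, 2, 3, 4, 5, 7, 1; renumber it or use `1.` throughout as the single-forest tutorial on this page does. The prerequisite here says Windows Server 2012 R2 or greater, while the pilot and single-forest tutorials on this page require Windows Server 2016 or later for the agent host; align the stated minimum. Also "the users that you had in our on-premises directory", "exist in our Azure AD tenant", "in our tenant" and "one of our users" should read "your".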
active-directory Tutorial Pilot Aadc Aadccp https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/tutorial-pilot-aadc-aadccp.md
+
+ Title: Tutorial - Migrate to Azure AD Connect cloud sync for an existing synced AD forest
+description: Learn how to pilot cloud sync for a test Active Directory forest that is already synced using Azure Active Directory (Azure AD) Connect sync.
++++++ Last updated : 01/23/2023++++++
+# Migrate to Azure AD Connect cloud sync for an existing synced AD forest
+
+This tutorial walks you through how you would migrate to cloud sync for a test Active Directory forest that is already synced using Azure Active Directory (Azure AD) Connect sync.
+
+> [!NOTE]
+> This article provides information for a basic migration and you should review the [Migrating to cloud sync](migrate-azure-ad-connect-to-cloud-sync.md) documentation before attempting to migrate your production environment.
+
+![Diagram that shows the Azure AD Connect cloud sync flow.](media/tutorial-migrate-aadc-aadccp/diagram-2.png)
+
+## Considerations
+
+Before you try this tutorial, consider the following items:
+
+ 1. Ensure that you're familiar with basics of cloud sync.
+ 2. Ensure that you're running Azure AD Connect sync version 1.4.32.0 or later and have configured the sync rules as documented.
+ 3. When piloting, you'll be removing a test OU or group from Azure AD Connect sync scope. Moving objects out of scope leads to deletion of those objects in Azure AD.
+
+ - User objects, the objects in Azure AD are soft-deleted and can be restored.
+ - Group objects, the objects in Azure AD are hard-deleted and can't be restored.
+
+ A new link type has been introduced in Azure AD Connect sync, which will prevent the deletion in a piloting scenario.
+
+ 4. Ensure that the objects in the pilot scope have ms-ds-consistencyGUID populated so cloud sync hard matches the objects.
+
+ > [!NOTE]
+ > Azure AD Connect sync does not populate *ms-ds-consistencyGUID* by default for group objects.
+
+ 5. This configuration is for advanced scenarios. Ensure that you follow the steps documented in this tutorial precisely.
+
+## Prerequisites
+
+The following are prerequisites required for completing this tutorial
+
+- A test environment with Azure AD Connect sync version 1.4.32.0 or later
+- An OU or group that is in scope of sync and can be used the pilot. We recommend starting with a small set of objects.
+- A server running Windows Server 2016 or later that will host the provisioning agent.
+- Source anchor for Azure AD Connect sync should be either *objectGuid* or *ms-ds-consistencyGUID*
+
+## Update Azure AD Connect
+
+As a minimum, you should have [Azure AD connect](https://www.microsoft.com/download/details.aspx?id=47594) 1.4.32.0. To update Azure AD Connect sync, complete the steps in [Azure AD Connect: Upgrade to the latest version](../connect/how-to-upgrade-previous-version.md).
+
+## Back up your Azure AD Connect configuration
+Before making any changes, you should back up your Azure AD Connect configuration. This way, you can roll back to your previous configuration. See [Import and export Azure AD Connect configuration settings](../connect/how-to-connect-import-export-config.md) for more information.
+
+## Stop the scheduler
+
+Azure AD Connect sync synchronizes changes occurring in your on-premises directory using a scheduler. In order to modify and add custom rules, you want to disable the scheduler so that synchronizations won't run while you're working making the changes. To stop the scheduler, use the following steps:
+
+1. On the server that is running Azure AD Connect sync open PowerShell with Administrative Privileges.
+2. Run `Stop-ADSyncSyncCycle`. Hit Enter.
+3. Run `Set-ADSyncScheduler -SyncCycleEnabled $false`.
+
+>[!NOTE]
+>If you are running your own custom scheduler for Azure AD Connect sync, then please disable the scheduler.
+
+## Create custom user inbound rule
+In the Azure AD Connect Synchronization Rules editor, you need to create an inbound sync rule that filters out users in the OU you identified previously. The inbound sync rule is a join rule with a target attribute of cloudNoFlow. This rule tells Azure AD Connect not to synchronize attributes for these users. For more information, see [Migrating to cloud sync](migrate-azure-ad-connect-to-cloud-sync.md) documentation before attempting to migrate your production environment.
+
+ 1. Launch the synchronization editor from the application menu in desktop as shown below:
+
+ ![Screenshot of the synchronization rule editor menu.](media/tutorial-migrate-aadc-aadccp/user-8.png)
+
+ 2. Select **Inbound** from the drop-down list for Direction and select **Add new rule**.
+
+ ![Screenshot that shows the "View and manage your synchronization rules" window with "Inbound" and the "Add new rule" button selected.](media/tutorial-migrate-aadc-aadccp/user-1.png)
+
+ 3. On the **Description** page, enter the following and select **Next**:
+
+ - **Name:** Give the rule a meaningful name
+ - **Description:** Add a meaningful description
+ - **Connected System:** Choose the AD connector that you're writing the custom sync rule for
+ - **Connected System Object Type:** User
+ - **Metaverse Object Type:** Person
+ - **Link Type:** Join
+ - **Precedence:** Provide a value that is unique in the system
+ - **Tag:** Leave this empty
+
+ ![Screenshot that shows the "Create inbound synchronization rule - Description" page with values entered.](media/tutorial-migrate-aadc-aadccp/user-2.png)
+
+ 4. On the **Scoping filter** page, enter the OU or security group that you want the pilot based off. To filter on OU, add the OU portion of the distinguished name. This rule will be applied to all users who are in that OU. So, if DN ends with "OU=CPUsers,DC=contoso,DC=com, you would add this filter. Then select **Next**.
+
+ |Rule|Attribute|Operator|Value|
+ |--|-|-|--|
+ |Scoping OU|DN|ENDSWITH|Distinguished name of the OU.|
+ |Scoping group||ISMEMBEROF|Distinguished name of the security group.|
+
+ ![Screenshot that shows the **Create inbound synchronization rule - Scoping filter** page with a scoping filter value entered.](media/tutorial-migrate-aadc-aadccp/user-3.png)
+
+ 5. On the **Join** rules page, select **Next**.
+ 6. On the **Transformations** page, add a Constant transformation: flow True to cloudNoFlow attribute. Select **Add**.
+
+ ![Screenshot that shows the **Create inbound synchronization rule - Transformations** page with a **Constant transformation** flow added.](media/tutorial-migrate-aadc-aadccp/user-4.png)
+
+Same steps need to be followed for all object types (user, group and contact). Repeat steps per configured AD Connector / per AD forest.
+
+## Create custom user outbound rule
+You'll also need an outbound sync rule with a link type of JoinNoFlow and the scoping filter that has the cloudNoFlow attribute set to True. This rule tells Azure AD Connect not to synchronize attributes for these users. For more information, see [Migrating to cloud sync](migrate-azure-ad-connect-to-cloud-sync.md) documentation before attempting to migrate your production environment.
+
+ 1. Select **Outbound** from the drop-down list for Direction and select **Add rule**.
+
+ ![Screenshot that shows the **Outbound** Direction selected and the **Add new rule** button highlighted.](media/tutorial-migrate-aadc-aadccp/user-5.png)
+
+ 2. On the **Description** page, enter the following and select **Next**:
+
+ - **Name:** Give the rule a meaningful name
+ - **Description:** Add a meaningful description
+ - **Connected System:** Choose the Azure AD connector that you're writing the custom sync rule for
+ - **Connected System Object Type:** User
+ - **Metaverse Object Type:** Person
+ - **Link Type:** JoinNoFlow
+ - **Precedence:** Provide a value that is unique in the system<br>
+ - **Tag:** Leave this empty
+
+ ![Screenshot that shows the **Description** page with properties entered.](media/tutorial-migrate-aadc-aadccp/user-6.png)
+
+ 3. On the **Scoping filter** page, choose **cloudNoFlow** equal **True**. Then select **Next**.
+
+ ![Screenshot that shows a custom rule.](media/tutorial-migrate-aadc-aadccp/user-7.png)
+
+ 4. On the **Join** rules page, select **Next**.
+ 5. On the **Transformations** page, select **Add**.
+
+Same steps need to be followed for all object types (user, group and contact).
+
+## Install the Azure AD Connect provisioning agent
+
+If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be CP1. To install the agent, follow these steps:
++
+## Verify agent installation
++
+## Configure Azure AD Connect cloud sync
+
+Use the following steps to configure provisioning:
+
+ 1. In the Azure portal, select **Azure Active Directory**.
+ 2. On the left, select **Azure AD Connect**.
+ 3. On the left, select **Cloud sync**.
+
+ :::image type="content" source="media/how-to-on-demand-provision/new-ux-1.png" alt-text="Screenshot of new UX cloud sync screen." lightbox="media/how-to-on-demand-provision/new-ux-1.png":::
+
+ 4. Select **New configuration**.
+ :::image type="content" source="media/how-to-configure/new-ux-configure-1.png" alt-text="Screenshot of adding a configuration." lightbox="media/how-to-configure/new-ux-configure-1.png":::
+ 5. On the configuration screen, select your domain and whether to enable password hash sync. Click **Create**.
+
+ :::image type="content" source="media/how-to-configure/new-ux-configure-2.png" alt-text="Screenshot of a new configuration." lightbox="media/how-to-configure/new-ux-configure-2.png":::
+
+ 6. The **Get started** screen will open.
+
+ :::image type="content" source="media/how-to-configure/new-ux-configure-3.png" alt-text="Screenshot of the getting started screen." lightbox="media/how-to-configure/new-ux-configure-3.png":::
+
+ 7. On the **Get started** screen, click either **Add scoping filters** next to the **Add scoping filters** icon or on the click **Scoping filters** on the left under **Manage**.
+
+ :::image type="content" source="media/how-to-configure/new-ux-configure-5.png" alt-text="Screenshot of scoping filters." lightbox="media/how-to-configure/new-ux-configure-5.png":::
+
+ 8. Select the scoping filter. For this tutorial select:
+ - **Selected organizational units**: Scopes the configuration to apply to specific OUs.
+ 9. In the box, enter "OU=CPUsers,DC=contoso,DC=com".
+
+ :::image type="content" source="media/tutorial-migrate-aadc-aadccp/configure-1.png" alt-text="Screenshot of the scoping filter." lightbox="media/tutorial-migrate-aadc-aadccp/configure-1.png":::
+
+ 10. Click **Add**. Click **Save**.
++++
+
+
+## Start the scheduler
+
+Azure AD Connect sync synchronizes changes occurring in your on-premises directory using a scheduler. Now that you've modified the rules, you can restart the scheduler. Use the following steps:
+
+1. On the server that is running Azure AD Connect sync open PowerShell with Administrative Privileges
+2. Run `Set-ADSyncScheduler -SyncCycleEnabled $true`.
+3. Run `Start-ADSyncSyncCycle`, then press <kbd>Enter</kbd>.
+
+> [!NOTE]
+> If you are running your own custom scheduler for Azure AD Connect sync, then please enable the scheduler.
+
+Once the scheduler is enabled, Azure AD Connect will stop exporting any changes on objects with `cloudNoFlow=true` in the metaverse, unless any reference attribute (such as `manager`) is being updated. In case there's any reference attribute update on the object, Azure AD Connect will ignore the `cloudNoFlow` signal and export all updates on the object.
+
+## Something went wrong
+
+In case the pilot doesn't work as expected, you can go back to the Azure AD Connect sync setup by following the steps below:
+
+1. Disable provisioning configuration in the Azure portal.
+2. Disable all the custom sync rules created for Cloud Provisioning using the Sync Rule Editor tool. Disabling should cause full sync on all the connectors.
+
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud sync?](what-is-cloud-sync.md)
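Review bot: In step 4 of "Create custom user inbound rule", the example DN `"OU=CPUsers,DC=contoso,DC=com,` is missing its closing quote, and the sentence should make clear that the value entered in the filter is the DN suffix itself (`OU=CPUsers,DC=contoso,DC=com`). The "Install the Azure AD Connect provisioning agent" and "Verify agent installation" sections again contain no steps after "follow these steps:" (only stray `+` lines), and the `++++` after step 10 of "Configure Azure AD Connect cloud sync" looks like dropped content as well; restore the includes. Step 7 of that section reads "or on the click **Scoping filters**"; drop "on the". Step 2 of "Stop the scheduler" says "Run `Stop-ADSyncSyncCycle`. Hit Enter." while the matching step in "Start the scheduler" uses "then press <kbd>Enter</kbd>"; use one form. In "Create custom user inbound rule", the closing sentence says to repeat for user, group and contact, but step 3 fixes **Connected System Object Type: User** and **Metaverse Object Type: Person**; say which values change for the other object types or point to the migration article for them.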
active-directory Tutorial Single Forest https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/tutorial-single-forest.md
+
+ Title: Tutorial - Integrate a single forest with a single Azure AD tenant
+description: This topic describes the pre-requisites and the hardware requirements cloud sync.
++++++ Last updated : 01/17/2023+++++
+# Tutorial: Integrate a single forest with a single Azure AD tenant
+
+This tutorial walks you through creating a hybrid identity environment using Azure Active Directory (Azure AD) Connect cloud sync.
+
+![Diagram that shows the Azure AD Connect cloud sync flow.](media/tutorial-single-forest/diagram-2.png)
+
+You can use the environment you create in this tutorial for testing or for getting more familiar with cloud sync.
+
+## Prerequisites
+
+### In the Azure portal
+
+1. Create a cloud-only global administrator account on your Azure AD tenant. This way, you can manage the configuration of your tenant should your on-premises services fail or become unavailable. Learn about [adding a cloud-only global administrator account](../../fundamentals/add-users-azure-active-directory.md). Completing this step is critical to ensure that you don't get locked out of your tenant.
+2. Add one or more [custom domain names](../../fundamentals/add-custom-domain.md) to your Azure AD tenant. Your users can sign in with one of these domain names.
+
+### In your on-premises environment
+
+1. Identify a domain-joined host server running Windows Server 2016 or greater with minimum of 4-GB RAM and .NET 4.7.1+ runtime
+
+2. If there's a firewall between your servers and Azure AD, configure the following items:
+ - Ensure that agents can make *outbound* requests to Azure AD over the following ports:
+
+ | Port number | How it's used |
+ | | |
+ | **80** | Downloads the certificate revocation lists (CRLs) while validating the TLS/SSL certificate |
+ | **443** | Handles all outbound communication with the service |
+ | **8080** (optional) | Agents report their status every 10 minutes over port 8080, if port 443 is unavailable. This status is displayed on the Azure portal. |
+
+ If your firewall enforces rules according to the originating users, open these ports for traffic from Windows services that run as a network service.
+ - If your firewall or proxy allows you to specify safe suffixes, then add connections t to **\*.msappproxy.net** and **\*.servicebus.windows.net**. If not, allow access to the [Azure datacenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653), which are updated weekly.
+ - Your agents need access to **login.windows.net** and **login.microsoftonline.com** for initial registration. Open your firewall for those URLs as well.
+ - For certificate validation, unblock the following URLs: **mscrl.microsoft.com:80**, **crl.microsoft.com:80**, **ocsp.msocsp.com:80**, and **www\.microsoft.com:80**. Since these URLs are used for certificate validation with other Microsoft products, you may already have these URLs unblocked.
+
+## Install the Azure AD Connect provisioning agent
+
+If you're using the [Basic AD and Azure environment](tutorial-basic-ad-azure.md) tutorial, it would be DC1. To install the agent, follow these steps:
++
+## Verify agent installation
++
+## Configure Azure AD Connect cloud sync
+
+Use the following steps to configure and start the provisioning:
+
+1. Sign in to the Azure portal.
+1. Select **Azure Active Directory**
+1. Select **Azure AD Connect**
+1. Select **Manage cloud sync**
+
+ ![Screenshot showing "Manage cloud sync" link.](media/how-to-configure/manage-1.png)
+
+1. Select **New Configuration**
+
+ [![Screenshot of Azure AD Connect cloud sync screen with "New configuration" link highlighted.](media/tutorial-single-forest/configure-1.png)](media/tutorial-single-forest/configure-1.png#lightbox)
+
+1. On the configuration screen, enter a **Notification email**, move the selector to **Enable** and select **Save**.
+
+ [![Screenshot of Configure screen with Notification email filled in and Enable selected.](media/how-to-configure/configure-2.png)](media/how-to-configure/configure-2.png#lightbox)
+
+1. The configuration status should now be **Healthy**.
+
+ [![Screenshot of Azure AD Connect cloud sync screen showing Healthy status.](media/how-to-configure/manage-4.png)](media/how-to-configure/manage-4.png#lightbox)
+
+## Verify users are created and synchronization is occurring
+
+You'll now verify that the users that you had in your on-premises directory have been synchronized and now exist in your Azure AD tenant. The sync operation may take a few hours to complete. To verify users are synchronized, follow these steps:
++
+1. Browse to the [Azure portal](https://portal.azure.com) and sign in with an account that has an Azure subscription.
+2. On the left, select **Azure Active Directory**
+3. Under **Manage**, select **Users**.
+4. Verify that the new users appear in your tenant
+
+## Test signing in with one of your users
+
+1. Browse to [https://myapps.microsoft.com](https://myapps.microsoft.com)
+
+1. Sign in with a user account that was created in your tenant. You'll need to sign in using the following format: (user@domain.onmicrosoft.com). Use the same password that the user uses to sign in on-premises.
+
+ ![Screenshot that shows the my apps portal with a signed in users.](media/tutorial-single-forest/verify-1.png)
+
+You've now successfully configured a hybrid identity environment using Azure AD Connect cloud sync.
+
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [What is Azure AD Connect cloud provisioning?](what-is-cloud-sync.md)
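Review bot: the sections "Install the Azure AD Connect provisioning agent" and "Verify agent installation" contain no steps in this hunk; the first ends with "To install the agent, follow these steps:" and then nothing, and the second is an empty heading. If these are meant to pull in shared content, confirm the include renders, otherwise the tutorial cannot be followed from the prerequisites to the configuration step. Smaller points in the same hunk: the front-matter description "This topic describes the pre-requisites and the hardware requirements cloud sync." is ungrammatical and does not describe a tutorial; "add connections t to **\*.msappproxy.net**" has a stray "t"; and the sign-in test tells the reader to use the (user@domain.onmicrosoft.com) format although the prerequisites say users sign in with one of the custom domain names added to the tenant, so say which format applies to the newly synchronized accounts.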
active-directory What Is Cloud Sync https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/what-is-cloud-sync.md
+
+ Title: 'What is Azure AD Connect cloud sync?'
+description: Describes Azure AD Connect cloud sync.
++++++ Last updated : 01/17/2023+++++
+# What is Azure AD Connect cloud sync?
+Azure AD Connect cloud sync is a new offering from Microsoft designed to meet and accomplish your hybrid identity goals for synchronization of users, groups, and contacts to Azure AD. It accomplishes this by using the Azure AD cloud provisioning agent instead of the Azure AD Connect application. However, it can be used alongside Azure AD Connect sync and it provides the following benefits:
+
+- Support for synchronizing to an Azure AD tenant from a multi-forest disconnected Active Directory forest environment: The common scenarios include merger & acquisition (where the acquired company's AD forests are isolated from the parent company's AD forests), and companies that have historically had multiple AD forests.
+- Simplified installation with light-weight provisioning agents: The agents act as a bridge from AD to Azure AD, with all the sync configuration managed in the cloud.
+- Multiple provisioning agents can be used to simplify high availability deployments, particularly critical for organizations relying upon password hash synchronization from AD to Azure AD.
+- Support for large groups with up to 50,000 members. It's recommended to use only the OU scoping filter when synchronizing large groups.
+
+![What is Azure AD Connect](media/what-is-cloud-sync/architecture-1.png)
+
+## How is Azure AD Connect cloud sync different from Azure AD Connect sync?
+With Azure AD Connect cloud sync, provisioning from AD to Azure AD is orchestrated in Microsoft Online Services. An organization only needs to deploy, in their on-premises or IaaS-hosted environment, a light-weight agent that acts as a bridge between Azure AD and AD. The provisioning configuration is stored in Azure AD and managed as part of the service.
+
+## Azure AD Connect cloud sync video
+The following short video provides an excellent overview of Azure AD Connect cloud sync:
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWJ8l5]
++
+## Comparison between Azure AD Connect and cloud sync
+
+The following table provides a comparison between Azure AD Connect and Azure AD Connect cloud sync:
+
+| Feature | Azure Active Directory Connect sync| Azure Active Directory Connect cloud sync |
+|: |::|::|
+|Connect to single on-premises AD forest|ΓùÅ |ΓùÅ |
+| Connect to multiple on-premises AD forests |ΓùÅ |ΓùÅ |
+| Connect to multiple disconnected on-premises AD forests | |ΓùÅ |
+| Lightweight agent installation model | |ΓùÅ |
+| Multiple active agents for high availability | |ΓùÅ |
+| Connect to LDAP directories|ΓùÅ| |
+| Support for user objects |ΓùÅ |ΓùÅ |
+| Support for group objects |ΓùÅ |ΓùÅ |
+| Support for contact objects |ΓùÅ |ΓùÅ |
+| Support for device objects |ΓùÅ | |
+| Allow basic customization for attribute flows |ΓùÅ |ΓùÅ |
+| Synchronize Exchange online attributes |ΓùÅ |ΓùÅ |
+| Synchronize extension attributes 1-15 |ΓùÅ |ΓùÅ |
+| Synchronize customer defined AD attributes (directory extensions) |ΓùÅ|ΓùÅ|
+| Support for Password Hash Sync |ΓùÅ|ΓùÅ|
+| Support for Pass-Through Authentication |ΓùÅ||
+| Support for federation |ΓùÅ|ΓùÅ|
+| Seamless Single Sign-on|ΓùÅ |ΓùÅ|
+| Supports installation on a Domain Controller |ΓùÅ |ΓùÅ |
+| Support for Windows Server 2016|ΓùÅ |ΓùÅ |
+| Filter on Domains/OUs/groups |ΓùÅ |ΓùÅ |
+| Filter on objects' attribute values |ΓùÅ | |
+| Allow minimal set of attributes to be synchronized (MinSync) |ΓùÅ |ΓùÅ |
+| Allow removing attributes from flowing from AD to Azure AD |ΓùÅ |ΓùÅ |
+| Allow advanced customization for attribute flows |ΓùÅ | |
+| Support for password writeback |ΓùÅ |ΓùÅ |
+| Support for device writeback|ΓùÅ |Customers should use [Cloud Kerberos trust](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust?tabs=intune) for this moving forward|
+| Support for group writeback|ΓùÅ | |
+| Support for merging user attributes from multiple domains|ΓùÅ | |
+| Azure AD Domain Services support|ΓùÅ | |
+| [Exchange hybrid writeback](../connect/reference-connect-sync-attributes-synchronized.md#exchange-hybrid-writeback) |ΓùÅ | |
+| Unlimited number of objects per AD domain |ΓùÅ | |
+| Support for up to 150,000 objects per AD domain |ΓùÅ |ΓùÅ |
+| Groups with up to 50,000 members |ΓùÅ |ΓùÅ |
+| Large groups with up to 250,000 members |ΓùÅ | |
+| Cross domain references|ΓùÅ |ΓùÅ |
+| On-demand provisioning| |ΓùÅ |
+| Support for US Government|ΓùÅ |ΓùÅ |
+
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [Install cloud sync](how-to-install.md)
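Review bot: the table alignment row "|: |::|::|" is not valid Markdown table syntax (each column spec needs dashes, for example "|:--|:--:|:--:|"), so the comparison table may not render at all. In this rendering the feature cells also show "ΓùÅ" where a filled-circle marker was intended, which suggests the file was saved with the wrong encoding; a reader cannot tell which cells are marked, so check the encoding of the file. Minor: "a new offering from Microsoft" in the opening paragraph will date quickly, and the device writeback row mixes a marker column with a prose recommendation ("Customers should use [Cloud Kerberos trust]... for this moving forward"); a footnote under the table would keep the columns uniform.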
active-directory What Is Provisioning Agent https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/cloud-sync/what-is-provisioning-agent.md
+
+ Title: 'What is the provisioning agent?'
+description: This article describes the provisioning agent used by cloud sync and on-premsises app provisioning.
+
+documentationcenter: ''
++
+editor: ''
++
+ na
+ Last updated : 01/11/2023++++++
+# What is the Azure AD provisioning agent?
+
+The provisioning agent is the synchronization tool that is used to deliver several features for use with Azure AD and is managed from the cloud.
+
+The provisioning agent provides connectivity between Azure Active Directory (Azure AD) and your on-premises environment.
++
+ These features include:
+
+ - cloud sync
+ - on-premises app provisioning
+
+## How it works
+The provisioning agent uses SCIM ([System for Cross-domain Identity Management (SCIM) 2.0](https://techcommunity.microsoft.com/t5/identity-standards-blog/provisioning-with-scim-getting-started/ba-p/880010)). The SCIM specification provides a common user schema to help users move into, out of, and around apps. SCIM is becoming the de facto standard for provisioning and, when used in conjunction with federation standards like SAML or OpenID Connect, provides administrators an end-to-end standards-based solution for access management.
+
+## Next steps
+
+- [What is provisioning?](../what-is-provisioning.md)
+- [Install cloud sync](how-to-install.md)
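Review bot: the front-matter description has a typo, "on-premsises app provisioning", and keeps empty placeholder fields ("documentationcenter: ''", "editor: ''", a bare "na") that should be filled in or dropped. In the body, "These features include:" and its two list items carry a stray leading space, which can break list rendering. The "How it works" paragraph says the agent "uses SCIM" but not where in the flow SCIM is spoken (between the agent and the cloud service, or toward the on-premises application); since this is the page that explains the agent, state where the SCIM exchange takes place.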
active-directory Common Scenarios https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/common-scenarios.md
+
+ Title: 'Common hybrid scenarios with Azure AD'
+description: This article describes the common scenarios for using Azure AD Connect cloud sync and Azure AD Connect.
+
+documentationcenter: ''
++
+editor: ''
++
+ na
+ Last updated : 04/25/2023+++++
+# Hybrid scenarios
+The following document describes the common and supported hybrid sync scenarios.
+
+## Supported sync scenarios
+The following table outlines the most common and supported sync scenarios.
+
+|Scenario|Supported with cloud sync|Supported with connect sync|Supported with MIM and the Graph Connector|Supported with ECMA Host connector|
+|--|--|--|--|--|
+|New Hybrid customers managing identities|ΓùÅ|ΓùÅ|ΓùÅ|N/A|
+|Mergers and acquisitions (disconnected forest)|ΓùÅ|N/A|ΓùÅ|N/A|
+|High availability - latency (I need high availability)|ΓùÅ|N/A|ΓùÅ|N/A|
+|Migration from connect sync to cloud sync|ΓùÅ|ΓùÅ|N/A|N/A|
+|Hybrid Azure AD Join|N/A|ΓùÅ|N/A|N/A|
+|Exchange hybrid|N/A|ΓùÅ|N/A|N/A|
+|User accounts in one forest / mailboxes in resource forest|N/A|ΓùÅ|N/A|N/A|
+|Sync large domains with more than 250K objects|N/A|ΓùÅ|ΓùÅ|N/A|
+|Filter directory objects based on attribute values|N/A|ΓùÅ|ΓùÅ|N/A|
+|Windows Hello for Business|N/A|ΓùÅ|N/A|N/A|
+|Synchronize from cloud to on-premises AD|N/A|N/A|ΓùÅ|N/A|
+|Synchronize from cloud to on-premises LDAP|N/A|N/A|ΓùÅ|ΓùÅ|
+|Synchronize from cloud to on-premises SQL|N/A|N/A|ΓùÅ|ΓùÅ|
+
+For additional information, see [Supported topologies for cloud sync](cloud-sync/plan-cloud-sync-topologies.md) and [Supported topologies for connect sync](connect/plan-connect-topologies.md)
++
+## Additional information
+- You can sync users & groups from the same domain using Connect Sync and Cloud Sync if:
+ - Scoping filters in each sync is mutually exclusive
+ - If inclusive, donΓÇÖt have the same attributes values clashing (Precedence isnΓÇÖt supported)
+- You can sync users & groups using Connect Sync while using Cloud SyncΓÇÖs net new capabilities (*called out in Roadmap)
+- You can sync objects from a single AD to multiple Azure ADs if writeback capabilities are enabled only in a single Azure AD tenant.
++
+## Cloud sync and connect sync in parallel
+You can run cloud sync and Azure AD Connect in the same forest. You can use cloud sync to manage your users and groups and use Azure AD Connect for devices, for example. You may decide to do allow cloud sync to handle 80% and use Azure AD Connect for some of your more obscure, 20% scenarios. The tutorial, [Migrate to Azure AD Connect cloud sync for an existing synced AD forest](cloud-sync/tutorial-pilot-aadc-aadccp.md) shows an example of how you would run each.
+
+## Common authentication methods and scenarios
+
+Hybrid identity scenarios use one of three authentication methods. The three methods are:
+
+- **[Password hash synchronization (PHS)](connect/whatis-phs.md)**
+- **[Pass-through authentication (PTA)](connect/how-to-connect-pta.md)**
+- **[Federation (AD FS)](connect/whatis-fed.md)**
+
+These authentication methods also provide [single-sign on](connect/how-to-connect-sso.md) capabilities. Single-sign on automatically signs your users in when they are on their corporate devices, connected to your corporate network.
+
+For additional information, see [Choose the right authentication method for your Azure Active Directory hybrid identity solution](connect/choose-ad-authn.md).
+
+|I need to:|PHS and SSO| PTA and SSO|Federation|
+|--|--|--|--|
+|Sync new user, contact, and group accounts created in my on-premises Active Directory to the cloud automatically.|ΓùÅ| ΓùÅ |ΓùÅ|
+|Set up my tenant for Microsoft 365 hybrid scenarios.|ΓùÅ| ΓùÅ |ΓùÅ|
+|Enable my users to sign in and access cloud services using their on-premises password.|ΓùÅ| ΓùÅ |ΓùÅ|
+|Implement single sign-on using corporate credentials.|ΓùÅ| ΓùÅ |ΓùÅ|
+|Ensure no password hashes are stored in the cloud.| |ΓùÅ|ΓùÅ|
+|Enable cloud-based multi-factor authentication solutions.|ΓùÅ|ΓùÅ|ΓùÅ|
+|Enable on-premises multi-factor authentication solutions.| | |ΓùÅ|
+|Support smartcard authentication for my users.| | |ΓùÅ|
+
+## Next steps
+- [Tools for synchronization](sync-tools.md)
+- [Choosing the right sync tool](https://setup.microsoft.com/azure/add-or-sync-users-to-azure-ad)
+- [Steps to start](get-started.md)
+- [Prerequisites](prerequisites.md)
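Review bot: the "Additional information" bullets on syncing the same domain with both Connect Sync and Cloud Sync are the guardrail that keeps two tools from claiming the same objects, but they are hard to parse: "Scoping filters in each sync is mutually exclusive" has a number-agreement error, and "If inclusive, don’t have the same attributes values clashing (Precedence isn’t supported)" does not say what the admin must do. Suggest: "The scoping filters of the two sync tools must not overlap; if the same object is in scope for both, the attributes each tool flows must not overlap, because there is no precedence between them." Also "(*called out in Roadmap)" has an asterisk with no footnote or link, "You may decide to do allow cloud sync" has a stray "do", "single-sign on" in the authentication paragraph should match "single sign-on" used in the table, and the sentence ending "[Supported topologies for connect sync](connect/plan-connect-topologies.md)" is missing its period.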
active-directory Concept Adsync Service Account https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/concept-adsync-service-account.md
- Title: 'Azure AD Connect: ADSync service account'
-description: This topic describes the ADSync service account and provides best practices regarding the account.
------ Previously updated : 01/27/2023-----
-# ADSync service account
-Azure AD Connect installs an on-premises service which orchestrates synchronization between Active Directory and Azure Active Directory. The Microsoft Azure AD Sync synchronization service (ADSync) runs on a server in your on-premises environment. The credentials for the service are set by default in the Express installations but may be customized to meet your organizational security requirements. These credentials aren't used to connect to your on-premises forests or Azure Active Directory.
-
-Choosing the ADSync service account is an important planning decision to make prior to installing Azure AD Connect. Any attempt to change the credentials after installation will result in the service failing to start, losing access to the synchronization database, and failing to authenticate with your connected directories (Azure and AD DS). No synchronization will occur until the original credentials are restored.
-
-The sync service can run under different accounts. It can run under a Virtual Service Account (VSA), a Managed Service Account (gMSA/sMSA), or a regular User Account. The supported options were changed with the 2017 April release and 2021 March release of Azure AD Connect when you do a fresh installation. If you upgrade from an earlier release of Azure AD Connect, these additional options aren't available.
--
-|Type of account|Installation option|Description|
-|--||--|
-|Virtual Service Account|Express and custom, 2017 April and later| A Virtual Service Account is used for all express installations, except for installations on a Domain Controller. When using custom installation, it's the default option unless another option is used.|
-|Managed Service Account|Custom, 2017 April and later|If you use a remote SQL Server, then we recommend using a group managed service account. |
-|Managed Service Account|Express and custom, 2021 March and later|A standalone Managed Service Account prefixed with ADSyncMSA_ is created during installation for express installations when installed on a Domain Controller. When using custom installation, it's the default option unless another option is used.|
-|User Account|Express and custom, 2017 April to 2021 March|A User Account prefixed with AAD_ is created during installation for express installations when installed on a Domain Controller. When using custom installation, it's the default option unless another option is used.|
-|User Account|Express and custom, 2017 March and earlier|A User Account prefixed with AAD_ is created during installation for express installations. When using custom installation, another account can be specified.|
-
->[!IMPORTANT]
-> If you use Connect with a build from 2017 March or earlier, then you should not reset the password on the service account since Windows destroys the encryption keys for security reasons. You can't change the account to any other account without reinstalling Azure AD Connect. If you upgrade to a build from 2017 April or later, then it's supported to change the password on the service account, but you can't change the account used.
-
-> [!IMPORTANT]
-> You can only set the service account on first installation. It isn't supported to change the service account after the installation has been completed. If you need to change the service account password, this is supported and instructions can be found [here](how-to-connect-sync-change-serviceacct-pass.md).
-
-The following is a table of the default, recommended, and supported options for the sync service account.
-
-Legend:
--- **Bold** indicates the default option and, in most cases, the recommended option. -- *Italic* indicates the recommended option when it's not the default option. -- Non-bold - Supported option -- Local account - Local user account on the server -- Domain account - Domain user account -- sMSA - [standalone Managed Service account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10))-- gMSA - [group managed service account](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11)) -
-|Machine type |**LocalDB</br> Express**|**LocalDB/LocalSQL</br> Custom**|**Remote SQL</br> Custom**|
-|--|--|--|--|
-|**domain-joined machine**|**VSA**|**VSA**</br> *sMSA*</br> *gMSA*</br> Local account</br> Domain account| *gMSA* </br>Domain account|
-|Domain Controller| **sMSA**|**sMSA** </br>*gMSA*</br> Domain account|*gMSA*</br>Domain account|
-
-## Virtual Service Account
-
-A Virtual Service Account is a special type of managed local account that doesn't have a password and is automatically managed by Windows.
-
- ![Virtual service account](media/concept-adsync-service-account/account-1.png)
-
-The Virtual Service Account is intended to be used with scenarios where the sync engine and SQL are on the same server. If you use remote SQL, then we recommend using a group managed service account instead.
-
-The Virtual Service Account can't be used on a Domain Controller due to [Windows Data Protection API (DPAPI)](/previous-versions/ms995355(v=msdn.10)) issues.
-
-## Managed Service Account
-
-If you use a remote SQL Server, then we recommend to using a group managed service account. For more information on how to prepare your Active Directory for group managed service account, see [Group Managed Service Accounts Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11)).
-
-To use this option, on the [Install required components](how-to-connect-install-custom.md#install-required-components) page, select **Use an existing service account**, and select **Managed Service Account**.
-
- ![managed service account](media/concept-adsync-service-account/account-2.png)
-
-It is also supported to use a standalone managed service account. However, these can only be used on the local machine and there's no benefit to using them over the default Virtual Service Account.
-
-### Auto-generated standalone Managed Service Account
-
-If you install Azure AD Connect on a Domain Controller, a standalone Managed Service Account is created by the installation wizard (unless you specify the account to use in custom settings). The account is prefixed **ADSyncMSA_** and used for the actual sync service to run as.
-
-This account is a managed domain account that doesn't have a password and is automatically managed by Windows.
-
-This account is intended to be used with scenarios where the sync engine and SQL are on the Domain Controller.
-
-## User Account
-
-A local service account is created by the installation wizard (unless you specify the account to use in custom settings). The account is prefixed AAD_ and used for the actual sync service to run as. If you install Azure AD Connect on a Domain Controller, the account is created in the domain. The AAD_ service account must be located in the domain if:
-- You use a remote server running SQL Server -- You use a proxy that requires authentication -
- ![user account](media/concept-adsync-service-account/account-3.png)
-
-The account is created with a long complex password that doesn't expire.
-
-This account is used to store passwords for the other accounts in a secure way. These other accounts passwords are stored encrypted in the database. The private keys for the encryption keys are protected with the cryptographic services secret-key encryption using Windows Data Protection API (DPAPI).
-
-If you use a full SQL Server, then the service account is the DBO of the created database for the sync engine. The service won't function as intended with any other permission. A SQL login is also created.
-
-The account is also granted permission to files, registry keys, and other objects related to the Sync Engine.
--
-## Next steps
-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
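Review bot: this hunk deletes the whole ADSync service account article, including the operational security guidance that the service account cannot be changed after installation and that resetting its password on a March 2017 or earlier build destroys the encryption keys ("Windows destroys the encryption keys for security reasons") that protect the other accounts' passwords in the sync database. Confirm the content is being moved rather than dropped (the other files in this change live under hybrid/cloud-sync/, so a relocation of the connect sync articles seems likely) and that a redirect is in place for the old path. If it is relocated, the move is a chance to fix the legend that was run together on one line ("-- **Bold** indicates the default option ... -- gMSA - [group managed service account]...") and the two-item list after "The AAD_ service account must be located in the domain if:", which is also collapsed onto one line.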
active-directory Concept Azure Ad Connect Sync Architecture https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/concept-azure-ad-connect-sync-architecture.md
- Title: 'Azure AD Connect sync: Understanding the architecture - Azure'
-description: This topic describes the architecture of Azure AD Connect sync and explains the terms used.
------- Previously updated : 01/26/2023-----
-# Azure AD Connect sync: Understanding the architecture
-This topic covers the basic architecture for Azure AD Connect sync. In many aspects, it is similar to its predecessors MIIS 2003, ILM 2007, and FIM 2010. Azure AD Connect sync is the evolution of these technologies. If you are familiar with any of these earlier technologies, the content of this topic will be familiar to you as well. If you are new to synchronization, then this topic is for you. It is however not a requirement to know the details of this topic to be successful in making customizations to Azure AD Connect sync (called sync engine in this topic).
-
-## Architecture
-The sync engine creates an integrated view of objects that are stored in multiple connected data sources and manages identity information in those data sources. This integrated view is determined by the identity information retrieved from connected data sources and a set of rules that determine how to process this information.
-
-### Connected Data Sources and Connectors
-The sync engine processes identity information from different data repositories, such as Active Directory or a SQL Server database. Every data repository that organizes its data in a database-like format and that provides standard data-access methods is a potential data source candidate for the sync engine. The data repositories that are synchronized by sync engine are called **connected data sources** or **connected directories** (CD).
-
-The sync engine encapsulates interaction with a connected data source within a module called a **Connector**. Each type of connected data source has a specific Connector. The Connector translates a required operation into the format that the connected data source understands.
-
-Connectors make API calls to exchange identity information (both read and write) with a connected data source. It is also possible to add a custom Connector using the extensible connectivity framework. The following illustration shows how a Connector connects a connected data source to the sync engine.
-
-![Diagram shows a connected data source and a sync engine associated by a line called Connector.](./media/concept-azure-ad-connect-sync-architecture/arch1.png)
-
-Data can flow in either direction, but it cannot flow in both directions simultaneously. In other words, a Connector can be configured to allow data to flow from the connected data source to sync engine or from sync engine to the connected data source, but only one of those operations can occur at any one time for one object and attribute. The direction can be different for different objects and for different attributes.
-
-To configure a Connector, you specify the object types that you want to synchronize. Specifying the object types defines the scope of objects that are included in the synchronization process. The next step is to select the attributes to synchronize, which is known as an attribute inclusion list. These settings can be changed any time in response to changes to your business rules. When you use the Azure AD Connect installation wizard, these settings are configured for you.
-
-To export objects to a connected data source, the attribute inclusion list must include at least the minimum attributes required to create a specific object type in a connected data source. For example, the **sAMAccountName** attribute must be included in the attribute inclusion list to export a user object to Active Directory because all user objects in Active Directory must have a **sAMAccountName** attribute defined. Again, the installation wizard does this configuration for you.
-
-If the connected data source uses structural components, such as partitions or containers to organize objects, you can limit the areas in the connected data source that are used for a given solution.
-
-### Internal structure of the sync engine namespace
-The entire sync engine namespace consists of two namespaces that store the identity information. The two namespaces are:
-
-* The connector space (CS)
-* The metaverse (MV)
-
-The **connector space** is a staging area that contains representations of the designated objects from a connected data source and the attributes specified in the attribute inclusion list. The sync engine uses the connector space to determine what has changed in the connected data source and to stage incoming changes. The sync engine also uses the connector space to stage outgoing changes for export to the connected data source. The sync engine maintains a distinct connector space as a staging area for each Connector.
-
-By using a staging area, the sync engine remains independent of the connected data sources and is not affected by their availability and accessibility. As a result, you can process identity information at any time by using the data in the staging area. The sync engine can request only the changes made inside the connected data source since the last communication session terminated or push out only the changes to identity information that the connected data source has not yet received, which reduces the network traffic between the sync engine and the connected data source.
-
-In addition, sync engine stores status information about all objects that it stages in the connector space. When new data is received, sync engine always evaluates whether the data has already been synchronized.
-
-The **metaverse** is a storage area that contains the aggregated identity information from multiple connected data sources, providing a single global, integrated view of all combined objects. Metaverse objects are created based on the identity information that is retrieved from the connected data sources and a set of rules that allow you to customize the synchronization process.
-
-The following illustration shows the connector space namespace and the metaverse namespace within the sync engine.
-
-![Diagram shows a connected data source and a sync engine, which is separated into connector space and metaverse namespaces, associated by a line called Connector.](./media/concept-azure-ad-connect-sync-architecture/arch2.png)
-
-## Sync engine identity objects
-The objects in the sync engine are representations of either objects in the connected data source or the integrated view that sync engine has of those objects. Every sync engine object must have a globally unique identifier (GUID). GUIDs provide data integrity and express relationships between objects.
-
-### Connector space objects
-When sync engine communicates with a connected data source, it reads the identity information in the connected data source and uses that information to create a representation of the identity object in the connector space. You cannot create or delete these objects individually. However, you can manually delete all objects in a connector space.
-
-All objects in the connector space have two attributes:
-
-* A globally unique identifier (GUID)
-* A distinguished name (also known as DN)
-
-If the connected data source assigns a unique attribute to the object, then objects in the connector space can also have an anchor attribute. The anchor attribute uniquely identifies an object in the connected data source. The sync engine uses the anchor to locate the corresponding representation of this object in the connected data source. Sync engine assumes that the anchor of an object never changes over the lifetime of the object.
-
-Many of the Connectors use a known unique identifier to generate an anchor automatically for each object when it is imported. For example, the Active Directory Connector uses the **objectGUID** attribute for an anchor. For connected data sources that do not provide a clearly defined unique identifier, you can specify anchor generation as part of the Connector configuration.
-
-In that case, the anchor is built from one or more unique attributes of an object type, neither of which changes, and that uniquely identifies the object in the connector space (for example, an employee number or a user ID).
-
-A connector space object can be one of the following:
-
-* A staging object
-* A placeholder
-
-### Staging Objects
-A staging object represents an instance of the designated object types from the connected data source. In addition to the GUID and the distinguished name, a staging object always has a value that indicates the object type.
-
-Staging objects that have been imported always have a value for the anchor attribute. Staging objects that have been newly provisioned by sync engine and are in the process of being created in the connected data source do not have a value for the anchor attribute.
-
-Staging objects also carry current values of business attributes, and operational information needed by sync engine to perform the synchronization process. Operational information includes flags that indicate the type of updates that are staged on the staging object. If a staging object has received new identity information from the connected data source that has not yet been processed, the object is flagged as **pending import**. If a staging object has new identity information that has not yet been exported to the connected data source, it is flagged as **pending export**.
-
-A staging object can be an import object or an export object. The sync engine creates an import object by using object information received from the connected data source. When sync engine receives information about the existence of a new object that matches one of the object types selected in the Connector, it creates an import object in the connector space as a representation of the object in the connected data source.
-
-The following illustration shows an import object that represents an object in the connected data source.
-
-![Diagram shows an import object brought from the connected data source to the connector space namespace in the sync engine.](./media/concept-azure-ad-connect-sync-architecture/arch3.png)
-
-The sync engine creates an export object by using object information in the metaverse. Export objects are exported to the connected data source during the next communication session. From the perspective of the sync engine, export objects do not exist in the connected data source yet. Therefore, the anchor attribute for an export object is not available. After it receives the object from sync engine, the connected data source creates a unique value for the anchor attribute of the object.
-
-The following illustration shows how an export object is created by using identity information in the metaverse.
-
-![Diagram shows an export object brought from the metaverse to the connector space namespace, then to the connected data source.](./media/concept-azure-ad-connect-sync-architecture/arch4.png)
-
-The sync engine confirms the export of the object by reimporting the object from the connected data source. Export objects become import objects when sync engine receives them during the next import from that connected data source.
-
-### Placeholders
-The sync engine uses a flat namespace to store objects. However, some connected data sources such as Active Directory use a hierarchical namespace. To transform information from a hierarchical namespace into a flat namespace, sync engine uses placeholders to preserve the hierarchy.
-
-Each placeholder represents a component (for example, an organizational unit) of an object's hierarchical name that has not been imported into sync engine but is required to construct the hierarchical name. They fill gaps created by references in the connected data source to objects that are not staging objects in the connector space.
-
-The sync engine also uses placeholders to store referenced objects that have not yet been imported. For example, if sync is configured to include the manager attribute for the *Abbie Spencer* object and the received value is an object that has not been imported yet, such as *CN=Lee Sperry,CN=Users,DC=fabrikam,DC=com*, the manager information is stored as placeholders in the connector space. If the manager object is later imported, the placeholder object is overwritten by the staging object that represents the manager.
-
-### Metaverse objects
-A metaverse object contains the aggregated view that sync engine has of the staging objects in the connector space. Sync engine creates metaverse objects by using the information in import objects. Several connector space objects can be linked to a single metaverse object, but a connector space object cannot be linked to more than one metaverse object.
-
-Metaverse objects cannot be manually created or deleted. The sync engine automatically deletes metaverse objects that do not have a link to any connector space object in the connector space.
-
-To map objects within a connected data source to a corresponding object type within the metaverse, sync engine provides an extensible schema with a predefined set of object types and associated attributes. You can create new object types and attributes for metaverse objects. Attributes can be single-valued or multivalued, and the attribute types can be strings, references, numbers, and Boolean values.
-
-### Relationships between staging objects and metaverse objects
-Within the sync engine namespace, the data flow is enabled by the link relationship between staging objects and metaverse objects. A staging object that is linked to a metaverse object is called a **joined object** (or **connector object**). A staging object that is not linked to a metaverse object is called a **disjoined object** (or **disconnector object**). The terms joined and disjoined are preferred to not confuse with the Connectors responsible for importing and exporting data from a connected directory.
-
-Placeholders are never linked to a metaverse object
-
-A joined object comprises a staging object and its linked relationship to a single metaverse object. Joined objects are used to synchronize attribute values between a connector space object and a metaverse object.
-
-When a staging object becomes a joined object during synchronization, attributes can flow between the staging object and the metaverse object. Attribute flow is bidirectional and is configured by using import attribute rules and export attribute rules.
-
-A single connector space object can be linked to only one metaverse object. However, each metaverse object can be linked to multiple connector space objects in the same or in different connector spaces, as shown in the following illustration.
-
-![Diagram shows two connected data objects associated by connectors to a sync engine, which has joined objects and a disjoined object.](./media/concept-azure-ad-connect-sync-architecture/arch5.png)
-
-The linked relationship between the staging object and a metaverse object is persistent and can be removed only by rules that you specify.
-
-A disjoined object is a staging object that is not linked to any metaverse object. The attribute values of a disjoined object are not processed any further within the metaverse. The attribute values of the corresponding object in the connected data source are not updated by sync engine.
-
-By using disjoined objects, you can store identity information in sync engine and process it later. Keeping a staging object as a disjoined object in the connector space has many advantages. Because the system has already staged the required information about this object, it is not necessary to create a representation of this object again during the next import from the connected data source. This way, sync engine always has a complete snapshot of the connected data source, even if there is no current connection to the connected data source. Disjoined objects can be converted into joined objects, and vice versa, depending on the rules that you specify.
-
-An import object is created as a disjoined object. An export object must be a joined object. The system logic enforces this rule and deletes every export object that is not a joined object.
-
-## Sync engine identity management process
-The identity management process controls how identity information is updated between different connected data sources. Identity management occurs in three processes:
-
-* Import
-* Synchronization
-* Export
-
-During the import process, sync engine evaluates the incoming identity information from a connected data source. When changes are detected, it either creates new staging objects or updates existing staging objects in the connector space for synchronization.
-
-During the synchronization process, sync engine updates the metaverse to reflect changes that have occurred in the connector space and updates the connector space to reflect changes that have occurred in the metaverse.
-
-During the export process, sync engine pushes out changes that are staged on staging objects and that are flagged as pending export.
-
-The following illustration shows where each of the processes occurs as identity information flows from one connected data source to another.
-
-![Diagram shows the flow of identity information from connected data to connector space (import) to metaverse to connector space (synchonization) to connected data (export).](./media/concept-azure-ad-connect-sync-architecture/arch6.png)
-
-### Import process
-During the import process, sync engine evaluates updates to identity information. Sync engine compares the identity information received from the connected data source with the identity information about a staging object and determines whether the staging object requires updates. If it is necessary to update the staging object with new data, the staging object is flagged as pending import.
-
-By staging objects in the connector space before synchronization, sync engine can process only the identity information that has changed. This process provides the following benefits:
-
-* **Efficient synchronization**. The amount of data processed during synchronization is minimized.
-* **Efficient resynchronization**. You can change how sync engine processes identity information without reconnecting the sync engine to the data source.
-* **Opportunity to preview synchronization**. You can preview synchronization to verify that your assumptions about the identity management process are correct.
-
-For each object specified in the Connector, the sync engine first tries to locate a representation of the object in the connector space of the Connector. Sync engine examines all staging objects in the connector space and tries to find a corresponding staging object that has a matching anchor attribute. If no existing staging object has a matching anchor attribute, sync engine tries to find a corresponding staging object with the same distinguished name.
-
-When sync engine finds a staging object that matches by distinguished name but not by anchor, the following special behavior occurs:
-
-* If the object located in the connector space has no anchor, then sync engine removes this object from the connector space and marks the metaverse object it is linked to as **retry provisioning on next synchronization run**. Then it creates the new import object.
-* If the object located in the connector space has an anchor, then sync engine assumes that this object has either been renamed or deleted in the connected directory. It assigns a temporary, new distinguished name for the connector space object so that it can stage the incoming object. The old object then becomes **transient**, waiting for the Connector to import the rename or deletion to resolve the situation.
-
-Transient objects are not always a problem, and you might see them even in a healthy environment. With [Azure AD Connect sync V2 endpoint API](how-to-connect-sync-endpoint-api-v2.md), transient objects should auto-resolve in subsequent delta synchronization cycles. A common example where you might find transient objects being generated occurs on Azure AD Connect servers installed in staging mode, when an admin permanently deletes an object directly in Azure AD using PowerShell and later synchronizes the object again.
-
-If sync engine locates a staging object that corresponds to the object specified in the Connector, it determines what kind of changes to apply. For example, sync engine might rename or delete the object in the connected data source, or it might only update the objectΓÇÖs attribute values.
-
-Staging objects with updated data are marked as pending import. Different types of pending imports are available. Depending on the result of the import process, a staging object in the connector space has one of the following pending import types:
-
-* **None**. No changes to any of the attributes of the staging object are available. Sync engine does not flag this type as pending import.
-* **Add**. The staging object is a new import object in the connector space. Sync engine flags this type as pending import for additional processing in the metaverse.
-* **Update**. Sync engine finds a corresponding staging object in the connector space and flags this type as pending import so that updates to the attributes can be processed in the metaverse. Updates include object renaming.
-* **Delete**. Sync engine finds a corresponding staging object in the connector space and flags this type as pending import so that the joined object can be deleted.
-* **Delete/Add**. Sync engine finds a corresponding staging object in the connector space, but the object types do not match. In this case, a delete-add modification is staged. A delete-add modification indicates to the sync engine that a complete resynchronization of this object must occur because different sets of rules apply to this object when the object type changes.
-
-By setting the pending import status of a staging object, it is possible to reduce significantly the amount of data processed during synchronization because doing so allows the system to process only those objects that have updated data.
-
-### Synchronization process
-Synchronization consists of two related processes:
-
-* Inbound synchronization, when the content of the metaverse is updated by using the data in the connector space.
-* Outbound synchronization, when the content of the connector space is updated by using data in the metaverse.
-
-By using the information staged in the connector space, the inbound synchronization process creates an integrated view of the data in the metaverse that is stored in the connected data sources. Either all staging objects or only those with a pending import information are aggregated, depending on how the rules are configured.
-
-The outbound synchronization process updates export objects when metaverse objects change.
-
-Inbound synchronization creates the integrated view in the metaverse of the identity information that is received from the connected data sources. Sync engine can process identity information at any time by using the latest identity information that it has from the connected data source.
-
-**Inbound synchronization**
-
-Inbound synchronization includes the following processes:
-
-* **Provision** (also called **Projection** if it is important to distinguish this process from outbound synchronization provisioning). The Sync engine creates a new metaverse object based on a staging object and links them. Provision is an object-level operation.
-* **Join**. The Sync engine links a staging object to an existing metaverse object. A join is an object-level operation.
-* **Import attribute flow**. Sync engine updates the attribute values, called attribute flow, of the object in the metaverse. Import attribute flow is an attribute-level operation that requires a link between a staging object and a metaverse object.
-
-Provision is the only process that creates objects in the metaverse. Provision affects only import objects that are disjoined objects. During provision, sync engine creates a metaverse object that corresponds to the object type of the import object and establishes a link between both objects, thus creating a joined object.
-
-The join process also establishes a link between import objects and a metaverse object. The difference between join and provision is that the join process requires that the import object are linked to an existing metaverse object, where the provision process creates a new metaverse object.
-
-Sync engine tries to join an import object to a metaverse object by using criteria that is specified in the Synchronization Rule configuration.
-
-During the provision and join processes, sync engine links a disjoined object to a metaverse object, making them joined. After these object-level operations are completed, sync engine can update the attribute values of the associated metaverse object. This process is called import attribute flow.
-
-Import attribute flow occurs on all import objects that carry new data and are linked to a metaverse object.
-
-**Outbound synchronization**
-
-Outbound synchronization updates export objects when a metaverse object change but is not deleted. The objective of outbound synchronization is to evaluate whether changes to metaverse objects require updates to staging objects in the connector spaces. In some cases, the changes can require that staging objects in all connector spaces be updated. Staging objects that are changed are flagged as pending export, making them export objects. These export objects are later pushed out to the connected data source during the export process.
-
-Outbound synchronization has three processes:
-
-* **Provisioning**
-* **Deprovisioning**
-* **Export attribute flow**
-
-Provisioning and deprovisioning are both object-level operations. Deprovisioning depends on provisioning because only provisioning can initiate it. Deprovisioning is triggered when provisioning removes the link between a metaverse object and an export object.
-
-Provisioning is always triggered when changes are applied to objects in the metaverse. When changes are made to metaverse objects, sync engine can perform any of the following tasks as part of the provisioning process:
-
-* Create joined objects, where a metaverse object is linked to a newly created export object.
-* Rename a joined object.
-* Disjoin links between a metaverse object and staging objects, creating a disjoined object.
-
-If provisioning requires sync engine to create a new connector object, the staging object to which the metaverse object is linked is always an export object, because the object does not yet exist in the connected data source.
-
-If provisioning requires sync engine to disjoin a joined object, creating a disjoined object, deprovisioning is triggered. The deprovisioning process deletes the object.
-
-During deprovisioning, deleting an export object does not physically delete the object. The object is flagged as **deleted**, which means that the delete operation is staged on the object.
-
-Export attribute flow also occurs during the outbound synchronization process, similar to the way that import attribute flow occurs during inbound synchronization. Export attribute flow occurs only between metaverse and export objects that are joined.
-
-### Export process
-During the export process, sync engine examines all export objects that are flagged as pending export in the connector space, and then sends updates to the connected data source.
-
-The sync engine can determine the success of an export but it cannot sufficiently determine that the identity management process is complete. Objects in the connected data source can always be changed by other processes. Because sync engine does not have a persistent connection to the connected data source, it is not sufficient to make assumptions about the properties of an object in the connected data source based only on a successful export notification.
-
-For example, a process in the connected data source could change the objectΓÇÖs attributes back to their original values (that is, the connected data source could overwrite the values immediately after the data is pushed out by sync engine and successfully applied in the connected data source).
-
-The sync engine stores export and import status information about each staging object. If values of the attributes that are specified in the attribute inclusion list have changed since the last export, the storage of import and export status enables sync engine to react appropriately. Sync engine uses the import process to confirm attribute values that have been exported to the connected data source. A comparison between the imported and exported information, as shown in the following illustration, enables sync engine to determine whether the export was successful or if it needs to be repeated.
-
-![Diagram shows the synchronization of an object between connector space and connected data over the connector.](./media/concept-azure-ad-connect-sync-architecture/arch7.png)
-
-For example, if sync engine exports attribute C, which has a value of 5, to a connected data source, it stores C=5 in its export status memory. Each additional export on this object results in an attempt to export C=5 to the connected data source again because sync engine assumes that this value has not been persistently applied to the object (that is, unless a different value was imported recently from the connected data source). The export memory is cleared when C=5 is received during an import operation on the object.
-
-## Next steps
-Learn more about the [Azure AD Connect sync](how-to-connect-sync-whatis.md) configuration.
-
-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
-
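Review bot: No `+` counterpart for this article appears anywhere in the region, so before merging confirm that the text is recreated at its new path and that a redirect covers the old `concept-azure-ad-connect-sync-architecture` URL; the Next steps links are relative (`how-to-connect-sync-whatis.md`, `whatis-hybrid-identity.md`), as are the `./media/concept-azure-ad-connect-sync-architecture/arch*.png` image paths, so all of them must still resolve from wherever the content lands. If the body is being carried over rather than dropped, do not migrate the defects visible here: the mojibake `objectΓÇÖs` (twice, in the import-process and export-process paragraphs) should be a plain apostrophe, the alt text for arch6.png misspells `synchonization`, and the sentence `Placeholders are never linked to a metaverse object` is missing its period.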
active-directory Concept Azure Ad Connect Sync Declarative Provisioning Expressions https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/concept-azure-ad-connect-sync-declarative-provisioning-expressions.md
- Title: 'Azure AD Connect: Declarative Provisioning Expressions'
-description: Explains the declarative provisioning expressions.
------ Previously updated : 01/26/2023-----
-# Azure AD Connect sync: Understanding Declarative Provisioning Expressions
-Azure AD Connect sync builds on declarative provisioning first introduced in Forefront Identity Manager 2010. It allows you to implement your complete identity integration business logic without the need to write compiled code.
-
-An essential part of declarative provisioning is the expression language used in attribute flows. The language used is a subset of Microsoft® Visual Basic® for Applications (VBA). This language is used in Microsoft Office and users with experience of VBScript will also recognize it. The Declarative Provisioning Expression Language is only using functions and is not a structured language. There are no methods or statements. Functions are instead nested to express program flow.
-
-For more details, see [Welcome to the Visual Basic for Applications language reference for Office 2013](/office/vba/api/overview/language-reference).
-
-The attributes are strongly typed. A function only accepts attributes of the correct type. It is also case-sensitive. Both function names and attribute names must have proper casing or an error is thrown.
-
-## Language definitions and Identifiers
-* Functions have a name followed by arguments in brackets: FunctionName(argument 1, argument N).
-* Attributes are identified by square brackets: [attributeName]
-* Parameters are identified by percent signs: %ParameterName%
-* String constants are surrounded by quotes: For example, "Contoso" (Note: must use straight quotes "" and not smart quotes ΓÇ£ΓÇ¥)
-* Numeric values are expressed without quotes and expected to be decimal. Hexadecimal values are prefixed with &H. For example, 98052, &HFF
-* Boolean values are expressed with constants: True, False.
-* Built-in constants and literals are expressed with only their name: NULL, CRLF, IgnoreThisFlow
-
-### Functions
-Declarative provisioning uses many functions to enable the possibility to transform attribute values. These functions can be nested so the result from one function is passed in to another function.
-
-`Function1(Function2(Function3()))`
-
-The complete list of functions can be found in the [function reference](reference-connect-sync-functions-reference.md).
-
-### Parameters
-A parameter is defined either by a Connector or by an administrator using PowerShell. Parameters usually contain values that are different from system to system, for example the name of the domain the user is located in. These parameters can be used in attribute flows.
-
-The Active Directory Connector provided the following parameters for inbound Synchronization Rules:
-
-| Parameter Name | Comment |
-| | |
-| Domain.Netbios |Netbios format of the domain currently being imported, for example FABRIKAMSALES |
-| Domain.FQDN |FQDN format of the domain currently being imported, for example sales.fabrikam.com |
-| Domain.LDAP |LDAP format of the domain currently being imported, for example DC=sales,DC=fabrikam,DC=com |
-| Forest.Netbios |Netbios format of the forest name currently being imported, for example FABRIKAMCORP |
-| Forest.FQDN |FQDN format of the forest name currently being imported, for example fabrikam.com |
-| Forest.LDAP |LDAP format of the forest name currently being imported, for example DC=fabrikam,DC=com |
-
-The system provides the following parameter, which is used to get the identifier of the Connector currently running:
-`Connector.ID`
-
-Here is an example that populates the metaverse attribute domain with the netbios name of the domain where the user is located:
-`domain` <- `%Domain.Netbios%`
-
-### Operators
-The following operators can be used:
-
-* **Comparison**: <, <=, <>, =, >, >=
-* **Mathematics**: +, -, \*, -
-* **String**: & (concatenate)
-* **Logical**: && (and), || (or)
-* **Evaluation order**: ( )
-
-Operators are evaluated left to right and have the same evaluation priority. That is, the \* (multiplier) is not evaluated before - (subtraction). 2\*(5+3) is not the same as 2\*5+3. The brackets ( ) are used to change the evaluation order when left to right evaluation order isn't appropriate.
-
-## Multi-valued attributes
-The functions can operate on both single-valued and multi-valued attributes. For multi-valued attributes, the function operates over every value and applies the same function to every value.
-
-For example:
-`Trim([proxyAddresses])` Do a Trim of every value in the proxyAddress attribute.
-`Word([proxyAddresses],1,"@") & "@contoso.com"` For every value with an @-sign, replace the domain with @contoso.com.
-`IIF(InStr([proxyAddresses],"SIP:")=1,NULL,[proxyAddresses])` Look for the SIP-address and remove it from the values.
-
-## Next steps
-* Read more about the configuration model in [Understanding Declarative Provisioning](concept-azure-ad-connect-sync-declarative-provisioning.md).
-* See how declarative provisioning is used out-of-box in [Understanding the default configuration](concept-azure-ad-connect-sync-default-configuration.md).
-* See how to make a practical change using declarative provisioning in [How to make a change to the default configuration](how-to-connect-sync-change-the-configuration.md).
-
-**Overview topics**
-
-* [Azure AD Connect sync: Understand and customize synchronization](how-to-connect-sync-whatis.md)
-* [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md)
-
-**Reference topics**
-
-* [Azure AD Connect sync: Functions Reference](reference-connect-sync-functions-reference.md)
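Review bot: The Operators list reads `**Mathematics**: +, -, \*, -`, which repeats subtraction and omits division; if this article is being moved rather than retired, the fourth operator needs correcting at the new location (presumably `/`). In the same section the string-constants bullet shows `ΓÇ£ΓÇ¥` where the smart-quote characters the sentence warns against should appear, so the warning is illegible as written; render the characters properly or describe them in words. As with the previous file, there is no `+` counterpart in this region, so confirm a redirect for the old URL and that the relative links (`reference-connect-sync-functions-reference.md`, `concept-azure-ad-connect-sync-declarative-provisioning.md`, `how-to-connect-sync-change-the-configuration.md`) resolve from the new path.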
active-directory Concept Azure Ad Connect Sync Declarative Provisioning https://github.com/MicrosoftDocs/azure-docs/commits/main/articles/active-directory/hybrid/concept-azure-ad-connect-sync-declarative-provisioning.md
- Title: 'Azure AD Connect: Understanding Declarative Provisioning'
-description: Explains the declarative provisioning configuration model in Azure AD Connect.
------- Previously updated : 01/26/2023-----
-# Azure AD Connect sync: Understanding Declarative Provisioning
-This topic explains the configuration model in Azure AD Connect. The model is called Declarative Provisioning and it allows you to make a configuration change with ease. Many things described in this topic are advanced and not required for most customer scenarios.
-
-## Overview
-Declarative provisioning is processing objects coming in from a source connected directory and determines how the object and attributes should be transformed from a source to a target. An object is processed in a sync pipeline and the pipeline is the same for inbound and outbound rules. An inbound rule is from a connector space to the metaverse and an outbound rule is from the metaverse to a connector space.
-
-![Diagram that shows a sync pipeline example.](./media/concept-azure-ad-connect-sync-declarative-provisioning/sync1.png)
-
-The pipeline has several different modules. Each one is responsible for one concept in object synchronization.
-
-![Diagram that shows the modules in the pipeline.](./media/concept-azure-ad-connect-sync-declarative-provisioning/pipeline.png)
-
-* Source, The source object
-* [Scope](#scope), Finds all sync rules that are in scope
-* [Join](#join), Determines relationship between connector space and metaverse
-* Transform, Calculates how attributes should be transformed and flow
-* [Precedence](#precedence), Resolves conflicting attribute contributions
-* Target, The target object
-
-## Scope
-The scope module is evaluating an object and determines the rules that are in scope and should be included in the processing. Depending on the attributes values on the object, different sync rules are evaluated to be in scope. For example, a disabled user with no Exchange mailbox does have different rules than an enabled user with a mailbox.
-![Diagram that shows the scope module for an object.](./media/concept-azure-ad-connect-sync-declarative-provisioning/scope1.png)
-
-The scope is defined as groups and clauses. The clauses are inside a group. A logical AND is used between all clauses in a group. For example, (department =IT AND country = Denmark). A logical OR is used between groups.
-
-![Scope](./media/concept-azure-ad-connect-sync-declarative-provisioning/scope2.png)
-The scope in this picture should be read as (department = IT AND country = Denmark) OR (country=Sweden). If either group 1 or group 2 is evaluated to true, then the rule is in scope.
-
-The scope module supports the following operations.
-
-| Operation | Description |
-| | |
-| EQUAL, NOTEQUAL |A string compare that evaluates if value is equal to the value in the attribute. For multi-valued attributes, see ISIN and ISNOTIN. |
-| LESSTHAN, LESSTHAN_OR_EQUAL |A string compare that evaluates if value is less than of the value in the attribute. |
-| CONTAINS, NOTCONTAINS |A string compare that evaluates if value can be found somewhere inside value in the attribute. |
-| STARTSWITH, NOTSTARTSWITH |A string compare that evaluates if value is in the beginning of the value in the attribute. |
-| ENDSWITH, NOTENDSWITH |A string compare that evaluates if value is in the end of the value in the attribute. |
-| GREATERTHAN, GREATERTHAN_OR_EQUAL |A string compare that evaluates if value is greater than of the value in the attribute. |
-| ISNULL, ISNOTNULL |Evaluates if the attribute is absent from the object. If the attribute is not present and therefore null, then the rule is in scope. |
-| ISIN, ISNOTIN |Evaluates if the value is present in the defined attribute. This operation is the multi-valued variation of EQUAL and NOTEQUAL. The attribute is supposed to be a multi-valued attribute and if the value can be found in any of the attribute values, then the rule is in scope. |
-| ISBITSET, ISNOTBITSET |Evaluates if a particular bit is set. For example, can be used to evaluate the bits in userAccountControl to see if a user is enabled or disabled. |
-| ISMEMBEROF, ISNOTMEMBEROF |The value should contain a DN to a group in the connector space. If the object is a member of the group specified, the rule is in scope. |
-
-## Join
-The join module in the sync pipeline is responsible for finding the relationship between the object in the source and an object in the target. On an inbound rule, this relationship would be an object in a connector space finding a relationship to an object in the metaverse.
-![Join between cs and mv](./media/concept-azure-ad-connect-sync-declarative-provisioning/join1.png)
-The goal is to see if there is an object already in the metaverse, created by another Connector, it should be associated with. For example, in an account-resource forest the user from the account forest should be joined with the user from the resource forest.
-
-Joins are used mostly on inbound rules to join connector space objects together to the same metaverse object.
-
-The joins are defined as one or more groups. Inside a group, you have clauses. A logical AND is used between all clauses in a group. A logical OR is used between groups. The groups are processed in order from top to bottom. When one group has found exactly one match with an object in the target, then no other join rules are evaluated. If zero or more than one object is found, processing continues to the next group of rules. For this reason, the rules should be created in the order of most explicit first and more fuzzy at the end.
-![Join definition](./media/concept-azure-ad-connect-sync-declarative-provisioning/join2.png)
-The joins in this picture are processed from top to bottom. First the sync pipeline sees if there is a match on employeeID. If not, the second rule sees if the account name can be used to join the objects together. If that is not a match either, the third and final rule is a more fuzzy match by using the name of user.
-
-If all join rules have been evaluated and there is not exactly one match, the **Link Type** on the **Description** page is used. If this option is set to **Provision**, then a new object in the target is created.
-![Screenshot that shows the "Link Type" drop-down menu open.](./media/concept-azure-ad-connect-sync-declarative-provisioning/join3.png)
-
-An object should only have one single sync rule with join rules in scope. If there are multiple sync rules where join is defined, an error occurs. Precedence is not used to resolve join conflicts. An object must have a join rule in scope for attributes to flow with the same inbound/outbound direction. If you need to flow attributes both inbound and outbound to the same object, you must have both an inbound and an outbound sync rule with join.
-
-Outbound join has a special behavior when it tries to provision an object to a target connector space. The DN attribute is used to first try a reverse-join. If there is already an object in the target connector space with the same DN, the objects are joined.
-
-The join module is only evaluated once when a new sync rule comes into scope. When an object has joined, it is not disjoining even if the join criteria is no longer satisfied. If you want to disjoin an object, the sync rule that joined the objects must go out of scope.
-
-### Metaverse delete
-A metaverse object remains as long as there is one sync rule in scope with **Link Type** set to **Provision** or **StickyJoin**. A StickyJoin is used when a Connector is not allowed to provision a new object to the metaverse, but when it has joined, it must be deleted in the source before the metaverse object is deleted.
-
-When a metaverse object is deleted, all objects associated with an outbound sync rule marked for **provision** are marked for a delete.
-
-## Transformations
-The transformations are used to define how attributes should flow from the source to the target. The flows can have one of the following **flow types**: Direct, Constant, or Expression. A direct flow, flows an attribute value as-is with no additional transformations. A constant value sets the specified value. An expression uses the declarative provisioning expression language to express how the transformation should be. The details for the expression language can be found in the [understanding declarative provisioning expression language](concept-azure-ad-connect-sync-declarative-provisioning-expressions.md) topic.
-
-![Provision or join](./media/concept-azure-ad-connect-sync-declarative-provisioning/transformations1.png)
-
-The **Apply once** checkbox defines that the attribute should only be set when the object is initially created. For example, this configuration can be used to set an initial password for a new user object.
-
-### Merging attribute values
-In the attribute flows there is a setting to determine if multi-valued attributes should be merged from several different Connectors. The default value is **Update**, which indicates that the sync rule with highest precedence should win.
-
-![Screenshot that shows the "Add transformations" section with the "Merge Types" drop-down menu open.](./media/concept-azure-ad-connect-sync-declarative-provisioning/mergetype.png)
-
-There is also **Merge** and **MergeCaseInsensitive**. These options allow you to merge values from different sources. For example, it can be used to merge the proxyAddresses attribute from several different forests. When you use this option, all sync rules in scope for an object must use the same merge type. You cannot define **Update** from one Connector and **Merge** from another. If you try, you receive an error.
-
-The difference between **Merge** and **MergeCaseInsensitive** is how to process duplicate attribute values. The sync engine makes sure duplicate values are not inserted into the target attribute. With **MergeCaseInsensitive**, duplicate values with only a difference in case are not going to be present. For example, you should not see both "SMTP:bob@contoso.com" and "smtp:bob@contoso.com" in the target attribute. **Merge** is only looking at the exact values and multiple values where there only is a difference in case might be present.
-
-The option **Replace** is the same as **Update**, but it is not used.
-
-### Control the attribute flow process
-When multiple inbound sync rules are configured to contribute to the same metaverse attribute, then precedence is used to determine the winner. The sync rule with highest precedence (lowest numeric value) is going to contribute the value. The same happens for outbound rules. The sync rule with highest precedence wins and contribute the value to the connected directory.
-
-In some cases, rather than contribute a value, the sync rule should determine how other rules should behave. There are some special literals used for this case.
-
-For inbound Synchronization Rules, the literal **NULL** can be used to indicate that the flow has no value to contribute. Another rule with lower precedence can contribute a value. If no rule contributed a value, then the metaverse attribute is removed. For an outbound rule, if **NULL** is the final value after all sync rules have been processed, then the value is removed in the connected directory.
-
-The literal **AuthoritativeNull** is similar to **NULL** but with the difference that no lower precedence rules can contribute a value.
-
-An attribute flow can also use **IgnoreThisFlow**. It is similar to NULL in the sense that it indicates there is nothing to contribute. The difference is that it does not remove an already existing value in the target. It is like the attribute flow has never been there.
-
-Here is an example:
-
-In *Out to AD - User Exchange hybrid* the following flow can be found:
-`IIF([cloudSOAExchMailbox] = True,[cloudMSExchSafeSendersHash],IgnoreThisFlow)`
-This expression should be read as: if the user mailbox is located in Azure AD, then flow the attribute from Azure AD to AD. If not, do not flow anything back to Active Directory. In this case, it would keep the existing value in AD.
-
-### ImportedValue
-
-The function ImportedValue is different than all other functions since the attribute name must be enclosed in quotes rather than square brackets:
-
-`ImportedValue("proxyAddresses")`.
-
-Inbound synchronization has a concept of assuming that an attribute that hasnΓÇÖt yet reached a connected directory will eventually reach it at some point so, normally, synchronization gets an attribute value from the respective connector space, even if it hasnΓÇÖt been yet exported or an error occurred during export.
-In some cases, however, it is important to only synchronize a value that has been exported and confirmed during import from the connected directory. This function can be found in multiple ΓÇ£In From AD/AADΓÇ¥ out-of-box transformation rules where the attribute should only be synchronized when it has been confirmed that the value was exported successfully.
-
-An example of this function can be found in the out-of-box Synchronization Rule *In from AD ΓÇô User Common from Exchange*, for ProxyAddresses attribute flow with Hybrid Exchange. E.g., when a userΓÇÖs ProxyAddresses is added, the ImportedValue function will only return the new value after it has been confirmed from the following import step:
-
-`proxyAddresses` <- `RemoveDuplicates(Trim(ImportedValue("proxyAddresses")))`
-
-This function is required when the target directory might change or discard an exported attribute value silently, and we want the synchronization to only process confirmed attribute values.
-
-## Precedence
-When several sync rules try to contribute the same attribute value to the target, the precedence value is used to determine the winner. The rule with highest precedence, lowest numeric value, is going to contribute the attribute in a conflict.
-
-![Merge Types](./media/concept-azure-ad-connect-sync-declarative-provisioning/precedence1.png)
-
-This ordering can be used to define more precise attribute flows for a small subset of objects. For example, the out-of-box-rules make sure that attributes from an enabled account (**User AccountEnabled**) have precedence from other accounts.
-
-Precedence can be defined between Connectors. That allows Connectors with better data to contribute values first.
-
-### Multiple objects from the same connector space
-It is not possible to have several objects in the same connector space joined to the same metaverse object. This configuration is reported as ambiguous even if the attributes in the source have the same value.
-
-![Diagram that shows multiple objects joined to the same mv object with a transparent red X overlay. ](./media/concept-azure-ad-connect-sync-declarative-provisioning/multiple1.png)
-
-## Next steps
-* Read more about the expression language in [Understanding Declarative Provisioning Expressions](concept-azure-ad-connect-sync-declarative-provisioning-expressions.md).
-* See how declarative provisioning is used out-of-box in [Understanding the default configuration](concept-azure-ad-connect-sync-default-configuration.md).
-* See how to make a practical change using declarative provisioning in [How to make a change to the default configuration](how-to-connect-sync-change-the-configuration.md).
-* Continue to read how users and contacts work together in [Understanding Users and Contacts](concept-azure-ad-connect-sync-user-and-contacts.md).
-
-**Overview topics**
-
-* [Azure AD Connect sync: Understand and customize synchronization](how-to-connect-sync-whatis.md)
-* [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md)
-
-**Reference topics**
-
-* [Azure AD
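Review bot: the removed "ImportedValue" paragraphs carry mojibake ("hasnΓÇÖt", "ΓÇ£In From AD/AADΓÇ¥", "In from AD ΓÇô User Common from Exchange"), which is UTF-8 punctuation that was saved or decoded as a single-byte code page; if this article is being relocated rather than retired, confirm that the destination copy has plain apostrophes, straight or curly quotes and an en dash in those three sentences, and that the relative links in "Next steps" (concept-azure-ad-connect-sync-declarative-provisioning-expressions.md, concept-azure-ad-connect-sync-default-configuration.md, how-to-connect-sync-change-the-configuration.md, concept-azure-ad-connect-sync-user-and-contacts.md) still resolve from the new path, since the diff shows only the deletion side. Two wording points worth carrying over into any replacement text: "The option **Replace** is the same as **Update**, but it is not used." gives no guidance on whether Replace is deprecated or simply never selected by the out-of-box rules, and the "Metaverse delete" sentence "it must be deleted in the source before the metaverse object is deleted" should name what "it" refers to (the joined connector space object).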