12.5 Configuring Azure Tenants

DRA allows you to manage MFA-enabled Azure tenants using certificate authentication. Basic authentication will be deprecated.

With one or more Azure tenants, you can configure DRA to work with Azure Active Directory to manage Azure objects. These objects include users, guest users, contacts, and groups created in Azure and users, contacts, and groups synchronized with the Azure tenant from DRA managed domains.

The DRA Administrator or an assistant administrator with the delegated role “Configure Servers and Domains” can manage Azure tenants. Azure built-in roles are required to manage Azure objects in the Web Console.

Beginning with DRA 10.2.3, managing Azure tasks requires Azure PowerShell modules, Microsoft.Graph, Az.Accounts Module, and Exchange Online. For more information, see Supported Platforms.

If you are using DRA 10.2.2 or earlier, managing Azure tasks requires Azure PowerShell modules, Azure Active Directory, the Az.Accounts Module, and Exchange Online.

You perform the configuration tasks provided below in the Delegation and Configuration Console. Operations on Azure objects are only performed in the Web Console. For more information, see Managing Azure Objects in the DRA User Guide.

12.5.1 Configuring Private Cloud

Private cloud configuration is used when DRA connects to Azure tenants.

To use private cloud, modify the <DRA Install location>/X64/Office365SessionConfig-Custom.xml configuration file and update the values for the ExchangeEnvironmentName and Environment parameters in the following sections:

  <connect-exchangeonline-parameters>
    <param name="ExchangeEnvironmentName">O365Default</param>
  </connect-exchangeonline-parameters>

The following are the values for the ExchangeEnvironmentName parameter: O365USGovGCCHigh, O365USGovDoD, O365GermanyCloud, O365China, and O365Default.

  <connect-msgraph-parameters>
    <param name="Environment">Global</param>
  </connect-msgraph-parameters>

The following are the possible values for the Environment parameter (Microsoft Graph): USGov, USGovDoD, Germany, China, and Global.
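The following PowerShell function is an added example, not part of the DRA documentation or product. It sets both private-cloud parameters in Office365SessionConfig-Custom.xml and refuses any value outside the two value sets listed above, so a typo cannot silently point DRA at the wrong cloud. The install path used in the call at the end is a placeholder, and the XPath lookups assume the file has no XML namespace.

```powershell
# Added example (not DRA's own code). Allowed values are the ones this section lists.
$ExchangeEnvironments = @('O365USGovGCCHigh','O365USGovDoD','O365GermanyCloud','O365China','O365Default')
$GraphEnvironments    = @('USGov','USGovDoD','Germany','China','Global')

function Set-DraPrivateCloudEnvironment {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string]$ExchangeEnvironmentName,
        [Parameter(Mandatory)][string]$GraphEnvironment
    )
    # Validate before touching the file so an invalid value never reaches the config.
    if ($ExchangeEnvironments -notcontains $ExchangeEnvironmentName) {
        throw "ExchangeEnvironmentName must be one of: $($ExchangeEnvironments -join ', ')"
    }
    if ($GraphEnvironments -notcontains $GraphEnvironment) {
        throw "Environment must be one of: $($GraphEnvironments -join ', ')"
    }

    [xml]$config = Get-Content -LiteralPath $ConfigPath -Raw

    # Locate the two <param> elements by their parent section and name attribute
    # (assumes no default XML namespace in the file).
    $exo   = $config.SelectSingleNode("//connect-exchangeonline-parameters/param[@name='ExchangeEnvironmentName']")
    $graph = $config.SelectSingleNode("//connect-msgraph-parameters/param[@name='Environment']")
    if (-not $exo -or -not $graph) {
        throw "Expected <param> elements not found in $ConfigPath"
    }

    # Keep a timestamped backup so the change can be rolled back.
    Copy-Item -LiteralPath $ConfigPath -Destination ("{0}.{1:yyyyMMddHHmmss}.bak" -f $ConfigPath, (Get-Date))

    $exo.InnerText   = $ExchangeEnvironmentName
    $graph.InnerText = $GraphEnvironment
    $config.Save($ConfigPath)

    # Return what was written so the caller can log or verify it.
    [pscustomobject]@{
        ExchangeEnvironmentName = $exo.InnerText
        Environment             = $graph.InnerText
    }
}

# Usage: point DRA at a US Government GCC High tenant (install path is a placeholder).
Set-DraPrivateCloudEnvironment -ConfigPath 'C:\Program Files (x86)\NetIQ\DRA\X64\Office365SessionConfig-Custom.xml' `
    -ExchangeEnvironmentName 'O365USGovGCCHigh' -GraphEnvironment 'USGov'
```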

12.5.2 Adding a New Azure Tenant

An Azure tenant can be managed using either certificate authentication or basic authentication. Certificate authentication requires an Azure application with a set of permissions; basic authentication requires an account in Azure Active Directory. For information on Azure tenant access account permissions, see Least Privilege DRA Access Accounts.

To create an Azure application for DRA and add an Azure tenant:

  1. Navigate to Configuration Management > Azure Tenants in the Delegation and Configuration Console.

  2. Right-click Azure Tenants, and select New Azure Tenant. Click Next.

  3. Create the Azure application and specify the required details in the Azure Application tab.

    1. Launch a PowerShell session in the DRA Administration server, and navigate to C:\Program Files (x86)\NetIQ\DRA\SupportingFiles

    2. Execute . .\NewDraAzureApplication.ps1 to load the script into the PowerShell session.

    3. Execute the New-DRAAzureApplication cmdlet by specifying the following parameters:

      • <name> - Name of the application from the tenant wizard.

        IMPORTANT: OpenText recommends that you use the name specified in the DRA console.

      • <environment> - DRA 10.2.3: Specify the environment that matches your cloud configuration. The Global environment is selected by default. Specify Global, China, USGov, USGovDoD, or Germany, depending on the tenant you are using.

      • <environment> (Optional) - DRA 10.2.2 or earlier: Specify AzureCloud, AzureChinaCloud, AzureGermanyCloud, or AzureUSGovernment, depending on the tenant you are using.

    4. In the Credentials dialog box, specify the Global Administrator credentials. The Azure Tenant ID, object ID, application ID, and client secret (application password) are generated.

      NOTE: Beginning with 10.2.3, DRA uses the Microsoft.Graph and Exchange Online PowerShell modules, and the Microsoft Graph API, to access the data. In 10.2.2 and earlier, DRA uses the Azure AD and Exchange Online PowerShell modules, and the Microsoft Graph API, to access the data. The application ID and application secret are used when accessing Microsoft Graph through the Microsoft Graph API.

    5. Copy the Tenant ID, object ID, application ID, and client secret into the Azure Application tab of the Add New Azure Tenant Wizard, and click Next. DRA validates the Azure application.

  4. In the Authentication tab, select an authentication type.

    For DRA 10.2.2 or earlier, DRA supports both certificate-based authentication and basic authentication when using the Azure AD and Exchange Online PowerShell modules.

    • Certificate-based authentication: This is the default option. DRA creates a self-signed certificate and associates the certificate with the Azure application. If you do not want to use the self-signed certificate, you can upload your own certificate after managing the tenant. For more information, see Uploading a Certificate Manually.

    • Basic authentication: This is the legacy option. DRA uses the user account that you specify to authenticate with Azure Active Directory. (This option is not available in a fresh DRA 10.2.3 installation.)

    Beginning with DRA 10.2.3, DRA supports only certificate-based authentication when adding new tenants with the Azure AD and Exchange Online PowerShell modules.

    NOTE: Switching to certificate-based authentication is recommended for enhanced security, because basic authentication will be deprecated. You can switch to certificate-based authentication in the Delegation and Configuration Console.

    Click Next.

  5. (Optional) In the Custom Azure Tenant Source Anchor Attribute tab, specify the source anchor attribute used to map your Active Directory objects to Azure during synchronization. Click Next.

  6. Click Finish.

    Adding the Azure tenant might take several minutes. After the tenant is successfully added, DRA performs a full accounts cache refresh for the tenant and then the added tenant displays in the Azure Tenants view pane.

    To view the authentication type for the Azure tenant, right-click the tenant and go to Properties > Authentication.

    To view the certificate information, right-click the tenant and go to Properties > Certificate Info.

12.5.3 Uploading a Certificate Manually

If you want to use your own certificate, or if the existing custom certificate has expired and you want to specify a new one, you can upload the certificate from the Azure tenant properties page. The supported certificate file formats are .pfx and .cer.

IMPORTANT: Ensure that the manual certificate you specify is protected with a strong password.

To upload a certificate:

  1. Open the Delegation and Configuration Console and navigate to Configuration Management > Azure Tenants.

  2. Right-click the Azure tenant and go to Properties > Authentication. Ensure that the Manual customer certificate option is selected.

  3. Select the Certificate Info tab.

  4. Under New certificate, click Browse to select a certificate file. If you want to specify a .cer certificate file, ensure that a certificate with the private key is installed in the personal store of the service account user.

  5. Specify the password for the certificate, if necessary.

  6. Apply the changes. The certificate details are updated.

    IMPORTANT:

    • If the primary Administration server is configured with Basic authentication, ensure that you manually specify the credentials for Basic authentication on the secondary Administration servers so that the full accounts cache refresh succeeds. The access account must be unique on each Administration server in the MMS set.

    • If the primary Administration server is configured with the Manual customer certificate or Automatic self-signed certificate authentication type, the secondary Administration servers display the authentication type as Automatic self-signed certificate. To upload your own certificate, you must manually change the authentication type to Manual customer certificate on the secondary Administration server. The certificate must be unique on each Administration server in the MMS set.
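The two functions below are an added example, not part of the DRA documentation or product. The first creates a certificate for the Manual customer certificate option and exports it as a password-protected .pfx plus a public .cer, refusing to export until a password of at least 12 characters is supplied (the IMPORTANT note above). The second checks the .cer prerequisite from step 4: the matching private key must be in the personal store of the account running the check, so run it as the DRA service account. The subject name, output folder, validity period and minimum password length are assumptions.

```powershell
# Added example (not DRA's own code). Assumed values are marked below.
function New-DraTenantCertificate {
    param(
        [string]$Subject   = 'CN=DRA Azure Tenant Auth',    # assumed subject
        [string]$OutFolder = "$env:ProgramData\DRA-Certs",  # assumed output folder
        [int]$ValidYears   = 1                              # assumed validity
    )
    $pfxPassword = Read-Host -Prompt 'PFX export password (12+ characters)' -AsSecureString
    # Enforce a minimum password length before the private key is written to disk.
    $plain = [System.Net.NetworkCredential]::new('', $pfxPassword).Password
    if ($plain.Length -lt 12) { throw 'Refusing to export: password shorter than 12 characters' }
    $plain = $null

    New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null
    # Signature key in the current user's personal store; exportable so the .pfx can be created.
    $cert = New-SelfSignedCertificate -Subject $Subject -CertStoreLocation 'Cert:\CurrentUser\My' `
        -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddYears($ValidYears)

    $pfx = Join-Path $OutFolder 'dra-tenant.pfx'
    $cer = Join-Path $OutFolder 'dra-tenant.cer'
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pfxPassword | Out-Null
    Export-Certificate    -Cert $cert -FilePath $cer | Out-Null   # public part only
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Pfx = $pfx; Cer = $cer }
}

function Test-DraCerPrivateKey {
    # For a .cer upload, the private key must sit in the uploading account's personal store.
    param([Parameter(Mandatory)][string]$CerPath)
    $public = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
    $stored = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $public.Thumbprint
    [pscustomobject]@{
        Thumbprint    = $public.Thumbprint
        InStore       = [bool]$stored
        HasPrivateKey = [bool]($stored -and $stored.HasPrivateKey)
        DaysToExpiry  = [int]($public.NotAfter - (Get-Date)).TotalDays
    }
}

# Usage: create the certificate, then confirm the .cer is usable from this account.
$result = New-DraTenantCertificate
Test-DraCerPrivateKey -CerPath $result.Cer
```

If HasPrivateKey is False when running as the service account, import the .pfx into that account's personal store before uploading the .cer.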

12.5.4 Configuring Certificate-Based Authentication for an Azure Application after Upgrading to 10.2 or later

After you upgrade to DRA 10.2 or later, you can switch from basic authentication to certificate-based authentication and configure the Azure application to use certificate-based authentication.

NOTE: For enhanced security, it is recommended that you transition to certificate-based authentication, because basic authentication will be deprecated. You can make this switch in the Delegation and Configuration Console.

The Azure application requires additional permissions for certificate-based authentication. To apply the required permissions to the Azure application, you must run the UpdateDraAzureApplicationPermission.ps1 script.

To set up the Azure application to use certificate-based authentication after you upgrade, perform the following steps:

  1. Open the Delegation and Configuration Console and navigate to Configuration Management > Azure Tenants.

  2. Right-click the Azure tenant and select Properties > Authentication. The Basic authentication option is selected by default.

  3. Change the authentication type to Automatic self-signed certificate or Manual customer certificate.

  4. Click the Certificate Info tab.

  5. Update the Azure application by applying the necessary permissions for certificate-based authentication.

    1. Launch a PowerShell session in the DRA Administration server, and navigate to C:\Program Files (x86)\NetIQ\DRA\SupportingFiles

    2. Execute . .\UpdateDraAzureApplicationPermission.ps1 to load the script into the PowerShell session.

    3. Execute the UpdateDraAzureApplicationPermission cmdlet, specifying the name of the Azure application that is shown in the Azure Application tab.

    4. In the Credentials dialog box, specify the Global Administrator credentials. The application object ID is generated.

    5. Copy the application object ID into the Certificate Info tab. If you have selected the Manual customer certificate option, upload the certificate in the New Certificate area.

  6. Apply the changes. The certificate details are updated.

12.5.5 Resetting the Client Secret for an Azure Application

Follow the steps below if you need to reset the client secret for an Azure application.

To reset the client secret for an Azure application:

  1. Launch a PowerShell session in the DRA Administration server and navigate to C:\Program Files (x86)\NetIQ\DRA\SupportingFiles

  2. Execute . .\ResetDraAzureApplicationClientSecret.ps1 to load the script into the PowerShell session.

  3. Execute the ResetDraAzureApplicationClientSecret cmdlet to prompt for parameters.

  4. Specify the following parameters for Reset-DraAzureApplicationClientSecret:

    • <name> - Name of the application from the tenant wizard.

    • <environment> - DRA 10.2.3: Specify the environment that matches your cloud configuration. The Global environment is selected by default. Specify Global, China, USGov, USGovDoD, or Germany, depending on the tenant you are using.

    • <environment> (Optional) - DRA 10.2.2 or earlier: Specify AzureCloud, AzureChinaCloud, AzureGermanyCloud, or AzureUSGovernment, depending on the tenant you are using.

  5. In the Credentials dialog box, specify the Global Administrator credentials.

    The Azure application ID and client secret are generated.

  6. Copy the client secret into the DRA console (tenant wizard).

    1. Open the Delegation and Configuration Console and navigate to Configuration Management > Azure Tenants.

    2. Right-click the Azure tenant and go to Properties > Azure Application.

    3. Paste the Azure application client secret that is generated from the script into the Client Secret field.

    4. Apply the changes.

12.5.6 Configuring the Azure Guest User Invitation

When you invite Azure guest users to Azure Active Directory, DRA sends the guest user an email with a customized welcome message that includes an invitation link. You can configure both the welcome message and the invitation link (redirect URL) displayed in the invitation. After accepting the invitation, the Azure guest user is redirected to the configured URL, where they can log in using their credentials.

To configure the guest user invitation:

  1. Navigate to Configuration Management > Azure Tenants in the Delegation and Configuration Console.

  2. Select the managed Azure tenant for which you want to configure the invite, right-click and select Properties.

  3. Click the Guest Invite Config tab.

  4. Specify the welcome message and the invitation link.

  5. Apply the changes.