Configuring Microsoft Entra tenants
DRA lets you manage MFA-enabled Microsoft Entra Tenants using certificate-based authentication. Basic authentication is scheduled for deprecation.
You can configure DRA to work with Microsoft Entra ID and manage the Entra ID objects in one or more Microsoft Entra Tenants. These objects include users, guest users, contacts, and groups created in Entra ID, and the users, contacts, and groups that are synchronized to the Microsoft Entra Tenant from DRA-managed domains.
The DRA Administrator, or an assistant administrator with the delegated role “Configure Servers and Domains”, can manage Microsoft Entra Tenants. Entra ID built-in roles are required to manage Entra ID objects in the Web Console.
Managing Entra ID tasks requires the Entra ID PowerShell modules: Microsoft.Graph, Az.Accounts, and Exchange Online. For more information, see Supported Platforms.
You perform the configuration tasks described below in the Delegation and Configuration Console. Operations on Entra ID objects are performed only in the Web Console. For more information, see Managing Entra ID Objects in the DRA User Guide.
Configuring Government Cloud Tenants
Use the private cloud configuration when DRA connects to Microsoft Entra Tenants hosted in a government or sovereign cloud rather than in the global cloud.
To use a private cloud, modify the <DRA Install location>\X64\Office365SessionConfig-Custom.xml configuration file and update the values of the ExchangeEnvironmentName and Environment parameters in the following sections:
    <connect-exchangeonline-parameters>
        <param name="ExchangeEnvironmentName">O365Default</param>
    </connect-exchangeonline-parameters>
The possible values of the ExchangeEnvironmentName parameter are O365USGovGCCHigh, O365USGovDoD, O365GermanyCloud, O365China, and O365Default.
    <connect-msgraph-parameters>
        <param name="Environment">Global</param>
    </connect-msgraph-parameters>
The possible values of the Environment parameter (Microsoft Graph) are USGov, USGovDoD, Germany, China, and Global.
The msgraph.config files are found in the following paths:
- <DRA Install location>\X64\msgraph.config
- <DRA Install location>\msgraph.config
Modify the Graph URLs in these files for the respective private cloud, and ensure that the URLs correspond to the correct Government Cloud environment. The ExchangeEnvironmentName value, the Environment value, and the Graph URLs must all refer to the same cloud.
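As an added example (not DRA's own code and not taken from its documentation), the following PowerShell script sets both parameters in Office365SessionConfig-Custom.xml from a single cloud name, so that the Exchange Online and Microsoft Graph environments cannot drift apart, and rejects any value outside the sets listed above. The element and parameter names and the X64 path come from this page; the cloud-to-value mapping (in particular USGov to O365USGovGCCHigh) and the default install location are assumptions. The script does not touch the Graph URLs in msgraph.config, which you still edit by hand.

```powershell
# Added example, not part of DRA: align the Exchange Online and Microsoft Graph
# environment parameters in Office365SessionConfig-Custom.xml for one cloud.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Global', 'USGov', 'USGovDoD', 'Germany', 'China')]
    [string]$Cloud,

    # Assumed default install location; set it to your <DRA Install location>.
    [string]$DraInstall = 'C:\Program Files (x86)\NetIQ\DRA'
)

# One row per cloud. The two values must describe the same cloud, otherwise one
# module connects to the wrong endpoints and tenant operations fail. The USGov
# to O365USGovGCCHigh pairing is an assumption for GCC High tenants.
$environmentMap = @{
    Global   = @{ Exchange = 'O365Default';      Graph = 'Global'   }
    USGov    = @{ Exchange = 'O365USGovGCCHigh'; Graph = 'USGov'    }
    USGovDoD = @{ Exchange = 'O365USGovDoD';     Graph = 'USGovDoD' }
    Germany  = @{ Exchange = 'O365GermanyCloud'; Graph = 'Germany'  }
    China    = @{ Exchange = 'O365China';        Graph = 'China'    }
}

$configPath = Join-Path $DraInstall 'X64\Office365SessionConfig-Custom.xml'
if (-not (Test-Path -LiteralPath $configPath)) {
    throw "Configuration file not found: $configPath"
}

# Keep a timestamped copy before editing a file DRA reads at session start.
$backup = "$configPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -LiteralPath $configPath -Destination $backup

[xml]$xml = Get-Content -LiteralPath $configPath -Raw

# XPath built from the element and parameter names shown on this page.
$exchangeXPath = "//connect-exchangeonline-parameters/param[@name='ExchangeEnvironmentName']"
$graphXPath    = "//connect-msgraph-parameters/param[@name='Environment']"
$exchangeNode  = $xml.SelectSingleNode($exchangeXPath)
$graphNode     = $xml.SelectSingleNode($graphXPath)
if (-not $exchangeNode -or -not $graphNode) {
    throw "Expected ExchangeEnvironmentName/Environment param elements were not found in $configPath"
}

$target = $environmentMap[$Cloud]
Write-Host ("ExchangeEnvironmentName: {0} -> {1}" -f $exchangeNode.InnerText, $target.Exchange)
Write-Host ("Environment (Graph):     {0} -> {1}" -f $graphNode.InnerText,    $target.Graph)

$exchangeNode.InnerText = $target.Exchange
$graphNode.InnerText    = $target.Graph
$xml.Save($configPath)

# Re-read the file and verify that the two values still describe the same cloud.
[xml]$check = Get-Content -LiteralPath $configPath -Raw
$ex = $check.SelectSingleNode($exchangeXPath).InnerText
$gr = $check.SelectSingleNode($graphXPath).InnerText
$consistent = $environmentMap.Values | Where-Object { $_.Exchange -eq $ex -and $_.Graph -eq $gr }
if (-not $consistent) {
    throw "Exchange environment '$ex' and Graph environment '$gr' do not describe the same cloud"
}
Write-Host "Office365SessionConfig-Custom.xml now targets the $Cloud cloud (backup: $backup)"
```

Run it as `.\Set-DraCloudEnvironment.ps1 -Cloud USGov` (the file name is your choice) before adding the tenant, then edit the Graph URLs in both msgraph.config files to match.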
Adding a New Microsoft Entra Tenant
A Microsoft Entra Tenant can be managed using the certificate or basic authentication type. For certificate authentication, you need an Entra ID application with a set of permissions; for basic authentication, you need an account in Microsoft Entra ID. For information on Microsoft Entra Tenant access account permissions, see Least Privilege DRA Access Accounts.
To create an Entra ID application for DRA and to add a Microsoft Entra Tenant:
- Navigate to Configuration Management > Microsoft Entra Tenants in the Delegation and Configuration Console.
- Right-click Microsoft Entra Tenants, and select New Microsoft Entra Tenant. Click Next.
- Create the Entra ID application and specify the required details in the Entra ID Application tab:
  - Launch a PowerShell session on the DRA Administration server, and navigate to C:\Program Files (x86)\NetIQ\DRA\SupportingFiles
  - Execute . .\NewDraAzureApplication.ps1 to load the script into the PowerShell session.
  - Execute the New-DRAAzureApplication cmdlet, specifying the following parameters:
    - <name>: Name of the application from the tenant wizard. OpenText recommends that you use the name specified in the DRA console.
    - <environment>: The cloud environment of the tenant. Select Global, China, USGov, USGovDoD, or Germany depending on the tenant you are using; Global is the default.
  - In the Credentials dialog box, specify the Global Administrator credentials. The Microsoft Entra Tenant ID, object ID, application ID, and client secret (application password) are generated.
    DRA uses both the Microsoft.Graph and Exchange Online PowerShell modules, and the Microsoft Graph API, to access the data.
  - Copy the Tenant ID, object ID, application ID, and client secret into the Entra ID Application tab of the Add New Microsoft Entra Tenant wizard, and click Next. DRA validates the Entra ID application.
- In the Authentication tab, select an authentication type.
  For tenants added in DRA 10.2.2 or earlier, DRA supports both certificate-based authentication and basic authentication with the Microsoft Entra ID and Exchange Online PowerShell modules. When adding new tenants, DRA supports certificate-based authentication only.
  - Certificate-based authentication: This is the default option. DRA creates a self-signed certificate and associates it with the Entra ID application. If you do not want to use the self-signed certificate, you can upload your own certificate after the tenant is managed. For more information, see Uploading a Certificate Manually.
  - Basic authentication: This is the legacy option. DRA uses the user account that you specify to authenticate with Microsoft Entra ID. This option is not available in a fresh DRA 10.3 installation.
  For enhanced security, transition to certificate-based authentication, because basic authentication is expected to be deprecated. Attempt the transition only after the first Full tenant cache refresh has completed successfully; the transition to certificate-based authentication does not trigger another Full tenant cache refresh.
  Click Next.
- (Optional) In the Custom Microsoft Entra Tenant Source Anchor Attribute tab, specify the source anchor attribute used to map your Active Directory objects to Entra ID during synchronization. Click Next.
- Click Finish.
Adding the Microsoft Entra Tenant might take several minutes. After the tenant is successfully added, DRA performs a full accounts cache refresh for the tenant and then the added tenant displays in the Microsoft Entra Tenants view pane.
To view the authentication type for the Microsoft Entra Tenant, right-click the tenant and go to Properties > Authentication.
To view the certificate information, right-click the tenant and go to Properties > Certificate Info.
Uploading a Certificate Manually
If you want to use your own certificate, or if the existing custom certificate has expired and you want to specify a new one, you can upload the certificate from the Microsoft Entra Tenant properties page. The supported certificate file formats are .pfx and .cer.
Ensure that the certificate file you upload is protected with a strong password.
To upload a certificate:
- Open the Delegation and Configuration Console and navigate to Configuration Management > Microsoft Entra Tenants.
- Right-click the Microsoft Entra Tenant and go to Properties > Authentication. Ensure that the Manual customer certificate option is selected.
- Select the Certificate Info tab.
- Under New certificate, click Browse to select a certificate file. If you specify a .cer certificate file, ensure that a certificate with the private key is installed in the personal store of the service account user.
- Specify the password for the certificate, if necessary.
- Apply the changes. The certificate details are updated.
Notes for Administration servers in an MMS set:
- If the primary Administration server is configured with Basic authentication, ensure that you manually specify the credentials for Basic authentication on the secondary Administration servers so that the full accounts cache refresh succeeds. The access account must be unique on each Administration server in the MMS set.
- If the primary Administration server is configured with the Manual customer certificate or Automatic self-signed certificate authentication type, the secondary Administration servers display the authentication type as Automatic self-signed certificate. To upload your own certificate, you must manually change the authentication type to Manual customer certificate on the secondary Administration server. The certificate must be unique on each Administration server in the MMS set.
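As an added example (not DRA's own code and not from its documentation), the following PowerShell creates a certificate suitable for the Manual customer certificate option: the private key stays in the personal store of the account that runs the script (run it as the DRA service account if you intend to upload the .cer), and a password-protected .pfx plus a public-only .cer are exported. The subject name, lifetime, output folder, and the password policy enforced on the .pfx are assumptions, not values from this page.

```powershell
# Added example, not part of DRA: create a signing certificate for the Manual
# customer certificate option, keep the private key in the current user's
# personal store, and export a password-protected .pfx and a public-only .cer.
$subject  = 'CN=DRA-EntraTenant-Auth'   # assumed name; follow your own naming convention
$outDir   = 'C:\DRA\certs'              # assumed output folder
$lifetime = 1                           # years; a short lifetime limits the exposure of a leaked key

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# RSA 2048 / SHA-256 signature certificate in the personal (My) store of the
# account running this session. KeyExportPolicy Exportable is needed only to
# produce the .pfx; if you will only ever upload the .cer from this same
# account, NonExportable is the safer choice.
$cert = New-SelfSignedCertificate `
    -Subject $subject `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec Signature -KeyUsage DigitalSignature `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears($lifetime)

# Strong password for the .pfx: prompt for it rather than hard-coding it, and never log it.
$pfxPassword = Read-Host -Prompt 'PFX password (12+ characters, mixed classes)' -AsSecureString

# Check the policy on a clear-text copy that is zeroed as soon as the check is done.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    if ($plain.Length -lt 12 -or $plain -notmatch '[A-Z]' -or $plain -notmatch '[a-z]' -or
        $plain -notmatch '\d'   -or $plain -notmatch '[^A-Za-z0-9]') {
        throw 'Password too weak: at least 12 characters with upper, lower, digit and symbol are required.'
    }
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

$pfxPath = Join-Path $outDir 'dra-entra-auth.pfx'
$cerPath = Join-Path $outDir 'dra-entra-auth.cer'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $cerPath                        | Out-Null

# The .pfx contains the private key: restrict it on disk to this account and
# local administrators ("Administrators" is the English group name).
icacls $pfxPath /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" 'Administrators:(F)' | Out-Null

[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    PfxFile    = $pfxPath
    CerFile    = $cerPath
}
```

Upload the .pfx (with its password) or the .cer under New certificate as described above; the thumbprint in the output is what you should later see under Properties > Certificate Info.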
Configuring Certificate-Based Authentication for an Entra ID Application after Upgrading to 10.2 or later
After you upgrade to DRA 10.2 or later, you can switch from basic authentication to certificate-based authentication and configure the Entra ID application accordingly.
For enhanced security, transition to certificate-based authentication, because basic authentication is expected to be deprecated. Attempt the transition only after the first Full tenant cache refresh has completed successfully; the transition to certificate-based authentication does not trigger another Full tenant cache refresh.
The Entra ID application requires additional permissions for certificate-based authentication. To apply the required permissions to the Entra ID application, run the UpdateDraAzureApplicationPermission.ps1 script as described below.
To set up the Entra ID application to use certificate-based authentication after you upgrade, perform the following steps:
- Open the Delegation and Configuration Console and navigate to Configuration Management > Microsoft Entra Tenants.
- Right-click the Microsoft Entra Tenant and select Properties > Authentication. The Basic authentication option is selected by default.
- Change the authentication type to Automatic self-signed certificate or Manual customer certificate.
- Click the Certificate Info tab.
- Update the Entra ID application by applying the permissions required for certificate-based authentication:
  - Launch a PowerShell session on the DRA Administration server, and navigate to C:\Program Files (x86)\NetIQ\DRA\SupportingFiles
  - Execute . .\UpdateDraAzureApplicationPermission.ps1 to load the script into the PowerShell session.
  - Execute the UpdateDraAzureApplicationPermission cmdlet, specifying the name of the Entra ID application shown in the Entra ID Application tab.
  - In the Credentials dialog box, specify the Global Administrator credentials. The application object ID is generated.
  - Copy the application object ID into the Certificate Info tab. If you selected the Manual customer certificate option, upload the certificate in the New Certificate area.
- Apply the changes. The certificate details are updated.
Resetting the Client Secret for an Entra ID Application
Follow the steps below to reset the client secret for an Entra ID application, for example when the secret is about to expire or may have been exposed.
To reset the client secret for an Entra ID application:
- Launch a PowerShell session on the DRA Administration server and navigate to C:\Program Files (x86)\NetIQ\DRA\SupportingFiles
- Execute . .\ResetDraAzureApplicationClientSecret.ps1 to load the script into the PowerShell session.
- Execute the Reset-DraAzureApplicationClientSecret cmdlet; it prompts for the following parameters:
  - <name>: Name of the application from the tenant wizard.
  - <environment>: The cloud environment of the tenant. Select Global, China, USGov, USGovDoD, or Germany depending on the tenant you are using; Global is the default.
- In the Credentials dialog box, specify the Global Administrator credentials. The Entra ID application ID and client secret are generated.
- Copy the client secret into the DRA console:
  - Open the Delegation and Configuration Console and navigate to Configuration Management > Microsoft Entra Tenants.
  - Right-click the Microsoft Entra Tenant and go to Properties > Entra ID Application.
  - Paste the client secret generated by the script into the Client Secret field.
  - Apply the changes.
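As an added example (not DRA's own code and not from its documentation), the following PowerShell audit uses the Microsoft.Graph.Applications module to list the certificate and client-secret credentials attached to the DRA Entra ID application, with their expiry dates. It serves three procedures on this page: run it after adding a tenant with New-DRAAzureApplication, after switching a tenant to certificate-based authentication (to confirm a certificate credential is now present), and after Reset-DraAzureApplicationClientSecret (to confirm that a superseded secret is not still valid). The application name and environment are the values you used in the wizard; the 30-day warning window and the read-only Application.Read.All scope are assumptions.

```powershell
# Added example, not part of DRA: report the credentials on the DRA Entra ID
# application and warn about missing certificates, stale secrets and expiry.
param(
    [Parameter(Mandatory)][string]$ApplicationName,   # name given in the tenant wizard
    [ValidateSet('Global', 'USGov', 'USGovDoD', 'Germany', 'China')]
    [string]$Environment = 'Global',                  # same values as the <environment> parameter above
    [int]$WarnDays = 30                               # assumed warning window
)

Import-Module Microsoft.Graph.Applications -ErrorAction Stop

# Read-only scope: this audit must not be able to change the application.
Connect-MgGraph -Scopes 'Application.Read.All' -Environment $Environment -NoWelcome

$apps = @(Get-MgApplication -Filter "displayName eq '$ApplicationName'" -All)
if ($apps.Count -ne 1) {
    throw "Expected exactly one application named '$ApplicationName', found $($apps.Count)"
}
$app = $apps[0]
$now = Get-Date

# Flatten both credential kinds into one table. KeyCredentials hold certificates
# (certificate-based authentication); PasswordCredentials hold client secrets.
$rows = @()
foreach ($c in $app.KeyCredentials) {
    $rows += [pscustomobject]@{
        Kind     = 'Certificate'
        Id       = $c.KeyId
        Name     = $c.DisplayName
        Expires  = $c.EndDateTime
        DaysLeft = [int]($c.EndDateTime - $now).TotalDays
    }
}
foreach ($p in $app.PasswordCredentials) {
    $rows += [pscustomobject]@{
        Kind     = 'ClientSecret'
        Id       = $p.KeyId
        Name     = $p.DisplayName
        Expires  = $p.EndDateTime
        DaysLeft = [int]($p.EndDateTime - $now).TotalDays
    }
}

"Application : $($app.DisplayName)"
"AppId       : $($app.AppId)"      # the application ID entered in the wizard
"Object ID   : $($app.Id)"         # the object ID entered in the wizard / Certificate Info tab
$rows | Sort-Object Expires | Format-Table -AutoSize

$certs        = @($rows | Where-Object Kind -eq 'Certificate')
$secrets      = @($rows | Where-Object Kind -eq 'ClientSecret')
$expiringSoon = @($rows | Where-Object { $_.DaysLeft -le $WarnDays })

if ($certs.Count -eq 0) {
    Write-Warning 'No certificate credential: certificate-based authentication is not set up on this application.'
}
if ($secrets.Count -gt 1) {
    Write-Warning "$($secrets.Count) client secrets present: after a reset, remove the superseded secret so it cannot be used."
}
foreach ($e in $expiringSoon) {
    Write-Warning ("{0} {1} ({2}) expires in {3} day(s) on {4:u}" -f $e.Kind, $e.Id, $e.Name, $e.DaysLeft, $e.Expires)
}

Disconnect-MgGraph | Out-Null
```

Run it as `.\Audit-DraEntraApp.ps1 -ApplicationName <name> -Environment USGov` (file name is your choice); the thumbprint-bearing certificate entry should match what Properties > Certificate Info shows for the tenant.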
Configuring the Entra ID Guest User Invitation
When you invite guest users to Microsoft Entra ID, DRA sends the guest user an email with a customized welcome message that includes an invitation link. You can configure this welcome message and the invitation link (redirect URL) displayed in the invitation. After accepting the invitation, the guest user is redirected to the configured URL, where they can log in using their own credentials.
To configure the guest user invitation:
- Navigate to Configuration Management > Microsoft Entra Tenants in the Delegation and Configuration Console.
- Right-click the managed Microsoft Entra Tenant for which you want to configure the invitation, and select Properties.
- Click the Guest Invite Config tab.
- Specify the welcome message and the invitation link.
- Apply the changes.
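As an added example (not DRA's own code; the page does not state which API DRA uses to send the invitation), the following PowerShell sends the kind of Microsoft Graph invitation that the Guest Invite Config fields correspond to, using New-MgInvitation with the welcome message as the customized message body and the invitation link as the redirect URL. Because the guest is sent to that URL after accepting, the script refuses a redirect URL that is not https or whose host is not on an allow list, so a mistyped or malicious link cannot turn the invitation into a phishing lure. The allow list, the addresses, the message text and the redirect URL are constructed sample values.

```powershell
# Added example, not part of DRA: validate the guest redirect URL, then send a
# Microsoft Graph invitation with a customized welcome message. Assumes the
# Microsoft.Graph.Identity.SignIns module and the User.Invite.All scope.
param(
    [Parameter(Mandatory)][string]$GuestEmail,                          # e.g. partner@example.org (sample)
    [string]$RedirectUrl    = 'https://portal.example.com/welcome',       # sample value
    [string]$WelcomeMessage = 'Welcome. Sign in with your own work account to reach the shared project sites.'
)

# Hosts a guest may be redirected to after accepting. Anything else (http://,
# javascript:, a look-alike domain, embedded user info) is rejected.
$allowedRedirectHosts = @('portal.example.com', 'myapps.microsoft.com')   # sample allow list

function Test-RedirectUrl {
    param([string]$Url)
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) { return $false }
    if ($uri.Scheme -ne 'https') { return $false }
    if ($uri.UserInfo) { return $false }      # rejects https://portal.example.com@evil.example/ style tricks
    return $allowedRedirectHosts -contains $uri.Host.ToLowerInvariant()
}

if (-not (Test-RedirectUrl $RedirectUrl)) {
    throw "Redirect URL '$RedirectUrl' is not https or its host is not on the allow list"
}

Import-Module Microsoft.Graph.Identity.SignIns -ErrorAction Stop
Connect-MgGraph -Scopes 'User.Invite.All' -NoWelcome

# The welcome message becomes the customized body of the invitation mail; the
# redirect URL is where the guest lands after redeeming the invitation link.
$invitation = New-MgInvitation `
    -InvitedUserEmailAddress $GuestEmail `
    -InviteRedirectUrl $RedirectUrl `
    -SendInvitationMessage `
    -InvitedUserMessageInfo @{ CustomizedMessageBody = $WelcomeMessage }

[pscustomobject]@{
    Guest       = $invitation.InvitedUserEmailAddress
    GuestUserId = $invitation.InvitedUser.Id
    Status      = $invitation.Status           # PendingAcceptance until the guest redeems the link
    RedeemUrl   = $invitation.InviteRedeemUrl  # the invitation link embedded in the mail
}
Disconnect-MgGraph | Out-Null
```

Keep the same host allow list in mind when filling in the invitation link in the Guest Invite Config tab: the value you enter there is what every invited guest will be redirected to.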