From bc2f233216727f2586c7e79cdd4ca0a12d4dfbbe Mon Sep 17 00:00:00 2001 From: wojciechcloudkubed <159798789+wojciechcloudkubed@users.noreply.github.com> Date: Thu, 11 Apr 2024 09:50:09 +0100 Subject: [PATCH] Update "Azure AD" references to "Microsoft Entra ID" (#3873) * rename Azure AD to Microsoft Entra Workforce ID * update Azure Active Directory to Microsoft Entra Workforce ID * replace * update version * change stale version * update from stale * update version * update readme * Microsoft Entra Workforce ID -> Microsoft Entra ID * AAD -> Microsoft Entra ID * Delete .devcontainer/devcontainer.json * Revert "Delete .devcontainer/devcontainer.json" This reverts commit 5dd6d5c2656c5304bf4adf6bb38e1a20735bbc8a. * revert code changes * remove double names * update version * go back version * api update version * revert for linting * revert test linting * fix linting * roll back linting * increase line length * fix linting * fix formatting * fix lintin 3 * update urls * update aad urls --------- Co-authored-by: Tim Allen --- README.md | 2 +- api_app/.env.sample | 4 +- api_app/_version.py | 2 +- core/version.txt | 2 +- docs/azure-tre-overview/airlock.md | 2 +- docs/azure-tre-overview/architecture.md | 2 +- .../tre-resources-breakdown.md | 8 ++-- docs/index.md | 2 +- docs/tre-admins/auth.md | 42 +++++++++---------- docs/tre-admins/environment-variables.md | 6 +-- docs/tre-admins/identities/api.md | 8 ++-- .../identities/application_admin.md | 12 +++--- docs/tre-admins/identities/auth-manual.md | 2 +- docs/tre-admins/identities/client.md | 6 +-- docs/tre-admins/identities/test-account.md | 6 +-- docs/tre-admins/identities/workspace.md | 8 ++-- .../setup-instructions/ad-tenant-choices.md | 8 ++-- .../cicd-pre-deployment-steps.md | 4 +- .../installing-base-workspace.md | 2 +- .../setup-instructions/prerequisites.md | 2 +- .../setup-instructions/setup-auth-entities.md | 6 +-- .../ui-install-base-workspace.md | 2 +- .../setup-instructions/workflows.md | 2 +- docs/tre-developers/api.md | 2 +- docs/tre-developers/ui.md | 6 +-- docs/tre-templates/shared-services/gitea.md | 2 +- docs/tre-templates/shared-services/nexus.md | 2 +- .../tre-templates/workspace-services/gitea.md | 2 +- .../authoring-workspace-templates.md | 4 +- .../local-development/local-development.md | 2 +- e2e_tests/.env.sample | 2 +- .../airlock-import-review/.env.sample | 4 +- templates/workspaces/base/.env.sample | 4 +- templates/workspaces/unrestricted/.env.sample | 4 +- ui/README.md | 2 +- 35 files changed, 88 insertions(+), 88 deletions(-) diff --git a/README.md b/README.md index 4bcb9bcc3e..2fbbb0b2b5 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ Core features include: - Self-service provisioning of research tooling for research teams - Package and repository mirroring - PyPi, R-CRAN, Apt and more. - Extensible architecture - build your own service templates as required -- Azure Active Directory integration +- Microsoft Entra ID integration - Airlock - import and export - Cost reporting - Ready to workspace templates including: diff --git a/api_app/.env.sample b/api_app/.env.sample index acc5a0056f..0cf370e342 100644 --- a/api_app/.env.sample +++ b/api_app/.env.sample @@ -4,7 +4,7 @@ # LOGGING_LEVEL can be set to DEBUG, INFO, WARNING, ERROR or CRITICAL LOGGING_LEVEL="INFO" -# OAUTH information - client ids etc. for the AAD Apps +# OAUTH information - client ids etc. for the Microsoft Entra ID Apps # ---------------------------------------------------- # The AppId for the API service principal (TRE API) API_CLIENT_ID=__CHANGE_ME__ @@ -12,7 +12,7 @@ API_CLIENT_ID=__CHANGE_ME__ API_CLIENT_SECRET=__CHANGE_ME__ # The AppId for the Swagger service principal (TRE Swagger UI) SWAGGER_UI_CLIENT_ID=__CHANGE_ME__ -# The Azure AD tenant +# The Microsoft Entra Workforce tenant AAD_TENANT_ID=__CHANGE_ME__ # API parameters diff --git a/api_app/_version.py b/api_app/_version.py index 391a39001a..bcea63d014 100644 --- a/api_app/_version.py +++ b/api_app/_version.py @@ -1 +1 @@ -__version__ = "0.18.5" +__version__ = "0.18.6" diff --git a/core/version.txt b/core/version.txt index 50533e307d..f5b77301f5 100644 --- a/core/version.txt +++ b/core/version.txt @@ -1 +1 @@ -__version__ = "0.9.6" +__version__ = "0.9.7" diff --git a/docs/azure-tre-overview/airlock.md b/docs/azure-tre-overview/airlock.md index 791b024e71..91b50ee77c 100644 --- a/docs/azure-tre-overview/airlock.md +++ b/docs/azure-tre-overview/airlock.md @@ -117,7 +117,7 @@ Whenever the airlock process changes to a state of **Draft**, **Submitted**, **A When the state changes to `In-progress` the Workspace Owner (Airlock Manager) gets notified. > * The Notification mechanism is also data-driven, allowing an organization to extend the notifications behavior. The mechanism is exemplified with a Logic App determining the notifications logic. -> * Notifications will work with All TRE users being AAD users (guests or not), with email defined – if not, notifications will not be sent. +> * Notifications will work with All TRE users being Microsoft Entra ID users (guests or not), with email defined – if not, notifications will not be sent. ## Architecture diff --git a/docs/azure-tre-overview/architecture.md b/docs/azure-tre-overview/architecture.md index 89abf8f147..33a18718b3 100644 --- a/docs/azure-tre-overview/architecture.md +++ b/docs/azure-tre-overview/architecture.md @@ -8,7 +8,7 @@ All traffic has to be explicitly allowed by the Application Gateway or the Firew [![Architecture overview](../assets/archtecture-overview.png)](../assets/archtecture-overview.png) -The Azure resources outside the network boundries of the Azure TRE are Azure Active Directory, Microsoft Graph and TRE Management. TRE Management are resources used during deployment. +The Azure resources outside the network boundries of the Azure TRE are Microsoft Entra ID, Microsoft Graph and TRE Management. TRE Management are resources used during deployment. The Azure TRE core plane consists of two groups of components: diff --git a/docs/azure-tre-overview/tre-resources-breakdown.md b/docs/azure-tre-overview/tre-resources-breakdown.md index cb2272a6bb..b4f6a329e9 100644 --- a/docs/azure-tre-overview/tre-resources-breakdown.md +++ b/docs/azure-tre-overview/tre-resources-breakdown.md @@ -36,10 +36,10 @@ Once an Azure TRE has been [provisioned](../../tre-admins/setup-instructions/pre | fw-dsk-{TRE_ID} | Azure Firewall | [Azure TRE Firewall](../networking) restricts external outbound traffic from all TRE resources | [Azure Firewall](https://docs.microsoft.com/en-us/azure/firewall/overview) | kv-{TRE_ID} | Azure Key Vault | Management of TRE secrets & certificates | [Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/general/overview) | log-{TRE_ID} | Log Analytics Workspace | Azure Monitor Logs store for all TRE resources | [Log Analytics](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-platform-logs#log-analytics-workspaces) -| id-agw-{TRE_ID} | Managed Identity | User-managed identity for TRE Application Gateway | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) -| id-api-{TRE_ID} | Managed Identity | User-managed identity for TRE API App Service | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) -| id-gitea-{TRE_ID} | Managed Identity | User-managed identity for TRE Gitea App Service | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) -| id-vmss-{TRE_ID} | Managed Identity | User-managed identity for TRE Resource Processer (VMSS) | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) +| id-agw-{TRE_ID} | Managed Identity | User-managed identity for TRE Application Gateway | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) +| id-api-{TRE_ID} | Managed Identity | User-managed identity for TRE API App Service | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) +| id-gitea-{TRE_ID} | Managed Identity | User-managed identity for TRE Gitea App Service | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) +| id-vmss-{TRE_ID} | Managed Identity | User-managed identity for TRE Resource Processer (VMSS) | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) | sb-{TRE_ID} | Service Bus Namespace | Messaging for TRE API | [Service Bus](https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview) | stappinsights{TRE_ID} | Storage Account | Storage for TRE Application Insights telemetry logs | [Storage Blobs](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview) | stg{TRE_ID} | Storage Account | Files shares for TRE services such as Gitea, Nexus | [Storage Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction) diff --git a/docs/index.md b/docs/index.md index 5398470069..daa36b31fb 100644 --- a/docs/index.md +++ b/docs/index.md @@ -20,7 +20,7 @@ Core features include: - Self-service for research teams – research tooling creation and administration - Package and repository mirroring - Extensible architecture - build your own service templates as required -- Azure Active Directory integration +- Microsoft Entra ID integration - Airlock - Cost reporting - Ready to workspace templates including: diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md index ffbad4846a..3cff5e5a90 100644 --- a/docs/tre-admins/auth.md +++ b/docs/tre-admins/auth.md @@ -1,21 +1,21 @@ # Introduction to Authentication and Authorization -[Azure Active Directory (AAD)](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. AAD holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role. +[Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. Microsoft Entra ID holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role. -It is common that the Azure Administrator is not necessarily the Azure Active Directory Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually. +It is common that the Azure Administrator is not necessarily the Microsoft Entra ID Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually. This page describes the automated Auth setup for TRE. ## Pre-requisites -The automation utilises a `make` command, which reads a few environment variables and creates the AAD assets. The following values are needed to be in place before you run the creation process. (`/config.yaml`) +The automation utilises a `make` command, which reads a few environment variables and creates the Microsoft Entra ID assets. The following values are needed to be in place before you run the creation process. (`/config.yaml`) | Key | Description | | ----------- | ----------- | |TRE_ID|This is used to build up the name of the identities| -|AAD_TENANT_ID|The tenant id of where your AAD identities will be placed. This can be different to the tenant where your Azure resources are created.| -| LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application. -|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other AAD applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md). -|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Active Directory licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). +|AAD_TENANT_ID|The tenant id of where your Microsoft Entra ID identities will be placed. This can be different to the tenant where your Azure resources are created.| +| LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application.| +|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md).| +|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).| ## Create Authentication assets You can build all of the Identity assets by running the following at the command line @@ -28,8 +28,8 @@ The contents of your authentication section in `config.yaml` file should contain | Variable | Description | | -------- | ----------- | - | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer AAD Applications for TRE | - | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer AAD Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer Microsoft Entra ID Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer Microsoft Entra ID Applications for TRE | | `TEST_ACCOUNT_CLIENT_ID`| This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `TEST_ACCOUNT_CLIENT_SECRET` | This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `API_CLIENT_ID` | API application (client) ID. | @@ -38,16 +38,16 @@ The contents of your authentication section in `config.yaml` file should contain | `WORKSPACE_API_CLIENT_ID` | Each workspace is secured behind it's own AD Application| | `WORKSPACE_API_CLIENT_SECRET` | Each workspace is secured behind it's own AD Application. This is the secret for that application.| -### Using a separate Azure Active Directory tenant +### Using a separate Microsoft Entra ID tenant !!! caution - This section is only relevant it you are setting up a separate Azure Active Directory tenant for use. - This is only recommended for development environments when you don't have the required permissions to register applications in Azure Active Directory. - Using a separate Azure Active Directory tenant will prevent you from using certain Azure Active Directory integrated services. - For production deployments, work with your Azure Active Directory administrator to perform the required registration + This section is only relevant it you are setting up a separate Microsoft Entra ID tenant for use. + This is only recommended for development environments when you don't have the required permissions to register applications in Microsoft Entra ID. + Using a separate Microsoft Entra ID tenant will prevent you from using certain Microsoft Entra ID integrated services. + For production deployments, work with your Microsoft Entra ID administrator to perform the required registration -1. Create an Azure Active Directory tenant - To create a new Azure Active Directory tenant, [follow the steps here](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) +1. Create an Microsoft Entra ID tenant + To create a new Microsoft Entra ID tenant, [follow the steps here](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-create-new-tenant) 1. Follow the steps outlined above. `make auth` should logon to the correct tenant. Make sure you logon back to the correct tenant before running `make all`. @@ -56,23 +56,23 @@ The contents of your authentication section in `config.yaml` file should contain App registrations (represented by service principals) define the various access permissions to the TRE system. There are a total of five main Applications of interest. -| AAD Application | Description | +| Microsoft Entra ID Application | Description | | ----------- | ----------- | | TRE API application | This is the main application and used to secure access to the [TRE API](../tre-developers/api.md). | | TRE UX | This is the client application that will authenticate to the TRE/Workspace APIs. | -| Application Admin | There are times when workspace services need to update the AAD Application. For example, Guacamole needs to add a redirect URI to the Workspace AAD Application. This identity is used to manage AAD Applications. +| Application Admin | There are times when workspace services need to update the Microsoft Entra ID Application. For example, Guacamole needs to add a redirect URI to the Workspace Microsoft Entra ID Application. This identity is used to manage Microsoft Entra ID Applications. | | Automation App | This application is created so that you can run the tests or any CI/CD capability without the need to divulge a user password. This is particularly important if your tenant is MFA enabled. | | Workspace API | Typically you would have an application securing one or more workspaces that are created by TRE. | -Some of the applications require **admin consent** to allow them to validate users against the AAD. Check the Microsoft Docs on [Configure the admin consent workflow](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) on how to request admin consent and handle admin consent requests. +Some of the applications require **admin consent** to allow them to validate users against the Microsoft Entra ID. Check the Microsoft Docs on [Configure the admin consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow) on how to request admin consent and handle admin consent requests. -We strongly recommend that you use `make auth` to create the AAD assets as this has been tested extensively. Should you wish to create these manually via the [Azure Portal](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app); more information can be found [here](./identities/auth-manual.md). +We strongly recommend that you use `make auth` to create the Microsoft Entra ID assets as this has been tested extensively. Should you wish to create these manually via the [Azure Portal](https://learn.microsoft.com/en-gb/entra/identity-platform/quickstart-register-app); more information can be found [here](./identities/auth-manual.md). ### Enabling users For a user to gain access to the system, they have to: -1. Have an identity in Azure AD +1. Have an identity in Microsoft Entra ID 1. Be linked with an app registration and assigned a role When these requirements are met, the user can sign-in using their credentials and use their privileges to use the API, login to workspace environment etc. based on their specific roles. diff --git a/docs/tre-admins/environment-variables.md b/docs/tre-admins/environment-variables.md index 0b56fd92b2..815251cd84 100644 --- a/docs/tre-admins/environment-variables.md +++ b/docs/tre-admins/environment-variables.md @@ -15,7 +15,7 @@ | `ARM_SUBSCRIPTION_ID` | *Optional for manual deployment. If not specified the `az cli` selected subscription will be used.* The Azure subscription ID for all resources. | | `ARM_CLIENT_ID` | *Optional for manual deployment without logged-in credentials.* The client whose azure identity will be used to deploy the solution. | | `ARM_CLIENT_SECRET` | *Optional for manual deployment without logged-in credentials.* The password of the client defined in `ARM_CLIENT_ID`. | -| `ARM_TENANT_ID` | *Optional for manual deployment. If not specified the `az cli` selected subscription will be used.* The AAD tenant of the client defined in `ARM_CLIENT_ID`. | +| `ARM_TENANT_ID` | *Optional for manual deployment. If not specified the `az cli` selected subscription will be used.* The Microsoft Entra ID tenant of the client defined in `ARM_CLIENT_ID`. | ## For Azure TRE instance in `/config.yaml` @@ -43,8 +43,8 @@ | Variable | Description | | -------- | ----------- | - | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer AAD Applications for TRE | - | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer AAD Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer Microsoft Entra ID Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer Microsoft Entra ID Applications for TRE | | `TEST_ACCOUNT_CLIENT_ID`| This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `TEST_ACCOUNT_CLIENT_SECRET` | This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `API_CLIENT_ID` | API application (client) ID. | diff --git a/docs/tre-admins/identities/api.md b/docs/tre-admins/identities/api.md index 36aeec5bc3..7dbff00b5c 100644 --- a/docs/tre-admins/identities/api.md +++ b/docs/tre-admins/identities/api.md @@ -1,10 +1,10 @@ # The API Identity ## Name -The API Identity is typically called ` API` within the AAD Portal. +The API Identity is typically called ` API` within the Microsoft Entra ID Portal. ## Purpose -This identity's credentials are stored in the `core` Key Vault and mandatory for the running of the Trusted Research Environment (TRE). It is required for the API Application, hosted in Azure App Service, to authenticate to Azure Active Directory and authorize the various operations. +This identity's credentials are stored in the `core` Key Vault and mandatory for the running of the Trusted Research Environment (TRE). It is required for the API Application, hosted in Azure App Service, to authenticate to Microsoft Entra ID and authorize the various operations. ## Application Roles @@ -49,7 +49,7 @@ Below is a sample where `TRE_ID` has value `mytre`: | -------- | ----------- | | `--name` | The prefix of the name of the app registrations. `TRE` will give you `TRE API`. | | `--tre-url` | Used to construct auth redirection URLs for the UI and Swagger app. Use the values of the [environment variables](../environment-variables.md) `TRE_ID` and `LOCATION` in the URL. Reply URL for the localhost, `http://localhost:8000/api/docs/oauth2-redirect`, will be added by default. | -| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires AAD admin privileges. | +| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires Microsoft Entra ID admin privileges. | | `--automation-clientid` | This is an optional parameter but will grant TREAdmin permission to the Service Principal of the Automation Admin.| | `--reset-password` | Optional, default is 0. When run in a headless fashion, 1 is passed in to always reset the password. | @@ -60,7 +60,7 @@ Below is a sample where `TRE_ID` has value `mytre`: You can create an automation account which will aid your development flow, if you don't want to do this you can omit the `--automation-clientid` switch. -You can run the script without the `--admin-consent` and ask your admin to grant consent. If you don't have permissions and just want to create a development environment then skip this step and see the steps in the "Using a separate Azure Active Directory tenant) below. +You can run the script without the `--admin-consent` and ask your admin to grant consent. If you don't have permissions and just want to create a development environment then skip this step and see the steps in the "Using a separate Microsoft Entra ID tenant) below. ## Environment Variables | Variable | Description | Location | diff --git a/docs/tre-admins/identities/application_admin.md b/docs/tre-admins/identities/application_admin.md index f64fcdd2d4..f685b67b60 100644 --- a/docs/tre-admins/identities/application_admin.md +++ b/docs/tre-admins/identities/application_admin.md @@ -1,7 +1,7 @@ # The Application Administrator Identity ## Purpose -This identity's credentials are stored in the core key vault and are used when you wish to update AAD Applications. For instance, when you add Guacamole as a Workspace Service, you would need to add the URI of the Guacamole Service as a Redirect URI to the Workspace App to complete the login flow. +This identity's credentials are stored in the core key vault and are used when you wish to update Microsoft Entra ID Applications. For instance, when you add Guacamole as a Workspace Service, you would need to add the URI of the Guacamole Service as a Redirect URI to the Workspace App to complete the login flow. ## Application Roles This application does not have any roles defined. @@ -9,10 +9,10 @@ This application does not have any roles defined. ## Microsoft Graph Permissions | Name | Type* | Admin consent required | TRE usage | | --- | -- | -----| --------- | -| Application.ReadWrite.OwnedBy | Application | Yes | This user has `Application.ReadWrite.OwnedBy` as a minimum permission for it to function. If the tenant is managed by a customer administrator, then this user must be added to the **Owners** of every workspace that is created. This will allow TRE to manage the AAD Application. This will be a manual process for the Tenant Admin. | -| Application.ReadWrite.All | Application | Yes | This permission is required to create workspace applications and administer any applications in the tenant. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant. | -| Directory.Read.All | Application | Yes | This permission is required to read User details from Azure Active Directory. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. | -| Group.ReadWrite.All | Application | Yes | This permission is required to create and update Azure AD groups. This is requried if Azure AD groups are to be created automatically by the TRE. | +| Application.ReadWrite.OwnedBy | Application | Yes | This user has `Application.ReadWrite.OwnedBy` as a minimum permission for it to function. If the tenant is managed by a customer administrator, then this user must be added to the **Owners** of every workspace that is created. This will allow TRE to manage the Microsoft Entra ID Application. This will be a manual process for the Tenant Admin. | +| Application.ReadWrite.All | Application | Yes | This permission is required to create workspace applications and administer any applications in the tenant. This is needed if the Microsoft Entra ID Administrator has delegated Microsoft Entra ID administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant. | +| Directory.Read.All | Application | Yes | This permission is required to read User details from Microsoft Entra ID. This is needed if the Microsoft Entra ID Administrator has delegated Microsoft Entra ID administrative operations to the TRE. | +| Group.ReadWrite.All | Application | Yes | This permission is required to create and update Microsoft Entra ID groups. This is requried if Microsoft Entra ID groups are to be created automatically by the TRE. | '*' See the difference between [delegated and application permission](https://docs.microsoft.com/graph/auth/auth-concepts#delegated-and-application-permissions) types. See [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) for more details. @@ -28,7 +28,7 @@ This user is currently only used from the Porter bundles hosted on the Resource | Argument | Description | | -------- | ----------- | | `--name` | This is used to put a friendly name to the Application that can be seen in the portal. It is typical to use the name of your TRE instance. | -| `--admin-consent` | If you have the appropriate permission to grant admin consent, then pass in this argument. If you do not, you will have to ask an AAD Admin to consent after you have created the identity. Consent is required for this permission. | +| `--admin-consent` | If you have the appropriate permission to grant admin consent, then pass in this argument. If you do not, you will have to ask an Microsoft Entra ID Admin to consent after you have created the identity. Consent is required for this permission. | | `--application-permission` | This is a comma seperated list of the permissions that need to be assigned. For exampler `Application.ReadWrite.All,Directory.Read.All,Group.ReadWrite.All` | | `--reset-password` | Optional, default is 0. When run in a headless fashion, 1 is passed in to always reset the password. | diff --git a/docs/tre-admins/identities/auth-manual.md b/docs/tre-admins/identities/auth-manual.md index bc55df319f..7c09eca3b9 100644 --- a/docs/tre-admins/identities/auth-manual.md +++ b/docs/tre-admins/identities/auth-manual.md @@ -1,4 +1,4 @@ -# Manually creating AAD identities +# Manually creating Microsoft Entra ID identities This guide is here if you wanted to create these Application Registrations manually. diff --git a/docs/tre-admins/identities/client.md b/docs/tre-admins/identities/client.md index 60e5ef9732..725d3ec3f2 100644 --- a/docs/tre-admins/identities/client.md +++ b/docs/tre-admins/identities/client.md @@ -1,7 +1,7 @@ # TRE Client UX ## Name -The Client Identity is typically called ` UX` within the AAD Portal. +The Client Identity is typically called ` UX` within the Microsoft Entra ID Portal. ## Purpose This identity is used by any public facing client application so that user impersonation can occur to the Core API and any Workspace Applications. @@ -38,9 +38,9 @@ Example on how to run the script: | -------- | ----------- | | `--name` | The prefix of the name of the app registrations. `TRE` will give you `TRE API`. | | `--tre-url` | Used to construct auth redirection URLs for the UI and Swagger app. Use the values of the [environment variables](../environment-variables.md) `TRE_ID` and `LOCATION` in the URL. Reply URL for the localhost, `http://localhost:8000/api/docs/oauth2-redirect`, will be added by default. | -| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires AAD admin privileges. | +| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires Microsoft Entra ID admin privileges. | | `--automation-clientid` | This is an optional parameter but will create an application with test users with permission to use the `TRE API` and `TRE Swagger UI` | -| `--reset-password` | Optional, default is 0. This flag has no relevance when creating the UX as there is no password for the AAD Application. | +| `--reset-password` | Optional, default is 0. This flag has no relevance when creating the UX as there is no password for the Microsoft Entra ID Application. | ## Redirect URLs diff --git a/docs/tre-admins/identities/test-account.md b/docs/tre-admins/identities/test-account.md index c913885730..c06a71f412 100644 --- a/docs/tre-admins/identities/test-account.md +++ b/docs/tre-admins/identities/test-account.md @@ -1,7 +1,7 @@ # TRE Automation Admin Application ## Name -The Automation Application is typically called ` Automation Admin` within the AAD Portal. +The Automation Application is typically called ` Automation Admin` within the Microsoft Entra ID Portal. ## Purpose This application is used to authorize end-to-end test scenarios. @@ -48,10 +48,10 @@ Example on how to run the script: ### Create this application from the portal (optional) -To create an application registration for automation, open the Azure Active Directory tenant for your TRE in the portal and navigate to "App Registrations". +To create an application registration for automation, open the Microsoft Entra ID tenant for your TRE in the portal and navigate to "App Registrations". Click "New registration" as shown in the image below. -![Screenshot of Azure portal showing "New registration" in Azure Active Directory](../../assets/tre-automation-new-app-registration.png) +![Screenshot of Azure portal showing "New registration" in Microsoft Entra ID](../../assets/tre-automation-new-app-registration.png) Enter a name for the application registration and click "Register". diff --git a/docs/tre-admins/identities/workspace.md b/docs/tre-admins/identities/workspace.md index 6f28293bd6..8bc5b1989a 100644 --- a/docs/tre-admins/identities/workspace.md +++ b/docs/tre-admins/identities/workspace.md @@ -25,7 +25,7 @@ This identity should only be used by the API Application. ## How to create There are two mechanisms for creating Workspace Applications -- Manually by your AAD Tenant Admin (default) +- Manually by your Microsoft Entra ID Tenant Admin (default) - Automatically by TRE. Please see this [guide](./application_admin.md) if you wish this to be automatic. !!! caution @@ -46,9 +46,9 @@ Example on how to run the script: | -------- | ----------- | | `--name` | The name of the application. This will be suffixed with 'API' by the script. | | `--ux-clientid` | This value is one of the outputs when you first ran the script. It is mandatory if you use admin-consent. | -| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires AAD admin privileges. | +| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires Microsoft Entra ID admin privileges. | | `--automation-clientid` | This is an optional parameter but will grant the Automation App (created in step 1) permission to the new workspace app. | -| `--application-admin-clientid` | This is a required parameter , and should be a client id that will be added to the Owners of the AAD Application so that it can be administered within TRE. | +| `--application-admin-clientid` | This is a required parameter , and should be a client id that will be added to the Owners of the Microsoft Entra ID Application so that it can be administered within TRE. | | `--reset-password` | Optional, default is 0. When run in a headless fashion, 1 is passed in to always reset the password. | @@ -64,4 +64,4 @@ If you do not wish to grant the Automation App permission to your workspace, jus |WORKSPACE_API_CLIENT_SECRET|The client secret|`./config.yaml`| ## Comments -When the Workspace AAD app is registered by running `make auth`, the `Workspace Scope Id` is the same as the Client Id. When the Workspace AAD app is created by the base workspace, the `Workspace Scope Id` will be in this format `api://_ws_` +When the Workspace Microsoft Entra ID app is registered by running `make auth`, the `Workspace Scope Id` is the same as the Client Id. When the Workspace Microsoft Entra ID app is created by the base workspace, the `Workspace Scope Id` will be in this format `api://_ws_` diff --git a/docs/tre-admins/setup-instructions/ad-tenant-choices.md b/docs/tre-admins/setup-instructions/ad-tenant-choices.md index 50eef29d25..94b600a08b 100644 --- a/docs/tre-admins/setup-instructions/ad-tenant-choices.md +++ b/docs/tre-admins/setup-instructions/ad-tenant-choices.md @@ -1,4 +1,4 @@ -# Azure Active Directory Tenant Choices +# Microsoft Entra ID Tenant Choices ## Dedicated Tenant for TRE @@ -10,13 +10,13 @@ Users from your corporate tenant can be guested into this new TRE tenant. ## Corporate Tenant -It is possible to use your corporate tenant for TRE. This does have the advantage of only managing a single tenant, but your AAD Tenant Admin must be aware of what TRE brings to your organization and must be prepared to carry out some admin tasks, like creating an AAD Application every time a new Workspace is created. +It is possible to use your corporate tenant for TRE. This does have the advantage of only managing a single tenant, but your Microsoft Entra ID Tenant Admin must be aware of what TRE brings to your organization and must be prepared to carry out some admin tasks, like creating an Microsoft Entra ID Application every time a new Workspace is created. [![TRE Tenant](../../assets/corp-tenant.png)](../../assets/corp-tenant.png) -## Create Dedicated Azure Active Directory Tenant +## Create Dedicated Microsoft Entra ID Tenant -Follow [this guide](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to create new dedicated tenant. +Follow [this guide](https://learn.microsoft.com/en-us/entra/fundamentals/create-new-tenant) to create new dedicated tenant. ## Next steps diff --git a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md index d089d1967d..07a231ef0b 100644 --- a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md +++ b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md @@ -92,8 +92,8 @@ In a previous [Setup Auth configuration](./setup-auth-entities.md) step authenti | Secret Name | Description | | -------- | ----------- | | `AAD_TENANT_ID` | Tenant id against which auth is performed. | - | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer AAD Applications for TRE | - | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer AAD Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer Microsoft Entra ID Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer Microsoft Entra ID Applications for TRE | | `TEST_ACCOUNT_CLIENT_ID`| This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `TEST_ACCOUNT_CLIENT_SECRET` | This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `API_CLIENT_ID` | API application (client) ID. | diff --git a/docs/tre-admins/setup-instructions/installing-base-workspace.md b/docs/tre-admins/setup-instructions/installing-base-workspace.md index 01a9350b3f..25caddc50c 100644 --- a/docs/tre-admins/setup-instructions/installing-base-workspace.md +++ b/docs/tre-admins/setup-instructions/installing-base-workspace.md @@ -29,7 +29,7 @@ As explained in the [auth guide](../auth.md), every workspace has a correspondin ``` !!! caution - If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Azure Active Directory tenant** in [Setup Auth configuration](setup-auth-entities.md) for more details. + If you're using a separate tenant for Microsoft Entra ID app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Microsoft Entra ID tenant** in [Setup Auth configuration](setup-auth-entities.md) for more details. Running the script will report `workspace_api_client_id` and `workspace_api_client_secret` for the generated app. Add these under the authenrication section in `/config.yaml` so that automated testing will work. You also need to use `workspace_api_client_id` in the POST body below. diff --git a/docs/tre-admins/setup-instructions/prerequisites.md b/docs/tre-admins/setup-instructions/prerequisites.md index b4ac864188..78b6dbd47e 100644 --- a/docs/tre-admins/setup-instructions/prerequisites.md +++ b/docs/tre-admins/setup-instructions/prerequisites.md @@ -3,7 +3,7 @@ To deploy an Azure TRE instance, the following assets and tools are required: * [Azure subscription](https://azure.microsoft.com) -* [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations +* [Microsoft Entra ID](https://learn.microsoft.com/en-gb/entra/fundamentals/whatis) tenant in which you can create application registrations * Git client such as [Git](https://git-scm.com/) or [GitHub Desktop](https://desktop.github.com/) * [Docker Desktop](https://www.docker.com/products/docker-desktop) diff --git a/docs/tre-admins/setup-instructions/setup-auth-entities.md b/docs/tre-admins/setup-instructions/setup-auth-entities.md index dc4f91b91b..c1616c83cb 100644 --- a/docs/tre-admins/setup-instructions/setup-auth-entities.md +++ b/docs/tre-admins/setup-instructions/setup-auth-entities.md @@ -19,9 +19,9 @@ Next, you will set the configuration variables for the specific Azure TRE instan The rest of the variables can have their default values. -1. Decide on a name for your `tre_id` ID for the Azure TRE instance. The value will be used in various Azure resources and AAD application names. It **needs to be globally unique and less than 12 characters in length**. Use **only** lowercase alphanumerics. Choose wisely! +1. Decide on a name for your `tre_id` ID for the Azure TRE instance. The value will be used in various Azure resources and Microsoft Entra ID application names. It **needs to be globally unique and less than 12 characters in length**. Use **only** lowercase alphanumerics. Choose wisely! 1. Once you have decided on which AD Tenant paradigm, then you should be able to set `aad_tenant_id` in the authentication section in your `config.yaml` file. -1. Your AAD Tenant Admin can now use the terminal window in Visual Studio Code to execute the following script from within the development container to create all the AAD Applications that are used for TRE. The details of the script are covered in the [auth document](../auth.md). +1. Your Microsoft Entra ID Tenant Admin can now use the terminal window in Visual Studio Code to execute the following script from within the development container to create all the Microsoft Entra ID Applications that are used for TRE. The details of the script are covered in the [auth document](../auth.md). ```bash make auth @@ -33,7 +33,7 @@ Next, you will set the configuration variables for the specific Azure TRE instan In case you have several subscriptions and would like to change your default subscription use `az account set --subscription ` !!! note - The full functionality of the script requires directory admin privileges. You may need to contact your friendly Azure Active Directory admin to complete this step. The app registrations can be created manually in Azure Portal too. For more information, see [Authentication and authorization](../auth.md). + The full functionality of the script requires directory admin privileges. You may need to contact your friendly Microsoft Entra ID admin to complete this step. The app registrations can be created manually in Azure Portal too. For more information, see [Authentication and authorization](../auth.md). All other variables can have their default values for now. diff --git a/docs/tre-admins/setup-instructions/ui-install-base-workspace.md b/docs/tre-admins/setup-instructions/ui-install-base-workspace.md index 46d067ab13..25b4e2c213 100644 --- a/docs/tre-admins/setup-instructions/ui-install-base-workspace.md +++ b/docs/tre-admins/setup-instructions/ui-install-base-workspace.md @@ -57,7 +57,7 @@ As explained in the [auth guide](../auth.md), every workspace has a correspondin ``` !!! caution - If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Azure Active Directory tenant** in [Setup Auth configuration](./setup-auth-entities.md) for more details. + If you're using a separate tenant for Microsoft Entra ID app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Microsoft Entra ID tenant** in [Setup Auth configuration](./setup-auth-entities.md) for more details. Running the script will report `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` for the generated app. Set these under authentication section in `config.yaml` so that automated testing will work. You also need to use `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` in the form. diff --git a/docs/tre-admins/setup-instructions/workflows.md b/docs/tre-admins/setup-instructions/workflows.md index 28db90d053..a432e90463 100644 --- a/docs/tre-admins/setup-instructions/workflows.md +++ b/docs/tre-admins/setup-instructions/workflows.md @@ -74,7 +74,7 @@ Configure the TRE API and Swagger UI repository secrets |
Secret name
| Description | | ----------- | ----------- | -| `AAD_TENANT_ID` | The tenant ID of the Azure AD. | +| `AAD_TENANT_ID` | The tenant ID of the Microsoft Entra ID. | | `SWAGGER_UI_CLIENT_ID` | The application (client) ID of the TRE Swagger UI app. | | `API_CLIENT_ID` | The application (client) ID of the TRE API app. | | `API_CLIENT_SECRET` | The application password (client secret) of the TRE API app. | diff --git a/docs/tre-developers/api.md b/docs/tre-developers/api.md index e35e0cd83d..06c2195aa6 100644 --- a/docs/tre-developers/api.md +++ b/docs/tre-developers/api.md @@ -144,7 +144,7 @@ make auth ``` Alternatively, in Azure Portal you can add the redirect URL to the App Registration. -Under AAD, find App Registrations, and find the App Registration with the ID shown in the error message. +Under Microsoft Entra ID, find App Registrations, and find the App Registration with the ID shown in the error message. There, go to Redirect URL and add the URL given to you by the error message (it will have a form of `https://${TRE_ID}.westeurope.cloudapp.azure.com/api/docs/oauth2-redirect`). diff --git a/docs/tre-developers/ui.md b/docs/tre-developers/ui.md index 433985875f..e9b4a04441 100644 --- a/docs/tre-developers/ui.md +++ b/docs/tre-developers/ui.md @@ -8,7 +8,7 @@ The UI is built upon several popular web frameworks: - Typescript - React Router v6 for client side routing - Fluent UI [Fluent UI Docs](https://developer.microsoft.com/en-us/fluentui#/controls/web) -- MSAL v2: AAD authentication [msal-react docs](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-react) +- MSAL v2: Microsoft Entra ID authentication [msal-react docs](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-react) ### Folder structure @@ -27,7 +27,7 @@ ui ### AuthN + AuthZ For further details on the auth setup, see [Auth](../tre-admins/auth.md). -As stated above, AAD is used for Authentication and Authorization. There are 3 AAD apps involved here: +As stated above, Microsoft Entra ID is used for Authentication and Authorization. There are 3 Microsoft Entra ID apps involved here: - **TRE UX**. This is the app that the user authenticates against. Once authenticated, the client will request an access token for the `TRE Api`. - **TRE Api**. In the access token response from this app we get the user's role membership for TRE-level roles (`TREAdmin` / `TREUser`). Based on these role memberships, aspects of the UI will be made available. If the user is in a `TREAdmin` role, they will see buttons to create workspaces for instance. When the user navigates into a Workspace, the client will request an access token for that `Workspace App`. @@ -39,7 +39,7 @@ From this access token we can find the Workspace-level roles the user is in (`Wo ### React Contexts The React Context API is a clean way to handle a limited amount of global state, and is used for a few scenarios in this project: - TRE Roles Context: A context provides details of the base TRE roles a user is in, which can be consumed anywhere throughout the app -- Workspace Context: Tracks the currently selected Workspace, and the roles the user is in for that Workspace. This context is used for nested components to be able to authenticate against the correct AAD App via `workspaceCtx.workspaceApplicationIdURI`. +- Workspace Context: Tracks the currently selected Workspace, and the roles the user is in for that Workspace. This context is used for nested components to be able to authenticate against the correct Microsoft Entra ID App via `workspaceCtx.workspaceApplicationIdURI`. - Create Form Context: A context to control the Create / Update form behaviour. - Notifications Context: Tracks all the in-progress operations currently running. For each operation, the Notifications panel also uses this context to broadcast Component 'actions' which are subscribed to by downstream components. This way, a resource component does not have to track it's own changes, and can be 'told' by the Notifications Context whether it should refresh / lock etc. diff --git a/docs/tre-templates/shared-services/gitea.md b/docs/tre-templates/shared-services/gitea.md index 173611a5ae..d15a69f02b 100644 --- a/docs/tre-templates/shared-services/gitea.md +++ b/docs/tre-templates/shared-services/gitea.md @@ -44,7 +44,7 @@ Gitea needs to be able to access the following resource outside the Azure TRE VN | Service Tag / Destination | Justification | | --- | --- | -| AzureActiveDirectory | Authorize the signed in user against Azure Active Directory. | +| AzureActiveDirectory | Authorize the signed in user against Microsoft Entra ID. | | AzureContainerRegistry | Pull the Gitea container image, as it is located in Azure Container Registry. | | (www.)github.com | Allows Gitea to mirror any repo on GitHub | diff --git a/docs/tre-templates/shared-services/nexus.md b/docs/tre-templates/shared-services/nexus.md index 2a9e437a10..5869ae9693 100644 --- a/docs/tre-templates/shared-services/nexus.md +++ b/docs/tre-templates/shared-services/nexus.md @@ -63,7 +63,7 @@ Nexus Shared Service requires access to resources outside of the Azure TRE VNET. | Service Tag / Destination | Justification | | --- | --- | -| AzureActiveDirectory | Authorize the signed in user against Azure Active Directory. | +| AzureActiveDirectory | Authorize the signed in user against Microsoft Entra ID. | | AzureContainerRegistry | Pull the Nexus container image, as it is located in Azure Container Registry. | | pypi.org, *.pypi.org | Enables Nexus to "proxy" python packages to use inside of workspaces. | | repo.anaconda.com | Enables Nexus to "proxy" conda packages to use inside of workspaces. | diff --git a/docs/tre-templates/workspace-services/gitea.md b/docs/tre-templates/workspace-services/gitea.md index 054e21bd67..9725cbb711 100644 --- a/docs/tre-templates/workspace-services/gitea.md +++ b/docs/tre-templates/workspace-services/gitea.md @@ -7,7 +7,7 @@ See: [https://gitea.io/](https://gitea.io) The Gitea worskpace service opens outbound access to: - AzureActiveDirectory -- Azure AD CDN - `https://aadcdn.msftauth.net` +- Microsoft Entra ID CDN - `https://aadcdn.msftauth.net` ## Prerequisites diff --git a/docs/tre-workspace-authors/authoring-workspace-templates.md b/docs/tre-workspace-authors/authoring-workspace-templates.md index d40105515f..76aa356cbd 100644 --- a/docs/tre-workspace-authors/authoring-workspace-templates.md +++ b/docs/tre-workspace-authors/authoring-workspace-templates.md @@ -27,9 +27,9 @@ The manifest of a workspace bundle is the `porter.yaml` file (see [Author Bundle A workspace bundle requires the following [credentials](https://porter.sh/author-bundles/#credentials) to provision resources in Azure: -* [Azure tenant ID](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) +* [Azure tenant ID](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant) * Azure subscription ID -* The client ID of a [service principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) with privileges to provision resources +* The client ID of a [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) with privileges to provision resources * The client secret (password) of a service principal The credentials are provided as environment variables by the deployment runner. The bundle author must use the following environment variable names: diff --git a/docs/using-tre/local-development/local-development.md b/docs/using-tre/local-development/local-development.md index 2bda151098..4db16e676b 100644 --- a/docs/using-tre/local-development/local-development.md +++ b/docs/using-tre/local-development/local-development.md @@ -9,7 +9,7 @@ This guide will cover how to setup local development environment to add custom t To deploy an Azure TRE instance, the following assets and tools are required: * [Azure subscription](https://azure.microsoft.com) -* [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations +* [Microsoft Entra ID](https://learn.microsoft.com/en-gb/entra/fundamentals/whatis) tenant in which you can create application registrations * Git client such as [Git](https://git-scm.com/) or [GitHub Desktop](https://desktop.github.com/) * [Docker Desktop](https://www.docker.com/products/docker-desktop) diff --git a/e2e_tests/.env.sample b/e2e_tests/.env.sample index 96d5a61628..504651cfda 100644 --- a/e2e_tests/.env.sample +++ b/e2e_tests/.env.sample @@ -18,7 +18,7 @@ TEST_WORKSPACE_APP_SECRET= WORKSPACE_APP_SERVICE_PLAN_SKU="P1v2" TEST_WORKSPACE_ID= -TEST_AAD_WORKSPACE_ID=ID of pre-created AAD workspace> +TEST_AAD_WORKSPACE_ID=ID of pre-created Microsoft Entra ID workspace> # Run tests sequentially. Change this value if you want to run tests in parallel locally E2E_TESTS_NUMBER_PROCESSES=1 diff --git a/templates/workspaces/airlock-import-review/.env.sample b/templates/workspaces/airlock-import-review/.env.sample index 68d0a40652..c89893b33f 100644 --- a/templates/workspaces/airlock-import-review/.env.sample +++ b/templates/workspaces/airlock-import-review/.env.sample @@ -4,14 +4,14 @@ ARM_TENANT_ID="__CHANGE_ME__" ARM_SUBSCRIPTION_ID="__CHANGE_ME__" AUTH_TENANT_ID="__CHANGE_ME__" -# These are passed in if Terraform will create the Workspace AAD Application +# These are passed in if Terraform will create the Workspace Microsoft Entra ID Application REGISTER_AAD_APPLICATION=true CREATE_AAD_GROUPS=true AUTH_CLIENT_ID="__CHANGE_ME__" AUTH_CLIENT_SECRET="__CHANGE_ME__" WORKSPACE_OWNER_OBJECT_ID="__CHANGE_ME__" -# These are passed in if you register the Workspace AAD Application before hand +# These are passed in if you register the Workspace Microsoft Entra ID Application before hand # REGISTER_AAD_APPLICATION=false # CLIENT_ID="__CHANGE_ME__" # CLIENT_SECRET="__CHANGE_ME__" diff --git a/templates/workspaces/base/.env.sample b/templates/workspaces/base/.env.sample index df96d05cc7..40de3a637f 100644 --- a/templates/workspaces/base/.env.sample +++ b/templates/workspaces/base/.env.sample @@ -4,14 +4,14 @@ ARM_TENANT_ID="__CHANGE_ME__" ARM_SUBSCRIPTION_ID="__CHANGE_ME__" AUTH_TENANT_ID="__CHANGE_ME__" -# These are passed in if Terraform will create the Workspace AAD Application +# These are passed in if Terraform will create the Workspace Microsoft Entra ID Application REGISTER_AAD_APPLICATION=true CREATE_AAD_GROUPS=true AUTH_CLIENT_ID="__CHANGE_ME__" AUTH_CLIENT_SECRET="__CHANGE_ME__" WORKSPACE_OWNER_OBJECT_ID="__CHANGE_ME__" -# These are passed in if you register the Workspace AAD Application before hand +# These are passed in if you register the Workspace Microsoft Entra ID Application before hand # REGISTER_AAD_APPLICATION=false # CLIENT_ID="__CHANGE_ME__" # CLIENT_SECRET="__CHANGE_ME__" diff --git a/templates/workspaces/unrestricted/.env.sample b/templates/workspaces/unrestricted/.env.sample index ba25f23336..42b235effd 100644 --- a/templates/workspaces/unrestricted/.env.sample +++ b/templates/workspaces/unrestricted/.env.sample @@ -4,14 +4,14 @@ ARM_TENANT_ID="__CHANGE_ME__" ARM_SUBSCRIPTION_ID="__CHANGE_ME__" AUTH_TENANT_ID="__CHANGE_ME__" -# These are passed in if Terraform will create the Workspace AAD Application +# These are passed in if Terraform will create the Workspace Microsoft Entra ID Application REGISTER_AAD_APPLICATION=true CREATE_AAD_GROUPS=true AUTH_CLIENT_ID="__CHANGE_ME__" AUTH_CLIENT_SECRET="__CHANGE_ME__" WORKSPACE_OWNER_OBJECT_ID="__CHANGE_ME__" -# These are passed in if you register the Workspace AAD Application before hand +# These are passed in if you register the Workspace Microsoft Entra ID Application before hand # REGISTER_AAD_APPLICATION=false # CLIENT_ID="__CHANGE_ME__" # CLIENT_SECRET="__CHANGE_ME__" diff --git a/ui/README.md b/ui/README.md index 9ec30ef5ba..b605e4bc71 100644 --- a/ui/README.md +++ b/ui/README.md @@ -7,7 +7,7 @@ The UI was built using Create React App and Microsoft Fluent UI. Further details ## Run the UI - Ensure `deploy_ui=false` is not set in your `./config.yaml` file - In the root of the repo, run `make tre-deploy`. This will provision the necessary resources in Azure, build and deploy the UI to Azure blob storage, behind the App Gateway used for the API. The deployment process will also create the necessary `config.json`, using the `config.source.json` as a template. -- In Azure AD, locate the TRE Client Apps app (possibly called Swagger App). In the Authentication section add reply URIs for: +- In Microsoft Entra ID, locate the TRE Client Apps app (possibly called Swagger App). In the Authentication section add reply URIs for: - `http://localhost:3000` (if wanting to run locally) - Your deployed App Url - `https://{TRE_ID}.{LOCATION}.cloudapp.azure.com`.