Update "Azure AD" references to "Microsoft Entra ID" (microsoft#3873)
* rename Azure AD to Microsoft Entra Workforce ID

* update Azure Active Directory to Microsoft Entra Workforce ID

* replace

* update version

* change stale version

* update from stale

* update version

* update readme

* Microsoft Entra Workforce ID -> Microsoft Entra ID

* AAD -> Microsoft Entra ID

* Delete .devcontainer/devcontainer.json

* Revert "Delete .devcontainer/devcontainer.json"

This reverts commit 5dd6d5c.

* revert code changes

* remove double names

* update version

* go back version

* api update version

* revert for linting

* revert test linting

* fix linting

* roll back linting

* increase line length

* fix linting

* fix formatting

* fix linting 3

* update urls

* update aad urls

---------

Co-authored-by: Tim Allen <tim.allen@cloudkubed.com>
wojciechcloudkubed and Tim Allen authored Apr 11, 2024
1 parent 47c8182 commit bc2f233
Showing 35 changed files with 88 additions and 88 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -22,7 +22,7 @@ Core features include:
- Self-service provisioning of research tooling for research teams
- Package and repository mirroring - PyPi, R-CRAN, Apt and more.
- Extensible architecture - build your own service templates as required
- Azure Active Directory integration
- Microsoft Entra ID integration
- Airlock - import and export
- Cost reporting
- Ready to workspace templates including:
4 changes: 2 additions & 2 deletions api_app/.env.sample
Expand Up @@ -4,15 +4,15 @@
# LOGGING_LEVEL can be set to DEBUG, INFO, WARNING, ERROR or CRITICAL
LOGGING_LEVEL="INFO"

# OAUTH information - client ids etc. for the AAD Apps
# OAUTH information - client ids etc. for the Microsoft Entra ID Apps
# ----------------------------------------------------
# The AppId for the API service principal (TRE API)
API_CLIENT_ID=__CHANGE_ME__
# The Client secret fo the TRE API application
API_CLIENT_SECRET=__CHANGE_ME__
# The AppId for the Swagger service principal (TRE Swagger UI)
SWAGGER_UI_CLIENT_ID=__CHANGE_ME__
# The Azure AD tenant
# The Microsoft Entra Workforce tenant
AAD_TENANT_ID=__CHANGE_ME__

# API parameters
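Review bot: the comment above `AAD_TENANT_ID` is the one place in this PR that still reads "Microsoft Entra Workforce tenant" even though the commit message records the later decision "Microsoft Entra Workforce ID -> Microsoft Entra ID"; change it to `# The Microsoft Entra ID tenant` so the sample matches the rest of the rename. Leaving the variable name `AAD_TENANT_ID` itself untouched is the right call, since renaming the key would break existing configuration that sets it.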
2 changes: 1 addition & 1 deletion api_app/_version.py
@@ -1 +1 @@
__version__ = "0.18.5"
__version__ = "0.18.6"
2 changes: 1 addition & 1 deletion core/version.txt
@@ -1 +1 @@
__version__ = "0.9.6"
__version__ = "0.9.7"
2 changes: 1 addition & 1 deletion docs/azure-tre-overview/airlock.md
Expand Up @@ -117,7 +117,7 @@ Whenever the airlock process changes to a state of **Draft**, **Submitted**, **A
When the state changes to `In-progress` the Workspace Owner (Airlock Manager) gets notified.

> * The Notification mechanism is also data-driven, allowing an organization to extend the notifications behavior. The mechanism is exemplified with a Logic App determining the notifications logic.
> * Notifications will work with All TRE users being AAD users (guests or not), with email defined – if not, notifications will not be sent.
> * Notifications will work with All TRE users being Microsoft Entra ID users (guests or not), with email defined – if not, notifications will not be sent.
## Architecture
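Review bot: while this notification line is being rewritten, lower-case the stray capital in "with All TRE users" so it reads "Notifications will work with all TRE users being Microsoft Entra ID users (guests or not)"; the rename is otherwise fine here.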

2 changes: 1 addition & 1 deletion docs/azure-tre-overview/architecture.md
Expand Up @@ -8,7 +8,7 @@ All traffic has to be explicitly allowed by the Application Gateway or the Firew

[![Architecture overview](../assets/archtecture-overview.png)](../assets/archtecture-overview.png)

The Azure resources outside the network boundries of the Azure TRE are Azure Active Directory, Microsoft Graph and TRE Management. TRE Management are resources used during deployment.
The Azure resources outside the network boundries of the Azure TRE are Microsoft Entra ID, Microsoft Graph and TRE Management. TRE Management are resources used during deployment.

The Azure TRE core plane consists of two groups of components:
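Review bot: since this sentence is being rewritten anyway, fix the pre-existing typo "network boundries" to "network boundaries" in the same edit. "TRE Management are resources used during deployment" would also read better as "TRE Management consists of the resources used during deployment".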

8 changes: 4 additions & 4 deletions docs/azure-tre-overview/tre-resources-breakdown.md
Expand Up @@ -36,10 +36,10 @@ Once an Azure TRE has been [provisioned](../../tre-admins/setup-instructions/pre
| fw-dsk-{TRE_ID} | Azure Firewall | [Azure TRE Firewall](../networking) restricts external outbound traffic from all TRE resources | [Azure Firewall](https://docs.microsoft.com/en-us/azure/firewall/overview)
| kv-{TRE_ID} | Azure Key Vault | Management of TRE secrets & certificates | [Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/general/overview)
| log-{TRE_ID} | Log Analytics Workspace | Azure Monitor Logs store for all TRE resources | [Log Analytics](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-platform-logs#log-analytics-workspaces)
| id-agw-{TRE_ID} | Managed Identity | User-managed identity for TRE Application Gateway | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
| id-api-{TRE_ID} | Managed Identity | User-managed identity for TRE API App Service | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
| id-gitea-{TRE_ID} | Managed Identity | User-managed identity for TRE Gitea App Service | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
| id-vmss-{TRE_ID} | Managed Identity | User-managed identity for TRE Resource Processer (VMSS) | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
| id-agw-{TRE_ID} | Managed Identity | User-managed identity for TRE Application Gateway | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
| id-api-{TRE_ID} | Managed Identity | User-managed identity for TRE API App Service | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
| id-gitea-{TRE_ID} | Managed Identity | User-managed identity for TRE Gitea App Service | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
| id-vmss-{TRE_ID} | Managed Identity | User-managed identity for TRE Resource Processer (VMSS) | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
| sb-{TRE_ID} | Service Bus Namespace | Messaging for TRE API | [Service Bus](https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview)
| stappinsights{TRE_ID} | Storage Account | Storage for TRE Application Insights telemetry logs | [Storage Blobs](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview)
| stg{TRE_ID} | Storage Account | Files shares for TRE services such as Gitea, Nexus | [Storage Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction)
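Review bot: the `id-vmss-{TRE_ID}` row is modified but keeps the typo "Resource Processer"; correct it to "Resource Processor" while the line is being touched. Moving the Managed Identities link from `docs.microsoft.com/en-us/azure/active-directory/...` to `learn.microsoft.com/en-us/entra/identity/...` is right, but every other row in this table still points at `docs.microsoft.com`, so the page now mixes both hosts; worth a follow-up to move the rest.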
2 changes: 1 addition & 1 deletion docs/index.md
Expand Up @@ -20,7 +20,7 @@ Core features include:
- Self-service for research teams – research tooling creation and administration
- Package and repository mirroring
- Extensible architecture - build your own service templates as required
- Azure Active Directory integration
- Microsoft Entra ID integration
- Airlock
- Cost reporting
- Ready to workspace templates including:
42 changes: 21 additions & 21 deletions docs/tre-admins/auth.md
@@ -1,21 +1,21 @@
# Introduction to Authentication and Authorization

[Azure Active Directory (AAD)](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. AAD holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role.
[Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. Microsoft Entra ID holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role.

It is common that the Azure Administrator is not necessarily the Azure Active Directory Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually.
It is common that the Azure Administrator is not necessarily the Microsoft Entra ID Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually.

This page describes the automated Auth setup for TRE.

## Pre-requisites
The automation utilises a `make` command, which reads a few environment variables and creates the AAD assets. The following values are needed to be in place before you run the creation process. (`/config.yaml`)
The automation utilises a `make` command, which reads a few environment variables and creates the Microsoft Entra ID assets. The following values are needed to be in place before you run the creation process. (`/config.yaml`)

| Key | Description |
| ----------- | ----------- |
|TRE_ID|This is used to build up the name of the identities|
|AAD_TENANT_ID|The tenant id of where your AAD identities will be placed. This can be different to the tenant where your Azure resources are created.|
| LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application.
|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other AAD applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md).
|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Active Directory licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).
|AAD_TENANT_ID|The tenant id of where your Microsoft Entra ID identities will be placed. This can be different to the tenant where your Azure resources are created.|
| LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application.|
|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found&nbsp;[here](./identities/application_admin.md).|
|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).|

## Create Authentication assets
You can build all of the Identity assets by running the following at the command line
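Review bot: the rewritten `AUTO_WORKSPACE_APP_REGISTRATION` row introduces a literal `&nbsp;` ("found&nbsp;[here]") where the old line had a plain space; replace it with a normal space, as the entity is a copy-paste artefact that does not belong in the markdown source. While the `AUTO_WORKSPACE_GROUP_CREATION` row is being edited, also fix "applciation" to "application". Adding the trailing `|` to the `LOCATION` and following rows is a good consistency fix, and keeping the `AAD_TENANT_ID` key name unchanged is correct because it is the config key, not display text.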
Expand All @@ -28,8 +28,8 @@ The contents of your authentication section in `config.yaml` file should contain

| Variable | Description |
| -------- | ----------- |
| `APPLICATION_ADMIN_CLIENT_ID`| This client will administer AAD Applications for TRE |
| `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer AAD Applications for TRE |
| `APPLICATION_ADMIN_CLIENT_ID`| This client will administer Microsoft Entra ID Applications for TRE |
| `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer Microsoft Entra ID Applications for TRE |
| `TEST_ACCOUNT_CLIENT_ID`| This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you |
| `TEST_ACCOUNT_CLIENT_SECRET` | This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you |
| `API_CLIENT_ID` | API application (client) ID. |
Expand All @@ -38,16 +38,16 @@ The contents of your authentication section in `config.yaml` file should contain
| `WORKSPACE_API_CLIENT_ID` | Each workspace is secured behind it's own AD Application|
| `WORKSPACE_API_CLIENT_SECRET` | Each workspace is secured behind it's own AD Application. This is the secret for that application.|

### Using a separate Azure Active Directory tenant
### Using a separate Microsoft Entra ID tenant

!!! caution
This section is only relevant it you are setting up a separate Azure Active Directory tenant for use.
This is only recommended for development environments when you don't have the required permissions to register applications in Azure Active Directory.
Using a separate Azure Active Directory tenant will prevent you from using certain Azure Active Directory integrated services.
For production deployments, work with your Azure Active Directory administrator to perform the required registration
This section is only relevant it you are setting up a separate Microsoft Entra ID tenant for use.
This is only recommended for development environments when you don't have the required permissions to register applications in Microsoft Entra ID.
Using a separate Microsoft Entra ID tenant will prevent you from using certain Microsoft Entra ID integrated services.
For production deployments, work with your Microsoft Entra ID administrator to perform the required registration

1. Create an Azure Active Directory tenant
To create a new Azure Active Directory tenant, [follow the steps here](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant)
1. Create an Microsoft Entra ID tenant
To create a new Microsoft Entra ID tenant, [follow the steps here](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-create-new-tenant)

1. Follow the steps outlined above. `make auth` should logon to the correct tenant. Make sure you logon back to the correct tenant before running `make all`.
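Review bot: "Create an Microsoft Entra ID tenant" needs "a" rather than "an" now that the noun no longer starts with a vowel sound; the rename should check article agreement everywhere "an Azure Active Directory" became "Microsoft Entra ID". In the caution block, the pre-existing "relevant it you are" should be "relevant if you are", and the last line of the block is missing its full stop. The two unchanged rows `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` still say "it's own AD Application", which is both a missed rename ("AD Application" should become "Microsoft Entra ID application") and an "it's" that should be "its".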

Expand All @@ -56,23 +56,23 @@ The contents of your authentication section in `config.yaml` file should contain

App registrations (represented by service principals) define the various access permissions to the TRE system. There are a total of five main Applications of interest.

| AAD Application | Description |
| Microsoft Entra ID Application | Description |
| ----------- | ----------- |
| TRE API application | This is the main application and used to secure access to the [TRE API](../tre-developers/api.md). |
| TRE UX | This is the client application that will authenticate to the TRE/Workspace APIs. |
| Application Admin | There are times when workspace services need to update the AAD Application. For example, Guacamole needs to add a redirect URI to the Workspace AAD Application. This identity is used to manage AAD Applications.
| Application Admin | There are times when workspace services need to update the Microsoft Entra ID Application. For example, Guacamole needs to add a redirect URI to the Workspace Microsoft Entra ID Application. This identity is used to manage Microsoft Entra ID Applications. |
| Automation App | This application is created so that you can run the tests or any CI/CD capability without the need to divulge a user password. This is particularly important if your tenant is MFA enabled. |
| Workspace API | Typically you would have an application securing one or more workspaces that are created by TRE. |

Some of the applications require **admin consent** to allow them to validate users against the AAD. Check the Microsoft Docs on [Configure the admin consent workflow](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) on how to request admin consent and handle admin consent requests.
Some of the applications require **admin consent** to allow them to validate users against the Microsoft Entra ID. Check the Microsoft Docs on [Configure the admin consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow) on how to request admin consent and handle admin consent requests.

We strongly recommend that you use `make auth` to create the AAD assets as this has been tested extensively. Should you wish to create these manually via the [Azure Portal](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app); more information can be found [here](./identities/auth-manual.md).
We strongly recommend that you use `make auth` to create the Microsoft Entra ID assets as this has been tested extensively. Should you wish to create these manually via the [Azure Portal](https://learn.microsoft.com/en-gb/entra/identity-platform/quickstart-register-app); more information can be found [here](./identities/auth-manual.md).

### Enabling users

For a user to gain access to the system, they have to:

1. Have an identity in Azure AD
1. Have an identity in Microsoft Entra ID
1. Be linked with an app registration and assigned a role

When these requirements are met, the user can sign-in using their credentials and use their privileges to use the API, login to workspace environment etc. based on their specific roles.
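Review bot: "validate users against the Microsoft Entra ID" should drop "the" ("validate users against Microsoft Entra ID"); the article read naturally before an abbreviation like "the AAD" but not before the product name. The `quickstart-register-app` link uses the `en-gb` locale while every other `learn.microsoft.com` URL in this PR uses `en-us`; pick one for consistency. Adding the trailing `|` to the Application Admin row correctly matches the rest of the table.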
6 changes: 3 additions & 3 deletions docs/tre-admins/environment-variables.md
Expand Up @@ -15,7 +15,7 @@
| `ARM_SUBSCRIPTION_ID` | *Optional for manual deployment. If not specified the `az cli` selected subscription will be used.* The Azure subscription ID for all resources. |
| `ARM_CLIENT_ID` | *Optional for manual deployment without logged-in credentials.* The client whose azure identity will be used to deploy the solution. |
| `ARM_CLIENT_SECRET` | *Optional for manual deployment without logged-in credentials.* The password of the client defined in `ARM_CLIENT_ID`. |
| `ARM_TENANT_ID` | *Optional for manual deployment. If not specified the `az cli` selected subscription will be used.* The AAD tenant of the client defined in `ARM_CLIENT_ID`. |
| `ARM_TENANT_ID` | *Optional for manual deployment. If not specified the `az cli` selected subscription will be used.* The Microsoft Entra ID tenant of the client defined in `ARM_CLIENT_ID`. |

## For Azure TRE instance in `/config.yaml`
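Review bot: the `ARM_TENANT_ID` description is being edited but still carries "If not specified the `az cli` selected subscription will be used", copied verbatim from the `ARM_SUBSCRIPTION_ID` row above; for this variable it should say that the tenant of the `az cli` selected subscription will be used, so the reader is not told a subscription substitutes for a tenant id.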

Expand Down Expand Up @@ -43,8 +43,8 @@

| Variable | Description |
| -------- | ----------- |
| `APPLICATION_ADMIN_CLIENT_ID`| This client will administer AAD Applications for TRE |
| `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer AAD Applications for TRE |
| `APPLICATION_ADMIN_CLIENT_ID`| This client will administer Microsoft Entra ID Applications for TRE |
| `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer Microsoft Entra ID Applications for TRE |
| `TEST_ACCOUNT_CLIENT_ID`| This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you |
| `TEST_ACCOUNT_CLIENT_SECRET` | This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you |
| `API_CLIENT_ID` | API application (client) ID. |