From e7f85643011ff4a1fd11ec950f9e059328de21ed Mon Sep 17 00:00:00 2001 From: wojciechcloudkubed <159798789+wojciechcloudkubed@users.noreply.github.com> Date: Wed, 13 Mar 2024 10:49:38 +0000 Subject: [PATCH 01/27] rename Azure AD to Microsoft Entra Workforce ID --- api_app/.env.sample | 2 +- api_app/api/routes/workspaces.py | 2 +- api_app/schemas/azuread.json | 2 +- cli/tre/commands/login.py | 2 +- core/terraform/variables.tf | 12 ++++++------ devops/scripts/aad/create_api_application.sh | 4 ++-- .../scripts/aad/create_application_administrator.sh | 4 ++-- .../scripts/aad/create_automation_administrator.sh | 2 +- devops/scripts/aad/create_workspace_application.sh | 4 ++-- docs/tre-admins/auth.md | 2 +- docs/tre-admins/identities/application_admin.md | 2 +- docs/tre-admins/setup-instructions/workflows.md | 2 +- docs/tre-templates/workspace-services/gitea.md | 2 +- .../guacamole/terraform/variables.tf | 2 +- 14 files changed, 22 insertions(+), 22 deletions(-) diff --git a/api_app/.env.sample b/api_app/.env.sample index acc5a0056f..ff6a60e8c4 100644 --- a/api_app/.env.sample +++ b/api_app/.env.sample @@ -12,7 +12,7 @@ API_CLIENT_ID=__CHANGE_ME__ API_CLIENT_SECRET=__CHANGE_ME__ # The AppId for the Swagger service principal (TRE Swagger UI) SWAGGER_UI_CLIENT_ID=__CHANGE_ME__ -# The Azure AD tenant +# The Microsoft Entra Workforce tenant AAD_TENANT_ID=__CHANGE_ME__ # API parameters diff --git a/api_app/api/routes/workspaces.py b/api_app/api/routes/workspaces.py index 018a21999c..1701b779f6 100644 --- a/api_app/api/routes/workspaces.py +++ b/api_app/api/routes/workspaces.py 
@@ -99,7 +99,7 @@ async def retrieve_workspace_scope_id_by_workspace_id(workspace=Depends(get_work @workspaces_core_router.post("/workspaces", status_code=status.HTTP_202_ACCEPTED, response_model=OperationInResponse, name=strings.API_CREATE_WORKSPACE, dependencies=[Depends(get_current_admin_user)]) async def create_workspace(workspace_create: WorkspaceInCreate, response: Response, user=Depends(get_current_admin_user), workspace_repo=Depends(get_repository(WorkspaceRepository)), resource_template_repo=Depends(get_repository(ResourceTemplateRepository)), operations_repo=Depends(get_repository(OperationRepository)), resource_history_repo=Depends(get_repository(ResourceHistoryRepository))) -> OperationInResponse: try: - # TODO: This requires Directory.ReadAll ( Application.Read.All ) to be enabled in the Azure AD application to enable a users workspaces to be listed. This should be made optional. + # TODO: This requires Directory.ReadAll ( Application.Read.All ) to be enabled in the Microsoft Entra Workforce ID application to enable a users workspaces to be listed. This should be made optional. auth_info = extract_auth_information(workspace_create.properties) workspace, resource_template = await workspace_repo.create_workspace_item(workspace_create, auth_info, user.id, user.roles) except (ValidationError, ValueError) as e: diff --git a/api_app/schemas/azuread.json b/api_app/schemas/azuread.json index 8c4fa52189..6f7ddd448a 100644 --- a/api_app/schemas/azuread.json +++ b/api_app/schemas/azuread.json @@ -2,7 +2,7 @@ "$schema": "http://json-schema.org/draft-07/schema", "$id": "https://github.com/microsoft/AzureTRE/schema/azuread.json", "type": "object", - "title": "Azure AD Authorisation Schema", + "title": "Microsoft Entra Workforce ID Authorisation Schema", "default": {}, "required": [ ], diff --git a/cli/tre/commands/login.py b/cli/tre/commands/login.py index 1d8313a6b1..511f0b09e8 100644 --- a/cli/tre/commands/login.py +++ b/cli/tre/commands/login.py 
@@ -43,7 +43,7 @@ def login(): + 'https://..cloudapp.azure.com/') @click.option('--client-id', required=False, - help='The Client ID of the Azure AD application for the API (optional for API versions >= v0.5.7)') + help='The Client ID of the Microsoft Entra Workforce ID application for the API (optional for API versions >= v0.5.7)') @click.option('--aad-tenant-id', required=False, help='The Tenant ID for the AAD tenant to authenticate with (optional for API versions >= v0.5.7)') diff --git a/core/terraform/variables.tf b/core/terraform/variables.tf index 39702b98fb..2b9a609f05 100644 --- a/core/terraform/variables.tf +++ b/core/terraform/variables.tf 
@@ -78,37 +78,37 @@ variable "enable_swagger" { variable "swagger_ui_client_id" { type = string - description = "The client id (app id) of the registration in Azure AD for the Swagger UI" + description = "The client id (app id) of the registration in Microsoft Entra Workforce ID for the Swagger UI" sensitive = true } variable "aad_tenant_id" { type = string - description = "The tenant id of the Azure AD used for authentication." + description = "The tenant id of the Microsoft Entra Workforce ID used for authentication." sensitive = true } variable "api_client_id" { type = string - description = "The client id (app id) of the registration in Azure AD for the API." + description = "The client id (app id) of the registration in Microsoft Entra Workforce ID for the API." sensitive = true } variable "api_client_secret" { type = string - description = "A client secret used by the API to authenticate with Azure AD for access to Microsoft Graph." + description = "A client secret used by the API to authenticate with Microsoft Entra Workforce ID for access to Microsoft Graph." sensitive = true } variable "application_admin_client_id" { type = string - description = "The client id (app id) of the registration in Azure AD for creating AAD Applications." + description = "The client id (app id) of the registration in Microsoft Entra Workforce ID for creating AAD Applications." sensitive = true } variable "application_admin_client_secret" { type = string - description = "A client secret used by the Resource Processor to authenticate with Azure AD to create AAD Applications." + description = "A client secret used by the Resource Processor to authenticate with Microsoft Entra Workforce ID to create AAD Applications." sensitive = true } diff --git a/devops/scripts/aad/create_api_application.sh b/devops/scripts/aad/create_api_application.sh index bfc18ebb27..f3bbc70b49 100755 --- a/devops/scripts/aad/create_api_application.sh +++ b/devops/scripts/aad/create_api_application.sh 
@@ -19,7 +19,7 @@ Options: -n,--name Required. The prefix for the app (registration) names e.g., "TRE", or "Workspace One". -u,--tre-url TRE URL, used to construct auth redirection URLs for the UI and Swagger app. -a,--admin-consent Optional, but recommended. Grants admin consent for the app registrations, when this flag is set. - Requires directory admin privileges to the Azure AD in question. + Requires directory admin privileges to the Microsoft Entra Workforce ID in question. -t,--automation-clientid Optional, when --workspace is specified the client ID of the automation account can be added to the TRE workspace. -r,--reset-password Optional, switch to automatically reset the password. Default 0 @@ -102,7 +102,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show- msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0" tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id') -echo -e "\e[96mCreating the API/UX Application in the \"${tenant}\" Azure AD tenant.\e[0m" +echo -e "\e[96mCreating the API/UX Application in the \"${tenant}\" Microsoft Entra Workforce ID tenant.\e[0m" # Load in helper functions # shellcheck disable=SC1091 diff --git a/devops/scripts/aad/create_application_administrator.sh b/devops/scripts/aad/create_application_administrator.sh index 671f2823af..a707a7b333 100755 --- a/devops/scripts/aad/create_application_administrator.sh +++ b/devops/scripts/aad/create_application_administrator.sh 
@@ -18,7 +18,7 @@ Usage: $0 --name "MYTRE" --application-permission "Application.ReadWrite.OwnedBy Options: -n,--name Required. The prefix for the app (registration) names e.g., "TRE". -a,--admin-consent Optional, but recommended. Grants admin consent for the app registrations, when this flag is set. - Requires directory admin privileges to the Azure AD in question. + Requires directory admin privileges to the Microsoft Entra Workforce ID in question. -p,--application-permission The API Permission that this identity will be granted. -r,--reset-password Optional, switch to automatically reset the password. Default 0 @@ -85,7 +85,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show- msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0" tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id') -echo -e "\e[96mCreating the Application Admin in the \"${tenant}\" Azure AD tenant.\e[0m" +echo -e "\e[96mCreating the Application Admin in the \"${tenant}\" Microsoft Entra Workforce ID tenant.\e[0m" # Load in helper functions # shellcheck disable=SC1091 diff --git a/devops/scripts/aad/create_automation_administrator.sh b/devops/scripts/aad/create_automation_administrator.sh index 2b02171b9c..3061257ccc 100755 --- a/devops/scripts/aad/create_automation_administrator.sh +++ b/devops/scripts/aad/create_automation_administrator.sh 
@@ -70,7 +70,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show- msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0" tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id') -echo -e "\e[96mCreating the Automation Admin in the \"${tenant}\" Azure AD tenant.\e[0m" +echo -e "\e[96mCreating the Automation Admin in the \"${tenant}\" Microsoft Entra Workforce ID tenant.\e[0m" # Load in helper functions # shellcheck disable=SC1091 diff --git a/devops/scripts/aad/create_workspace_application.sh b/devops/scripts/aad/create_workspace_application.sh index 2495731240..acc3cd2c88 100755 --- a/devops/scripts/aad/create_workspace_application.sh +++ b/devops/scripts/aad/create_workspace_application.sh @@ -20,7 +20,7 @@ Options: -y,--application-admin-clientid Required. The client ID of the Application Administrator that will be able to update this application. e.g. updating a redirect URI. -a,--admin-consent Optional, but recommended. Grants admin consent for the app registrations, when this flag is set. - Requires directory admin privileges to the Azure AD in question. + Requires directory admin privileges to the Microsoft Entra Workforce ID in question. -z,--automation-clientid Optional, the client ID of the automation account can be added to the TRE workspace. -r,--reset-password Optional, switch to automatically reset the password. Default 0 
@@ -103,7 +103,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show- msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0" tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id') -echo -e "\e[96mCreating a Workspace Application in the \"${tenant}\" Azure AD tenant.\e[0m" +echo -e "\e[96mCreating a Workspace Application in the \"${tenant}\" Microsoft Entra Workforce ID tenant.\e[0m" # Load in helper functions # shellcheck disable=SC1091 diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md index ffbad4846a..6f8c007a96 100644 --- a/docs/tre-admins/auth.md +++ b/docs/tre-admins/auth.md @@ -72,7 +72,7 @@ We strongly recommend that you use `make auth` to create the AAD assets as this For a user to gain access to the system, they have to: -1. Have an identity in Azure AD +1. Have an identity in Microsoft Entra Workforce ID 1. Be linked with an app registration and assigned a role When these requirements are met, the user can sign-in using their credentials and use their privileges to use the API, login to workspace environment etc. based on their specific roles. diff --git a/docs/tre-admins/identities/application_admin.md b/docs/tre-admins/identities/application_admin.md index f64fcdd2d4..fc4be3817d 100644 --- a/docs/tre-admins/identities/application_admin.md +++ b/docs/tre-admins/identities/application_admin.md 
@@ -12,7 +12,7 @@ This application does not have any roles defined. | Application.ReadWrite.OwnedBy | Application | Yes | This user has `Application.ReadWrite.OwnedBy` as a minimum permission for it to function. If the tenant is managed by a customer administrator, then this user must be added to the **Owners** of every workspace that is created. This will allow TRE to manage the AAD Application. This will be a manual process for the Tenant Admin. | | Application.ReadWrite.All | Application | Yes | This permission is required to create workspace applications and administer any applications in the tenant. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant. | | Directory.Read.All | Application | Yes | This permission is required to read User details from Azure Active Directory. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. | -| Group.ReadWrite.All | Application | Yes | This permission is required to create and update Azure AD groups. This is requried if Azure AD groups are to be created automatically by the TRE. | +| Group.ReadWrite.All | Application | Yes | This permission is required to create and update Microsoft Entra Workforce ID groups. This is requried if Microsoft Entra Workforce ID groups are to be created automatically by the TRE. | '*' See the difference between [delegated and application permission](https://docs.microsoft.com/graph/auth/auth-concepts#delegated-and-application-permissions) types. See [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) for more details. diff --git a/docs/tre-admins/setup-instructions/workflows.md b/docs/tre-admins/setup-instructions/workflows.md index 28db90d053..ca9e371fc9 100644 --- a/docs/tre-admins/setup-instructions/workflows.md +++ b/docs/tre-admins/setup-instructions/workflows.md 
@@ -74,7 +74,7 @@ Configure the TRE API and Swagger UI repository secrets |
Secret name
| Description | | ----------- | ----------- | -| `AAD_TENANT_ID` | The tenant ID of the Azure AD. | +| `AAD_TENANT_ID` | The tenant ID of the Microsoft Entra Workforce ID. | | `SWAGGER_UI_CLIENT_ID` | The application (client) ID of the TRE Swagger UI app. | | `API_CLIENT_ID` | The application (client) ID of the TRE API app. | | `API_CLIENT_SECRET` | The application password (client secret) of the TRE API app. | diff --git a/docs/tre-templates/workspace-services/gitea.md b/docs/tre-templates/workspace-services/gitea.md index b62b9778aa..65904692a4 100644 --- a/docs/tre-templates/workspace-services/gitea.md +++ b/docs/tre-templates/workspace-services/gitea.md @@ -7,7 +7,7 @@ See: [https://gitea.io/](https://gitea.io) The Gitea worskpace service opens outbound access to: - AzureActiveDirectory -- Azure AD CDN - `https://aadcdn.msftauth.net` +- Microsoft Entra Workforce ID CDN - `https://aadcdn.msftauth.net` ## Prerequisites diff --git a/templates/workspace_services/guacamole/terraform/variables.tf b/templates/workspace_services/guacamole/terraform/variables.tf index 26fcbb2f05..0fd95b6e2c 100644 --- a/templates/workspace_services/guacamole/terraform/variables.tf +++ b/templates/workspace_services/guacamole/terraform/variables.tf @@ -4,7 +4,7 @@ variable "workspace_id" { } variable "aad_authority_url" { type = string - description = "The Azure AD authority URL" + description = "The Microsoft Entra Workforce ID authority URL" } variable "tre_id" { type = string From 8fc130ad587b7e9f84cdcc215246ee400d768070 Mon Sep 17 00:00:00 2001 
From: wojciechcloudkubed <159798789+wojciechcloudkubed@users.noreply.github.com> Date: Fri, 15 Mar 2024 09:03:40 +0000 Subject: [PATCH 02/27] update Azure Active Directory to Microsoft Entra Workforce ID --- Makefile | 4 ++-- README.md | 2 +- devops/scripts/aad/create_api_application.sh | 2 +- .../aad/create_application_administrator.sh | 2 +- .../aad/create_automation_administrator.sh | 2 +- .../aad/create_workspace_application.sh | 2 +- devops/scripts/create_aad_assets.sh | 2 +- docs/azure-tre-overview/architecture.md | 2 +- docs/index.md | 2 +- docs/tre-admins/auth.md | 18 +++++++++--------- docs/tre-admins/identities/api.md | 4 ++-- .../tre-admins/identities/application_admin.md | 2 +- docs/tre-admins/identities/test-account.md | 4 ++-- .../setup-instructions/ad-tenant-choices.md | 4 ++-- .../installing-base-workspace.md | 2 +- .../setup-instructions/prerequisites.md | 2 +- .../setup-instructions/setup-auth-entities.md | 2 +- .../ui-install-base-workspace.md | 2 +- docs/tre-templates/shared-services/gitea.md | 2 +- docs/tre-templates/shared-services/nexus.md | 2 +- .../local-development/local-development.md | 2 +- .../aml_compute/template_schema.json | 4 ++-- 22 files changed, 35 insertions(+), 35 deletions(-) diff --git a/Makefile b/Makefile index f450e2a36f..38adc7a408 100644 --- a/Makefile +++ b/Makefile @@ -362,8 +362,8 @@ setup-local-debugging: ## 🛠️ Setup local debugging && . ${MAKEFILE_DIR}/devops/scripts/load_env.sh ${MAKEFILE_DIR}/core/private.env \ && . ${MAKEFILE_DIR}/devops/scripts/setup_local_debugging.sh -auth: ## 🔐 Create the necessary Azure Active Directory assets - $(call target_title,"Setting up Azure Active Directory") \ +auth: ## 🔐 Create the necessary Microsoft Entra Workforce ID assets + $(call target_title,"Setting up Microsoft Entra Workforce ID") \ && . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env \ && ${MAKEFILE_DIR}/devops/scripts/create_aad_assets.sh 
diff --git a/README.md b/README.md index 4bcb9bcc3e..b2a3683d68 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ Core features include: - Self-service provisioning of research tooling for research teams - Package and repository mirroring - PyPi, R-CRAN, Apt and more. - Extensible architecture - build your own service templates as required -- Azure Active Directory integration +- Microsoft Entra Workforce ID integration - Airlock - import and export - Cost reporting - Ready to workspace templates including: diff --git a/devops/scripts/aad/create_api_application.sh b/devops/scripts/aad/create_api_application.sh index f3bbc70b49..d8158627d2 100755 --- a/devops/scripts/aad/create_api_application.sh +++ b/devops/scripts/aad/create_api_application.sh @@ -11,7 +11,7 @@ function show_usage() Utility script for creating app registrations required by Azure TRE. This script will create the API and Client Applications. The Client Application is the public facing app, whereas the API is an internal AAD Application. -You must be logged in using Azure CLI with sufficient privileges to modify Azure Active Directory to run this script. +You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra Workforce ID to run this script. Usage: $0 -n [-r ] [-a] [-s] [--automation-account] diff --git a/devops/scripts/aad/create_application_administrator.sh b/devops/scripts/aad/create_application_administrator.sh index a707a7b333..2036607d71 100755 --- a/devops/scripts/aad/create_application_administrator.sh +++ b/devops/scripts/aad/create_application_administrator.sh 
@@ -11,7 +11,7 @@ function show_usage() Utility script for creating an application administrator for TRE. This is mandatory and is used to manage AAD Application creation within TRE. This script is called when you run "make auth" and the environment variable AUTO_WORKSPACE_APP_REGISTRATION determines the permission this identity has. -You must be logged in using Azure CLI with sufficient privileges to modify Azure Active Directory to run this script. +You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra Workforce ID to run this script. Usage: $0 --name "MYTRE" --application-permission "Application.ReadWrite.OwnedBy" [--admin-consent] diff --git a/devops/scripts/aad/create_automation_administrator.sh b/devops/scripts/aad/create_automation_administrator.sh index 3061257ccc..2ee8b7bea7 100755 --- a/devops/scripts/aad/create_automation_administrator.sh +++ b/devops/scripts/aad/create_automation_administrator.sh @@ -10,7 +10,7 @@ function show_usage() Utility script for creating an automation administrator for TRE. This is optional and is used when you want to run the E2E tests locally or automatically register bundles in the TRE. -You must be logged in using Azure CLI with sufficient privileges to modify Azure Active Directory to run this script. +You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra Workforce ID to run this script. Usage: $0 --name "mytre" [--admin-consent] diff --git a/devops/scripts/aad/create_workspace_application.sh b/devops/scripts/aad/create_workspace_application.sh index acc3cd2c88..ab56db14c7 100755 --- a/devops/scripts/aad/create_workspace_application.sh +++ b/devops/scripts/aad/create_workspace_application.sh 
@@ -10,7 +10,7 @@ function show_usage() Utility script for creating a workspace TRE. You would typically have one of these per workspace for a security boundary. -You must be logged in using Azure CLI with sufficient privileges to modify Azure Active Directory to run this script. +You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra Workforce ID to run this script. Usage: $0 [--admin-consent] diff --git a/devops/scripts/create_aad_assets.sh b/devops/scripts/create_aad_assets.sh index d034e1be40..86b1545118 100755 --- a/devops/scripts/create_aad_assets.sh +++ b/devops/scripts/create_aad_assets.sh @@ -12,7 +12,7 @@ CHANGED_TENANT=0 LOGGED_IN_TENANT_ID=$(az account show --query tenantId -o tsv) if [ "${LOGGED_IN_TENANT_ID}" != "${AAD_TENANT_ID}" ]; then - echo "Attempting to sign you onto ${AAD_TENANT_ID} to setup Azure Active Directory assets." + echo "Attempting to sign you onto ${AAD_TENANT_ID} to setup Microsoft Entra Workforce ID assets." # First we need to login to the AAD tenant (as it is different to the subscription tenant) az login --tenant "${AAD_TENANT_ID}" --allow-no-subscriptions --use-device-code diff --git a/docs/azure-tre-overview/architecture.md b/docs/azure-tre-overview/architecture.md index 89abf8f147..25fc8e2b99 100644 --- a/docs/azure-tre-overview/architecture.md +++ b/docs/azure-tre-overview/architecture.md 
@@ -8,7 +8,7 @@ All traffic has to be explicitly allowed by the Application Gateway or the Firew [![Architecture overview](../assets/archtecture-overview.png)](../assets/archtecture-overview.png) -The Azure resources outside the network boundries of the Azure TRE are Azure Active Directory, Microsoft Graph and TRE Management. TRE Management are resources used during deployment. +The Azure resources outside the network boundries of the Azure TRE are Microsoft Entra Workforce ID, Microsoft Graph and TRE Management. TRE Management are resources used during deployment. The Azure TRE core plane consists of two groups of components: diff --git a/docs/index.md b/docs/index.md index 5398470069..dacc8e7b74 100644 --- a/docs/index.md +++ b/docs/index.md @@ -20,7 +20,7 @@ Core features include: - Self-service for research teams – research tooling creation and administration - Package and repository mirroring - Extensible architecture - build your own service templates as required -- Azure Active Directory integration +- Microsoft Entra Workforce ID integration - Airlock - Cost reporting - Ready to workspace templates including: diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md index 6f8c007a96..56e849d95a 100644 --- a/docs/tre-admins/auth.md +++ b/docs/tre-admins/auth.md 
@@ -1,8 +1,8 @@ # Introduction to Authentication and Authorization -[Azure Active Directory (AAD)](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. AAD holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role. +[Microsoft Entra Workforce ID (AAD)](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. AAD holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role. -It is common that the Azure Administrator is not necessarily the Azure Active Directory Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually. +It is common that the Azure Administrator is not necessarily the Microsoft Entra Workforce ID Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually. This page describes the automated Auth setup for TRE. 
@@ -38,16 +38,16 @@ The contents of your authentication section in `config.yaml` file should contain | `WORKSPACE_API_CLIENT_ID` | Each workspace is secured behind it's own AD Application| | `WORKSPACE_API_CLIENT_SECRET` | Each workspace is secured behind it's own AD Application. This is the secret for that application.| -### Using a separate Azure Active Directory tenant +### Using a separate Microsoft Entra Workforce ID tenant !!! caution - This section is only relevant it you are setting up a separate Azure Active Directory tenant for use. - This is only recommended for development environments when you don't have the required permissions to register applications in Azure Active Directory. - Using a separate Azure Active Directory tenant will prevent you from using certain Azure Active Directory integrated services. - For production deployments, work with your Azure Active Directory administrator to perform the required registration + This section is only relevant it you are setting up a separate Microsoft Entra Workforce ID tenant for use. + This is only recommended for development environments when you don't have the required permissions to register applications in Microsoft Entra Workforce ID. + Using a separate Microsoft Entra Workforce ID tenant will prevent you from using certain Microsoft Entra Workforce ID integrated services. + For production deployments, work with your Microsoft Entra Workforce ID administrator to perform the required registration -1. Create an Azure Active Directory tenant - To create a new Azure Active Directory tenant, [follow the steps here](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) +1. Create an Microsoft Entra Workforce ID tenant + To create a new Microsoft Entra Workforce ID tenant, [follow the steps here](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) 1. Follow the steps outlined above. 
`make auth` should logon to the correct tenant. Make sure you logon back to the correct tenant before running `make all`. diff --git a/docs/tre-admins/identities/api.md b/docs/tre-admins/identities/api.md index 36aeec5bc3..0dc04b285b 100644 --- a/docs/tre-admins/identities/api.md +++ b/docs/tre-admins/identities/api.md @@ -4,7 +4,7 @@ The API Identity is typically called ` API` within the AAD Portal. ## Purpose -This identity's credentials are stored in the `core` Key Vault and mandatory for the running of the Trusted Research Environment (TRE). It is required for the API Application, hosted in Azure App Service, to authenticate to Azure Active Directory and authorize the various operations. +This identity's credentials are stored in the `core` Key Vault and mandatory for the running of the Trusted Research Environment (TRE). It is required for the API Application, hosted in Azure App Service, to authenticate to Microsoft Entra Workforce ID and authorize the various operations. ## Application Roles @@ -60,7 +60,7 @@ Below is a sample where `TRE_ID` has value `mytre`: You can create an automation account which will aid your development flow, if you don't want to do this you can omit the `--automation-clientid` switch. -You can run the script without the `--admin-consent` and ask your admin to grant consent. If you don't have permissions and just want to create a development environment then skip this step and see the steps in the "Using a separate Azure Active Directory tenant) below. +You can run the script without the `--admin-consent` and ask your admin to grant consent. If you don't have permissions and just want to create a development environment then skip this step and see the steps in the "Using a separate Microsoft Entra Workforce ID tenant) below. ## Environment Variables | Variable | Description | Location | diff --git a/docs/tre-admins/identities/application_admin.md b/docs/tre-admins/identities/application_admin.md index fc4be3817d..e588554811 100644 
--- a/docs/tre-admins/identities/application_admin.md +++ b/docs/tre-admins/identities/application_admin.md @@ -11,7 +11,7 @@ This application does not have any roles defined. | --- | -- | -----| --------- | | Application.ReadWrite.OwnedBy | Application | Yes | This user has `Application.ReadWrite.OwnedBy` as a minimum permission for it to function. If the tenant is managed by a customer administrator, then this user must be added to the **Owners** of every workspace that is created. This will allow TRE to manage the AAD Application. This will be a manual process for the Tenant Admin. | | Application.ReadWrite.All | Application | Yes | This permission is required to create workspace applications and administer any applications in the tenant. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant. | -| Directory.Read.All | Application | Yes | This permission is required to read User details from Azure Active Directory. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. | +| Directory.Read.All | Application | Yes | This permission is required to read User details from Microsoft Entra Workforce ID. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. | | Group.ReadWrite.All | Application | Yes | This permission is required to create and update Microsoft Entra Workforce ID groups. This is requried if Microsoft Entra Workforce ID groups are to be created automatically by the TRE. | '*' See the difference between [delegated and application permission](https://docs.microsoft.com/graph/auth/auth-concepts#delegated-and-application-permissions) types. See [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) for more details. 
diff --git a/docs/tre-admins/identities/test-account.md b/docs/tre-admins/identities/test-account.md index c913885730..0f0c3cf0dc 100644 --- a/docs/tre-admins/identities/test-account.md +++ b/docs/tre-admins/identities/test-account.md @@ -48,10 +48,10 @@ Example on how to run the script: ### Create this application from the portal (optional) -To create an application registration for automation, open the Azure Active Directory tenant for your TRE in the portal and navigate to "App Registrations". +To create an application registration for automation, open the Microsoft Entra Workforce ID tenant for your TRE in the portal and navigate to "App Registrations". Click "New registration" as shown in the image below. -![Screenshot of Azure portal showing "New registration" in Azure Active Directory](../../assets/tre-automation-new-app-registration.png) +![Screenshot of Azure portal showing "New registration" in Microsoft Entra Workforce ID](../../assets/tre-automation-new-app-registration.png) Enter a name for the application registration and click "Register". diff --git a/docs/tre-admins/setup-instructions/ad-tenant-choices.md b/docs/tre-admins/setup-instructions/ad-tenant-choices.md index 50eef29d25..b16e006c3b 100644 --- a/docs/tre-admins/setup-instructions/ad-tenant-choices.md +++ b/docs/tre-admins/setup-instructions/ad-tenant-choices.md @@ -1,4 +1,4 @@ -# Azure Active Directory Tenant Choices +# Microsoft Entra Workforce ID Tenant Choices ## Dedicated Tenant for TRE @@ -14,7 +14,7 @@ It is possible to use your corporate tenant for TRE. This does have the advantag [![TRE Tenant](../../assets/corp-tenant.png)](../../assets/corp-tenant.png) -## Create Dedicated Azure Active Directory Tenant +## Create Dedicated Microsoft Entra Workforce ID Tenant Follow [this guide](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to create new dedicated tenant. 
diff --git a/docs/tre-admins/setup-instructions/installing-base-workspace.md b/docs/tre-admins/setup-instructions/installing-base-workspace.md index 01a9350b3f..a0f101ba2e 100644 --- a/docs/tre-admins/setup-instructions/installing-base-workspace.md +++ b/docs/tre-admins/setup-instructions/installing-base-workspace.md @@ -29,7 +29,7 @@ As explained in the [auth guide](../auth.md), every workspace has a correspondin ``` !!! caution - If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Azure Active Directory tenant** in [Setup Auth configuration](setup-auth-entities.md) for more details. + If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Microsoft Entra Workforce ID tenant** in [Setup Auth configuration](setup-auth-entities.md) for more details. Running the script will report `workspace_api_client_id` and `workspace_api_client_secret` for the generated app. Add these under the authenrication section in `/config.yaml` so that automated testing will work. You also need to use `workspace_api_client_id` in the POST body below. diff --git a/docs/tre-admins/setup-instructions/prerequisites.md b/docs/tre-admins/setup-instructions/prerequisites.md index b4ac864188..6471f5c7e0 100644 --- a/docs/tre-admins/setup-instructions/prerequisites.md +++ b/docs/tre-admins/setup-instructions/prerequisites.md 
@@ -3,7 +3,7 @@
 To deploy an Azure TRE instance, the following assets and tools are required:
 * [Azure subscription](https://azure.microsoft.com)
-* [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations
+* [Microsoft Entra Workforce ID (AAD)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations
 * Git client such as [Git](https://git-scm.com/) or [GitHub Desktop](https://desktop.github.com/)
 * [Docker Desktop](https://www.docker.com/products/docker-desktop)
diff --git a/docs/tre-admins/setup-instructions/setup-auth-entities.md b/docs/tre-admins/setup-instructions/setup-auth-entities.md
index dc4f91b91b..2779128d5e 100644
--- a/docs/tre-admins/setup-instructions/setup-auth-entities.md
+++ b/docs/tre-admins/setup-instructions/setup-auth-entities.md
@@ -33,7 +33,7 @@ Next, you will set the configuration variables for the specific Azure TRE instan
 In case you have several subscriptions and would like to change your default subscription use `az account set --subscription `
 !!! note
- The full functionality of the script requires directory admin privileges. You may need to contact your friendly Azure Active Directory admin to complete this step. The app registrations can be created manually in Azure Portal too. For more information, see [Authentication and authorization](../auth.md).
+ The full functionality of the script requires directory admin privileges. You may need to contact your friendly Microsoft Entra Workforce ID admin to complete this step. The app registrations can be created manually in Azure Portal too. For more information, see [Authentication and authorization](../auth.md).
 All other variables can have their default values for now.
diff --git a/docs/tre-admins/setup-instructions/ui-install-base-workspace.md b/docs/tre-admins/setup-instructions/ui-install-base-workspace.md
index 46d067ab13..72989bd267 100644
--- a/docs/tre-admins/setup-instructions/ui-install-base-workspace.md
+++ b/docs/tre-admins/setup-instructions/ui-install-base-workspace.md
@@ -57,7 +57,7 @@ As explained in the [auth guide](../auth.md), every workspace has a correspondin
 ```
 !!! caution
- If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Azure Active Directory tenant** in [Setup Auth configuration](./setup-auth-entities.md) for more details.
+ If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Microsoft Entra Workforce ID tenant** in [Setup Auth configuration](./setup-auth-entities.md) for more details.
 Running the script will report `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` for the generated app. Set these under authentication section in `config.yaml` so that automated testing will work. You also need to use `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` in the form.
diff --git a/docs/tre-templates/shared-services/gitea.md b/docs/tre-templates/shared-services/gitea.md
index b846d042b2..ac1c9dc82b 100644
--- a/docs/tre-templates/shared-services/gitea.md
+++ b/docs/tre-templates/shared-services/gitea.md
@@ -44,6 +44,6 @@ Gitea needs to be able to access the following resource outside the Azure TRE VN
 | Service Tag / Destination | Justification |
 | --- | --- |
-| AzureActiveDirectory | Authorize the signed in user against Azure Active Directory. |
+| AzureActiveDirectory | Authorize the signed in user against Microsoft Entra Workforce ID. |
 | AzureContainerRegistry | Pull the Gitea container image, as it is located in Azure Container Registry. |
 | (www.)github.com | Allows Gitea to mirror any repo on GitHub |
diff --git a/docs/tre-templates/shared-services/nexus.md b/docs/tre-templates/shared-services/nexus.md
index 2a9e437a10..a4cbc795f2 100644
--- a/docs/tre-templates/shared-services/nexus.md
+++ b/docs/tre-templates/shared-services/nexus.md
@@ -63,7 +63,7 @@ Nexus Shared Service requires access to resources outside of the Azure TRE VNET.
 | Service Tag / Destination | Justification |
 | --- | --- |
-| AzureActiveDirectory | Authorize the signed in user against Azure Active Directory. |
+| AzureActiveDirectory | Authorize the signed in user against Microsoft Entra Workforce ID. |
 | AzureContainerRegistry | Pull the Nexus container image, as it is located in Azure Container Registry. |
 | pypi.org, *.pypi.org | Enables Nexus to "proxy" python packages to use inside of workspaces. |
 | repo.anaconda.com | Enables Nexus to "proxy" conda packages to use inside of workspaces. |
diff --git a/docs/using-tre/local-development/local-development.md b/docs/using-tre/local-development/local-development.md
index 2bda151098..1d3e752bc3 100644
--- a/docs/using-tre/local-development/local-development.md
+++ b/docs/using-tre/local-development/local-development.md
@@ -9,7 +9,7 @@ This guide will cover how to setup local development environment to add custom t
 To deploy an Azure TRE instance, the following assets and tools are required:
 * [Azure subscription](https://azure.microsoft.com)
-* [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations
+* [Microsoft Entra Workforce ID (AAD)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations
 * Git client such as [Git](https://git-scm.com/) or [GitHub Desktop](https://desktop.github.com/)
 * [Docker Desktop](https://www.docker.com/products/docker-desktop)
diff --git a/templates/workspace_services/azureml/user_resources/aml_compute/template_schema.json b/templates/workspace_services/azureml/user_resources/aml_compute/template_schema.json
index 044dfa5ee1..9ff32b7c19 100644
--- a/templates/workspace_services/azureml/user_resources/aml_compute/template_schema.json
+++ b/templates/workspace_services/azureml/user_resources/aml_compute/template_schema.json
@@ -41,8 +41,8 @@
 },
 "user_object_id": {
 "type": "string",
-"title": "Azure Active Directory User Object ID",
-"description": "The Azure Active Directory user object ID of User who will be using the compute instance",
+"title": "Microsoft Entra Workforce ID User Object ID",
+"description": "The Microsoft Entra Workforce ID user object ID of User who will be using the compute instance",
 "default": "",
 "minLength": 1
 }
From 4ba9df7dedcf96d4cb5b18d6cc4d9a58406f1e06 Mon Sep 17 00:00:00 2001
From: wojciechcloudkubed <159798789+wojciechcloudkubed@users.noreply.github.com>
Date: Fri, 15 Mar 2024 09:16:24 +0000
Subject: [PATCH 03/27] replace
---
 docs/tre-admins/auth.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md
index 56e849d95a..8aaec7bf1f 100644
--- a/docs/tre-admins/auth.md
+++ b/docs/tre-admins/auth.md
@@ -15,7 +15,7 @@ The automation utilises a `make` command, which reads a few environment variable
 |AAD_TENANT_ID|The tenant id of where your AAD identities will be placed. This can be different to the tenant where your Azure resources are created.|
 | LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application.
 |AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other AAD applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md).
-|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Active Directory licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).
+|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra Workforce ID licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).
 ## Create Authentication assets
 You can build all of the Identity assets by running the following at the command line
From 3900ef7a2098cc273e3b24f24d183652afa23b79 Mon Sep 17 00:00:00 2001
From: wojciechcloudkubed
Date: Mon, 18 Mar 2024 16:41:50 +0000
Subject: [PATCH 04/27] update version
---
 api_app/_version.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/api_app/_version.py b/api_app/_version.py
index 391a39001a..3f56ae5654 100644
--- a/api_app/_version.py
+++ b/api_app/_version.py
@@ -1 +1 @@
-__version__ = "0.18.5"
+__version__ = "0.19.5"
From 5879f2178f7d189570a2f4330a3e7f80f62ac734 Mon Sep 17 00:00:00 2001
From: wojciechcloudkubed
Date: Mon, 18 Mar 2024 16:48:31 +0000
Subject: [PATCH 05/27] change stale version
---
 api_app/_version.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/api_app/_version.py b/api_app/_version.py
index 3f56ae5654..bcea63d014 100644
--- a/api_app/_version.py
+++ b/api_app/_version.py
@@ -1 +1 @@
-__version__ = "0.19.5"
+__version__ = "0.18.6"
From 7fd193bd1fd1670627b6d5b67b3b32c79e3d4f01 Mon Sep 17 00:00:00 2001
From: wojciechcloudkubed
Date: Mon, 18 Mar 2024 17:11:37 +0000
Subject: [PATCH 06/27] update from stale
---
 resource_processor/_version.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resource_processor/_version.py b/resource_processor/_version.py
index fa3ddd8c5a..af46754d38 100644
--- a/resource_processor/_version.py
+++ b/resource_processor/_version.py
@@ -1 +1 @@
-__version__ = "0.8.4"
+__version__ = "0.8.5"
From efc350ec6fb1701970d823b1a72e912f8c30c483 Mon Sep 17 00:00:00 2001
From: wojciechcloudkubed
Date: Mon, 18 Mar 2024 17:20:00 +0000
Subject: [PATCH 07/27] update version
---
 core/version.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/version.txt b/core/version.txt
index 50533e307d..f5b77301f5 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.9.6"
+__version__ = "0.9.7"
From 1f2a1d726b823cfb8f558a4c315d6b7166669d03 Mon Sep 17 00:00:00 2001
From: Wojciech
Date: Tue, 19 Mar 2024 09:48:47 +0000
Subject: [PATCH 08/27] update readme
---
 ui/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ui/README.md b/ui/README.md
index 9ec30ef5ba..b1db0f731b 100644
--- a/ui/README.md
+++ b/ui/README.md
@@ -7,7 +7,7 @@ The UI was built using Create React App and Microsoft Fluent UI. Further details
 ## Run the UI
 - Ensure `deploy_ui=false` is not set in your `./config.yaml` file
 - In the root of the repo, run `make tre-deploy`. This will provision the necessary resources in Azure, build and deploy the UI to Azure blob storage, behind the App Gateway used for the API. The deployment process will also create the necessary `config.json`, using the `config.source.json` as a template.
-- In Azure AD, locate the TRE Client Apps app (possibly called Swagger App). In the Authentication section add reply URIs for:
+- In Microsoft Entra Workforce ID, locate the TRE Client Apps app (possibly called Swagger App). In the Authentication section add reply URIs for:
 - `http://localhost:3000` (if wanting to run locally)
 - Your deployed App Url - `https://{TRE_ID}.{LOCATION}.cloudapp.azure.com`.
From fb833ee9505168892a4d3ab67c97d940e660ef9a Mon Sep 17 00:00:00 2001
From: Wojciech
Date: Tue, 19 Mar 2024 14:42:14 +0000
Subject: [PATCH 09/27] Microsoft Entra Workforce ID -> Microsoft Entra ID
---
 Makefile | 4 ++--
 README.md | 2 +-
 api_app/api/routes/workspaces.py | 2 +-
 api_app/schemas/azuread.json | 2 +-
 cli/tre/commands/login.py | 2 +-
 core/terraform/variables.tf | 12 +++++-----
 devops/scripts/aad/create_api_application.sh | 6 ++---
 .../aad/create_application_administrator.sh | 6 ++---
 .../aad/create_automation_administrator.sh | 4 ++--
 .../aad/create_workspace_application.sh | 6 ++---
 devops/scripts/create_aad_assets.sh | 2 +-
 docs/azure-tre-overview/architecture.md | 2 +-
 docs/index.md | 2 +-
 docs/tre-admins/auth.md | 22 +++++++++----------
 docs/tre-admins/identities/api.md | 4 ++--
 .../identities/application_admin.md | 4 ++--
 docs/tre-admins/identities/test-account.md | 4 ++--
 .../setup-instructions/ad-tenant-choices.md | 4 ++--
 .../installing-base-workspace.md | 2 +-
 .../setup-instructions/prerequisites.md | 2 +-
 .../setup-instructions/setup-auth-entities.md | 2 +-
 .../ui-install-base-workspace.md | 2 +-
 .../setup-instructions/workflows.md | 2 +-
 docs/tre-templates/shared-services/gitea.md | 2 +-
 docs/tre-templates/shared-services/nexus.md | 2 +-
 .../tre-templates/workspace-services/gitea.md | 2 +-
 .../local-development/local-development.md | 2 +-
 .../aml_compute/template_schema.json | 4 ++--
 .../guacamole/terraform/variables.tf | 2 +-
 ui/README.md | 2 +-
 30 files changed, 58 insertions(+), 58 deletions(-)
diff --git a/Makefile b/Makefile
index 38adc7a408..cb8afa7aaf 100644
--- a/Makefile
+++ b/Makefile
@@ -362,8 +362,8 @@ setup-local-debugging: ## 🛠️ Setup local debugging
 && . ${MAKEFILE_DIR}/devops/scripts/load_env.sh ${MAKEFILE_DIR}/core/private.env \
 && . ${MAKEFILE_DIR}/devops/scripts/setup_local_debugging.sh
-auth: ## 🔐 Create the necessary Microsoft Entra Workforce ID assets
- $(call target_title,"Setting up Microsoft Entra Workforce ID") \
+auth: ## 🔐 Create the necessary Microsoft Entra ID assets
+ $(call target_title,"Setting up Microsoft Entra ID") \
 && . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env \
 && ${MAKEFILE_DIR}/devops/scripts/create_aad_assets.sh
diff --git a/README.md b/README.md
index b2a3683d68..2fbbb0b2b5 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ Core features include:
 - Self-service provisioning of research tooling for research teams
 - Package and repository mirroring - PyPi, R-CRAN, Apt and more.
 - Extensible architecture - build your own service templates as required
-- Microsoft Entra Workforce ID integration
+- Microsoft Entra ID integration
 - Airlock - import and export
 - Cost reporting
 - Ready to workspace templates including:
diff --git a/api_app/api/routes/workspaces.py b/api_app/api/routes/workspaces.py
index 1701b779f6..02b20fd786 100644
--- a/api_app/api/routes/workspaces.py
+++ b/api_app/api/routes/workspaces.py
@@ -99,7 +99,7 @@ async def retrieve_workspace_scope_id_by_workspace_id(workspace=Depends(get_work
 @workspaces_core_router.post("/workspaces", status_code=status.HTTP_202_ACCEPTED, response_model=OperationInResponse, name=strings.API_CREATE_WORKSPACE, dependencies=[Depends(get_current_admin_user)])
 async def create_workspace(workspace_create: WorkspaceInCreate, response: Response, user=Depends(get_current_admin_user), workspace_repo=Depends(get_repository(WorkspaceRepository)), resource_template_repo=Depends(get_repository(ResourceTemplateRepository)), operations_repo=Depends(get_repository(OperationRepository)), resource_history_repo=Depends(get_repository(ResourceHistoryRepository))) -> OperationInResponse:
 try:
- # TODO: This requires Directory.ReadAll ( Application.Read.All ) to be enabled in the Microsoft Entra Workforce ID application to enable a users workspaces to be listed. This should be made optional.
+ # TODO: This requires Directory.ReadAll ( Application.Read.All ) to be enabled in the Microsoft Entra ID application to enable a users workspaces to be listed. This should be made optional.
 auth_info = extract_auth_information(workspace_create.properties)
 workspace, resource_template = await workspace_repo.create_workspace_item(workspace_create, auth_info, user.id, user.roles)
 except (ValidationError, ValueError) as e:
diff --git a/api_app/schemas/azuread.json b/api_app/schemas/azuread.json
index 6f7ddd448a..ad96d2e370 100644
--- a/api_app/schemas/azuread.json
+++ b/api_app/schemas/azuread.json
@@ -2,7 +2,7 @@
 "$schema": "http://json-schema.org/draft-07/schema",
 "$id": "https://github.com/microsoft/AzureTRE/schema/azuread.json",
 "type": "object",
-"title": "Microsoft Entra Workforce ID Authorisation Schema",
+"title": "Microsoft Entra ID Authorisation Schema",
 "default": {},
 "required": [
 ],
diff --git a/cli/tre/commands/login.py b/cli/tre/commands/login.py
index 511f0b09e8..45d76121d4 100644
--- a/cli/tre/commands/login.py
+++ b/cli/tre/commands/login.py
@@ -43,7 +43,7 @@ def login():
 + 'https://..cloudapp.azure.com/')
 @click.option('--client-id',
 required=False,
- help='The Client ID of the Microsoft Entra Workforce ID application for the API (optional for API versions >= v0.5.7)')
+ help='The Client ID of the Microsoft Entra ID application for the API (optional for API versions >= v0.5.7)')
 @click.option('--aad-tenant-id',
 required=False,
 help='The Tenant ID for the AAD tenant to authenticate with (optional for API versions >= v0.5.7)')
diff --git a/core/terraform/variables.tf b/core/terraform/variables.tf
index 2b9a609f05..900a48e18d 100644
--- a/core/terraform/variables.tf
+++ b/core/terraform/variables.tf
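Review bot: The renamed `--client-id` help text now says "Microsoft Entra ID" while the neighbouring `--aad-tenant-id` help in the same hunk still reads `help='The Tenant ID for the AAD tenant to authenticate with (optional for API versions >= v0.5.7)'`, so the CLI's own `--help` output mixes the old and new product names. Keep the option name `--aad-tenant-id` itself (renaming it would break existing invocations) but align the wording, e.g. `help='The Tenant ID of the Microsoft Entra ID (AAD) tenant to authenticate with (optional for API versions >= v0.5.7)'`. The same half-renamed wording survives in the core/terraform/variables.tf hunk (`... in Microsoft Entra ID for creating AAD Applications`) and in the usage text of the devops/scripts/aad/*.sh hunks (`internal AAD Application`, `manage AAD Application creation`), so a single pass over those strings would finish the rename. The decorated `login()` function continues outside the hunk.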
@@ -78,37 +78,37 @@ variable "enable_swagger" {
 variable "swagger_ui_client_id" {
 type = string
- description = "The client id (app id) of the registration in Microsoft Entra Workforce ID for the Swagger UI"
+ description = "The client id (app id) of the registration in Microsoft Entra ID for the Swagger UI"
 sensitive = true
 }
 variable "aad_tenant_id" {
 type = string
- description = "The tenant id of the Microsoft Entra Workforce ID used for authentication."
+ description = "The tenant id of the Microsoft Entra ID used for authentication."
 sensitive = true
 }
 variable "api_client_id" {
 type = string
- description = "The client id (app id) of the registration in Microsoft Entra Workforce ID for the API."
+ description = "The client id (app id) of the registration in Microsoft Entra ID for the API."
 sensitive = true
 }
 variable "api_client_secret" {
 type = string
- description = "A client secret used by the API to authenticate with Microsoft Entra Workforce ID for access to Microsoft Graph."
+ description = "A client secret used by the API to authenticate with Microsoft Entra ID for access to Microsoft Graph."
 sensitive = true
 }
 variable "application_admin_client_id" {
 type = string
- description = "The client id (app id) of the registration in Microsoft Entra Workforce ID for creating AAD Applications."
+ description = "The client id (app id) of the registration in Microsoft Entra ID for creating AAD Applications."
 sensitive = true
 }
 variable "application_admin_client_secret" {
 type = string
- description = "A client secret used by the Resource Processor to authenticate with Microsoft Entra Workforce ID to create AAD Applications."
+ description = "A client secret used by the Resource Processor to authenticate with Microsoft Entra ID to create AAD Applications."
 sensitive = true
 }
diff --git a/devops/scripts/aad/create_api_application.sh b/devops/scripts/aad/create_api_application.sh
index d8158627d2..8b9e38081e 100755
--- a/devops/scripts/aad/create_api_application.sh
+++ b/devops/scripts/aad/create_api_application.sh
@@ -11,7 +11,7 @@ function show_usage()
 Utility script for creating app registrations required by Azure TRE. This script will create the API and Client Applications. The Client Application is the public facing app, whereas the API is an internal AAD Application.
-You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra Workforce ID to run this script.
+You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra ID to run this script.
 Usage: $0 -n [-r ] [-a] [-s] [--automation-account]
@@ -19,7 +19,7 @@ Options:
 -n,--name Required. The prefix for the app (registration) names e.g., "TRE", or "Workspace One".
 -u,--tre-url TRE URL, used to construct auth redirection URLs for the UI and Swagger app.
 -a,--admin-consent Optional, but recommended. Grants admin consent for the app registrations, when this flag is set.
- Requires directory admin privileges to the Microsoft Entra Workforce ID in question.
+ Requires directory admin privileges to the Microsoft Entra ID in question.
 -t,--automation-clientid Optional, when --workspace is specified the client ID of the automation account can be added to the TRE workspace.
 -r,--reset-password Optional, switch to automatically reset the password. Default 0
@@ -102,7 +102,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show-
 msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
 tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id')
-echo -e "\e[96mCreating the API/UX Application in the \"${tenant}\" Microsoft Entra Workforce ID tenant.\e[0m"
+echo -e "\e[96mCreating the API/UX Application in the \"${tenant}\" Microsoft Entra ID tenant.\e[0m"
 # Load in helper functions
 # shellcheck disable=SC1091
diff --git a/devops/scripts/aad/create_application_administrator.sh b/devops/scripts/aad/create_application_administrator.sh
index 2036607d71..af1a4ed3f1 100755
--- a/devops/scripts/aad/create_application_administrator.sh
+++ b/devops/scripts/aad/create_application_administrator.sh
@@ -11,14 +11,14 @@ function show_usage()
 Utility script for creating an application administrator for TRE. This is mandatory and is used to manage AAD Application creation within TRE. This script is called when you run "make auth" and the environment variable AUTO_WORKSPACE_APP_REGISTRATION determines the permission this identity has.
-You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra Workforce ID to run this script.
+You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra ID to run this script.
 Usage: $0 --name "MYTRE" --application-permission "Application.ReadWrite.OwnedBy" [--admin-consent]
 Options:
 -n,--name Required. The prefix for the app (registration) names e.g., "TRE".
 -a,--admin-consent Optional, but recommended. Grants admin consent for the app registrations, when this flag is set.
- Requires directory admin privileges to the Microsoft Entra Workforce ID in question.
+ Requires directory admin privileges to the Microsoft Entra ID in question.
 -p,--application-permission The API Permission that this identity will be granted.
 -r,--reset-password Optional, switch to automatically reset the password. Default 0
@@ -85,7 +85,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show-
 msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
 tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id')
-echo -e "\e[96mCreating the Application Admin in the \"${tenant}\" Microsoft Entra Workforce ID tenant.\e[0m"
+echo -e "\e[96mCreating the Application Admin in the \"${tenant}\" Microsoft Entra ID tenant.\e[0m"
 # Load in helper functions
 # shellcheck disable=SC1091
diff --git a/devops/scripts/aad/create_automation_administrator.sh b/devops/scripts/aad/create_automation_administrator.sh
index 2ee8b7bea7..6fc4a8b878 100755
--- a/devops/scripts/aad/create_automation_administrator.sh
+++ b/devops/scripts/aad/create_automation_administrator.sh
@@ -10,7 +10,7 @@ function show_usage()
 Utility script for creating an automation administrator for TRE. This is optional and is used when you want to run the E2E tests locally or automatically register bundles in the TRE.
-You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra Workforce ID to run this script.
+You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra ID to run this script.
 Usage: $0 --name "mytre" [--admin-consent]
@@ -70,7 +70,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show-
 msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
 tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id')
-echo -e "\e[96mCreating the Automation Admin in the \"${tenant}\" Microsoft Entra Workforce ID tenant.\e[0m"
+echo -e "\e[96mCreating the Automation Admin in the \"${tenant}\" Microsoft Entra ID tenant.\e[0m"
 # Load in helper functions
 # shellcheck disable=SC1091
diff --git a/devops/scripts/aad/create_workspace_application.sh b/devops/scripts/aad/create_workspace_application.sh
index ab56db14c7..59191cfd60 100755
--- a/devops/scripts/aad/create_workspace_application.sh
+++ b/devops/scripts/aad/create_workspace_application.sh
@@ -10,7 +10,7 @@ function show_usage()
 Utility script for creating a workspace TRE. You would typically have one of these per workspace for a security boundary.
-You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra Workforce ID to run this script.
+You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra ID to run this script.
 Usage: $0 [--admin-consent]
@@ -20,7 +20,7 @@ Options:
 -y,--application-admin-clientid Required. The client ID of the Application Administrator that will be able to update this application. e.g. updating a redirect URI.
 -a,--admin-consent Optional, but recommended. Grants admin consent for the app registrations, when this flag is set.
- Requires directory admin privileges to the Microsoft Entra Workforce ID in question.
+ Requires directory admin privileges to the Microsoft Entra ID in question.
 -z,--automation-clientid Optional, the client ID of the automation account can be added to the TRE workspace.
 -r,--reset-password Optional, switch to automatically reset the password. Default 0
@@ -103,7 +103,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show-
 msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0"
 tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id')
-echo -e "\e[96mCreating a Workspace Application in the \"${tenant}\" Microsoft Entra Workforce ID tenant.\e[0m"
+echo -e "\e[96mCreating a Workspace Application in the \"${tenant}\" Microsoft Entra ID tenant.\e[0m"
 # Load in helper functions
 # shellcheck disable=SC1091
diff --git a/devops/scripts/create_aad_assets.sh b/devops/scripts/create_aad_assets.sh
index 86b1545118..51c4d3f093 100755
--- a/devops/scripts/create_aad_assets.sh
+++ b/devops/scripts/create_aad_assets.sh
@@ -12,7 +12,7 @@ CHANGED_TENANT=0
 LOGGED_IN_TENANT_ID=$(az account show --query tenantId -o tsv)
 if [ "${LOGGED_IN_TENANT_ID}" != "${AAD_TENANT_ID}" ]; then
- echo "Attempting to sign you onto ${AAD_TENANT_ID} to setup Microsoft Entra Workforce ID assets."
+ echo "Attempting to sign you onto ${AAD_TENANT_ID} to setup Microsoft Entra ID assets."
 # First we need to login to the AAD tenant (as it is different to the subscription tenant)
 az login --tenant "${AAD_TENANT_ID}" --allow-no-subscriptions --use-device-code
diff --git a/docs/azure-tre-overview/architecture.md b/docs/azure-tre-overview/architecture.md
index 25fc8e2b99..33a18718b3 100644
--- a/docs/azure-tre-overview/architecture.md
+++ b/docs/azure-tre-overview/architecture.md
@@ -8,7 +8,7 @@ All traffic has to be explicitly allowed by the Application Gateway or the Firew
 [![Architecture overview](../assets/archtecture-overview.png)](../assets/archtecture-overview.png)
-The Azure resources outside the network boundries of the Azure TRE are Microsoft Entra Workforce ID, Microsoft Graph and TRE Management. TRE Management are resources used during deployment.
+The Azure resources outside the network boundries of the Azure TRE are Microsoft Entra ID, Microsoft Graph and TRE Management. TRE Management are resources used during deployment.
 The Azure TRE core plane consists of two groups of components:
diff --git a/docs/index.md b/docs/index.md
index dacc8e7b74..daa36b31fb 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -20,7 +20,7 @@ Core features include:
 - Self-service for research teams – research tooling creation and administration
 - Package and repository mirroring
 - Extensible architecture - build your own service templates as required
-- Microsoft Entra Workforce ID integration
+- Microsoft Entra ID integration
 - Airlock
 - Cost reporting
 - Ready to workspace templates including:
diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md
index 8aaec7bf1f..8a0ba7a056 100644
--- a/docs/tre-admins/auth.md
+++ b/docs/tre-admins/auth.md
@@ -1,8 +1,8 @@
 # Introduction to Authentication and Authorization
-[Microsoft Entra Workforce ID (AAD)](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. AAD holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role.
+[Microsoft Entra ID (AAD)](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. AAD holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role.
-It is common that the Azure Administrator is not necessarily the Microsoft Entra Workforce ID Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually.
+It is common that the Azure Administrator is not necessarily the Microsoft Entra ID Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually.
 This page describes the automated Auth setup for TRE.
@@ -15,7 +15,7 @@ The automation utilises a `make` command, which reads a few environment variable
 |AAD_TENANT_ID|The tenant id of where your AAD identities will be placed. This can be different to the tenant where your Azure resources are created.|
 | LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application.
 |AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other AAD applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md).
-|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra Workforce ID licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).
+|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).
 ## Create Authentication assets
 You can build all of the Identity assets by running the following at the command line
@@ -38,16 +38,16 @@ The contents of your authentication section in `config.yaml` file should contain | `WORKSPACE_API_CLIENT_ID` | Each workspace is secured behind it's own AD Application| | `WORKSPACE_API_CLIENT_SECRET` | Each workspace is secured behind it's own AD Application. This is the secret for that application.| -### Using a separate Microsoft Entra Workforce ID tenant +### Using a separate Microsoft Entra ID tenant !!! caution - This section is only relevant it you are setting up a separate Microsoft Entra Workforce ID tenant for use. - This is only recommended for development environments when you don't have the required permissions to register applications in Microsoft Entra Workforce ID. - Using a separate Microsoft Entra Workforce ID tenant will prevent you from using certain Microsoft Entra Workforce ID integrated services. - For production deployments, work with your Microsoft Entra Workforce ID administrator to perform the required registration + This section is only relevant it you are setting up a separate Microsoft Entra ID tenant for use. + This is only recommended for development environments when you don't have the required permissions to register applications in Microsoft Entra ID. + Using a separate Microsoft Entra ID tenant will prevent you from using certain Microsoft Entra ID integrated services. + For production deployments, work with your Microsoft Entra ID administrator to perform the required registration -1. Create an Microsoft Entra Workforce ID tenant - To create a new Microsoft Entra Workforce ID tenant, [follow the steps here](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) +1. Create an Microsoft Entra ID tenant + To create a new Microsoft Entra ID tenant, [follow the steps here](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) 1. Follow the steps outlined above. `make auth` should logon to the correct tenant. 
Make sure you logon back to the correct tenant before running `make all`. @@ -72,7 +72,7 @@ We strongly recommend that you use `make auth` to create the AAD assets as this For a user to gain access to the system, they have to: -1. Have an identity in Microsoft Entra Workforce ID +1. Have an identity in Microsoft Entra ID 1. Be linked with an app registration and assigned a role When these requirements are met, the user can sign-in using their credentials and use their privileges to use the API, login to workspace environment etc. based on their specific roles. diff --git a/docs/tre-admins/identities/api.md b/docs/tre-admins/identities/api.md index 0dc04b285b..829fd22bbf 100644 --- a/docs/tre-admins/identities/api.md +++ b/docs/tre-admins/identities/api.md @@ -4,7 +4,7 @@ The API Identity is typically called ` API` within the AAD Portal. ## Purpose -This identity's credentials are stored in the `core` Key Vault and mandatory for the running of the Trusted Research Environment (TRE). It is required for the API Application, hosted in Azure App Service, to authenticate to Microsoft Entra Workforce ID and authorize the various operations. +This identity's credentials are stored in the `core` Key Vault and mandatory for the running of the Trusted Research Environment (TRE). It is required for the API Application, hosted in Azure App Service, to authenticate to Microsoft Entra ID and authorize the various operations. ## Application Roles 
@@ -60,7 +60,7 @@ Below is a sample where `TRE_ID` has value `mytre`: You can create an automation account which will aid your development flow, if you don't want to do this you can omit the `--automation-clientid` switch. -You can run the script without the `--admin-consent` and ask your admin to grant consent. If you don't have permissions and just want to create a development environment then skip this step and see the steps in the "Using a separate Microsoft Entra Workforce ID tenant) below. +You can run the script without the `--admin-consent` and ask your admin to grant consent. If you don't have permissions and just want to create a development environment then skip this step and see the steps in the "Using a separate Microsoft Entra ID tenant) below. ## Environment Variables | Variable | Description | Location | diff --git a/docs/tre-admins/identities/application_admin.md b/docs/tre-admins/identities/application_admin.md index e588554811..5342e844df 100644 --- a/docs/tre-admins/identities/application_admin.md +++ b/docs/tre-admins/identities/application_admin.md 
@@ -11,8 +11,8 @@ This application does not have any roles defined. | --- | -- | -----| --------- | | Application.ReadWrite.OwnedBy | Application | Yes | This user has `Application.ReadWrite.OwnedBy` as a minimum permission for it to function. If the tenant is managed by a customer administrator, then this user must be added to the **Owners** of every workspace that is created. This will allow TRE to manage the AAD Application. This will be a manual process for the Tenant Admin. | | Application.ReadWrite.All | Application | Yes | This permission is required to create workspace applications and administer any applications in the tenant. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant. | -| Directory.Read.All | Application | Yes | This permission is required to read User details from Microsoft Entra Workforce ID. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. | -| Group.ReadWrite.All | Application | Yes | This permission is required to create and update Microsoft Entra Workforce ID groups. This is requried if Microsoft Entra Workforce ID groups are to be created automatically by the TRE. | +| Directory.Read.All | Application | Yes | This permission is required to read User details from Microsoft Entra ID. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. | +| Group.ReadWrite.All | Application | Yes | This permission is required to create and update Microsoft Entra ID groups. This is requried if Microsoft Entra ID groups are to be created automatically by the TRE. | '*' See the difference between [delegated and application permission](https://docs.microsoft.com/graph/auth/auth-concepts#delegated-and-application-permissions) types. 
See [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) for more details. diff --git a/docs/tre-admins/identities/test-account.md b/docs/tre-admins/identities/test-account.md index 0f0c3cf0dc..42ee5d03b8 100644 --- a/docs/tre-admins/identities/test-account.md +++ b/docs/tre-admins/identities/test-account.md @@ -48,10 +48,10 @@ Example on how to run the script: ### Create this application from the portal (optional) -To create an application registration for automation, open the Microsoft Entra Workforce ID tenant for your TRE in the portal and navigate to "App Registrations". +To create an application registration for automation, open the Microsoft Entra ID tenant for your TRE in the portal and navigate to "App Registrations". Click "New registration" as shown in the image below. -![Screenshot of Azure portal showing "New registration" in Microsoft Entra Workforce ID](../../assets/tre-automation-new-app-registration.png) +![Screenshot of Azure portal showing "New registration" in Microsoft Entra ID](../../assets/tre-automation-new-app-registration.png) Enter a name for the application registration and click "Register". diff --git a/docs/tre-admins/setup-instructions/ad-tenant-choices.md b/docs/tre-admins/setup-instructions/ad-tenant-choices.md index b16e006c3b..38342060ef 100644 --- a/docs/tre-admins/setup-instructions/ad-tenant-choices.md +++ b/docs/tre-admins/setup-instructions/ad-tenant-choices.md @@ -1,4 +1,4 @@ -# Microsoft Entra Workforce ID Tenant Choices +# Microsoft Entra ID Tenant Choices ## Dedicated Tenant for TRE 
@@ -14,7 +14,7 @@ It is possible to use your corporate tenant for TRE. This does have the advantag [![TRE Tenant](../../assets/corp-tenant.png)](../../assets/corp-tenant.png) -## Create Dedicated Microsoft Entra Workforce ID Tenant +## Create Dedicated Microsoft Entra ID Tenant Follow [this guide](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to create new dedicated tenant. diff --git a/docs/tre-admins/setup-instructions/installing-base-workspace.md b/docs/tre-admins/setup-instructions/installing-base-workspace.md index a0f101ba2e..ebec8961b6 100644 --- a/docs/tre-admins/setup-instructions/installing-base-workspace.md +++ b/docs/tre-admins/setup-instructions/installing-base-workspace.md @@ -29,7 +29,7 @@ As explained in the [auth guide](../auth.md), every workspace has a correspondin ``` !!! caution - If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Microsoft Entra Workforce ID tenant** in [Setup Auth configuration](setup-auth-entities.md) for more details. + If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Microsoft Entra ID tenant** in [Setup Auth configuration](setup-auth-entities.md) for more details. Running the script will report `workspace_api_client_id` and `workspace_api_client_secret` for the generated app. Add these under the authenrication section in `/config.yaml` so that automated testing will work. You also need to use `workspace_api_client_id` in the POST body below. 
diff --git a/docs/tre-admins/setup-instructions/prerequisites.md b/docs/tre-admins/setup-instructions/prerequisites.md index 6471f5c7e0..692ae33a98 100644 --- a/docs/tre-admins/setup-instructions/prerequisites.md +++ b/docs/tre-admins/setup-instructions/prerequisites.md @@ -3,7 +3,7 @@ To deploy an Azure TRE instance, the following assets and tools are required: * [Azure subscription](https://azure.microsoft.com) -* [Microsoft Entra Workforce ID (AAD)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations +* [Microsoft Entra ID (AAD)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations * Git client such as [Git](https://git-scm.com/) or [GitHub Desktop](https://desktop.github.com/) * [Docker Desktop](https://www.docker.com/products/docker-desktop) diff --git a/docs/tre-admins/setup-instructions/setup-auth-entities.md b/docs/tre-admins/setup-instructions/setup-auth-entities.md index 2779128d5e..ad2a6e94fb 100644 --- a/docs/tre-admins/setup-instructions/setup-auth-entities.md +++ b/docs/tre-admins/setup-instructions/setup-auth-entities.md 
@@ -33,7 +33,7 @@ Next, you will set the configuration variables for the specific Azure TRE instan In case you have several subscriptions and would like to change your default subscription use `az account set --subscription ` !!! note - The full functionality of the script requires directory admin privileges. You may need to contact your friendly Microsoft Entra Workforce ID admin to complete this step. The app registrations can be created manually in Azure Portal too. For more information, see [Authentication and authorization](../auth.md). + The full functionality of the script requires directory admin privileges. You may need to contact your friendly Microsoft Entra ID admin to complete this step. The app registrations can be created manually in Azure Portal too. For more information, see [Authentication and authorization](../auth.md). All other variables can have their default values for now. diff --git a/docs/tre-admins/setup-instructions/ui-install-base-workspace.md b/docs/tre-admins/setup-instructions/ui-install-base-workspace.md index 72989bd267..1b612d4292 100644 --- a/docs/tre-admins/setup-instructions/ui-install-base-workspace.md +++ b/docs/tre-admins/setup-instructions/ui-install-base-workspace.md 
@@ -57,7 +57,7 @@ As explained in the [auth guide](../auth.md), every workspace has a correspondin ``` !!! caution - If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Microsoft Entra Workforce ID tenant** in [Setup Auth configuration](./setup-auth-entities.md) for more details. + If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Microsoft Entra ID tenant** in [Setup Auth configuration](./setup-auth-entities.md) for more details. Running the script will report `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` for the generated app. Set these under authentication section in `config.yaml` so that automated testing will work. You also need to use `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` in the form. diff --git a/docs/tre-admins/setup-instructions/workflows.md b/docs/tre-admins/setup-instructions/workflows.md index ca9e371fc9..a432e90463 100644 --- a/docs/tre-admins/setup-instructions/workflows.md +++ b/docs/tre-admins/setup-instructions/workflows.md @@ -74,7 +74,7 @@ Configure the TRE API and Swagger UI repository secrets |
Secret name
| Description | | ----------- | ----------- | -| `AAD_TENANT_ID` | The tenant ID of the Microsoft Entra Workforce ID. | +| `AAD_TENANT_ID` | The tenant ID of the Microsoft Entra ID. | | `SWAGGER_UI_CLIENT_ID` | The application (client) ID of the TRE Swagger UI app. | | `API_CLIENT_ID` | The application (client) ID of the TRE API app. | | `API_CLIENT_SECRET` | The application password (client secret) of the TRE API app. | diff --git a/docs/tre-templates/shared-services/gitea.md b/docs/tre-templates/shared-services/gitea.md index ac1c9dc82b..9e0ddfce71 100644 --- a/docs/tre-templates/shared-services/gitea.md +++ b/docs/tre-templates/shared-services/gitea.md @@ -44,6 +44,6 @@ Gitea needs to be able to access the following resource outside the Azure TRE VN | Service Tag / Destination | Justification | | --- | --- | -| AzureActiveDirectory | Authorize the signed in user against Microsoft Entra Workforce ID. | +| AzureActiveDirectory | Authorize the signed in user against Microsoft Entra ID. | | AzureContainerRegistry | Pull the Gitea container image, as it is located in Azure Container Registry. | | (www.)github.com | Allows Gitea to mirror any repo on GitHub | diff --git a/docs/tre-templates/shared-services/nexus.md b/docs/tre-templates/shared-services/nexus.md index a4cbc795f2..5869ae9693 100644 --- a/docs/tre-templates/shared-services/nexus.md +++ b/docs/tre-templates/shared-services/nexus.md 
@@ -63,7 +63,7 @@ Nexus Shared Service requires access to resources outside of the Azure TRE VNET. | Service Tag / Destination | Justification | | --- | --- | -| AzureActiveDirectory | Authorize the signed in user against Microsoft Entra Workforce ID. | +| AzureActiveDirectory | Authorize the signed in user against Microsoft Entra ID. | | AzureContainerRegistry | Pull the Nexus container image, as it is located in Azure Container Registry. | | pypi.org, *.pypi.org | Enables Nexus to "proxy" python packages to use inside of workspaces. | | repo.anaconda.com | Enables Nexus to "proxy" conda packages to use inside of workspaces. | diff --git a/docs/tre-templates/workspace-services/gitea.md b/docs/tre-templates/workspace-services/gitea.md index 65904692a4..28671b7708 100644 --- a/docs/tre-templates/workspace-services/gitea.md +++ b/docs/tre-templates/workspace-services/gitea.md @@ -7,7 +7,7 @@ See: [https://gitea.io/](https://gitea.io) The Gitea worskpace service opens outbound access to: - AzureActiveDirectory -- Microsoft Entra Workforce ID CDN - `https://aadcdn.msftauth.net` +- Microsoft Entra ID CDN - `https://aadcdn.msftauth.net` ## Prerequisites diff --git a/docs/using-tre/local-development/local-development.md b/docs/using-tre/local-development/local-development.md index 1d3e752bc3..98c3892688 100644 --- a/docs/using-tre/local-development/local-development.md +++ b/docs/using-tre/local-development/local-development.md 
@@ -9,7 +9,7 @@ This guide will cover how to setup local development environment to add custom t To deploy an Azure TRE instance, the following assets and tools are required: * [Azure subscription](https://azure.microsoft.com) -* [Microsoft Entra Workforce ID (AAD)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations +* [Microsoft Entra ID (AAD)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations * Git client such as [Git](https://git-scm.com/) or [GitHub Desktop](https://desktop.github.com/) * [Docker Desktop](https://www.docker.com/products/docker-desktop) diff --git a/templates/workspace_services/azureml/user_resources/aml_compute/template_schema.json b/templates/workspace_services/azureml/user_resources/aml_compute/template_schema.json index 9ff32b7c19..bf4cf3c414 100644 --- a/templates/workspace_services/azureml/user_resources/aml_compute/template_schema.json +++ b/templates/workspace_services/azureml/user_resources/aml_compute/template_schema.json @@ -41,8 +41,8 @@ }, "user_object_id": { "type": "string", - "title": "Microsoft Entra Workforce ID User Object ID", - "description": "The Microsoft Entra Workforce ID user object ID of User who will be using the compute instance", + "title": "Microsoft Entra ID User Object ID", + "description": "The Microsoft Entra ID user object ID of User who will be using the compute instance", "default": "", "minLength": 1 } diff --git a/templates/workspace_services/guacamole/terraform/variables.tf b/templates/workspace_services/guacamole/terraform/variables.tf index 0fd95b6e2c..71d22c2881 100644 --- a/templates/workspace_services/guacamole/terraform/variables.tf +++ b/templates/workspace_services/guacamole/terraform/variables.tf 
@@ -4,7 +4,7 @@ variable "workspace_id" { } variable "aad_authority_url" { type = string - description = "The Microsoft Entra Workforce ID authority URL" + description = "The Microsoft Entra ID authority URL" } variable "tre_id" { type = string diff --git a/ui/README.md b/ui/README.md index b1db0f731b..b605e4bc71 100644 --- a/ui/README.md +++ b/ui/README.md @@ -7,7 +7,7 @@ The UI was built using Create React App and Microsoft Fluent UI. Further details ## Run the UI - Ensure `deploy_ui=false` is not set in your `./config.yaml` file - In the root of the repo, run `make tre-deploy`. This will provision the necessary resources in Azure, build and deploy the UI to Azure blob storage, behind the App Gateway used for the API. The deployment process will also create the necessary `config.json`, using the `config.source.json` as a template. -- In Microsoft Entra Workforce ID, locate the TRE Client Apps app (possibly called Swagger App). In the Authentication section add reply URIs for: +- In Microsoft Entra ID, locate the TRE Client Apps app (possibly called Swagger App). In the Authentication section add reply URIs for: - `http://localhost:3000` (if wanting to run locally) - Your deployed App Url - `https://{TRE_ID}.{LOCATION}.cloudapp.azure.com`. From 805cafaf1c72774f0bb19a2858f5fc71234fbcc3 Mon Sep 17 00:00:00 2001 
From: Wojciech Date: Tue, 19 Mar 2024 14:45:04 +0000 Subject: [PATCH 10/27] AAD -> Microsoft Entra ID --- .devcontainer/devcontainer.json | 2 +- .../devcontainer_run_command/action.yml | 4 ++-- .github/scripts/build.js | 4 ++-- .github/scripts/build.test.js | 2 +- Makefile | 4 ++-- api_app/.env.sample | 2 +- api_app/models/schemas/workspace.py | 4 ++-- api_app/resources/strings.py | 2 +- api_app/services/aad_authentication.py | 10 +++++----- api_app/services/authentication.py | 6 +++--- .../test_service_bus/test_substitutions.py | 2 +- cli/tre/commands/login.py | 4 ++-- config.sample.yaml | 4 ++-- config_schema.json | 6 +++--- core/terraform/variables.tf | 4 ++-- devops/scripts/aad/create_api_application.sh | 2 +- .../aad/create_application_administrator.sh | 2 +- devops/scripts/aad/update_resource_access.sh | 2 +- devops/scripts/create_aad_assets.sh | 2 +- docs/azure-tre-overview/airlock.md | 2 +- docs/tre-admins/auth.md | 20 +++++++++---------- docs/tre-admins/environment-variables.md | 6 +++--- docs/tre-admins/identities/api.md | 4 ++-- .../identities/application_admin.md | 10 +++++----- docs/tre-admins/identities/auth-manual.md | 2 +- docs/tre-admins/identities/client.md | 6 +++--- docs/tre-admins/identities/test-account.md | 2 +- docs/tre-admins/identities/workspace.md | 8 ++++---- .../setup-instructions/ad-tenant-choices.md | 2 +- .../cicd-pre-deployment-steps.md | 4 ++-- .../installing-base-workspace.md | 2 +- .../setup-instructions/prerequisites.md | 2 +- .../setup-instructions/setup-auth-entities.md | 4 ++-- .../ui-install-base-workspace.md | 2 +- docs/tre-developers/api.md | 2 +- docs/tre-developers/ui.md | 6 +++--- .../local-development/local-development.md | 2 +- e2e_tests/.env.sample | 2 +- e2e_tests/conftest.py | 2 +- e2e_tests/helpers.py | 2 +- e2e_tests/test_workspace_services.py | 2 +- .../workspace_services/azureml/porter.yaml | 2 +- .../azureml/terraform/variables.tf | 6 +++--- .../databricks/template_schema.json | 12 +++++------ 
.../gitea/template_schema.json | 18 ++++++++--------- .../guacamole/template_schema.json | 8 ++++---- .../health-services/porter.yaml | 2 +- .../health-services/template_schema.json | 12 +++++------ .../health-services/terraform/variables.tf | 6 +++--- .../ohdsi/template_schema.json | 18 ++++++++--------- .../airlock-import-review/.env.sample | 4 ++-- .../airlock-import-review/porter.yaml | 8 ++++---- .../template_schema.json | 12 +++++------ templates/workspaces/base/.env.sample | 4 ++-- templates/workspaces/base/porter.yaml | 8 ++++---- .../workspaces/base/template_schema.json | 12 +++++------ .../workspaces/base/terraform/keyvault.tf | 4 ++-- .../workspaces/base/terraform/outputs.tf | 2 +- .../workspaces/base/terraform/variables.tf | 12 +++++------ .../workspaces/base/update_redirect_urls.sh | 2 +- templates/workspaces/unrestricted/.env.sample | 4 ++-- templates/workspaces/unrestricted/porter.yaml | 8 ++++---- .../unrestricted/template_schema.json | 12 +++++------ 63 files changed, 169 insertions(+), 169 deletions(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 9d49130458..09ba1a76c4 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -109,7 +109,7 @@ ] }, { - "name": "E2E Extended AAD", + "name": "E2E Extended Microsoft Entra ID", "type": "python", "request": "launch", "module": "pytest", diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml index f403c60083..37c7618057 100644 --- a/.github/actions/devcontainer_run_command/action.yml +++ b/.github/actions/devcontainer_run_command/action.yml 
@@ -65,10 +65,10 @@ inputs: description: "The API Client Secret." required: false APPLICATION_ADMIN_CLIENT_ID: - description: "The Client ID of an identity that can manage the AAD Applications." + description: "The Client ID of an identity that can manage the Microsoft Entra ID Applications." required: false APPLICATION_ADMIN_CLIENT_SECRET: - description: "The Client secret of an identity that can manage the AAD Applications." + description: "The Client secret of an identity that can manage the Microsoft Entra ID Applications." required: false ACR_NAME: description: "The Container Registry that holds our Research images." diff --git a/.github/scripts/build.js b/.github/scripts/build.js index e6d17b8f84..07c1106389 100644 --- a/.github/scripts/build.js +++ b/.github/scripts/build.js @@ -97,7 +97,7 @@ async function getCommandFromComment({ core, context, github }) { case "/test-extended-aad": { - const runTests = await handleTestCommand({ core, github }, parts, "extended AAD tests", runId, { number: prNumber, authorUsername: prAuthorUsername, repoOwner, repoName, headSha: prHeadSha, refId: prRefId, details: pr }, { username: commentUsername, link: commentLink }); + const runTests = await handleTestCommand({ core, github }, parts, "extended Microsoft Entra ID tests", runId, { number: prNumber, authorUsername: prAuthorUsername, repoOwner, repoName, headSha: prHeadSha, refId: prRefId, details: pr }, { username: commentUsername, link: commentLink }); if (runTests) { command = "run-tests-extended-aad"; } 
@@ -247,7 +247,7 @@ async function showHelp({ github }, repoOwner, repoName, prNumber, commentUser, You can use the following commands:     /test - build, deploy and run smoke tests on a PR     /test-extended - build, deploy and run smoke & extended tests on a PR -    /test-extended-aad - build, deploy and run smoke & extended AAD tests on a PR +    /test-extended-aad - build, deploy and run smoke & extended Microsoft Entra ID tests on a PR     /test-shared-services - test the deployment of shared services on a PR build     /test-force-approve - force approval of the PR tests (i.e. skip the deployment checks)     /test-destroy-env - delete the validation environment for a PR (e.g. to enable testing a deployment from a clean start after previous tests) diff --git a/.github/scripts/build.test.js b/.github/scripts/build.test.js index 73a5b0d632..bd0b07bf15 100644 --- a/.github/scripts/build.test.js +++ b/.github/scripts/build.test.js @@ -407,7 +407,7 @@ describe('getCommandFromComment', () => { owner: 'someOwner', repo: 'someRepo', issue_number: PR_NUMBER.UPSTREAM_NON_DOCS_CHANGES, - bodyMatcher: /Running extended AAD tests: https:\/\/github.com\/someOwner\/someRepo\/actions\/runs\/11112222 \(with refid `cbce50da`\)/, + bodyMatcher: /Running extended Microsoft Entra ID tests: https:\/\/github.com\/someOwner\/someRepo\/actions\/runs\/11112222 \(with refid `cbce50da`\)/, }); }); }); diff --git a/Makefile b/Makefile index cb8afa7aaf..8b5ee8e137 100644 --- a/Makefile +++ b/Makefile 
@@ -334,8 +334,8 @@ test-e2e-extended: ## 🧪 Run E2E extended tests
 	$(call target_title, "Running E2E extended tests") && \
 	$(MAKE) test-e2e-custom SELECTOR=extended
 
-test-e2e-extended-aad: ## 🧪 Run E2E extended AAD tests
-	$(call target_title, "Running E2E extended AAD tests") && \
+test-e2e-extended-aad: ## 🧪 Run E2E extended Microsoft Entra ID tests
+	$(call target_title, "Running E2E extended Microsoft Entra ID tests") && \
 	$(MAKE) test-e2e-custom SELECTOR=extended_aad
 
 test-e2e-shared-services: ## 🧪 Run E2E shared service tests
diff --git a/api_app/.env.sample b/api_app/.env.sample
index ff6a60e8c4..0cf370e342 100644
--- a/api_app/.env.sample
+++ b/api_app/.env.sample
@@ -4,7 +4,7 @@
 # LOGGING_LEVEL can be set to DEBUG, INFO, WARNING, ERROR or CRITICAL
 LOGGING_LEVEL="INFO"
 
-# OAUTH information - client ids etc. for the AAD Apps
+# OAUTH information - client ids etc. for the Microsoft Entra ID Apps
 # ----------------------------------------------------
 # The AppId for the API service principal (TRE API)
 API_CLIENT_ID=__CHANGE_ME__
diff --git a/api_app/models/schemas/workspace.py b/api_app/models/schemas/workspace.py
index 424c82b46a..bb165a7fd7 100644
--- a/api_app/models/schemas/workspace.py
+++ b/api_app/models/schemas/workspace.py
@@ -27,11 +27,11 @@ class AuthProvider(str, Enum):
     """
     Auth Provider
     """
-    AAD = "AAD"
+    Microsoft Entra ID = "Microsoft Entra ID"
 
 
 class AuthenticationConfiguration(BaseModel):
-    provider: AuthProvider = Field(AuthProvider.AAD, title="Authentication Provider")
+    provider: AuthProvider = Field(AuthProvider.Microsoft Entra ID, title="Authentication Provider")
     data: dict = Field({}, title="Authentication information")
 
 
diff --git a/api_app/resources/strings.py b/api_app/resources/strings.py
index 9c2d7ff4b4..4f8bebf427 100644
--- a/api_app/resources/strings.py
+++ b/api_app/resources/strings.py
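Review bot: The new enum member in api_app/models/schemas/workspace.py, `Microsoft Entra ID = "Microsoft Entra ID"`, is not a valid Python identifier (it contains spaces), and `Field(AuthProvider.Microsoft Entra ID, title="Authentication Provider")` on the next changed line is a syntax error as well, so the module will no longer import; the same mechanical replacement hits api_app/services/authentication.py in the hunk further down (`get_access_service('Microsoft Entra ID')` and both `AuthProvider.Microsoft Entra ID` references). A product rename should only touch human-readable text here: keep `AAD = "AAD"`, `AuthProvider.AAD` and `get_access_service('AAD')` as they were. Beyond the syntax problem, the string value `"AAD"` is presumably what stored authentication configuration and API callers carry, so changing it would silently break existing workspaces and any client still sending `"AAD"`; if a renamed member is wanted, `ENTRA_ID = "AAD"` with `AAD` kept as an alias preserves compatibility, but the enum value itself should not change in a rename commit.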
@@ -99,7 +99,7 @@
 
 # Error strings
 ACCESS_APP_IS_MISSING_ROLE = "The App is missing role"
-ACCESS_PLEASE_SUPPLY_CLIENT_ID = "Please supply the client_id for the AAD application"
+ACCESS_PLEASE_SUPPLY_CLIENT_ID = "Please supply the client_id for the Microsoft Entra ID application"
 ACCESS_UNABLE_TO_GET_INFO_FOR_APP = "Unable to get app info for app:"
 ACCESS_UNABLE_TO_GET_ROLE_ASSIGNMENTS_FOR_USER = "Unable to get role assignments for user"
 ACCESS_UNABLE_TO_GET_ACCOUNT_TYPE = "Unable to look up account type"
diff --git a/api_app/services/aad_authentication.py b/api_app/services/aad_authentication.py
index 81dd486a8f..7ddedb4080 100644
--- a/api_app/services/aad_authentication.py
+++ b/api_app/services/aad_authentication.py
@@ -168,7 +168,7 @@ def _ensure_b64padding(key: str) -> str:
 
     def _get_token_key(self, key_id: str) -> str:
         """
-        Rather tha use PyJWKClient.get_signing_key_from_jwt every time, we'll get all the keys from AAD and cache them.
+        Rather tha use PyJWKClient.get_signing_key_from_jwt every time, we'll get all the keys from Microsoft Entra ID and cache them.
         """
         if key_id not in AzureADAuthorization._jwt_keys:
             response = requests.get(f"{self.aad_instance}/{config.AAD_TENANT_ID}/v2.0/.well-known/openid-configuration")
@@ -203,7 +203,7 @@ def _get_msgraph_token() -> str:
         except Exception:
             result = None
         if not result:
-            logger.debug('No suitable token exists in cache, getting a new one from AAD')
+            logger.debug('No suitable token exists in cache, getting a new one from Microsoft Entra ID')
             result = app.acquire_token_for_client(scopes=scopes)
         if "access_token" not in result:
             raise Exception(f"API app registration access token cannot be retrieved. {result.get('error')}: {result.get('error_description')}")
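Review bot: The rewritten docstring line in `_get_token_key` carries over the pre-existing typo `Rather tha use`; since the line is being rewritten anyway, `Rather than use PyJWKClient.get_signing_key_from_jwt every time, we'll get all the keys from Microsoft Entra ID and cache them.` would fix it at no extra cost. Both `_get_token_key` and `_get_msgraph_token` continue past their hunks.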
@@ -321,8 +321,8 @@ def _get_batch_users_by_role_assignments_body(self, roles_graph_data):
 
         return request_body
 
-    # This method is called when you create a workspace and you already have an AAD App Registration
-    # to link it to. You pass in the client_id and go and get the extra information you need from AAD
+    # This method is called when you create a workspace and you already have an Microsoft Entra ID App Registration
+    # to link it to. You pass in the client_id and go and get the extra information you need from Microsoft Entra ID
     # If the auth_type is `Automatic`, then these values will be written by Terraform.
     def _get_app_auth_info(self, client_id: str) -> dict:
         graph_data = self._get_app_sp_graph_data(client_id)
@@ -396,7 +396,7 @@ def extract_workspace_auth_information(self, data: dict) -> dict:
             raise AuthConfigValidationError(strings.ACCESS_PLEASE_SUPPLY_CLIENT_ID)
 
         auth_info = {}
-        # The user may want us to create the AAD workspace app and therefore they
+        # The user may want us to create the Microsoft Entra ID workspace app and therefore they
         # don't know the client_id yet.
         if data["auth_type"] != "Automatic":
             auth_info = self._get_app_auth_info(data["client_id"])
diff --git a/api_app/services/authentication.py b/api_app/services/authentication.py
index 30b49af194..38006cf81b 100644
--- a/api_app/services/authentication.py
+++ b/api_app/services/authentication.py
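Review bot: The mechanical `AAD` → `Microsoft Entra ID` substitution leaves the article wrong in the first rewritten comment above `_get_app_auth_info`: `you already have an Microsoft Entra ID App Registration` should read `you already have a Microsoft Entra ID App Registration`. The same artefact appears in the config.sample.yaml hunk below (`create an Microsoft Entra ID Application automatically`); both are worth fixing while the lines are being touched. `_get_app_auth_info` and `extract_workspace_auth_information` continue past their hunks.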
@@ -8,15 +8,15 @@
 
 
 def extract_auth_information(workspace_creation_properties: dict) -> dict:
-    access_service = get_access_service('AAD')
+    access_service = get_access_service('Microsoft Entra ID')
     try:
         return access_service.extract_workspace_auth_information(workspace_creation_properties)
     except AuthConfigValidationError as e:
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(e))
 
 
-def get_access_service(provider: str = AuthProvider.AAD) -> AccessService:
-    if provider == AuthProvider.AAD:
+def get_access_service(provider: str = AuthProvider.Microsoft Entra ID) -> AccessService:
+    if provider == AuthProvider.Microsoft Entra ID:
         return AzureADAuthorization()
     raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=strings.INVALID_AUTH_PROVIDER)
 
diff --git a/api_app/tests_ma/test_service_bus/test_substitutions.py b/api_app/tests_ma/test_service_bus/test_substitutions.py
index f8f81ca318..0449cb4c5e 100644
--- a/api_app/tests_ma/test_service_bus/test_substitutions.py
+++ b/api_app/tests_ma/test_service_bus/test_substitutions.py
@@ -242,7 +242,7 @@ def test_substitution_list_strings(primary_resource, resource_to_update):
             "rules": [
                 {
                     "name": "AllowAzureAD",
-                    "description": "AAD access for authNZ",
+                    "description": "Microsoft Entra ID access for authNZ",
                     "source_addresses": "",
                     "destination_addresses": ["AzureActiveDirectory"],
                     "destination_ports": ["*", "{{resource.id}}"],
diff --git a/cli/tre/commands/login.py b/cli/tre/commands/login.py
index 45d76121d4..10337be056 100644
--- a/cli/tre/commands/login.py
+++ b/cli/tre/commands/login.py
@@ -46,7 +46,7 @@ def login():
 help='The Client ID of the Microsoft Entra ID application for the API (optional for API versions >= v0.5.7)')
 @click.option('--aad-tenant-id',
 required=False,
- help='The Tenant ID for the AAD tenant to authenticate with (optional for API versions >= v0.5.7)')
+ help='The Tenant ID for the Microsoft Entra ID tenant to authenticate with (optional for API versions >= v0.5.7)')
 @click.option('--api-scope',
 required=False,
 help='The API scope for the base API (optional for API versions >= v0.5.7)')
@@ -173,7 +173,7 @@ def login_device_code(base_url: str, client_id: str, aad_tenant_id: str, api_sco
 @click.option(
 "--aad-tenant-id",
 required=False,
- help="The Tenant ID for the AAD tenant to authenticate with (optional for API versions >= v0.5.7)",
+ help="The Tenant ID for the Microsoft Entra ID tenant to authenticate with (optional for API versions >= v0.5.7)",
 )
 @click.option("--api-scope", required=False, help="The API scope for the base API (optional for API versions >= v0.5.7)")
 @click.option(
diff --git a/config.sample.yaml b/config.sample.yaml
index e4c2f2d789..db7d8df3a5 100644
--- a/config.sample.yaml
+++ b/config.sample.yaml
@@ -48,8 +48,8 @@ authentication:
 # create an identity with `Application.ReadWrite.OwnedBy`.
 # Setting AUTO_WORKSPACE_APP_REGISTRATION to true will:
 # create an identity with `Application.ReadWrite.All` and `Directory.Read.All`.
- # When this is true, create Workspaces will also create an AAD Application automatically.
- # When this is false, the AAD Application will need creating manually.
+ # When this is true, create Workspaces will also create an Microsoft Entra ID Application automatically.
+ # When this is false, the Microsoft Entra ID Application will need creating manually.
 auto_workspace_app_registration: true
 # Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with `Group.ReadWrite.All`
 auto_workspace_group_creation: false
diff --git a/config_schema.json b/config_schema.json
index 0d2a781578..246af780bf 100644
--- a/config_schema.json
+++ b/config_schema.json
@@ -98,7 +98,7 @@
 "pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$"
 },
 "auto_workspace_app_registration": {
- "description": "This identity is used to manage other AAD applications that it owns. Read more about it here: docs/tre-admins/auth.md",
+ "description": "This identity is used to manage other Microsoft Entra ID applications that it owns. Read more about it here: docs/tre-admins/auth.md",
 "type": "boolean"
 },
 "auto_workspace_group_creation": {
@@ -121,12 +121,12 @@
 "pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$"
 },
 "application_admin_client_id": {
- "description": "This client will administer AAD Applications for TRE.",
+ "description": "This client will administer Microsoft Entra ID Applications for TRE.",
 "type": "string",
 "pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$"
 },
 "application_admin_client_secret": {
- "description": "Secret to client which will administer AAD Applications for TRE",
+ "description": "Secret to client which will administer Microsoft Entra ID Applications for TRE",
 "type": "string",
 "minLength": 11
 },
diff --git a/core/terraform/variables.tf b/core/terraform/variables.tf
index 900a48e18d..538764aab6 100644
--- a/core/terraform/variables.tf
+++ b/core/terraform/variables.tf
@@ -102,13 +102,13 @@ variable "api_client_secret" {
 variable "application_admin_client_id" {
 type = string
- description = "The client id (app id) of the registration in Microsoft Entra ID for creating AAD Applications."
+ description = "The client id (app id) of the registration in Microsoft Entra ID for creating Microsoft Entra ID Applications."
 sensitive = true
 }
 variable "application_admin_client_secret" {
 type = string
- description = "A client secret used by the Resource Processor to authenticate with Microsoft Entra ID to create AAD Applications."
+ description = "A client secret used by the Resource Processor to authenticate with Microsoft Entra ID to create Microsoft Entra ID Applications."
 sensitive = true
 }
diff --git a/devops/scripts/aad/create_api_application.sh b/devops/scripts/aad/create_api_application.sh
index 8b9e38081e..694dc6f439 100755
--- a/devops/scripts/aad/create_api_application.sh
+++ b/devops/scripts/aad/create_api_application.sh
@@ -10,7 +10,7 @@ function show_usage()
 cat << USAGE
 Utility script for creating app registrations required by Azure TRE. This script will create the API and Client
-Applications. The Client Application is the public facing app, whereas the API is an internal AAD Application.
+Applications. The Client Application is the public facing app, whereas the API is an internal Microsoft Entra ID Application.
 You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra ID to run this script.
 Usage: $0 -n [-r ] [-a] [-s] [--automation-account]
diff --git a/devops/scripts/aad/create_application_administrator.sh b/devops/scripts/aad/create_application_administrator.sh
index af1a4ed3f1..bf5eefc096 100755
--- a/devops/scripts/aad/create_application_administrator.sh
+++ b/devops/scripts/aad/create_application_administrator.sh
@@ -9,7 +9,7 @@ function show_usage()
 cat << USAGE
 Utility script for creating an application administrator for TRE. This is mandatory and is used
-to manage AAD Application creation within TRE. This script is called when you run "make auth" and
+to manage Microsoft Entra ID Application creation within TRE. This script is called when you run "make auth" and
 the environment variable AUTO_WORKSPACE_APP_REGISTRATION determines the permission this identity has.
 You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra ID to run this script.
diff --git a/devops/scripts/aad/update_resource_access.sh b/devops/scripts/aad/update_resource_access.sh
index e0db1a3685..4aaedbae27 100755
--- a/devops/scripts/aad/update_resource_access.sh
+++ b/devops/scripts/aad/update_resource_access.sh
@@ -4,7 +4,7 @@
 # Utility function that retrieves all of the 'requiredResourceAccess' from an application,
 # it then removes any access for a given `resourceAppId`, merges in a new element into the
-# array and then posts it back to AAD.
+# array and then posts it back to Microsoft Entra ID.
 function update_resource_access() {
 local msGraphUri=$1
diff --git a/devops/scripts/create_aad_assets.sh b/devops/scripts/create_aad_assets.sh
index 51c4d3f093..9e1b4e8930 100755
--- a/devops/scripts/create_aad_assets.sh
+++ b/devops/scripts/create_aad_assets.sh
@@ -14,7 +14,7 @@ LOGGED_IN_TENANT_ID=$(az account show --query tenantId -o tsv)
 if [ "${LOGGED_IN_TENANT_ID}" != "${AAD_TENANT_ID}" ]; then
 echo "Attempting to sign you onto ${AAD_TENANT_ID} to setup Microsoft Entra ID assets."
- # First we need to login to the AAD tenant (as it is different to the subscription tenant)
+ # First we need to login to the Microsoft Entra ID tenant (as it is different to the subscription tenant)
 az login --tenant "${AAD_TENANT_ID}" --allow-no-subscriptions --use-device-code
 CHANGED_TENANT=1
 fi
diff --git a/docs/azure-tre-overview/airlock.md b/docs/azure-tre-overview/airlock.md index 791b024e71..91b50ee77c 100644 --- a/docs/azure-tre-overview/airlock.md +++ b/docs/azure-tre-overview/airlock.md @@ -117,7 +117,7 @@ Whenever the airlock process changes to a state of **Draft**, **Submitted**, **A When the state changes to `In-progress` the Workspace Owner (Airlock Manager) gets notified. > * The Notification mechanism is also data-driven, allowing an organization to extend the notifications behavior. The mechanism is exemplified with a Logic App determining the notifications logic. -> * Notifications will work with All TRE users being AAD users (guests or not), with email defined – if not, notifications will not be sent. +> * Notifications will work with All TRE users being Microsoft Entra ID users (guests or not), with email defined – if not, notifications will not be sent. ## Architecture diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md index 8a0ba7a056..739854dc46 100644 --- a/docs/tre-admins/auth.md +++ b/docs/tre-admins/auth.md 
@@ -1,20 +1,20 @@ # Introduction to Authentication and Authorization -[Microsoft Entra ID (AAD)](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. AAD holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role. +[Microsoft Entra ID (Microsoft Entra ID)](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. Microsoft Entra ID holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role. It is common that the Azure Administrator is not necessarily the Microsoft Entra ID Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually. This page describes the automated Auth setup for TRE. ## Pre-requisites -The automation utilises a `make` command, which reads a few environment variables and creates the AAD assets. The following values are needed to be in place before you run the creation process. (`/config.yaml`) +The automation utilises a `make` command, which reads a few environment variables and creates the Microsoft Entra ID assets. The following values are needed to be in place before you run the creation process. (`/config.yaml`) | Key | Description | | ----------- | ----------- | |TRE_ID|This is used to build up the name of the identities| -|AAD_TENANT_ID|The tenant id of where your AAD identities will be placed. 
This can be different to the tenant where your Azure resources are created.| +|AAD_TENANT_ID|The tenant id of where your Microsoft Entra ID identities will be placed. This can be different to the tenant where your Azure resources are created.| | LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application. -|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other AAD applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md). +|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md). |AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). ## Create Authentication assets 
@@ -28,8 +28,8 @@ The contents of your authentication section in `config.yaml` file should contain | Variable | Description | | -------- | ----------- | - | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer AAD Applications for TRE | - | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer AAD Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer Microsoft Entra ID Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer Microsoft Entra ID Applications for TRE | | `TEST_ACCOUNT_CLIENT_ID`| This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `TEST_ACCOUNT_CLIENT_SECRET` | This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `API_CLIENT_ID` | API application (client) ID. | 
@@ -56,17 +56,17 @@ The contents of your authentication section in `config.yaml` file should contain App registrations (represented by service principals) define the various access permissions to the TRE system. There are a total of five main Applications of interest. -| AAD Application | Description | +| Microsoft Entra ID Application | Description | | ----------- | ----------- | | TRE API application | This is the main application and used to secure access to the [TRE API](../tre-developers/api.md). | | TRE UX | This is the client application that will authenticate to the TRE/Workspace APIs. | -| Application Admin | There are times when workspace services need to update the AAD Application. For example, Guacamole needs to add a redirect URI to the Workspace AAD Application. This identity is used to manage AAD Applications. +| Application Admin | There are times when workspace services need to update the Microsoft Entra ID Application. For example, Guacamole needs to add a redirect URI to the Workspace Microsoft Entra ID Application. This identity is used to manage Microsoft Entra ID Applications. | Automation App | This application is created so that you can run the tests or any CI/CD capability without the need to divulge a user password. This is particularly important if your tenant is MFA enabled. | | Workspace API | Typically you would have an application securing one or more workspaces that are created by TRE. | -Some of the applications require **admin consent** to allow them to validate users against the AAD. Check the Microsoft Docs on [Configure the admin consent workflow](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) on how to request admin consent and handle admin consent requests. +Some of the applications require **admin consent** to allow them to validate users against the Microsoft Entra ID. 
Check the Microsoft Docs on [Configure the admin consent workflow](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) on how to request admin consent and handle admin consent requests. -We strongly recommend that you use `make auth` to create the AAD assets as this has been tested extensively. Should you wish to create these manually via the [Azure Portal](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app); more information can be found [here](./identities/auth-manual.md). +We strongly recommend that you use `make auth` to create the Microsoft Entra ID assets as this has been tested extensively. Should you wish to create these manually via the [Azure Portal](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app); more information can be found [here](./identities/auth-manual.md). ### Enabling users diff --git a/docs/tre-admins/environment-variables.md b/docs/tre-admins/environment-variables.md index 0b56fd92b2..815251cd84 100644 --- a/docs/tre-admins/environment-variables.md +++ b/docs/tre-admins/environment-variables.md 
@@ -15,7 +15,7 @@ | `ARM_SUBSCRIPTION_ID` | *Optional for manual deployment. If not specified the `az cli` selected subscription will be used.* The Azure subscription ID for all resources. | | `ARM_CLIENT_ID` | *Optional for manual deployment without logged-in credentials.* The client whose azure identity will be used to deploy the solution. | | `ARM_CLIENT_SECRET` | *Optional for manual deployment without logged-in credentials.* The password of the client defined in `ARM_CLIENT_ID`. | -| `ARM_TENANT_ID` | *Optional for manual deployment. If not specified the `az cli` selected subscription will be used.* The AAD tenant of the client defined in `ARM_CLIENT_ID`. | +| `ARM_TENANT_ID` | *Optional for manual deployment. If not specified the `az cli` selected subscription will be used.* The Microsoft Entra ID tenant of the client defined in `ARM_CLIENT_ID`. | ## For Azure TRE instance in `/config.yaml` @@ -43,8 +43,8 @@ | Variable | Description | | -------- | ----------- | - | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer AAD Applications for TRE | - | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer AAD Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer Microsoft Entra ID Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer Microsoft Entra ID Applications for TRE | | `TEST_ACCOUNT_CLIENT_ID`| This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `TEST_ACCOUNT_CLIENT_SECRET` | This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `API_CLIENT_ID` | API application (client) ID. | diff --git a/docs/tre-admins/identities/api.md b/docs/tre-admins/identities/api.md index 829fd22bbf..7dbff00b5c 100644 --- a/docs/tre-admins/identities/api.md 
+++ b/docs/tre-admins/identities/api.md @@ -1,7 +1,7 @@ # The API Identity ## Name -The API Identity is typically called ` API` within the AAD Portal. +The API Identity is typically called ` API` within the Microsoft Entra ID Portal. ## Purpose This identity's credentials are stored in the `core` Key Vault and mandatory for the running of the Trusted Research Environment (TRE). It is required for the API Application, hosted in Azure App Service, to authenticate to Microsoft Entra ID and authorize the various operations. @@ -49,7 +49,7 @@ Below is a sample where `TRE_ID` has value `mytre`: | -------- | ----------- | | `--name` | The prefix of the name of the app registrations. `TRE` will give you `TRE API`. | | `--tre-url` | Used to construct auth redirection URLs for the UI and Swagger app. Use the values of the [environment variables](../environment-variables.md) `TRE_ID` and `LOCATION` in the URL. Reply URL for the localhost, `http://localhost:8000/api/docs/oauth2-redirect`, will be added by default. | -| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires AAD admin privileges. | +| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires Microsoft Entra ID admin privileges. | | `--automation-clientid` | This is an optional parameter but will grant TREAdmin permission to the Service Principal of the Automation Admin.| | `--reset-password` | Optional, default is 0. When run in a headless fashion, 1 is passed in to always reset the password. | diff --git a/docs/tre-admins/identities/application_admin.md b/docs/tre-admins/identities/application_admin.md index 5342e844df..f685b67b60 100644 --- a/docs/tre-admins/identities/application_admin.md +++ b/docs/tre-admins/identities/application_admin.md 
@@ -1,7 +1,7 @@ # The Application Administrator Identity ## Purpose -This identity's credentials are stored in the core key vault and are used when you wish to update AAD Applications. For instance, when you add Guacamole as a Workspace Service, you would need to add the URI of the Guacamole Service as a Redirect URI to the Workspace App to complete the login flow. +This identity's credentials are stored in the core key vault and are used when you wish to update Microsoft Entra ID Applications. For instance, when you add Guacamole as a Workspace Service, you would need to add the URI of the Guacamole Service as a Redirect URI to the Workspace App to complete the login flow. ## Application Roles This application does not have any roles defined. 
@@ -9,9 +9,9 @@ This application does not have any roles defined. ## Microsoft Graph Permissions | Name | Type* | Admin consent required | TRE usage | | --- | -- | -----| --------- | -| Application.ReadWrite.OwnedBy | Application | Yes | This user has `Application.ReadWrite.OwnedBy` as a minimum permission for it to function. If the tenant is managed by a customer administrator, then this user must be added to the **Owners** of every workspace that is created. This will allow TRE to manage the AAD Application. This will be a manual process for the Tenant Admin. | -| Application.ReadWrite.All | Application | Yes | This permission is required to create workspace applications and administer any applications in the tenant. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant. | -| Directory.Read.All | Application | Yes | This permission is required to read User details from Microsoft Entra ID. This is needed if the AAD Administrator has delegated AAD administrative operations to the TRE. | +| Application.ReadWrite.OwnedBy | Application | Yes | This user has `Application.ReadWrite.OwnedBy` as a minimum permission for it to function. If the tenant is managed by a customer administrator, then this user must be added to the **Owners** of every workspace that is created. This will allow TRE to manage the Microsoft Entra ID Application. This will be a manual process for the Tenant Admin. | +| Application.ReadWrite.All | Application | Yes | This permission is required to create workspace applications and administer any applications in the tenant. This is needed if the Microsoft Entra ID Administrator has delegated Microsoft Entra ID administrative operations to the TRE. There will be no need for the Tenant Admin to manually create workspace applications in the Tenant. 
| +| Directory.Read.All | Application | Yes | This permission is required to read User details from Microsoft Entra ID. This is needed if the Microsoft Entra ID Administrator has delegated Microsoft Entra ID administrative operations to the TRE. | | Group.ReadWrite.All | Application | Yes | This permission is required to create and update Microsoft Entra ID groups. This is requried if Microsoft Entra ID groups are to be created automatically by the TRE. | '*' See the difference between [delegated and application permission](https://docs.microsoft.com/graph/auth/auth-concepts#delegated-and-application-permissions) types. See [Microsoft Graph permissions reference](https://docs.microsoft.com/graph/permissions-reference) for more details. @@ -28,7 +28,7 @@ This user is currently only used from the Porter bundles hosted on the Resource | Argument | Description | | -------- | ----------- | | `--name` | This is used to put a friendly name to the Application that can be seen in the portal. It is typical to use the name of your TRE instance. | -| `--admin-consent` | If you have the appropriate permission to grant admin consent, then pass in this argument. If you do not, you will have to ask an AAD Admin to consent after you have created the identity. Consent is required for this permission. | +| `--admin-consent` | If you have the appropriate permission to grant admin consent, then pass in this argument. If you do not, you will have to ask an Microsoft Entra ID Admin to consent after you have created the identity. Consent is required for this permission. | | `--application-permission` | This is a comma seperated list of the permissions that need to be assigned. For exampler `Application.ReadWrite.All,Directory.Read.All,Group.ReadWrite.All` | | `--reset-password` | Optional, default is 0. When run in a headless fashion, 1 is passed in to always reset the password. | 
diff --git a/docs/tre-admins/identities/auth-manual.md b/docs/tre-admins/identities/auth-manual.md index bc55df319f..7c09eca3b9 100644 --- a/docs/tre-admins/identities/auth-manual.md +++ b/docs/tre-admins/identities/auth-manual.md @@ -1,4 +1,4 @@ -# Manually creating AAD identities +# Manually creating Microsoft Entra ID identities This guide is here if you wanted to create these Application Registrations manually. diff --git a/docs/tre-admins/identities/client.md b/docs/tre-admins/identities/client.md index 60e5ef9732..725d3ec3f2 100644 --- a/docs/tre-admins/identities/client.md +++ b/docs/tre-admins/identities/client.md @@ -1,7 +1,7 @@ # TRE Client UX ## Name -The Client Identity is typically called ` UX` within the AAD Portal. +The Client Identity is typically called ` UX` within the Microsoft Entra ID Portal. ## Purpose This identity is used by any public facing client application so that user impersonation can occur to the Core API and any Workspace Applications. 
@@ -38,9 +38,9 @@ Example on how to run the script: | -------- | ----------- | | `--name` | The prefix of the name of the app registrations. `TRE` will give you `TRE API`. | | `--tre-url` | Used to construct auth redirection URLs for the UI and Swagger app. Use the values of the [environment variables](../environment-variables.md) `TRE_ID` and `LOCATION` in the URL. Reply URL for the localhost, `http://localhost:8000/api/docs/oauth2-redirect`, will be added by default. | -| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires AAD admin privileges. | +| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires Microsoft Entra ID admin privileges. | | `--automation-clientid` | This is an optional parameter but will create an application with test users with permission to use the `TRE API` and `TRE Swagger UI` | -| `--reset-password` | Optional, default is 0. This flag has no relevance when creating the UX as there is no password for the AAD Application. | +| `--reset-password` | Optional, default is 0. This flag has no relevance when creating the UX as there is no password for the Microsoft Entra ID Application. | ## Redirect URLs diff --git a/docs/tre-admins/identities/test-account.md b/docs/tre-admins/identities/test-account.md index 42ee5d03b8..c06a71f412 100644 --- a/docs/tre-admins/identities/test-account.md +++ b/docs/tre-admins/identities/test-account.md @@ -1,7 +1,7 @@ # TRE Automation Admin Application ## Name -The Automation Application is typically called ` Automation Admin` within the AAD Portal. +The Automation Application is typically called ` Automation Admin` within the Microsoft Entra ID Portal. ## Purpose This application is used to authorize end-to-end test scenarios. diff --git a/docs/tre-admins/identities/workspace.md b/docs/tre-admins/identities/workspace.md index 6f28293bd6..8bc5b1989a 100644 
--- a/docs/tre-admins/identities/workspace.md +++ b/docs/tre-admins/identities/workspace.md @@ -25,7 +25,7 @@ This identity should only be used by the API Application. ## How to create There are two mechanisms for creating Workspace Applications -- Manually by your AAD Tenant Admin (default) +- Manually by your Microsoft Entra ID Tenant Admin (default) - Automatically by TRE. Please see this [guide](./application_admin.md) if you wish this to be automatic. !!! caution @@ -46,9 +46,9 @@ Example on how to run the script: | -------- | ----------- | | `--name` | The name of the application. This will be suffixed with 'API' by the script. | | `--ux-clientid` | This value is one of the outputs when you first ran the script. It is mandatory if you use admin-consent. | -| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires AAD admin privileges. | +| `--admin-consent` | Grants admin consent for the app registrations. This is required for them to function properly, but requires Microsoft Entra ID admin privileges. | | `--automation-clientid` | This is an optional parameter but will grant the Automation App (created in step 1) permission to the new workspace app. | -| `--application-admin-clientid` | This is a required parameter , and should be a client id that will be added to the Owners of the AAD Application so that it can be administered within TRE. | +| `--application-admin-clientid` | This is a required parameter , and should be a client id that will be added to the Owners of the Microsoft Entra ID Application so that it can be administered within TRE. | | `--reset-password` | Optional, default is 0. When run in a headless fashion, 1 is passed in to always reset the password. | 
@@ -64,4 +64,4 @@ If you do not wish to grant the Automation App permission to your workspace, jus |WORKSPACE_API_CLIENT_SECRET|The client secret|`./config.yaml`| ## Comments -When the Workspace AAD app is registered by running `make auth`, the `Workspace Scope Id` is the same as the Client Id. When the Workspace AAD app is created by the base workspace, the `Workspace Scope Id` will be in this format `api://_ws_` +When the Workspace Microsoft Entra ID app is registered by running `make auth`, the `Workspace Scope Id` is the same as the Client Id. When the Workspace Microsoft Entra ID app is created by the base workspace, the `Workspace Scope Id` will be in this format `api://_ws_` diff --git a/docs/tre-admins/setup-instructions/ad-tenant-choices.md b/docs/tre-admins/setup-instructions/ad-tenant-choices.md index 38342060ef..96a7a43486 100644 --- a/docs/tre-admins/setup-instructions/ad-tenant-choices.md +++ b/docs/tre-admins/setup-instructions/ad-tenant-choices.md @@ -10,7 +10,7 @@ Users from your corporate tenant can be guested into this new TRE tenant. ## Corporate Tenant -It is possible to use your corporate tenant for TRE. This does have the advantage of only managing a single tenant, but your AAD Tenant Admin must be aware of what TRE brings to your organization and must be prepared to carry out some admin tasks, like creating an AAD Application every time a new Workspace is created. +It is possible to use your corporate tenant for TRE. This does have the advantage of only managing a single tenant, but your Microsoft Entra ID Tenant Admin must be aware of what TRE brings to your organization and must be prepared to carry out some admin tasks, like creating an Microsoft Entra ID Application every time a new Workspace is created. [![TRE Tenant](../../assets/corp-tenant.png)](../../assets/corp-tenant.png) 
diff --git a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md index d089d1967d..07a231ef0b 100644 --- a/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md +++ b/docs/tre-admins/setup-instructions/cicd-pre-deployment-steps.md @@ -92,8 +92,8 @@ In a previous [Setup Auth configuration](./setup-auth-entities.md) step authenti | Secret Name | Description | | -------- | ----------- | | `AAD_TENANT_ID` | Tenant id against which auth is performed. | - | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer AAD Applications for TRE | - | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer AAD Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_ID`| This client will administer Microsoft Entra ID Applications for TRE | + | `APPLICATION_ADMIN_CLIENT_SECRET`| This client will administer Microsoft Entra ID Applications for TRE | | `TEST_ACCOUNT_CLIENT_ID`| This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `TEST_ACCOUNT_CLIENT_SECRET` | This will be created by default, but can be disabled by editing `/devops/scripts/create_aad_assets.sh`. This is the user that will run the tests for you | | `API_CLIENT_ID` | API application (client) ID. | diff --git a/docs/tre-admins/setup-instructions/installing-base-workspace.md b/docs/tre-admins/setup-instructions/installing-base-workspace.md index ebec8961b6..25caddc50c 100644 --- a/docs/tre-admins/setup-instructions/installing-base-workspace.md +++ b/docs/tre-admins/setup-instructions/installing-base-workspace.md 
@@ -29,7 +29,7 @@ As explained in the [auth guide](../auth.md), every workspace has a correspondin ``` !!! caution - If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Microsoft Entra ID tenant** in [Setup Auth configuration](setup-auth-entities.md) for more details. + If you're using a separate tenant for Microsoft Entra ID app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Microsoft Entra ID tenant** in [Setup Auth configuration](setup-auth-entities.md) for more details. Running the script will report `workspace_api_client_id` and `workspace_api_client_secret` for the generated app. Add these under the authenrication section in `/config.yaml` so that automated testing will work. You also need to use `workspace_api_client_id` in the POST body below. diff --git a/docs/tre-admins/setup-instructions/prerequisites.md b/docs/tre-admins/setup-instructions/prerequisites.md index 692ae33a98..2fc10eb8ab 100644 --- a/docs/tre-admins/setup-instructions/prerequisites.md +++ b/docs/tre-admins/setup-instructions/prerequisites.md 
@@ -3,7 +3,7 @@ To deploy an Azure TRE instance, the following assets and tools are required: * [Azure subscription](https://azure.microsoft.com) -* [Microsoft Entra ID (AAD)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations +* [Microsoft Entra ID (Microsoft Entra ID)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations * Git client such as [Git](https://git-scm.com/) or [GitHub Desktop](https://desktop.github.com/) * [Docker Desktop](https://www.docker.com/products/docker-desktop) diff --git a/docs/tre-admins/setup-instructions/setup-auth-entities.md b/docs/tre-admins/setup-instructions/setup-auth-entities.md index ad2a6e94fb..c1616c83cb 100644 --- a/docs/tre-admins/setup-instructions/setup-auth-entities.md +++ b/docs/tre-admins/setup-instructions/setup-auth-entities.md 
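Review bot: The link text in the prerequisites.md hunk now reads `Microsoft Entra ID (Microsoft Entra ID)`; the search-and-replace turned the former `(AAD)` abbreviation into a repeat of the name. Either drop the parenthetical, `* [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations`, or keep the old name as an aside, `Microsoft Entra ID (formerly Azure AD)`, which also helps readers map the new name onto the `AAD_TENANT_ID` / `aad_tenant_id` settings this diff leaves unchanged. The identical duplication is in the local-development.md hunk further down.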
@@ -19,9 +19,9 @@ Next, you will set the configuration variables for the specific Azure TRE instan The rest of the variables can have their default values. -1. Decide on a name for your `tre_id` ID for the Azure TRE instance. The value will be used in various Azure resources and AAD application names. It **needs to be globally unique and less than 12 characters in length**. Use **only** lowercase alphanumerics. Choose wisely! +1. Decide on a name for your `tre_id` ID for the Azure TRE instance. The value will be used in various Azure resources and Microsoft Entra ID application names. It **needs to be globally unique and less than 12 characters in length**. Use **only** lowercase alphanumerics. Choose wisely! 1. Once you have decided on which AD Tenant paradigm, then you should be able to set `aad_tenant_id` in the authentication section in your `config.yaml` file. -1. Your AAD Tenant Admin can now use the terminal window in Visual Studio Code to execute the following script from within the development container to create all the AAD Applications that are used for TRE. The details of the script are covered in the [auth document](../auth.md). +1. Your Microsoft Entra ID Tenant Admin can now use the terminal window in Visual Studio Code to execute the following script from within the development container to create all the Microsoft Entra ID Applications that are used for TRE. The details of the script are covered in the [auth document](../auth.md). ```bash make auth diff --git a/docs/tre-admins/setup-instructions/ui-install-base-workspace.md b/docs/tre-admins/setup-instructions/ui-install-base-workspace.md index 1b612d4292..25b4e2c213 100644 --- a/docs/tre-admins/setup-instructions/ui-install-base-workspace.md +++ b/docs/tre-admins/setup-instructions/ui-install-base-workspace.md 
@@ -57,7 +57,7 @@ As explained in the [auth guide](../auth.md), every workspace has a correspondin ``` !!! caution - If you're using a separate tenant for AAD app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Microsoft Entra ID tenant** in [Setup Auth configuration](./setup-auth-entities.md) for more details. + If you're using a separate tenant for Microsoft Entra ID app registrations to the one where you've deployed the TRE infrastructure resources, ensure you've signed into that tenant in the `az cli` before running the above command. See **Using a separate Microsoft Entra ID tenant** in [Setup Auth configuration](./setup-auth-entities.md) for more details. Running the script will report `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` for the generated app. Set these under authentication section in `config.yaml` so that automated testing will work. You also need to use `WORKSPACE_API_CLIENT_ID` and `WORKSPACE_API_CLIENT_SECRET` in the form. diff --git a/docs/tre-developers/api.md b/docs/tre-developers/api.md index e35e0cd83d..06c2195aa6 100644 --- a/docs/tre-developers/api.md +++ b/docs/tre-developers/api.md @@ -144,7 +144,7 @@ make auth ``` Alternatively, in Azure Portal you can add the redirect URL to the App Registration. -Under AAD, find App Registrations, and find the App Registration with the ID shown in the error message. +Under Microsoft Entra ID, find App Registrations, and find the App Registration with the ID shown in the error message. There, go to Redirect URL and add the URL given to you by the error message (it will have a form of `https://${TRE_ID}.westeurope.cloudapp.azure.com/api/docs/oauth2-redirect`). diff --git a/docs/tre-developers/ui.md b/docs/tre-developers/ui.md index 433985875f..e9b4a04441 100644 --- a/docs/tre-developers/ui.md +++ b/docs/tre-developers/ui.md 
@@ -8,7 +8,7 @@ The UI is built upon several popular web frameworks: - Typescript - React Router v6 for client side routing - Fluent UI [Fluent UI Docs](https://developer.microsoft.com/en-us/fluentui#/controls/web) -- MSAL v2: AAD authentication [msal-react docs](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-react) +- MSAL v2: Microsoft Entra ID authentication [msal-react docs](https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-react) ### Folder structure @@ -27,7 +27,7 @@ ui ### AuthN + AuthZ For further details on the auth setup, see [Auth](../tre-admins/auth.md). -As stated above, AAD is used for Authentication and Authorization. There are 3 AAD apps involved here: +As stated above, Microsoft Entra ID is used for Authentication and Authorization. There are 3 Microsoft Entra ID apps involved here: - **TRE UX**. This is the app that the user authenticates against. Once authenticated, the client will request an access token for the `TRE Api`. - **TRE Api**. In the access token response from this app we get the user's role membership for TRE-level roles (`TREAdmin` / `TREUser`). Based on these role memberships, aspects of the UI will be made available. If the user is in a `TREAdmin` role, they will see buttons to create workspaces for instance. When the user navigates into a Workspace, the client will request an access token for that `Workspace App`. 
@@ -39,7 +39,7 @@ From this access token we can find the Workspace-level roles the user is in (`Wo ### React Contexts The React Context API is a clean way to handle a limited amount of global state, and is used for a few scenarios in this project: - TRE Roles Context: A context provides details of the base TRE roles a user is in, which can be consumed anywhere throughout the app -- Workspace Context: Tracks the currently selected Workspace, and the roles the user is in for that Workspace. This context is used for nested components to be able to authenticate against the correct AAD App via `workspaceCtx.workspaceApplicationIdURI`. +- Workspace Context: Tracks the currently selected Workspace, and the roles the user is in for that Workspace. This context is used for nested components to be able to authenticate against the correct Microsoft Entra ID App via `workspaceCtx.workspaceApplicationIdURI`. - Create Form Context: A context to control the Create / Update form behaviour. - Notifications Context: Tracks all the in-progress operations currently running. For each operation, the Notifications panel also uses this context to broadcast Component 'actions' which are subscribed to by downstream components. This way, a resource component does not have to track it's own changes, and can be 'told' by the Notifications Context whether it should refresh / lock etc. diff --git a/docs/using-tre/local-development/local-development.md b/docs/using-tre/local-development/local-development.md index 98c3892688..7ff597257d 100644 --- a/docs/using-tre/local-development/local-development.md +++ b/docs/using-tre/local-development/local-development.md 
@@ -9,7 +9,7 @@ This guide will cover how to setup local development environment to add custom t To deploy an Azure TRE instance, the following assets and tools are required: * [Azure subscription](https://azure.microsoft.com) -* [Microsoft Entra ID (AAD)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations +* [Microsoft Entra ID (Microsoft Entra ID)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations * Git client such as [Git](https://git-scm.com/) or [GitHub Desktop](https://desktop.github.com/) * [Docker Desktop](https://www.docker.com/products/docker-desktop) diff --git a/e2e_tests/.env.sample b/e2e_tests/.env.sample index 96d5a61628..504651cfda 100644 --- a/e2e_tests/.env.sample +++ b/e2e_tests/.env.sample @@ -18,7 +18,7 @@ TEST_WORKSPACE_APP_SECRET= WORKSPACE_APP_SERVICE_PLAN_SKU="P1v2" TEST_WORKSPACE_ID= -TEST_AAD_WORKSPACE_ID=ID of pre-created AAD workspace> +TEST_AAD_WORKSPACE_ID=ID of pre-created Microsoft Entra ID workspace> # Run tests sequentially. Change this value if you want to run tests in parallel locally E2E_TESTS_NUMBER_PROCESSES=1 diff --git a/e2e_tests/conftest.py b/e2e_tests/conftest.py index 7195a14588..8849f8ee52 100644 --- a/e2e_tests/conftest.py +++ b/e2e_tests/conftest.py @@ -53,7 +53,7 @@ async def create_or_get_test_workspace( payload = { "templateName": template_name, "properties": { - "display_name": f"E2E {description} workspace ({auth_type} AAD)", + "display_name": f"E2E {description} workspace ({auth_type} Microsoft Entra ID)", "description": f"{template_name} test workspace for E2E tests", "auth_type": auth_type, "address_space_size": "small" diff --git a/e2e_tests/helpers.py b/e2e_tests/helpers.py index 307fb88933..79e70ae6db 100644 --- a/e2e_tests/helpers.py +++ b/e2e_tests/helpers.py 
@@ -72,7 +72,7 @@ async def get_shared_service_by_name(template_name: str, verify, token) -> Optio async def check_aad_auth_redirect(endpoint, verify) -> None: - LOGGER.info(f"Checking AAD AuthN redirect on: {endpoint}") + LOGGER.info(f"Checking Microsoft Entra ID AuthN redirect on: {endpoint}") terminal_http_status = [status.HTTP_200_OK, status.HTTP_401_UNAUTHORIZED, diff --git a/e2e_tests/test_workspace_services.py b/e2e_tests/test_workspace_services.py index 31ac5a0b14..8dc98786f0 100644 --- a/e2e_tests/test_workspace_services.py +++ b/e2e_tests/test_workspace_services.py @@ -39,7 +39,7 @@ async def test_create_guacamole_service_into_base_workspace(setup_test_workspace @pytest.mark.extended_aad @pytest.mark.timeout(75 * 60) async def test_create_guacamole_service_into_aad_workspace(setup_test_aad_workspace, verify) -> None: - """This test will create a Guacamole service but will create a workspace and automatically register the AAD Application""" + """This test will create a Guacamole service but will create a workspace and automatically register the Microsoft Entra ID Application""" workspace_path, workspace_id = setup_test_aad_workspace workspace_owner_token = await get_workspace_owner_token(workspace_id, verify) diff --git a/templates/workspace_services/azureml/porter.yaml b/templates/workspace_services/azureml/porter.yaml index 1d4b45d7b8..60a0ea79f9 100644 --- a/templates/workspace_services/azureml/porter.yaml +++ b/templates/workspace_services/azureml/porter.yaml @@ -7,7 +7,7 @@ registry: azuretre dockerfile: Dockerfile.tmpl credentials: - # Credentials for interacting with the AAD Auth tenant + # Credentials for interacting with the Microsoft Entra ID Auth tenant - name: auth_client_id env: AUTH_CLIENT_ID - name: auth_client_secret diff --git a/templates/workspace_services/azureml/terraform/variables.tf b/templates/workspace_services/azureml/terraform/variables.tf index a47b5588ff..2b40065a28 100644 
--- a/templates/workspace_services/azureml/terraform/variables.tf +++ b/templates/workspace_services/azureml/terraform/variables.tf @@ -24,16 +24,16 @@ variable "arm_tenant_id" { } variable "auth_tenant_id" { type = string - description = "Used to authenticate into the AAD Tenant to get app role members" + description = "Used to authenticate into the Microsoft Entra ID Tenant to get app role members" } variable "auth_client_id" { type = string - description = "Used to authenticate into the AAD Tenant to get app role members" + description = "Used to authenticate into the Microsoft Entra ID Tenant to get app role members" } variable "auth_client_secret" { type = string sensitive = true - description = "Used to authenticate into the AAD Tenant to get app role members" + description = "Used to authenticate into the Microsoft Entra ID Tenant to get app role members" } variable "arm_environment" { diff --git a/templates/workspace_services/databricks/template_schema.json b/templates/workspace_services/databricks/template_schema.json index 6d559d111a..9afa5f7f4c 100644 --- a/templates/workspace_services/databricks/template_schema.json +++ b/templates/workspace_services/databricks/template_schema.json @@ -112,7 +112,7 @@ }, { "name": "AzureAD", - "description": "AAD access", + "description": "Microsoft Entra ID access", "source_addresses": "{{ resource.properties.workspace_address_spaces }}", "destination_addresses": ["AzureActiveDirectory"], "destination_ports": ["*"], @@ -169,8 +169,8 @@ ] }, { - "name": "AAD CDN", - "description": "AAD CDN", + "name": "Microsoft Entra ID CDN", + "description": "Microsoft Entra ID CDN", "source_addresses": "{{ resource.properties.workspace_address_spaces }}", "target_fqdns": [ "aadcdn.msftauth.net" 
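Review bot: The `-169,8` hunk changes the firewall rule's `name` from `AAD CDN` to `Microsoft Entra ID CDN`, while every other rule touched by this commit (`AzureAD` here, `microsoft-aad` in the ohdsi template) keeps its name and only gets a new `description`. `name` is the rule's identity inside the firewall rule collection, so on an upgrade of an already-deployed service this presumably reads as a removed rule plus a new rule rather than a relabel, and it is worth confirming against a deployed firewall that the old `AAD CDN` entry is actually retired rather than left alongside the new one. I would keep `"name": "AAD CDN",` and change only `"description": "Microsoft Entra ID CDN",`. The same rename appears in the databricks `-310,8` hunk, the gitea `-101,8` and `-161,8` hunks, and the health-services `-107,8` and `-167,8` hunks.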
@@ -253,7 +253,7 @@ }, { "name": "AzureAD", - "description": "AAD access", + "description": "Microsoft Entra ID access", "source_addresses": "{{ resource.properties.workspace_address_spaces }}", "destination_addresses": ["AzureActiveDirectory"], "destination_ports": ["*"], @@ -310,8 +310,8 @@ ] }, { - "name": "AAD CDN", - "description": "AAD CDN", + "name": "Microsoft Entra ID CDN", + "description": "Microsoft Entra ID CDN", "source_addresses": "{{ resource.properties.workspace_address_spaces }}", "target_fqdns": [ "aadcdn.msftauth.net" diff --git a/templates/workspace_services/gitea/template_schema.json b/templates/workspace_services/gitea/template_schema.json index d9f10c1d8d..15719b7f70 100644 --- a/templates/workspace_services/gitea/template_schema.json +++ b/templates/workspace_services/gitea/template_schema.json @@ -48,7 +48,7 @@ }, { "stepId": "12ba0dad-ea6c-4d0d-9255-d316212f5ffa", - "stepTitle": "Add Gitea URI as AAD redirect URI", + "stepTitle": "Add Gitea URI as Microsoft Entra ID redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ @@ -82,7 +82,7 @@ "rules": [ { "name": "AzureAD", - "description": "AAD access", + "description": "Microsoft Entra ID access", "source_addresses": "{{ resource.properties.workspace_address_space }}", "destination_addresses": ["AzureActiveDirectory"], "destination_ports": ["*"], @@ -101,8 +101,8 @@ "action": "Allow", "rules": [ { - "name": "AAD CDN", - "description": "AAD CDN", + "name": "Microsoft Entra ID CDN", + "description": "Microsoft Entra ID CDN", "source_addresses": "{{ resource.properties.workspace_address_space }}", "target_fqdns": [ "aadcdn.msftauth.net" @@ -142,7 +142,7 @@ "rules": [ { "name": "AzureAD", - "description": "AAD access for authNZ", + "description": "Microsoft Entra ID access for authNZ", "source_addresses": "{{ resource.properties.workspace_address_space }}", "destination_addresses": ["AzureActiveDirectory"], "destination_ports": ["*"], 
@@ -161,8 +161,8 @@ "action": "Allow", "rules": [ { - "name": "AAD CDN", - "description": "AAD CDN", + "name": "Microsoft Entra ID CDN", + "description": "Microsoft Entra ID CDN", "source_addresses": "{{ resource.properties.workspace_address_space }}", "target_fqdns": [ "aadcdn.msftauth.net" @@ -181,7 +181,7 @@ }, { "stepId": "741c7ff2-eff5-47b2-bf62-2b410d65c96b", - "stepTitle": "Add Gitea URI as AAD redirect URI", + "stepTitle": "Add Gitea URI as Microsoft Entra ID redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ @@ -201,7 +201,7 @@ "uninstall": [ { "stepId": "9a1d6b95-26c8-4165-8890-573dd4e2b45c", - "stepTitle": "Update Gitea URI to AAD redirect URI", + "stepTitle": "Update Gitea URI to Microsoft Entra ID redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ diff --git a/templates/workspace_services/guacamole/template_schema.json b/templates/workspace_services/guacamole/template_schema.json index e0f052bd08..6708ad0735 100644 --- a/templates/workspace_services/guacamole/template_schema.json +++ b/templates/workspace_services/guacamole/template_schema.json @@ -79,7 +79,7 @@ }, { "stepId": "12ba0dad-ea6c-4d0d-9255-d316212f5ffa", - "stepTitle": "Add Guacamole URI as AAD redirect URI", + "stepTitle": "Add Guacamole URI as Microsoft Entra ID redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ @@ -113,7 +113,7 @@ "rules": [ { "name": "AzureAD", - "description": "AAD access for authNZ", + "description": "Microsoft Entra ID access for authNZ", "source_addresses": "{{ resource.properties.web_apps_addresses }}", "destination_addresses": [ "AzureActiveDirectory" @@ -137,7 +137,7 @@ }, { "stepId": "741c7ff2-eff5-47b2-bf62-2b410d65c96b", - "stepTitle": "Update Guacamole URI in AAD", + "stepTitle": "Update Guacamole URI in Microsoft Entra ID", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ 
@@ -175,7 +175,7 @@ }, { "stepId": "9a1d6b95-26c8-4165-8010-573dd4e2b45c", - "stepTitle": "Update guacamole URI to AAD redirect URI", + "stepTitle": "Update guacamole URI to Microsoft Entra ID redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ diff --git a/templates/workspace_services/health-services/porter.yaml b/templates/workspace_services/health-services/porter.yaml index 6667359afa..2f2339c1aa 100644 --- a/templates/workspace_services/health-services/porter.yaml +++ b/templates/workspace_services/health-services/porter.yaml @@ -7,7 +7,7 @@ registry: azuretre dockerfile: Dockerfile.tmpl credentials: - # Credentials for interacting with the AAD Auth tenant + # Credentials for interacting with the Microsoft Entra ID Auth tenant - name: auth_client_id env: AUTH_CLIENT_ID - name: auth_client_secret diff --git a/templates/workspace_services/health-services/template_schema.json b/templates/workspace_services/health-services/template_schema.json index 290b8e5b4c..5610a98b7d 100644 --- a/templates/workspace_services/health-services/template_schema.json +++ b/templates/workspace_services/health-services/template_schema.json @@ -88,7 +88,7 @@ "rules": [ { "name": "AzureAD", - "description": "AAD access", + "description": "Microsoft Entra ID access", "source_addresses": "{{ resource.properties.workspace_address_space }}", "destination_addresses": ["AzureActiveDirectory"], "destination_ports": ["*"], @@ -107,8 +107,8 @@ "action": "Allow", "rules": [ { - "name": "AAD CDN", - "description": "AAD CDN", + "name": "Microsoft Entra ID CDN", + "description": "Microsoft Entra ID CDN", "source_addresses": "{{ resource.properties.workspace_address_space }}", "target_fqdns": [ "aadcdn.msftauth.net" 
@@ -148,7 +148,7 @@ "rules": [ { "name": "AzureAD", - "description": "AAD access for authNZ", + "description": "Microsoft Entra ID access for authNZ", "source_addresses": "{{ resource.properties.workspace_address_space }}", "destination_addresses": ["AzureActiveDirectory"], "destination_ports": ["*"], @@ -167,8 +167,8 @@ "action": "Allow", "rules": [ { - "name": "AAD CDN", - "description": "AAD CDN", + "name": "Microsoft Entra ID CDN", + "description": "Microsoft Entra ID CDN", "source_addresses": "{{ resource.properties.workspace_address_space }}", "target_fqdns": [ "aadcdn.msftauth.net" diff --git a/templates/workspace_services/health-services/terraform/variables.tf b/templates/workspace_services/health-services/terraform/variables.tf index 72547d6a74..e5b7419597 100644 --- a/templates/workspace_services/health-services/terraform/variables.tf +++ b/templates/workspace_services/health-services/terraform/variables.tf @@ -35,17 +35,17 @@ variable "deploy_dicom" { variable "auth_tenant_id" { type = string - description = "Used to authenticate into the AAD Tenant to get app role members" + description = "Used to authenticate into the Microsoft Entra ID Tenant to get app role members" } variable "auth_client_id" { type = string - description = "Used to authenticate into the AAD Tenant to get app role members" + description = "Used to authenticate into the Microsoft Entra ID Tenant to get app role members" } variable "auth_client_secret" { type = string - description = "Used to authenticate into the AAD Tenant to get app role members" + description = "Used to authenticate into the Microsoft Entra ID Tenant to get app role members" } variable "arm_environment" { diff --git a/templates/workspace_services/ohdsi/template_schema.json b/templates/workspace_services/ohdsi/template_schema.json index 1fa56948ba..c6a1c131ec 100644 --- a/templates/workspace_services/ohdsi/template_schema.json +++ b/templates/workspace_services/ohdsi/template_schema.json 
@@ -160,7 +160,7 @@ }, { "stepId": "7276dcc1-7d0e-496a-badf-87c8c25fc06e", - "stepTitle": "Add Atlas callback URI as AAD redirect URI", + "stepTitle": "Add Atlas callback URI as Microsoft Entra ID redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ @@ -178,7 +178,7 @@ }, { "stepId": "37d7fbde-fd61-4096-ac4d-741960474995", - "stepTitle": "Add firewall rules for AAD", + "stepTitle": "Add firewall rules for Microsoft Entra ID", "resourceTemplateName": "tre-shared-service-firewall", "resourceType": "shared-service", "resourceAction": "upgrade", @@ -194,7 +194,7 @@ "rules": [ { "name": "AzureAD", - "description": "Allow access to AAD", + "description": "Allow access to Microsoft Entra ID", "source_addresses": "{{ resource.parent.properties.address_spaces }}", "destination_addresses": [ "AzureActiveDirectory" @@ -220,7 +220,7 @@ "rules": [ { "name": "microsoft-aad", - "description": "Allow AAD FQDNs", + "description": "Allow Microsoft Entra ID FQDNs", "source_addresses": "{{ resource.parent.properties.address_spaces }}", "target_fqdns": [ "*.msftauth.net", @@ -262,7 +262,7 @@ }, { "stepId": "0d3961fd-1538-4b0e-a6ed-bf401b65c034", - "stepTitle": "Upgrade Atlas callback URI as AAD redirect URI", + "stepTitle": "Upgrade Atlas callback URI as Microsoft Entra ID redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ @@ -280,7 +280,7 @@ }, { "stepId": "3329d760-3e09-4721-8722-f369b123ca77", - "stepTitle": "Add firewall rules for AAD", + "stepTitle": "Add firewall rules for Microsoft Entra ID", "resourceTemplateName": "tre-shared-service-firewall", "resourceType": "shared-service", "resourceAction": "upgrade", @@ -296,7 +296,7 @@ "rules": [ { "name": "AzureAD", - "description": "Allow access to AAD", + "description": "Allow access to Microsoft Entra ID", "source_addresses": "{{ resource.parent.properties.address_spaces }}", "destination_addresses": [ "AzureActiveDirectory" 
@@ -322,7 +322,7 @@ "rules": [ { "name": "microsoft-aad", - "description": "Allow AAD FQDNs", + "description": "Allow Microsoft Entra ID FQDNs", "source_addresses": "{{ resource.parent.properties.address_spaces }}", "target_fqdns": [ "*.msftauth.net", @@ -354,7 +354,7 @@ "uninstall": [ { "stepId": "e1986fe8-b1f9-4a9d-abb1-da1ea9a50b41", - "stepTitle": "Remove Atlas callback URI as AAD redirect URI", + "stepTitle": "Remove Atlas callback URI as Microsoft Entra ID redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ diff --git a/templates/workspaces/airlock-import-review/.env.sample b/templates/workspaces/airlock-import-review/.env.sample index 68d0a40652..c89893b33f 100644 --- a/templates/workspaces/airlock-import-review/.env.sample +++ b/templates/workspaces/airlock-import-review/.env.sample @@ -4,14 +4,14 @@ ARM_TENANT_ID="__CHANGE_ME__" ARM_SUBSCRIPTION_ID="__CHANGE_ME__" AUTH_TENANT_ID="__CHANGE_ME__" -# These are passed in if Terraform will create the Workspace AAD Application +# These are passed in if Terraform will create the Workspace Microsoft Entra ID Application REGISTER_AAD_APPLICATION=true CREATE_AAD_GROUPS=true AUTH_CLIENT_ID="__CHANGE_ME__" AUTH_CLIENT_SECRET="__CHANGE_ME__" WORKSPACE_OWNER_OBJECT_ID="__CHANGE_ME__" -# These are passed in if you register the Workspace AAD Application before hand +# These are passed in if you register the Workspace Microsoft Entra ID Application before hand # REGISTER_AAD_APPLICATION=false # CLIENT_ID="__CHANGE_ME__" # CLIENT_SECRET="__CHANGE_ME__" diff --git a/templates/workspaces/airlock-import-review/porter.yaml b/templates/workspaces/airlock-import-review/porter.yaml index 5943388107..fe231cc81e 100644 --- a/templates/workspaces/airlock-import-review/porter.yaml +++ b/templates/workspaces/airlock-import-review/porter.yaml 
@@ -7,7 +7,7 @@ dockerfile: Dockerfile.tmpl registry: azuretre credentials: - # Credentials for interacting with the AAD Auth tenant + # Credentials for interacting with the Microsoft Entra ID Auth tenant - name: auth_client_id env: AUTH_CLIENT_ID - name: auth_client_secret @@ -64,11 +64,11 @@ parameters: - name: register_aad_application type: boolean default: false - description: "Whether this bundle should register the workspace in AAD" + description: "Whether this bundle should register the workspace in Microsoft Entra ID" - name: create_aad_groups type: boolean default: false - description: "Whether this bundle should create AAD groups for the workspace app roles" + description: "Whether this bundle should create Microsoft Entra ID groups for the workspace app roles" - name: workspace_owner_object_id type: string description: "The object id of the user that will be granted WorkspaceOwner after it is created." @@ -237,7 +237,7 @@ upgrade: flags: name: ${ bundle.parameters.azure_environment } - az: - description: "AAD Application Admin Login" + description: "Microsoft Entra ID Application Admin Login" arguments: - login flags: diff --git a/templates/workspaces/airlock-import-review/template_schema.json b/templates/workspaces/airlock-import-review/template_schema.json index e05a0d87e7..19c125201f 100644 --- a/templates/workspaces/airlock-import-review/template_schema.json +++ b/templates/workspaces/airlock-import-review/template_schema.json 
@@ -94,13 +94,13 @@ "client_id": { "type": "string", "title": "Application (Client) ID", - "description": "The AAD Application Registration ID for the workspace.", + "description": "The Microsoft Entra ID Application Registration ID for the workspace.", "updateable": true }, "client_secret": { "type": "string", "title": "Application (Client) Secret", - "description": "The AAD Application Registration secret for the workspace. This value will be stored in the Workspace Key Vault.", + "description": "The Microsoft Entra ID Application Registration secret for the workspace. This value will be stored in the Workspace Key Vault.", "sensitive": true, "updateable": true } @@ -113,15 +113,15 @@ "properties": { "create_aad_groups": { "type": "boolean", - "title": "Create AAD Groups for each workspace role", - "description": "Create AAD Groups for the workspace roles. If this is set to true, the workspace will create new AAD Groups.", + "title": "Create Microsoft Entra ID Groups for each workspace role", + "description": "Create Microsoft Entra ID Groups for the workspace roles. If this is set to true, the workspace will create new Microsoft Entra ID Groups.", "default": false, "updateable": true }, "aad_redirect_uris": { "type": "array", - "title": "AAD Redirect URIs", - "description": "Redirect URIs for the AAD app in Automatic Auth mode", + "title": "Microsoft Entra ID Redirect URIs", + "description": "Redirect URIs for the Microsoft Entra ID app in Automatic Auth mode", "updateable": true, "items": { "title": "items", diff --git a/templates/workspaces/base/.env.sample b/templates/workspaces/base/.env.sample index df96d05cc7..40de3a637f 100644 --- a/templates/workspaces/base/.env.sample +++ b/templates/workspaces/base/.env.sample 
@@ -4,14 +4,14 @@ ARM_TENANT_ID="__CHANGE_ME__" ARM_SUBSCRIPTION_ID="__CHANGE_ME__" AUTH_TENANT_ID="__CHANGE_ME__" -# These are passed in if Terraform will create the Workspace AAD Application +# These are passed in if Terraform will create the Workspace Microsoft Entra ID Application REGISTER_AAD_APPLICATION=true CREATE_AAD_GROUPS=true AUTH_CLIENT_ID="__CHANGE_ME__" AUTH_CLIENT_SECRET="__CHANGE_ME__" WORKSPACE_OWNER_OBJECT_ID="__CHANGE_ME__" -# These are passed in if you register the Workspace AAD Application before hand +# These are passed in if you register the Workspace Microsoft Entra ID Application before hand # REGISTER_AAD_APPLICATION=false # CLIENT_ID="__CHANGE_ME__" # CLIENT_SECRET="__CHANGE_ME__" diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml index f7a1802477..c184a162d4 100644 --- a/templates/workspaces/base/porter.yaml +++ b/templates/workspaces/base/porter.yaml @@ -7,7 +7,7 @@ dockerfile: Dockerfile.tmpl registry: azuretre credentials: - # Credentials for interacting with the AAD Auth tenant + # Credentials for interacting with the Microsoft Entra ID Auth tenant - name: auth_client_id env: AUTH_CLIENT_ID - name: auth_client_secret @@ -63,11 +63,11 @@ parameters: - name: register_aad_application type: boolean default: false - description: "Whether this bundle should register the workspace in AAD" + description: "Whether this bundle should register the workspace in Microsoft Entra ID" - name: create_aad_groups type: boolean default: false - description: "Whether this bundle should create AAD groups for the workspace app roles" + description: "Whether this bundle should create Microsoft Entra ID groups for the workspace app roles" - name: workspace_owner_object_id type: string description: "The object id of the user that will be granted WorkspaceOwner after it is created." 
@@ -243,7 +243,7 @@ upgrade: flags: name: ${ bundle.parameters.azure_environment } - az: - description: "AAD Application Admin Login" + description: "Microsoft Entra ID Application Admin Login" arguments: - login flags: diff --git a/templates/workspaces/base/template_schema.json b/templates/workspaces/base/template_schema.json index 3d6cdf0e16..4295fe6316 100644 --- a/templates/workspaces/base/template_schema.json +++ b/templates/workspaces/base/template_schema.json @@ -208,13 +208,13 @@ "client_id": { "type": "string", "title": "Application (Client) ID", - "description": "The AAD Application Registration ID for the workspace.", + "description": "The Microsoft Entra ID Application Registration ID for the workspace.", "updateable": true }, "client_secret": { "type": "string", "title": "Application (Client) Secret", - "description": "The AAD Application Registration secret for the workspace. This value will be stored in the Workspace Key Vault.", + "description": "The Microsoft Entra ID Application Registration secret for the workspace. This value will be stored in the Workspace Key Vault.", "sensitive": true, "updateable": true } 
@@ -227,15 +227,15 @@
 "properties": {
 "create_aad_groups": {
 "type": "boolean",
- "title": "Create AAD Groups for each workspace role",
- "description": "Create AAD Groups for the workspace roles. If this is set to true, the workspace will create new AAD Groups.",
+ "title": "Create Microsoft Entra ID Groups for each workspace role",
+ "description": "Create Microsoft Entra ID Groups for the workspace roles. If this is set to true, the workspace will create new Microsoft Entra ID Groups.",
 "default": false,
 "updateable": true
 },
 "aad_redirect_uris": {
 "type": "array",
- "title": "AAD Redirect URIs",
- "description": "Redirect URIs for the AAD app in Automatic Auth mode",
+ "title": "Microsoft Entra ID Redirect URIs",
+ "description": "Redirect URIs for the Microsoft Entra ID app in Automatic Auth mode",
 "updateable": true,
 "items": {
 "title": "items",
diff --git a/templates/workspaces/base/terraform/keyvault.tf b/templates/workspaces/base/terraform/keyvault.tf
index acfe387cd4..1fa6c06701 100644
--- a/templates/workspaces/base/terraform/keyvault.tf
+++ b/templates/workspaces/base/terraform/keyvault.tf
@@ -113,7 +113,7 @@ resource "azurerm_key_vault_secret" "aad_tenant_id" {
 }
 # This secret only gets written if Terraform is not responsible for
-# registering the AAD Application
+# registering the Microsoft Entra ID Application
 resource "azurerm_key_vault_secret" "client_id" {
 name = "workspace-client-id"
 value = var.client_id
@@ -136,7 +136,7 @@ data "azurerm_key_vault_secret" "client_secret" {
 }
 # This secret only gets written if Terraform is not responsible for
-# registering the AAD Application
+# registering the Microsoft Entra ID Application
 resource "azurerm_key_vault_secret" "client_secret" {
 name = "workspace-client-secret"
 value = var.client_secret == local.redacted_senstive_value ? data.azurerm_key_vault_secret.client_secret[0].value : var.client_secret
diff --git a/templates/workspaces/base/terraform/outputs.tf b/templates/workspaces/base/terraform/outputs.tf
index 40fa8dcd69..19290e0e1b 100644
--- a/templates/workspaces/base/terraform/outputs.tf
+++ b/templates/workspaces/base/terraform/outputs.tf
@@ -2,7 +2,7 @@ output "workspace_resource_name_suffix" {
 value = local.workspace_resource_name_suffix
 }
-# The following outputs are dependent on an Automatic AAD Workspace Application Registration.
+# The following outputs are dependent on an Automatic Microsoft Entra ID Workspace Application Registration.
 # If we are not creating an App Reg we simple pass back the same values that were already created
 # This is necessary so that we don't delete workspace properties
 output "app_role_id_workspace_owner" {
diff --git a/templates/workspaces/base/terraform/variables.tf b/templates/workspaces/base/terraform/variables.tf
index 567d468ede..25853797bf 100644
--- a/templates/workspaces/base/terraform/variables.tf
+++ b/templates/workspaces/base/terraform/variables.tf
@@ -44,13 +44,13 @@ variable "enable_local_debugging" {
 variable "register_aad_application" {
 type = bool
 default = false
- description = "Create an AAD application automatically for the Workspace."
+ description = "Create an Microsoft Entra ID application automatically for the Workspace."
 }
 variable "create_aad_groups" {
 type = bool
 default = false
- description = "Create AAD groups automatically for the Workspace Application Roles."
+ description = "Create Microsoft Entra ID groups automatically for the Workspace Application Roles."
 }
 variable "enable_airlock" {
@@ -65,18 +65,18 @@ variable "aad_redirect_uris_b64" {
 variable "auth_tenant_id" {
 type = string
- description = "Used to authenticate into the AAD Tenant to create the AAD App"
+ description = "Used to authenticate into the Microsoft Entra ID Tenant to create the Microsoft Entra ID App"
 }
 variable "auth_client_id" {
 type = string
- description = "Used to authenticate into the AAD Tenant to create the AAD App"
+ description = "Used to authenticate into the Microsoft Entra ID Tenant to create the Microsoft Entra ID App"
 }
 variable "auth_client_secret" {
 type = string
- description = "Used to authenticate into the AAD Tenant to create the AAD App"
+ description = "Used to authenticate into the Microsoft Entra ID Tenant to create the Microsoft Entra ID App"
 }
-# These variables are only passed in if you are not registering an AAD
+# These variables are only passed in if you are not registering an Microsoft Entra ID
 # application as they need passing back out
 variable "app_role_id_workspace_owner" {
 type = string
diff --git a/templates/workspaces/base/update_redirect_urls.sh b/templates/workspaces/base/update_redirect_urls.sh
index 109d62b501..a4470ee5ba 100755
--- a/templates/workspaces/base/update_redirect_urls.sh
+++ b/templates/workspaces/base/update_redirect_urls.sh
@@ -9,7 +9,7 @@ function usage() { cat < Date: Fri, 22 Mar 2024 11:41:10 +0000 Subject: [PATCH 11/27] Delete .devcontainer/devcontainer.json --- .devcontainer/devcontainer.json | 295 -------------------------------- 1 file changed, 295 deletions(-) delete mode 100644 .devcontainer/devcontainer.json
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
deleted file mode 100644
index 09ba1a76c4..0000000000
--- a/.devcontainer/devcontainer.json
+++ /dev/null
@@ -1,295 +0,0 @@ -{ - "name": "AzureTRE", - // Uncomment when debugging using Jetbrains - // "features": { - // "ghcr.io/devcontainers/features/sshd:1": { - // "version": "latest" - // } - // }, - "build": { - "context": "..", - "dockerfile": "Dockerfile", - "args": { - // To ensure that the group ID for the docker group in the container - // matches the group ID on the host, add this to your .bash_profile on the host - // export DOCKER_GROUP_ID=$(getent group docker | awk -F ":" '{ print $3 }') - "DOCKER_GROUP_ID": "${localEnv:DOCKER_GROUP_ID}", - "INTERACTIVE": "true" - } - }, - "runArgs": [ - "--network", - "host" - ], - "mounts": [ - // Keep command history - "type=volume,source=tre-bashhistory,target=/home/vscode/commandhistory", - // Mounts the login details from the host machine to azcli works in the container - "type=bind,source=${env:HOME}${env:USERPROFILE}/.azure,target=/home/vscode/.azure", - // Mount docker socket for docker builds - "type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock", - // Mounts the github cli login details from the host machine to the container (~/.config/gh/hosts.yml) - "type=bind,source=${env:HOME}${env:USERPROFILE}/.config,target=/home/vscode/.config", - ], - "remoteUser": "vscode", - "containerEnv": { - "DOCKER_BUILDKIT": "1" - }, - "remoteEnv": { - // this is used for SuperLinter - "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" - }, - "customizations": { - "vscode": { - // Set *default* container specific settings.json values on container create. 
- "settings": { - "terminal.integrated.defaultProfile.linux": "bash", - "python.pythonPath": "/usr/local/bin/python", - "python.linting.enabled": true, - "python.linting.pylintEnabled": false, - "python.linting.flake8Enabled": true, - "python.formatting.provider": "black", - "python.formatting.autopep8Path": "/usr/local/py-utils/bin/autopep8", - "python.formatting.blackPath": "/usr/local/py-utils/bin/black", - "python.formatting.yapfPath": "/usr/local/py-utils/bin/yapf", - "python.linting.banditPath": "/usr/local/py-utils/bin/bandit", - "python.linting.flake8Path": "/usr/local/py-utils/bin/flake8", - "python.linting.mypyPath": "/usr/local/py-utils/bin/mypy", - "python.linting.pycodestylePath": "/usr/local/py-utils/bin/pycodestyle", - "python.linting.pydocstylePath": "/usr/local/py-utils/bin/pydocstyle", - "python.linting.pylintPath": "/usr/local/py-utils/bin/pylint", - "python.testing.unittestEnabled": false, - "python.testing.pytestEnabled": true, - "python.testing.pytestArgs": [ - "--ignore=e2e_tests", - "-W ignore::DeprecationWarning" - ], - "python.testing.cwd": "${workspaceFolder}", - "files.associations": { - "*.terraform": "terraform" - }, - "launch": { - "configurations": [ - { - "name": "TRE API", - "type": "python", - "module": "uvicorn", - "request": "launch", - "args": [ - "main:app", - "--reload", - "--host", - "::", - "--port", - "8000" - ], - "jinja": true, - "justMyCode": false, - "console": "integratedTerminal", - "preLaunchTask": "Copy_env_file_for_api_debug", - "cwd": "${workspaceFolder}/api_app", - "envFile": "${workspaceFolder}/api_app/.env", - "env": { - "OTEL_RESOURCE_ATTRIBUTES": "service.name=api,service.instance.id=local_debug,service.version=dev" - } - }, - { - "name": "E2E Extended", - "type": "python", - "request": "launch", - "module": "pytest", - "justMyCode": true, - "cwd": "${workspaceFolder}/e2e_tests/", - "preLaunchTask": "Copy_env_file_for_e2e_debug", - "args": [ - "-m", - "extended", - "--verify", - "false" - ] - }, - { - 
"name": "E2E Extended Microsoft Entra ID", - "type": "python", - "request": "launch", - "module": "pytest", - "justMyCode": true, - "cwd": "${workspaceFolder}/e2e_tests/", - "preLaunchTask": "Copy_env_file_for_e2e_debug", - "args": [ - "-m", - "extended_aad", - "--verify", - "false" - ] - }, - { - "name": "E2E Shared Services", - "type": "python", - "request": "launch", - "module": "pytest", - "justMyCode": true, - "cwd": "${workspaceFolder}/e2e_tests/", - "preLaunchTask": "Copy_env_file_for_e2e_debug", - "args": [ - "-m", - "shared_services", - "--verify", - "false" - ] - }, - { - "name": "E2E Performance", - "type": "python", - "request": "launch", - "module": "pytest", - "justMyCode": true, - "cwd": "${workspaceFolder}/e2e_tests/", - "preLaunchTask": "Copy_env_file_for_e2e_debug", - "args": [ - "-m", - "performance", - "--verify", - "false" - ] - }, - { - "name": "E2E Smoke", - "type": "python", - "request": "launch", - "module": "pytest", - "justMyCode": true, - "cwd": "${workspaceFolder}/e2e_tests/", - "preLaunchTask": "Copy_env_file_for_e2e_debug", - "args": [ - "-m", - "smoke", - "--verify", - "false" - ] - }, - { - "name": "E2E Airlock", - "type": "python", - "request": "launch", - "module": "pytest", - "justMyCode": true, - "cwd": "${workspaceFolder}/e2e_tests/", - "preLaunchTask": "Copy_env_file_for_e2e_debug", - "args": [ - "-m", - "airlock", - "--verify", - "false" - ] - }, - { - "name": "Resource Processor", - "type": "python", - "request": "launch", - "program": "vmss_porter/runner.py", - "console": "integratedTerminal", - "preLaunchTask": "Install_resource_processor_dependencies", - "cwd": "${workspaceFolder}/resource_processor", - "envFile": "${workspaceFolder}/core/private.env", - "env": { - "PYTHONPATH": ".", - "OTEL_RESOURCE_ATTRIBUTES": "service.name=resource_processor,service.instance.id=local_debug,service.version=dev" - }, - "justMyCode": false - }, - { - "name": "Debug Python file", - "type": "python", - "request": "launch", - "program": 
"${file}", - "console": "integratedTerminal", - "purpose": [ - "debug-test" - ] - }, - { - "name": "Launch Edge (localhost)", - "type": "pwa-msedge", - "request": "launch", - "url": "http://localhost:3000", - "webRoot": "${workspaceFolder}/ui/app" - }, - { - "name": "Launch Chrome (localhost)", - "type": "pwa-chrome", - "request": "launch", - "url": "http://localhost:3000", - "webRoot": "${workspaceFolder}/ui/app" - } - ], - "compounds": [] - }, - "tasks": { - "version": "2.0.0", - "tasks": [ - { - "label": "Copy_env_file_for_api_debug", - "command": "./.devcontainer/scripts/consolidate_env.sh ${workspaceFolder} ${workspaceFolder}/api_app/.env", - "type": "shell" - }, - { - "label": "Copy_env_file_for_e2e_debug", - "command": "./.devcontainer/scripts/consolidate_env.sh ${workspaceFolder} ${workspaceFolder}/e2e_tests/.env", - "type": "shell" - }, - { - "label": "Install_resource_processor_dependencies", - "command": "pip install -r ./resource_processor/vmss_porter/requirements.txt", - "type": "shell" - }, - { - "label": "Unit_tests", - "group": { - "kind": "test", - "isDefault": true - }, - "command": "pytest", - "args": [ - "--ignore=e2e_tests" - ] - }, - { - "label": "Smoke_tests", - "group": "test", - "command": "python", - "options": { - "cwd": "${workspaceFolder}/e2e_tests/" - }, - "args": [ - "-m", - "pytest", - "-m", - "smoke" - ] - } - ] - } - }, - // Add the IDs of extensions you want installed when the container is created. - "extensions": [ - "ms-python.python", - "ms-python.pylance", - "hashicorp.terraform", - "github.vscode-pull-request-github", - "getporter.porter-vscode", - "davidanson.vscode-markdownlint", - "editorconfig.editorconfig", - "mikestead.dotenv", - "humao.rest-client", - "timonwong.shellcheck", - "ms-azuretools.vscode-azurefunctions" - ] - } - }, - "forwardPorts": [ - 8000 - ], - // Run commands after the container is created. - "postCreateCommand": "./.devcontainer/scripts/post-create.sh" -} 
From 79b8bd934911707d5748f1776a75dbee98db70ea Mon Sep 17 00:00:00 2001 From: Wojciech Date: Fri, 22 Mar 2024 11:43:43 +0000 Subject: [PATCH 12/27] Revert "Delete .devcontainer/devcontainer.json" This reverts commit 5dd6d5c2656c5304bf4adf6bb38e1a20735bbc8a. --- .devcontainer/devcontainer.json | 295 ++++++++++++++++++++++++++++++++ 1 file changed, 295 insertions(+) create mode 100644 .devcontainer/devcontainer.json
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
new file mode 100644
index 0000000000..09ba1a76c4
--- /dev/null
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,295 @@ +{ + "name": "AzureTRE", + // Uncomment when debugging using Jetbrains + // "features": { + // "ghcr.io/devcontainers/features/sshd:1": { + // "version": "latest" + // } + // }, + "build": { + "context": "..", + "dockerfile": "Dockerfile", + "args": { + // To ensure that the group ID for the docker group in the container + // matches the group ID on the host, add this to your .bash_profile on the host + // export DOCKER_GROUP_ID=$(getent group docker | awk -F ":" '{ print $3 }') + "DOCKER_GROUP_ID": "${localEnv:DOCKER_GROUP_ID}", + "INTERACTIVE": "true" + } + }, + "runArgs": [ + "--network", + "host" + ], + "mounts": [ + // Keep command history + "type=volume,source=tre-bashhistory,target=/home/vscode/commandhistory", + // Mounts the login details from the host machine to azcli works in the container + "type=bind,source=${env:HOME}${env:USERPROFILE}/.azure,target=/home/vscode/.azure", + // Mount docker socket for docker builds + "type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock", + // Mounts the github cli login details from the host machine to the container (~/.config/gh/hosts.yml) + "type=bind,source=${env:HOME}${env:USERPROFILE}/.config,target=/home/vscode/.config", + ], + "remoteUser": "vscode", + "containerEnv": { + "DOCKER_BUILDKIT": "1" + }, + "remoteEnv": { + // this is used for SuperLinter + "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}" + }, + "customizations": { + "vscode": { + // Set *default* container specific settings.json values on container create. 
+ "settings": { + "terminal.integrated.defaultProfile.linux": "bash", + "python.pythonPath": "/usr/local/bin/python", + "python.linting.enabled": true, + "python.linting.pylintEnabled": false, + "python.linting.flake8Enabled": true, + "python.formatting.provider": "black", + "python.formatting.autopep8Path": "/usr/local/py-utils/bin/autopep8", + "python.formatting.blackPath": "/usr/local/py-utils/bin/black", + "python.formatting.yapfPath": "/usr/local/py-utils/bin/yapf", + "python.linting.banditPath": "/usr/local/py-utils/bin/bandit", + "python.linting.flake8Path": "/usr/local/py-utils/bin/flake8", + "python.linting.mypyPath": "/usr/local/py-utils/bin/mypy", + "python.linting.pycodestylePath": "/usr/local/py-utils/bin/pycodestyle", + "python.linting.pydocstylePath": "/usr/local/py-utils/bin/pydocstyle", + "python.linting.pylintPath": "/usr/local/py-utils/bin/pylint", + "python.testing.unittestEnabled": false, + "python.testing.pytestEnabled": true, + "python.testing.pytestArgs": [ + "--ignore=e2e_tests", + "-W ignore::DeprecationWarning" + ], + "python.testing.cwd": "${workspaceFolder}", + "files.associations": { + "*.terraform": "terraform" + }, + "launch": { + "configurations": [ + { + "name": "TRE API", + "type": "python", + "module": "uvicorn", + "request": "launch", + "args": [ + "main:app", + "--reload", + "--host", + "::", + "--port", + "8000" + ], + "jinja": true, + "justMyCode": false, + "console": "integratedTerminal", + "preLaunchTask": "Copy_env_file_for_api_debug", + "cwd": "${workspaceFolder}/api_app", + "envFile": "${workspaceFolder}/api_app/.env", + "env": { + "OTEL_RESOURCE_ATTRIBUTES": "service.name=api,service.instance.id=local_debug,service.version=dev" + } + }, + { + "name": "E2E Extended", + "type": "python", + "request": "launch", + "module": "pytest", + "justMyCode": true, + "cwd": "${workspaceFolder}/e2e_tests/", + "preLaunchTask": "Copy_env_file_for_e2e_debug", + "args": [ + "-m", + "extended", + "--verify", + "false" + ] + }, + { + 
"name": "E2E Extended Microsoft Entra ID", + "type": "python", + "request": "launch", + "module": "pytest", + "justMyCode": true, + "cwd": "${workspaceFolder}/e2e_tests/", + "preLaunchTask": "Copy_env_file_for_e2e_debug", + "args": [ + "-m", + "extended_aad", + "--verify", + "false" + ] + }, + { + "name": "E2E Shared Services", + "type": "python", + "request": "launch", + "module": "pytest", + "justMyCode": true, + "cwd": "${workspaceFolder}/e2e_tests/", + "preLaunchTask": "Copy_env_file_for_e2e_debug", + "args": [ + "-m", + "shared_services", + "--verify", + "false" + ] + }, + { + "name": "E2E Performance", + "type": "python", + "request": "launch", + "module": "pytest", + "justMyCode": true, + "cwd": "${workspaceFolder}/e2e_tests/", + "preLaunchTask": "Copy_env_file_for_e2e_debug", + "args": [ + "-m", + "performance", + "--verify", + "false" + ] + }, + { + "name": "E2E Smoke", + "type": "python", + "request": "launch", + "module": "pytest", + "justMyCode": true, + "cwd": "${workspaceFolder}/e2e_tests/", + "preLaunchTask": "Copy_env_file_for_e2e_debug", + "args": [ + "-m", + "smoke", + "--verify", + "false" + ] + }, + { + "name": "E2E Airlock", + "type": "python", + "request": "launch", + "module": "pytest", + "justMyCode": true, + "cwd": "${workspaceFolder}/e2e_tests/", + "preLaunchTask": "Copy_env_file_for_e2e_debug", + "args": [ + "-m", + "airlock", + "--verify", + "false" + ] + }, + { + "name": "Resource Processor", + "type": "python", + "request": "launch", + "program": "vmss_porter/runner.py", + "console": "integratedTerminal", + "preLaunchTask": "Install_resource_processor_dependencies", + "cwd": "${workspaceFolder}/resource_processor", + "envFile": "${workspaceFolder}/core/private.env", + "env": { + "PYTHONPATH": ".", + "OTEL_RESOURCE_ATTRIBUTES": "service.name=resource_processor,service.instance.id=local_debug,service.version=dev" + }, + "justMyCode": false + }, + { + "name": "Debug Python file", + "type": "python", + "request": "launch", + "program": 
"${file}", + "console": "integratedTerminal", + "purpose": [ + "debug-test" + ] + }, + { + "name": "Launch Edge (localhost)", + "type": "pwa-msedge", + "request": "launch", + "url": "http://localhost:3000", + "webRoot": "${workspaceFolder}/ui/app" + }, + { + "name": "Launch Chrome (localhost)", + "type": "pwa-chrome", + "request": "launch", + "url": "http://localhost:3000", + "webRoot": "${workspaceFolder}/ui/app" + } + ], + "compounds": [] + }, + "tasks": { + "version": "2.0.0", + "tasks": [ + { + "label": "Copy_env_file_for_api_debug", + "command": "./.devcontainer/scripts/consolidate_env.sh ${workspaceFolder} ${workspaceFolder}/api_app/.env", + "type": "shell" + }, + { + "label": "Copy_env_file_for_e2e_debug", + "command": "./.devcontainer/scripts/consolidate_env.sh ${workspaceFolder} ${workspaceFolder}/e2e_tests/.env", + "type": "shell" + }, + { + "label": "Install_resource_processor_dependencies", + "command": "pip install -r ./resource_processor/vmss_porter/requirements.txt", + "type": "shell" + }, + { + "label": "Unit_tests", + "group": { + "kind": "test", + "isDefault": true + }, + "command": "pytest", + "args": [ + "--ignore=e2e_tests" + ] + }, + { + "label": "Smoke_tests", + "group": "test", + "command": "python", + "options": { + "cwd": "${workspaceFolder}/e2e_tests/" + }, + "args": [ + "-m", + "pytest", + "-m", + "smoke" + ] + } + ] + } + }, + // Add the IDs of extensions you want installed when the container is created. + "extensions": [ + "ms-python.python", + "ms-python.pylance", + "hashicorp.terraform", + "github.vscode-pull-request-github", + "getporter.porter-vscode", + "davidanson.vscode-markdownlint", + "editorconfig.editorconfig", + "mikestead.dotenv", + "humao.rest-client", + "timonwong.shellcheck", + "ms-azuretools.vscode-azurefunctions" + ] + } + }, + "forwardPorts": [ + 8000 + ], + // Run commands after the container is created. + "postCreateCommand": "./.devcontainer/scripts/post-create.sh" +} 
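Review bot: The restored `mounts` entry `type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock` hands the host Docker daemon to everything that runs inside the container — the `postCreateCommand` script, the `Install_resource_processor_dependencies` task (`pip install -r …`) and the listed extensions — which is equivalent to root on the host, yet the file only says `Mount docker socket for docker builds`. Together with `--network host` and the bind mounts of `~/.azure` and `~/.config` (which the file itself notes holds the `gh` login in `hosts.yml`), a compromised package pulled in by one of those steps would have direct access to host credentials. Since this commit only reverts an accidental deletion I would not change the mounts here, but the comment should carry the caveat: `// Mount docker socket for docker builds — NOTE: this grants host-root-equivalent access to anything running in the container`. A follow-up could document why host networking and the credential mounts are required and whether narrower mounts (only the sub-paths actually needed) would suffice.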
From 41f9e61d63547316a9567b1c15c56a0dd1bccd92 Mon Sep 17 00:00:00 2001 
From: Wojciech Date: Fri, 22 Mar 2024 11:53:59 +0000 Subject: [PATCH 13/27] revert code changes --- .devcontainer/devcontainer.json | 2 +- .../devcontainer_run_command/action.yml | 4 ++-- .github/scripts/build.js | 4 ++-- .github/scripts/build.test.js | 2 +- Makefile | 8 ++++---- api_app/_version.py | 2 +- api_app/api/routes/workspaces.py | 2 +- api_app/models/schemas/workspace.py | 4 ++-- api_app/resources/strings.py | 2 +- api_app/schemas/azuread.json | 2 +- api_app/services/aad_authentication.py | 10 +++++----- api_app/services/authentication.py | 6 +++--- .../test_service_bus/test_substitutions.py | 2 +- cli/tre/commands/login.py | 6 +++--- config.sample.yaml | 4 ++-- config_schema.json | 6 +++--- core/terraform/variables.tf | 12 ++++++------ devops/scripts/aad/create_api_application.sh | 8 ++++---- .../aad/create_application_administrator.sh | 8 ++++---- .../aad/create_automation_administrator.sh | 4 ++-- .../aad/create_workspace_application.sh | 6 +++--- devops/scripts/aad/update_resource_access.sh | 2 +- devops/scripts/create_aad_assets.sh | 4 ++-- e2e_tests/conftest.py | 2 +- e2e_tests/helpers.py | 2 +- e2e_tests/test_workspace_services.py | 2 +- resource_processor/_version.py | 2 +- .../workspace_services/azureml/porter.yaml | 2 +- .../azureml/terraform/variables.tf | 6 +++--- .../aml_compute/template_schema.json | 4 ++-- .../databricks/template_schema.json | 12 ++++++------ .../gitea/template_schema.json | 18 +++++++++--------- .../guacamole/template_schema.json | 8 ++++---- .../guacamole/terraform/variables.tf | 2 +- .../health-services/porter.yaml | 2 +- .../health-services/template_schema.json | 12 ++++++------ .../health-services/terraform/variables.tf | 6 +++--- .../ohdsi/template_schema.json | 18 +++++++++--------- .../airlock-import-review/porter.yaml | 8 ++++---- .../airlock-import-review/template_schema.json | 12 ++++++------ templates/workspaces/base/porter.yaml | 8 ++++---- templates/workspaces/base/template_schema.json | 12 ++++++------ 
.../workspaces/base/terraform/keyvault.tf | 4 ++-- templates/workspaces/base/terraform/outputs.tf | 2 +- .../workspaces/base/terraform/variables.tf | 12 ++++++------ .../workspaces/base/update_redirect_urls.sh | 2 +- templates/workspaces/unrestricted/porter.yaml | 8 ++++---- .../unrestricted/template_schema.json | 12 ++++++------ 48 files changed, 144 insertions(+), 144 deletions(-)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 09ba1a76c4..9d49130458 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -109,7 +109,7 @@
 ]
 },
 {
- "name": "E2E Extended Microsoft Entra ID",
+ "name": "E2E Extended AAD",
 "type": "python",
 "request": "launch",
 "module": "pytest",
diff --git a/.github/actions/devcontainer_run_command/action.yml b/.github/actions/devcontainer_run_command/action.yml
index 37c7618057..f403c60083 100644
--- a/.github/actions/devcontainer_run_command/action.yml
+++ b/.github/actions/devcontainer_run_command/action.yml
@@ -65,10 +65,10 @@ inputs:
 description: "The API Client Secret."
 required: false
 APPLICATION_ADMIN_CLIENT_ID:
- description: "The Client ID of an identity that can manage the Microsoft Entra ID Applications."
+ description: "The Client ID of an identity that can manage the AAD Applications."
 required: false
 APPLICATION_ADMIN_CLIENT_SECRET:
- description: "The Client secret of an identity that can manage the Microsoft Entra ID Applications."
+ description: "The Client secret of an identity that can manage the AAD Applications."
 required: false
 ACR_NAME:
 description: "The Container Registry that holds our Research images."
diff --git a/.github/scripts/build.js b/.github/scripts/build.js
index 07c1106389..e6d17b8f84 100644
--- a/.github/scripts/build.js
+++ b/.github/scripts/build.js
@@ -97,7 +97,7 @@ async function getCommandFromComment({ core, context, github }) {
 case "/test-extended-aad": {
- const runTests = await handleTestCommand({ core, github }, parts, "extended Microsoft Entra ID tests", runId, { number: prNumber, authorUsername: prAuthorUsername, repoOwner, repoName, headSha: prHeadSha, refId: prRefId, details: pr }, { username: commentUsername, link: commentLink });
+ const runTests = await handleTestCommand({ core, github }, parts, "extended AAD tests", runId, { number: prNumber, authorUsername: prAuthorUsername, repoOwner, repoName, headSha: prHeadSha, refId: prRefId, details: pr }, { username: commentUsername, link: commentLink });
 if (runTests) {
 command = "run-tests-extended-aad";
 }
@@ -247,7 +247,7 @@ async function showHelp({ github }, repoOwner, repoName, prNumber, commentUser,
 You can use the following commands:
     /test - build, deploy and run smoke tests on a PR
     /test-extended - build, deploy and run smoke & extended tests on a PR
-    /test-extended-aad - build, deploy and run smoke & extended Microsoft Entra ID tests on a PR
+    /test-extended-aad - build, deploy and run smoke & extended AAD tests on a PR
     /test-shared-services - test the deployment of shared services on a PR build
     /test-force-approve - force approval of the PR tests (i.e. skip the deployment checks)
     /test-destroy-env - delete the validation environment for a PR (e.g. to enable testing a deployment from a clean start after previous tests)
diff --git a/.github/scripts/build.test.js b/.github/scripts/build.test.js
index bd0b07bf15..73a5b0d632 100644
--- a/.github/scripts/build.test.js
+++ b/.github/scripts/build.test.js
@@ -407,7 +407,7 @@ describe('getCommandFromComment', () => {
 owner: 'someOwner',
 repo: 'someRepo',
 issue_number: PR_NUMBER.UPSTREAM_NON_DOCS_CHANGES,
- bodyMatcher: /Running extended Microsoft Entra ID tests: https:\/\/github.com\/someOwner\/someRepo\/actions\/runs\/11112222 \(with refid `cbce50da`\)/,
+ bodyMatcher: /Running extended AAD tests: https:\/\/github.com\/someOwner\/someRepo\/actions\/runs\/11112222 \(with refid `cbce50da`\)/,
 });
 });
 });
diff --git a/Makefile b/Makefile
index 8b5ee8e137..f450e2a36f 100644
--- a/Makefile
+++ b/Makefile
@@ -334,8 +334,8 @@ test-e2e-extended: ## 🧪 Run E2E extended tests
 $(call target_title, "Running E2E extended tests") && \
 $(MAKE) test-e2e-custom SELECTOR=extended
-test-e2e-extended-aad: ## 🧪 Run E2E extended Microsoft Entra ID tests
- $(call target_title, "Running E2E extended Microsoft Entra ID tests") && \
+test-e2e-extended-aad: ## 🧪 Run E2E extended AAD tests
+ $(call target_title, "Running E2E extended AAD tests") && \
 $(MAKE) test-e2e-custom SELECTOR=extended_aad
 test-e2e-shared-services: ## 🧪 Run E2E shared service tests
@@ -362,8 +362,8 @@ setup-local-debugging: ## 🛠️ Setup local debugging
 && . ${MAKEFILE_DIR}/devops/scripts/load_env.sh ${MAKEFILE_DIR}/core/private.env \
 && . ${MAKEFILE_DIR}/devops/scripts/setup_local_debugging.sh
-auth: ## 🔐 Create the necessary Microsoft Entra ID assets
- $(call target_title,"Setting up Microsoft Entra ID") \
+auth: ## 🔐 Create the necessary Azure Active Directory assets
+ $(call target_title,"Setting up Azure Active Directory") \
 && . ${MAKEFILE_DIR}/devops/scripts/check_dependencies.sh nodocker,env \
 && ${MAKEFILE_DIR}/devops/scripts/create_aad_assets.sh
diff --git a/api_app/_version.py b/api_app/_version.py
index bcea63d014..391a39001a 100644
--- a/api_app/_version.py
+++ b/api_app/_version.py
@@ -1 +1 @@
-__version__ = "0.18.6"
+__version__ = "0.18.5"
diff --git a/api_app/api/routes/workspaces.py b/api_app/api/routes/workspaces.py
index 02b20fd786..018a21999c 100644
--- a/api_app/api/routes/workspaces.py
+++ b/api_app/api/routes/workspaces.py
@@ -99,7 +99,7 @@ async def retrieve_workspace_scope_id_by_workspace_id(workspace=Depends(get_work
 @workspaces_core_router.post("/workspaces", status_code=status.HTTP_202_ACCEPTED, response_model=OperationInResponse, name=strings.API_CREATE_WORKSPACE, dependencies=[Depends(get_current_admin_user)])
 async def create_workspace(workspace_create: WorkspaceInCreate, response: Response, user=Depends(get_current_admin_user), workspace_repo=Depends(get_repository(WorkspaceRepository)), resource_template_repo=Depends(get_repository(ResourceTemplateRepository)), operations_repo=Depends(get_repository(OperationRepository)), resource_history_repo=Depends(get_repository(ResourceHistoryRepository))) -> OperationInResponse:
 try:
- # TODO: This requires Directory.ReadAll ( Application.Read.All ) to be enabled in the Microsoft Entra ID application to enable a users workspaces to be listed. This should be made optional.
+ # TODO: This requires Directory.ReadAll ( Application.Read.All ) to be enabled in the Azure AD application to enable a users workspaces to be listed. This should be made optional.
 auth_info = extract_auth_information(workspace_create.properties)
 workspace, resource_template = await workspace_repo.create_workspace_item(workspace_create, auth_info, user.id, user.roles)
 except (ValidationError, ValueError) as e:
diff --git a/api_app/models/schemas/workspace.py b/api_app/models/schemas/workspace.py
index bb165a7fd7..424c82b46a 100644
--- a/api_app/models/schemas/workspace.py
+++ b/api_app/models/schemas/workspace.py
@@ -27,11 +27,11 @@ class AuthProvider(str, Enum):
 """
 Auth Provider
 """
- Microsoft Entra ID = "Microsoft Entra ID"
+ AAD = "AAD"
 class AuthenticationConfiguration(BaseModel):
- provider: AuthProvider = Field(AuthProvider.Microsoft Entra ID, title="Authentication Provider")
+ provider: AuthProvider = Field(AuthProvider.AAD, title="Authentication Provider")
 data: dict = Field({}, title="Authentication information")
diff --git a/api_app/resources/strings.py b/api_app/resources/strings.py
index 4f8bebf427..9c2d7ff4b4 100644
--- a/api_app/resources/strings.py
+++ b/api_app/resources/strings.py
@@ -99,7 +99,7 @@
 # Error strings
 ACCESS_APP_IS_MISSING_ROLE = "The App is missing role"
-ACCESS_PLEASE_SUPPLY_CLIENT_ID = "Please supply the client_id for the Microsoft Entra ID application"
+ACCESS_PLEASE_SUPPLY_CLIENT_ID = "Please supply the client_id for the AAD application"
 ACCESS_UNABLE_TO_GET_INFO_FOR_APP = "Unable to get app info for app:"
 ACCESS_UNABLE_TO_GET_ROLE_ASSIGNMENTS_FOR_USER = "Unable to get role assignments for user"
 ACCESS_UNABLE_TO_GET_ACCOUNT_TYPE = "Unable to look up account type"
diff --git a/api_app/schemas/azuread.json b/api_app/schemas/azuread.json
index ad96d2e370..8c4fa52189 100644
--- a/api_app/schemas/azuread.json
+++ b/api_app/schemas/azuread.json
@@ -2,7 +2,7 @@
 "$schema": "http://json-schema.org/draft-07/schema",
 "$id": "https://github.com/microsoft/AzureTRE/schema/azuread.json",
 "type": "object",
- "title": "Microsoft Entra ID Authorisation Schema",
+ "title": "Azure AD Authorisation Schema",
 "default": {},
 "required": [
 ],
diff --git a/api_app/services/aad_authentication.py b/api_app/services/aad_authentication.py
index 7ddedb4080..81dd486a8f 100644
--- a/api_app/services/aad_authentication.py
+++ b/api_app/services/aad_authentication.py
@@ -168,7 +168,7 @@ def _ensure_b64padding(key: str) -> str:
 def _get_token_key(self, key_id: str) -> str:
 """
- Rather tha use PyJWKClient.get_signing_key_from_jwt every time, we'll get all the keys from Microsoft Entra ID and cache them.
+ Rather tha use PyJWKClient.get_signing_key_from_jwt every time, we'll get all the keys from AAD and cache them.
 """
 if key_id not in AzureADAuthorization._jwt_keys:
 response = requests.get(f"{self.aad_instance}/{config.AAD_TENANT_ID}/v2.0/.well-known/openid-configuration")
@@ -203,7 +203,7 @@ def _get_msgraph_token() -> str:
 except Exception:
 result = None
 if not result:
- logger.debug('No suitable token exists in cache, getting a new one from Microsoft Entra ID')
+ logger.debug('No suitable token exists in cache, getting a new one from AAD')
 result = app.acquire_token_for_client(scopes=scopes)
 if "access_token" not in result:
 raise Exception(f"API app registration access token cannot be retrieved. {result.get('error')}: {result.get('error_description')}")
@@ -321,8 +321,8 @@ def _get_batch_users_by_role_assignments_body(self, roles_graph_data):
 return request_body
- # This method is called when you create a workspace and you already have an Microsoft Entra ID App Registration
- # to link it to. You pass in the client_id and go and get the extra information you need from Microsoft Entra ID
+ # This method is called when you create a workspace and you already have an AAD App Registration
+ # to link it to. You pass in the client_id and go and get the extra information you need from AAD
 # If the auth_type is `Automatic`, then these values will be written by Terraform.
 def _get_app_auth_info(self, client_id: str) -> dict:
 graph_data = self._get_app_sp_graph_data(client_id)
@@ -396,7 +396,7 @@ def extract_workspace_auth_information(self, data: dict) -> dict: raise AuthConfigValidationError(strings.ACCESS_PLEASE_SUPPLY_CLIENT_ID) auth_info = {} - # The user may want us to create the Microsoft Entra ID workspace app and therefore they + # The user may want us to create the AAD workspace app and therefore they # don't know the client_id yet. if data["auth_type"] != "Automatic": auth_info = self._get_app_auth_info(data["client_id"]) diff --git a/api_app/services/authentication.py b/api_app/services/authentication.py index 38006cf81b..30b49af194 100644 --- a/api_app/services/authentication.py +++ b/api_app/services/authentication.py @@ -8,15 +8,15 @@ def extract_auth_information(workspace_creation_properties: dict) -> dict: - access_service = get_access_service('Microsoft Entra ID') + access_service = get_access_service('AAD') try: return access_service.extract_workspace_auth_information(workspace_creation_properties) except AuthConfigValidationError as e: raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(e)) -def get_access_service(provider: str = AuthProvider.Microsoft Entra ID) -> AccessService: - if provider == AuthProvider.Microsoft Entra ID: +def get_access_service(provider: str = AuthProvider.AAD) -> AccessService: + if provider == AuthProvider.AAD: return AzureADAuthorization() raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=strings.INVALID_AUTH_PROVIDER) diff --git a/api_app/tests_ma/test_service_bus/test_substitutions.py b/api_app/tests_ma/test_service_bus/test_substitutions.py index 0449cb4c5e..f8f81ca318 100644 --- a/api_app/tests_ma/test_service_bus/test_substitutions.py +++ b/api_app/tests_ma/test_service_bus/test_substitutions.py 
@@ -242,7 +242,7 @@ def test_substitution_list_strings(primary_resource, resource_to_update): "rules": [ { "name": "AllowAzureAD", - "description": "Microsoft Entra ID access for authNZ", + "description": "AAD access for authNZ", "source_addresses": "", "destination_addresses": ["AzureActiveDirectory"], "destination_ports": ["*", "{{resource.id}}"], diff --git a/cli/tre/commands/login.py b/cli/tre/commands/login.py index 10337be056..1d8313a6b1 100644 --- a/cli/tre/commands/login.py +++ b/cli/tre/commands/login.py @@ -43,10 +43,10 @@ def login(): + 'https://..cloudapp.azure.com/') @click.option('--client-id', required=False, - help='The Client ID of the Microsoft Entra ID application for the API (optional for API versions >= v0.5.7)') + help='The Client ID of the Azure AD application for the API (optional for API versions >= v0.5.7)') @click.option('--aad-tenant-id', required=False, - help='The Tenant ID for the Microsoft Entra ID tenant to authenticate with (optional for API versions >= v0.5.7)') + help='The Tenant ID for the AAD tenant to authenticate with (optional for API versions >= v0.5.7)') @click.option('--api-scope', required=False, help='The API scope for the base API (optional for API versions >= v0.5.7)') @@ -173,7 +173,7 @@ def login_device_code(base_url: str, client_id: str, aad_tenant_id: str, api_sco @click.option( "--aad-tenant-id", required=False, - help="The Tenant ID for the Microsoft Entra ID tenant to authenticate with (optional for API versions >= v0.5.7)", + help="The Tenant ID for the AAD tenant to authenticate with (optional for API versions >= v0.5.7)", ) @click.option("--api-scope", required=False, help="The API scope for the base API (optional for API versions >= v0.5.7)") @click.option( diff --git a/config.sample.yaml b/config.sample.yaml index db7d8df3a5..e4c2f2d789 100644 --- a/config.sample.yaml +++ b/config.sample.yaml 
@@ -48,8 +48,8 @@ authentication: # create an identity with `Application.ReadWrite.OwnedBy`. # Setting AUTO_WORKSPACE_APP_REGISTRATION to true will: # create an identity with `Application.ReadWrite.All` and `Directory.Read.All`. - # When this is true, create Workspaces will also create an Microsoft Entra ID Application automatically. - # When this is false, the Microsoft Entra ID Application will need creating manually. + # When this is true, create Workspaces will also create an AAD Application automatically. + # When this is false, the AAD Application will need creating manually. auto_workspace_app_registration: true # Setting AUTO_WORKSPACE_GROUP_CREATION to true will create an identity with `Group.ReadWrite.All` auto_workspace_group_creation: false diff --git a/config_schema.json b/config_schema.json index 246af780bf..0d2a781578 100644 --- a/config_schema.json +++ b/config_schema.json @@ -98,7 +98,7 @@ "pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$" }, "auto_workspace_app_registration": { - "description": "This identity is used to manage other Microsoft Entra ID applications that it owns. Read more about it here: docs/tre-admins/auth.md", + "description": "This identity is used to manage other AAD applications that it owns. Read more about it here: docs/tre-admins/auth.md", "type": "boolean" }, "auto_workspace_group_creation": { 
@@ -121,12 +121,12 @@ "pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$" }, "application_admin_client_id": { - "description": "This client will administer Microsoft Entra ID Applications for TRE.", + "description": "This client will administer AAD Applications for TRE.", "type": "string", "pattern": "^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$" }, "application_admin_client_secret": { - "description": "Secret to client which will administer Microsoft Entra ID Applications for TRE", + "description": "Secret to client which will administer AAD Applications for TRE", "type": "string", "minLength": 11 }, diff --git a/core/terraform/variables.tf b/core/terraform/variables.tf index 538764aab6..39702b98fb 100644 --- a/core/terraform/variables.tf +++ b/core/terraform/variables.tf 
@@ -78,37 +78,37 @@ variable "enable_swagger" { variable "swagger_ui_client_id" { type = string - description = "The client id (app id) of the registration in Microsoft Entra ID for the Swagger UI" + description = "The client id (app id) of the registration in Azure AD for the Swagger UI" sensitive = true } variable "aad_tenant_id" { type = string - description = "The tenant id of the Microsoft Entra ID used for authentication." + description = "The tenant id of the Azure AD used for authentication." sensitive = true } variable "api_client_id" { type = string - description = "The client id (app id) of the registration in Microsoft Entra ID for the API." + description = "The client id (app id) of the registration in Azure AD for the API." sensitive = true } variable "api_client_secret" { type = string - description = "A client secret used by the API to authenticate with Microsoft Entra ID for access to Microsoft Graph." + description = "A client secret used by the API to authenticate with Azure AD for access to Microsoft Graph." sensitive = true } variable "application_admin_client_id" { type = string - description = "The client id (app id) of the registration in Microsoft Entra ID for creating Microsoft Entra ID Applications." + description = "The client id (app id) of the registration in Azure AD for creating AAD Applications." sensitive = true } variable "application_admin_client_secret" { type = string - description = "A client secret used by the Resource Processor to authenticate with Microsoft Entra ID to create Microsoft Entra ID Applications." + description = "A client secret used by the Resource Processor to authenticate with Azure AD to create AAD Applications." sensitive = true } diff --git a/devops/scripts/aad/create_api_application.sh b/devops/scripts/aad/create_api_application.sh index 694dc6f439..bfc18ebb27 100755 --- a/devops/scripts/aad/create_api_application.sh +++ b/devops/scripts/aad/create_api_application.sh 
@@ -10,8 +10,8 @@ function show_usage() cat << USAGE Utility script for creating app registrations required by Azure TRE. This script will create the API and Client -Applications. The Client Application is the public facing app, whereas the API is an internal Microsoft Entra ID Application. -You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra ID to run this script. +Applications. The Client Application is the public facing app, whereas the API is an internal AAD Application. +You must be logged in using Azure CLI with sufficient privileges to modify Azure Active Directory to run this script. Usage: $0 -n [-r ] [-a] [-s] [--automation-account] @@ -19,7 +19,7 @@ Options: -n,--name Required. The prefix for the app (registration) names e.g., "TRE", or "Workspace One". -u,--tre-url TRE URL, used to construct auth redirection URLs for the UI and Swagger app. -a,--admin-consent Optional, but recommended. Grants admin consent for the app registrations, when this flag is set. - Requires directory admin privileges to the Microsoft Entra ID in question. + Requires directory admin privileges to the Azure AD in question. -t,--automation-clientid Optional, when --workspace is specified the client ID of the automation account can be added to the TRE workspace. -r,--reset-password Optional, switch to automatically reset the password. Default 0 @@ -102,7 +102,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show- msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0" tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id') -echo -e "\e[96mCreating the API/UX Application in the \"${tenant}\" Microsoft Entra ID tenant.\e[0m" +echo -e "\e[96mCreating the API/UX Application in the \"${tenant}\" Azure AD tenant.\e[0m" # Load in helper functions # shellcheck disable=SC1091 
diff --git a/devops/scripts/aad/create_application_administrator.sh b/devops/scripts/aad/create_application_administrator.sh index bf5eefc096..671f2823af 100755 --- a/devops/scripts/aad/create_application_administrator.sh +++ b/devops/scripts/aad/create_application_administrator.sh @@ -9,16 +9,16 @@ function show_usage() cat << USAGE Utility script for creating an application administrator for TRE. This is mandatory and is used -to manage Microsoft Entra ID Application creation within TRE. This script is called when you run "make auth" and +to manage AAD Application creation within TRE. This script is called when you run "make auth" and the environment variable AUTO_WORKSPACE_APP_REGISTRATION determines the permission this identity has. -You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra ID to run this script. +You must be logged in using Azure CLI with sufficient privileges to modify Azure Active Directory to run this script. Usage: $0 --name "MYTRE" --application-permission "Application.ReadWrite.OwnedBy" [--admin-consent] Options: -n,--name Required. The prefix for the app (registration) names e.g., "TRE". -a,--admin-consent Optional, but recommended. Grants admin consent for the app registrations, when this flag is set. - Requires directory admin privileges to the Microsoft Entra ID in question. + Requires directory admin privileges to the Azure AD in question. -p,--application-permission The API Permission that this identity will be granted. -r,--reset-password Optional, switch to automatically reset the password. Default 0 
@@ -85,7 +85,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show- msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0" tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id') -echo -e "\e[96mCreating the Application Admin in the \"${tenant}\" Microsoft Entra ID tenant.\e[0m" +echo -e "\e[96mCreating the Application Admin in the \"${tenant}\" Azure AD tenant.\e[0m" # Load in helper functions # shellcheck disable=SC1091 diff --git a/devops/scripts/aad/create_automation_administrator.sh b/devops/scripts/aad/create_automation_administrator.sh index 6fc4a8b878..2b02171b9c 100755 --- a/devops/scripts/aad/create_automation_administrator.sh +++ b/devops/scripts/aad/create_automation_administrator.sh @@ -10,7 +10,7 @@ function show_usage() Utility script for creating an automation administrator for TRE. This is optional and is used when you want to run the E2E tests locally or automatically register bundles in the TRE. -You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra ID to run this script. +You must be logged in using Azure CLI with sufficient privileges to modify Azure Active Directory to run this script. Usage: $0 --name "mytre" [--admin-consent] @@ -70,7 +70,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show- msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0" tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id') -echo -e "\e[96mCreating the Automation Admin in the \"${tenant}\" Microsoft Entra ID tenant.\e[0m" +echo -e "\e[96mCreating the Automation Admin in the \"${tenant}\" Azure AD tenant.\e[0m" # Load in helper functions # shellcheck disable=SC1091 
diff --git a/devops/scripts/aad/create_workspace_application.sh b/devops/scripts/aad/create_workspace_application.sh index 59191cfd60..2495731240 100755 --- a/devops/scripts/aad/create_workspace_application.sh +++ b/devops/scripts/aad/create_workspace_application.sh @@ -10,7 +10,7 @@ function show_usage() Utility script for creating a workspace TRE. You would typically have one of these per workspace for a security boundary. -You must be logged in using Azure CLI with sufficient privileges to modify Microsoft Entra ID to run this script. +You must be logged in using Azure CLI with sufficient privileges to modify Azure Active Directory to run this script. Usage: $0 [--admin-consent] @@ -20,7 +20,7 @@ Options: -y,--application-admin-clientid Required. The client ID of the Application Administrator that will be able to update this application. e.g. updating a redirect URI. -a,--admin-consent Optional, but recommended. Grants admin consent for the app registrations, when this flag is set. - Requires directory admin privileges to the Microsoft Entra ID in question. + Requires directory admin privileges to the Azure AD in question. -z,--automation-clientid Optional, the client ID of the automation account can be added to the TRE workspace. -r,--reset-password Optional, switch to automatically reset the password. Default 0 @@ -103,7 +103,7 @@ currentUserId=$(az ad signed-in-user show --query 'id' --output tsv --only-show- msGraphUri="$(az cloud show --query endpoints.microsoftGraphResourceId --output tsv)/v1.0" tenant=$(az rest -m get -u "${msGraphUri}/domains" -o json | jq -r '.value[] | select(.isDefault == true) | .id') -echo -e "\e[96mCreating a Workspace Application in the \"${tenant}\" Microsoft Entra ID tenant.\e[0m" +echo -e "\e[96mCreating a Workspace Application in the \"${tenant}\" Azure AD tenant.\e[0m" # Load in helper functions # shellcheck disable=SC1091 
diff --git a/devops/scripts/aad/update_resource_access.sh b/devops/scripts/aad/update_resource_access.sh index 4aaedbae27..e0db1a3685 100755 --- a/devops/scripts/aad/update_resource_access.sh +++ b/devops/scripts/aad/update_resource_access.sh @@ -4,7 +4,7 @@ # Utility function that retrieves all of the 'requiredResourceAccess' from an application, # it then removes any access for a given `resourceAppId`, merges in a new element into the -# array and then posts it back to Microsoft Entra ID. +# array and then posts it back to AAD. function update_resource_access() { local msGraphUri=$1 diff --git a/devops/scripts/create_aad_assets.sh b/devops/scripts/create_aad_assets.sh index 9e1b4e8930..d034e1be40 100755 --- a/devops/scripts/create_aad_assets.sh +++ b/devops/scripts/create_aad_assets.sh @@ -12,9 +12,9 @@ CHANGED_TENANT=0 LOGGED_IN_TENANT_ID=$(az account show --query tenantId -o tsv) if [ "${LOGGED_IN_TENANT_ID}" != "${AAD_TENANT_ID}" ]; then - echo "Attempting to sign you onto ${AAD_TENANT_ID} to setup Microsoft Entra ID assets." + echo "Attempting to sign you onto ${AAD_TENANT_ID} to setup Azure Active Directory assets." - # First we need to login to the Microsoft Entra ID tenant (as it is different to the subscription tenant) + # First we need to login to the AAD tenant (as it is different to the subscription tenant) az login --tenant "${AAD_TENANT_ID}" --allow-no-subscriptions --use-device-code CHANGED_TENANT=1 fi diff --git a/e2e_tests/conftest.py b/e2e_tests/conftest.py index 8849f8ee52..7195a14588 100644 --- a/e2e_tests/conftest.py +++ b/e2e_tests/conftest.py @@ -53,7 +53,7 @@ async def create_or_get_test_workspace( payload = { "templateName": template_name, "properties": { - "display_name": f"E2E {description} workspace ({auth_type} Microsoft Entra ID)", + "display_name": f"E2E {description} workspace ({auth_type} AAD)", "description": f"{template_name} test workspace for E2E tests", "auth_type": auth_type, "address_space_size": "small" 
diff --git a/e2e_tests/helpers.py b/e2e_tests/helpers.py index 79e70ae6db..307fb88933 100644 --- a/e2e_tests/helpers.py +++ b/e2e_tests/helpers.py @@ -72,7 +72,7 @@ async def get_shared_service_by_name(template_name: str, verify, token) -> Optio async def check_aad_auth_redirect(endpoint, verify) -> None: - LOGGER.info(f"Checking Microsoft Entra ID AuthN redirect on: {endpoint}") + LOGGER.info(f"Checking AAD AuthN redirect on: {endpoint}") terminal_http_status = [status.HTTP_200_OK, status.HTTP_401_UNAUTHORIZED, diff --git a/e2e_tests/test_workspace_services.py b/e2e_tests/test_workspace_services.py index 8dc98786f0..31ac5a0b14 100644 --- a/e2e_tests/test_workspace_services.py +++ b/e2e_tests/test_workspace_services.py @@ -39,7 +39,7 @@ async def test_create_guacamole_service_into_base_workspace(setup_test_workspace @pytest.mark.extended_aad @pytest.mark.timeout(75 * 60) async def test_create_guacamole_service_into_aad_workspace(setup_test_aad_workspace, verify) -> None: - """This test will create a Guacamole service but will create a workspace and automatically register the Microsoft Entra ID Application""" + """This test will create a Guacamole service but will create a workspace and automatically register the AAD Application""" workspace_path, workspace_id = setup_test_aad_workspace workspace_owner_token = await get_workspace_owner_token(workspace_id, verify) diff --git a/resource_processor/_version.py b/resource_processor/_version.py index af46754d38..fa3ddd8c5a 100644 --- a/resource_processor/_version.py +++ b/resource_processor/_version.py @@ -1 +1 @@ -__version__ = "0.8.5" +__version__ = "0.8.4" diff --git a/templates/workspace_services/azureml/porter.yaml b/templates/workspace_services/azureml/porter.yaml index 60a0ea79f9..1d4b45d7b8 100644 --- a/templates/workspace_services/azureml/porter.yaml +++ b/templates/workspace_services/azureml/porter.yaml 
@@ -7,7 +7,7 @@ registry: azuretre dockerfile: Dockerfile.tmpl credentials: - # Credentials for interacting with the Microsoft Entra ID Auth tenant + # Credentials for interacting with the AAD Auth tenant - name: auth_client_id env: AUTH_CLIENT_ID - name: auth_client_secret diff --git a/templates/workspace_services/azureml/terraform/variables.tf b/templates/workspace_services/azureml/terraform/variables.tf index 2b40065a28..a47b5588ff 100644 --- a/templates/workspace_services/azureml/terraform/variables.tf +++ b/templates/workspace_services/azureml/terraform/variables.tf @@ -24,16 +24,16 @@ variable "arm_tenant_id" { } variable "auth_tenant_id" { type = string - description = "Used to authenticate into the Microsoft Entra ID Tenant to get app role members" + description = "Used to authenticate into the AAD Tenant to get app role members" } variable "auth_client_id" { type = string - description = "Used to authenticate into the Microsoft Entra ID Tenant to get app role members" + description = "Used to authenticate into the AAD Tenant to get app role members" } variable "auth_client_secret" { type = string sensitive = true - description = "Used to authenticate into the Microsoft Entra ID Tenant to get app role members" + description = "Used to authenticate into the AAD Tenant to get app role members" } variable "arm_environment" { diff --git a/templates/workspace_services/azureml/user_resources/aml_compute/template_schema.json b/templates/workspace_services/azureml/user_resources/aml_compute/template_schema.json index bf4cf3c414..044dfa5ee1 100644 --- a/templates/workspace_services/azureml/user_resources/aml_compute/template_schema.json +++ b/templates/workspace_services/azureml/user_resources/aml_compute/template_schema.json 
@@ -41,8 +41,8 @@ }, "user_object_id": { "type": "string", - "title": "Microsoft Entra ID User Object ID", - "description": "The Microsoft Entra ID user object ID of User who will be using the compute instance", + "title": "Azure Active Directory User Object ID", + "description": "The Azure Active Directory user object ID of User who will be using the compute instance", "default": "", "minLength": 1 } diff --git a/templates/workspace_services/databricks/template_schema.json b/templates/workspace_services/databricks/template_schema.json index 9afa5f7f4c..6d559d111a 100644 --- a/templates/workspace_services/databricks/template_schema.json +++ b/templates/workspace_services/databricks/template_schema.json @@ -112,7 +112,7 @@ }, { "name": "AzureAD", - "description": "Microsoft Entra ID access", + "description": "AAD access", "source_addresses": "{{ resource.properties.workspace_address_spaces }}", "destination_addresses": ["AzureActiveDirectory"], "destination_ports": ["*"], @@ -169,8 +169,8 @@ ] }, { - "name": "Microsoft Entra ID CDN", - "description": "Microsoft Entra ID CDN", + "name": "AAD CDN", + "description": "AAD CDN", "source_addresses": "{{ resource.properties.workspace_address_spaces }}", "target_fqdns": [ "aadcdn.msftauth.net" @@ -253,7 +253,7 @@ }, { "name": "AzureAD", - "description": "Microsoft Entra ID access", + "description": "AAD access", "source_addresses": "{{ resource.properties.workspace_address_spaces }}", "destination_addresses": ["AzureActiveDirectory"], "destination_ports": ["*"], @@ -310,8 +310,8 @@ ] }, { - "name": "Microsoft Entra ID CDN", - "description": "Microsoft Entra ID CDN", + "name": "AAD CDN", + "description": "AAD CDN", "source_addresses": "{{ resource.properties.workspace_address_spaces }}", "target_fqdns": [ "aadcdn.msftauth.net" diff --git a/templates/workspace_services/gitea/template_schema.json b/templates/workspace_services/gitea/template_schema.json index 15719b7f70..d9f10c1d8d 100644 
--- a/templates/workspace_services/gitea/template_schema.json +++ b/templates/workspace_services/gitea/template_schema.json @@ -48,7 +48,7 @@ }, { "stepId": "12ba0dad-ea6c-4d0d-9255-d316212f5ffa", - "stepTitle": "Add Gitea URI as Microsoft Entra ID redirect URI", + "stepTitle": "Add Gitea URI as AAD redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ @@ -82,7 +82,7 @@ "rules": [ { "name": "AzureAD", - "description": "Microsoft Entra ID access", + "description": "AAD access", "source_addresses": "{{ resource.properties.workspace_address_space }}", "destination_addresses": ["AzureActiveDirectory"], "destination_ports": ["*"], @@ -101,8 +101,8 @@ "action": "Allow", "rules": [ { - "name": "Microsoft Entra ID CDN", - "description": "Microsoft Entra ID CDN", + "name": "AAD CDN", + "description": "AAD CDN", "source_addresses": "{{ resource.properties.workspace_address_space }}", "target_fqdns": [ "aadcdn.msftauth.net" @@ -142,7 +142,7 @@ "rules": [ { "name": "AzureAD", - "description": "Microsoft Entra ID access for authNZ", + "description": "AAD access for authNZ", "source_addresses": "{{ resource.properties.workspace_address_space }}", "destination_addresses": ["AzureActiveDirectory"], "destination_ports": ["*"], @@ -161,8 +161,8 @@ "action": "Allow", "rules": [ { - "name": "Microsoft Entra ID CDN", - "description": "Microsoft Entra ID CDN", + "name": "AAD CDN", + "description": "AAD CDN", "source_addresses": "{{ resource.properties.workspace_address_space }}", "target_fqdns": [ "aadcdn.msftauth.net" @@ -181,7 +181,7 @@ }, { "stepId": "741c7ff2-eff5-47b2-bf62-2b410d65c96b", - "stepTitle": "Add Gitea URI as Microsoft Entra ID redirect URI", + "stepTitle": "Add Gitea URI as AAD redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ 
@@ -201,7 +201,7 @@ "uninstall": [ { "stepId": "9a1d6b95-26c8-4165-8890-573dd4e2b45c", - "stepTitle": "Update Gitea URI to Microsoft Entra ID redirect URI", + "stepTitle": "Update Gitea URI to AAD redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ diff --git a/templates/workspace_services/guacamole/template_schema.json b/templates/workspace_services/guacamole/template_schema.json index 6708ad0735..e0f052bd08 100644 --- a/templates/workspace_services/guacamole/template_schema.json +++ b/templates/workspace_services/guacamole/template_schema.json @@ -79,7 +79,7 @@ }, { "stepId": "12ba0dad-ea6c-4d0d-9255-d316212f5ffa", - "stepTitle": "Add Guacamole URI as Microsoft Entra ID redirect URI", + "stepTitle": "Add Guacamole URI as AAD redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ @@ -113,7 +113,7 @@ "rules": [ { "name": "AzureAD", - "description": "Microsoft Entra ID access for authNZ", + "description": "AAD access for authNZ", "source_addresses": "{{ resource.properties.web_apps_addresses }}", "destination_addresses": [ "AzureActiveDirectory" @@ -137,7 +137,7 @@ }, { "stepId": "741c7ff2-eff5-47b2-bf62-2b410d65c96b", - "stepTitle": "Update Guacamole URI in Microsoft Entra ID", + "stepTitle": "Update Guacamole URI in AAD", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ @@ -175,7 +175,7 @@ }, { "stepId": "9a1d6b95-26c8-4165-8010-573dd4e2b45c", - "stepTitle": "Update guacamole URI to Microsoft Entra ID redirect URI", + "stepTitle": "Update guacamole URI to AAD redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ diff --git a/templates/workspace_services/guacamole/terraform/variables.tf b/templates/workspace_services/guacamole/terraform/variables.tf index 71d22c2881..26fcbb2f05 100644 --- a/templates/workspace_services/guacamole/terraform/variables.tf +++ b/templates/workspace_services/guacamole/terraform/variables.tf 
@@ -4,7 +4,7 @@ variable "workspace_id" { } variable "aad_authority_url" { type = string - description = "The Microsoft Entra ID authority URL" + description = "The Azure AD authority URL" } variable "tre_id" { type = string diff --git a/templates/workspace_services/health-services/porter.yaml b/templates/workspace_services/health-services/porter.yaml index 2f2339c1aa..6667359afa 100644 --- a/templates/workspace_services/health-services/porter.yaml +++ b/templates/workspace_services/health-services/porter.yaml @@ -7,7 +7,7 @@ registry: azuretre dockerfile: Dockerfile.tmpl credentials: - # Credentials for interacting with the Microsoft Entra ID Auth tenant + # Credentials for interacting with the AAD Auth tenant - name: auth_client_id env: AUTH_CLIENT_ID - name: auth_client_secret diff --git a/templates/workspace_services/health-services/template_schema.json b/templates/workspace_services/health-services/template_schema.json index 5610a98b7d..290b8e5b4c 100644 --- a/templates/workspace_services/health-services/template_schema.json +++ b/templates/workspace_services/health-services/template_schema.json @@ -88,7 +88,7 @@ "rules": [ { "name": "AzureAD", - "description": "Microsoft Entra ID access", + "description": "AAD access", "source_addresses": "{{ resource.properties.workspace_address_space }}", "destination_addresses": ["AzureActiveDirectory"], "destination_ports": ["*"], @@ -107,8 +107,8 @@ "action": "Allow", "rules": [ { - "name": "Microsoft Entra ID CDN", - "description": "Microsoft Entra ID CDN", + "name": "AAD CDN", + "description": "AAD CDN", "source_addresses": "{{ resource.properties.workspace_address_space }}", "target_fqdns": [ "aadcdn.msftauth.net" @@ -148,7 +148,7 @@ "rules": [ { "name": "AzureAD", - "description": "Microsoft Entra ID access for authNZ", + "description": "AAD access for authNZ", "source_addresses": "{{ resource.properties.workspace_address_space }}", "destination_addresses": ["AzureActiveDirectory"], "destination_ports": ["*"], 
@@ -167,8 +167,8 @@ "action": "Allow", "rules": [ { - "name": "Microsoft Entra ID CDN", - "description": "Microsoft Entra ID CDN", + "name": "AAD CDN", + "description": "AAD CDN", "source_addresses": "{{ resource.properties.workspace_address_space }}", "target_fqdns": [ "aadcdn.msftauth.net" diff --git a/templates/workspace_services/health-services/terraform/variables.tf b/templates/workspace_services/health-services/terraform/variables.tf index e5b7419597..72547d6a74 100644 --- a/templates/workspace_services/health-services/terraform/variables.tf +++ b/templates/workspace_services/health-services/terraform/variables.tf @@ -35,17 +35,17 @@ variable "deploy_dicom" { variable "auth_tenant_id" { type = string - description = "Used to authenticate into the Microsoft Entra ID Tenant to get app role members" + description = "Used to authenticate into the AAD Tenant to get app role members" } variable "auth_client_id" { type = string - description = "Used to authenticate into the Microsoft Entra ID Tenant to get app role members" + description = "Used to authenticate into the AAD Tenant to get app role members" } variable "auth_client_secret" { type = string - description = "Used to authenticate into the Microsoft Entra ID Tenant to get app role members" + description = "Used to authenticate into the AAD Tenant to get app role members" } variable "arm_environment" { diff --git a/templates/workspace_services/ohdsi/template_schema.json b/templates/workspace_services/ohdsi/template_schema.json index c6a1c131ec..1fa56948ba 100644 --- a/templates/workspace_services/ohdsi/template_schema.json +++ b/templates/workspace_services/ohdsi/template_schema.json @@ -160,7 +160,7 @@ }, { "stepId": "7276dcc1-7d0e-496a-badf-87c8c25fc06e", - "stepTitle": "Add Atlas callback URI as Microsoft Entra ID redirect URI", + "stepTitle": "Add Atlas callback URI as AAD redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ 
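Review bot: In the health-services/terraform/variables.tf hunk, `auth_client_secret` is declared with `type = string` and a description but no `sensitive = true`, so Terraform will echo the client secret in plain text in `plan`/`apply` output and in any CI logs that capture it. The sibling declaration in templates/workspace_services/azureml/terraform/variables.tf earlier in this patch does set `sensitive = true`, so this looks like an omission rather than a deliberate choice. Add `sensitive = true` inside the `auth_client_secret` block, next to `type = string`; the description rename itself is fine.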
@@ -178,7 +178,7 @@ }, { "stepId": "37d7fbde-fd61-4096-ac4d-741960474995", - "stepTitle": "Add firewall rules for Microsoft Entra ID", + "stepTitle": "Add firewall rules for AAD", "resourceTemplateName": "tre-shared-service-firewall", "resourceType": "shared-service", "resourceAction": "upgrade", @@ -194,7 +194,7 @@ "rules": [ { "name": "AzureAD", - "description": "Allow access to Microsoft Entra ID", + "description": "Allow access to AAD", "source_addresses": "{{ resource.parent.properties.address_spaces }}", "destination_addresses": [ "AzureActiveDirectory" @@ -220,7 +220,7 @@ "rules": [ { "name": "microsoft-aad", - "description": "Allow Microsoft Entra ID FQDNs", + "description": "Allow AAD FQDNs", "source_addresses": "{{ resource.parent.properties.address_spaces }}", "target_fqdns": [ "*.msftauth.net", @@ -262,7 +262,7 @@ }, { "stepId": "0d3961fd-1538-4b0e-a6ed-bf401b65c034", - "stepTitle": "Upgrade Atlas callback URI as Microsoft Entra ID redirect URI", + "stepTitle": "Upgrade Atlas callback URI as AAD redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ @@ -280,7 +280,7 @@ }, { "stepId": "3329d760-3e09-4721-8722-f369b123ca77", - "stepTitle": "Add firewall rules for Microsoft Entra ID", + "stepTitle": "Add firewall rules for AAD", "resourceTemplateName": "tre-shared-service-firewall", "resourceType": "shared-service", "resourceAction": "upgrade", @@ -296,7 +296,7 @@ "rules": [ { "name": "AzureAD", - "description": "Allow access to Microsoft Entra ID", + "description": "Allow access to AAD", "source_addresses": "{{ resource.parent.properties.address_spaces }}", "destination_addresses": [ "AzureActiveDirectory" @@ -322,7 +322,7 @@ "rules": [ { "name": "microsoft-aad", - "description": "Allow Microsoft Entra ID FQDNs", + "description": "Allow AAD FQDNs", "source_addresses": "{{ resource.parent.properties.address_spaces }}", "target_fqdns": [ "*.msftauth.net", 
@@ -354,7 +354,7 @@ "uninstall": [ { "stepId": "e1986fe8-b1f9-4a9d-abb1-da1ea9a50b41", - "stepTitle": "Remove Atlas callback URI as Microsoft Entra ID redirect URI", + "stepTitle": "Remove Atlas callback URI as AAD redirect URI", "resourceType": "workspace", "resourceAction": "upgrade", "properties": [ diff --git a/templates/workspaces/airlock-import-review/porter.yaml b/templates/workspaces/airlock-import-review/porter.yaml index fe231cc81e..5943388107 100644 --- a/templates/workspaces/airlock-import-review/porter.yaml +++ b/templates/workspaces/airlock-import-review/porter.yaml @@ -7,7 +7,7 @@ dockerfile: Dockerfile.tmpl registry: azuretre credentials: - # Credentials for interacting with the Microsoft Entra ID Auth tenant + # Credentials for interacting with the AAD Auth tenant - name: auth_client_id env: AUTH_CLIENT_ID - name: auth_client_secret @@ -64,11 +64,11 @@ parameters: - name: register_aad_application type: boolean default: false - description: "Whether this bundle should register the workspace in Microsoft Entra ID" + description: "Whether this bundle should register the workspace in AAD" - name: create_aad_groups type: boolean default: false - description: "Whether this bundle should create Microsoft Entra ID groups for the workspace app roles" + description: "Whether this bundle should create AAD groups for the workspace app roles" - name: workspace_owner_object_id type: string description: "The object id of the user that will be granted WorkspaceOwner after it is created." @@ -237,7 +237,7 @@ upgrade: flags: name: ${ bundle.parameters.azure_environment } - az: - description: "Microsoft Entra ID Application Admin Login" + description: "AAD Application Admin Login" arguments: - login flags: diff --git a/templates/workspaces/airlock-import-review/template_schema.json b/templates/workspaces/airlock-import-review/template_schema.json index 19c125201f..e05a0d87e7 100644 --- a/templates/workspaces/airlock-import-review/template_schema.json 
+++ b/templates/workspaces/airlock-import-review/template_schema.json @@ -94,13 +94,13 @@ "client_id": { "type": "string", "title": "Application (Client) ID", - "description": "The Microsoft Entra ID Application Registration ID for the workspace.", + "description": "The AAD Application Registration ID for the workspace.", "updateable": true }, "client_secret": { "type": "string", "title": "Application (Client) Secret", - "description": "The Microsoft Entra ID Application Registration secret for the workspace. This value will be stored in the Workspace Key Vault.", + "description": "The AAD Application Registration secret for the workspace. This value will be stored in the Workspace Key Vault.", "sensitive": true, "updateable": true } @@ -113,15 +113,15 @@ "properties": { "create_aad_groups": { "type": "boolean", - "title": "Create Microsoft Entra ID Groups for each workspace role", - "description": "Create Microsoft Entra ID Groups for the workspace roles. If this is set to true, the workspace will create new Microsoft Entra ID Groups.", + "title": "Create AAD Groups for each workspace role", + "description": "Create AAD Groups for the workspace roles. If this is set to true, the workspace will create new AAD Groups.", "default": false, "updateable": true }, "aad_redirect_uris": { "type": "array", - "title": "Microsoft Entra ID Redirect URIs", - "description": "Redirect URIs for the Microsoft Entra ID app in Automatic Auth mode", + "title": "AAD Redirect URIs", + "description": "Redirect URIs for the AAD app in Automatic Auth mode", "updateable": true, "items": { "title": "items", diff --git a/templates/workspaces/base/porter.yaml b/templates/workspaces/base/porter.yaml index c184a162d4..f7a1802477 100644 --- a/templates/workspaces/base/porter.yaml +++ b/templates/workspaces/base/porter.yaml 
@@ -7,7 +7,7 @@ dockerfile: Dockerfile.tmpl registry: azuretre credentials: - # Credentials for interacting with the Microsoft Entra ID Auth tenant + # Credentials for interacting with the AAD Auth tenant - name: auth_client_id env: AUTH_CLIENT_ID - name: auth_client_secret @@ -63,11 +63,11 @@ parameters: - name: register_aad_application type: boolean default: false - description: "Whether this bundle should register the workspace in Microsoft Entra ID" + description: "Whether this bundle should register the workspace in AAD" - name: create_aad_groups type: boolean default: false - description: "Whether this bundle should create Microsoft Entra ID groups for the workspace app roles" + description: "Whether this bundle should create AAD groups for the workspace app roles" - name: workspace_owner_object_id type: string description: "The object id of the user that will be granted WorkspaceOwner after it is created." @@ -243,7 +243,7 @@ upgrade: flags: name: ${ bundle.parameters.azure_environment } - az: - description: "Microsoft Entra ID Application Admin Login" + description: "AAD Application Admin Login" arguments: - login flags: diff --git a/templates/workspaces/base/template_schema.json b/templates/workspaces/base/template_schema.json index 4295fe6316..3d6cdf0e16 100644 --- a/templates/workspaces/base/template_schema.json +++ b/templates/workspaces/base/template_schema.json 
@@ -208,13 +208,13 @@ "client_id": { "type": "string", "title": "Application (Client) ID", - "description": "The Microsoft Entra ID Application Registration ID for the workspace.", + "description": "The AAD Application Registration ID for the workspace.", "updateable": true }, "client_secret": { "type": "string", "title": "Application (Client) Secret", - "description": "The Microsoft Entra ID Application Registration secret for the workspace. This value will be stored in the Workspace Key Vault.", + "description": "The AAD Application Registration secret for the workspace. This value will be stored in the Workspace Key Vault.", "sensitive": true, "updateable": true } @@ -227,15 +227,15 @@ "properties": { "create_aad_groups": { "type": "boolean", - "title": "Create Microsoft Entra ID Groups for each workspace role", - "description": "Create Microsoft Entra ID Groups for the workspace roles. If this is set to true, the workspace will create new Microsoft Entra ID Groups.", + "title": "Create AAD Groups for each workspace role", + "description": "Create AAD Groups for the workspace roles. If this is set to true, the workspace will create new AAD Groups.", "default": false, "updateable": true }, "aad_redirect_uris": { "type": "array", - "title": "Microsoft Entra ID Redirect URIs", - "description": "Redirect URIs for the Microsoft Entra ID app in Automatic Auth mode", + "title": "AAD Redirect URIs", + "description": "Redirect URIs for the AAD app in Automatic Auth mode", "updateable": true, "items": { "title": "items", diff --git a/templates/workspaces/base/terraform/keyvault.tf b/templates/workspaces/base/terraform/keyvault.tf index 1fa6c06701..acfe387cd4 100644 --- a/templates/workspaces/base/terraform/keyvault.tf +++ b/templates/workspaces/base/terraform/keyvault.tf 
@@ -113,7 +113,7 @@ resource "azurerm_key_vault_secret" "aad_tenant_id" { } # This secret only gets written if Terraform is not responsible for -# registering the Microsoft Entra ID Application +# registering the AAD Application resource "azurerm_key_vault_secret" "client_id" { name = "workspace-client-id" value = var.client_id @@ -136,7 +136,7 @@ data "azurerm_key_vault_secret" "client_secret" { } # This secret only gets written if Terraform is not responsible for -# registering the Microsoft Entra ID Application +# registering the AAD Application resource "azurerm_key_vault_secret" "client_secret" { name = "workspace-client-secret" value = var.client_secret == local.redacted_senstive_value ? data.azurerm_key_vault_secret.client_secret[0].value : var.client_secret diff --git a/templates/workspaces/base/terraform/outputs.tf b/templates/workspaces/base/terraform/outputs.tf index 19290e0e1b..40fa8dcd69 100644 --- a/templates/workspaces/base/terraform/outputs.tf +++ b/templates/workspaces/base/terraform/outputs.tf @@ -2,7 +2,7 @@ output "workspace_resource_name_suffix" { value = local.workspace_resource_name_suffix } -# The following outputs are dependent on an Automatic Microsoft Entra ID Workspace Application Registration. +# The following outputs are dependent on an Automatic AAD Workspace Application Registration. # If we are not creating an App Reg we simple pass back the same values that were already created # This is necessary so that we don't delete workspace properties output "app_role_id_workspace_owner" { diff --git a/templates/workspaces/base/terraform/variables.tf b/templates/workspaces/base/terraform/variables.tf index 25853797bf..567d468ede 100644 --- a/templates/workspaces/base/terraform/variables.tf +++ b/templates/workspaces/base/terraform/variables.tf 
@@ -44,13 +44,13 @@ variable "enable_local_debugging" { variable "register_aad_application" { type = bool default = false - description = "Create an Microsoft Entra ID application automatically for the Workspace." + description = "Create an AAD application automatically for the Workspace." } variable "create_aad_groups" { type = bool default = false - description = "Create Microsoft Entra ID groups automatically for the Workspace Application Roles." + description = "Create AAD groups automatically for the Workspace Application Roles." } variable "enable_airlock" { @@ -65,18 +65,18 @@ variable "aad_redirect_uris_b64" { variable "auth_tenant_id" { type = string - description = "Used to authenticate into the Microsoft Entra ID Tenant to create the Microsoft Entra ID App" + description = "Used to authenticate into the AAD Tenant to create the AAD App" } variable "auth_client_id" { type = string - description = "Used to authenticate into the Microsoft Entra ID Tenant to create the Microsoft Entra ID App" + description = "Used to authenticate into the AAD Tenant to create the AAD App" } variable "auth_client_secret" { type = string - description = "Used to authenticate into the Microsoft Entra ID Tenant to create the Microsoft Entra ID App" + description = "Used to authenticate into the AAD Tenant to create the AAD App" } -# These variables are only passed in if you are not registering an Microsoft Entra ID +# These variables are only passed in if you are not registering an AAD # application as they need passing back out variable "app_role_id_workspace_owner" { type = string diff --git a/templates/workspaces/base/update_redirect_urls.sh b/templates/workspaces/base/update_redirect_urls.sh index a4470ee5ba..109d62b501 100755 --- a/templates/workspaces/base/update_redirect_urls.sh +++ b/templates/workspaces/base/update_redirect_urls.sh 
@@ -9,7 +9,7 @@ function usage() { cat < Date: Mon, 25 Mar 2024 16:41:20 +0000 Subject: [PATCH 14/27] remove double names --- docs/tre-admins/auth.md | 2 +- docs/tre-admins/setup-instructions/prerequisites.md | 2 +- docs/using-tre/local-development/local-development.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md index 739854dc46..0bb8d5d5f2 100644 --- a/docs/tre-admins/auth.md +++ b/docs/tre-admins/auth.md @@ -1,6 +1,6 @@ # Introduction to Authentication and Authorization -[Microsoft Entra ID (Microsoft Entra ID)](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. Microsoft Entra ID holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role. +[Microsoft Entra ID](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. Microsoft Entra ID holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role. It is common that the Azure Administrator is not necessarily the Microsoft Entra ID Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually. diff --git a/docs/tre-admins/setup-instructions/prerequisites.md b/docs/tre-admins/setup-instructions/prerequisites.md index 2fc10eb8ab..fc6737bee9 100644 --- a/docs/tre-admins/setup-instructions/prerequisites.md +++ b/docs/tre-admins/setup-instructions/prerequisites.md 
@@ -3,7 +3,7 @@ To deploy an Azure TRE instance, the following assets and tools are required: * [Azure subscription](https://azure.microsoft.com) -* [Microsoft Entra ID (Microsoft Entra ID)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations +* [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations * Git client such as [Git](https://git-scm.com/) or [GitHub Desktop](https://desktop.github.com/) * [Docker Desktop](https://www.docker.com/products/docker-desktop) diff --git a/docs/using-tre/local-development/local-development.md b/docs/using-tre/local-development/local-development.md index 7ff597257d..9071d72150 100644 --- a/docs/using-tre/local-development/local-development.md +++ b/docs/using-tre/local-development/local-development.md @@ -9,7 +9,7 @@ This guide will cover how to setup local development environment to add custom t To deploy an Azure TRE instance, the following assets and tools are required: * [Azure subscription](https://azure.microsoft.com) -* [Microsoft Entra ID (Microsoft Entra ID)](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations +* [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations * Git client such as [Git](https://git-scm.com/) or [GitHub Desktop](https://desktop.github.com/) * [Docker Desktop](https://www.docker.com/products/docker-desktop) From e4255a87f44b2b5cbb6768a5289b1898c9e99182 Mon Sep 17 00:00:00 2001 From: Wojciech Date: Mon, 25 Mar 2024 17:24:38 +0000 Subject: [PATCH 15/27] update version --- core/version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/core/version.txt b/core/version.txt
index f5b77301f5..a25765c3e1 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.9.7"
+__version__ = "0.9.8"

From 90bccc3b3bc69152a961649391c2d84c3cbfc048 Mon Sep 17 00:00:00 2001
From: Wojciech
Date: Mon, 25 Mar 2024 20:38:28 +0000
Subject: [PATCH 16/27] go back version

---
 core/version.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/version.txt b/core/version.txt
index a25765c3e1..f5b77301f5 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.9.8"
+__version__ = "0.9.7"

From a59b06b5a681e710d4cfdac875f30f5fafe75810 Mon Sep 17 00:00:00 2001
From: Wojciech
Date: Tue, 26 Mar 2024 09:13:16 +0000
Subject: [PATCH 17/27] api update version

---
 api_app/_version.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api_app/_version.py b/api_app/_version.py
index 391a39001a..bcea63d014 100644
--- a/api_app/_version.py
+++ b/api_app/_version.py
@@ -1 +1 @@
-__version__ = "0.18.5"
+__version__ = "0.18.6"

From f4ec8abaaf637cc3ded664ed5383a4ee1c9260e5 Mon Sep 17 00:00:00 2001
From: Wojciech
Date: Tue, 26 Mar 2024 09:25:49 +0000
Subject: [PATCH 18/27] revert for linting

---
 docs/tre-admins/auth.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md
index 0bb8d5d5f2..3da1addf81 100644
--- a/docs/tre-admins/auth.md
+++ b/docs/tre-admins/auth.md
@@ -14,8 +14,8 @@ The automation utilises a `make` command, which reads a few environment variable |TRE_ID|This is used to build up the name of the identities| |AAD_TENANT_ID|The tenant id of where your Microsoft Entra ID identities will be placed. This can be different to the tenant where your Azure resources are created.| | LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application. -|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md). -|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). +|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other AAD applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md). +|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. 
This identity can then create security groups aligned to each applciation role. Active Directory licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). ## Create Authentication assets You can build all of the Identity assets by running the following at the command line From 24661baa34cab5c8b9e225648516fc86fc6bf6a5 Mon Sep 17 00:00:00 2001 From: Wojciech Date: Tue, 26 Mar 2024 09:30:43 +0000 Subject: [PATCH 19/27] revert test linting --- docs/tre-admins/auth.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md index 3da1addf81..0bb8d5d5f2 100644 --- a/docs/tre-admins/auth.md +++ b/docs/tre-admins/auth.md 
@@ -14,8 +14,8 @@ The automation utilises a `make` command, which reads a few environment variable |TRE_ID|This is used to build up the name of the identities| |AAD_TENANT_ID|The tenant id of where your Microsoft Entra ID identities will be placed. This can be different to the tenant where your Azure resources are created.| | LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application. -|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other AAD applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md). -|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Active Directory licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). +|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md). +|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. 
This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). ## Create Authentication assets You can build all of the Identity assets by running the following at the command line From 637e6c67e886f2b7faa2fadd48426c27afaf196c Mon Sep 17 00:00:00 2001 From: Wojciech Date: Wed, 3 Apr 2024 10:09:49 +0100 Subject: [PATCH 20/27] fix linting --- docs/tre-admins/auth.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md index 0bb8d5d5f2..5917b5d4ac 100644 --- a/docs/tre-admins/auth.md +++ b/docs/tre-admins/auth.md 
@@ -1,8 +1,13 @@ # Introduction to Authentication and Authorization -[Microsoft Entra ID](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. Microsoft Entra ID holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role. - -It is common that the Azure Administrator is not necessarily the Microsoft Entra ID Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually. +[Microsoft Entra ID](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) +is the backbone of Authentication and Authorization in the Trusted Research Environment. +Microsoft Entra ID holds the identities of all the TRE/workspace users, including administrators, +and connects the identities with applications which define the permissions for each user role. + +It is common that the Azure Administrator is not necessarily the Microsoft Entra ID Administrator. +Due to this, this step may have to be carried out by a different individual/team. We have automated +this into a simple command, but should you wish, you can run these steps manually. This page describes the automated Auth setup for TRE. From 8900c92cb87125e6856b7053add89c335e301268 Mon Sep 17 00:00:00 2001 From: Wojciech Date: Wed, 3 Apr 2024 10:21:11 +0100 Subject: [PATCH 21/27] roll back linting --- docs/tre-admins/auth.md | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md index 5917b5d4ac..0bb8d5d5f2 100644 --- a/docs/tre-admins/auth.md +++ b/docs/tre-admins/auth.md 
@@ -1,13 +1,8 @@ # Introduction to Authentication and Authorization -[Microsoft Entra ID](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) -is the backbone of Authentication and Authorization in the Trusted Research Environment. -Microsoft Entra ID holds the identities of all the TRE/workspace users, including administrators, -and connects the identities with applications which define the permissions for each user role. - -It is common that the Azure Administrator is not necessarily the Microsoft Entra ID Administrator. -Due to this, this step may have to be carried out by a different individual/team. We have automated -this into a simple command, but should you wish, you can run these steps manually. +[Microsoft Entra ID](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. Microsoft Entra ID holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role. + +It is common that the Azure Administrator is not necessarily the Microsoft Entra ID Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually. This page describes the automated Auth setup for TRE. From 90492598bae2f9d1a99be212e065c5dde7c61bab Mon Sep 17 00:00:00 2001 From: Wojciech Date: Wed, 3 Apr 2024 12:12:09 +0100 Subject: [PATCH 22/27] increase line length --- .markdownlint.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.markdownlint.json b/.markdownlint.json index 3ffa116956..92eb65400f 100644 --- a/.markdownlint.json +++ b/.markdownlint.json @@ -4,7 +4,7 @@ "indent": 2 }, "MD013": { - "line_length": 400 + "line_length": 450 }, "MD026": { "punctuation": ".,;:!。,;:" 
From 1c1f3ba9a1d3caa5ac661977fec4a00208c3176e Mon Sep 17 00:00:00 2001 From: Wojciech Date: Wed, 3 Apr 2024 13:12:27 +0000 Subject: [PATCH 23/27] fix linting --- .markdownlint.json | 2 +- docs/tre-admins/auth.md | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.markdownlint.json b/.markdownlint.json index 92eb65400f..3ffa116956 100644 --- a/.markdownlint.json +++ b/.markdownlint.json @@ -4,7 +4,7 @@ "indent": 2 }, "MD013": { - "line_length": 450 + "line_length": 400 }, "MD026": { "punctuation": ".,;:!。,;:" diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md index 0bb8d5d5f2..f015f703fb 100644 --- a/docs/tre-admins/auth.md +++ b/docs/tre-admins/auth.md 
@@ -13,9 +13,9 @@ The automation utilises a `make` command, which reads a few environment variable | ----------- | ----------- | |TRE_ID|This is used to build up the name of the identities| |AAD_TENANT_ID|The tenant id of where your Microsoft Entra ID identities will be placed. This can be different to the tenant where your Azure resources are created.| -| LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application. -|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md). -|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles). +| LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application.| +|AUTO_WORKSPACE_APP_REGISTRATION| Default of false. Setting this to true grants the Application.ReadWrite.All and Directory.Read.All permission to the Application Admin identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have Application.ReadWrite.OwnedBy. 
Further information can be found [here](./identities/application_admin.md).| +|AUTO_WORKSPACE_GROUP_CREATION| Default of false. Setting this to true grants the Group.ReadWrite.All permission to the Application Admin identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).| ## Create Authentication assets You can build all of the Identity assets by running the following at the command line @@ -60,7 +60,7 @@ App registrations (represented by service principals) define the various access | ----------- | ----------- | | TRE API application | This is the main application and used to secure access to the [TRE API](../tre-developers/api.md). | | TRE UX | This is the client application that will authenticate to the TRE/Workspace APIs. | -| Application Admin | There are times when workspace services need to update the Microsoft Entra ID Application. For example, Guacamole needs to add a redirect URI to the Workspace Microsoft Entra ID Application. This identity is used to manage Microsoft Entra ID Applications. +| Application Admin | There are times when workspace services need to update the Microsoft Entra ID Application. For example, Guacamole needs to add a redirect URI to the Workspace Microsoft Entra ID Application. This identity is used to manage Microsoft Entra ID Applications. | | Automation App | This application is created so that you can run the tests or any CI/CD capability without the need to divulge a user password. This is particularly important if your tenant is MFA enabled. | | Workspace API | Typically you would have an application securing one or more workspaces that are created by TRE. | From 3c7b80e388529a9ec3d705c7de9bd900a74d320d Mon Sep 17 00:00:00 2001 
From: Wojciech
Date: Wed, 3 Apr 2024 14:17:31 +0100
Subject: [PATCH 24/27] fix formatting

---
 docs/tre-admins/auth.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md
index f015f703fb..8e763742c7 100644
--- a/docs/tre-admins/auth.md
+++ b/docs/tre-admins/auth.md
@@ -14,8 +14,8 @@ The automation utilises a `make` command, which reads a few environment variable
 |TRE_ID|This is used to build up the name of the identities|
 |AAD_TENANT_ID|The tenant id of where your Microsoft Entra ID identities will be placed. This can be different to the tenant where your Azure resources are created.|
 | LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application.|
-|AUTO_WORKSPACE_APP_REGISTRATION| Default of false. Setting this to true grants the Application.ReadWrite.All and Directory.Read.All permission to the Application Admin identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have Application.ReadWrite.OwnedBy. Further information can be found [here](./identities/application_admin.md).|
-|AUTO_WORKSPACE_GROUP_CREATION| Default of false. Setting this to true grants the Group.ReadWrite.All permission to the Application Admin identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).|
+|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have Application.ReadWrite.OwnedBy. Further information can be found [here](./identities/application_admin.md).|
+|AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. 
This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).|
 ## Create Authentication assets
 You can build all of the Identity assets by running the following at the command line
From a493670b6171617b152297ced3a0886ada47bca1 Mon Sep 17 00:00:00 2001
From: Wojciech
Date: Wed, 3 Apr 2024 15:29:15 +0100
Subject: [PATCH 25/27] fix lintin 3
---
 docs/tre-admins/auth.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md
index 8e763742c7..b0a3d8668d 100644
--- a/docs/tre-admins/auth.md
+++ b/docs/tre-admins/auth.md
@@ -14,7 +14,7 @@ The automation utilises a `make` command, which reads a few environment variable
 |TRE_ID|This is used to build up the name of the identities|
 |AAD_TENANT_ID|The tenant id of where your Microsoft Entra ID identities will be placed. This can be different to the tenant where your Azure resources are created.|
 | LOCATION | Where your Azure assets will be provisioned (eg. westeurope). This is used to add a redirect URI from the Swagger UI to the API Application.|
-|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have Application.ReadWrite.OwnedBy. Further information can be found [here](./identities/application_admin.md).|
+|AUTO_WORKSPACE_APP_REGISTRATION| Default of `false`. Setting this to true grants the `Application.ReadWrite.All` and `Directory.Read.All` permission to the *Application Admin* identity. This identity is used to manage other Microsoft Entra ID applications that it owns, e.g. Workspaces. If you do not set this, the identity will have `Application.ReadWrite.OwnedBy`. Further information can be found [here](./identities/application_admin.md).|
 |AUTO_WORKSPACE_GROUP_CREATION| Default of `false`. Setting this to true grants the `Group.ReadWrite.All` permission to the *Application Admin* identity. This identity can then create security groups aligned to each applciation role. Microsoft Entra ID licencing implications need to be considered as Group assignment is a [premium feature](https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles#roles-using-azure-ad-app-roles).|
 ## Create Authentication assets
From ba93552de8eefb20de2f55aca86fc43f8cd1f19a Mon Sep 17 00:00:00 2001
From: tim-allen-ck
Date: Thu, 11 Apr 2024 09:39:30 +0100
Subject: [PATCH 26/27] update urls
---
 docs/tre-admins/auth.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/tre-admins/auth.md b/docs/tre-admins/auth.md
index b0a3d8668d..3cff5e5a90 100644
--- a/docs/tre-admins/auth.md
+++ b/docs/tre-admins/auth.md
@@ -1,6 +1,6 @@
 # Introduction to Authentication and Authorization
-[Microsoft Entra ID](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. Microsoft Entra ID holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role.
+[Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/whatis) is the backbone of Authentication and Authorization in the Trusted Research Environment. Microsoft Entra ID holds the identities of all the TRE/workspace users, including administrators, and connects the identities with applications which define the permissions for each user role.
 It is common that the Azure Administrator is not necessarily the Microsoft Entra ID Administrator. Due to this, this step may have to be carried out by a different individual/team. We have automated this into a simple command, but should you wish, you can run these steps manually.
@@ -47,7 +47,7 @@ The contents of your authentication section in `config.yaml` file should contain
 For production deployments, work with your Microsoft Entra ID administrator to perform the required registration
 1. Create an Microsoft Entra ID tenant
- To create a new Microsoft Entra ID tenant, [follow the steps here](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant)
+ To create a new Microsoft Entra ID tenant, [follow the steps here](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-create-new-tenant)
 1. Follow the steps outlined above. `make auth` should logon to the correct tenant. Make sure you logon back to the correct tenant before running `make all`.
@@ -64,9 +64,9 @@ App registrations (represented by service principals) define the various access
 | Automation App | This application is created so that you can run the tests or any CI/CD capability without the need to divulge a user password. This is particularly important if your tenant is MFA enabled. |
 | Workspace API | Typically you would have an application securing one or more workspaces that are created by TRE. |
-Some of the applications require **admin consent** to allow them to validate users against the Microsoft Entra ID. Check the Microsoft Docs on [Configure the admin consent workflow](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) on how to request admin consent and handle admin consent requests.
+Some of the applications require **admin consent** to allow them to validate users against the Microsoft Entra ID. Check the Microsoft Docs on [Configure the admin consent workflow](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow) on how to request admin consent and handle admin consent requests.
-We strongly recommend that you use `make auth` to create the Microsoft Entra ID assets as this has been tested extensively. Should you wish to create these manually via the [Azure Portal](https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app); more information can be found [here](./identities/auth-manual.md).
+We strongly recommend that you use `make auth` to create the Microsoft Entra ID assets as this has been tested extensively. Should you wish to create these manually via the [Azure Portal](https://learn.microsoft.com/en-gb/entra/identity-platform/quickstart-register-app); more information can be found [here](./identities/auth-manual.md).
 ### Enabling users
From 80d829b6a7532ad0992dbc375c9f45f66b82849d Mon Sep 17 00:00:00 2001
From: tim-allen-ck
Date: Thu, 11 Apr 2024 09:46:08 +0100
Subject: [PATCH 27/27] update aad urls
---
 docs/azure-tre-overview/tre-resources-breakdown.md | 8 ++++----
 docs/tre-admins/setup-instructions/ad-tenant-choices.md | 2 +-
 docs/tre-admins/setup-instructions/prerequisites.md | 2 +-
 .../authoring-workspace-templates.md | 4 ++--
 docs/using-tre/local-development/local-development.md | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/docs/azure-tre-overview/tre-resources-breakdown.md b/docs/azure-tre-overview/tre-resources-breakdown.md
index cb2272a6bb..b4f6a329e9 100644
--- a/docs/azure-tre-overview/tre-resources-breakdown.md
+++ b/docs/azure-tre-overview/tre-resources-breakdown.md
@@ -36,10 +36,10 @@ Once an Azure TRE has been [provisioned](../../tre-admins/setup-instructions/pre
 | fw-dsk-{TRE_ID} | Azure Firewall | [Azure TRE Firewall](../networking) restricts external outbound traffic from all TRE resources | [Azure Firewall](https://docs.microsoft.com/en-us/azure/firewall/overview)
 | kv-{TRE_ID} | Azure Key Vault | Management of TRE secrets & certificates | [Azure Key Vault](https://docs.microsoft.com/en-us/azure/key-vault/general/overview)
 | log-{TRE_ID} | Log Analytics Workspace | Azure Monitor Logs store for all TRE resources | [Log Analytics](https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-platform-logs#log-analytics-workspaces)
-| id-agw-{TRE_ID} | Managed Identity | User-managed identity for TRE Application Gateway | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
-| id-api-{TRE_ID} | Managed Identity | User-managed identity for TRE API App Service | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
-| id-gitea-{TRE_ID} | Managed Identity | User-managed identity for TRE Gitea App Service | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
-| id-vmss-{TRE_ID} | Managed Identity | User-managed identity for TRE Resource Processer (VMSS) | [Managed Identities](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
+| id-agw-{TRE_ID} | Managed Identity | User-managed identity for TRE Application Gateway | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
+| id-api-{TRE_ID} | Managed Identity | User-managed identity for TRE API App Service | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
+| id-gitea-{TRE_ID} | Managed Identity | 
User-managed identity for TRE Gitea App Service | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
+| id-vmss-{TRE_ID} | Managed Identity | User-managed identity for TRE Resource Processer (VMSS) | [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
 | sb-{TRE_ID} | Service Bus Namespace | Messaging for TRE API | [Service Bus](https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-messaging-overview)
 | stappinsights{TRE_ID} | Storage Account | Storage for TRE Application Insights telemetry logs | [Storage Blobs](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-overview)
 | stg{TRE_ID} | Storage Account | Files shares for TRE services such as Gitea, Nexus | [Storage Files](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction)
diff --git a/docs/tre-admins/setup-instructions/ad-tenant-choices.md b/docs/tre-admins/setup-instructions/ad-tenant-choices.md
index 96a7a43486..94b600a08b 100644
--- a/docs/tre-admins/setup-instructions/ad-tenant-choices.md
+++ b/docs/tre-admins/setup-instructions/ad-tenant-choices.md
@@ -16,7 +16,7 @@ It is possible to use your corporate tenant for TRE. This does have the advantag
 ## Create Dedicated Microsoft Entra ID Tenant
-Follow [this guide](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to create new dedicated tenant.
+Follow [this guide](https://learn.microsoft.com/en-us/entra/fundamentals/create-new-tenant) to create new dedicated tenant.
 ## Next steps
diff --git a/docs/tre-admins/setup-instructions/prerequisites.md b/docs/tre-admins/setup-instructions/prerequisites.md
index fc6737bee9..78b6dbd47e 100644
--- a/docs/tre-admins/setup-instructions/prerequisites.md
+++ b/docs/tre-admins/setup-instructions/prerequisites.md
@@ -3,7 +3,7 @@ To deploy an Azure TRE instance, the following assets and tools are required:
 * [Azure subscription](https://azure.microsoft.com)
-* [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations
+* [Microsoft Entra ID](https://learn.microsoft.com/en-gb/entra/fundamentals/whatis) tenant in which you can create application registrations
 * Git client such as [Git](https://git-scm.com/) or [GitHub Desktop](https://desktop.github.com/)
 * [Docker Desktop](https://www.docker.com/products/docker-desktop)
diff --git a/docs/tre-workspace-authors/authoring-workspace-templates.md b/docs/tre-workspace-authors/authoring-workspace-templates.md
index d40105515f..76aa356cbd 100644
--- a/docs/tre-workspace-authors/authoring-workspace-templates.md
+++ b/docs/tre-workspace-authors/authoring-workspace-templates.md
@@ -27,9 +27,9 @@ The manifest of a workspace bundle is the `porter.yaml` file (see [Author Bundle
 A workspace bundle requires the following [credentials](https://porter.sh/author-bundles/#credentials) to provision resources in Azure:
-* [Azure tenant ID](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-to-find-tenant)
+* [Azure tenant ID](https://learn.microsoft.com/en-us/entra/fundamentals/how-to-find-tenant)
 * Azure subscription ID
-* The client ID of a [service principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) with privileges to provision resources
+* The client ID of a [service principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) with privileges to provision resources
 * The client secret (password) of a service principal
 The credentials are provided as environment variables by the deployment runner. The bundle author must use the following environment variable names:
diff --git a/docs/using-tre/local-development/local-development.md b/docs/using-tre/local-development/local-development.md
index 9071d72150..4db16e676b 100644
--- a/docs/using-tre/local-development/local-development.md
+++ b/docs/using-tre/local-development/local-development.md
@@ -9,7 +9,7 @@ This guide will cover how to setup local development environment to add custom t
 To deploy an Azure TRE instance, the following assets and tools are required:
 * [Azure subscription](https://azure.microsoft.com)
-* [Microsoft Entra ID](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) tenant in which you can create application registrations
+* [Microsoft Entra ID](https://learn.microsoft.com/en-gb/entra/fundamentals/whatis) tenant in which you can create application registrations
 * Git client such as [Git](https://git-scm.com/) or [GitHub Desktop](https://desktop.github.com/)
 * [Docker Desktop](https://www.docker.com/products/docker-desktop)