Release notes - IBM Security Verify Governance Adapter v 10.0.12 for Microsoft Azure AD

IBM Security Verify Governance Adapter v 10.0.12 for Microsoft Azure Active Directory is available. Compatibility, installation, and other getting-started issues are addressed.

Copyright International Business Machines Corporation 2022, 2023. All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

 Contents

 Preface

Welcome to the IBM Security Verify Governance Adapter for Microsoft Azure AD.

 

Adapter Features and Purpose

 

The Microsoft Azure AD Adapter creates and manages user accounts in a Microsoft Azure AD tenant. The adapter runs in "agentless" mode and communicates with the managed Azure AD tenant through the Microsoft Graph API.

 

The IBM Security Verify Governance Adapters are powerful tools that require administrator-level authority. Adapters operate much like a human system administrator, creating accounts, permissions, and home directories. Operations requested from the IBM Security Verify Identity server, IBM Security Verify Privilege Vault, or IBM Security Verify Governance server fail if the adapter is not given sufficient authority to perform the requested task.

 

License Agreement

Review and agree to the terms of the IBM Security Verify Governance Adapter License prior to using this product. The license can be viewed from the "license" folder included in the product package.

Contents of this Release

Adapter Version

  Build Date:       2024 April 19 18.46.41
  Adapter Version:  10.0.12

Component Versions

  Adapter build:  10.0.12.66
  Profile:        10.0.12.66
  Connector:      10.0.12.66
  Dispatcher:     7.1.39 or higher (packaged separately)

Documentation

The following guides will be made available in the IBM Knowledge Center:

- Microsoft Azure Active Directory Adapter Installation and Configuration Guide

New Features

Internal # | Enhancement # (RFE / IDEA) | Description

Items included in 10.0.12 current release

SVGAD-1726 | ADAPT-149 | Certify the adapter for use with IBM Security Verify Directory Integrator version 10.0.0.

SVGAD-2030 | ISIM-I-5036 | Azure Adapter should support custom and inactive roles.

SVGAD-2089 | - | Properties file update for additional attributes. The additional attributes of the Azure adapter must be listed under the additionalAttributes key, as shown below:

additionalAttributes=createdDateTime,ageGroup,businessPhones,companyName,consentProvidedForMinor,creationType,employeeHireDate,employeeId,employeeType,legalAgeGroupClassification,lastPasswordChangeDateTime,onPremisesDistinguishedName,onPremisesDomainName,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,onPremisesSyncEnabled,onPremisesUserPrincipalName,passwordPolicies,preferredDataLocation,proxyAddresses,securityIdentifier,signInSessionsValidFromDateTime,imAddresses,provisionedPlans,licenseAssignmentStates,assignedPlans,onPremisesProvisioningErrors,deletedDateTime,signInActivity,division,costCenter,refreshTokensValidFromDateTime,employeeLeaveDateTime,employeeOrgData,manager,manager_FULLSUPPORT

Properties file location updated to: <SDI_Solution_Directory>\properties\AzureAD-Attributes.properties

Items included in 10.0.11 release

SVGAD-117 | ADAPT-104 / ADAPT-I-167 | ISVG Azure AD Adapter - Roles as entitlements/permissions.

SVGAD-207, SVGAD-1023 | ADAPT-104 / IGI-I-524, ISIM-I-5016 | ISVG Azure AD Adapter - Additional attributes provisioning; Manager attribute.

SVGAD-1024 | IDEA ADAPT-137 | The adapter now lets the user choose which groups to sync:
  1) (Default) Only Azure Active Directory groups.
  2) Groups from both Azure Active Directory and Active Directory (for ISVG and Identity Manager in a hybrid AD/Azure AD environment with AD Sync synchronization enabled).
  With the default option the adapter ignores (does not sync) groups on the Azure AD account that are synchronized from AD, to avoid modifying Active Directory group objects, which are read-only in Azure AD.

Items included in 10.0.10 release

SVGAD-174 | IDEA ADAPT-125 | Completed the implementation of support for the standard Azure user attributes as documented in the properties table at https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#properties, with the exception of the attributes that require an SPO license (aboutMe, birthday, hireDate, interests, mySite, pastProjects, preferredName, responsibilities, schools, skills, showInAddressList) and the mailboxSettings attribute, which needs an M365 license.
  Also changed to ReadWrite the attributes that were implemented as ReadOnly in release 10.0.8: businessPhones, employeeHireDate, onPremisesImmutableId, preferredDataLocation.

SVGAD-187 | - | Added support for additional on-premises group attributes.

Items included in 10.0.9 release

RTC-189893, SVGAD-99 | IDEA ADAPT-128 | Azure - Adapter refresh and guest account support.

Items included in 10.0.8 release

RTC-191201 | IDEA ADAPT-125 | Support has been added for a number of additional attributes, which can be included or excluded by updating a configuration file. For more information on the attributes that can now be included or excluded and on the configuration file specification, see Chapter 3 and Chapter 7 in the "Corrections to Installation Guide" section below.

 

 

Items included in 10.0.7 release

None

Items included in 10.0.6 release

None

Items included in 10.0.5 release

None

Items included in 10.0.4 release

None

Items included in 10.0.3 release

None

Items included in 10.0.2 release

None

Items included in 10.0.1 release

None

Items included in 7.1.9 release

None

Items included in 7.1.8 release

None

Items included in 7.1.7 release

None

Items included in 7.1.6 release

167913 | - | Azure Roles and Azure Licenses appear as Service Groups.

Items included in 7.1.5 release

154049 | - | Roles are dynamically populated for the given tenant via the API when creating or modifying a user.

Items included in 7.1.4 release

Add support for IGI 5.2.2. This adapter is now designed for use with IBM Security Identity Manager, Privileged Identity Manager, and Identity Governance and Intelligence.

Items included in 7.0.3 release

136762 | - | Added a configurable parameter to specify the Recon Page Size in the Service Form.

Items included in 7.0.2 release

131874 | - | Upgraded to Graph API version 1.6, the latest version provided by Microsoft.

Items included in 7.0.1 release

Initial Release.

 

Closed Issues

Internal # | APAR # / Case # | Description

Items closed in 10.0.12 current release

Bug 4291 / SVGAD-1980 | TS014785408, APAR DT257601 | Azure Adapter is running very slow.
  Performance enhancement of full reconciliation.
  As part of the performance work, the adapter now supports an endsWith filter on eruid (User Principal Name) only. See the Microsoft documentation for the $filter query parameter: https://learn.microsoft.com/en-us/graph/filter-query-parameter?tabs=http
  A filtered reconciliation with an endsWith filter returns only the matching users. The * must be the first character of the value, as in these examples:
    (eruid=*@ibm.com)  or  (eruid=*abc@ibm.com)  or  (eruid=*@consultant.ibm.com)
  The endsWith filter on eruid is not served by the API in the following cases:
    1. More than one * in the filter.
    2. The * is not the first character, for example (eruid=abc*@ibm.com).
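To make the two rules above concrete, here is an added Python example (written for these notes; it is not adapter code) that validates a reconciliation filter against them and, when it is valid, builds the Microsoft Graph $filter expression for an endsWith match on userPrincipalName. The mapping of eruid to userPrincipalName is stated above; the exact request the adapter sends is not on this page, so the query built here is an assumption. What is documented by Microsoft is that endsWith on userPrincipalName is an advanced query and therefore needs $count=true and the ConsistencyLevel: eventual header, which the example includes.

```python
import re

# Shape the endsWith optimisation accepts: (eruid=<value>) with exactly one '*'
# and that '*' as the first character of the value, e.g. (eruid=*@ibm.com).
_ERUID_FILTER = re.compile(r"^\s*\(\s*eruid\s*=\s*(?P<value>[^()]*?)\s*\)\s*$")


def endswith_suffix(recon_filter: str) -> str:
    """Return the suffix of a valid (eruid=*suffix) filter.

    Raises ValueError for each shape the release notes list as not served
    by the API path, so a caller can fall back to a full reconciliation
    instead of silently reconciling nothing.
    """
    m = _ERUID_FILTER.match(recon_filter)
    if not m:
        raise ValueError(f"not an (eruid=...) filter: {recon_filter!r}")
    value = m.group("value")
    stars = value.count("*")
    if stars != 1:
        raise ValueError(f"expected exactly one '*', found {stars}: {value!r}")
    if not value.startswith("*"):
        raise ValueError(f"'*' must be the first character: {value!r}")
    suffix = value[1:]
    if not suffix:
        raise ValueError("nothing after '*'; run a full reconciliation instead")
    return suffix


def graph_user_query(recon_filter: str) -> dict:
    """Build query parameters and headers for GET /v1.0/users (assumed mapping).

    endsWith(userPrincipalName, ...) is a Graph advanced query, which is
    supported only together with $count=true and the
    ConsistencyLevel: eventual header.
    """
    suffix = endswith_suffix(recon_filter)
    literal = "'" + suffix.replace("'", "''") + "'"  # OData string literal escaping
    return {
        "params": {
            "$filter": f"endsWith(userPrincipalName,{literal})",
            "$count": "true",
        },
        "headers": {"ConsistencyLevel": "eventual"},
    }


def classify(filters):
    """Map each candidate filter to its Graph $filter, or to the reason it is rejected."""
    out = {}
    for f in filters:
        try:
            out[f] = graph_user_query(f)["params"]["$filter"]
        except ValueError as exc:
            out[f] = f"REJECTED: {exc}"
    return out


if __name__ == "__main__":
    # Constructed inputs: the three valid examples from the notes plus the two
    # shapes the notes say the API path cannot serve.
    for flt, result in classify([
        "(eruid=*@ibm.com)",
        "(eruid=*abc@ibm.com)",
        "(eruid=*@consultant.ibm.com)",
        "(eruid=abc*@ibm.com)",
        "(eruid=*abc*@ibm.com)",
    ]).items():
        print(f"{flt:32} -> {result}")
```

Rejecting the unsupported shapes up front matters because a filter that Graph cannot serve as endsWith does not fail loudly; checking the filter before the reconciliation starts is cheaper than discovering an empty result afterwards.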

 


Items closed in 10.0.11 release

SVGAD-1160 | - | Azure AD Adapter returns an error if the modify operations of all on-premises groups fail. (Earlier, the adapter showed a warning in ISIM and reported success in IGI.)

SVGAD-1104 | - | Resolved the "BrokerageDriver: unable to get group" error in IGI for the Azure AD adapter.


Items closed in 10.0.10 release

Bug 4052 / RTC-191380 / SVGAD-183 / SVGAD-492 | TS011850962, APAR IJ46475 | erazuremail attribute value can't be modified.

Bug 4115 / SVGAD-488 | TS013089169 | ISVG-IM - AzureAD connector support for the change account type (guest / member) operation.

SVGAD-345 | - | Modification of the otherMails attribute fails when both the resetRedemption email and otherMails are modified using the same value.


Items closed in 10.0.9 release

SVGAD-214 | TS012598809, APAR IJ46569 | User Type attribute support has been provided.

SVGAD-202 | - | AzureAD password change request is not a password change request.

SVGAD-255 | APAR IJ46544 | 10.0.8 Azure AD adapter does not include the userType attribute.

SVGAD-204 | - | AzureAD adapter doesn't update employeeType and doesn't return an error.

Bug 3932 / SVGAD-189 | TS010289610, APAR IJ46952 | Reconciliations get 'Peer not authenticated'.


Items closed in 10.0.8 release

Bug 4036 / SVGAD-186 | TS012022819 | ISVG - Azure connector moving to Stop with no reason.

Bug 3999 / SVGAD-112 | TS011223164, APAR IJ46250 | SVG 10 AZURE connector takes a long time to sync.

Items closed in 10.0.7 release

Bug 4058 / RTC-191418 | TS012182768 | Azure group members are missing in ISIM for a few Azure AD groups.

Bug 4048 / RTC-191370 / SVGAD-94 | TS011983218, APAR IJ45817 | Adapter Azure AD - Problem Reconciliation.

Bug 3877 / RTC-190922 | TS009601235 | Azure Adapter not retrieving more than 100 role or group memberships.

Bug 3798 | TS008822467 | Azure adapter.

Bug 4001 / RTC-191165 | APAR IJ44919, TS011274307 | SVG10 Azure 10.0.4 does not sync one entry.

Bug 3849 / RTC-190671 | TS009152967 | Azure recon filter fails.

Items closed in 10.0.6 release

RTC 191023 / Bug 3960 | TS010589688 | ISVG Microsoft cloud based adapters documentation clarification.

RTC 190548 / Bug 3412 | - | ISIM 6.0 Microsoft Azure AD Adapter 6.0.9 - Customer questions.

Items closed in 10.0.5 release

RTC 190671 / Bug 3849 | TS009152967 | Azure recon filter fails.

RTC 190673 / Bug 3881 | TS009629523 | Reconcile Azure groups does not work correctly.

Items closed in 10.0.4 release

RTC 190567 / Bug 3791 | TS008284489 | DN value too large when syncing reconciled Azure AD groups to the database.

RTC 190589 / Bug 3828 | TS009154416 | Azure User and Group connector: connector config parameter "Application Key" is wrongly referenced.

RTC 190585 / Bug 3830 | TS009154081 | Azure adapter full reconciliation does not return all account attributes.

Items closed in 10.0.3 release

Bug 3742 | TS008090689 | Strange behavior while reconciling accounts.

Bug 3748 | TS008239362 | Azure AD adapter update on user mail attribute.

Bug 3747 | TS008340486 | Azure AD Adapter Chinese language code is incorrect.

Items closed in 10.0.2 release

RTC-189750 / Bug 3556 | APAR IJ34789, TS005863375 | Azure Adapter - Issues with the Azure AD Connector in ISIM.

Items closed in 10.0.1 release

RTC-187877 / Bug 3343 | APAR IJ28198, TS004183133 | Azure Adapter - Token is not auto-regenerated on expiration.

Items closed in 7.1.9 release

RTC 186401 / Bug 3159 | APAR IJ22880, TS003347193 | Azure adapter - Multivalued support for Administrator Role Membership attribute - erazureroleoid.

Items closed in 7.1.8 release

Bug 3063 / RTC-185170 | TS002800844 | Azure AD Adapter error during Change Log Sync operation.

Bug 3088 / RTC-185913 | TS002970407 | Azure AD recon filter causes odata.error":{"code":"Request_BadRequest"}.

Items closed in 7.1.7 release

RTC 181613 | - | Issue while performing the Change Password operation for the Azure adapter on IGI 5.2.5.

Internal RTC 181729 | - | As an Azure developer, I must ensure that the adapter creates the user in Active state when the request comes from IGI.

RTC 179378 | APAR IJ09099, Bugz 2710 | As an Azure adapter developer, I must ensure that the adapter sends back the correct error message when the user does not exist during a delete operation.

Internal RTC 181519 | - | Azure adapter profile change for IGI 5.2.5: the eruid target attribute should be mapped to the CODE governance attribute by default.

Items closed in 7.1.5 release

154049 | - | The 'directoryRoles' segment is used to manage roles instead of 'roles', and objectId is used to reference roles. This is due to a change in the Microsoft API.

154150 | 52088,800,624 / RTC 47191 | License removal needs an explicit call to remove the SKU when no service plans are enabled. This is due to a change in the Microsoft API.

Items closed in 7.1.4 release

Initial Release compliant with IGI 5.2.2.

Items closed in 7.0.3 release

135407 | - | App Key masked in the debug logs.

136311 | - | License deprovisioning fixed. Only the licenses that are enabled and applicable to the user are allowed.

139239 | - | objectId changed to roleTemplateId due to a change in the Microsoft API response.

Items closed in 7.0.2 release

132799 | - | The App key is hidden in the service form. The attribute "erazureappkey" is added to the password.attributes list in enRole.properties in the <ISIM_HOME>/data directory.

Items closed in 7.0.1 release

Initial Release.

 

Known Limitations

Internal # | APAR # / PMR # | Description

No internal, APAR, or PMR numbers apply to the following limitations.

- Attributes that require a SharePoint Online (SPO) license are not supported in this release of the adapter.

- Attributes and/or operations that are not supported in the production version of the Microsoft Graph API are not supported in the adapter.

- "Directory (Azure AD) extensions" attributes, also called custom attributes, are currently not supported. See https://learn.microsoft.com/en-us/graph/extensibility-overview?tabs=http

- The adapter does not support deleting all mail addresses in the otherMails attribute in the case of ISVG.

- The adapter supports enrolling each user in up to 999 groups and up to 999 roles.

- The adapter does not support a case-insensitive filter search with (eruid=username@domainname.com). This is a known issue with the Dispatcher, which does the filtering during reconciliation. The exact user name must be used during a filtered reconciliation until this issue is fixed in the Dispatcher.

- The adapter does not support duplicate group display names.

- The adapter does not support changing the group name. This is a limitation of IBM Security Verify Identity. Attempting to change the group name results in the following error: "CTGIMI046E You cannot change the value of the attribute that is mapped to ergroupname."

- The adapter does not support setting the group attribute 'mailNickname'. This is a limitation of the Windows Azure Active Directory Graph API: the API only accepts 'BposMailNickName' as the value for this attribute during group creation. Any other value results in the following error: "Invalid value specified for property 'mailNickname' of resource 'Group'".

- The service principal that represents the adapter service must be in an administrator role that has permission to modify role objects in order to send POST or DELETE requests, and in a role that has permission to read role objects in order to send GET requests. For more information about administrator roles in Windows Azure AD Graph, see Windows Azure AD Graph and Role-Based Access Control: http://msdn.microsoft.com/en-us/library/azure/dn385717.aspx

- Microsoft has a limitation that user accounts cannot be added or modified in a federated domain that is synchronized from on-premises Active Directory by DirSync when that domain is not the default domain. Users in such a domain can be provisioned with the AD adapter and then synchronized to Azure AD with the Microsoft DirSync tool.

- The "Enable detailed TDI debugging" option on the Service Form was removed in release 7.0.2 for security reasons. Instead, set "DEBUG" in the ITDI log4j.properties file to enable extra debug logging.

- Only licenses and service plans that are enabled for provisioning and are applicable at the user level are available for provisioning through the adapter. Company-wide licenses are not supported.

- User Principal Name is a ReadWrite attribute. Updating the User Principal Name on the target is not recommended: after reconciliation a new account is created and you must associate it with the user manually again. Always update the User Principal Name from ISIM/IGI to maintain consistency.

 

 

Installation and Configuration Notes

  See the IBM Security Verify Governance Adapter Installation and Configuration Guide for detailed instructions.

 

 Supported API

   Now supporting Graph API.

Corrections to Installation Guide:

Chapter 1: Overview
          -> Features of the adapter
             (modify the section by adding the points and note below.)

             - Create, modify, suspend, restore, change password, and delete a user and guest user.
             - Send guest account invitations.

Note: See https://www.ibm.com/docs/en/svgaa?topic=reference-adapter-attributes-by-operations for more details on guest account creation and the operations related to it.

Chapter 2: Planning
         -> Prerequisites

Directory Integrator:
                Update the description as below:

                IBM Security Directory Integrator: consult the release notes for the currently supported versions.


Chapter 3: Installing
         -> Installing ILMT-Tags File

          (Please add a new section "Installing ILMT-Tags File" under Installing > Installing ILMT-Tags in the install guide.)

          Before you begin:

          - The Dispatcher must be installed.

          Procedure:

             Copy the files in the ILMT-Tags folder to the specified location:

              1. Windows: <SDI-HOME>/swidtag

              2. Unix/Linux: <SDI-HOME>/swidtag



-> Installing in the Verify Governance Virtual Appliance

(Please add this new section in the Knowledge Center, under Installing > Installing in the Verify Governance Virtual Appliance, for the Azure AD Adapter to describe the procedure for installing the adapter in the Verify Governance Virtual Appliance: https://www.ibm.com/docs/en/svgaa?topic=ldap-installing-in-virtual-appliance. Please add the note below after the description.)

Note: While uploading the adapter package, you may receive "System Error: A file included in the SDI Adapter zip already exists on the system", and the Server Message log under the Appliance tab of the VA will contain the error "com.ibm.identity.sdi.SDIManagementService E File ibm.com_IBM_Security_Verify_Governance_xxxx.swidtag found in the adapter zip at location ILMT-Tags/ already exists in system". This happens because the same swidtags can be installed only once, so if another adapter of the same type is already installed, remove the already-installed swidtags from the adapter zip.

            The ibm.com_IBM_Security_Verify_Governance_Enterprise-xxxx.swidtag file is common to all adapters. In addition to the common swidtag file, an application adapter needs the ibm.com_IBM_Security_Verify_Governance_Application_Adapters-xxxx.swidtag file, and an infra adapter needs the ibm.com_IBM_Security_Verify_Governance_Lifecycle-xxxx.swidtag and ibm.com_IBM_Security_Verify_Governance_Compliance-xxxx.swidtag files. So if an application adapter is already installed and this is an infra adapter, install only the infra-specific swidtags, and the other way around. See the IBM Security Verify Governance Adapters v10.x link to identify the adapter type of the installed adapters.

 


      
       -> (Update the sub-section "Service/Target form details" of the "Installing" section and add the content below.)

(in Installing > Service/Target form details > Complete the service/target form fields > Azure Active Directory Domain Details)
            Configuration File Path

            Specify the location of the .properties file containing the additional attributes that the adapter must support. (See "Configuration for additional attributes".)

Select Groups to Sync

Choose how groups are synced: (Default) Fetch Only Azure AD Groups, or Fetch Azure AD and Active Directory Groups.
(Default) Fetch Only Azure AD Groups: By default the adapter fetches only Azure AD (cloud) groups.
Fetch Azure AD and Active Directory Groups: Syncs all groups (cloud groups and on-premises groups) from Azure AD. Use this only if ISVG and Identity Manager are in a hybrid AD/Azure AD environment with AD Sync synchronization enabled.


       -> (Add the sub-section below under the Installing section: "Configuration for additional attributes")

       -> Configuration for additional attributes

The Azure AD adapter supports all the standard user account attributes provided by Azure. Because collecting additional attributes during reconciliation might have a negative impact on performance, support for additional attributes is activated through a configuration file. This file must list the additional attributes that your organization requires.

             Only the additional attributes that are currently supported may be added to the configuration file.

==> Follow the steps below to set up and configure the path of the additional attribute file:

(A sample AzureAD-Attributes.properties file, in which all the supported additional attributes are specified, is available in the adapter package.)
1) In the adapter Connector/Service form details, find the Configuration File Path field.

2) Specify the file location in the Configuration File Path field (for example C:\Program Files\IBM\TDI\V7.2\timsol\properties\AzureAD-Attributes.properties).

               - The file must be in .properties format (follow the steps for setting up the AzureAD-Attributes.properties file).

               - The file must be located on the same machine where the dispatcher is running (for example <SDI_Solution_Directory>\properties\AzureAD-Attributes.properties).

               - You must provide the full path of the file in the "Configuration File Path" field of the service form. See "Service/Target form details".

3) Restart the dispatcher service.

4) Perform a reconciliation.


==> Notes on the additional attribute configuration file:
- The additional attribute configuration file (AzureAD-Attributes.properties) must contain a list of comma-separated values.

- Attribute names are case sensitive.

- A warning message is written to the SDI log for attributes that cannot be processed.

- If you modify an additional attribute and the operation returns success but the attribute is not actually modified on the target, verify that the attribute exists in the additional attribute configuration file and that its name matches the name given in the "Additional User Attributes" table.

- If you update the contents of the configuration file, you must restart the dispatcher and perform a reconciliation.

- Sample file data (attributes can be included or excluded as needed):

                            additionalAttributes=createdDateTime,ageGroup,businessPhones,companyName,consentProvidedForMinor,creationType,employeeHireDate,employeeId,employeeType,legalAgeGroupClassification,lastPasswordChangeDateTime,onPremisesDistinguishedName,onPremisesDomainName,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,onPremisesSyncEnabled,onPremisesUserPrincipalName,passwordPolicies,preferredDataLocation,proxyAddresses,securityIdentifier,signInSessionsValidFromDateTime,imAddresses,provisionedPlans,licenseAssignmentStates,assignedPlans,onPremisesProvisioningErrors,deletedDateTime,signInActivity,division,costCenter,refreshTokensValidFromDateTime,employeeLeaveDateTime,employeeOrgData,manager,manager_FULLSUPPORT
 
- On-premises attributes:
              1) onPremisesDistinguishedName: Contains the on-premises Active Directory distinguished name (DN).
              2) onPremisesDomainName: Contains the on-premises domain FQDN, also called dnsDomainName, synchronized from the on-premises directory.
              3) onPremisesImmutableId: Used to associate an on-premises Active Directory user account with its Azure AD user object.
              4) onPremisesLastSyncDateTime: Indicates the last time the object was synced with the on-premises directory.
              5) onPremisesSamAccountName: Contains the on-premises samAccountName synchronized from the on-premises directory.
              6) onPremisesSecurityIdentifier: Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud.
              7) onPremisesSyncEnabled: True if this user object is currently being synced from an on-premises Active Directory (AD). Otherwise the user is not being synced and can be managed in Azure Active Directory.
              8) onPremisesUserPrincipalName: Contains the on-premises userPrincipalName synchronized from the on-premises directory.

- ageGroup and consentProvidedForMinor are optional properties used by Azure AD administrators to help ensure that the use of an account is handled correctly according to the age-related regulatory rules of the user's country or region.

- The values of some attributes depend on other attributes, so after you update such an attribute, perform a reconciliation to fetch the dependent attribute's value.

            legalAgeGroupClassification: This property is read-only and is calculated from the ageGroup and consentProvidedForMinor properties.

- manager: This property does not support full reconciliation on its own.

- manager_FULLSUPPORT: Add this name to the additional attribute configuration file to enable full reconciliation of manager.

- Sign-in activity attributes (Last Interactive Sign In Date and Time, Request Identifier of the Last Interactive Sign In, Last Non Interactive Sign In Date and Time, Request Identifier of the Last Non Interactive Sign In): retrieving this property requires an Azure AD Premium P1/P2 license and the AuditLog.Read.All permission.

- Note: In IBM Security Verify Identity Manager (ISIM), for the Employee Leave Date Time and Employee Hire Date Time attributes, if the date and time values are empty, the Never check box is selected by default.

- Note: If you used the Employee Hire Date attribute in IBM Security Verify Governance (IGI) with Azure AD Adapter v10.0.8 or v10.0.9, follow these steps to get the Employee Hire Date in the proper format:
  1) Open Access Governance Core > Account Configurations > Target Attributes, select the Employee Hire Date attribute, remove it, and save.
  2) Import the profile jar of the latest Azure AD adapter version (v10.0.10 or later).
  3) Open Access Governance Core > Account Configurations > Target Attributes, run Discover Account Attributes from Target, and add the Employee Hire Date attribute.

- The following attributes are not included because they require an additional license or are only available in the beta Graph API:

aboutMe - requires an SPO license.

birthday - requires an SPO license.

hireDate - requires an SPO license.

interests - requires an SPO license.

mailboxSettings - requires an M365 license.

mySite - requires an SPO license.

pastProjects - requires an SPO license.

preferredName - requires an SPO license.

responsibilities - requires an SPO license.

schools - requires an SPO license.

skills - requires an SPO license.

showInAddressList - Do not use in Microsoft Graph. Manage this property through the Microsoft 365 admin center instead.
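Because an unrecognised or wrongly cased name only produces a warning in the SDI log, a typo in the properties file silently drops an attribute and the modify operation "succeeds" without changing the target, as described above. The following Python is an added example for these notes (not part of the adapter) that reads an AzureAD-Attributes.properties file and checks the additionalAttributes list against the rules in this section: comma separated, case sensitive, and limited to the supported names. It also flags the SPO/M365-licensed attributes listed above. The supported and excluded name lists are copied from this page; the sample file content is constructed, and the line-continuation handling is a Java properties convention, not something the adapter documents.

```python
import re

# Names the shipped sample AzureAD-Attributes.properties lists as supported
# (the additionalAttributes value quoted in these release notes).
SUPPORTED_ADDITIONAL = frozenset(
    (
        "createdDateTime,ageGroup,businessPhones,companyName,consentProvidedForMinor,"
        "creationType,employeeHireDate,employeeId,employeeType,"
        "legalAgeGroupClassification,lastPasswordChangeDateTime,"
        "onPremisesDistinguishedName,onPremisesDomainName,onPremisesImmutableId,"
        "onPremisesLastSyncDateTime,onPremisesSamAccountName,"
        "onPremisesSecurityIdentifier,onPremisesSyncEnabled,"
        "onPremisesUserPrincipalName,passwordPolicies,preferredDataLocation,"
        "proxyAddresses,securityIdentifier,signInSessionsValidFromDateTime,"
        "imAddresses,provisionedPlans,licenseAssignmentStates,assignedPlans,"
        "onPremisesProvisioningErrors,deletedDateTime,signInActivity,division,"
        "costCenter,refreshTokensValidFromDateTime,employeeLeaveDateTime,"
        "employeeOrgData,manager,manager_FULLSUPPORT"
    ).split(",")
)

# Names the notes exclude because they need an SPO or M365 licence, or must
# not be managed through Graph at all.
EXCLUDED = {
    "aboutMe": "SPO licence", "birthday": "SPO licence", "hireDate": "SPO licence",
    "interests": "SPO licence", "mySite": "SPO licence", "pastProjects": "SPO licence",
    "preferredName": "SPO licence", "responsibilities": "SPO licence",
    "schools": "SPO licence", "skills": "SPO licence",
    "mailboxSettings": "M365 licence",
    "showInAddressList": "manage in the Microsoft 365 admin center, not via Graph",
}

_LOWER_TO_CANONICAL = {name.lower(): name for name in SUPPORTED_ADDITIONAL}


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: '#'/'!' comments, key=value or
    key:value, and trailing-backslash continuation so the long list may be
    wrapped across lines."""
    props, pending = {}, ""

    def store(line: str) -> None:
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)

    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        store(line)
    if pending:  # file ended on a continuation line
        store(pending)
    return props


def check_additional_attributes(text: str) -> dict:
    """Classify every name in additionalAttributes before the dispatcher
    restart, instead of finding the warning in the SDI log afterwards."""
    value = parse_properties(text).get("additionalAttributes", "")
    names = [n.strip() for n in value.split(",") if n.strip()]
    report = {"accepted": [], "case_mismatch": {}, "excluded": {},
              "unknown": [], "duplicate": []}
    seen = set()
    for name in names:
        if name in seen:
            report["duplicate"].append(name)
            continue
        seen.add(name)
        if name in SUPPORTED_ADDITIONAL:
            report["accepted"].append(name)
        elif name in EXCLUDED:
            report["excluded"][name] = EXCLUDED[name]
        elif name.lower() in _LOWER_TO_CANONICAL:      # right attribute, wrong case
            report["case_mismatch"][name] = _LOWER_TO_CANONICAL[name.lower()]
        else:
            report["unknown"].append(name)
    return report


# Constructed sample (not the shipped file): a wrapped list containing one
# wrong-case name, one licensed attribute, one unknown name and one duplicate.
SAMPLE_PROPERTIES = """\
# AzureAD-Attributes.properties (constructed example)
additionalAttributes=employeeId,employeetype,\\
    onPremisesSamAccountName,aboutMe,manager,manager_FULLSUPPORT,\\
    costcentre,employeeId
"""

if __name__ == "__main__":
    for kind, items in check_additional_attributes(SAMPLE_PROPERTIES).items():
        if items:
            print(f"{kind}: {items}")
```

Run it against the real file before restarting the dispatcher; anything under case_mismatch, excluded or unknown is an attribute the adapter will warn about and then ignore.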

           
           
==> Steps to update the design form in IGI:

             - Select Access Governance Core > Manage > Account Configuration.

            - Select the Azure AD adapter account you created.

            - Select Target Attributes > Actions > Discover Attributes from Target, and select only the attributes you want to process (only those attributes will be processed; this applies to additional attributes only).

            - Set Editable to false for read-only attributes.

            - Click Save.
            - Make sure to include this list of attributes in the additional attribute file.

==> Steps to update the design form in ISIM:
            - Select Configure System > Design Forms.
            - Configure the form to include the additional attributes that you want and/or remove unneeded attributes.
              (Account > Azure Account > $erazureadditionaldetails)
            - Click Save.
            - Make sure to include this list of attributes in the additional attribute file.


-> Upgrading the adapter binaries or connector

(Please update the "Upgrading the adapter binaries or connector" section at Installing > Upgrading the adapter binaries or connector.)

         - Take a backup of the adapter binaries or connector

                  Procedure:

                  Back up the following files before performing the upgrade.

                  If AzureADConnector.jar exists, take a backup of it:

                              <SDI-HOME>/jars/connectors/AzureADConnector.jar

                  If Microsoft365Connector.jar exists, take a backup of it:

                             <SDI-HOME>/jars/connectors/Microsoft365Connector.jar

                 Only one of AzureADConnector.jar or Microsoft365Connector.jar will be present in the <SDI-HOME>/jars/connectors/ directory.

                  Note: Stop the dispatcher service before upgrading the connector and start it again after the upgrade is complete.

          - Upgrade the adapter binaries or connector

                  Procedure:

                  Microsoft365Connector.jar is included in the Microsoft Azure AD Adapter distribution package.

                  Copy Microsoft365Connector.jar from the adapter package to the <SDI-HOME>/jars/connectors directory.

                  If AzureADConnector.jar exists in the <SDI-HOME>/jars/connectors directory, delete it.

          - Upgrading the adapter profile

            Read the adapter release notes for any specific instructions before you import a new adapter profile.

          - Upgrading the AzureAD-Attributes.properties file

           The additional attributes of the Azure adapter must be listed under the additionalAttributes key, as shown below:

additionalAttributes=createdDateTime,ageGroup,businessPhones,companyName,consentProvidedForMinor,creationType,employeeHireDate,employeeId,employeeType,legalAgeGroupClassification,lastPasswordChangeDateTime,onPremisesDistinguishedName,onPremisesDomainName,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,onPremisesSyncEnabled,onPremisesUserPrincipalName,passwordPolicies,preferredDataLocation,proxyAddresses,securityIdentifier,signInSessionsValidFromDateTime,imAddresses,provisionedPlans,licenseAssignmentStates,assignedPlans,onPremisesProvisioningErrors,deletedDateTime,signInActivity,division,costCenter,refreshTokensValidFromDateTime,employeeLeaveDateTime,employeeOrgData,manager,manager_FULLSUPPORT

         Properties file location updated to: <SDI_Solution_Directory>\properties\AzureAD-Attributes.properties

            Note: Restart the Dispatcher service after importing the profile, connector jar, or properties file. Restarting the Dispatcher clears the assembly line cache and ensures that the dispatcher runs the assembly lines from the updated adapter profile.
            The Azure AD adapter (from 10.0.11) and the O365 adapter (from 10.0.9) use a single combined Microsoft365Connector.jar implementation.

 

Installing in an IBM Security Verify Directory Dispatcher Container

Before you begin

The adapter and its related files can be installed into the container with the adapterUtil.sh script, which ships with the Dispatcher package. Stage this script on the machine that runs the Kubernetes CLI. The adapterUtil.sh script is also available in the bin directory of the IBM Security Verify Governance Identity Manager (ISIM) Container Starter Kit installation directory (if ISVDI was selected during the ISIM container installation).

If the adapterUtil.sh script cannot be executed or used for any reason, follow the manual instructions below to copy the files to the persistent volume.

Note:  The container must be restarted after installing or uninstalling the adapter and after any change to the configuration yaml. To activate the changes and restart the container, run the following commands:

-       <path_to_starterkit>/bin/createConfigs.sh isvdi

-       For an OpenShift container:   oc -n isvgim rollout restart deployment isvdi

-       For a Kubernetes container:   kubectl -n isvgim rollout restart deployment isvdi

 

 

Note: This document only describes the adapterUtil.sh command options that are required to install this adapter. For other command options, such as listing installed connectors and 3rd party jars, please refer to the Dispatcher10 Installation and Configuration Guide.

Installing / Upgrading / Re-installing / Downgrading the adapter

Using Script

Use the following command to install, upgrade, re-install or downgrade the adapter:

/path/to/adapterUtil.sh -loadAdapter "/path/to/Adapter-AzureAD-*.zip" accept

Where /path/to/adapterUtil.sh is the location where the adapterUtil.sh script is installed and /path/to/Adapter-AzureAD-*.zip is the location where the Adapter zip file is staged on the machine running Kubernetes cli.

Manually copying files to Persistent Volume

Copy the files to the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image as per the given directory structure:

Microsoft365Connector.jar

Copy this file to the <Persistent_Volume>/jars/connectors directory.

 

ILMT-Tags

Copy below files to the <Persistent_Volume>/swidtag directory:

 

ibm.com_IBM_Security_Verify_Governance_Compliance-10.0.2.swidtag

ibm.com_IBM_Security_Verify_Governance_Enterprise-10.0.2.swidtag

ibm.com_IBM_Security_Verify_Governance_Lifecycle-10.0.2.swidtag 

AzureAD-Attributes.properties

Copy this file to the <Persistent_Volume>/timsol/properties directory.

 

 

Copying 3rd party libraries:

Using Script

Use the below command to copy the 3rd party jars:

 

/path/to/adapterUtil.sh -copyToPatches "/path/to/httpclient-*.jar"

/path/to/adapterUtil.sh -copyToPatches "/path/to/httpcore-*.jar"

/path/to/adapterUtil.sh -copyToPatches "/path/to/commons-logging-*.jar"

 

This command will copy the 3rd party jars to the <Persistent_Volume>/jars/patches directory.

 

Manually copying files to the Persistent Volume

Copy below 3rd party jar files to the <Persistent_Volume>/jars/patches directory (Refer release notes for the supported jar versions):

 

httpclient-*.jar

httpcore-*.jar

commons-logging-*.jar

 

Configuring the SSL connection between the IBM Security Verify Directory Integrator Container and the Azure AD Target

If the config.yaml file that is passed to the container through the YAML_CONFIG_FILE environment variable does not have a trusted-certificates element, follow the instructions at https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#keyfile_trusted-certificates (SVDI documentation) to add a trusted-certificates section to the config.yaml file.

Download the DigiCert Global Root CA and DigiCert Global Root G2 certificates in DER/CRT format from https://www.digicert.com/kb/digicert-root-certificates.htm and place them in the certs directory of the config volume that contains the config.yaml file. The default location for this config volume is /opt/IBM/dispatcher/config. Compare the fingerprint of each downloaded certificate with the value published on the DigiCert page before adding it to the trust store.

Reference the certificate paths in the config.yaml file as shown in the example below:

keyfile:
  trusted-certificates:
    - '@/opt/IBM/dispatcher/config/certs/DigiCertGlobalRootG2.crt'
    - '@/opt/IBM/dispatcher/config/certs/DigiCertGlobalRootCA.crt'

 

Enabling TLS 1.2

If the config.yaml file that is passed to the container through the YAML_CONFIG_FILE environment variable does not have an advanced configuration element, follow the instructions at https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced (SVDI documentation) to add an advanced configuration section to the config.yaml file.

To restrict the Dispatcher to TLSv1.2, add the following two attr/value pairs (as described in the SVDI guide):

- attr: com.ibm.di.SSLProtocols
  value: 'TLSv1.2'
- attr: com.ibm.di.SSLServerProtocols
  value: 'TLSv1.2'

 

Enabling debug logs and disabling json-logging

If the config.yaml file that is passed to the container through the YAML_CONFIG_FILE environment variable does not have root-level and json-logging configuration elements, follow the instructions at https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging (SVDI documentation) to add them to the config.yaml file.

To enable debug logs, set root-level to debug. To disable JSON logging, set json-logging to false.

 

Uninstalling the adapter

Using Script

Use the below command to remove the adapter:

 

/path/to/adapterUtil.sh -removeAdapter Adapter-AzureAD

 

Manually copying / removing files to / from the Persistent Volume

Remove files from the given directory structure of the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image.

Note: Some 3rd party jars and ILMT-Tags files might be common with other installed adapters, and hence should not be removed while uninstalling this adapter:

Microsoft365Connector.jar

Remove this file from <Persistent_Volume>/jars/connectors directory.

ILMT-Tags

Remove below files from <Persistent_Volume>/swidtag directory:

 

ibm.com_IBM_Security_Verify_Governance_Compliance-10.0.2.swidtag

ibm.com_IBM_Security_Verify_Governance_Enterprise-10.0.2.swidtag

ibm.com_IBM_Security_Verify_Governance_Lifecycle-10.0.2.swidtag

3rd party jars

Remove the appropriate version of the 3rd party jar files used by this adapter as listed below from the <Persistent_Volume>/jars/patches directory:

 

httpclient-*.jar

httpcore-*.jar

commons-logging-*.jar

 

AzureAD-Attributes.properties

Remove this file from the <Persistent_Volume>/timsol/properties directory

 

 



Chapter 4: Configuring
  (Add this section to the Adapter Installation and Configuration Guide)

         - Enabling TLSv1.2 in Security Directory Integrator

            Procedure:   

              1. Apply the recommended fix packs and limited availability (LA) versions on the Security Directory Integrator. See "Recommended fixes for IBM Tivoli Directory Integrator (TDI) & IBM Security Directory Integrator (SDI)".

              2. After applying the appropriate updates, modify the solution.properties file by appending the following text to the bottom of the file:

 

#####################
# Protocols to enforce SSL protocols in a SDI Server
# Optional values for com.ibm.di.SSL* property (TLSv1, TLSv1.1, TLSv1.2).
# This can be a multi-valued comma separated property
# Optional values for com.ibm.jsse2.overrideDefaultProtocol property (SSL_TLSv2, TLSv1,TLSv11,TLSv12).
# This is a single value property.
#####################
com.ibm.di.SSLProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv1
com.ibm.jsse2.overrideDefaultTLS=true
#####################

              Note: As written, the two com.ibm.di.SSL* properties also keep TLSv1 and TLSv1.1 enabled. To accept TLSv1.2 only, list only TLSv1.2 in both properties, as in the container configuration above.
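The fragment above enables TLSv1 and TLSv1.1 alongside TLSv1.2. The following is an added example, not IBM code: it parses a solution.properties fragment, reports which com.ibm.di.SSL* property still lists a protocol older than TLSv1.2, and rewrites both multi-valued properties to TLSv1.2 only. The property names and accepted values are taken from the comment block above; the sample fragment is constructed; the single-valued com.ibm.jsse2.overrideDefaultProtocol property is left untouched because it uses a different value vocabulary.

```python
"""Audit the SSL/TLS protocol settings in an SDI solution.properties fragment.

Added example, not IBM code. Reads Java-style key=value properties, flags any
com.ibm.di.SSL* value older than TLSv1.2 and emits a hardened copy that lists
only TLSv1.2. Property names and accepted values come from the comment block
in the fragment documented above.
"""
from __future__ import annotations

# Properties the fragment documents as multi-valued, comma-separated lists.
MULTI_VALUED = ("com.ibm.di.SSLProtocols", "com.ibm.di.SSLServerProtocols")
# Protocol names the fragment lists as accepted values for those properties.
ACCEPTED = {"TLSv1", "TLSv1.1", "TLSv1.2"}
# Deprecated protocols that an SDI server should no longer offer.
WEAK = {"TLSv1", "TLSv1.1"}
HARDENED = "TLSv1.2"


def parse_properties(text: str) -> dict[str, str]:
    """Parse key=value lines; '#' and '!' start comments; blank lines are ignored."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" not in line:
            continue  # stray lines (for example a lone '-') are not properties
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_tls(props: dict[str, str]) -> dict[str, list[str]]:
    """Return {property: [weak or unknown protocol names]} for the multi-valued SSL properties."""
    findings: dict[str, list[str]] = {}
    for key in MULTI_VALUED:
        if key not in props:
            continue
        values = [v.strip() for v in props[key].split(",") if v.strip()]
        bad = [v for v in values if v in WEAK or v not in ACCEPTED]
        if bad:
            findings[key] = bad
    return findings


def harden(text: str) -> str:
    """Rewrite the fragment so both multi-valued SSL properties list only TLSv1.2.

    Comments and all other properties are preserved line by line.
    """
    out = []
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if key in MULTI_VALUED and "=" in raw:
            out.append(f"{key}={HARDENED}")
        else:
            out.append(raw)
    return "\n".join(out)


# Constructed sample: the shipped fragment reduced to its property lines.
SAMPLE = """\
#####################
# Protocols to enforce SSL protocols in a SDI Server
#####################
com.ibm.di.SSLProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv1
com.ibm.jsse2.overrideDefaultTLS=true
"""

if __name__ == "__main__":
    for prop, weak in sorted(audit_tls(parse_properties(SAMPLE)).items()):
        print(f"{prop}: still offers {', '.join(weak)}")
    print(harden(SAMPLE))
```

Run it against the real file before and after the change; an empty result from audit_tls means the server only negotiates TLSv1.2 for the two multi-valued properties.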

             Customizing the adapter

                          The adapters can be customized or extended or both. The type and method of this customization varies depending on the adapter.

                          Customizing and extending adapters requires a number of skills. The developer must be familiar with the following concepts and skills:

 

                          - IBM Security Verify Governance Identity Manager administration

                          - IBM Security Verify Governance administration

                          - IBM Security Directory Integrator management

                          - Security Directory Integrator Assembly Line development

                          - LDAP schema management

                          - Working knowledge of the JavaScript scripting language

                          - Working knowledge of LDAP object classes and attributes

                          - Working knowledge of XML document structure

 

                          Note: If the customization requires a new Security Directory Integrator connector, the developer must also be familiar with Security Directory Integrator connector development and working knowledge of Java programming language.

 

                          Support for custom adapters

                                         The integration to IBM Security Verify Governance servers "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.

 

Chapter 5: Troubleshooting
                    Enabling DEBUG Logs on SDI Server

                          Procedure:

                          1. Stop the SDI Server process.

                          Pre-7.2.0-ISS-SDI-FP0008

                          2. Edit <SDI_Solution_Directory>/etc/log4j.properties.

                          3. Change the line

                                      log4j.rootCategory=INFO, Default

                                      to

                                      log4j.rootCategory=DEBUG, Default

                          Post-7.2.0-ISS-SDI-FP0008

                          2. Edit <SDI_HOME_Directory>/etc/log4j2.xml.

                          3. Change the line

                                      <Root level="info">

                                      to

                                      <Root level="debug">

                          Post-7.2.0-ISS-SDI-FP0011

                          4. To include the TCB block in the debug output, append the line com.ibm.di.logging.close=false to the <SDI_HOME_Directory>/etc/global.properties file.

                          5. Start the SDI Server process.

                          6. Re-create the problem and collect <SDI_Solution_Dir>/logs/ibmdi.log.

 

Chapter 6: Uninstalling
           No updates for the current release

 

Chapter 7: Reference
           (Update the tables in the section "Adapter Attributes and Object classes" as follows.)
            - Rename the table "Table 1. Supported user attributes" to "Table 1. Default User Attributes".

            - Add a new table to the section "Adapter Attributes and Object classes" named "Table 2. Additional User Attributes", with the following content:
           

IBM Security Verify Governance Identity Manager name | Attribute name in schema | Attribute name in Target | Data Type | Attribute Type
User Creation Date and Time | erazurecreateddatetime | createdDateTime | String | Read Only
Age Group | erazureagegroup | ageGroup | String | Read Write
Business Phone | erazurebusinessphones | businessPhones | String | Read Write
Company Name | erazurecompanyname | companyName | String | Read Write
Consent Provider for Minor | erazureconsentproviderforminor | consentProvidedForMinor | String | Read Write
User Creation Type | erazurecreationtype | creationType | String | Read Only
Employee Hire Date | erazureemployeehiredate | employeeHireDate | String | Read Write
Employee Id | erazureemployeeid | employeeId | String | Read Write
Employee Type | erazureemployeetype | employeeType | String | Read Write
Legal Age Group Classification of User | erazurelegalagegroupclassification | legalAgeGroupClassification | String | Read Only
Last Password Change Date Time Of User | erazurelastpasswordchangedatetime | lastPasswordChangeDateTime | String | Read Only
On Premises Active Directory Distinguished Name | erazureonpremisesdistiguishedname | onPremisesDistinguishedName | String | Read Only
On Premises DomainFQDN / DnsDomainName | erazureonpremisesdomainname | onPremisesDomainName | String | Read Only
On Premises Immutable ID | erazureonpremisesimmutableid | onPremisesImmutableId | String | Read Write
On Premises Last Sync Date Time | erazureonpremiseslastsyncdatetime | onPremisesLastSyncDateTime | String | Read Only
samAccountName Synchronized From On Premises Directory | erazureonpremisessamaccountname | onPremisesSamAccountName | String | Read Only
On Premises Security Identifier (SID) | erazureonpremisessecurityidentifier | onPremisesSecurityIdentifier | String | Read Only
On Premises Sync Enabled | erazureonpremisessyncenabled | onPremisesSyncEnabled | String | Read Only
On Premises User Principal Name | erazureonpremisesuserprincipalname | onPremisesUserPrincipalName | String | Read Only
Security Identifier (Sid) Of The User | erazuresecurityidentifier | securityIdentifier | String | Read Only
Sessions Valid From Date and Time | erazuresigninsessionvalidfromdate | signInSessionsValidFromDateTime | String | Read Only
Preferred Data Location | erazurepreferreddatalocation | preferredDataLocation | String | Read Only
Password Policies | erazurepasswordpolicies | passwordPolicies | String | Read Write
Proxy Addresses | erazureproxyaddresses | proxyAddresses | String | Read Only
IM Addresses | erazureimaddresses | imAddresses | String | Read Only
Provisioned Plans | erazureassignedplans | provisionedPlans | String | Read Only
License Assignment States | erazurelicenseassignmentstates | licenseAssignmentStates | String | Read Only
Assigned Plans | erazureprovisionedplans | assignedPlans | String | Read Only
Date Time Of User Deletion | erazuredeleteddatetime | deletedDateTime | String | Read Only
On-Premises Provisioning Errors | erazureonpremisesprovisioningerrors | onPremisesProvisioningErrors | String | Read Only
Last Interactive Sign In Date and Time | erazurelastsignindatetime | lastSignInDateTime | String | Read Only
Request Identifier of the Last Interactive Sign In | erazurelastsigninrequestid | lastSignInRequestId | String | Read Only
Last Non Interactive Sign In Date and Time | erazurelastnoninteractivesignindatetime | lastNonInteractiveSignInDateTime | String | Read Only
Request Identifier of the Last Non Interactive Sign In | erazurelastnoninteractivesigninrequestid | lastNonInteractiveSignInRequestId | String | Read Only
Division | erazuredivision | division | String | Read Write
Cost Center | erazurecostcenter | costCenter | String | Read Write
Refresh Tokens Valid From Date Time | erazurerefreshtokensvalidfromdatetime | refreshTokensValidFromDateTime | String | Read Only
Employee Leave Date Time | erazureemployeeleavedatetime | employeeLeaveDateTime | String | Read Write
Identities | erazureidentities | identities | String | Read Write
Manager | erazuremanager | manager | String | Read Write

 
          
- Note: Any value in the identities attribute can be deleted except the userPrincipalName identity.
          - Note: To enter identities in ISVG / ISVG Identity Manager, use the following syntax:

          a|b|c
          a = Issuer
          b = SignIn Type
          c = Issuer Assigned ID
          Example: contoso.onmicrosoft.com|federated|username@contoso.com
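The pipe syntax above, as an added example that is not part of the adapter or of IBM's code: it converts an "issuer|signInType|issuerAssignedId" string into a Microsoft Graph objectIdentity entry, formats one back, and, when computing the identities collection to write on a modify, refuses to drop an existing userPrincipalName identity. The Graph field names (signInType, issuer, issuerAssignedId) are those of the Graph user.identities resource; the sample current identities are constructed.

```python
"""Convert the adapter's 'issuer|signInType|issuerAssignedId' identity syntax into
Microsoft Graph objectIdentity entries and guard the userPrincipalName identity.

Added example, not IBM or Microsoft code. The pipe syntax and the rule that the
userPrincipalName identity cannot be deleted are from the release notes; the
Graph field names are those of the Graph user.identities resource.
"""
from __future__ import annotations


def parse_identity(value: str) -> dict[str, str]:
    """Parse 'a|b|c' (a=issuer, b=signInType, c=issuerAssignedId) into a Graph objectIdentity."""
    parts = value.split("|")
    if len(parts) != 3 or not all(p.strip() for p in parts):
        raise ValueError(f"identity must be 'issuer|signInType|issuerAssignedId', got {value!r}")
    issuer, sign_in_type, assigned_id = (p.strip() for p in parts)
    return {"signInType": sign_in_type, "issuer": issuer, "issuerAssignedId": assigned_id}


def format_identity(identity: dict[str, str]) -> str:
    """Inverse of parse_identity: objectIdentity -> 'issuer|signInType|issuerAssignedId'."""
    return "|".join((identity["issuer"], identity["signInType"], identity["issuerAssignedId"]))


def _key(identity: dict[str, str]) -> tuple[str, str, str]:
    return (identity["signInType"], identity["issuer"], identity["issuerAssignedId"])


def build_identities(current: list[dict[str, str]], requested: list[str]) -> list[dict[str, str]]:
    """Compute the identities collection to write back for a modify request.

    `current` is the user's existing Graph identities; `requested` is the full
    list of 'a|b|c' values supplied from ISVG. Every current identity of
    signInType 'userPrincipalName' must survive; anything else may be dropped.
    """
    wanted = [parse_identity(v) for v in requested]
    keep = {_key(i) for i in wanted}
    for ident in current:
        if ident["signInType"] != "userPrincipalName":
            continue
        if _key(ident) not in keep:
            raise ValueError(f"cannot delete userPrincipalName identity {format_identity(ident)}")
    return wanted


# Constructed sample data: identities an existing Graph user might carry.
CURRENT = [
    {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
     "issuerAssignedId": "jdoe@contoso.onmicrosoft.com"},
    {"signInType": "federated", "issuer": "contoso.onmicrosoft.com",
     "issuerAssignedId": "username@contoso.com"},
]

if __name__ == "__main__":
    keep_upn = ["contoso.onmicrosoft.com|userPrincipalName|jdoe@contoso.onmicrosoft.com"]
    print(build_identities(CURRENT, keep_upn))  # federated identity dropped, UPN kept
    try:
        build_identities(CURRENT, ["contoso.onmicrosoft.com|federated|username@contoso.com"])
    except ValueError as exc:
        print("rejected:", exc)
```

Because the ISVG value is the whole collection, a request that omits the userPrincipalName entry is a deletion of it; the check above turns that into an error before anything is sent to the target.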

 

            - Rename the table "Table 2. Supported group attributes" to "Table 3. Default Group Attributes".

           (Update the tables in the section "Adapter Attributes and Object classes" as follows.)

            - Add a new table to the section "Adapter Attributes and Object classes" named "Table 4. Supported On-premise Group Attributes", with the following content:
           

IBM Security Verify Governance Identity Manager name | Attribute name in schema | Attribute name in Target | Data Type
On-premises Group Domain Name | erazuregrponpremisesdomainname | onPremisesDomainName | String
On-premises Last Sync Date and Time | erazuregrponpremiseslastsyncdatetime | onPremisesLastSyncDateTime | String
On-premises SamAccount Name | erazuregrponpremisessamaccountname | onPremisesSamAccountName | String
On-premises Security Identifier | erazuregrponpremisessecurityidentifier | onPremisesSecurityIdentifier | String
On-premises SyncEnabled Status | erazuregrponpremisessyncenabled | onPremisesSyncEnabled | String
On-premises NetBiosName | erazuregrponpremisesnetbiosname | onPremisesNetBiosName | String

 

            - Rename the table "Table 3. Supported object classes" to "Table 5. Supported Object Classes".

            - Add a new table to the section "Adapter Attributes and Object classes" named "Table 6. Default GuestUser Attributes", with the following content, and add the paragraph given after it below the table:

 

IBM Security Verify Governance Identity Manager name | Attribute name in schema | Attribute name in Target | Data Type
User Type | erazureusertype | userType | String
External User State change Date and Time | erazurestatechangedatetime | stateChangeDateTime | String
Guest Invitation Status | erazuregueststatus | guestStatus | String
Identities | erazureidentities | identities | String

 For more information regarding the usage of attributes that are related to inviting and/or creating guest accounts refer: "Adapter attributes by operations"

 

              

         - Adapter attributes by operations

           Add the following to the "Adapter attributes by operations" section:

Guest User attributes

         The following table shows the attributes that are supported by the Azure Active Directory Adapter for creating guest accounts.
        - Add a new table to the section "Guest User attributes" named "Table 1. Additional GuestUser Attributes", with the following content, and add the paragraph given after it below the table:

 

IBM Security Verify Governance Identity Manager name | Attribute name in schema | Attribute name in Target | Data Type | Required
User Type | erazureusertype | userType | String | Yes
External User State change Date and Time | erazurestatechangedatetime | stateChangeDateTime | String | No (Read Only)
Guest Invitation Status | erazuregueststatus | guestStatus | String | No (Read Only)
Guest Redirect Url | erazureredirecturl | redirectUrl | String | Yes
Send Guest Invitation Mail | erazuresendinvitation | sendInvitation | Boolean | No
Reset Redemption | erazureresetredemption | resetRedemption | Boolean | No
Guest Redeem URL | erazureredeemurl | redeemUrl | Boolean | No
Redemption Email | erazureredemptionmail | redemptionMail | String | Yes (only for Reset Redemption)
Custom Message Body | erazurecustommessage | customMessageBody | String | No
Mail | erazuremail | mail | String | Yes
CC Recipient Mail Address | erazureccrecipientmail | ccRecipientMail | String | No
Preferred Message Language | erazureprefmessagelang | preferredMessageLanguage | String | No
Identities | erazureidentities | identities | String | No

         

 
           
Info: The adapter supports the following operations for guest accounts:
          - Creating guest accounts through invitation.
          - Modifying, suspending, restoring and deleting guest user accounts.
          - Resending the invitation to guest user accounts.
          - Resetting the redemption status of guest user accounts.

Note: For reset redemption, the Redemption Email must match one of the e-mail addresses on the user object. If the redemption e-mail address specified in ISVG / ISVG Identity Manager does not yet exist in Azure AD for this user and the response shows "Account is modified, reset redemption is unsuccessful", retry after a few minutes, starting with a filter reconciliation, and confirm that the new redemption e-mail matches one of the addresses in the otherMails attribute.

For more details on requesting and maintaining guest accounts, see https://learn.microsoft.com/en-us/azure/active-directory/external-identities/user-properties and https://learn.microsoft.com/en-us/azure/active-directory/external-identities/reset-redemption-status
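The guest-user table and the reset-redemption note above, as an added example that is not IBM's code: it assembles a Microsoft Graph invitation request body from the adapter's "Attribute name in Target" keys, enforces the Required column (mail and redirectUrl always, redemptionMail only when resetRedemption is set) and applies the note's rule that the redemption e-mail must already be one of the user's mail/otherMails addresses. The adapter's own mapping of its attributes onto the Graph invitation resource is not published here, so the field mapping below (redirectUrl to inviteRedirectUrl, sendInvitation to sendInvitationMessage, customMessageBody/ccRecipientMail/preferredMessageLanguage to invitedUserMessageInfo, userType defaulting to Guest) is an assumption based on the Graph invitation resource; the sample guest object is constructed.

```python
"""Build a Microsoft Graph invitation request from the adapter's guest-user
attributes, enforcing the Required column and the reset-redemption e-mail rule.

Added example, not IBM code. The attribute-to-Graph field mapping is an
assumption based on the Graph invitation resource, not the adapter's published
behaviour. Attribute keys are the 'Attribute name in Target' values.
"""
from __future__ import annotations


def _emails_on_user(user: dict) -> set[str]:
    """All mail addresses Graph exposes on the user object (mail + otherMails), lower-cased."""
    addrs = {user.get("mail") or ""} | set(user.get("otherMails") or [])
    return {a.lower() for a in addrs if a}


def build_invitation(attrs: dict, existing_user: dict | None = None) -> dict:
    """Map adapter attributes to a Graph invitation body (POST /invitations).

    attrs: e.g. {"mail": ..., "redirectUrl": ..., "resetRedemption": True, "redemptionMail": ...}
    existing_user: the current Graph user object; required for a reset-redemption request.
    """
    for required in ("mail", "redirectUrl"):      # 'Yes' in the Required column
        if not attrs.get(required):
            raise ValueError(f"{required} is required")

    body: dict = {
        "invitedUserEmailAddress": attrs["mail"],
        "inviteRedirectUrl": attrs["redirectUrl"],
        "sendInvitationMessage": bool(attrs.get("sendInvitation", False)),
        "invitedUserType": attrs.get("userType", "Guest"),  # assumed default
    }

    if attrs.get("resetRedemption"):
        redemption_mail = attrs.get("redemptionMail")
        if not redemption_mail:          # 'Yes (only for Reset Redemption)'
            raise ValueError("redemptionMail is required when resetRedemption is set")
        if existing_user is None or not existing_user.get("id"):
            raise ValueError("reset redemption needs the existing guest user object (with id)")
        # The note above: the redemption address must already be on the user;
        # otherwise reconcile, confirm otherMails, and retry.
        if redemption_mail.lower() not in _emails_on_user(existing_user):
            raise ValueError(
                f"{redemption_mail} is not in mail/otherMails of the user; "
                "run a filter reconciliation and retry"
            )
        body["invitedUserEmailAddress"] = redemption_mail
        body["resetRedemption"] = True
        body["invitedUser"] = {"id": existing_user["id"]}

    message: dict = {}
    if attrs.get("customMessageBody"):
        message["customizedMessageBody"] = attrs["customMessageBody"]
    if attrs.get("ccRecipientMail"):
        message["ccRecipients"] = [{"emailAddress": {"address": attrs["ccRecipientMail"]}}]
    if attrs.get("preferredMessageLanguage"):
        message["messageLanguage"] = attrs["preferredMessageLanguage"]
    if message:
        body["invitedUserMessageInfo"] = message
    return body


# Constructed sample: an existing guest as Graph would return it.
GUEST = {"id": "00000000-0000-0000-0000-000000000001",
         "mail": "partner@example.com",
         "otherMails": ["Partner.Alt@example.com"]}

if __name__ == "__main__":
    print(build_invitation({"mail": "partner@example.com",
                            "redirectUrl": "https://myapps.microsoft.com",
                            "sendInvitation": True,
                            "customMessageBody": "Welcome aboard"}))
    print(build_invitation({"mail": "partner@example.com",
                            "redirectUrl": "https://myapps.microsoft.com",
                            "resetRedemption": True,
                            "redemptionMail": "partner.alt@example.com"}, GUEST))
```

The pre-check on mail/otherMails is what turns the target's "reset redemption is unsuccessful" response into a clear local error before a request is sent; it performs the same comparison the note asks the operator to do after a reconciliation.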

Customizing or Extending Adapter Features

The IBM Security Verify Governance Adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.

Refer to the 'IBM Security Verify Governance Adapter Development and Customization Guide'

Support for Customized Adapters
The integration to the IBM Security Verify Governance server "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a case is opened.

Supported Configurations

Installation Platform

The IBM Security Verify Governance Adapter for Microsoft Azure AD was built and tested on the following product versions.

Adapter Installation Platform: 
Because of the continuous Java security updates that may be applied to your IBM Security Verify Governance server and IBM Security Verify Governance Identity Manager server, the following SDI releases are the officially supported versions:

          -  Security Directory Integrator 7.2 + FP12
          -  Security Verify Directory Integrator 10.0.0 

Note:  Earlier versions of SDI that are still supported may function properly; however, to resolve any communication errors, you must upgrade your SDI release to the versions officially supported by the adapter. Refer to the adapter's installation and configuration guide for the latest update on IBM Security Directory Integrator versions and fix packs.

Managed Resource:

Azure AD supported HTTP Client component:

 -        Apache HTTP Component Client

3rd Party Client Libraries:

        httpclient-4.5.14.jar

Download the httpclient-4.5.14.jar from

https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.14

        httpcore-4.4.16.jar

Download the httpcore-4.4.16.jar from

https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore/4.4.16

        commons-logging-1.2.jar

Download the commons-logging-1.2.jar from

https://mvnrepository.com/artifact/commons-logging/commons-logging/1.2

Supported IBM Security Verify Governance servers

-         IBM Security Verify Governance Identity Manager v10.0

-         IBM Security Verify Governance v10.0

 

 

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

 

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY  10504-1785  U.S.A.

 

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

 

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

 

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

 

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.