# Microsoft Entra Cloud Sync Project: Level 2
# Title: Cloud Sync Deployment – Level 2: Technical Configuration

"""
PROJECT CONTEXT
This notebook builds on the previously completed Level 1 facsimile project for Acme Finance Group,
which established the business case for initiating Microsoft Entra Cloud Sync from a traditional
on-premises Active Directory. In this Level 2 project, we simulate the technical steps required to
configure Cloud Sync in a small-to-medium business scenario.

Scenario Recap:
- Company: Acme Finance Group (Regional Accounting Firm)
- Goal: Enable secure sign-in to Microsoft 365 for on-premises AD users via Microsoft Entra ID
- Chosen Path: Lightweight Cloud Sync due to small IT staff and no need for advanced transformations

This notebook focuses on key setup stages, agent deployment, scope configuration, and validation.
"""

# 1. INSTALL CLOUD SYNC AGENT
"""
- Action: Download and install Microsoft Entra Cloud Sync Agent on a domain-joined Windows Server.
- Purpose: Bridge between on-prem AD and Microsoft Entra ID.
- Requirements:
  - .NET Framework 4.7.2 or later
  - Outbound access to Microsoft Entra URLs and ports (TCP 443)
  - Local admin rights on target server
- Sample Facsimile Output:
  Simulated: 'Agent registered successfully with Microsoft Entra ID tenant xyz.onmicrosoft.com'
"""

# 2. GRANT DIRECTORY PERMISSIONS
"""
- Action: Use delegated admin permissions or grant the cloud provisioning app access to on-prem AD.
- Facsimile Step:
  - Simulated domain: acme.local
  - Admin grants permissions using the provided wizard
  - Verification screen: 'Domain acme.local successfully authorized'
"""

# 3. CONFIGURE SYNC SCOPE
"""
- Action: Define which organizational units (OUs), users, or groups are synchronized.
- Reason: Avoid syncing service accounts, test users, or outdated entities.
- Facsimile Example:
  - Include: OU=Finance,DC=acme,DC=local
  - Exclude: OU=TestAccounts,DC=acme,DC=local
  - Tool: Microsoft Entra Admin Center > Identity > Cloud Sync > Configuration Wizard
"""

# 4. MAP ATTRIBUTES (DEFAULT MAPPING)
"""
- Action: Use built-in attribute mappings unless business logic requires otherwise.
- Examples:
  - AD attribute: userPrincipalName -> Entra ID UPN
  - AD attribute: mail -> Entra ID email address
- Comment: Attribute transformations are limited in Cloud Sync but can be edited in the UI.
"""

# 5. VALIDATE SYNC AND IDENTITY STATE
"""
- Action: Review the sync status in the Microsoft Entra admin center and confirm it reports success.
- Output Signals:
  - Sync cycle timestamp (e.g., 08:15 AM UTC, status: success)
  - User object 'John.Doe@acme.com' now visible in Microsoft Entra ID > Users
  - Matching sourceAnchor confirms linkage to on-prem AD object
"""

# 6. TROUBLESHOOTING CHECKPOINTS (Early Signals)
"""
- Failure cases:
  - Agent status offline
  - Duplicate attribute errors (e.g., UPN already in use)
  - Connectivity issues to Entra ID endpoints
- Observation:
  - The admin center shows warnings and sync failures in its dashboard view
- Mitigation:
  - Restart agent service
  - Adjust sync scope to avoid conflicts
"""

# 7. PROJECT WRAP-UP (LEVEL 2)
"""
- Outcome: Initial technical setup completed and validated
- Outcome Artifacts:
  - Agent installed and linked
  - Sync configuration (OUs filtered)
  - Attributes mapped, default rules applied
  - Successful object sync visible in portal
- Foundation built for: Level 3 (custom rules and business logic refinement)
"""
