From 95827b3afd2e50226d72a0db829f79b38b5483b7 Mon Sep 17 00:00:00 2001 From: Ayesha Azeem Date: Thu, 17 Jul 2025 12:39:06 +0500 Subject: [PATCH 1/3] imported script for DM --- scripts/convert-admonitions-plain.js | 151 +++++++++++++++++++++++++++ 1 file changed, 151 insertions(+) create mode 100644 scripts/convert-admonitions-plain.js diff --git a/scripts/convert-admonitions-plain.js b/scripts/convert-admonitions-plain.js new file mode 100644 index 0000000000..f0e1e06efa --- /dev/null +++ b/scripts/convert-admonitions-plain.js @@ -0,0 +1,151 @@ +#!/usr/bin/env node +/** + * convert-admonitions-plain.js + * + * Recursively finds .md files in a given folder (relative to docs/), + * replaces paragraphs starting with NOTE:, CAUTION:, RECOMMENDED:, or Remember, (as plain text, not bold/italic) + * with Docusaurus admonition blocks. + * + * Usage: + * node scripts/convert-admonitions-plain.js + * Example: + * node scripts/convert-admonitions-plain.js accessanalyzer/12.0/install + * + * Only matches plain text forms (not bold/italic). + */ + +const fs = require('fs'); +const path = require('path'); + +const DOCS_ROOT = path.join(__dirname, '..', 'docs'); +const ADMONITION_MAP = { + NOTE: 'note', + CAUTION: 'warning', + RECOMMENDED: 'info', + // Add more mappings here if needed +}; + +function getAllMarkdownFiles(dir) { + let results = []; + const list = fs.readdirSync(dir); + list.forEach(function(file) { + const filePath = path.join(dir, file); + const stat = fs.statSync(filePath); + if (stat && stat.isDirectory()) { + results = results.concat(getAllMarkdownFiles(filePath)); + } else if (file.endsWith('.md')) { + results.push(filePath); + } + }); + return results; +} + +function extractTables(content) { + const tables = []; + let i = 0; + content = content.replace(/((?:^\|.*\n?)+)/gm, match => { + tables.push(match); + return `__TABLE_BLOCK_${i++}__`; + }); + return { content, tables }; +} + +function restoreTables(content, tables) { + tables.forEach((table, i) => { + content = content.replace(`__TABLE_BLOCK_${i}__`, table); + }); + return content; +} + +function convertNoteCautionPlain(content) { + // NOTE: and CAUTION: as plain text only (not bold/italic) + return content.replace( + /(^|\r?\n)([ \t]*)(NOTE|CAUTION):[ \t]*([\s\S]*?)(?=(\r?\n\s*\r?\n|$))/gi, + (match, p1, indent, type, text) => { + const admonition = ADMONITION_MAP[type.toUpperCase()]; + const cleanedText = text.replace(/^[ \t]+/gm, ''); + const blockLines = [ + `:::${admonition}`, + ...cleanedText.split(/\r?\n/), + ':::' + ]; + const block = blockLines.map(line => indent + line).join('\n'); + return `${p1}${block}\n`; + } + ); +} + +function convertRecommendedPlain(content) { + // RECOMMENDED: as plain text only (not bold/italic) + return content.replace( + /(^|\r?\n)([ \t]*)RECOMMENDED:[ \t]*([\s\S]*?)(?=(\r?\n\s*\r?\n|$))/gi, + (match, p1, indent, text) => { + const admonition = ADMONITION_MAP['RECOMMENDED']; + const cleanedText = text.replace(/^[ \t]+/gm, ''); + const blockLines = [ + `:::${admonition}`, + ...cleanedText.split(/\r?\n/), + ':::' + ]; + const block = blockLines.map(line => indent + line).join('\n'); + return `${p1}${block}\n`; + } + ); +} + +function convertRememberPlain(content) { + // Remember, as plain text only (not italics) + return content.replace( + /(^|\r?\n)([ \t]*)Remember,[ \t]*([\s\S]*?)(?=(\r?\n\s*\r?\n|$))/g, + (match, p1, indent, text) => { + const cleanedText = text.replace(/^[ \t]+/gm, ''); + const blockLines = [ + ':::tip', + ...(`${indent}Remember,${cleanedText ? ' ' + cleanedText : ''}`.trimEnd().split(/\r?\n/)), + ':::' + ]; + const block = blockLines.map(line => indent + line).join('\n'); + return `${p1}${block}\n`; + } + ); +} + +function convertAdmonitionsPlain(content) { + content = convertNoteCautionPlain(content); + content = convertRecommendedPlain(content); + content = convertRememberPlain(content); + return content; +} + +function processFile(filePath) { + const content = fs.readFileSync(filePath, 'utf8'); + // Extract tables and replace with placeholders + const { content: contentNoTables, tables } = extractTables(content); + // Convert admonitions in non-table content + let newContent = convertAdmonitionsPlain(contentNoTables); + // Restore tables + newContent = restoreTables(newContent, tables); + if (newContent !== content) { + fs.writeFileSync(filePath, newContent, 'utf8'); + console.log(`Updated: ${filePath}`); + } +} + +function main() { + const relInput = process.argv[2]; + if (!relInput) { + console.error('Usage: node scripts/convert-admonitions-plain.js '); + process.exit(1); + } + const inputDir = path.join(DOCS_ROOT, relInput); + if (!fs.existsSync(inputDir)) { + console.error(`Directory does not exist: ${inputDir}`); + process.exit(1); + } + const mdFiles = getAllMarkdownFiles(inputDir); + mdFiles.forEach(processFile); +} + +if (require.main === module) { + main(); +} \ No newline at end of file From 5c1cad742d1834970be2ae73d9968dc48f4575b9 Mon Sep 17 00:00:00 2001 From: Ayesha Azeem Date: Thu, 17 Jul 2025 12:52:27 +0500 Subject: [PATCH 2/3] imported script for DM --- .../11.1/APIs/contactapis/contactapis.md | 5 +- .../11.1/APIs/contactapis/createcontact.md | 5 +- .../11.1/APIs/contactapis/deletecontact.md | 5 +- .../11.1/APIs/contactapis/deletecontacts.md | 5 +- .../11.1/APIs/contactapis/getcontact.md | 5 +- .../11.1/APIs/contactapis/getcontacts.md | 5 +- .../11.1/APIs/contactapis/updatecontact.md | 5 +- .../APIs/datasourceapis/createds/dsoracle.md | 5 +- .../11.1/APIs/datasourceapis/deleteds.md | 5 +- docs/directorymanager/11.1/APIs/welcome.md | 5 +- .../11.1/APIs/workflowapis/deleteroute.md | 5 +- .../applications/portal/categories/custom.md | 5 +- .../portal/categories/linkedcombo/overview.md | 10 +- .../portal/categories/multivaluedcontrol.md | 7 +- .../applications/portal/categories/textbox.md | 4 +- .../admincenter/applications/portal/create.md | 20 +- .../portal/displaytype/createobject.md | 10 +- .../portal/displaytype/importexport.md | 5 +- .../portal/displaytype/navigationbar.md | 7 +- .../portal/displaytype/objectproperties.md | 5 +- .../portal/displaytype/overview.md | 6 +- .../portal/displaytype/propertyvalidation.md | 10 +- .../portal/displaytype/searchforms.md | 5 +- .../portal/displaytype/searchresults.md | 5 +- .../portal/displaytype/toolbars.md | 10 +- .../applications/portal/overview.md | 5 +- .../applications/portal/server/advanced.md | 10 +- .../applications/portal/server/general.md | 5 +- .../applications/portal/server/log.md | 5 +- .../applications/portal/server/overview.md | 11 +- .../applications/remoteiisprerequisites.md | 13 +- .../11.1/admincenter/authpolicy/mfa.md | 5 +- .../admincenter/authpolicy/setupauth/email.md | 5 +- .../authpolicy/setupauth/linkedaccount.md | 5 +- .../authpolicy/setupauth/windowshello.md | 5 +- .../11.1/admincenter/authpolicy/sfa.md | 5 +- .../11.1/admincenter/datasource/create.md | 35 ++- .../11.1/admincenter/datasource/manage.md | 5 +- .../admincenter/general/changepassword.md | 5 +- .../11.1/admincenter/general/enroll.md | 5 +- .../11.1/admincenter/general/history.md | 5 +- .../11.1/admincenter/general/licensing.md | 15 +- .../helpdesk/operation/resetpassword.md | 10 +- .../helpdesk/operation/unlockaccount.md | 5 +- .../11.1/admincenter/helpdesk/overview.md | 10 +- .../identitystore/configure/authtypes.md | 6 +- .../configure/dynastysettings.md | 12 +- .../configure/groupexpirydeletion.md | 15 +- .../identitystore/configure/grouplifecycle.md | 15 +- .../configure/historytracking.md | 10 +- .../configure/membershiplifecycle.md | 15 +- .../configure/messagingprovider.md | 5 +- .../identitystore/configure/outofbounds.md | 14 +- .../configure/passwordoptions.md | 13 +- .../identitystore/configure/ppe/overview.md | 9 + .../configure/ppe/passphrases.md | 5 +- .../configure/ppe/rules/complexityrule.md | 5 +- .../configure/ppe/rules/historyrule.md | 5 +- .../configure/ppe/rules/maximum_age_rule.md | 10 +- .../configure/ppe/rules/minimum_age_rule.md | 5 +- .../configure/ppe/usersgroups.md | 5 +- .../identitystore/configure/prefixes.md | 10 +- .../configure/profilevalidation.md | 10 +- .../configure/secondwayauthentication.md | 10 +- .../identitystore/configure/smtpserver.md | 30 +- .../11.1/admincenter/identitystore/create.md | 10 +- .../admincenter/identitystore/link/manage.md | 15 +- .../identitystore/link/overview.md | 10 +- .../11.1/admincenter/identitystore/manage.md | 10 +- .../admincenter/identitystore/overview.md | 6 +- .../admincenter/identitystore/replication.md | 10 +- .../admincenter/notification/customize.md | 5 +- .../11.1/admincenter/replication/overview.md | 10 +- .../11.1/admincenter/replication/settings.md | 5 +- .../admincenter/schedule/grouplifecycle.md | 5 +- .../admincenter/schedule/groupusageservice.md | 10 +- .../admincenter/schedule/historyretention.md | 5 +- .../schedule/membershiplifecycle.md | 5 +- .../11.1/admincenter/schedule/overview.md | 10 +- .../11.1/admincenter/schedule/reports.md | 5 +- .../admincenter/schedule/schemareplication.md | 5 +- .../admincenter/schedule/smartgroupupdate.md | 15 +- .../11.1/admincenter/securityrole/create.md | 5 +- .../11.1/admincenter/securityrole/manage.md | 5 +- .../11.1/admincenter/securityrole/overview.md | 5 +- .../admincenter/securityrole/permissions.md | 32 ++- .../securityrole/policy/authentication.md | 5 +- .../securityrole/policy/groupowners.md | 11 +- .../securityrole/policy/helpdesk.md | 36 ++- .../securityrole/policy/newobject.md | 15 +- .../securityrole/policy/overview.md | 5 +- .../securityrole/policy/password.md | 5 +- .../securityrole/policy/querydesigner.md | 15 +- .../admincenter/securityrole/policy/search.md | 10 +- .../securityrole/policy/synchronize.md | 15 +- .../admincenter/service/dataservice/create.md | 5 +- .../admincenter/service/dataservice/manage.md | 10 +- .../admincenter/service/replicationservice.md | 5 +- .../service/securityservice/create.md | 5 +- .../service/securityservice/manage.md | 5 +- .../service/securityservice/signkeyutility.md | 5 +- .../11.1/admincenter/signin.md | 15 +- .../admincenter/workflow/advancedsettings.md | 5 +- .../workflow/approveracceleration.md | 15 +- .../11.1/admincenter/workflow/implement.md | 12 +- .../11.1/admincenter/workflow/integrate.md | 17 +- .../11.1/admincenter/workflow/overview.md | 10 +- .../asidentityprovider/register.md | 5 +- .../adfs/configureadfsindirectorymanager.md | 5 +- .../asserviceprovider/adfs/generateurls.md | 5 +- .../11.1/configureentraid/createid.md | 5 +- .../configureentraid/register/appregister.md | 5 +- .../configureentraid/register/overview.md | 5 +- .../11.1/credentialprovider/installcp.md | 10 +- .../11.1/install/configure/database.md | 45 ++- .../11.1/install/configure/gidserver.md | 35 ++- .../install/configure/setupauthentication.md | 8 +- .../11.1/install/configure/signingkeyinfo.md | 27 ++ .../11.1/install/installer/installer.md | 15 +- .../11.1/install/installer/preparationtool.md | 5 +- .../11.1/install/installer/uninstall.md | 5 +- .../11.1/install/securityutility.md | 10 +- .../11.1/install/upgrade/backuprestore.md | 13 +- .../11.1/install/upgrade/notes.md | 5 +- .../11.1/install/upgrade/overview.md | 5 +- .../11.1/install/upgrade/upgrade.md | 34 ++- .../identitystore/clearmessagingserver.md | 5 +- .../identitystore/clearsmtpserver.md | 5 +- .../identitystore/newidentitystore.md | 15 +- .../identitystore/setidentitystore.md | 25 +- .../11.1/managementshell/overview.md | 20 +- .../managementshell/scheduling/newschedule.md | 5 +- .../smartgroup/newsmartgroup.md | 5 +- .../smartgroup/upgradegroup.md | 5 +- .../userlifecycle/terminatedirectreports.md | 5 +- .../userlifecycle/transferdirectreports.md | 5 +- .../11.1/portal/entitlement/fileservers.md | 5 +- .../portal/entitlement/sharepointsites.md | 10 +- .../11.1/portal/generalfeatures/find.md | 5 +- .../portal/generalfeatures/querysearch.md | 5 +- .../11.1/portal/generalfeatures/search.md | 25 +- .../11.1/portal/generalfeatures/user.md | 10 +- .../11.1/portal/group/create/AD/general.md | 17 +- .../11.1/portal/group/create/AD/group.md | 10 +- .../11.1/portal/group/create/AD/smartgroup.md | 5 +- .../portal/group/create/EntraID/general.md | 7 +- .../11.1/portal/group/create/EntraID/group.md | 23 +- .../portal/group/dynasty/AD/createdynasty.md | 52 +++- .../group/dynasty/EntraID/createdynasty.md | 52 +++- .../portal/group/dynasty/EntraID/general.md | 12 +- .../11.1/portal/group/overview.md | 10 +- .../11.1/portal/group/properties/advanced.md | 10 +- .../portal/group/properties/dynastyoptions.md | 267 +++++++++++++++++- .../11.1/portal/group/properties/email.md | 5 +- .../11.1/portal/group/properties/general.md | 25 +- .../portal/group/properties/importmembers.md | 5 +- .../11.1/portal/group/properties/members.md | 17 +- .../11.1/portal/group/properties/overview.md | 5 +- .../11.1/portal/group/properties/owner.md | 27 +- .../portal/group/properties/smartgroup.md | 10 +- .../group/querydesigner/filtercriteria.md | 5 +- .../portal/group/querydesigner/general.md | 5 +- .../group/querydesigner/includeexclude.md | 5 +- .../portal/group/querydesigner/overview.md | 10 +- .../11.1/portal/group/recyclebin/overview.md | 20 +- .../11.1/portal/group/transferownership.md | 5 +- .../group/workingwithgroups/attestation.md | 7 +- .../workingwithgroups/generalfunction.md | 5 +- .../workingwithgroups/groupexpiryfunction.md | 10 +- .../group/workingwithgroups/groupjoinleave.md | 25 +- .../groupmembershipfunction.md | 32 ++- .../groupownershipfunction.md | 37 ++- .../group/workingwithgroups/scheduleupdate.md | 15 +- .../workingwithgroups/sendassendonbehalf.md | 5 +- .../11.1/portal/history/mydirectreport.md | 5 +- docs/directorymanager/11.1/portal/login.md | 5 +- .../11.1/portal/reports/dashboard.md | 5 +- .../11.1/portal/request/overview.md | 10 +- .../secondfactorauthentication.md | 22 +- .../portal/synchronize/collection/create.md | 5 +- .../collection/schedulingandnotification.md | 5 +- .../11.1/portal/synchronize/create/create.md | 5 +- .../create/objectfieldsandmapping.md | 9 +- .../create/scheduleandnotification.md | 10 +- .../synchronize/create/selectedfield.md | 5 +- .../dtmscript/visualbasicnetbasic.md | 5 +- .../synchronize/manage/jobcollection.md | 5 +- .../autogenerateuniquepassword.md | 10 +- .../synchronize/transformation/overview.md | 5 +- .../11.1/portal/user/create/AD/contact.md | 15 +- .../11.1/portal/user/create/AD/mailbox.md | 10 +- .../11.1/portal/user/create/AD/messaging.md | 7 +- .../11.1/portal/user/create/AD/user.md | 20 +- .../portal/user/create/EntraID/mailbox.md | 10 +- .../11.1/portal/user/create/EntraID/user.md | 15 +- .../11.1/portal/user/linkedaccounts.md | 10 +- .../11.1/portal/user/manage/changepassword.md | 5 +- .../11.1/portal/user/manage/directreport.md | 5 +- .../11.1/portal/user/manage/unlockaccount.md | 5 +- .../portal/user/manage/validateprofile.md | 20 +- .../11.1/portal/user/overview.md | 5 +- .../AD/useroverview/organization.md | 20 +- .../user/properties/EntraID/identity.md | 5 +- .../11.1/portal/user/properties/overview.md | 5 +- docs/directorymanager/11.1/portal/welcome.md | 5 +- .../11.1/requirements/database.md | 5 +- .../11.1/requirements/hardware.md | 5 +- .../permissions/adserviceaccount.md | 5 +- .../permissions/gmsarequirements.md | 5 +- 209 files changed, 1959 insertions(+), 437 deletions(-) diff --git a/docs/directorymanager/11.1/APIs/contactapis/contactapis.md b/docs/directorymanager/11.1/APIs/contactapis/contactapis.md index 856c2e001c..be205d5ef1 100644 --- a/docs/directorymanager/11.1/APIs/contactapis/contactapis.md +++ b/docs/directorymanager/11.1/APIs/contactapis/contactapis.md @@ -15,4 +15,7 @@ Directory Manager provides the following APIs to perform contact-specific functi - [Get Contacts](/docs/directorymanager/11.1/APIs/contactapis/getcontacts.md) - [Update a Contact](/docs/directorymanager/11.1/APIs/contactapis/updatecontact.md) -NOTE: The contact object type is not supported in a Microsoft Entra ID based identity store. +:::note +The contact object type is not supported in a Microsoft Entra ID based identity store. + +::: diff --git a/docs/directorymanager/11.1/APIs/contactapis/createcontact.md b/docs/directorymanager/11.1/APIs/contactapis/createcontact.md index 40209c9a24..75d6455a3a 100644 --- a/docs/directorymanager/11.1/APIs/contactapis/createcontact.md +++ b/docs/directorymanager/11.1/APIs/contactapis/createcontact.md @@ -8,7 +8,10 @@ sidebar_position: 10 Using this API you can create a contact in the specified identity store. -NOTE: The contact object type is not supported in a Microsoft Entra ID based identity store. +:::note +The contact object type is not supported in a Microsoft Entra ID based identity store. +::: + ## Endpoint diff --git a/docs/directorymanager/11.1/APIs/contactapis/deletecontact.md b/docs/directorymanager/11.1/APIs/contactapis/deletecontact.md index 9717196c5e..c22f57494f 100644 --- a/docs/directorymanager/11.1/APIs/contactapis/deletecontact.md +++ b/docs/directorymanager/11.1/APIs/contactapis/deletecontact.md @@ -8,7 +8,10 @@ sidebar_position: 20 Using this API you can delete a specified contact from the specified identity store. -NOTE: The contact object type is not supported in a Microsoft Entra ID based identity store. +:::note +The contact object type is not supported in a Microsoft Entra ID based identity store. +::: + ## Endpoint diff --git a/docs/directorymanager/11.1/APIs/contactapis/deletecontacts.md b/docs/directorymanager/11.1/APIs/contactapis/deletecontacts.md index ce116188c8..6389ee00df 100644 --- a/docs/directorymanager/11.1/APIs/contactapis/deletecontacts.md +++ b/docs/directorymanager/11.1/APIs/contactapis/deletecontacts.md @@ -8,7 +8,10 @@ sidebar_position: 30 This API is for deleting multiple contacts from a specified identity store. -NOTE: The contact object type is not supported in a Microsoft Entra ID based identity store. +:::note +The contact object type is not supported in a Microsoft Entra ID based identity store. +::: + ## Endpoint diff --git a/docs/directorymanager/11.1/APIs/contactapis/getcontact.md b/docs/directorymanager/11.1/APIs/contactapis/getcontact.md index ac06385b21..bab571d531 100644 --- a/docs/directorymanager/11.1/APIs/contactapis/getcontact.md +++ b/docs/directorymanager/11.1/APIs/contactapis/getcontact.md @@ -8,7 +8,10 @@ sidebar_position: 40 Use this API to retrieve information about a contact in a specified identity store. -NOTE: The contact object type is not supported in a Microsoft Entra ID based identity store. +:::note +The contact object type is not supported in a Microsoft Entra ID based identity store. +::: + ## Endpoint diff --git a/docs/directorymanager/11.1/APIs/contactapis/getcontacts.md b/docs/directorymanager/11.1/APIs/contactapis/getcontacts.md index 838643836c..0f1d97c57a 100644 --- a/docs/directorymanager/11.1/APIs/contactapis/getcontacts.md +++ b/docs/directorymanager/11.1/APIs/contactapis/getcontacts.md @@ -8,7 +8,10 @@ sidebar_position: 50 Use this API to retrieve information of multiple contacts from a specified identity store. -NOTE: The contact object type is not supported in a Microsoft Entra ID based identity store. +:::note +The contact object type is not supported in a Microsoft Entra ID based identity store. +::: + ## Endpoint diff --git a/docs/directorymanager/11.1/APIs/contactapis/updatecontact.md b/docs/directorymanager/11.1/APIs/contactapis/updatecontact.md index ac50cb8e30..02971278da 100644 --- a/docs/directorymanager/11.1/APIs/contactapis/updatecontact.md +++ b/docs/directorymanager/11.1/APIs/contactapis/updatecontact.md @@ -9,7 +9,10 @@ sidebar_position: 60 Use this API if you want to update a contact's attribute(s) and their value(s) in a specified identity store. -NOTE: The contact object type is not supported in a Microsoft Entra ID based identity store. +:::note +The contact object type is not supported in a Microsoft Entra ID based identity store. +::: + ## Endpoint diff --git a/docs/directorymanager/11.1/APIs/datasourceapis/createds/dsoracle.md b/docs/directorymanager/11.1/APIs/datasourceapis/createds/dsoracle.md index 45beb9fdeb..92bb59e78f 100644 --- a/docs/directorymanager/11.1/APIs/datasourceapis/createds/dsoracle.md +++ b/docs/directorymanager/11.1/APIs/datasourceapis/createds/dsoracle.md @@ -28,8 +28,11 @@ Oracle server or a specific database on a server. This data source can be used i source and destination provider in Synchronize jobs. This provider supports dynamic schema detection. -NOTE: Oracle client must be installed to use this provider. Make sure you reboot your computer after +:::note +Oracle client must be installed to use this provider. Make sure you reboot your computer after installing the Oracle client. +::: + ``` { diff --git a/docs/directorymanager/11.1/APIs/datasourceapis/deleteds.md b/docs/directorymanager/11.1/APIs/datasourceapis/deleteds.md index b0572aa93c..22c1f2af08 100644 --- a/docs/directorymanager/11.1/APIs/datasourceapis/deleteds.md +++ b/docs/directorymanager/11.1/APIs/datasourceapis/deleteds.md @@ -8,8 +8,11 @@ sidebar_position: 20 This API can be used for deleting a specified data source. -NOTE: Deleting a data source corrupts all Synchronize jobs, membership queries, and search queries +:::note +Deleting a data source corrupts all Synchronize jobs, membership queries, and search queries using that data source. +::: + ## Endpoint diff --git a/docs/directorymanager/11.1/APIs/welcome.md b/docs/directorymanager/11.1/APIs/welcome.md index 67d3d609d3..c455c37433 100644 --- a/docs/directorymanager/11.1/APIs/welcome.md +++ b/docs/directorymanager/11.1/APIs/welcome.md @@ -20,6 +20,9 @@ first and last of these is clear, but `POST` and `PATCH` have specific meanings. defined is confusing, but the general rule is: use `POST` to create resources, `PUT` and `PATCH` to update resources. -NOTE: All the APIs documented in the API section are for an Active Directory based identity store. +:::note +All the APIs documented in the API section are for an Active Directory based identity store. In each API, the **Sample Request Syntax** and the **Sample Response Syntax** sections have attributes that are supported in an Active Directory based identity store. + +::: diff --git a/docs/directorymanager/11.1/APIs/workflowapis/deleteroute.md b/docs/directorymanager/11.1/APIs/workflowapis/deleteroute.md index 0522497bd9..9ca159ea92 100644 --- a/docs/directorymanager/11.1/APIs/workflowapis/deleteroute.md +++ b/docs/directorymanager/11.1/APIs/workflowapis/deleteroute.md @@ -8,7 +8,10 @@ sidebar_position: 50 You can use this API to delete a user-defined workflow route. -NOTE: You cannot delete a system workflow. +:::note +You cannot delete a system workflow. +::: + ## Endpoint diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/categories/custom.md b/docs/directorymanager/11.1/admincenter/applications/portal/categories/custom.md index 07426fb7cb..068b1a637d 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/categories/custom.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/categories/custom.md @@ -32,7 +32,10 @@ value for the linked attribute. You can delete custom display types, including linked combos. -NOTE: You cannot delete a custom display type that has been linked to a field in the portal. +:::note +You cannot delete a custom display type that has been linked to a field in the portal. +::: + To delete a custom display type: diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/categories/linkedcombo/overview.md b/docs/directorymanager/11.1/admincenter/applications/portal/categories/linkedcombo/overview.md index bd168ef0af..20f9064afa 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/categories/linkedcombo/overview.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/categories/linkedcombo/overview.md @@ -29,7 +29,10 @@ Before creating a linked combo, you must create and maintain an external data fi data and relationships for the required fields. The data source file is used to populate the linked combo and the fields linked to it. -NOTE: When defining a linked combo, consider the following: +:::note +When defining a linked combo, consider the following: +::: + - You can define multiple linked combos for an object, provided that different attributes are used for the combos. For example, you define a linked combo for the user object using the company, @@ -46,7 +49,10 @@ be in a specific format for Directory Manager to process it. For information about the Excel file format, see the [Excel Data File Format](/docs/directorymanager/11.1/admincenter/applications/portal/categories/linkedcombo/fileformat.md) topic. -NOTE: If data in the source file is updated, you must reload the file for changes to take effect. +:::note +If data in the source file is updated, you must reload the file for changes to take effect. +::: + ## Define a Linked Combo Display Type diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/categories/multivaluedcontrol.md b/docs/directorymanager/11.1/admincenter/applications/portal/categories/multivaluedcontrol.md index f81585ff1d..dea4717c0f 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/categories/multivaluedcontrol.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/categories/multivaluedcontrol.md @@ -56,12 +56,15 @@ schema attribute you link this display type with. The **Accessibility** drop-down list displays all predefined and user-defined security roles. - NOTE: (1) If a user has visibility on a value but not accessibility, and that value is set + :::note + (1) If a user has visibility on a value but not accessibility, and that value is set as default (see Step 9), then in the portal, the value will be displayed as selected to the user. Once the user removes it, he or she cannot select it again from the multi-valued drop-down list. - (2) If a user has accessibility on a value but not visibility, the value will not be + (2) If a user has accessibility on a value but not visibility, the value will not be displayed to the user. Hence, accessibility will have no impact. + ::: + 5. Click **OK**. The value is listed in the **Values** area, represented by its display text. diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/categories/textbox.md b/docs/directorymanager/11.1/admincenter/applications/portal/categories/textbox.md index 8a1090bd51..3a281c5951 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/categories/textbox.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/categories/textbox.md @@ -100,4 +100,6 @@ The API returns the following parameters: | message | (Optional) For the ‘false’ status, you can return an error message in this parameter, that is displayed to the user. | | data | Not in use | -NOTE: Data should be in JSON format. \ No newline at end of file +:::note +Data should be in JSON format. +::: diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/create.md b/docs/directorymanager/11.1/admincenter/applications/portal/create.md index 33985ed212..5ccc23ebca 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/create.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/create.md @@ -126,8 +126,11 @@ located on disk. - The **Import Design** option for identity stores in the Select Identity Stores area - The Advanced Settings area - NOTE: Directory Manager does not support the upgrade of a Password Center portal (from a + :::note + Directory Manager does not support the upgrade of a Password Center portal (from a previous version) to an SSPR portal. You have to create the SSPR portal as a new portal. + ::: + 12. In the **Select Identity Stores** area, select the check boxes for the identity stores you want to associate with the portal. Users in the associated identity stores can sign into the portal @@ -288,7 +291,10 @@ the portal there and run the portal from within that container. For an overview on application deployment in Docker, see the [Prerequisites for Deployments in Docker](/docs/directorymanager/11.1/admincenter/applications/dockerprerequisites.md) topic. -NOTE: To host the portal, Docker daemon should be configured to run Windows containers. +:::note +To host the portal, Docker daemon should be configured to run Windows containers. +::: + **To create a portal:** @@ -327,8 +333,11 @@ Creating an SSPR portal is similar to creating a standard Directory Manager port select the **Password Center Mode** check box on the Create GroupID Application page. For details, see Step 11 in the he Create a Portal in Native IIS topic. -NOTE: Directory Manager does not support the upgrade of a Password Center portal (from a previous +:::note +Directory Manager does not support the upgrade of a Password Center portal (from a previous version) to an SSPR portal. You have to create the SSPR portal as a new portal. +::: + ## Deploy Another Instance of a Portal @@ -341,8 +350,11 @@ server and design configurations, while only deployment details differ. For exam serve the same identity stores and have the same display and search-related configurations. Changing a shared setting propagates to all deployment instances of the portal. -NOTE: A SSPR portal does not have design settings. Hence, only server settings are shared across +:::note +A SSPR portal does not have design settings. Hence, only server settings are shared across multiple instances. +::: + **To deploy an instance:** diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/createobject.md b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/createobject.md index 1486be10e7..8fe8ae2f95 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/createobject.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/createobject.md @@ -21,10 +21,13 @@ Using a portal, users can create different directory objects, namely: The portal provides a separate wizard for creating each of these objects. You can customize a wizard as needed. -NOTE: In the portal, the _Create Group_ wizard starts with the _Group Type_ page, where users can +:::note +In the portal, the _Create Group_ wizard starts with the _Group Type_ page, where users can select the type of group they want to create. Options on this page vary, depending on the permissions assigned to the user in the identity store. (See the [Security Role – Permissions](/docs/directorymanager/11.1/admincenter/securityrole/permissions.md) topic.) +::: + - If a user has the _Create Static Group_ permission and is denied the _Create Smart Group_ permission, only the _Static Group_ option is displayed on the _Group Type_ page. @@ -32,8 +35,11 @@ permissions assigned to the user in the identity store. (See the permission, all options except _Static Group_ are displayed on the _Group Type_ page. ![group_type](/img/product_docs/directorymanager/11.1/admincenter/portal/design/group_type.webp) -NOTE: You can customize the _Group Type_ page individually for static group, Smart Group, and each +:::note +You can customize the _Group Type_ page individually for static group, Smart Group, and each of the Dynasty types. However: +::: + - If a user has permissions to create both static groups and Smart Groups, the _Group Type_ page created for _Static Group_ would be displayed to the user in the portal. diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/importexport.md b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/importexport.md index d9eae53e92..f93307241f 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/importexport.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/importexport.md @@ -33,8 +33,11 @@ wizards in the portal: | Import Additional Owners | This wizard is used to import additional owners to a group using an external file. Users can launch it from the Owners page on the Create Group wizard and from the Owner tab in group properties. | | Export Additional Owners | This wizard is used to export the additional owners of a group to an external file. Users can launch it from the Owner tab in group properties. | -NOTE: The attributes you specify apply to all four wizards. You cannot specify a different set of +:::note +The attributes you specify apply to all four wizards. You cannot specify a different set of attributes for a wizard. +::: + ## Specify Attributes for Import and Export diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/navigationbar.md b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/navigationbar.md index 4cf39d47e0..29dd53cc18 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/navigationbar.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/navigationbar.md @@ -97,8 +97,11 @@ Note the following: - If an image has been uploaded, the very image is displayed. Click the icon below the image to replace the existing image with a new one. - NOTE: Image dimensions: 30 x 30 pixels - Supported formats: .webp, .jpg, .jpe, .jpeg + :::note + Image dimensions: 30 x 30 pixels + Supported formats: .webp, .jpg, .jpe, .jpeg + ::: + 11. Click **OK**. 12. Click **Save** on the **Navigation Bar** page. diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/objectproperties.md b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/objectproperties.md index 2c65b83342..54dd5656d0 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/objectproperties.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/objectproperties.md @@ -20,8 +20,11 @@ directory objects: - Computer (Only available for adding to group memberships in the portal. Its properties are read-only.) -NOTE: A Microsoft Entra ID identity store does not support the _computer_ and _contact_ object +:::note +A Microsoft Entra ID identity store does not support the _computer_ and _contact_ object types. +::: + In the Directory Manager portal, the properties page of an object has multiple tabs, where each tab groups similar attributes. These tabs are referred to as categories. diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/overview.md b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/overview.md index 66852da784..12a6936c9a 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/overview.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/overview.md @@ -51,5 +51,7 @@ You can customize the following for a portal: Groups** tab in group properties. See the [Specify Attributes for Object List View](/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/objectlist.md) topic. -NOTE: Design settings are available for a standard Directory Manager portal, and not for a -Self-Service Password Reset portal. \ No newline at end of file +:::note +Design settings are available for a standard Directory Manager portal, and not for a +Self-Service Password Reset portal. +::: diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/propertyvalidation.md b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/propertyvalidation.md index 3eb98d4942..a49b52169e 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/propertyvalidation.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/propertyvalidation.md @@ -29,9 +29,12 @@ You can specify the schema attributes (fields) for user profile validation. Thes (fields) are displayed on the **Validate Profile Properties** window of the portal, where users can validate and update the values for these attributes. -NOTE: A few fields for profile validation are specified in the default portal template. You can add +:::note +A few fields for profile validation are specified in the default portal template. You can add more fields, edit the existing fields, or remove them. However, the **My Direct Reports** field can neither be edited nor removed. +::: + ### Property Validation for Groups @@ -53,9 +56,12 @@ You can specify the schema attributes (fields) for group attestation. These attr displayed on the **Attest & Renew Group** wizard in the portal, where group owners can validate and update the values for these attributes. -NOTE: A few fields for group attestation are specified in the default portal template. You can add +:::note +A few fields for group attestation are specified in the default portal template. You can add more fields, edit the existing fields, or remove them. However, the _Members_ grid can neither be edited nor removed. +::: + What do you want to do? diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/searchforms.md b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/searchforms.md index 2c497804a1..b6005ac088 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/searchforms.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/searchforms.md @@ -13,7 +13,10 @@ You can customize the search forms for a portal. You can: - Remove fields - Change the arrangement of fields on a page -NOTE: You can only customize existing search forms; you cannot add new ones. +:::note +You can only customize existing search forms; you cannot add new ones. +::: + ### Customizable Search Forms diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/searchresults.md b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/searchresults.md index 50539fabd3..c7dd3343c0 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/searchresults.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/searchresults.md @@ -13,7 +13,10 @@ You can customize the search result pages for a portal. You can: - Remove fields - Change the arrangement of fields on a page -NOTE: You can only customize existing search result pages; you cannot add new ones. +:::note +You can only customize existing search result pages; you cannot add new ones. +::: + ### Customizable Search Results Pages diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/toolbars.md b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/toolbars.md index b8aec53006..7137832709 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/toolbars.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/toolbars.md @@ -47,8 +47,11 @@ You can customize the following toolbars: | Group Member Of Grid | The **Member Of** tab in group properties | | Direct Reports Grid | The **Organization** tab in user properties | -NOTE: The **Computer Members of Grid** and **Contact Member of Grid** toolbars are not available for +:::note +The **Computer Members of Grid** and **Contact Member of Grid** toolbars are not available for a Microsoft Entra ID identity store. +::: + The buttons available on these toolbars are predefined. You cannot add or remove a button, but you can update a few details for a button, such as its name and image. @@ -81,7 +84,10 @@ can update a few details for a button, such as its name and image. - If an image has been uploaded, the very image is displayed. Click **Upload** to replace the existing image with a new one. - NOTE: Image dimensions: 30 x 30 pixels + :::note + Image dimensions: 30 x 30 pixels + ::: + Supported formats: .webp, .jpg, .jpe, .jpeg diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/overview.md b/docs/directorymanager/11.1/admincenter/applications/portal/overview.md index 20873b20e1..891a40ee43 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/overview.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/overview.md @@ -45,8 +45,11 @@ i.e., the password for the account they use to access their workstations and oth services. Users can change and reset their passwords, as well as unlock their accounts. They can also enroll their accounts in Directory Manager and link accounts in different identity stores. -NOTE: Directory Manager does not support the upgrade of a Password Center portal (from a previous +:::note +Directory Manager does not support the upgrade of a Password Center portal (from a previous version) to an SSPR portal. You have to create the SSPR portal as a new portal. +::: + ## Linked Identity Stores and the Portal diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/server/advanced.md b/docs/directorymanager/11.1/admincenter/applications/portal/server/advanced.md index c8ac2463a1..bc20977805 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/server/advanced.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/server/advanced.md @@ -10,8 +10,11 @@ Advanced settings allow you to customize the functionality and appearance of a p you can set the default landing page, change the portal logo, show or hide the help link, display enrollment reminders, and more. -NOTE: Advanced settings are available for a standard Directory Manager portal, and not for a +:::note +Advanced settings are available for a standard Directory Manager portal, and not for a Self-Service Password Reset portal. +::: + Default values for all advanced settings are specified for a portal. You can update any setting as required. You can also import these advanced settings for a portal from a previous Directory Manager @@ -51,8 +54,11 @@ You can manage the following advanced settings for a portal: | Display Groups in My Dynasties | Controls whether to display the Dynasties for which the logged-on user is an additional owner, on the portal’s **My Dynasties** tab. By default, the tab displays the Dynasties that the logged-on user is the primary owner. Enable this setting to include Dynasties for which the logged-on user is an additional owner. Note that this setting applies individually to parent, middle, and leaf Dynasties. | | Display Additional Manager Direct Reports | Controls whether to display the direct reports for whom the logged-on user is an additional manager, on the portal’s **My Direct Reports** tab. By default, the tab displays the direct reports that the logged-on user is the primary manager. Enable this setting to include direct reports for whom the logged-on user is an additional manager. | -NOTE: Individual users can personalize all except the _Display Nested Ownership_ setting from the +:::note +Individual users can personalize all except the _Display Nested Ownership_ setting from the **Settings** panel in the portal. +::: + ## Miscellaneous diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/server/general.md b/docs/directorymanager/11.1/admincenter/applications/portal/server/general.md index ac3f44cc40..bc2202b9d0 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/server/general.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/server/general.md @@ -50,7 +50,10 @@ a user must select an identity store to connect to, for performing password mana 4. Click **Save.** -NOTE: You may observe the following message on the **Server Settings – General** page: +:::note +You may observe the following message on the **Server Settings – General** page: +::: + ![linked_message](/img/product_docs/directorymanager/11.1/admincenter/portal/linked_message.webp) diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/server/log.md b/docs/directorymanager/11.1/admincenter/applications/portal/server/log.md index 4ed71ab0d0..f54638066a 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/server/log.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/server/log.md @@ -45,7 +45,10 @@ The Windows Event Viewer shows a log of application and system messages, includi information messages, and warnings. It is a useful tool for troubleshooting all kinds of Windows problems. -NOTE: Windows logging is not available for a portal instance deployed in Docker. +:::note +Windows logging is not available for a portal instance deployed in Docker. +::: + #### View Windows Logs diff --git a/docs/directorymanager/11.1/admincenter/applications/portal/server/overview.md b/docs/directorymanager/11.1/admincenter/applications/portal/server/overview.md index 226f629c89..cf68a5766e 100644 --- a/docs/directorymanager/11.1/admincenter/applications/portal/server/overview.md +++ b/docs/directorymanager/11.1/admincenter/applications/portal/server/overview.md @@ -15,8 +15,11 @@ or Docker). You can manage the following server-related settings for a portal: URL. - Specify search-related, group-related, and other advanced settings for a portal. - NOTE: Advanced settings are available for a standard Directory Manager portal, but not for a + :::note + Advanced settings are available for a standard Directory Manager portal, but not for a Self-Service Password Reset portal. + ::: + You can also view the deployment details for all instances of a portal and do the following: @@ -25,5 +28,7 @@ You can also view the deployment details for all instances of a portal and do th - Delete an instance. - Move a portal instance under a different site in IIS. -NOTE: On changing some of these settings, the portal’s session ends and all connected users are -logged out. When accessed again, the portal runs under the new configurations. \ No newline at end of file +:::note +On changing some of these settings, the portal’s session ends and all connected users are +logged out. When accessed again, the portal runs under the new configurations. +::: diff --git a/docs/directorymanager/11.1/admincenter/applications/remoteiisprerequisites.md b/docs/directorymanager/11.1/admincenter/applications/remoteiisprerequisites.md index 2387fa934d..737825ed77 100644 --- a/docs/directorymanager/11.1/admincenter/applications/remoteiisprerequisites.md +++ b/docs/directorymanager/11.1/admincenter/applications/remoteiisprerequisites.md @@ -117,8 +117,17 @@ The next step is to assign permissions on the physical folder that binds to your ``` - Remember, to provide values for alias "site name" and path "physical folder location of the - site", created in the section Create a Site in Remote IIS. + :::tip + :::tip + :::tip + Remember, to provide values for alias "site name" and path "physical folder location of the + site", created in the section Create a Site in Remote IIS. + ::: + ::: + ::: + + + ## Generate an Access Key diff --git a/docs/directorymanager/11.1/admincenter/authpolicy/mfa.md b/docs/directorymanager/11.1/admincenter/authpolicy/mfa.md index 58f71f0c4b..b6edb7e8e9 100644 --- a/docs/directorymanager/11.1/admincenter/authpolicy/mfa.md +++ b/docs/directorymanager/11.1/admincenter/authpolicy/mfa.md @@ -21,10 +21,13 @@ Helpdesk users with restricted access also use authentication type(s) to authent before resetting their password or unlocking their identity store account. See the [Set Restricted Mode](/docs/directorymanager/11.1/admincenter/securityrole/policy/helpdesk.md#set-restricted-mode) topic. -NOTE: Multifactor authentication defined in Microsoft Entra Admin Center does not integrate with MFA +:::note +Multifactor authentication defined in Microsoft Entra Admin Center does not integrate with MFA in Directory Manager. See the [Multifactor Authentication Policy](/docs/directorymanager/11.1/admincenter/identitystore/advsentraid.md#multifactor-authentication-policy) topic. +::: + What do you want to do? diff --git a/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/email.md b/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/email.md index ace8cc4fad..bfea04c77c 100644 --- a/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/email.md +++ b/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/email.md @@ -14,8 +14,11 @@ Directory Manager provides a default notification template for enrollment/authen in various languages. You can change the subject line and the body text in the template for any of these languages. -NOTE: Before configuring Email authentication, make sure that an SMTP server is configured for the +:::note +Before configuring Email authentication, make sure that an SMTP server is configured for the identity store. See the [Configure an SMTP Server](/docs/directorymanager/11.1/admincenter/identitystore/configure/smtpserver.md) topic. +::: + What do you want to do? diff --git a/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/linkedaccount.md b/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/linkedaccount.md index 0b94e32096..7b35ed48c3 100644 --- a/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/linkedaccount.md +++ b/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/linkedaccount.md @@ -15,7 +15,10 @@ assume a user links his or her accounts in Identity Store A and Identity Store B Account authentication type, the user can unlock the Identity Store A account by providing the credentials of the Identity Store B account and vice versa. -NOTE: The Linked Account authentication type is available for multifactor authentication only. +:::note +The Linked Account authentication type is available for multifactor authentication only. +::: + What do you want to do? diff --git a/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/windowshello.md b/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/windowshello.md index 6ee57c7c2f..281fd58d4c 100644 --- a/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/windowshello.md +++ b/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/windowshello.md @@ -9,7 +9,10 @@ sidebar_position: 50 The Windows Hello authentication type can be used on Windows 10 devices only with specialized hardware installed, such as fingerprint reader and 3D camera. -NOTE: Windows Hello supports the Microsoft Edge browser only. +:::note +Windows Hello supports the Microsoft Edge browser only. +::: + What do you want to do? diff --git a/docs/directorymanager/11.1/admincenter/authpolicy/sfa.md b/docs/directorymanager/11.1/admincenter/authpolicy/sfa.md index e491319c7e..3c27e63c37 100644 --- a/docs/directorymanager/11.1/admincenter/authpolicy/sfa.md +++ b/docs/directorymanager/11.1/admincenter/authpolicy/sfa.md @@ -15,7 +15,10 @@ Once enrolled, role members must authenticate their accounts using an authentica enrolled with, while signing into Admin Center or theDirectory Manager portal. Users enrolled with multiple authentication types can use any one type to authenticate. -NOTE: Directory Manager SFA does not apply to Microsoft Entra ID MFA enabled users. +:::note +Directory Manager SFA does not apply to Microsoft Entra ID MFA enabled users. +::: + What do you want to do? diff --git a/docs/directorymanager/11.1/admincenter/datasource/create.md b/docs/directorymanager/11.1/admincenter/datasource/create.md index a05a0e93f9..4874278596 100644 --- a/docs/directorymanager/11.1/admincenter/datasource/create.md +++ b/docs/directorymanager/11.1/admincenter/datasource/create.md @@ -55,8 +55,11 @@ Step 6 – In the File Path box, provide the path to the MS Excel file you want source for. This path should be complete with the file name and extension. For example: D:\Employee Records\Sheets\EmployeeMedical Records.xlsx -NOTE: The MS Excel file must be placed either on the machine that Data service is installed on, or a +:::note +The MS Excel file must be placed either on the machine that Data service is installed on, or a location that Data service can access. +::: + Step 7 – In case the file is placed on a network path, enter the network domain or hostname in the Domain/Hostname box. @@ -88,7 +91,10 @@ Step 7 – In the Registered Application ID on Azure Active Directory box, enter assigned to the Directory Manager application when you registered it in Microsoft Entra Admin Center. -NOTE: The registered app must have the following API permissions to access files on OneDrive: +:::note +The registered app must have the following API permissions to access files on OneDrive: +::: + ![API permissions](/img/product_docs/directorymanager/11.1/admincenter/datasource/apipermissions.webp) @@ -139,8 +145,11 @@ Step 6 – In the File Path box, provide the path to the MS Access database you data source for. This path should be complete with the file name and extension. For example: D:\Employee Records\Databases\Employee Medical Records.accdb -NOTE: The Access database must be located either on the machine that Data service is installed on, +:::note +The Access database must be located either on the machine that Data service is installed on, or a location that Data service can access. +::: + Step 7 – If the database file is password protected, enter the password in the File Password box. @@ -176,7 +185,10 @@ Step 8 – In the Registered Application ID on Azure Active Directory box, enter assigned to the Directory Manager application when you registered it in Microsoft Entra Admin Center. -NOTE: The registered app must have the following API permissions to access files on OneDrive: +:::note +The registered app must have the following API permissions to access files on OneDrive: +::: + ![API permissions](/img/product_docs/directorymanager/11.1/admincenter/datasource/apipermissions.webp) @@ -195,8 +207,11 @@ You can create a data source for an Oracle server or a specific database on a se source can be used in queries and as source and destination provider in Synchronize jobs. This provider supports dynamic schema detection. -NOTE: Oracle client must be installed to use this provider. Make sure you reboot your computer after +:::note +Oracle client must be installed to use this provider. Make sure you reboot your computer after installing the Oracle client. +::: + Follow the steps to create a data source. @@ -299,8 +314,11 @@ Step 6 – In the File Path box, provide the path to the text file you want to c for. This path should be complete with the file name and extension. For example: D:\Employee Records\Sheets\Employee Medical Records.csv -NOTE: The text file must be placed either on the machine that Data service is installed on, or a +:::note +The text file must be placed either on the machine that Data service is installed on, or a location that Data service can access. +::: + Step 7 – In the Delimiter box, specify the character that is used to separate values in the file. You can also enter a space as a character. @@ -338,7 +356,10 @@ Step 8 – In the Registered Application ID on Azure Active Directory box, enter assigned to the Directory Manager application when you registered it in Microsoft Entra Admin Center. -NOTE: The registered app must have the following API permissions to access files on OneDrive: +:::note +The registered app must have the following API permissions to access files on OneDrive: +::: + ![API permissions](/img/product_docs/directorymanager/11.1/admincenter/datasource/apipermissions.webp) diff --git a/docs/directorymanager/11.1/admincenter/datasource/manage.md b/docs/directorymanager/11.1/admincenter/datasource/manage.md index f2e84dd71a..535f7a5856 100644 --- a/docs/directorymanager/11.1/admincenter/datasource/manage.md +++ b/docs/directorymanager/11.1/admincenter/datasource/manage.md @@ -45,8 +45,11 @@ Step 4 – Click **Update Data Source**. You can delete a data source to prevent users from using it as source and destination in Synchronize jobs. -NOTE: Deleting a data source corrupts all Synchronize jobs, membership queries, and search queries +:::note +Deleting a data source corrupts all Synchronize jobs, membership queries, and search queries using that data source. +::: + Follow the steps to delete a data source. diff --git a/docs/directorymanager/11.1/admincenter/general/changepassword.md b/docs/directorymanager/11.1/admincenter/general/changepassword.md index e2acf72fef..59637dd325 100644 --- a/docs/directorymanager/11.1/admincenter/general/changepassword.md +++ b/docs/directorymanager/11.1/admincenter/general/changepassword.md @@ -29,8 +29,11 @@ password must conform to the rules of the applied password policy for the identi Step 4 – Click **Change Password**. -NOTE: MFA enabled Microsoft Entra ID users cannot change their passwords in Directory Manager. If +:::note +MFA enabled Microsoft Entra ID users cannot change their passwords in Directory Manager. If they try to use the option, the following message is displayed:. +::: + ![Admin Center Change Password error message for an Entra ID user](/img/product_docs/directorymanager/11.1/admincenter/general/changepassword.webp) diff --git a/docs/directorymanager/11.1/admincenter/general/enroll.md b/docs/directorymanager/11.1/admincenter/general/enroll.md index 7d446a73ee..172a9b98f6 100644 --- a/docs/directorymanager/11.1/admincenter/general/enroll.md +++ b/docs/directorymanager/11.1/admincenter/general/enroll.md @@ -119,6 +119,9 @@ Step 3 – Select an authentication type to enroll your account with. 2. Enter a name for your authentication device in the box and click **Start Registration**. You will be prompted to provide your biometric information using the configured biometric device. -NOTE: YubiKey and Windows Hello have issues with enrollment in browsers. To resolve this issue, +:::note +YubiKey and Windows Hello have issues with enrollment in browsers. To resolve this issue, configure a TLS certificate on your machine. Without a TLS certificate, YubiKey and Windows Hello will only work with the Firefox browser, as only Firefox allows WebAuthn without a TLS certificate. + +::: diff --git a/docs/directorymanager/11.1/admincenter/general/history.md b/docs/directorymanager/11.1/admincenter/general/history.md index c3c6e16de9..ebd4e420bc 100644 --- a/docs/directorymanager/11.1/admincenter/general/history.md +++ b/docs/directorymanager/11.1/admincenter/general/history.md @@ -51,7 +51,8 @@ and topics. Your desired setting applies to all history tracked for the respective identity store, including that tracked for helpdesk and Admin Center. -NOTE: Actions tracked under Admin Center history are independent of an identity store. In this case, +:::note +Actions tracked under Admin Center history are independent of an identity store. In this case, history retention settings apply to a history item in the context of the identity store selected by the user to log into Admin Center to perform that action. **Example:** UserA selects IdentityStoreA to sign into Admin Center and creates an SMS gateway @@ -59,6 +60,8 @@ account. This user then selects IdentityStoreB to sign into Admin Center and cre Manager portal. Both actions are logged in Admin Center history. However, history retention setting of IdentityStoreA will apply to the SMS gateway account creation action and that of IdentityStoreB will apply to the Directory Manager portal creation action. +::: + Event Logging diff --git a/docs/directorymanager/11.1/admincenter/general/licensing.md b/docs/directorymanager/11.1/admincenter/general/licensing.md index e181f51725..e3ff18b3c3 100644 --- a/docs/directorymanager/11.1/admincenter/general/licensing.md +++ b/docs/directorymanager/11.1/admincenter/general/licensing.md @@ -59,11 +59,17 @@ You can license Directory Manager under one or more of these license types: A license is valid for a period of 12 months. -NOTE: All the above licenses are also available for a trial period. +:::note +All the above licenses are also available for a trial period. +::: -NOTE: Licenses for certain add-ons are dependent on other licenses, such as the Group Attestation + +:::note +Licenses for certain add-ons are dependent on other licenses, such as the Group Attestation license is dependent on the Group Usage Service license, which in turn is dependent on the Group Management license. +::: + What happens when your license expires @@ -108,7 +114,10 @@ licenses. On removing a license, users lose all access to the functionality covered under the license. -NOTE: A dependent license is rendered ineffective when you remove its parent license. +:::note +A dependent license is rendered ineffective when you remove its parent license. +::: + To remove a license: diff --git a/docs/directorymanager/11.1/admincenter/helpdesk/operation/resetpassword.md b/docs/directorymanager/11.1/admincenter/helpdesk/operation/resetpassword.md index 2983ec9532..ac4a717ce5 100644 --- a/docs/directorymanager/11.1/admincenter/helpdesk/operation/resetpassword.md +++ b/docs/directorymanager/11.1/admincenter/helpdesk/operation/resetpassword.md @@ -9,8 +9,11 @@ sidebar_position: 10 Admin Center provides a variety of options to helpdesk users for resetting passwords and then communicating them to users. -NOTE: You can reset passwords of unenrolled users if (a) the **Reset Any Password** permission has +:::note +You can reset passwords of unenrolled users if (a) the **Reset Any Password** permission has been granted to your role and (b) the Helpdesk policy for your role is set to the unrestricted mode. +::: + Helpdesk users may have to authenticate end users before resetting their passwords. See the [Helpdesk Policy ](/docs/directorymanager/11.1/admincenter/helpdesk/overview.md#helpdesk-policy) topic. @@ -107,8 +110,11 @@ See the [Helpdesk Policy](/docs/directorymanager/11.1/admincenter/securityrole/p app and enter it in the box. 2. Click **Verify**. - NOTE: Helpdesk cannot authenticate users with the Link Account, YubiKey, and Windows Hello + :::note + Helpdesk cannot authenticate users with the Link Account, YubiKey, and Windows Hello authentication types. + ::: + 5. Click **Next**. 6. On the **Reset** page, you can reset the password. Follow step 4 and onwards in the Reset diff --git a/docs/directorymanager/11.1/admincenter/helpdesk/operation/unlockaccount.md b/docs/directorymanager/11.1/admincenter/helpdesk/operation/unlockaccount.md index b54e448a13..cceea2ff8f 100644 --- a/docs/directorymanager/11.1/admincenter/helpdesk/operation/unlockaccount.md +++ b/docs/directorymanager/11.1/admincenter/helpdesk/operation/unlockaccount.md @@ -16,9 +16,12 @@ In such a situation as this, helpdesk users can unlock user accounts in an ident Helpdesk may have to authenticate users before unlocking their accounts. See the [Helpdesk Policy ](/docs/directorymanager/11.1/admincenter/helpdesk/overview.md#helpdesk-policy) topic. -NOTE: You can unlock the account of unenrolled users if (a) the **Unlock Any Account** permission +:::note +You can unlock the account of unenrolled users if (a) the **Unlock Any Account** permission has been granted to your role and (b) the Helpdesk policy for your role is set to the unrestricted mode. +::: + ## Unlock User Accounts in Unrestricted Mode diff --git a/docs/directorymanager/11.1/admincenter/helpdesk/overview.md b/docs/directorymanager/11.1/admincenter/helpdesk/overview.md index e7d462909e..759c8d87b2 100644 --- a/docs/directorymanager/11.1/admincenter/helpdesk/overview.md +++ b/docs/directorymanager/11.1/admincenter/helpdesk/overview.md @@ -16,10 +16,13 @@ helpdesk-specific tasks, such as: functions. Toast notifications and history tracking are also enabled for these actions. See the [Helpdesk Operations](/docs/directorymanager/11.1/admincenter/helpdesk/operation/overview.md) topic for additional information. -NOTE: The Admin Center for helpdesk role is available in Helpdesk mode only. By default, only the +:::note +The Admin Center for helpdesk role is available in Helpdesk mode only. By default, only the Helpdesk node of Admin Center is visible to the Helpdesk role members. The administrator can also restrict access of a security role by selecting the Helpdesk Role check box on the Security Role page. See the [Create a Security Role](/docs/directorymanager/11.1/admincenter/securityrole/create.md) topic for additional information. +::: + ## Helpdesk Permissions @@ -39,8 +42,11 @@ The administrator can define a Helpdesk policy for a user role in an identity st mainly defines whether helpdesk role members should operate under the restricted or unrestricted mode to perform the account unlock and reset password functions. -NOTE: In unrestricted mode, helpdesk can unlock accounts and reset passwords of both enrolled and +:::note +In unrestricted mode, helpdesk can unlock accounts and reset passwords of both enrolled and unenrolled users. In restricted mode, helpdesk can perform these functions for enrolled users only. +::: + See the [Helpdesk Policy](/docs/directorymanager/11.1/admincenter/securityrole/policy/helpdesk.md) topic. diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/authtypes.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/authtypes.md index ec5698f6d8..f28edda0df 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/authtypes.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/authtypes.md @@ -46,6 +46,8 @@ Moreover, you must also enable enrollment for an identity store, so users can en factor authentication in Directory Manager. 5. Click **Save**. -NOTE: For second factor authentication and multifactor authentication to work in Directory Manager, +:::note +For second factor authentication and multifactor authentication to work in Directory Manager, the **Enrollment Enabled** check box must be selected. Else, users will not be able to enroll, which -will prevent them from using Directory Manager. \ No newline at end of file +will prevent them from using Directory Manager. +::: diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/dynastysettings.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/dynastysettings.md index ed4d1ef31f..0db32f2464 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/dynastysettings.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/dynastysettings.md @@ -120,13 +120,19 @@ You can add and remove attributes to this list. 5. Click **Save**. -NOTE: (1) At the Dynasty level, you can control whether child Dynasties should inherit these +:::note +(1) At the Dynasty level, you can control whether child Dynasties should inherit these attributes only when child Dynasties are created, or every time the parent Dynasty is updated. You can also opt to disable attribute inheritance for child Dynasties. - (2) If, for a managerial Dynasty, the ‘Set manager as owner’ option is applied and the managedBy +(2) If, for a managerial Dynasty, the ‘Set manager as owner’ option is applied and the managedBy attribute is set for inheritance, then the latter settings will not have any impact and the manager of a child Dynasty will be set as its owner. +::: -NOTE: In a Microsoft Entra ID identity store, where a group can have multiple primary owners, the + +:::note +In a Microsoft Entra ID identity store, where a group can have multiple primary owners, the owner of the parent Dynasty and the manager of a child Dynasty are collectively set as owners of that child Dynasty. + +::: diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/groupexpirydeletion.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/groupexpirydeletion.md index 3292584962..8468bc5182 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/groupexpirydeletion.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/groupexpirydeletion.md @@ -51,8 +51,11 @@ schedule: - Directory Manager takes a backup of the group’s membership. - It empties out the group’s membership in Office 365. - NOTE: When an Office 365 group is expired, its member list is backed up in the database and + :::note + When an Office 365 group is expired, its member list is backed up in the database and cleared from Office 365. + ::: + On renewing an expired distribution group, the following happens: @@ -76,10 +79,16 @@ deleted groups as: Both types are locked for further operations until restored. -NOTE: While all searches in Directory Manager are catered through Elasticsearch, the Recycle Bin is +:::note +While all searches in Directory Manager are catered through Elasticsearch, the Recycle Bin is an exception; it fetches data from the directory. +::: + + +:::note +The Recycle Bin does not display data for a Microsoft Entra ID identity store. +::: -NOTE: The Recycle Bin does not display data for a Microsoft Entra ID identity store. ### Physical Deletion diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/grouplifecycle.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/grouplifecycle.md index 2ec6d02637..7612bfd66c 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/grouplifecycle.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/grouplifecycle.md @@ -28,9 +28,12 @@ process the groups that reside therein. Groups that reside outside of the target be processed by the schedule; hence, the group life cycle policy is not applied to them. See the [Group Life Cycle Schedule](/docs/directorymanager/11.1/admincenter/schedule/grouplifecycle.md) topic. -NOTE: Before you specify a group life cycle policy for a Microsoft Entra ID identity store, see the +:::note +Before you specify a group life cycle policy for a Microsoft Entra ID identity store, see the [Group Expiration Policy](/docs/directorymanager/11.1/admincenter/identitystore/advsentraid.md#group-expiration-policy) section in the [Microsoft Entra ID vs. Active Directory Identity Stores](/docs/directorymanager/11.1/admincenter/identitystore/advsentraid.md) topic. +::: + ## Set a Default Expiry Policy for Groups @@ -97,10 +100,13 @@ those containers. 5. Click **Save**. -NOTE: If a container is set as target in a Group Life Cycle schedule while it is also listed as an +:::note +If a container is set as target in a Group Life Cycle schedule while it is also listed as an exempted container in the Group Lifecycle policy, the schedule does not process it. As a result, different aspects of the Group Lifecycle policy, such as group expiry and group attestation does not apply to groups in the container. +::: + ## Exempt Security Groups from Expiry @@ -111,8 +117,11 @@ expire security groups. When a security group expires, its membership is cleared. However, Directory Manager keeps a backup of its membership in the database. -NOTE: In a Microsoft Entra ID identity store, the security group expiry option also applies to +:::note +In a Microsoft Entra ID identity store, the security group expiry option also applies to Office 365 groups. +::: + **The security group expiration paradox** diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/historytracking.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/historytracking.md index 681a20b868..8eebddad52 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/historytracking.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/historytracking.md @@ -41,9 +41,12 @@ By default, history tracking is disabled. You can: - Specify a period for retaining history data in the Directory Manager database. When the period is over, data is exported to CSV files and deleted from the database. -RECOMMENDED: History tracking can slow down system performance. For optimal performance, it is +:::info +History tracking can slow down system performance. For optimal performance, it is recommended that you track only specific, more important actions and limit Directory Manager history data storage to the most recent records. +::: + See the [History in Directory Manager](/docs/directorymanager/11.1/admincenter/general/history.md) and [Event Logging](/docs/directorymanager/11.1/admincenter/identitystore/view/eventlogging.md) topics for additional information. @@ -128,8 +131,11 @@ database forever. 4. On the **History** page, select _All_ in the **History Options** drop-down list to retain all tracked history data in the database. - NOTE: This setting may result in a massive increase in the database size and may affect + :::note + This setting may result in a massive increase in the database size and may affect Directory Manager performance. + ::: + 5. Click **Save**. diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/membershiplifecycle.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/membershiplifecycle.md index d16857761d..1aaa7fc259 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/membershiplifecycle.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/membershiplifecycle.md @@ -13,11 +13,17 @@ You can define a membership policy for groups and OUs. In case of an OU, the pol groups in that OU. The Membership Life Cycle schedule is responsible for applying membership lifecycle policies to groups. -NOTE: Membership lifecycle policies apply to static groups only. You cannot specify system critical +:::note +Membership lifecycle policies apply to static groups only. You cannot specify system critical objects, Smart Groups, and Dynasties as target groups in a policy. +::: -NOTE: When Smart Groups and Dynasties reside in a target OU, Directory Manager does not process + +:::note +When Smart Groups and Dynasties reside in a target OU, Directory Manager does not process them. +::: + ## Types of Membership Lifecycle Policies @@ -228,9 +234,12 @@ Consider the following: **Example:** Let’s assume a policy is active from Jan. 20-31. Reapplying it on Feb 1 will have no impact.\ -NOTE: When you move a group from a target OU in a policy (OUA) to an OU that is not the target of +:::note +When you move a group from a target OU in a policy (OUA) to an OU that is not the target of any policy (OUB), the policy applied to the group in OUA will continue to apply to till its end date. +::: + **To reapply a policy:** diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/messagingprovider.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/messagingprovider.md index 7db8f73395..7c8301c361 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/messagingprovider.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/messagingprovider.md @@ -109,10 +109,13 @@ If the server is not listed, click **Sync Again**. Step 12 – Click **Save**. -NOTE: When Office 365 is configured as the messaging provider for an Active Directory identity +:::note +When Office 365 is configured as the messaging provider for an Active Directory identity store, Directory Manager creates distribution groups but does not populate their membership in Office 365. Use AD Connect or any directory synchronize tool to replicate information (such as membership info) between on-premises AD and Office 365. +::: + ## Set Google Workspace as Messaging Provider diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/outofbounds.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/outofbounds.md index 78cf53b71d..cdac00c343 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/outofbounds.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/outofbounds.md @@ -46,12 +46,15 @@ Since the count exceeds 500, it breaks the membership into 2 child groups (Group and Group 2 with 120 members) and nests them into Group A. Hence, Directory Manager checks the member count and takes necessary action before adding members to the group. -NOTE: In case of an Office 365 group, the option to break the membership into child groups has the +:::note +In case of an Office 365 group, the option to break the membership into child groups has the following impact - An Office 365 group (Group A) will be updated according to the Smart Group update process. However, when the maximum membership limit is hit, the update process will create child group(s) and try to add them as members of Group A. Since an Office 365 group cannot have groups as members, Group A’s membership will be empty. The child groups will continue to exist but without any link to Group A. +::: + **To set group membership limits:** @@ -100,12 +103,15 @@ out-of-bounds exception occurs, Directory Manager does not update group membersh intended recipient(s) by email. If they deem the change as valid, they can update the group manually in the Directory Manager portal. -NOTE: 1. Settings in the **Threshold** section apply in case of membership update through a Smart +:::note +1. Settings in the **Threshold** section apply in case of membership update through a Smart Group Update schedule. On manual update, these settings have no impact. - 2. If the group is not updated manually after an out-of-bounds exception, the changes remain +2. If the group is not updated manually after an out-of-bounds exception, the changes remain pending and the group will not be updated in future when the Smart Group Update job runs. - 3. Out-of-bounds exception notifications are sent as per notification settings configured for the +3. Out-of-bounds exception notifications are sent as per notification settings configured for the Smart Group Update schedule responsible for updating the respective group. +::: + **To set a group update threshold:** diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/passwordoptions.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/passwordoptions.md index 7640decd9d..10c0ff4a00 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/passwordoptions.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/passwordoptions.md @@ -15,10 +15,13 @@ You can define the following password restrictions and rules for an identity sto When identity store users reset or change their passwords using Directory Manager, their new passwords must adhere to the defined rules. -NOTE: (1) These password configurations do not apply when helpdesk users reset passwords of +:::note +(1) These password configurations do not apply when helpdesk users reset passwords of end-users. - (2) In case a user has linked his or her accounts in different identity stores, the password +(2) In case a user has linked his or her accounts in different identity stores, the password configurations for the master account apply. +::: + In addition to these password restrictions, you can define a password policy for a security role in an identity store. See the @@ -109,5 +112,7 @@ restricted passwords to a .csv or .txt file and upload it to Directory Manager. 5. Click **Import** to browse and select the file (.csv, .txt) containing the disallowed passwords. 6. Click **Save** on the **Password Options** page. -NOTE: Only a single file containing disallowed passwords can be imported for an identity store; -importing another file will replace the existing one. \ No newline at end of file +:::note +Only a single file containing disallowed passwords can be imported for an identity store; +importing another file will replace the existing one. +::: diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/overview.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/overview.md index 180b649034..c1c0402a5c 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/overview.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/overview.md @@ -10,8 +10,17 @@ Netwrix Password Policy Enforcer (PPE) helps secure your network by ensuring use passwords. You can now enforce PPE policies to Active Directory domain accounts when they change and reset their passwords in Directory Manager. +:::tip +:::tip +:::tip Remember, You can only use PPE policies in Directory Manager when Password Policy Enforcer 11 is deployed on your domain controller. +::: +::: +::: + + + The PPE policies use rules to decide if it should accept or reject a password. You can assign these policies to users, groups, and containers (Organizational Units). You can also: diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/passphrases.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/passphrases.md index dd6ad13bb6..723997febc 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/passphrases.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/passphrases.md @@ -40,6 +40,9 @@ accepts passphrases that comply with all enabled rules, irrespective of the comp ensures that passphrases can be used, even if they do not meet the compliance level when Password Policy Enforcer is configured to disable one or more rules for passphrases. -NOTE: Opinions differ on how long a passphrase needs to be. Even a 30 character passphrase can be +:::note +Opinions differ on how long a passphrase needs to be. Even a 30 character passphrase can be weaker than a well-chosen password. Do not disable too many rules under the assumption that length alone makes up for the reduced complexity. + +::: diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/complexityrule.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/complexityrule.md index 97ea01bf47..eda935391f 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/complexityrule.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/complexityrule.md @@ -24,8 +24,11 @@ sets. Using several character types can make passwords more difficult to crack. mandatory rule can still be disabled when a passphrase is used. See the Passphrases topic for additional information. -NOTE: The Complexity rule uses custom character set definitions from the Character rules, even if +:::note +The Complexity rule uses custom character set definitions from the Character rules, even if the Character rules are disabled. +::: + This default character set contains the following: diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/historyrule.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/historyrule.md index c273af0e62..7404f790e5 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/historyrule.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/historyrule.md @@ -30,10 +30,13 @@ number of days. minute with Argon2. All numbers are approximate. Use Argon2 if your domain controllers can handle the load. - NOTE: Changing the **Hash function** does not modify existing history records. It sets the + :::note + Changing the **Hash function** does not modify existing history records. It sets the function to be used for new password history records. If a user has Argon2 and SHA-256 hashes in their password history, then Password Policy Enforcer calculates both the Argon2 and SHA-256 hashes during a password change to ensure the new password is not in the password history. + ::: + - Enforce this rule when a password is reset – The History rule is normally not enforced when a password is reset. Select the check box to override the default behavior. diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/maximum_age_rule.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/maximum_age_rule.md index 2bed4cd82d..8b7d2cc225 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/maximum_age_rule.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/maximum_age_rule.md @@ -24,7 +24,8 @@ policies. after days and number of days in this in this field) are identical, then passwords will expire after the specified number of days, irrespective of length. - NOTE: When the Maximum Age rule is configured to delay the expiry of longer passwords, it + :::note + When the Maximum Age rule is configured to delay the expiry of longer passwords, it creates an Active Directory security group called "PPE Extended Maximum Age Users". Password Policy Enforcer uses this group to identify which users are eligible for a delayed password expiry. Users are added and removed from the group automatically. You can move and rename this @@ -33,6 +34,8 @@ policies. after moving or renaming the group to trigger a cache update in Password Policy Enforcer. Password Policy Enforcer recreates this group if you delete it. To stop creating a group, make the two days values equal in all policies. + ::: + - Mode – Mode Choose a value from the Mode drop-down list to specify how Password Policy Enforcer handles expired passwords. The Standard mode forces all users with expired passwords to change @@ -55,12 +58,15 @@ policies. Transitional and Warning modes. Users can ignore the prompt to change their password unless they are being forced to change it. - NOTE: The password expiry prompt is a Windows client feature, and is displayed even if the + :::note + The password expiry prompt is a Windows client feature, and is displayed even if the Password Policy Client is not installed. Windows clients display the prompt 5 days before passwords expire by default. You can alter this behavior in the Windows Group Policy security settings. See the [Interactive logon: Prompt user to change password before expiration](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration) Microsoft article for additional information. + ::: + Password Policy Enforcer expires passwords at 1:00 AM every day on the domain controller holding the PDC emulator operations master role. It sets "User must change password at next logon" for diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/minimum_age_rule.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/minimum_age_rule.md index 9f4ba71401..a977d7c2a8 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/minimum_age_rule.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/rules/minimum_age_rule.md @@ -13,5 +13,8 @@ evade the History and Similarity rules. This rule can only be enforced by domain - Select the number of days before a user can change their password. -NOTE: The Minimum Age rule is unique because users cannot comply with it by choosing a different +:::note +The Minimum Age rule is unique because users cannot comply with it by choosing a different password; they must wait until the required number of days has elapsed. + +::: diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/usersgroups.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/usersgroups.md index 24e2b61334..77ab90ba7b 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/usersgroups.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/ppe/usersgroups.md @@ -72,8 +72,11 @@ Managers OUs are children of the Info Tech OU, then any policy assigned to the I applies to the two child OUs. If this behavior is not desired, then you can assign a different policy to a child OU. -NOTE: Different assignment types can be used for a single policy. For example, you may assign users +:::note +Different assignment types can be used for a single policy. For example, you may assign users to a policy by both OU and group at the same time. +::: + 1. Click **+Add Container** to add groups for the policy assignment. 2. On the Add Container (s) dialog box, click **+** to expand the Entire Directory. diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/prefixes.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/prefixes.md index 00979797d7..cba3e68fad 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/prefixes.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/prefixes.md @@ -10,8 +10,11 @@ You can standardize group names in the directory by defining prefixes. When user using the Directory Manager portal, they must select a prefix, which is added to the group’s name and display name. -NOTE: The Group Name Prefixes policy does not apply when a user creates a group using Directory +:::note +The Group Name Prefixes policy does not apply when a user creates a group using Directory Manager Management Shell. +::: + You can define group name prefixes (a) for an identity store, (b) for security roles in an identity store, or (c) both at the identity store and role levels. @@ -26,12 +29,15 @@ store, or (c) both at the identity store and role levels. a group’s name. However, when prefixes are enforced at the role level, role members can only select a role-specific prefix to append a group’s name. -NOTE: (1) For a user with multiple roles, prefixes for all roles are displayed when creating or +:::note +(1) For a user with multiple roles, prefixes for all roles are displayed when creating or updating groups. (2) If prefixes are enforced for the highest priority role of a user, he or she must select a prefix from the list of prefixes defined for this highest priority role. (3) If prefixes are enforced for a role other than the highest priority role of a user, enforcement does not apply to him or her. +::: + Consider the following: diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/profilevalidation.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/profilevalidation.md index 7d1ec7f384..1d0000ecb3 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/profilevalidation.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/profilevalidation.md @@ -32,16 +32,22 @@ When performing profile validation, a user can: the request. If any of them accepts it, the user’s manager is changed. If any approver rejects it, the user remains with Manager A. - NOTE: This is the default flow of the _change manage_ workflow for the identity store. If the + :::note + This is the default flow of the _change manage_ workflow for the identity store. If the administrator disables the workflow or changes the approver, the flow changes accordingly. + ::: + - Transfer his or her direct reports to another manager - When a user transfers his or her direct report, the new manager is notified by email to accept or reject the transfer. If the manager accepts it, the direct report is transferred to him or her. If the manager rejects the transfer, the direct report remains with the old manager. - NOTE: This is the default flow of the _transfer a user_ workflow for the identity store. If the + :::note + This is the default flow of the _transfer a user_ workflow for the identity store. If the administrator disables the workflow or changes the approver, the flow changes accordingly. + ::: + - Terminate his or her direct reports - When a user terminates his or her direct report, it takes effect immediately when the _terminate a user_ workflow is disabled. If enabled, a request is sent diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/secondwayauthentication.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/secondwayauthentication.md index 867244712e..c1fbdb6eeb 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/secondwayauthentication.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/secondwayauthentication.md @@ -71,11 +71,14 @@ it, you must enable one or more authentication types. 4. On the **Second Way Authentication** page, use the toggle button for **Enable Second Way Authentication via Mobile** to enable it. - NOTE: If an SMS gateway account is not linked with the identity store, **Configure Now** is + :::note + If an SMS gateway account is not linked with the identity store, **Configure Now** is displayed in place of the toggle button. Click it to go to the **SMS Authentication** page, where you can link an SMS gateway account with the identity store. See the [Link an SMS Gateway Account to an Identity Store](smsauthentication.md#link-an-sms-gateway-account-to-an-identity-store) topic. + ::: + 5. In the **Mobile Attribute** drop-down list, select an attribute that stores mobile numbers in the directory. @@ -93,9 +96,12 @@ it, you must enable one or more authentication types. 4. On the **Second Way Authentication** page, use the toggle button for **Enable Second Way Authentication via Email** to enable it. - NOTE: If an SMTP server is not defined for the identity store, **Configure Now** is displayed in + :::note + If an SMTP server is not defined for the identity store, **Configure Now** is displayed in place of the toggle button. Click it to go to the **Notifications** page for configuring an SMTP server. See the [Configure an SMTP Server](/docs/directorymanager/11.1/admincenter/identitystore/configure/smtpserver.md) topic. + ::: + 5. In the **Email Attribute** drop-down list, select an attribute that stores email addresses in the directory. diff --git a/docs/directorymanager/11.1/admincenter/identitystore/configure/smtpserver.md b/docs/directorymanager/11.1/admincenter/identitystore/configure/smtpserver.md index fbeb14928b..a2b11377f3 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/configure/smtpserver.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/configure/smtpserver.md @@ -12,8 +12,11 @@ server deployed in your environment or an external SMTP server; for example, Gma When configuring a provider that supports modern authentication, such as Exchange Online and Office 365, you have the option to use OAuth for modern authentication. -NOTE: With Microsoft Entra ID's mandatory multifactor authentication policy, basic authentication +:::note +With Microsoft Entra ID's mandatory multifactor authentication policy, basic authentication cannot be used for an Office 365 SMTP server. You can only use OAuth for modern authentication. +::: + You can also specify notification recipients, that can be: @@ -77,15 +80,21 @@ server. OAuth settings are available when you specify a provider that supports modern authentication, such as Exchange Online and Office 365. - NOTE: For OAuth to work, you must enable the Graph API’s ‘SMTP.Send’ permission for the + :::note + For OAuth to work, you must enable the Graph API’s ‘SMTP.Send’ permission for the Directory Manager app in Microsoft Entra Admin Center: + ::: + 1. Click the **OAuth 2.0** tile. 2. In the **Token Endpoint** box, provide the following URL: https://login.microsoftonline.com/organizations/oauth2/v2.0/token - NOTE: In case of Office 365 provider, you need to provide Graph Endpoint of your CloudType + :::note + In case of Office 365 provider, you need to provide Graph Endpoint of your CloudType in the **Token Endpoint** box, for example, https://graph.microsoft.com/v1.0 + ::: + 3. In the **Client ID** box, provide the client ID assigned to the Directory Manager application when you registered it in Microsoft Entra Admin Center. @@ -95,14 +104,20 @@ server. 5. In the **Scope** box, provide the following URL: https://outlook.office365.com/SMTP.Send - NOTE: In case of Office 365 provider, provide name of the tenant the **Scope** box, for + :::note + In case of Office 365 provider, provide name of the tenant the **Scope** box, for example, abcd.onmicrosoft.com + ::: + 6. In the **Username** and **Password** boxes, provide the credentials to connect to the SMTP server. - NOTE: The user account used for SMTP Authentication for OAuth should have no MFA applied to it + :::note + The user account used for SMTP Authentication for OAuth should have no MFA applied to it or have a conditional bypass for GraphAPI requests. + ::: + **Test the connection** @@ -179,7 +194,10 @@ The list contains URLs of all Directory Manager portals linked with the identity Step 5 – Click **Save** on the **Notifications** page. -NOTE: Password expiry Smart Groups cannot be created in a Microsoft Entra ID identity store. +:::note +Password expiry Smart Groups cannot be created in a Microsoft Entra ID identity store. +::: + ## Manage Membership Life Cycle Notifications diff --git a/docs/directorymanager/11.1/admincenter/identitystore/create.md b/docs/directorymanager/11.1/admincenter/identitystore/create.md index 9ebf55fe20..91cb1cd7c4 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/create.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/create.md @@ -58,9 +58,12 @@ Skip this box for a gMSA. Step 8 – Select the **SSL Enabled** check box if the directory server is LDAP over SSL enabled. -NOTE: Directory Manager 11 supports LDAPS; however, the Replication Service will still connect to +:::note +Directory Manager 11 supports LDAPS; however, the Replication Service will still connect to the domain controller via the LDAP 389 port. Hence, both LDAP and LDAPS protocols must be enabled on the domain controller. +::: + Step 9 – Click **Create Identity Store**. The **Replicate Identity Store** message is displayed. Select: @@ -122,10 +125,13 @@ Select: The identity store is available on the Identify Stores page. You can specify different configurations for it. -NOTE: Microsoft’s throttling policy restricts an application (such as Directory Manager) to create a +:::note +Microsoft’s throttling policy restricts an application (such as Directory Manager) to create a maximum of 3 concurrent sessions with Microsoft Entra ID. With this in view, Directory Manager allows only one active session at any given time, which is used by Data service and Replication service. +::: + ## Create an Identity Store for Generic LDAP diff --git a/docs/directorymanager/11.1/admincenter/identitystore/link/manage.md b/docs/directorymanager/11.1/admincenter/identitystore/link/manage.md index 0d3a8e95df..ae7abab3b8 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/link/manage.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/link/manage.md @@ -103,10 +103,13 @@ stores. 5. Click **Add Filter for Users** in the bottom right corner of the **Add Filter for Users** or **Add Filter for Groups** pane. - NOTE: If you have added multiple clauses but do not group them using the AND/OR operator, + :::note + If you have added multiple clauses but do not group them using the AND/OR operator, Directory Manager auto groups them using AND. Similarly, if you add two groups of clauses but do not group them using the AND/OR operator, Directory Manager auto groups them using AND. + ::: + The filter is added and displayed on the **Link Identity Stores** page. You can specify one filter expression for the user object and one filter expression for the @@ -117,9 +120,12 @@ stores. 7. Click **Create Link** to save the link. - NOTE: An identity store link is effective when the two identity stores linked together are also + :::note + An identity store link is effective when the two identity stores linked together are also associated with a Directory Manager portal, say Portal A. If a portal does not exist with both identity store associated with it, a message is displayed to alert you to it. + ::: + The link is displayed on the **Identity Stores** page. @@ -189,8 +195,11 @@ You can edit a link to: object to delete it. Deleting the filter expression for the user or group object breaks the link for the respective objects in the linked identity stores. - NOTE: At least one filter expression for the user object and one filter expression for the + :::note + At least one filter expression for the user object and one filter expression for the group object must exist for the identity store link. Else changes will not be saved. + ::: + 3. After making the required changes, click **Update Link**. diff --git a/docs/directorymanager/11.1/admincenter/identitystore/link/overview.md b/docs/directorymanager/11.1/admincenter/identitystore/link/overview.md index 739e30d824..bfa25b1ad7 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/link/overview.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/link/overview.md @@ -16,8 +16,11 @@ For example, you can create a link between the following types of identity store - Two Microsoft Entra ID identity stores - An Active Directory identity store and a Google Workspace identity store -NOTE: (1) Two identity stores built on the same domain cannot be linked. +:::note +(1) Two identity stores built on the same domain cannot be linked. (2) An identity store must be replicated in Directory Manager before it can be linked. +::: + ## Linked Identity Stores and the Directory Manager Portal @@ -102,7 +105,10 @@ value for the distinguishedname attribute in dentityStoreA and an object has _Ma for the cn attribute in dentityStoreB, Directory Manager identifies them as identical objects existing in two distinct directories, and links them. -RECOMMENDED: For mapping, always use attributes that store unique values. +:::info +For mapping, always use attributes that store unique values. +::: + ## How to Link Multiple Identity Stores diff --git a/docs/directorymanager/11.1/admincenter/identitystore/manage.md b/docs/directorymanager/11.1/admincenter/identitystore/manage.md index fcaafdb699..e6466ba234 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/manage.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/manage.md @@ -207,16 +207,22 @@ In a nutshell 5. Click **Save**. -NOTE: When you change the DC priority for a domain or a child domain, it takes effect instantly. +:::note +When you change the DC priority for a domain or a child domain, it takes effect instantly. Data service reestablishes a connection with a DC based on new priority. +::: + ## Delete an Identity Store You can delete an identity store with all its configurations. As a result, Directory Manager cannot be connected to that identity store, nor can it be used in a Synchronize job. -NOTE: You cannot delete an identity store that has been linked to another identity store. You must +:::note +You cannot delete an identity store that has been linked to another identity store. You must first delete the link(s) before deleting the identity store. +::: + **To delete an identity store:** diff --git a/docs/directorymanager/11.1/admincenter/identitystore/overview.md b/docs/directorymanager/11.1/admincenter/identitystore/overview.md index 0b7d4e62b2..e2f8fd81af 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/overview.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/overview.md @@ -32,5 +32,7 @@ Synchronize jobs for bulk user management tasks. You can also link Active Directory and Microsoft Entra ID identity stores to sync identical objects there. -NOTE: You can define a custom identity store for non-supported identity providers in Directory -Manager. Contact Netwrix Client Services for support. \ No newline at end of file +:::note +You can define a custom identity store for non-supported identity providers in Directory +Manager. Contact Netwrix Client Services for support. +::: diff --git a/docs/directorymanager/11.1/admincenter/identitystore/replication.md b/docs/directorymanager/11.1/admincenter/identitystore/replication.md index a3a145a194..5540d02d4e 100644 --- a/docs/directorymanager/11.1/admincenter/identitystore/replication.md +++ b/docs/directorymanager/11.1/admincenter/identitystore/replication.md @@ -44,13 +44,16 @@ Step 6 – The Select Replication Attributes dialog box displays a list of the s the provider. Select the check boxes for the attributes you want to replicate for the identity store and click **Save**. The attributes are added to the Attribute Name column on the Replication page. -NOTE: If in a Microsoft Entra ID based identity store extension attributes are added, Directory +:::note +If in a Microsoft Entra ID based identity store extension attributes are added, Directory Manager Schema Replication schedule fetches the latest schema at its next run and add the newly added extension attributes to the Select Replication Attributes list. See the [Schema Replication Schedule](/docs/directorymanager/11.1/admincenter/schedule/schemareplication.md) for additional information. Select the required extension attributes from the Select Replication Attributes list and add them to the attribute to replicate list. See the Specify Object Attributes to Replicate section of the Manage Local Replication Settings topic. +::: + Step 7 – Click **Save**. @@ -84,9 +87,12 @@ Step 6 – Click **Save** on the Replication page. Step 7 – Click **Restore** on the **Restore Data** card to restore object data to Elasticsearch for the identity store. -NOTE: When a Smart Group, created with a custom attribute in a previous Directory Manager version, +:::note +When a Smart Group, created with a custom attribute in a previous Directory Manager version, is upgraded using the Upgrade wizard, you will have to replicate the respective object type from scratch. +::: + ## Force Run the Replication Service (for Object Replication) diff --git a/docs/directorymanager/11.1/admincenter/notification/customize.md b/docs/directorymanager/11.1/admincenter/notification/customize.md index 11ab5e15bd..ec6fe44404 100644 --- a/docs/directorymanager/11.1/admincenter/notification/customize.md +++ b/docs/directorymanager/11.1/admincenter/notification/customize.md @@ -81,7 +81,10 @@ You can do the following in the Source Code view: - Replace the tags with other relevant tags. By using a tag, you can display an attribute’s value in the notification. -NOTE: Do not insert tables or custom photos in a notification template. +:::note +Do not insert tables or custom photos in a notification template. +::: + After making the required changes, click **Save** on the menu bar. diff --git a/docs/directorymanager/11.1/admincenter/replication/overview.md b/docs/directorymanager/11.1/admincenter/replication/overview.md index e4cf68264a..7439769210 100644 --- a/docs/directorymanager/11.1/admincenter/replication/overview.md +++ b/docs/directorymanager/11.1/admincenter/replication/overview.md @@ -36,8 +36,11 @@ Synchronize history is saved to Elasticsearch when Active Directory, Microsoft E LDAP, or Google Workspace is the destination provider in the respective Synchronize job. This history is replicated to the Directory Manager database by the Data s ervice. -NOTE: The **Recycle Bin** in the Directory Manager portal fetches data from the directory server and +:::note +The **Recycle Bin** in the Directory Manager portal fetches data from the directory server and not from Elasticsearch. +::: + ## Replication Settings @@ -51,9 +54,12 @@ specific to an identity store. - For an identity store, you can specify the object attributes the service should replicate to Elasticsearch. See the [Manage Local Replication Settings](/docs/directorymanager/11.1/admincenter/identitystore/replication.md) topic. -NOTE: The Replication service does not replicate excluded domains for an identity store. See the +:::note +The Replication service does not replicate excluded domains for an identity store. See the [Exclude an Active Directory Domain from Replication](/docs/directorymanager/11.1/admincenter/identitystore/manage.md#exclude-an-active-directory-domain-from-replication) topic. +::: + ## Replication Service Logs diff --git a/docs/directorymanager/11.1/admincenter/replication/settings.md b/docs/directorymanager/11.1/admincenter/replication/settings.md index 592230336d..eaac6ae1c6 100644 --- a/docs/directorymanager/11.1/admincenter/replication/settings.md +++ b/docs/directorymanager/11.1/admincenter/replication/settings.md @@ -18,9 +18,12 @@ On every successful run of the Replication service, Directory Manager generates status of object types for each domain in an identity store and alerts you to any errors that may have occurred during the replication process. -NOTE: The Replication service does not replicate excluded domains for an identity store. See the +:::note +The Replication service does not replicate excluded domains for an identity store. See the [Exclude an Active Directory Domain from Replication](/docs/directorymanager/11.1/admincenter/identitystore/manage.md#exclude-an-active-directory-domain-from-replication) topic. +::: + ### How to Resolve Replication Errors diff --git a/docs/directorymanager/11.1/admincenter/schedule/grouplifecycle.md b/docs/directorymanager/11.1/admincenter/schedule/grouplifecycle.md index af2d6a7a11..078c395623 100644 --- a/docs/directorymanager/11.1/admincenter/schedule/grouplifecycle.md +++ b/docs/directorymanager/11.1/admincenter/schedule/grouplifecycle.md @@ -71,11 +71,14 @@ Step 9 – You can specify containers as targets for the schedule. To do so, fol topic. The schedule will process all groups in the containers and their sub-containers listed in the Target(s) area in keeping with the Group Lifecycle settings for the identity store. -NOTE: In Group Lifecycle settings, the administrator can specify container(s) for exclusively +:::note +In Group Lifecycle settings, the administrator can specify container(s) for exclusively applying or not applying the Group Life cycle policy. See the [Apply Policy on Specific Containers](/docs/directorymanager/11.1/admincenter/identitystore/configure/grouplifecycle.md#apply-policy-on-specific-containers) topic. With containers specified in the Target(s) area, there may be a conflict or overlapping of containers, in which case, the Group Lifecycle settings take precedence. +::: + Step 10 – Click **Add Triggers** in the Triggers area to specify a triggering criterion for the schedule, that, when met, starts the execution of the schedule. Follow step 11 in the diff --git a/docs/directorymanager/11.1/admincenter/schedule/groupusageservice.md b/docs/directorymanager/11.1/admincenter/schedule/groupusageservice.md index 41f3b9ee55..99b0d31694 100644 --- a/docs/directorymanager/11.1/admincenter/schedule/groupusageservice.md +++ b/docs/directorymanager/11.1/admincenter/schedule/groupusageservice.md @@ -109,13 +109,19 @@ The Authentication dialog box displays your accounts in the respective identity used for signing in. Select an account to authenticate with it or click **Login with a different user** to provide the credentials of another account to run the schedule in the identity store. -NOTE: Make sure this account falls under a high priority security role that has elevated permissions +:::note +Make sure this account falls under a high priority security role that has elevated permissions in the identity store (for example, Administrator). +::: -NOTE: If you are creating this schedule in a Microsoft Entra ID identity store, you can only specify + +:::note +If you are creating this schedule in a Microsoft Entra ID identity store, you can only specify the logged-in user's account. See the [Schedules for Microsoft Entra ID Identity Store](overview.md#schedules-for-microsoft-entra-id-identity-store) section of the [Schedules](/docs/directorymanager/11.1/admincenter/schedule/overview.md) topic for additional information. +::: + Step 14 – On the Create Schedule page, click **Create Schedule**. diff --git a/docs/directorymanager/11.1/admincenter/schedule/historyretention.md b/docs/directorymanager/11.1/admincenter/schedule/historyretention.md index 6329097bc8..56408f9eb5 100644 --- a/docs/directorymanager/11.1/admincenter/schedule/historyretention.md +++ b/docs/directorymanager/11.1/admincenter/schedule/historyretention.md @@ -34,10 +34,13 @@ These files are available at the following location on the Directory Manager ser History data moved to these files is not longer displayed in Directory Manager. -NOTE: Admin Center history does not fall in a specific identity store, so its retention mechanism is +:::note +Admin Center history does not fall in a specific identity store, so its retention mechanism is different. Directory Manager checks the identity store of the user who performed an action logged in Admin Center history, and archives that record according to the history retention setting of the identity store that user belongs to. +::: + After the History Retention schedule runs, the following information is displayed on the **History** page in identity store configurations: diff --git a/docs/directorymanager/11.1/admincenter/schedule/membershiplifecycle.md b/docs/directorymanager/11.1/admincenter/schedule/membershiplifecycle.md index 94c205f569..3448cb12f3 100644 --- a/docs/directorymanager/11.1/admincenter/schedule/membershiplifecycle.md +++ b/docs/directorymanager/11.1/admincenter/schedule/membershiplifecycle.md @@ -90,8 +90,11 @@ in the [Create a Group Usage Service Schedule](groupusageservice.md#create-a-group-usage-service-schedule) topic for additional information. -NOTE: Membership Lifecycle policies are not applied to OUs specified here. Target OUs and groups are +:::note +Membership Lifecycle policies are not applied to OUs specified here. Target OUs and groups are set in the respective policy. +::: + Step 10 – Click **Add Triggers** in the Triggers area to specify a triggering criterion for the schedule, that, when met, starts the execution of the schedule. Follow step 11 in the diff --git a/docs/directorymanager/11.1/admincenter/schedule/overview.md b/docs/directorymanager/11.1/admincenter/schedule/overview.md index 510e974059..0fcfe6e321 100644 --- a/docs/directorymanager/11.1/admincenter/schedule/overview.md +++ b/docs/directorymanager/11.1/admincenter/schedule/overview.md @@ -44,10 +44,13 @@ You can define the following schedules for an identity store: - A [Workflow Acceleration Schedule](/docs/directorymanager/11.1/admincenter/schedule/workflowacceleration.md) forwards workflow requests to approvers and auto approves requests according to workflow approver acceleration rules. -NOTE: Role members with the _Manage Scheduling_ permission in an identity store can create and +:::note +Role members with the _Manage Scheduling_ permission in an identity store can create and manage scheduled jobs. See the [Modify Role Permissions](/docs/directorymanager/11.1/admincenter/securityrole/manage.md#modify-role-permissions) topic for additional information. +::: + Schedules are saved in the Directory Manager database. The GroupIDSchedulerService, created in the GroupIDSite11 site in native IIS is responsible for initiating schedule runs. @@ -74,5 +77,8 @@ configure a schedule: Use the Login with a different user option to provide the credentials of another account to run the schedule in the identity store is not available for a Microsoft Entra ID identity store. -NOTE: The existing schedules will continue to work. The SAML provider authentication does not apply +:::note +The existing schedules will continue to work. The SAML provider authentication does not apply on them. + +::: diff --git a/docs/directorymanager/11.1/admincenter/schedule/reports.md b/docs/directorymanager/11.1/admincenter/schedule/reports.md index 7f60c91b43..2471fd2c24 100644 --- a/docs/directorymanager/11.1/admincenter/schedule/reports.md +++ b/docs/directorymanager/11.1/admincenter/schedule/reports.md @@ -54,9 +54,12 @@ Please note the following while selecting a Scheduler service: Step 8 – To add reports to the schedule, click **Add Report(s)** in the Reports area. The Add Reports to Schedule dialog box is displayed. -NOTE: You can only add reports that have been generated in the Directory Manager portal, since the +:::note +You can only add reports that have been generated in the Directory Manager portal, since the schedule uses the settings provided there to generate the report. Moreover, you cannot change the settings here, such as the container and filter settings. +::: + 1. In the Object Category drop-down list, select a report category. Available categories are: _All Categories, Users, Groups, Contacts and Computers_. In the Directory Manager portal, reports are diff --git a/docs/directorymanager/11.1/admincenter/schedule/schemareplication.md b/docs/directorymanager/11.1/admincenter/schedule/schemareplication.md index f8cbc6a8dd..e6c4b030b8 100644 --- a/docs/directorymanager/11.1/admincenter/schedule/schemareplication.md +++ b/docs/directorymanager/11.1/admincenter/schedule/schemareplication.md @@ -24,7 +24,10 @@ can choose the object attributes you actually want to use in an identity store. [Specify Object Attributes to Replicate](/docs/directorymanager/11.1/admincenter/identitystore/replication.md#specify-object-attributes-to-replicate) topic for details. -NOTE: For Microsoft Entra ID, schema is replicated from the schema file for Graph API v 3.26.0. +:::note +For Microsoft Entra ID, schema is replicated from the schema file for Graph API v 3.26.0. +::: + The Schema Replication schedule runs in the context of the super admin account in the Directory Manager provider. You cannot create or delete a Schema Replication schedule; only update the diff --git a/docs/directorymanager/11.1/admincenter/schedule/smartgroupupdate.md b/docs/directorymanager/11.1/admincenter/schedule/smartgroupupdate.md index c06e9236db..c522104436 100644 --- a/docs/directorymanager/11.1/admincenter/schedule/smartgroupupdate.md +++ b/docs/directorymanager/11.1/admincenter/schedule/smartgroupupdate.md @@ -109,18 +109,24 @@ dialog box, specify an event for triggering notifications for the schedule and a notification recipients, using a semicolon to separate multiple addresses. These recipients will get a report on the event you select for **Send Notification**. - NOTE: If the email ID of a target group’s additional owner is specified in this box, the + :::note + If the email ID of a target group’s additional owner is specified in this box, the additional owner will receive notifications even if the Do not Notify check box is selected for it in the respective group’s properties. + ::: + 3. Select the **Send Report to group owner(s)** check box to send a report to each unique group owner of the groups processed by the schedule. A Dynasty owner receives a notification for its groups and direct child Dynasties. Group owners include the primary owner, additional owner(s), and Exchange additional owner(s). - NOTE: An additional owner of a target group will not receive notifications when the Do not + :::note + An additional owner of a target group will not receive notifications when the Do not Notify check box is selected for it in the respective group’s properties, even with the Send Report to group owner(s) check box selected. + ::: + 4. In the Send Notification area, select one of the following options: @@ -135,11 +141,14 @@ dialog box, specify an event for triggering notifications for the schedule and a 5. Click **Save**. - NOTE: When a Smart Group Update schedule is bound to a single OU that contains all expired Smart + :::note + When a Smart Group Update schedule is bound to a single OU that contains all expired Smart Groups/Dynasties, notifications will not be sent, even if the _Always_ option is selected. Expired Smart Groups and Dynasties are not evaluated for the update process. However, even if one group in the OU is not expired, notifications will be sent for all objects with _failed_ status for expired objects. + ::: + Step 13 – On the Create Schedule page, click **Create Schedule**. diff --git a/docs/directorymanager/11.1/admincenter/securityrole/create.md b/docs/directorymanager/11.1/admincenter/securityrole/create.md index e8d698e6f6..d4c059676b 100644 --- a/docs/directorymanager/11.1/admincenter/securityrole/create.md +++ b/docs/directorymanager/11.1/admincenter/securityrole/create.md @@ -19,9 +19,12 @@ To create a security role for an identity store, you have to specify the followi You can create a role from scratch or by copying an existing role. See the [Security Roles](/docs/directorymanager/11.1/admincenter/securityrole/overview.md) topic for additional information on security roles. -NOTE: You can disable a role to prevent its members from accessing Directory Manager. To prevent an +:::note +You can disable a role to prevent its members from accessing Directory Manager. To prevent an individual role member from accessing Directory Manager, you must remove him or her from the group or container specified as role criteria. +::: + ## Create a Security Role from Scratch diff --git a/docs/directorymanager/11.1/admincenter/securityrole/manage.md b/docs/directorymanager/11.1/admincenter/securityrole/manage.md index d88293ea4e..27df2f0ad5 100644 --- a/docs/directorymanager/11.1/admincenter/securityrole/manage.md +++ b/docs/directorymanager/11.1/admincenter/securityrole/manage.md @@ -32,8 +32,11 @@ You can disable a role to prevent its members from signing into Directory Manage enable a disabled role to allow its members to access Directory Manager. By default, all new roles created for an identity store are enabled. -NOTE: To prevent an individual role member from accessing Directory Manager, you must remove him or +:::note +To prevent an individual role member from accessing Directory Manager, you must remove him or her from the group or container specified as role criteria. +::: + **To enable or disable a security role:** diff --git a/docs/directorymanager/11.1/admincenter/securityrole/overview.md b/docs/directorymanager/11.1/admincenter/securityrole/overview.md index 6d0ea3c107..0435d36059 100644 --- a/docs/directorymanager/11.1/admincenter/securityrole/overview.md +++ b/docs/directorymanager/11.1/admincenter/securityrole/overview.md @@ -15,7 +15,10 @@ store in Directory Manager has the following built-in roles that you can assign passwords and unlock identity store accounts on behalf of other users. Admin Center for this role, by default, is available in the Helpdesk mode only. - NOTE: The Helpdesk role is not available by default for a Microsoft Entra ID identity store. + :::note + The Helpdesk role is not available by default for a Microsoft Entra ID identity store. + ::: + - **User:** This role can be assigned to standard users, who can create new groups, manage their groups, update their directory profiles, and manage their direct reports. diff --git a/docs/directorymanager/11.1/admincenter/securityrole/permissions.md b/docs/directorymanager/11.1/admincenter/securityrole/permissions.md index 3032b372ec..7387f0d0e9 100644 --- a/docs/directorymanager/11.1/admincenter/securityrole/permissions.md +++ b/docs/directorymanager/11.1/admincenter/securityrole/permissions.md @@ -47,8 +47,17 @@ Permissions are discussed in the following table: | 8. | Manage Any Profile | Enables role members to update the profiles of other users. | | 9. | Manage My Profile | Enables role members to update their directory profiles. | +:::tip +:::tip +:::tip Remember, Generalized permissions override limited permissions. Hence, if Manage My Profile is denied and Manage Any Profile allowed, role members can manage their own profiles as well. +::: +::: +::: + + + ## Groups @@ -66,8 +75,17 @@ Permissions are discussed in the following table: | 3. | Create Smart Group | Enables role members to create Smart Groups and Dynasties (managed groups). | | 4. | Manage Any Group | Enables role members to update the properties of any group, delete any group, expire any group, and more. | +:::tip +:::tip +:::tip Remember, Generalized permissions override limited permissions. So, if Manage My Groups is denied and Manage Any Group allowed, role members can manage all groups, including their own groups. +::: +::: +::: + + + ## Admin Center @@ -136,8 +154,17 @@ Permissions are discussed in the following table: | 6. | Unenroll | Enables helpdesk users to unenroll a user’s identity store account in Directory Manager. | | 7. | Unlock Any Account | Enables helpdesk users to unlock the identity store account for any user. | +:::tip +:::tip +:::tip Remember, Generalized permissions override limited permissions. For example, if Unlock My Account is denied and Unlock Any Account allowed, role members can unlock all accounts, including their own. +::: +::: +::: + + + ## Miscellaneous @@ -195,6 +222,9 @@ Permissions are discussed in the following table: | 4. | Modify user / group | Enables role members to update the permissions assigned to users and groups on document libraries in the site. The Type column lists the effective permissions. Role members will only be able to modify the permissions that you enable here. | | 5. | Remove user / group | Enables role members to remove users and groups from the permission list of document libraries in the site. Removed users and groups will not be able to access the respective document library in the site. | -NOTE: For more information on role permissions, see the +:::note +For more information on role permissions, see the [User Roles in Microsoft Entra ID and Directory Manager ](/docs/directorymanager/11.1/admincenter/identitystore/advsentraid.md#user-roles-in-microsoft-entra-id-and-directory-manager) topic. + +::: diff --git a/docs/directorymanager/11.1/admincenter/securityrole/policy/authentication.md b/docs/directorymanager/11.1/admincenter/securityrole/policy/authentication.md index 0252b51374..2acc5714a1 100644 --- a/docs/directorymanager/11.1/admincenter/securityrole/policy/authentication.md +++ b/docs/directorymanager/11.1/admincenter/securityrole/policy/authentication.md @@ -14,8 +14,11 @@ Having enabled and configured authentication types for an identity store, you ca the identity store. - Enable second factor authentication (SFA) for a security role in an identity store. -NOTE: For MFA and SFA to work for an identity store, make sure you enable enrollment for it. See the +:::note +For MFA and SFA to work for an identity store, make sure you enable enrollment for it. See the [Enable Enrollment](/docs/directorymanager/11.1/admincenter/identitystore/configure/authtypes.md#enable-enrollment) topic. +::: + ## Enforce Authentication Types for Multifactor Authentication diff --git a/docs/directorymanager/11.1/admincenter/securityrole/policy/groupowners.md b/docs/directorymanager/11.1/admincenter/securityrole/policy/groupowners.md index 327c9e3ece..836a9cadb3 100644 --- a/docs/directorymanager/11.1/admincenter/securityrole/policy/groupowners.md +++ b/docs/directorymanager/11.1/admincenter/securityrole/policy/groupowners.md @@ -40,8 +40,11 @@ group can change the primary owner, but cannot remove it. If this check box is clear, role members can choose to remove the primary owner while creating or updating groups. - NOTE: In a Microsoft Entra ID identity store, a primary owner must be specified for groups, + :::note + In a Microsoft Entra ID identity store, a primary owner must be specified for groups, regardless of whether the Group Owners policy enforces it or not. + ::: + 7. Click **OK**. 8. On the **Edit Security Role** page, click **Update Security Role**. @@ -76,6 +79,8 @@ role members can have any number of additional owners and even no additional own 9. On the **Edit Security Role** page, click **Update Security Role**. 10. On the **Security Roles** page, click **Save**. -NOTE: When additional owners have been added using an earlier version of Directory Manager, and +:::note +When additional owners have been added using an earlier version of Directory Manager, and their number exceeds the value of this setting, Directory Manager will retain them. However, more -additional owners cannot be added. \ No newline at end of file +additional owners cannot be added. +::: diff --git a/docs/directorymanager/11.1/admincenter/securityrole/policy/helpdesk.md b/docs/directorymanager/11.1/admincenter/securityrole/policy/helpdesk.md index 288017f132..180cc70f37 100644 --- a/docs/directorymanager/11.1/admincenter/securityrole/policy/helpdesk.md +++ b/docs/directorymanager/11.1/admincenter/securityrole/policy/helpdesk.md @@ -14,8 +14,11 @@ in Directory Manager. Moreover, they can view the actions that users perform in such as password change/reset, account enrollment/unenrollment, and the date and time they logged into Directory Manager. -NOTE: The helpdesk role must be granted the following permissions in an identity store to enable +:::note +The helpdesk role must be granted the following permissions in an identity store to enable them to perform their job: +::: + - Reset Any Password - Unlock Any Account @@ -130,8 +133,11 @@ interaction** check box, and then select one of the following options: authentication types in the box (say, 2). Suppose an end-user is enrolled with 4 authentication types. A helpdesk user can choose any 2 of these types to authenticate that user. -NOTE: Helpdesk users cannot authenticate end-users with the Linked account, Windows Hello, and +:::note +Helpdesk users cannot authenticate end-users with the Linked account, Windows Hello, and YubiKey authentication types. +::: + Step 9 – Click **OK**. @@ -144,10 +150,13 @@ Step 11 – On the Security Roles page, click **Save**. You can specify the minimum number of security questions helpdesk role members must use to authenticate end-users before unlocking their identity store accounts or resetting their passwords. -RECOMMENDED: As a prerequisite to applying this setting, make sure that the Security Questions +:::info +As a prerequisite to applying this setting, make sure that the Security Questions authentication type is enabled and configured for the identity store, as well as enforced as an account enrollment method for security roles. See the [Set up Authentication via Security Questions](/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/securityquestions.md) topic. +::: + Follow the steps to enforce security questions for authentication. @@ -173,9 +182,12 @@ number that indicates the number of questions to be answered. For security and privacy concerns, answers to security questions are not visible to helpdesk users. Helpdesk users have to type in the answers that end-users provide over phone for verification. -NOTE: If a user has not enrolled his or her account using security questions, the helpdesk user will +:::note +If a user has not enrolled his or her account using security questions, the helpdesk user will get an error message when he or she attempts to authenticate this user for password reset/account unlock. +::: + Step 9 – Click **OK**. @@ -228,8 +240,17 @@ As part of the Helpdesk policy, you can: and communicate it to the end-users. - Force end-users to change the password the next time they sign to their workstations. +:::tip +:::tip +:::tip Remember, These settings are available if the _Reset Any Password_ permission is granted to the Helpdesk role in the identity store. +::: +::: +::: + + + ### Specify a Password Reset Method @@ -276,12 +297,15 @@ Step 9 – On the Edit Security Role page, click **Update Security Role**. Step 10 – On the Security Roles page, click **Save**. -NOTE: (1) An SMS gateway account must be linked with the identity store for an SMS to be sent on the +:::note +(1) An SMS gateway account must be linked with the identity store for an SMS to be sent on the end-users’ mobile phones. See the [Link an SMS Gateway Account to an Identity Store](/docs/directorymanager/11.1/admincenter/identitystore/configure/smsauthentication.md#link-an-sms-gateway-account-to-an-identity-store) topic. - (2) An SMTP server must be configured for the identity store for email to be sent to end-users. See +(2) An SMTP server must be configured for the identity store for email to be sent to end-users. See the [Configure an SMTP Server](/docs/directorymanager/11.1/admincenter/identitystore/configure/smtpserver.md) topic. +::: + ### Force Users to Change Password on Next Logon diff --git a/docs/directorymanager/11.1/admincenter/securityrole/policy/newobject.md b/docs/directorymanager/11.1/admincenter/securityrole/policy/newobject.md index 1c3eca8e5a..6d44cfcf7b 100644 --- a/docs/directorymanager/11.1/admincenter/securityrole/policy/newobject.md +++ b/docs/directorymanager/11.1/admincenter/securityrole/policy/newobject.md @@ -24,11 +24,14 @@ By default, or when no OU is set for an object type, role members can select any store to create objects of that type. For example, when no OU is specified for the User object, role members can create user objects in any OU in the identity store. -NOTE: (1) When a user has multiple roles in an identity store with a different New Object policy for +:::note +(1) When a user has multiple roles in an identity store with a different New Object policy for each role, then the policies configured for all roles apply to the user. Hence, a user with three roles - where a different OU for the Group object is specified for each role - can create groups in any of the three OUs. (2( The New Object policy does not apply to a Microsoft Entra ID identity store. +::: + ## Limit Object Creation to the OU the User Resides in @@ -47,8 +50,11 @@ any of the three OUs. 9. On the **Edit Security Role** page, click **Update Security Role**. 10. On the **Security Roles** page, click **Save**. -NOTE: When role members create a new object, the _Container_ option shows the distinguished name of +:::note +When role members create a new object, the _Container_ option shows the distinguished name of the OU the logged-in user resides in as read-only. +::: + ## Restrict Role Members to Create Objects in Specific OUs @@ -76,10 +82,13 @@ create group objects in those container(s) only. 11. On the **Edit Security Role** page, click **Update Security Role**. 12. On the **Security Roles** page, click **Save**. -NOTE: When role members create a new object, the _Container_ option shows the containers specified +:::note +When role members create a new object, the _Container_ option shows the containers specified for the respective object type. The user can select the desired container to create the object there. When one container is specified, the _Container_ option displays its distinguished name as read-only. +::: + ## Remove an OU diff --git a/docs/directorymanager/11.1/admincenter/securityrole/policy/overview.md b/docs/directorymanager/11.1/admincenter/securityrole/policy/overview.md index 72dcc53a4c..10dbccf96a 100644 --- a/docs/directorymanager/11.1/admincenter/securityrole/policy/overview.md +++ b/docs/directorymanager/11.1/admincenter/securityrole/policy/overview.md @@ -22,12 +22,15 @@ You can define the following policies for a role: - [Synchronize Policy](/docs/directorymanager/11.1/admincenter/securityrole/policy/synchronize.md) - [Membership Object Type Enforcement Policy](/docs/directorymanager/11.1/admincenter/securityrole/policy/membershipobjecttypeenforcement.md) -NOTE: For users with multiple roles, the policies specified for the highest priority role apply (see +:::note +For users with multiple roles, the policies specified for the highest priority role apply (see [Priority](/docs/directorymanager/11.1/admincenter/securityrole/manage.md)). The _[Search Policy](/docs/directorymanager/11.1/admincenter/securityrole/policy/search.md)_, _[New Object Policy](/docs/directorymanager/11.1/admincenter/securityrole/policy/newobject.md)_, and _[Group Name Prefixes](/docs/directorymanager/11.1/admincenter/identitystore/configure/prefixes.md)_ policy, however, apply with respect to all assigned roles. For example, if different search containers are specified for two different roles of a user, that user can search and view objects in both containers. See the following topics for additional information on security roles: +::: + - [Security Roles](/docs/directorymanager/11.1/admincenter/securityrole/overview.md) - [Create a Security Role](/docs/directorymanager/11.1/admincenter/securityrole/create.md) diff --git a/docs/directorymanager/11.1/admincenter/securityrole/policy/password.md b/docs/directorymanager/11.1/admincenter/securityrole/policy/password.md index dcfabc7761..58686ceb56 100644 --- a/docs/directorymanager/11.1/admincenter/securityrole/policy/password.md +++ b/docs/directorymanager/11.1/admincenter/securityrole/policy/password.md @@ -64,8 +64,11 @@ following: With authentication disabled, role members cannot sign into Directory Manager. -NOTE: The authentication lockout policy only disables the user account in Directory Manager. It does +:::note +The authentication lockout policy only disables the user account in Directory Manager. It does not disable it in the provider, such as Active Directory. +::: + **To specify an authentication lockout policy:** diff --git a/docs/directorymanager/11.1/admincenter/securityrole/policy/querydesigner.md b/docs/directorymanager/11.1/admincenter/securityrole/policy/querydesigner.md index d2c117eb6d..df1c6a6ef0 100644 --- a/docs/directorymanager/11.1/admincenter/securityrole/policy/querydesigner.md +++ b/docs/directorymanager/11.1/admincenter/securityrole/policy/querydesigner.md @@ -185,8 +185,11 @@ The Query Designer has multiple tabs, where each tab groups similar settings. Th You can hide any of these tabs from role members. -NOTE: The General tab is displayed to all users and cannot be hidden. However, you can hide the +:::note +The General tab is displayed to all users and cannot be hidden. However, you can hide the objects displayed on it, as discussed in the Limit the Objects for Use in a Query topic. +::: + **To hide a tab:** @@ -241,9 +244,12 @@ the query (see the **Filter Criteria** tab of the Query Designer). You can: ‘Contains’ and ‘Equals’ operators for the ‘cn’ attribute, then only these operators will be displayed when role members select the ‘cn’ attribute. - NOTE: This schema attribute setting will override the schema attribute setting specified on the + :::note + This schema attribute setting will override the schema attribute setting specified on the Smart Group Attribute page in portal's design settings. See the [ Specify Smart Group Query Attributes](/docs/directorymanager/11.1/admincenter/applications/portal/displaytype/queryattributes.md) topic. + ::: + 9. Click **Save Selection** on the **Allowed Attributes** dialog box. The **Attributes** area displays the allowed attributes count. @@ -268,8 +274,11 @@ Value: Human Resources You can specify a default criteria, that will be displayed to role members on the **Filter Criteria** tab. They can change it as required -NOTE: If you have limited the attributes and operators for role members, then only the allowed +:::note +If you have limited the attributes and operators for role members, then only the allowed attributes and operators are available to create a default filter criteria. +::: + **To specify a default filter criteria:** diff --git a/docs/directorymanager/11.1/admincenter/securityrole/policy/search.md b/docs/directorymanager/11.1/admincenter/securityrole/policy/search.md index ac318e1e69..54de2c5372 100644 --- a/docs/directorymanager/11.1/admincenter/securityrole/policy/search.md +++ b/docs/directorymanager/11.1/admincenter/securityrole/policy/search.md @@ -14,8 +14,11 @@ store. Use the Search policy to: - Limit the search scope to one container for role members. - Designate a criterion to limit the objects that role members can search. -NOTE: Microsoft Entra ID supports a single container only, so the search scope cannot be restricted +:::note +Microsoft Entra ID supports a single container only, so the search scope cannot be restricted container-wise in a Microsoft Entra ID identity store. +::: + ## How does the Search Policy Work? @@ -57,10 +60,13 @@ The Search policy has the following impact on the Directory Manager portal: 10. On the **Edit Security Role** page, click **Update Security Role**. 11. On the **Security Roles** page, click **Save**. -NOTE: An advanced setting for the Directory Manager portal, _Search Default_, controls the search +:::note +An advanced setting for the Directory Manager portal, _Search Default_, controls the search scope of the portal. If its value is "Global Catalog", the container specified here is ignored and the portal shows objects from the entire directory. See the [Manage Advanced Settings](/docs/directorymanager/11.1/admincenter/applications/portal/server/advanced.md) topic. +::: + ## Set the Search Scope to all Containers in the Identity Store diff --git a/docs/directorymanager/11.1/admincenter/securityrole/policy/synchronize.md b/docs/directorymanager/11.1/admincenter/securityrole/policy/synchronize.md index 4091c73479..397ae1f5e8 100644 --- a/docs/directorymanager/11.1/admincenter/securityrole/policy/synchronize.md +++ b/docs/directorymanager/11.1/admincenter/securityrole/policy/synchronize.md @@ -72,11 +72,14 @@ stores and data sources build on specific provider(s) in a job. 8. On the **Edit Security Role** page, click **Update Security Role**. 9. On the **Security Roles** page, click **Save**. -NOTE: If you disallow a provider as a source, all Synchronize jobs already using an identity +:::note +If you disallow a provider as a source, all Synchronize jobs already using an identity store/data source for that provider as source will become read-only for role members and they will not be able to run them. Similarly, if you disallow a provider as a destination, all Synchronize jobs already using an identity store/data source for that provider as destination will become read-only for role members and they will not be able to run them. +::: + ## Prevent Role Members from Using an Identity Store or Data Source as Source or Destination @@ -115,11 +118,14 @@ identity store or data source in a job. 9. On the **Edit Security Role** page, click **Update Security Role**. 10. On the **Security Roles** page, click **Save**. -NOTE: If you disallow an identity store or data source as a source, all Synchronize jobs already +:::note +If you disallow an identity store or data source as a source, all Synchronize jobs already using it as source will become read-only for role members and they will not be able to run them. Similarly, if you disallow an identity store or data source as destination, all Synchronize jobs already using it as destination will become read-only for role members and they will not be able to run them. +::: + ## Prevent Role Members from Manipulating Specific Object Type(s) @@ -141,7 +147,8 @@ disallowed objects at the destination. For example, if you disallow the user obj IdentityStore_A, role members will not be able to provision, update and deprovision user objects in identityStore_A through a Synchronize job. -NOTE: If you disallow an object type in an identity store or data source, all Synchronize jobs +:::note +If you disallow an object type in an identity store or data source, all Synchronize jobs already using that identity store or data source (either as source or destination) while only provisioning or updating the disallowed object type, will become read-only for role members and they will not be able to run them. If a job provisions or updates multiple objects, where the disallowed @@ -152,6 +159,8 @@ store is already used as a destination in a Synchronize job that provisions mail the job will become read-only for role members and they will not be able to run it. If IdentityStore_A is used as a source or destination in a Synchronize job that provisions multiple objects types, then the job will run as usual, except that the mailbox object will not be processed. +::: + For data sources, you can disallow the following to role members as an alternate to object types: diff --git a/docs/directorymanager/11.1/admincenter/service/dataservice/create.md b/docs/directorymanager/11.1/admincenter/service/dataservice/create.md index a6e5c907cc..2701803127 100644 --- a/docs/directorymanager/11.1/admincenter/service/dataservice/create.md +++ b/docs/directorymanager/11.1/admincenter/service/dataservice/create.md @@ -129,7 +129,10 @@ container for the service there and run the service from within that container. For an overview on application deployment in Docker, see the [Prerequisites for Deployments in Docker](/docs/directorymanager/11.1/admincenter/applications/dockerprerequisites.md) topic. -NOTE: To host the Data service, Docker daemon should be configured to run Windows containers. +:::note +To host the Data service, Docker daemon should be configured to run Windows containers. +::: + Follow the steps to create a Data service. diff --git a/docs/directorymanager/11.1/admincenter/service/dataservice/manage.md b/docs/directorymanager/11.1/admincenter/service/dataservice/manage.md index dcefcd7e26..883413c165 100644 --- a/docs/directorymanager/11.1/admincenter/service/dataservice/manage.md +++ b/docs/directorymanager/11.1/admincenter/service/dataservice/manage.md @@ -146,7 +146,10 @@ For details on file logging and Windows logging, see the [Windows Logging](/docs/directorymanager/11.1/admincenter/applications/portal/server/log.md#windows-logging) topics. Replace references to the portal with the respective service. -NOTE: Windows logging is not available for Data service and Security service. +:::note +Windows logging is not available for Data service and Security service. +::: + ### Change the File Logging Level for a Service @@ -275,5 +278,8 @@ Step 2 – On the **Applications** page, click the **Data Service** tab. Step 3 – On the **Data Service** tab page, click the ellipsis button for a Data service and select **Delete**. -NOTE: You cannot delete the default Data service. You cannot also delete a Data service that has +:::note +You cannot delete the default Data service. You cannot also delete a Data service that has been linked with a Directory Manager client, such as the Directory Manager portal. + +::: diff --git a/docs/directorymanager/11.1/admincenter/service/replicationservice.md b/docs/directorymanager/11.1/admincenter/service/replicationservice.md index c44ca550d8..30f42727c2 100644 --- a/docs/directorymanager/11.1/admincenter/service/replicationservice.md +++ b/docs/directorymanager/11.1/admincenter/service/replicationservice.md @@ -52,9 +52,12 @@ You can manage the following settings for a Replication service. In an environment with multiple Elasticsearch clusters, you can choose to sync data between clusters. You can also specify an interval for syncing. -NOTE: In Directory Manager, a separate Replication service is created for each node in a cluster. To +:::note +In Directory Manager, a separate Replication service is created for each node in a cluster. To enable data syncing between clusters, simply enable the sync option for one Replications service within each cluster. +::: + Follow the steps to sync data between clusters. diff --git a/docs/directorymanager/11.1/admincenter/service/securityservice/create.md b/docs/directorymanager/11.1/admincenter/service/securityservice/create.md index 8ca660d8e5..dc76dd4172 100644 --- a/docs/directorymanager/11.1/admincenter/service/securityservice/create.md +++ b/docs/directorymanager/11.1/admincenter/service/securityservice/create.md @@ -95,7 +95,10 @@ container for the service there and run the service from within that container. For an overview on application deployment in Docker, see the [Prerequisites for Deployments in Docker](/docs/directorymanager/11.1/admincenter/applications/dockerprerequisites.md) topic. -NOTE: To host the Security service, Docker daemon should be configured to run Windows containers. +:::note +To host the Security service, Docker daemon should be configured to run Windows containers. +::: + **To create a Security service:** diff --git a/docs/directorymanager/11.1/admincenter/service/securityservice/manage.md b/docs/directorymanager/11.1/admincenter/service/securityservice/manage.md index 576fca93e0..65720c7a6b 100644 --- a/docs/directorymanager/11.1/admincenter/service/securityservice/manage.md +++ b/docs/directorymanager/11.1/admincenter/service/securityservice/manage.md @@ -94,5 +94,8 @@ Step 2 – On the **Applications** page, click the **Security Service** tab. Step 3 – Click the ellipsis button for a Security service and select **Delete**. -NOTE: You cannot delete the default Security service. You cannot also delete a Security service that +:::note +You cannot delete the default Security service. You cannot also delete a Security service that has been linked with a Directory Manager client, such as the Directory Manager portal. + +::: diff --git a/docs/directorymanager/11.1/admincenter/service/securityservice/signkeyutility.md b/docs/directorymanager/11.1/admincenter/service/securityservice/signkeyutility.md index c7b919882e..55edb1f501 100644 --- a/docs/directorymanager/11.1/admincenter/service/securityservice/signkeyutility.md +++ b/docs/directorymanager/11.1/admincenter/service/securityservice/signkeyutility.md @@ -45,7 +45,10 @@ folder. Using Netwrix Directory Manager (formerly GroupID) Signing Key Utility you can generate a new signing key. -RECOMMENDED: Generate the new signing key on your Directory Manager server machine. +:::info +Generate the new signing key on your Directory Manager server machine. +::: + Follow the steps to generate a new signing key. diff --git a/docs/directorymanager/11.1/admincenter/signin.md b/docs/directorymanager/11.1/admincenter/signin.md index 9e657b175b..fb73cab3c0 100644 --- a/docs/directorymanager/11.1/admincenter/signin.md +++ b/docs/directorymanager/11.1/admincenter/signin.md @@ -20,18 +20,24 @@ Use any of the following methods to connect and sign in: - Select an identity store and enter the username and password of your identity store account. - NOTE: To sign in using the Directory Manager provider, enter the username and password you + :::note + To sign in using the Directory Manager provider, enter the username and password you provided for the _GroupID administrator_ on the Service Account Settings page of the Configuration Tool. See the [Configure a New Directory Manager Server with a New or an Existing Database](/docs/directorymanager/11.1/install/configure/gidserver.md) topic. + ::: + - Select an identity store and sign in using a SAML provider. This option is available if a SAML provider is configured with the selected identity store. - NOTE: Microsoft Entra ID MFA enabled users cannot log into Directory Manager using their + :::note + Microsoft Entra ID MFA enabled users cannot log into Directory Manager using their username and password. They will be authenticated through the SAML provider configured for in Directory Manager. + ::: + Next, you may have to pass second factor authentication, depending on whether it is enabled for your role in the identity store. You can perform tasks in the Admin Center in keeping with your role and @@ -76,8 +82,11 @@ SAML provider configuration: On the **GroupID Authenticate** page, click the button or image for the provider and proceed to sign in. -NOTE: For Microsoft Entra ID MFA enabled users, a SAML provider must be configured for signing into +:::note +For Microsoft Entra ID MFA enabled users, a SAML provider must be configured for signing into Directory Manager. +::: + ### Pass Second Factor Authentication diff --git a/docs/directorymanager/11.1/admincenter/workflow/advancedsettings.md b/docs/directorymanager/11.1/admincenter/workflow/advancedsettings.md index 386c9a029e..6dc9fab399 100644 --- a/docs/directorymanager/11.1/admincenter/workflow/advancedsettings.md +++ b/docs/directorymanager/11.1/admincenter/workflow/advancedsettings.md @@ -9,8 +9,11 @@ sidebar_position: 20 You can specify advanced settings for workflow, such as set a default approver for workflow requests and define approver acceleration settings. -NOTE: Functions discussed in this topic are licensed under different add-ons. See the +:::note +Functions discussed in this topic are licensed under different add-ons. See the [ Licensing ](/docs/directorymanager/11.1/admincenter/general/licensing.md) topic. +::: + ## Specify a Default Approver diff --git a/docs/directorymanager/11.1/admincenter/workflow/approveracceleration.md b/docs/directorymanager/11.1/admincenter/workflow/approveracceleration.md index ab5a3dbfd6..412416fed7 100644 --- a/docs/directorymanager/11.1/admincenter/workflow/approveracceleration.md +++ b/docs/directorymanager/11.1/admincenter/workflow/approveracceleration.md @@ -42,9 +42,12 @@ auto approve requests, and send notifications. See the 3. Click **Workflows** under **Settings** in the left pane. 4. On the **Workflows** page, click the **Advanced Workflow Settings** tab. - NOTE: When an SMTP server is not defined for the identity store, approver acceleration settings + :::note + When an SMTP server is not defined for the identity store, approver acceleration settings are disabled and a message is displayed with a **Configure Now** link to redirect you to the **Notifications** page. + ::: + 5. Use the **Approver Acceleration** toggle button to apply the approver acceleration settings and rules to all workflows defined for the identity store. @@ -65,9 +68,12 @@ Directory Manager applies certain rules to forward it to another approver. On acceleration, the new approver receives an email notification to approve/deny the request. -NOTE: Even after acceleration, all previous approvers are authorized to approve/deny the requests. +:::note +Even after acceleration, all previous approvers are authorized to approve/deny the requests. Administrators can also approve or deny these requests at any given time from the _All Requests_ node in the Directory Manager portal. +::: + Workflow acceleration rules are discussed below, with these assumed acceleration settings: @@ -90,7 +96,10 @@ Acceleration rules for a user approver are: for 5 days, the request goes to the default approver. If the default approver is not specified, the request becomes static. -NOTE: Consider the following: +:::note +Consider the following: +::: + 1. If, in the acceleration chain, any approver is disabled, the workflow request is directly sent to the primary manager of the disabled approver in the same acceleration hop. Referring to the diff --git a/docs/directorymanager/11.1/admincenter/workflow/implement.md b/docs/directorymanager/11.1/admincenter/workflow/implement.md index 1e800ad927..98e6e10086 100644 --- a/docs/directorymanager/11.1/admincenter/workflow/implement.md +++ b/docs/directorymanager/11.1/admincenter/workflow/implement.md @@ -82,9 +82,12 @@ attribute, it triggers the workflow. 7. In the **Events** drop-down list, select the event (Create, Edit, Delete) that will trigger the workflow. - NOTE: (1) For the Create event, you can define only one workflow for an object. - (2) A workflow for the Group object with the Delete event will be triggered when the group is + :::note + (1) For the Create event, you can define only one workflow for an object. + (2) A workflow for the Group object with the Delete event will be triggered when the group is manually deleted. + ::: + 8. Select the **Mail Approval** check box to enable the approver to approve or deny a workflow request from within the workflow email notification. These notifications contain the **Accept** @@ -164,8 +167,11 @@ attribute, it triggers the workflow. 2. On the **Add Fields** dialog box, select the check box for a field to add it to the workflow and click **Add**. - NOTE: The **Field(s)** section is not available when _Create_ is selected in the **Events** + :::note + The **Field(s)** section is not available when _Create_ is selected in the **Events** drop-down list. + ::: + 15. By default, the workflow is enabled, as indicated by the **Enabled** toggle button at the top of the page. If required, use the toggle button to disable it. diff --git a/docs/directorymanager/11.1/admincenter/workflow/integrate.md b/docs/directorymanager/11.1/admincenter/workflow/integrate.md index ad5ffe9c16..a10afa0b2d 100644 --- a/docs/directorymanager/11.1/admincenter/workflow/integrate.md +++ b/docs/directorymanager/11.1/admincenter/workflow/integrate.md @@ -24,9 +24,12 @@ be linked to flows. Consequently, when the identity store workflow is triggered, the linked flow is auto triggered. -NOTE: When the flow is approved in Power Automate, the identity store workflow request is auto +:::note +When the flow is approved in Power Automate, the identity store workflow request is auto approved. However, if the identity store workflow request is approved first, the flow would not be auto approved. +::: + ### Connect an Identity Store to Power Automate @@ -34,9 +37,12 @@ To connect an identity tore to Power Automate, you must configure a Power Automa identity store. This will establish a communication channel between the Directory Manager Data service and the Power Automate platform. -NOTE: Make sure the Directory Manager server is deployed on a machine that is exposed over the +:::note +Make sure the Directory Manager server is deployed on a machine that is exposed over the Internet, as Power Automate needs to communicate with the Directory Manager server for processing requests. Power Automate cannot communicate with a server deployed on a machine behind NAT. +::: + **To configure a Power Automate client for an identity store:** @@ -60,9 +66,12 @@ requests. Power Automate cannot communicate with a server deployed on a machine - **Client ID** - the application ID assigned to the Directory Manager application when you registered it in Microsoft Entra Admin Center. - NOTE: The Directory Manager application in Microsoft Entra Admin Center must have the following + :::note + The Directory Manager application in Microsoft Entra Admin Center must have the following permissions for Power Automate: - ![pa_permissions](/img/product_docs/directorymanager/11.1/admincenter/workflow/pa_permissions.webp) + ![pa_permissions](/img/product_docs/directorymanager/11.1/admincenter/workflow/pa_permissions.webp) + ::: + 7. Click **Save** on the **Advanced Workflow Settings** page. diff --git a/docs/directorymanager/11.1/admincenter/workflow/overview.md b/docs/directorymanager/11.1/admincenter/workflow/overview.md index 9f3c0ebd38..a74f61c500 100644 --- a/docs/directorymanager/11.1/admincenter/workflow/overview.md +++ b/docs/directorymanager/11.1/admincenter/workflow/overview.md @@ -17,8 +17,11 @@ A workflow triggers when a certain operation, performed by a user, meets the cri that workflow. Designated users can approve or deny workflow requests using the Directory Manager portal. -NOTE: Workflows require an SMTP server to be configured for the identity store. See the +:::note +Workflows require an SMTP server to be configured for the identity store. See the [Configure an SMTP Server](/docs/directorymanager/11.1/admincenter/identitystore/configure/smtpserver.md) topic. +::: + ## System Workflows @@ -38,8 +41,11 @@ trigger when their associated events occur: You can also define new workflows for an identity store. -NOTE: You cannot delete a system workflow, but you can disable it. You can also modify it to a +:::note +You cannot delete a system workflow, but you can disable it. You can also modify it to a limited extent. +::: + ## Synchronize Jobs and Workflows diff --git a/docs/directorymanager/11.1/authenticate/asidentityprovider/register.md b/docs/directorymanager/11.1/authenticate/asidentityprovider/register.md index e0ffd363c2..0ecadc5862 100644 --- a/docs/directorymanager/11.1/authenticate/asidentityprovider/register.md +++ b/docs/directorymanager/11.1/authenticate/asidentityprovider/register.md @@ -42,8 +42,11 @@ store for authentication. Step 7 – Click **Browse** under Identity Provider Image to upload an image for the application, such as the application logo. -NOTE: Supported image formats: .jpg, .bmp, .webp, and .gif +:::note +Supported image formats: .jpg, .bmp, .webp, and .gif Image file dimensions: 210 x 60 pixels +::: + Step 8 – Expand the Advanced section by clicking the down arrow head to specify advanced settings for the application. diff --git a/docs/directorymanager/11.1/authenticate/asserviceprovider/adfs/configureadfsindirectorymanager.md b/docs/directorymanager/11.1/authenticate/asserviceprovider/adfs/configureadfsindirectorymanager.md index 1bab8d557e..f3172e9dae 100644 --- a/docs/directorymanager/11.1/authenticate/asserviceprovider/adfs/configureadfsindirectorymanager.md +++ b/docs/directorymanager/11.1/authenticate/asserviceprovider/adfs/configureadfsindirectorymanager.md @@ -85,8 +85,11 @@ FS option as an image or as a button. To display the AD FS option as an image, you have to upload an image for it. On the Create New Provider page, use the Browse button under Identity Provider Image to upload an image for AD FS. -NOTE: Supported image formats: .jpg, .bmp, .webp, .gif +:::note +Supported image formats: .jpg, .bmp, .webp, .gif Required image file dimensions: 210 x 60 pixels +::: + If you do not upload an image, AD FS authentication will be shown as a button. This button would have the same name as you entered in the Name box on the Create New Provider page. diff --git a/docs/directorymanager/11.1/authenticate/asserviceprovider/adfs/generateurls.md b/docs/directorymanager/11.1/authenticate/asserviceprovider/adfs/generateurls.md index 2a0134623e..a55aa0c9e7 100644 --- a/docs/directorymanager/11.1/authenticate/asserviceprovider/adfs/generateurls.md +++ b/docs/directorymanager/11.1/authenticate/asserviceprovider/adfs/generateurls.md @@ -35,8 +35,11 @@ Step 3 – The URL displayed in the Consumer URL box is a unique identifier for It is used to set up relying party trust in AD FS. Click **Copy** to copy it. Then paste it in a file, preferably a text file, to save it. -NOTE: On upgrade to Directory Manager 11, you must generate the consumer URL again for the Directory +:::note +On upgrade to Directory Manager 11, you must generate the consumer URL again for the Directory Manager client configured with AD FS, and update it in AD FS. +::: + ## Generate Entity ID/Audience URL diff --git a/docs/directorymanager/11.1/configureentraid/createid.md b/docs/directorymanager/11.1/configureentraid/createid.md index b6170666ab..d770cf0e35 100644 --- a/docs/directorymanager/11.1/configureentraid/createid.md +++ b/docs/directorymanager/11.1/configureentraid/createid.md @@ -17,11 +17,14 @@ See the [Create an Identity Store for Microsoft Entra ID](/docs/directorymanager/11.1/admincenter/identitystore/create.md#create-an-identity-store-for-microsoft-entra-id) topic for creating an Microsoft Entra ID identity store. -NOTE: If you intend to use a service account user with Global Administrator directory role, then no +:::note +If you intend to use a service account user with Global Administrator directory role, then no change is required in the default Directory Manager security roles settings of Microsoft Entra ID identity store. And if you intend to use a service account user with any role, other than Global administrator directory role (i.e. User Administrator + Exchange Administrator), then the Directory Manager Administrator security role criteria group must be changed to User Account Administrator. +::: + ## Directory Manager Security Role Setting diff --git a/docs/directorymanager/11.1/configureentraid/register/appregister.md b/docs/directorymanager/11.1/configureentraid/register/appregister.md index b85c6968a3..153449088d 100644 --- a/docs/directorymanager/11.1/configureentraid/register/appregister.md +++ b/docs/directorymanager/11.1/configureentraid/register/appregister.md @@ -77,10 +77,13 @@ Step 10 – On the **All roles** page, add your registered application to a dire Administrators can change passwords for users, Helpdesk administrators, and other User Account Administrators only. - NOTE: By default, the Directory Manager Administrator security role in a Microsoft Entra + :::note + By default, the Directory Manager Administrator security role in a Microsoft Entra IDidentity store binds to Global Administrator. If minimum role assignment for the service account is used, the default Admin Security role criteria should also be changed to the _User Account Administrators_ group. + ::: + Step 11 – Click **Add**. diff --git a/docs/directorymanager/11.1/configureentraid/register/overview.md b/docs/directorymanager/11.1/configureentraid/register/overview.md index f331702785..aa52ea8580 100644 --- a/docs/directorymanager/11.1/configureentraid/register/overview.md +++ b/docs/directorymanager/11.1/configureentraid/register/overview.md @@ -18,7 +18,8 @@ Directory Manager requires: - A Microsoft Entra ID Directory Role for the service account for the Microsoft Entra ID identity store. - NOTE: See the + :::note + See the [All Role](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#all-role) section for [User Administrator](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#user-administrator) @@ -26,3 +27,5 @@ Directory Manager requires: [Exchange Administrator](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#exchange-administrator) role permissions in [Microsoft Entra built-in roles](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#microsoft-entra-built-in-roles). + + ::: diff --git a/docs/directorymanager/11.1/credentialprovider/installcp.md b/docs/directorymanager/11.1/credentialprovider/installcp.md index 2977ca3cd1..05ac89bd77 100644 --- a/docs/directorymanager/11.1/credentialprovider/installcp.md +++ b/docs/directorymanager/11.1/credentialprovider/installcp.md @@ -119,8 +119,11 @@ Having Orca successfully installed, follow these steps to deploy Credential Prov ![Group Policy Management console](/img/product_docs/directorymanager/11.1/portal/user/manage/gp_policy.webp) - NOTE: Group Policy Management console is available if the Group Policy Management feature has + :::note + Group Policy Management console is available if the Group Policy Management feature has been installed. + ::: + 2. Right-click the domain or organizational unit for the computers that you want the Credential Provider installed on. Select **Create a GPO in this domain, and link it here...**: @@ -138,7 +141,10 @@ Having Orca successfully installed, follow these steps to deploy Credential Prov ![New Package option](/img/product_docs/directorymanager/11.1/portal/user/manage/software_installation.webp) - NOTE: This documentation describes steps for editing the default policy. + :::note + This documentation describes steps for editing the default policy. + ::: + 4. Browse to the shared folder. The folder must have the following files in it: diff --git a/docs/directorymanager/11.1/install/configure/database.md b/docs/directorymanager/11.1/install/configure/database.md index d40dbbb354..c42bfb6400 100644 --- a/docs/directorymanager/11.1/install/configure/database.md +++ b/docs/directorymanager/11.1/install/configure/database.md @@ -49,8 +49,11 @@ Step 5 – Depending on the authentication mode selected, do the following: Step 6 – In the SQL Database box, specify name of the SQL database being used by the master Directory Manager node. This new Directory Manager instance will use the same database. -NOTE: While configuring a new Directory Manager machine with an existing database option, the Copy +:::note +While configuring a new Directory Manager machine with an existing database option, the Copy Database button has no relevance here. +::: + Step 7 – Click **Next**. @@ -87,7 +90,10 @@ Step 10 – Directory Manager requires two services: - Admin Center: Admin Center is a web-based application that can be accessed over the Internet and Intranet. -NOTE: This Directory Manager instance will use Email and Scheduler services of the selected cluster. +:::note +This Directory Manager instance will use Email and Scheduler services of the selected cluster. +::: + Step 11 – Click **Next**. @@ -109,7 +115,10 @@ Select the relevant option: 3. TCP Port: the default port for communication between nodes within the cluster. Modify the port number if the mentioned default port is not available. - NOTE: Make sure that the specified ports are available and unblocked. + :::note + Make sure that the specified ports are available and unblocked. + ::: + I will install and manage Elasticsearch myself: If you select this option, the following page is displayed: @@ -126,14 +135,20 @@ Step 13 – Click **Next**. ![Service Account Settings page](/img/product_docs/directorymanager/11.1/install/configure/service_account_settings_w_existing_db.webp) -NOTE: If you configure a Group Managed Service Account (gMSA) as an App Pool service account then +:::note +If you configure a Group Managed Service Account (gMSA) as an App Pool service account then the Directory ManagerConfiguration tool will add this account in the local administrators and IIS_IUSRS groups. +::: -NOTE: If you configure a normal user account as an App Pool service account and an AD identity store + +:::note +If you configure a normal user account as an App Pool service account and an AD identity store is created with a gMSA service account, then the App Pool service account must have the _PrincipalsAllowedToRetrieveManagedPassword_ property. The App Pool service account also must be a member of Backup Operators and IIS_IUSRS groups. +::: + Step 14 – On the Service Account Settings page, specify the service account to use for the Directory Manager app pool in IIS and Windows services. @@ -148,10 +163,16 @@ Manager app pool in IIS and Windows services. - You can specify a local account (with local administrator rights) in app pool for a machine that is not joined to any domain (this applies to an Microsoft Entra ID identity store only). - NOTE: For Directory Manager App Pool, a domain account can be used for a machine joined to a + :::note + For Directory Manager App Pool, a domain account can be used for a machine joined to a domain. + ::: + + + :::note + Before you use a Group Managed Service Account, make sure that: + ::: - NOTE: Before you use a Group Managed Service Account, make sure that: - Key Distribution Service (KDS) is enabled on the Directory Manager machine. - Microsoft AD module for PowerShell is installed on the machine. @@ -171,10 +192,16 @@ Step 15 – You can specify a service accounts for the app pool in any of the fo On the Create Service Account dialog box, select the kind of account you want to create. Enter a name, container and password for the account. Click **Create**. - NOTE: The logged-in user must have appropriate rights to create a new account. + :::note + The logged-in user must have appropriate rights to create a new account. + ::: - NOTE: If Key Distribution Service (KDS) is not configured in the environment, a warning will be + + :::note + If Key Distribution Service (KDS) is not configured in the environment, a warning will be displayed that you cannot use a Group Managed Service Account. + ::: + Step 16 – Provide password for the App Pool service account (except for a Group Managed Service Account) in the Password box. diff --git a/docs/directorymanager/11.1/install/configure/gidserver.md b/docs/directorymanager/11.1/install/configure/gidserver.md index 9f3f2a0f57..5163da5c31 100644 --- a/docs/directorymanager/11.1/install/configure/gidserver.md +++ b/docs/directorymanager/11.1/install/configure/gidserver.md @@ -85,7 +85,10 @@ Select the relevant option: 3. TCP Port: the default port for communication between nodes within the cluster. Modify the port number if the mentioned default port is not available. - NOTE: Make sure that the specified ports are available and unblocked. + :::note + Make sure that the specified ports are available and unblocked. + ::: + I will install and manage Elasticsearch myself: If you select this option, the following page is displayed: @@ -133,14 +136,20 @@ Select the relevant option: ![Service Account Setting page](/img/product_docs/directorymanager/11.1/install/configure/serviceaccount.webp) - NOTE: If you configure a Group Managed Service Account (gMSA) as an App Pool service account + :::note + If you configure a Group Managed Service Account (gMSA) as an App Pool service account then the Directory Manager Configuration tool will add this account in the local administrators and IIS_IUSRS groups. + ::: + - NOTE: If you configure a normal user account as an App Pool service account and an AD identity + :::note + If you configure a normal user account as an App Pool service account and an AD identity store is created with a gMSA service account, then the App Pool service account must have the _PrincipalsAllowedToRetrieveManagedPassword_ property. The App Pool service account also must be a member of Backup Operators and IIS_IUSRS groups. + ::: + Step 15 – Directory Manager enables you to specify the service accounts to use for the Directory Manager App Pool and a default Administrative account for Directory Manager Admin Center. @@ -150,10 +159,16 @@ Select the relevant option: | Directory Manager App Pool | Use a domain account or a Group Managed Service Account (gMSA). The account must be a member of the Administrators group or both the Backup Operators and IIS_IUSRS groups. The account you specify will be used to manage the Directory Manager app pool in IIS. Directory Manager Data Service, Security Service, and the portals run under the app pool. By default, a local account, GroupIDSSuser, is set for the Directory Manager app pool, but you cannot proceed unless you change it to a domain account or gMSA. You can specify a local account (with local administrator rights) in app pool for a machine that is not joined to any domain (this applies to an Microsoft Entra ID identity store only). | | Directory Manager Administrator | Use this account as default Administrative account for first time login to Directory Manager Admin Center. This account is not associated with any identity store, but one that is specific to Directory Manager. This account works as an Admin of all Admin accounts of defined identity stores in Admin Center. | - NOTE: For Directory Manager App Pool, a domain account can be used for a machine joined to a + :::note + For Directory Manager App Pool, a domain account can be used for a machine joined to a domain. + ::: + + + :::note + Before you use a Group Managed Service Account, make sure that: + ::: - NOTE: Before you use a Group Managed Service Account, make sure that: - Key Distribution Service (KDS) is enabled on the Directory Manager machine. - Microsoft AD module for PowerShell is installed on the machine. @@ -174,10 +189,16 @@ Create a new service account: Click the **Create New** button on the Service Acc On the Create Service Account dialog box, select the kind of account you want to create. Enter a name, container and password for the account. Click **Create**. -NOTE: The logged-in user must have appropriate rights to create a new account. +:::note +The logged-in user must have appropriate rights to create a new account. +::: + -NOTE: If Key Distribution Service (KDS) is not configured in the environment, a warning will be +:::note +If Key Distribution Service (KDS) is not configured in the environment, a warning will be displayed that you cannot use a Group Managed Service Account. +::: + Step 17 – Provide password for the App Pool service account (except for a Group Managed Service Account) in the Password box. diff --git a/docs/directorymanager/11.1/install/configure/setupauthentication.md b/docs/directorymanager/11.1/install/configure/setupauthentication.md index d70025ceaa..9e60b85cbd 100644 --- a/docs/directorymanager/11.1/install/configure/setupauthentication.md +++ b/docs/directorymanager/11.1/install/configure/setupauthentication.md @@ -23,9 +23,15 @@ Definition Language) and DML (Data Manipulation Language) commands. However, unl Authentication mode setup, you do not need to add the account to the _db_owner_ role because SQL Server _db_creator_ is mapped to the _db_owner_ database role by default. -NOTE: Note: For SQL Server 2016, 2017, 2019 and 2022 families, every SQL Server account is assigned +:::note +:::note +For SQL Server 2016, 2017, 2019 and 2022 families, every SQL Server account is assigned the _public_ role. Therefore, the Directory Manager SQL account belongs to two server roles: _db_creator_ and _public_. +::: +::: + + To add the Directory Manager SQL account to the db_creator role: diff --git a/docs/directorymanager/11.1/install/configure/signingkeyinfo.md b/docs/directorymanager/11.1/install/configure/signingkeyinfo.md index 9bef6e1cb8..35c2c1b0ce 100644 --- a/docs/directorymanager/11.1/install/configure/signingkeyinfo.md +++ b/docs/directorymanager/11.1/install/configure/signingkeyinfo.md @@ -22,9 +22,18 @@ Manager is successfully configured page as follows: ![GroupID is successfully configured page with Signing Key Disclaimer](/img/product_docs/directorymanager/11.1/install/configure/signkeydisclaimer.webp) +:::tip +:::tip +:::tip Remember, after the Signing Key update, your existing schedules will not work as their authentication mechanism will no longer be considered valid. Therefore, the authentication mechanism must be updated for schedules using one of the following way: +::: +::: +::: + + + - Signing Key Utility – See the Signing Key utility guide for information on how to download the utility and update the schedules. @@ -65,9 +74,18 @@ without the disclaimer. ![GroupID is successfully configured page](/img/product_docs/directorymanager/11.1/install/configure/success.webp) +:::tip +:::tip +:::tip Remember, after the Signing Key update, your existing schedules will not work as their authentication mechanism will no longer be considered valid. Therefore, the authentication mechanism must be updated for schedules using one of the following way: +::: +::: +::: + + + - Signing Key Utility – See the Signing Key utility guide for information on how to download the utility and update the schedules. @@ -122,9 +140,18 @@ copied Signing Key file using the commandlet given in the of the [Signing Key Utility](/docs/directorymanager/11.1/admincenter/service/securityservice/signkeyutility.md) topic for information on how to import the Signing Key. +:::tip +:::tip +:::tip Remember, after the Signing Key update, your existing schedules will not work as their authentication mechanism will no longer be considered valid. Therefore, the authentication mechanism must be updated for schedules using one of the following way: +::: +::: +::: + + + - Signing Key Utility – See the Signing Key utility guide for information on how to download the utility and update the schedules. diff --git a/docs/directorymanager/11.1/install/installer/installer.md b/docs/directorymanager/11.1/install/installer/installer.md index 8fb23534a0..d3bb7936f8 100644 --- a/docs/directorymanager/11.1/install/installer/installer.md +++ b/docs/directorymanager/11.1/install/installer/installer.md @@ -28,9 +28,12 @@ The Directory Manager installation package consists of: Before installing Directory Manager, make sure that the logged-in user is a member of the local Administrators group on that machine. -NOTE: (1) There should be a dedicated server for Directory Manager. +:::note +(1) There should be a dedicated server for Directory Manager. (2) Do not install Directory Manager on the domain controller. (3) Do not install Directory Manager and Microsoft Exchange Server on the same machine. +::: + ## Installation Cases @@ -51,7 +54,13 @@ Next, run the Upgrade wizard to make the copied database compatible with Directo upgraded, the database schema changes, making it incompatible with the previous Directory Manager version. -NOTE: When Directory Manager 11 co-exists with a previous Directory Manager version (case # 1 and +:::note +When Directory Manager 11 co-exists with a previous Directory Manager version (case # 1 and 2), the two must have separate databases. Data is not replicated between these databases. +::: + + +:::note +This section does not apply to a fresh Directory Manager installation. -NOTE: This section does not apply to a fresh Directory Manager installation. +::: diff --git a/docs/directorymanager/11.1/install/installer/preparationtool.md b/docs/directorymanager/11.1/install/installer/preparationtool.md index c022a10abd..c9e059f03b 100644 --- a/docs/directorymanager/11.1/install/installer/preparationtool.md +++ b/docs/directorymanager/11.1/install/installer/preparationtool.md @@ -71,7 +71,10 @@ below is installed, otherwise uninstall them manually: - Microsoft Edge Webview2 Rnntime - NOTE: If you need to re-run the preparation tool, uninstall this component first. + :::note + If you need to re-run the preparation tool, uninstall this component first. + ::: + After uninstalling the prerequisites, follow the steps given in the Run the Preparation Tool first time on a fresh machine section above. diff --git a/docs/directorymanager/11.1/install/installer/uninstall.md b/docs/directorymanager/11.1/install/installer/uninstall.md index d9fbd829b3..e1d6c5e4fd 100644 --- a/docs/directorymanager/11.1/install/installer/uninstall.md +++ b/docs/directorymanager/11.1/install/installer/uninstall.md @@ -96,5 +96,8 @@ Follow these steps to remove Directory Manager certificates from IIS: - GroupIDSecurityService - Imanami GroupID Certificate -NOTE: Do not remove these certificates if another Directory Manager version is installed on the +:::note +Do not remove these certificates if another Directory Manager version is installed on the machine. + +::: diff --git a/docs/directorymanager/11.1/install/securityutility.md b/docs/directorymanager/11.1/install/securityutility.md index 5ded9b446e..0a11627c05 100644 --- a/docs/directorymanager/11.1/install/securityutility.md +++ b/docs/directorymanager/11.1/install/securityutility.md @@ -57,8 +57,11 @@ comma. ![Restrict IP Addresses](/img/product_docs/directorymanager/11.1/install/iprestrict.webp) -RECOMMENDED: Use a static IP address for the Directory Manager server and the additional IP +:::info +Use a static IP address for the Directory Manager server and the additional IP addresses you specify here to include in the IP security rules. +::: + Step 3 – After successful configuration, the following message is displayed. @@ -67,12 +70,15 @@ Step 3 – After successful configuration, the following message is displayed. In the event of a Directory Manager multi-instance deployment, execute the above steps on each Directory Manager server in your environment. -NOTE: In case you deploy a new Directory Manager server/instance, add the IP address of the new +:::note +In case you deploy a new Directory Manager server/instance, add the IP address of the new server to the primary server's IP security rule allowed list. Run the NDM11-ADV-2025-014 utility on the primary server to add the additional IP. This should be done before the new server connects to the Data service on the primary server (this connection is required while configuring the new server). Once the new server is configured, you can remove the IP from the allowed list of the primary server. +::: + ## Generate a Secure Password diff --git a/docs/directorymanager/11.1/install/upgrade/backuprestore.md b/docs/directorymanager/11.1/install/upgrade/backuprestore.md index 51daa78e08..84f43837e5 100644 --- a/docs/directorymanager/11.1/install/upgrade/backuprestore.md +++ b/docs/directorymanager/11.1/install/upgrade/backuprestore.md @@ -122,8 +122,11 @@ Step 2 – Copy the Jobs folder. Step 3 – Create a new folder (ideally on a different drive) and paste the **Jobs** folder into it. -NOTE: If some scheduled tasks are defined for Synchronize jobs, you do not need to create their +:::note +If some scheduled tasks are defined for Synchronize jobs, you do not need to create their backup. On restoring, the scheduled tasks remain functional for Synchronize jobs. +::: + ### Restore @@ -155,8 +158,14 @@ Step 2 – Copy all data at the location. Step 3 – Create a new folder (ideally on a different drive) and paste the copied data into that folder. -NOTE: Note: You do not need to create a backup of scheduled tasks that include report criteria. On +:::note +:::note +You do not need to create a backup of scheduled tasks that include report criteria. On restoring, the scheduled tasks remain functional for these reports. +::: +::: + + ### Restore diff --git a/docs/directorymanager/11.1/install/upgrade/notes.md b/docs/directorymanager/11.1/install/upgrade/notes.md index 1fb3eb642e..b2c06b156a 100644 --- a/docs/directorymanager/11.1/install/upgrade/notes.md +++ b/docs/directorymanager/11.1/install/upgrade/notes.md @@ -8,8 +8,11 @@ sidebar_position: 20 Consider the following when upgrading to Directory Manager 11 from GroupID 9 and 10. -NOTE: In the following text, the term ‘source version’ refers to the GroupID version you are +:::note +In the following text, the term ‘source version’ refers to the GroupID version you are upgrading from. +::: + **Notes** diff --git a/docs/directorymanager/11.1/install/upgrade/overview.md b/docs/directorymanager/11.1/install/upgrade/overview.md index 9bddd9d0c6..163649da4f 100644 --- a/docs/directorymanager/11.1/install/upgrade/overview.md +++ b/docs/directorymanager/11.1/install/upgrade/overview.md @@ -15,8 +15,11 @@ Directory Manager 11 supports upgrade from the following: The following must be in place before you run the Upgrade wizard. -NOTE: In the following text, the term ‘source version’ refers to the GroupID version you are +:::note +In the following text, the term ‘source version’ refers to the GroupID version you are upgrading from. +::: + Step 1 – For upgrade on a different box, the source version file system must be present on the Directory Manager 11 server. For that, do the following: diff --git a/docs/directorymanager/11.1/install/upgrade/upgrade.md b/docs/directorymanager/11.1/install/upgrade/upgrade.md index ef87a32b47..592bd53c39 100644 --- a/docs/directorymanager/11.1/install/upgrade/upgrade.md +++ b/docs/directorymanager/11.1/install/upgrade/upgrade.md @@ -26,8 +26,11 @@ Step 2 – Read the welcome message and click **Next**. Step 3 – From the Select the previous version to upgrade list, select the Directory Manager version to upgrade from. -NOTE: The following steps discuss the upgrade process with Directory Manager 10 as the source +:::note +The following steps discuss the upgrade process with Directory Manager 10 as the source version. The process may vary for different source versions. +::: + Step 4 – Click **Next**. @@ -42,13 +45,16 @@ can choose to upgrade all or selective data of the previous version. Options are ![3-select_modules-custom](/img/product_docs/directorymanager/11.1/install/upgrade/3-select_modules-custom.webp) - NOTE: If later on, you wish to upgrade specific groups and their history via the Upgrade-Group + :::note + If later on, you wish to upgrade specific groups and their history via the Upgrade-Group commandlet, then you must upgrade the Configuration and History in the first upgrade run. This will upgrade the history in the database as per Directory Manager 11.1 format and replicates it to Elasticsearch. Later on, when you upgrade specific groups and their history using the Upgrade-Group commandlet, that will be done successfully. See the [Upgrade-Group](/docs/directorymanager/11.1/managementshell/smartgroup/upgradegroup.md) commandlet for additional information. + ::: + If you want to upgrade configurations, history and all groups using the Directory Manager Upgrade wizard , then you must select the Configurations, History, and Groups checkboxes. @@ -103,8 +109,11 @@ messaging providers. ![synchronize_upgrade](/img/product_docs/directorymanager/11.1/install/upgrade/synchronize_upgrade.webp) - NOTE: The service account you provide here should have at least _read_ permission in the entire + :::note + The service account you provide here should have at least _read_ permission in the entire forest, so that all objects from the forest can be replicated to Elasticsearch. + ::: + The wizard does not create a separate identity store for each child domain in the same forest. In case it cannot determine a forest structure, it creates separate identity stores for each @@ -140,15 +149,27 @@ for that domain exists or not. Directory Manager 11.1. ![reports_upgrade](/img/product_docs/directorymanager/11.1/install/upgrade/reports_upgrade.webp) -NOTE: If no report has been generated in Directory Manager 10, the page related to reports upgrade +:::note +If no report has been generated in Directory Manager 10, the page related to reports upgrade will not be displayed. +::: + Step 13 – During upgrade, Synchronize schedules are also moved to identity stores. The Upgrade wizard will check the jobs added to a schedule. If the destination in a job is a directory provider, it will automatically move the schedule to the respective identity store. +:::tip +:::tip +:::tip Remember, during upgrade, identity stores are created for destination directory providers of Synchronize jobs (i.e., for providers that do not have an identity store in the source version). +::: +::: +::: + + + Consider the following: @@ -170,9 +191,12 @@ Step 14 – Click **Next**. This page displays a complete summary of the data to be copied/upgraded for your selected options. These options were selected on the Select modules to upgrade page.. -NOTE: If there are any disabled identity store(s) in the source Directory Manager version, Directory +:::note +If there are any disabled identity store(s) in the source Directory Manager version, Directory Manager will not upgrade those identity store(s). However, data of those identity store(s) will remain intact in the source Directory Manager version. +::: + Step 15 – Review the summary and click **Next**. diff --git a/docs/directorymanager/11.1/managementshell/identitystore/clearmessagingserver.md b/docs/directorymanager/11.1/managementshell/identitystore/clearmessagingserver.md index 4d65afa536..56cd5cb699 100644 --- a/docs/directorymanager/11.1/managementshell/identitystore/clearmessagingserver.md +++ b/docs/directorymanager/11.1/managementshell/identitystore/clearmessagingserver.md @@ -9,9 +9,12 @@ sidebar_position: 10 The commandlet Clear-MessagingServer removes the configured messaging server from the specified identity store. -NOTE: This cmdlet will also clear the SMTP settings, notification settings, password expiry +:::note +This cmdlet will also clear the SMTP settings, notification settings, password expiry settings, membership lifecycle notification settings, and managed by notification settings for the identity store. +::: + ## Syntax diff --git a/docs/directorymanager/11.1/managementshell/identitystore/clearsmtpserver.md b/docs/directorymanager/11.1/managementshell/identitystore/clearsmtpserver.md index 6c85fd4bcc..99557793b8 100644 --- a/docs/directorymanager/11.1/managementshell/identitystore/clearsmtpserver.md +++ b/docs/directorymanager/11.1/managementshell/identitystore/clearsmtpserver.md @@ -8,9 +8,12 @@ sidebar_position: 30 The commandlet Clear-SmtpServer removes the SMTP server configurations from an identity store. -NOTE: This cmdlet will also clear the notification settings for the identity store recipients, +:::note +This cmdlet will also clear the notification settings for the identity store recipients, password expiry group notifications, membership lifecycle notifications, and managed by notification options for the specified identity store. +::: + ## Syntax diff --git a/docs/directorymanager/11.1/managementshell/identitystore/newidentitystore.md b/docs/directorymanager/11.1/managementshell/identitystore/newidentitystore.md index 39136b04b4..febfa040ec 100644 --- a/docs/directorymanager/11.1/managementshell/identitystore/newidentitystore.md +++ b/docs/directorymanager/11.1/managementshell/identitystore/newidentitystore.md @@ -66,7 +66,10 @@ credentials for the new identity store. New-IdentityStore -IdentityStoreType ActiveDirectory -IdentityStoreName DemoAdStore2 -Credential $cred -Domain pucit.local ``` -NOTE: For an Active Directory based identity store, Domain parameter is mandatory. +:::note +For an Active Directory based identity store, Domain parameter is mandatory. +::: + Example 2: @@ -86,8 +89,11 @@ This example creates an Microsoft Entra ID based identity store. New-IdentityStore -IdentityStoreType MicrosoftAzure -IdentityStoreName DemoAzStore1 -UserName admin@mydomain.onmicrosoft.com -Password password123 -Domain mydomain.onmicrosoft.com -AppId 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' ``` -NOTE: In case of an Microsoft Entra ID based identity store, Domain and AppId parameters are +:::note +In case of an Microsoft Entra ID based identity store, Domain and AppId parameters are mandatory. +::: + Example 4: @@ -97,8 +103,11 @@ This example creates a Google Apps (Google Workspace) based identity store. New-IdentityStore -IdentityStoreType GoogleWorkspace -IdentityStoreName DemoGStore1 -UserName svcacc@myproject-111222.iam.gserviceaccount.com -AdminUsername admin@mydomain.com -P12CertificatePath 'C:\Keys\gsuite\key.p12' ``` -NOTE: For Google Apps based identity store, AdminUserName and P12CertificatePath parameters are +:::note +For Google Apps based identity store, AdminUserName and P12CertificatePath parameters are mandatory. However, ‘Password’ parameter is ignored. +::: + Example 5: diff --git a/docs/directorymanager/11.1/managementshell/identitystore/setidentitystore.md b/docs/directorymanager/11.1/managementshell/identitystore/setidentitystore.md index 61fc0ff87e..90d99dd096 100644 --- a/docs/directorymanager/11.1/managementshell/identitystore/setidentitystore.md +++ b/docs/directorymanager/11.1/managementshell/identitystore/setidentitystore.md @@ -8,8 +8,11 @@ sidebar_position: 160 The commandlet Set-IdentityStore modifies the identity store settings and configurations. -NOTE: Many parameters of this cmdlet require the user to specify schema attribute names. You can use +:::note +Many parameters of this cmdlet require the user to specify schema attribute names. You can use Get-SchemaAttributes commandlet to retrieve a list of attributes available for an identity store. +::: + ## Syntax @@ -110,9 +113,12 @@ Set-IdentityStore [] ``` -NOTE: You can use the **Set-IdentityStore** commandlet in a secure way by using the _Credential_ +:::note +You can use the **Set-IdentityStore** commandlet in a secure way by using the _Credential_ parameter or by specifying the credentials through _Username_ and _Password_ parameters in plain text format which is not a secure way. +::: + ## Required Parameters @@ -217,8 +223,11 @@ Example 12: This example creates a new role – DemoRole1 – for the AdStore9 identity store by specifying the minimum possible parameters. -NOTE: By default, all permissions are declined to the role created through this commandlet. +:::note +By default, all permissions are declined to the role created through this commandlet. Moreover, no criteria filters or scope (group / container) are added to the role. +::: + ``` Set-IdentityStore -IdentityStoreName AdStore9 -Credential $creds -Domain pucit.local -RoleOperation add -RoleName DemoRole1 -RolePriority 50 -RoleCriteriaScope Container @@ -229,7 +238,10 @@ Example 13: This example creates a new security role – DemoRole1 – in AdStore9 identity store and a container is set as its role criteria. -NOTE: By default, all permissions are declined to the role created through this commandlet. +:::note +By default, all permissions are declined to the role created through this commandlet. +::: + ``` Set-IdentityStore -IdentityStoreName AdStore9 -Credential $creds -Domain pucit.local -RoleOperation add -RoleName DemoRole1 -RolePriority 50 -RoleCriteriaScope Container -RoleCriteriaDN 'ou=workingou,dc=pucit,dc=local' @@ -254,9 +266,12 @@ This example creates a new security role by specifying the container, criteria f permissions. In this example, only Manage My Groups and Create User permissions are granted to the created role. -NOTE: By default, all the permissions except those specified in RolePermissions parameter are denied +:::note +By default, all the permissions except those specified in RolePermissions parameter are denied to the role created through this commandlet. The role permission names can be retrieved from **Get-RolePermissionNames** commandlet. +::: + ``` Set-IdentityStore -IdentityStoreName AdStore9 -Credential $creds -Domain pucit.local -RoleOperation add -RoleName DemoRole6 -RolePriority 55 -RoleCriteriaScope Container -RoleCriteriaDN 'ou=workingou,dc=pucit,dc=local' -RoleCriteriaOperator Or -RoleCriteriaFilters @('name', 'is exactly', 'automate arslanahmadvm'), @('type', 'is not', 'managementshell') -RolePermissions 'manage my groups', 'create user' diff --git a/docs/directorymanager/11.1/managementshell/overview.md b/docs/directorymanager/11.1/managementshell/overview.md index f18b58cc29..a30934f486 100644 --- a/docs/directorymanager/11.1/managementshell/overview.md +++ b/docs/directorymanager/11.1/managementshell/overview.md @@ -31,8 +31,11 @@ stores for creating an identity store: - Generic LDAP - Google Workspace -NOTE: The commandlets covered in this section are for Active Directory and Microsoft Entra ID based +:::note +The commandlets covered in this section are for Active Directory and Microsoft Entra ID based identity stores. +::: + ## Access Directory Manager Management Shell @@ -48,14 +51,20 @@ connect to. ![Login page](/img/product_docs/directorymanager/11.1/managementshell/login.webp) -NOTE: If your required identity store is not listed, contact the Directory Manager administrator. +:::note +If your required identity store is not listed, contact the Directory Manager administrator. +::: + Step 3 – In the **Username** and **Password** boxes, provide the user name and password of your identity store account and click **Sign In**. ![Login page](/img/product_docs/directorymanager/11.1/managementshell/login-2.webp) -NOTE: Click the **Edit** icon if you want to select another identity store to connect to. +:::note +Click the **Edit** icon if you want to select another identity store to connect to. +::: + The Management Shell window appears as follows: @@ -100,8 +109,11 @@ enable-psremoting ![powershellwindow](/img/product_docs/directorymanager/11.1/managementshell/powershellwindow.webp) -NOTE: By default, on Windows Server 2016, Windows PowerShell remoting is enabled. Use this command +:::note +By default, on Windows Server 2016, Windows PowerShell remoting is enabled. Use this command to re-enable remoting on Windows Server 2016 if it becomes disabled. +::: + You have to run this command only one time on each computer that will receive commands. You do not have to run it on computers that only send commands. Because the configuration starts listeners, it diff --git a/docs/directorymanager/11.1/managementshell/scheduling/newschedule.md b/docs/directorymanager/11.1/managementshell/scheduling/newschedule.md index c456f5521a..9258dd7aa9 100644 --- a/docs/directorymanager/11.1/managementshell/scheduling/newschedule.md +++ b/docs/directorymanager/11.1/managementshell/scheduling/newschedule.md @@ -58,7 +58,10 @@ insecure password. New-Schedule -ScheduleName SmuTest1 -IdentityStoreName AdStore8 -UserName user -Password password1 -Targets 'OU=ArslanAhmadOU,OU=WorkingOU,DC=pucit,DC=local', 'OU=ArslanAhmadOU,OU=WorkingOU,DC=pucit,DC=local' -JobType SmartGroup -TriggerType Daily -StartTime '16:56' ``` -NOTE: This example uses insecure credentials. +:::note +This example uses insecure credentials. +::: + Example 2: diff --git a/docs/directorymanager/11.1/managementshell/smartgroup/newsmartgroup.md b/docs/directorymanager/11.1/managementshell/smartgroup/newsmartgroup.md index 7319cbb0f2..4af62ee173 100644 --- a/docs/directorymanager/11.1/managementshell/smartgroup/newsmartgroup.md +++ b/docs/directorymanager/11.1/managementshell/smartgroup/newsmartgroup.md @@ -93,8 +93,11 @@ logged-on to the identity store. New-SmartGroup  -OrganizationalUnit "OU=Recruiting,DC=HR,DC=Imanami,DC=US" -Name "Smart_Training" -GroupAlias "Smart_Training" -MailEnable True -SamAccountName "Smart_Training" -GroupScope "Universal Group" -Type "Distribution" ``` -NOTE: In Microsoft Exchange 2007 and later, mail-enabled groups are created with _Universal Group +:::note +In Microsoft Exchange 2007 and later, mail-enabled groups are created with _Universal Group Scope_. +::: + Example 2: diff --git a/docs/directorymanager/11.1/managementshell/smartgroup/upgradegroup.md b/docs/directorymanager/11.1/managementshell/smartgroup/upgradegroup.md index 5a55c4c7db..7a9ae4324a 100644 --- a/docs/directorymanager/11.1/managementshell/smartgroup/upgradegroup.md +++ b/docs/directorymanager/11.1/managementshell/smartgroup/upgradegroup.md @@ -59,7 +59,10 @@ the parent OU as well as from its child OUs as well. Upgrade-Group -SearchContainerScopeList "1" -SearchContainer "GIDsmart1""OU=Jobs,DC=Demo1,DC=com" GroupType "3" ``` -NOTE: The group types 4 and 5 which are for middle and leaf dynasties are not supported in this +:::note +The group types 4 and 5 which are for middle and leaf dynasties are not supported in this commandlet. See the [Parameters](/docs/directorymanager/11.1/managementshell/parameters.md) topic for additional information on the supported parameters. See the [Parameters](/docs/directorymanager/11.1/managementshell/parameters.md) topic to get information about the parameters which you can use in the Directory Manager Management Shell commandlets. + +::: diff --git a/docs/directorymanager/11.1/managementshell/userlifecycle/terminatedirectreports.md b/docs/directorymanager/11.1/managementshell/userlifecycle/terminatedirectreports.md index 884af2ca43..324235705e 100644 --- a/docs/directorymanager/11.1/managementshell/userlifecycle/terminatedirectreports.md +++ b/docs/directorymanager/11.1/managementshell/userlifecycle/terminatedirectreports.md @@ -9,7 +9,10 @@ sidebar_position: 40 Use the Terminate-DirectRreports command to terminate user(s). Specify manager of the user you want to terminate. -NOTE: You can perform this function in directory as per your role and permissions. +:::note +You can perform this function in directory as per your role and permissions. +::: + ## Syntax diff --git a/docs/directorymanager/11.1/managementshell/userlifecycle/transferdirectreports.md b/docs/directorymanager/11.1/managementshell/userlifecycle/transferdirectreports.md index a1bce6343a..1f115d8c2a 100644 --- a/docs/directorymanager/11.1/managementshell/userlifecycle/transferdirectreports.md +++ b/docs/directorymanager/11.1/managementshell/userlifecycle/transferdirectreports.md @@ -9,7 +9,10 @@ sidebar_position: 50 Use the Transfer-DirectReports commandlet to transfer direct report(s) in the connected identity store. Specify manager who will approve this transfer. -NOTE: You can perform this function in directory as per your role and permissions. +:::note +You can perform this function in directory as per your role and permissions. +::: + ## Syntax diff --git a/docs/directorymanager/11.1/portal/entitlement/fileservers.md b/docs/directorymanager/11.1/portal/entitlement/fileservers.md index 1ee53be7ad..a29db001ef 100644 --- a/docs/directorymanager/11.1/portal/entitlement/fileservers.md +++ b/docs/directorymanager/11.1/portal/entitlement/fileservers.md @@ -40,7 +40,10 @@ displayed, showcasing the following information: ![fileservercard](/img/product_docs/directorymanager/11.1/portal/entitlement/fileservercard.webp) -NOTE: Date format: mm/dd/yyyy +:::note +Date format: mm/dd/yyyy +::: + - For child folders, the path is as: servername.parentsharedfoldername. diff --git a/docs/directorymanager/11.1/portal/entitlement/sharepointsites.md b/docs/directorymanager/11.1/portal/entitlement/sharepointsites.md index 71103728b9..104021522e 100644 --- a/docs/directorymanager/11.1/portal/entitlement/sharepointsites.md +++ b/docs/directorymanager/11.1/portal/entitlement/sharepointsites.md @@ -36,7 +36,10 @@ showcasing the following information: - The date and time the library was last created. - NOTE: Date format: mm/dd/yyyy + :::note + Date format: mm/dd/yyyy + ::: + - You can view the files and folders within a document library till the nth level. Double-click a folder card to view its direct child files and folders. Continue till the nth level. @@ -72,8 +75,11 @@ Information includes: You can view and update properties, depending on your rights and privileges. - NOTE: For groups, this functionality is available for domain groups only; SharePoint groups are + :::note + For groups, this functionality is available for domain groups only; SharePoint groups are not linked. + ::: + - Clicking a level for a user displays the effective permissions assigned to this user on the file/folder. diff --git a/docs/directorymanager/11.1/portal/generalfeatures/find.md b/docs/directorymanager/11.1/portal/generalfeatures/find.md index fb95ac0c9b..6776006692 100644 --- a/docs/directorymanager/11.1/portal/generalfeatures/find.md +++ b/docs/directorymanager/11.1/portal/generalfeatures/find.md @@ -45,7 +45,10 @@ Step 4 – Click the **Advanced Search** link to display additional search field description, first name, last name, and company) to search for objects using attributes other than the object's display name. -NOTE: The fields available for Advanced Search may vary, depending on the portal's configuration. +:::note +The fields available for Advanced Search may vary, depending on the portal's configuration. +::: + Step 5 – Click the **Search** button to display the search results. diff --git a/docs/directorymanager/11.1/portal/generalfeatures/querysearch.md b/docs/directorymanager/11.1/portal/generalfeatures/querysearch.md index 2f0ebe7bdd..2eb29354b7 100644 --- a/docs/directorymanager/11.1/portal/generalfeatures/querysearch.md +++ b/docs/directorymanager/11.1/portal/generalfeatures/querysearch.md @@ -26,8 +26,11 @@ Step 2 – On the **Advanced Search** page, click **Or use the new query based s The **Queries** page is displayed. -NOTE: If you are creating a search query for the first time the **Query Designer** dialog box opens +:::note +If you are creating a search query for the first time the **Query Designer** dialog box opens automatically. +::: + Step 3 – Click **Query Designer** to create queries to search directory objects. diff --git a/docs/directorymanager/11.1/portal/generalfeatures/search.md b/docs/directorymanager/11.1/portal/generalfeatures/search.md index 57ae7efc64..c23abe4626 100644 --- a/docs/directorymanager/11.1/portal/generalfeatures/search.md +++ b/docs/directorymanager/11.1/portal/generalfeatures/search.md @@ -9,7 +9,10 @@ sidebar_position: 30 Using the Directory Manager portal, you can search and manage different directory objects (users, groups, contacts and mailboxes). -NOTE: The contact object type is not supported in a Microsoft Entra ID based identity store. +:::note +The contact object type is not supported in a Microsoft Entra ID based identity store. +::: + ## Search directory objects (Quick Search) @@ -26,9 +29,12 @@ Step 2 – Select your required object or click magnifying glass icon. Matches are displayed on the **Search Results** page. -NOTE: Display name, first name and email address are the default schema attributes for Quick Search. +:::note +Display name, first name and email address are the default schema attributes for Quick Search. If the Directory Manager administrator specifies different attributes, you will not get the desired results when you perform a search with the display name, first name or email address. +::: + ## Search directory objects (Advanced Search) @@ -39,8 +45,11 @@ directory, depending on search permissions granted to your role in the identity Multiple filters are available to search for objects. You can use them individually or in combination to get the most appropriate search results. -NOTE: In portal's linked mode, you cannot search contacts in linked Azure / Google Workspace / +:::note +In portal's linked mode, you cannot search contacts in linked Azure / Google Workspace / Generic LDAP store as contact object is not available in these providers. +::: + Step 1 – Click **Advanced Search** at the top. The **Advanced Search** page is displayed. @@ -50,8 +59,11 @@ In **Stand-alone** mode: select the check boxes for the entire directory or the search in. You can also specify the default search OUs using the **Domains to Search** setting on the User Settings panel. -NOTE: In **Linked** mode: the **Search** and the **Domains to Search** boxes will list all the +:::note +In **Linked** mode: the **Search** and the **Domains to Search** boxes will list all the domains of the linked identity stores. You can select domain(s) or OUs you want to search in. +::: + Step 3 – In the **Objects** box, select the objects (User, mailboxes, contact, group) you want to search for. @@ -77,8 +89,11 @@ Directory Manager portal enables you to search directory objects (users, mailbox groups) in the identity store based on a query. See the [Query Based Advanced Search](/docs/directorymanager/11.1/portal/generalfeatures/querysearch.md) topic. -NOTE: In portal's linked mode, you cannot search contacts in linked Azure / Google Workspace / +:::note +In portal's linked mode, you cannot search contacts in linked Azure / Google Workspace / Generic LDAP store as contact object is not available in these providers. +::: + ## View Search Results diff --git a/docs/directorymanager/11.1/portal/generalfeatures/user.md b/docs/directorymanager/11.1/portal/generalfeatures/user.md index 202ed3895a..03640bdc6c 100644 --- a/docs/directorymanager/11.1/portal/generalfeatures/user.md +++ b/docs/directorymanager/11.1/portal/generalfeatures/user.md @@ -22,8 +22,11 @@ Step 1 – Make the required changes to your profile on the My Profile page. Step 2 – Click **Save**. -NOTE: If the administrator has specified this action for review, your changes will not take effect +:::note +If the administrator has specified this action for review, your changes will not take effect until verified by an approver. +::: + ## Add a photo to your profile @@ -47,8 +50,11 @@ Step 5 – Click **OK** to close the **Manage Photo** dialog box. Step 6 – Click **Save.** -NOTE: If the administrator has specified this action for review, your changes will not take effect +:::note +If the administrator has specified this action for review, your changes will not take effect until verified by an approver. +::: + ## Set a user account to never expire diff --git a/docs/directorymanager/11.1/portal/group/create/AD/general.md b/docs/directorymanager/11.1/portal/group/create/AD/general.md index 6febb31ce1..dac06b9c7f 100644 --- a/docs/directorymanager/11.1/portal/group/create/AD/general.md +++ b/docs/directorymanager/11.1/portal/group/create/AD/general.md @@ -20,10 +20,13 @@ Use this page to specify basic information about the group. 2. In the **Group Name** box, provide a name for the group by selecting a prefix and then entering a name for the group. - NOTE: The prefix box is displayed if the administrator has defined the prefixes. See Group name + :::note + The prefix box is displayed if the administrator has defined the prefixes. See Group name prefixes. - These prefixes, when appended to group names, help standardize the group naming convention + These prefixes, when appended to group names, help standardize the group naming convention across the enterprise. + ::: + 3. The **Name Preview** is displayed if the prefix list is available and displays a preview of the prefix combined with the group name. @@ -50,7 +53,10 @@ Use this page to specify basic information about the group. resources. - **Distribution** - this group will only be used for email distribution. - NOTE: If the administrator has predefined a group type, you cannot change it. + :::note + If the administrator has predefined a group type, you cannot change it. + ::: + 8. In the **Group Scope** list, select a scope for the group. @@ -60,9 +66,12 @@ Use this page to specify basic information about the group. - **Universal Group** - if the group is to contain users and groups from any domain and be visible in the Global Catalog. - NOTE: (1) If the administrator has predefined a group scope, you cannot change it. + :::note + (1) If the administrator has predefined a group scope, you cannot change it. (2) To create a mail-enabled group (with Exchange 2013/2016/2019 as the messaging provider), you must select **Universal** as the group scope. + ::: + 9. In the **Security** list, select a security type for the group. 10. Enter a description for the group in the **Description** box. diff --git a/docs/directorymanager/11.1/portal/group/create/AD/group.md b/docs/directorymanager/11.1/portal/group/create/AD/group.md index 37f813200b..fb2c4342c6 100644 --- a/docs/directorymanager/11.1/portal/group/create/AD/group.md +++ b/docs/directorymanager/11.1/portal/group/create/AD/group.md @@ -9,9 +9,12 @@ sidebar_position: 20 Using Directory Manager portal, you can create static groups and Smart Groups in an Active Directory identity store. -NOTE: If the Directory Manager administrator has specified the group creation action for review, the +:::note +If the Directory Manager administrator has specified the group creation action for review, the new group will be created after it is verified by an approver. See the [Requests](/docs/directorymanager/11.1/portal/request/overview.md)topic for additional information. +::: + ## Create a Static Group @@ -73,7 +76,10 @@ A password expiry group is a Smart Group whose membership contains users whose i account passwords are approaching their expiry dates. Members of this group are notified by email to reset their passwords. When they do so, they are automatically removed from the group membership. -NOTE: Password Expiry group is not supported in Microsoft Entra ID. +:::note +Password Expiry group is not supported in Microsoft Entra ID. +::: + Follow the steps to create a Password Expiry Group: diff --git a/docs/directorymanager/11.1/portal/group/create/AD/smartgroup.md b/docs/directorymanager/11.1/portal/group/create/AD/smartgroup.md index e1e87b25a8..dc1ec23fdd 100644 --- a/docs/directorymanager/11.1/portal/group/create/AD/smartgroup.md +++ b/docs/directorymanager/11.1/portal/group/create/AD/smartgroup.md @@ -41,7 +41,10 @@ From the **Scheduled Job** list, select a Smart Group Update job to associate wi This list contains Smart Group Update jobs defined in the identity store. -NOTE: If the administrator has enforced the job selection option, you cannot proceed unless you +:::note +If the administrator has enforced the job selection option, you cannot proceed unless you select a scheduled job for this group. +::: + Step 3 – Click **Next**. diff --git a/docs/directorymanager/11.1/portal/group/create/EntraID/general.md b/docs/directorymanager/11.1/portal/group/create/EntraID/general.md index 3a86f13176..67aaaa5a12 100644 --- a/docs/directorymanager/11.1/portal/group/create/EntraID/general.md +++ b/docs/directorymanager/11.1/portal/group/create/EntraID/general.md @@ -17,11 +17,14 @@ Use this page to specify basic information about the group. 2. In the **Group Name** box, provide a name for the group by selecting a prefix and then entering a name for the group. - NOTE: The prefix box is displayed if the administrator has defined the prefixes. See the + :::note + The prefix box is displayed if the administrator has defined the prefixes. See the [Group Name Prefixes](/docs/directorymanager/11.1/admincenter/identitystore/configure/prefixes.md) topic for additional information. - These prefixes, when appended to group names, help standardize the group naming convention + These prefixes, when appended to group names, help standardize the group naming convention across the enterprise. + ::: + 3. The **Name Preview** is displayed if the prefix list is available and displays a preview of the prefix combined with the group name. diff --git a/docs/directorymanager/11.1/portal/group/create/EntraID/group.md b/docs/directorymanager/11.1/portal/group/create/EntraID/group.md index 4ad118dcf5..2998a1525e 100644 --- a/docs/directorymanager/11.1/portal/group/create/EntraID/group.md +++ b/docs/directorymanager/11.1/portal/group/create/EntraID/group.md @@ -9,9 +9,12 @@ sidebar_position: 30 Using Directory Manager portal, you can create static groups and Smart Groups in an Microsoft Entra ID identity store. -NOTE: If the Directory Manager administrator has specified the group creation action for review, the +:::note +If the Directory Manager administrator has specified the group creation action for review, the new group will be created after it is verified by an approver. See the [Requests](/docs/directorymanager/11.1/portal/request/overview.md) topic for additional information. +::: + ## Create a Static Group @@ -22,8 +25,11 @@ Follow the steps to create a static group. The **Create Group** wizard opens to the **Group Type** page. - NOTE: Pages and fields on the Create Group wizard may vary, since the administrator can + :::note + Pages and fields on the Create Group wizard may vary, since the administrator can customize the wizard by adding or removing tabs and fields. + ::: + 2. On the [Group Type page](/docs/directorymanager/11.1/portal/group/create/grouptype.md), select the **Static Group** option button and click **Next**. @@ -50,8 +56,17 @@ Follow the steps to create a Smart Group. The **Create Group** wizard opens to the **Group Type** page. - Remember, pages and fields on the Create Group wizard may vary, since the administrator can - customize the wizard by adding or removing tabs and fields. + :::tip + :::tip + :::tip + Remember, pages and fields on the Create Group wizard may vary, since the administrator can + customize the wizard by adding or removing tabs and fields. + ::: + ::: + ::: + + + 2. On the [Group Type page](/docs/directorymanager/11.1/portal/group/create/grouptype.md) page, select the **Smart Group** option button and click **Next**. diff --git a/docs/directorymanager/11.1/portal/group/dynasty/AD/createdynasty.md b/docs/directorymanager/11.1/portal/group/dynasty/AD/createdynasty.md index 7cc703f187..b9ea1d4dee 100644 --- a/docs/directorymanager/11.1/portal/group/dynasty/AD/createdynasty.md +++ b/docs/directorymanager/11.1/portal/group/dynasty/AD/createdynasty.md @@ -21,14 +21,23 @@ custom group-by attributes to expand the Dynasty levels to suit your organizatio also combine an external data source with the templates to provide extended criteria for determining group membership. -NOTE: Settings related to Dynasty membership are configured at the identity store level. +:::note +Settings related to Dynasty membership are configured at the identity store level. +::: -NOTE: Do not move a Dynasty from one domain to another. Child Dynasties would get orphaned and + +:::note +Do not move a Dynasty from one domain to another. Child Dynasties would get orphaned and subsequently deleted. +::: + -NOTE: You cannot create mail-enabled Dynasties of the Office 365 group type in a Microsoft Entra ID +:::note +You cannot create mail-enabled Dynasties of the Office 365 group type in a Microsoft Entra ID based identity store, since an Office 365 group cannot have groups as its members. Only non mail-enabled Dynasties of the security group type are supported. +::: + Naming conventions for Child Dynasties @@ -47,12 +56,15 @@ Dynasty names help you group a parent Dynasty with its respective child Dynastie To modify the display name template for child Dynasties, see [Modify alias and display name templates](/docs/directorymanager/11.1/portal/group/workingwithgroups/dynastyfunction.md#modify-alias-and-display-name-templates). -NOTE: In the Dynasty creation/update process, a child Dynasty will not be created if it bears the +:::note +In the Dynasty creation/update process, a child Dynasty will not be created if it bears the same name as that of an existing object in the directory. For example, when you create a custom Dynasty, test1, on one attribute, SamAccountName, it’s child Dynasties would be named as test1-Robert, test1-John, and so on. However, if test1-Robert already exists as a user object, Directory Manager will skip the test1-Robert child Dynasty and continue to create the rest of the Dynasty. +::: + ## Create a Dynasty using the Organizational/Geographical/Custom template @@ -63,8 +75,11 @@ Follow the steps to create a dynasty using the the Organizational/Geographical/C The **Create Group** wizard opens to the **Group Type** page. - NOTE: Pages and fields on the wizard may vary, since the administrator can customize the wizard + :::note + Pages and fields on the wizard may vary, since the administrator can customize the wizard by adding or removing pages and fields. + ::: + 2. On the [Group Type page](/docs/directorymanager/11.1/portal/group/create/grouptype.md), select the **Organizational Dynasty**, **Geographical Dynasty**, or **Custom Dynasty** option button and click **Next**. @@ -90,12 +105,15 @@ Follow the steps to create a dynasty using the the Organizational/Geographical/C 6. On the [Owners page](/docs/directorymanager/11.1/portal/group/create/AD/owners.md), specify primary and additional owners for the Dynasty. - NOTE: (1) Additional owners are only set for the parent and are not inherited by child Dynasties + :::note + (1) Additional owners are only set for the parent and are not inherited by child Dynasties during update. - (2) When a Smart Group Update job runs on a group, the notification behavior is as follows: - Even when the **Do not Notify** check box is selected, the additional owner will receive the + (2) When a Smart Group Update job runs on a group, the notification behavior is as follows: + Even when the **Do not Notify** check box is selected, the additional owner will receive the notifications if the administrator has included its email address for job-specific notifications. + ::: + 7. On the [Summary Page](/docs/directorymanager/11.1/portal/user/create/AD/summary.md), review the settings and then click Finish to complete the wizard. @@ -109,8 +127,11 @@ Follow the steps to create a Dynasty using the Managerial template. The **Create Group** wizard opens to the **Group Type** page. - NOTE: Pages and fields on the wizard may vary, since the administrator can customize the wizard + :::note + Pages and fields on the wizard may vary, since the administrator can customize the wizard by adding or removing pages and fields. + ::: + 2. On the [Group Type page](/docs/directorymanager/11.1/portal/group/create/grouptype.md), select the **Managerial Dynasty** option button and click **Next**. @@ -137,16 +158,19 @@ Follow the steps to create a Dynasty using the Managerial template. 6. On the [Owners page](/docs/directorymanager/11.1/portal/group/create/AD/owners.md), specify primary and additional owners for the Dynasty. - NOTE: (1) Additional owners are only set for the parent and are not inherited by child Dynasties + :::note + (1) Additional owners are only set for the parent and are not inherited by child Dynasties during update. - (2) When a Smart Group Update job runs on a group, the notification behavior is as follows: - Even when the **Do not Notify** check box is selected, the additional owner will receive the + (2) When a Smart Group Update job runs on a group, the notification behavior is as follows: + Even when the **Do not Notify** check box is selected, the additional owner will receive the notifications if the administrator has included its email address for job-specific notifications. - (3) If you have selected the **Set Manager as owner** option on the **Dynasty Options** page, + (3) If you have selected the **Set Manager as owner** option on the **Dynasty Options** page, the top manager would be displayed as the primary owner instead of the logged-in user. - In case you change the owner, the new recipient would be the Dynasty’s primary owner even if + In case you change the owner, the new recipient would be the Dynasty’s primary owner even if the **Set Manager as owner** check box is selected. + ::: + 7. On the [Summary Page](/docs/directorymanager/11.1/portal/user/create/AD/summary.md), review the settings and then click Finish to complete the wizard. diff --git a/docs/directorymanager/11.1/portal/group/dynasty/EntraID/createdynasty.md b/docs/directorymanager/11.1/portal/group/dynasty/EntraID/createdynasty.md index 8d4501a9b8..56084609df 100644 --- a/docs/directorymanager/11.1/portal/group/dynasty/EntraID/createdynasty.md +++ b/docs/directorymanager/11.1/portal/group/dynasty/EntraID/createdynasty.md @@ -21,14 +21,23 @@ custom group-by attributes to expand the Dynasty levels to suit your organizatio also combine an external data source with the templates to provide extended criteria for determining group membership. -NOTE: Settings related to Dynasty membership are configured at the identity store level. +:::note +Settings related to Dynasty membership are configured at the identity store level. +::: -NOTE: Do not move a Dynasty from one domain to another. Child Dynasties would get orphaned and + +:::note +Do not move a Dynasty from one domain to another. Child Dynasties would get orphaned and subsequently deleted. +::: + -NOTE: You cannot create mail-enabled Dynasties of the Office 365 group type in a Microsoft Entra ID +:::note +You cannot create mail-enabled Dynasties of the Office 365 group type in a Microsoft Entra ID based identity store, since an Office 365 group cannot have groups as its members. Only non mail-enabled Dynasties of the security group type are supported. +::: + **Naming conventions for Child Dynasties** @@ -48,12 +57,15 @@ To modify the display name template for child Dynasties, see [Modify alias and display name templates](/docs/directorymanager/11.1/portal/group/workingwithgroups/dynastyfunction.md#modify-alias-and-display-name-templates)topic for additional information. -NOTE: In the Dynasty creation/update process, a child Dynasty will not be created if it bears the +:::note +In the Dynasty creation/update process, a child Dynasty will not be created if it bears the same name as that of an existing object in the directory. For example, when you create a custom Dynasty, test1, on one attribute, SamAccountName, it’s child Dynasties would be named as test1-Robert, test1-John, and so on. However, if test1-Robert already exists as a user object, Directory Manager will skip the test1-Robert child Dynasty and continue to create the rest of the Dynasty. +::: + ## Create a Dynasty using the Organization/Geographical/Custom template @@ -64,8 +76,11 @@ Follow the steps to create a dynasty using the Organization/Geographical/Custom The **Create Group** wizard opens to the **Group Type** page. - NOTE: Pages and fields on the wizard may vary, since the administrator can customize the wizard + :::note + Pages and fields on the wizard may vary, since the administrator can customize the wizard by adding or removing pages and fields. + ::: + 2. On the [Group Type page](/docs/directorymanager/11.1/portal/group/create/grouptype.md), select the **Organizational Dynasty**, **Geographical Dynasty**, or **Custom Dynasty** option button and click **Next**. @@ -91,12 +106,15 @@ Follow the steps to create a dynasty using the Organization/Geographical/Custom 6. On the [Owners page](/docs/directorymanager/11.1/portal/group/create/AD/owners.md), specify primary and additional owners for the Dynasty. - NOTE: (1) Additional owners are only set for the parent and are not inherited by child Dynasties + :::note + (1) Additional owners are only set for the parent and are not inherited by child Dynasties during update. - (2) When a Smart Group Update job runs on a group, the notification behavior is as follows: - Even when the **Do not Notify** check box is selected, the additional owner will receive the + (2) When a Smart Group Update job runs on a group, the notification behavior is as follows: + Even when the **Do not Notify** check box is selected, the additional owner will receive the notifications if the administrator has included its email address for job-specific notifications. + ::: + 7. On the [Summary Page](/docs/directorymanager/11.1/portal/user/create/AD/summary.md), review the settings and then click **Finish** to complete the wizard. @@ -110,8 +128,11 @@ Follow the steps to create a dynasty using the Managerial template. The **Create Group** wizard opens to the **Group Type** page. - NOTE: Pages and fields on the wizard may vary, since the administrator can customize the wizard + :::note + Pages and fields on the wizard may vary, since the administrator can customize the wizard by adding or removing pages and fields. + ::: + 2. On the [Group Type page](/docs/directorymanager/11.1/portal/group/create/grouptype.md), select the **Managerial Dynasty** option button and click **Next**. @@ -139,16 +160,19 @@ Follow the steps to create a dynasty using the Managerial template. 6. On the [Owners page](/docs/directorymanager/11.1/portal/group/create/AD/owners.md), specify primary and additional owners for the Dynasty. - NOTE: (1) Additional owners are only set for the parent and are not inherited by child Dynasties + :::note + (1) Additional owners are only set for the parent and are not inherited by child Dynasties during update. - (2) When a Smart Group Update job runs on a group, the notification behavior is as follows: - Even when the **Do not Notify** check box is selected, the additional owner will receive the + (2) When a Smart Group Update job runs on a group, the notification behavior is as follows: + Even when the **Do not Notify** check box is selected, the additional owner will receive the notifications if the administrator has included its email address for job-specific notifications. - (3) If you have selected the **Set Manager as owner** option on the **Dynasty Options** page, + (3) If you have selected the **Set Manager as owner** option on the **Dynasty Options** page, the top manager would be displayed as the primary owner instead of the logged-in user. - In case you change the owner, the new recipient would be the Dynasty’s primary owner even if + In case you change the owner, the new recipient would be the Dynasty’s primary owner even if the **Set Manager as owner** check box is selected. + ::: + 7. On the [Summary Page](/docs/directorymanager/11.1/portal/user/create/AD/summary.md), review the settings and then click **Finish** to complete the wizard. diff --git a/docs/directorymanager/11.1/portal/group/dynasty/EntraID/general.md b/docs/directorymanager/11.1/portal/group/dynasty/EntraID/general.md index 85b17ae54b..0588787a15 100644 --- a/docs/directorymanager/11.1/portal/group/dynasty/EntraID/general.md +++ b/docs/directorymanager/11.1/portal/group/dynasty/EntraID/general.md @@ -20,11 +20,14 @@ Use this page to specify basic information about the group. 2. In the **Group Name** box, provide a name for the group by selecting a prefix and then entering a name for the group. - NOTE: The prefix box is displayed if the administrator has defined the prefixes. See the + :::note + The prefix box is displayed if the administrator has defined the prefixes. See the [Group Name Prefixes](/docs/directorymanager/11.1/admincenter/identitystore/configure/prefixes.md) topic. - These prefixes, when appended to group names, help standardize the group naming convention + These prefixes, when appended to group names, help standardize the group naming convention across the enterprise. + ::: + 3. In the **Security** list, select a security type for the group. 4. Set the group type by selecting an option for **Group Type**. @@ -36,7 +39,10 @@ Use this page to specify basic information about the group. - **Microsoft 365** - this group will be used to select a set of people to collaborate and use a collection of resources. - NOTE: If the administrator has predefined a group type, you cannot change it. + :::note + If the administrator has predefined a group type, you cannot change it. + ::: + 5. Enter a description for the group in the **Description** box. 6. Click **Next**. diff --git a/docs/directorymanager/11.1/portal/group/overview.md b/docs/directorymanager/11.1/portal/group/overview.md index 6c7fe8a0c6..f4f20df68d 100644 --- a/docs/directorymanager/11.1/portal/group/overview.md +++ b/docs/directorymanager/11.1/portal/group/overview.md @@ -25,9 +25,15 @@ groups, thus ensuring that groups are never out of date. This allows administrators to easily maintain large groups without having to manually add and remove members. -NOTE: You must [Log in](/docs/directorymanager/11.1/portal/login.md#log-in) before using it for group management. +:::note +You must [Log in](/docs/directorymanager/11.1/portal/login.md#log-in) before using it for group management. +::: -NOTE: When two identity stores (say, ID1 and ID2) are connected to the same domain (for example, + +:::note +When two identity stores (say, ID1 and ID2) are connected to the same domain (for example, demo1.com), then objects in demo1.com would have a distinct state in ID1 and ID2. For example, an object’s state (such as expiry policy, Smart Group criteria, additional owners, etc.) would be different in both identity stores. + +::: diff --git a/docs/directorymanager/11.1/portal/group/properties/advanced.md b/docs/directorymanager/11.1/portal/group/properties/advanced.md index 778fce8d6b..8372479b76 100644 --- a/docs/directorymanager/11.1/portal/group/properties/advanced.md +++ b/docs/directorymanager/11.1/portal/group/properties/advanced.md @@ -22,8 +22,11 @@ Set a mail-enabled group (Group A) to send out-of-office auto-replies to the mes (sender), when the group (Group A) receives a message and one or more group members have out-of-office status. -NOTE: This setting applies if Microsoft Exchange is configured as the messaging system for the +:::note +This setting applies if Microsoft Exchange is configured as the messaging system for the identity store. +::: + **Hide membership** @@ -45,4 +48,7 @@ Options are: a message sent to the group was not delivered to group members. - **Do not send delivery report** - Non-delivery reports are not sent to anyone. -NOTE: Non-delivery reports are sent if an SMTP server is configured for the identity store. +:::note +Non-delivery reports are sent if an SMTP server is configured for the identity store. + +::: diff --git a/docs/directorymanager/11.1/portal/group/properties/dynastyoptions.md b/docs/directorymanager/11.1/portal/group/properties/dynastyoptions.md index 82cf6b4e1e..2fd9c202eb 100644 --- a/docs/directorymanager/11.1/portal/group/properties/dynastyoptions.md +++ b/docs/directorymanager/11.1/portal/group/properties/dynastyoptions.md @@ -16,8 +16,11 @@ membership. You can: Your changes will be reflected on the next update of the Dynasty. -NOTE: Advanced Dynasty options are available for Dynasties of the parent and middle level, but not +:::note +Advanced Dynasty options are available for Dynasties of the parent and middle level, but not for the leaf level. +::: + ## For an Organizational/Geographical/Custom Dynasty @@ -35,7 +38,47 @@ The following table lists the valid characters the supported messaging systems. | Messaging System | Valid Characters | | ---------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Exchange Server 2013, Exchange Server 2016, Exchange Server 2019 | - Uppercase letters (A–Z) - Lowercase letters (a–z) - Numeric digits (0–9) - Special characters: `#`, `$`, `%`, `&`, `'`, `*`, `+`, `-`, `/`, `=`, `?`, `^`, `_`, `` ` ``, `\{`, `\|`, `\}`, `~` - Periods (`.`) are allowed, but each must be preceded and followed by at least one other valid character | +| Exchange Server 2013, Exchange Server 2016, Exchange Server 2019 | - Uppercase letters (A–Z) - Lowercase letters (a–z) - Numeric digits (0–9) - Special characters: `#`, `--- +title: "Dynasty Options tab" +description: "Group properties - Dynasty Options tab" +sidebar_position: 100 +--- + +# Dynasty Options tab + +Directory Managerprovides advanced options that you can use to enhance the Dynasty structure and its +membership. You can: + +- Modify the attributes an Organizational/Geographical/Custom Dynasty is build on +- Modify the structure of a managerial Dynasty +- Edit the template used to generate the alias and display names of child groups +- Control the attribute inheritance behavior + +Your changes will be reflected on the next update of the Dynasty. + +:::note +Advanced Dynasty options are available for Dynasties of the parent and middle level, but not +for the leaf level. +::: + + +## For an Organizational/Geographical/Custom Dynasty + +**Alias Template** + +This setting generates the alias names of child groups. **%GROUPBY%** is replaced with the actual +value of the Attributes. + +If Exchange Server is the designated messaging system for the identity store, the alias length is +limited to 64 characters and must be unique to the forest. For other messaging systems, the alias +length must not exceed the number of characters supported by the respective messaging system. + +Also, the alias must not contain characters that are invalid for the configured messaging system. +The following table lists the valid characters the supported messaging systems. + +| Messaging System | Valid Characters | +| ---------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +, `%`, `&`, `'`, `*`, `+`, `-`, `/`, `=`, `?`, `^`, `_`, `` ` ``, `\{`, `\|`, `\}`, `~` - Periods (`.`) are allowed, but each must be preceded and followed by at least one other valid character | | All other messaging systems | - Uppercase letters (A–Z) - Lowercase letters (a–z) - Numeric digits (0–9) | **Display Name Template** @@ -97,7 +140,8 @@ managers as members of a single group. You can view and change these structure options for parent and middle Dynasties. For details, see the [Dynasty Options page (Managerial Dynasty)](/docs/directorymanager/11.1/portal/group/dynasty/AD/dynastyoptionsmanagerial.md). -NOTE: (1) If the **Set manager as owner** check box is selected, the **Always inherit** option is +:::note +(1) If the **Set manager as owner** check box is selected, the **Always inherit** option is set for Inheritance, and the managedBy attribute is specified for inheritance, the **Set manager as owner** option takes priority over the managedBy attribute inheritance. Hence, the manager of a child Dynasty would be set as its respective primary owner. @@ -107,6 +151,8 @@ child Dynasty may be updated, depending on the Dynasty inheritance options. For **Always inherit** option is set for Inheritance and the managedBy attribute is specified for inheritance, the primary owner of the parent Dynasty would be set as the primary owner for all child Dynasties, replacing their respective primary owners. +::: + **Attributes** @@ -160,7 +206,215 @@ The following table lists the valid characters the supported messaging systems. | Messaging System | Valid Characters | | ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Exchange Server 2013, Exchange Server 2016, Exchange Server 2019 | - Uppercase letters (`A–Z`) - Lowercase letters (`a–z`) - Numeric digits (`0–9`) - Special characters: `#`, `$`, `%`, `&`, `'`, `*`, `+`, `-`, `/`, `=`, `?`, `^`, `_`, `` ` ``, `\{`, `\|`, `\}`, `~` - Periods (`.`) are allowed in aliases, but each must be preceded and followed by at least one other valid character | +| Exchange Server 2013, Exchange Server 2016, Exchange Server 2019 | - Uppercase letters (`A–Z`) - Lowercase letters (`a–z`) - Numeric digits (`0–9`) - Special characters: `#`, `--- +title: "Dynasty Options tab" +description: "Group properties - Dynasty Options tab" +sidebar_position: 100 +--- + +# Dynasty Options tab + +Directory Managerprovides advanced options that you can use to enhance the Dynasty structure and its +membership. You can: + +- Modify the attributes an Organizational/Geographical/Custom Dynasty is build on +- Modify the structure of a managerial Dynasty +- Edit the template used to generate the alias and display names of child groups +- Control the attribute inheritance behavior + +Your changes will be reflected on the next update of the Dynasty. + +:::note +Advanced Dynasty options are available for Dynasties of the parent and middle level, but not +for the leaf level. +::: + + +## For an Organizational/Geographical/Custom Dynasty + +**Alias Template** + +This setting generates the alias names of child groups. **%GROUPBY%** is replaced with the actual +value of the Attributes. + +If Exchange Server is the designated messaging system for the identity store, the alias length is +limited to 64 characters and must be unique to the forest. For other messaging systems, the alias +length must not exceed the number of characters supported by the respective messaging system. + +Also, the alias must not contain characters that are invalid for the configured messaging system. +The following table lists the valid characters the supported messaging systems. + +| Messaging System | Valid Characters | +| ---------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Exchange Server 2013, Exchange Server 2016, Exchange Server 2019 | - Uppercase letters (A–Z) - Lowercase letters (a–z) - Numeric digits (0–9) - Special characters: `#`, `--- +title: "Dynasty Options tab" +description: "Group properties - Dynasty Options tab" +sidebar_position: 100 +--- + +# Dynasty Options tab + +Directory Managerprovides advanced options that you can use to enhance the Dynasty structure and its +membership. You can: + +- Modify the attributes an Organizational/Geographical/Custom Dynasty is build on +- Modify the structure of a managerial Dynasty +- Edit the template used to generate the alias and display names of child groups +- Control the attribute inheritance behavior + +Your changes will be reflected on the next update of the Dynasty. + +:::note +Advanced Dynasty options are available for Dynasties of the parent and middle level, but not +for the leaf level. +::: + + +## For an Organizational/Geographical/Custom Dynasty + +**Alias Template** + +This setting generates the alias names of child groups. **%GROUPBY%** is replaced with the actual +value of the Attributes. + +If Exchange Server is the designated messaging system for the identity store, the alias length is +limited to 64 characters and must be unique to the forest. For other messaging systems, the alias +length must not exceed the number of characters supported by the respective messaging system. + +Also, the alias must not contain characters that are invalid for the configured messaging system. +The following table lists the valid characters the supported messaging systems. + +| Messaging System | Valid Characters | +| ---------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +, `%`, `&`, `'`, `*`, `+`, `-`, `/`, `=`, `?`, `^`, `_`, `` ` ``, `\{`, `\|`, `\}`, `~` - Periods (`.`) are allowed, but each must be preceded and followed by at least one other valid character | +| All other messaging systems | - Uppercase letters (A–Z) - Lowercase letters (a–z) - Numeric digits (0–9) | + +**Display Name Template** + +The template to use to generate the display names of the child groups. **%GROUPBY%** is replaced +with the actual value of theAttributes. + +**Attributes** + +Dynasties create Smart Groups for each distinct value of each attribute listed in the **Attributes** +area. + +You can view and change the attributes for parent and middle Dynasties. + +- Click **Add** to select a new attribute to add a new level to the Dynasty. +- Select an attribute and click **Edit** to modify it. +- Click **Remove** to remove the selected attribute. + +See the [Dynasty Options page](/docs/directorymanager/11.1/portal/group/dynasty/AD/dynastyoptionsorggeocus.md) for details. + +**Inheritance** + +Use this setting to specify when Dynasty children inherit attributes. Options are: + +- **Inherit on creation**: Dynasty children will inherit the attributes’ values only when the + Dynasty is created. Moreover, whenever a new child group is created, it will inherit the + attributes’ values. +- **Always inherit**: Dynasty children will inherit the attributes’ values every time the parent + Dynasty is updated. +- **Never inherit**: Dynasty children will never inherit attribute values from the parent. + +The attributes to be inherited are specified at the identity store level. See Dynasty Settings. + +When, for a child Dynasty, you change the value of an inherited attribute, the new value may or may +not persist, depending on the inheritance option selected for the parent Dynasty. Here is an +example: + +Suppose the administrator has set the managedBy attribute for inheritance. + +- With the **Always inherit** option selected for the parent Dynasty, any modifications made to the + value of the managedBy attribute for a child Dynasty will be replaced with the value of the + managedBy attribute set for the parent Dynasty, whenever the Dynasty is updated. +- With the **Never inherit** option selected, any modifications made to the value of the managedBy + attribute for a child Dynasty will persist after update + +## For a Managerial Dynasty + +Top Manager, Include manager as member, Set manager as owner, Create a Flat managerial list, Exclude +nested lists of direct reports, Create groups in same container as manager, Create groups in this +container + +When you create a managerial Dynasty, you specify a Dynasty structure that determines how query +results are grouped. + +For example, you specify whether you want to create a separate Smart Group for the direct reports of +the top manager and sub-level managers, or add all direct reports of the top manager and sub-level +managers as members of a single group. + +You can view and change these structure options for parent and middle Dynasties. For details, see +the [Dynasty Options page (Managerial Dynasty)](/docs/directorymanager/11.1/portal/group/dynasty/AD/dynastyoptionsmanagerial.md). + +:::note +(1) If the **Set manager as owner** check box is selected, the **Always inherit** option is +set for Inheritance, and the managedBy attribute is specified for inheritance, the **Set manager as +owner** option takes priority over the managedBy attribute inheritance. Hence, the manager of a +child Dynasty would be set as its respective primary owner. +(2) When you clear the **Set manager as owner** check box, the manager set as the primary owner of a +parent Dynasty will not be removed. However, when the Dynasty is updated, the primary owner of a +child Dynasty may be updated, depending on the Dynasty inheritance options. For example, if the +**Always inherit** option is set for Inheritance and the managedBy attribute is specified for +inheritance, the primary owner of the parent Dynasty would be set as the primary owner for all child +Dynasties, replacing their respective primary owners. +::: + + +**Attributes** + +Set a custom attribute to create a managerial lineage in the context of this attribute. + +See the [Dynasty Options page (Managerial Dynasty)](/docs/directorymanager/11.1/portal/group/dynasty/AD/dynastyoptionsmanagerial.md)for a +discussion on attributes. + +In addition to the scenarios discussed, the following also apply on Dynasty update: + +- Specify the ‘XadditionalManager’ attribute in addition to the ‘Manager’ attribute for a parent + managerial Dynasty. + + On update, new child Dynasties are created with respect to the additional manager attribute data + and added in their respective managers’ direct reports and additional manager's direct reports. + +- Remove the ‘XadditionalManager’ attribute for a parent managerial Dynasty. + + On update, the direct reports of users created with respect to the additional manager attribute + data are removed from their respective managers’ and additional managers’ direct reports. + + If the Delete Empty and Orphan Dynasty children setting is applied, direct reports of users + created due to the additional manager attribute data are not only removed from their respective + managers’ and additional managers’ direct reports; they also get deleted. + +**Alias Template** + +This setting is used to generate the alias names of the Dynasty's child groups. **%MANAGER%** is +replaced with the alias of the manager being processed. Normally, the mailnickname attribute is used +to store the alias. However, if this attribute is not set, then **%MANAGER%** is replaced with the +display name of the manager. + +To use an attribute other than mailNickname for generating the alias for child groups, update the +**%MANAGER%** statement with the desired attribute name. Note that the value of the attribute must +be unique. + +Example using the cn attribute: + +%MANAGER.cn% + +Example using the name attribute: + +%MANAGER.name% + +If Exchange Server is the designated messaging system for the identity store, the alias length is +limited to 64 characters and must be unique to the forest. For other messaging systems, the alias +length must not exceed the number of characters supported by the respective messaging system. + +Also, the alias must not contain characters that are invalid for the configured messaging system. +The following table lists the valid characters the supported messaging systems. + +| Messaging System | Valid Characters | +| ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +, `%`, `&`, `'`, `*`, `+`, `-`, `/`, `=`, `?`, `^`, `_`, `` ` ``, `\{`, `\|`, `\}`, `~` - Periods (`.`) are allowed in aliases, but each must be preceded and followed by at least one other valid character | | All other messaging systems | - Uppercase letters (`A–Z`) - Lowercase letters (`a–z`) - Numeric digits (`0–9`) | **Display Name Template** @@ -178,9 +432,12 @@ Example using the name attribute: %MANAGER.name% -NOTE: For a managerial Dynasty, the **%MANAGER%** variable for the alias and display name templates +:::note +For a managerial Dynasty, the **%MANAGER%** variable for the alias and display name templates must be the same. The selected attribute must be a string and cannot include characters that are not supported in pre-Windows 2000 group names. +::: + **Inheritance** diff --git a/docs/directorymanager/11.1/portal/group/properties/email.md b/docs/directorymanager/11.1/portal/group/properties/email.md index 37888e375c..e032a1987e 100644 --- a/docs/directorymanager/11.1/portal/group/properties/email.md +++ b/docs/directorymanager/11.1/portal/group/properties/email.md @@ -35,4 +35,7 @@ along with the group’s primary owner and additional owners. See search. - To remove an Exchange additional owner, select it and click **Remove**. -NOTE: Only mail-enabled users can be designated as Exchange additional owners. +:::note +Only mail-enabled users can be designated as Exchange additional owners. + +::: diff --git a/docs/directorymanager/11.1/portal/group/properties/general.md b/docs/directorymanager/11.1/portal/group/properties/general.md index 14c1f41dfc..243859ed91 100644 --- a/docs/directorymanager/11.1/portal/group/properties/general.md +++ b/docs/directorymanager/11.1/portal/group/properties/general.md @@ -34,11 +34,17 @@ example, the manager is granted the following permissions: - Create, delete and manage groups. - Modify the membership of a group. -NOTE: Do not update Smart Group membership manually; changes might be reversed when the Smart Group +:::note +Do not update Smart Group membership manually; changes might be reversed when the Smart Group Update job runs. +::: -NOTE: The _manager can update membership_ feature is not available for groups in a Microsoft Entra + +:::note +The _manager can update membership_ feature is not available for groups in a Microsoft Entra ID based identity store. +::: + **Description** @@ -73,10 +79,16 @@ The scope set for this group. - **Universal Group** - Can contain users and groups from any domain and is visible in the Global Catalog. -NOTE: With Exchange 2013/2016/2019 configured as the messaging provider for the identity store, the +:::note +With Exchange 2013/2016/2019 configured as the messaging provider for the identity store, the group scope must be set to _Universal_ for mail-enabled groups. +::: + + +:::note +In a Microsoft Entra ID based identity store, the group scope does not apply. +::: -NOTE: In a Microsoft Entra ID based identity store, the group scope does not apply. **Group Type** @@ -86,8 +98,11 @@ The group type set for the group. resources. - **Distribution** - this group will only be used for email distribution. -NOTE: In a Microsoft Entra ID based identity store, the group type is set to 'security' by default +:::note +In a Microsoft Entra ID based identity store, the group type is set to 'security' by default and this option is not displayed. +::: + **Security** diff --git a/docs/directorymanager/11.1/portal/group/properties/importmembers.md b/docs/directorymanager/11.1/portal/group/properties/importmembers.md index 4414d91c54..f0606a4e94 100644 --- a/docs/directorymanager/11.1/portal/group/properties/importmembers.md +++ b/docs/directorymanager/11.1/portal/group/properties/importmembers.md @@ -77,9 +77,12 @@ launch the **Import Members** wizard. 2. In the **Map Field** area, map a field in the source file (**Source Field**) with a directory attribute (**Destination**). - NOTE: While establishing mapping between a source field and a destination directory + :::note + While establishing mapping between a source field and a destination directory attribute, select a source field that has unique values, such as email address or sAMAccountName. + ::: + The value in the selected source field is compared to the value of the selected destination field, and records with matching values are added to the group as members. diff --git a/docs/directorymanager/11.1/portal/group/properties/members.md b/docs/directorymanager/11.1/portal/group/properties/members.md index 03f7e197a8..85474fbf98 100644 --- a/docs/directorymanager/11.1/portal/group/properties/members.md +++ b/docs/directorymanager/11.1/portal/group/properties/members.md @@ -9,8 +9,11 @@ sidebar_position: 30 Use this tab to view or modify the members of a group. By default, the primary owner is also a member of the group. -NOTE: In a Microsoft Entra ID based identity store, only user objects can be added as members of an +:::note +In a Microsoft Entra ID based identity store, only user objects can be added as members of an Office 365 group. +::: + **Members** @@ -25,9 +28,12 @@ Displays a list of member objects in this group. | Beginning | Shows the beginning date of the temporary addition or removal. | | Ending | Shows the ending date of the temporary addition or removal. | -NOTE: For each column, an item level filter is also available that lets you filter records based on +:::note +For each column, an item level filter is also available that lets you filter records based on a particular criterion. For example; to show objects whose display names start with D, type **D** in the box under the **Display Name** header and press Enter. +::: + The Membership Life Cycle job updates the temporary membership of groups. It adds and removes temporary members from group membership on the specified dates. @@ -45,10 +51,13 @@ search. The selected members get listed in the **Members** grid. -NOTE: This button is disabled for Smart Groups and Dynasties since their memberships is determined +:::note +This button is disabled for Smart Groups and Dynasties since their memberships is determined by the query set on the [Group properties - Smart Group/Query Designer tab](/docs/directorymanager/11.1/portal/group/properties/smartgroup.md). - See +See [Schedule periodic membership updates for Smart Groups/Dynasties](/docs/directorymanager/11.1/portal/group/workingwithgroups/scheduleupdate.md#schedule-periodic-membership-updates-for-smart-groupsdynasties). +::: + **Import** diff --git a/docs/directorymanager/11.1/portal/group/properties/overview.md b/docs/directorymanager/11.1/portal/group/properties/overview.md index fe49b3745a..3706c28068 100644 --- a/docs/directorymanager/11.1/portal/group/properties/overview.md +++ b/docs/directorymanager/11.1/portal/group/properties/overview.md @@ -68,5 +68,8 @@ displayed. only) - [Group properties - Dynasty Options tab](/docs/directorymanager/11.1/portal/group/properties/dynastyoptions.md) (for Dynasties only) -NOTE: The **Delivery Restrictions**, **Attributes**, **Email**, and **Advanced** tabs are not +:::note +The **Delivery Restrictions**, **Attributes**, **Email**, and **Advanced** tabs are not available for groups in a Microsoft Entra IDbased identity store. + +::: diff --git a/docs/directorymanager/11.1/portal/group/properties/owner.md b/docs/directorymanager/11.1/portal/group/properties/owner.md index 252c754bc2..e95203889f 100644 --- a/docs/directorymanager/11.1/portal/group/properties/owner.md +++ b/docs/directorymanager/11.1/portal/group/properties/owner.md @@ -14,17 +14,23 @@ depending on the Group Owner policy. Additional owners have the same privileges as the primary owner to manage the group. -NOTE: Only users, contacts and security groups can be set as the primary and additional owners of a +:::note +Only users, contacts and security groups can be set as the primary and additional owners of a group. - If you specify a group, all its members are considered additional owners. +If you specify a group, all its members are considered additional owners. +::: + You can also specify Exchange additional owners for the group. See the [Group properties - Email tab](/docs/directorymanager/11.1/portal/group/properties/email.md) in group properties. -NOTE: 1. For groups in an Microsoft Entra ID based identity store, only users can be set as primary +:::note +1. For groups in an Microsoft Entra ID based identity store, only users can be set as primary owners. Moreover, Microsoft Entra ID supports multiple primary owners for a group. Exchange additional owners are not supported. 2. A group must have at least one primary owner. +::: + **Owner** @@ -37,8 +43,11 @@ If the administrator has not enforced the selection of a primary owner in the Gr you can also remove the primary owner. Click the **Remove** button next to the **Owner** box to remove the primary owner. -NOTE: In a Microsoft Entra ID based identity store, use the **Add** and **Remove** buttons to update +:::note +In a Microsoft Entra ID based identity store, use the **Add** and **Remove** buttons to update the group's primary owners. +::: + **Suggested Owners** @@ -71,11 +80,14 @@ The **Additional Owners** grid displays the following information: | Ending | Displays the ending date of the temporary addition or removal. | | Do not notify | By default, all group-related notifications (such as expiry, deletion, and renewal notifications) are sent to the primary owner and all additional owners, so they can take the necessary action indicated. To exclude an additional owner from receiving notifications, select the **Do not notify** check box. NOTE: When a Smart Group Update job runs on a group, the notification behavior is as follows: Even when the **Do not Notify** check box is selected, the additional owner will receive the notifications if the administrator has included its email address for job-specific notifications. | -NOTE: For each column, a filter is also available that lets you filter records based on a criterion. +:::note +For each column, a filter is also available that lets you filter records based on a criterion. For example; to show objects whose display names start with D, type D in the box under the **Name** header and press **Enter**. The Managed By Life Cycle job updates the temporary ownership of groups by adding and removing temporary owners on the specified dates. +::: + Consider a scenario where the Managed By Life Cycle job is scheduled to run once a week, say Mondays. If an object is to be added as a group’s temporary additional owner for three days - @@ -108,7 +120,10 @@ Select the attributes you want to export. For information and instructions, see To remove an object from the additional owners list, select it and click **Remove**. -NOTE: On saving group properties, you may observe a message, asking you to select X number of +:::note +On saving group properties, you may observe a message, asking you to select X number of additional owners. It occurs because the Group Owner policy defined for your role at the identity store level requires that the group must have at least x number of additional owners. Do the needful and then save the information. + +::: diff --git a/docs/directorymanager/11.1/portal/group/properties/smartgroup.md b/docs/directorymanager/11.1/portal/group/properties/smartgroup.md index b61cb7ff6c..a6d820ee27 100644 --- a/docs/directorymanager/11.1/portal/group/properties/smartgroup.md +++ b/docs/directorymanager/11.1/portal/group/properties/smartgroup.md @@ -11,8 +11,11 @@ updates. The group’s membership is updated with the records fetched by the query. -NOTE: In case of an Office 365 group in a Microsoft Entra ID based identity store, group membership +:::note +In case of an Office 365 group in a Microsoft Entra ID based identity store, group membership is updated with user objects only. +::: + Membership update settings defined for the identity store also impact Smart Group and Dynasty membership update. @@ -56,8 +59,11 @@ From the **Scheduled Job** list, select a Smart Group Update job to associate wi This list contains Smart Group Update jobs define for the identity store. -NOTE: If the administrator has enforced the job selection option, you cannot save any changes unless +:::note +If the administrator has enforced the job selection option, you cannot save any changes unless you associate a scheduled job with this group. +::: + **Updated On** diff --git a/docs/directorymanager/11.1/portal/group/querydesigner/filtercriteria.md b/docs/directorymanager/11.1/portal/group/querydesigner/filtercriteria.md index 07d31d304d..b2fa3591ea 100644 --- a/docs/directorymanager/11.1/portal/group/querydesigner/filtercriteria.md +++ b/docs/directorymanager/11.1/portal/group/querydesigner/filtercriteria.md @@ -40,8 +40,11 @@ Houston, select the City attribute from this list. From here, select the condition that identifies search results. The following table lists the available conditions: -NOTE: Depending on configurations made by the GroupID administrator for the portal, all of the +:::note +Depending on configurations made by the GroupID administrator for the portal, all of the following or specific conditions will be displayed in the list. +::: + The condition list for query based searches may vary. diff --git a/docs/directorymanager/11.1/portal/group/querydesigner/general.md b/docs/directorymanager/11.1/portal/group/querydesigner/general.md index 6d0b2ccd59..99bd8b6bd6 100644 --- a/docs/directorymanager/11.1/portal/group/querydesigner/general.md +++ b/docs/directorymanager/11.1/portal/group/querydesigner/general.md @@ -21,8 +21,11 @@ The following table lists the options available on the **General** tab for each | Custom | By default, it includes all object options for Messaging System Recipients, Computers, and Users, Contact, and Groups. For this reason, the General tab does not display any option for this object type. | | Users, Contacts and Groups | - Users – Includes users - Contacts – Includes contacts - Groups – Includes groups | -NOTE: The Computer and Contact object types are not supported in a Microsoft Entra ID identity +:::note +The Computer and Contact object types are not supported in a Microsoft Entra ID identity store. +::: + Preview diff --git a/docs/directorymanager/11.1/portal/group/querydesigner/includeexclude.md b/docs/directorymanager/11.1/portal/group/querydesigner/includeexclude.md index 155dd95542..f6a06abd23 100644 --- a/docs/directorymanager/11.1/portal/group/querydesigner/includeexclude.md +++ b/docs/directorymanager/11.1/portal/group/querydesigner/includeexclude.md @@ -19,8 +19,11 @@ update process: Update command, Directory Manager obtains the query results, adds the objects to include, and then removes the objects to exclude. -NOTE: For best performance, use query criteria to include or exclude objects as opposed to +:::note +For best performance, use query criteria to include or exclude objects as opposed to statically selecting the objects using this tab. +::: + **Include** diff --git a/docs/directorymanager/11.1/portal/group/querydesigner/overview.md b/docs/directorymanager/11.1/portal/group/querydesigner/overview.md index 1038fb57ad..3d7ea799e0 100644 --- a/docs/directorymanager/11.1/portal/group/querydesigner/overview.md +++ b/docs/directorymanager/11.1/portal/group/querydesigner/overview.md @@ -61,8 +61,11 @@ Select an option to specify the type of object to include in the membership of t - **Users, Contacts, and Groups** - Any user, contact, or group, whether mail-enabled or not. -NOTE: The _Computers_ and _Contact_ object types are not supported in a Microsoft Entra ID identity +:::note +The _Computers_ and _Contact_ object types are not supported in a Microsoft Entra ID identity store. +::: + **Start in** @@ -100,5 +103,8 @@ The Query Designer has the following tabs: - [Query Designer - Password Expiry Options tab](/docs/directorymanager/11.1/portal/group/querydesigner/passwordexpiryoptions.md)[Query Designer - Password Expiry Options tab](/docs/directorymanager/11.1/portal/group/querydesigner/passwordexpiryoptions.md) (only available for Smart Groups with a password expiry condition) -NOTE: The **Storage** and **Script** tabs are not available for groups in a Microsoft Entra ID +:::note +The **Storage** and **Script** tabs are not available for groups in a Microsoft Entra ID identity store. + +::: diff --git a/docs/directorymanager/11.1/portal/group/recyclebin/overview.md b/docs/directorymanager/11.1/portal/group/recyclebin/overview.md index befef45604..7ec80107e0 100644 --- a/docs/directorymanager/11.1/portal/group/recyclebin/overview.md +++ b/docs/directorymanager/11.1/portal/group/recyclebin/overview.md @@ -22,7 +22,10 @@ restored. A Smart Group and Dynasty is restored as a static group with no members and no query. -NOTE: Tombstone groups are not available in Microsoft Entra ID. +:::note +Tombstone groups are not available in Microsoft Entra ID. +::: + ## Logical Deletion @@ -87,10 +90,19 @@ Follow the steps to restore a deleted group. The group / groups will be restored in the directory. -NOTE: You can only restore a physically deleted group from the Recycle Bin if the service account +:::note +You can only restore a physically deleted group from the Recycle Bin if the service account for the connected identity store has the ‘Reanimate Tombstone’ permissions. +::: + -NOTE: While all searches in Directory Manager are catered through Elasticsearch, the Recycle Bin is +:::note +While all searches in Directory Manager are catered through Elasticsearch, the Recycle Bin is an exception, as it fetches data from the directory. +::: + + +:::note +The Recycle Bin does not display data for a Microsoft Entra ID based identity store. -NOTE: The Recycle Bin does not display data for a Microsoft Entra ID based identity store. +::: diff --git a/docs/directorymanager/11.1/portal/group/transferownership.md b/docs/directorymanager/11.1/portal/group/transferownership.md index 7699b8f0ae..2ce8cbb8ef 100644 --- a/docs/directorymanager/11.1/portal/group/transferownership.md +++ b/docs/directorymanager/11.1/portal/group/transferownership.md @@ -41,9 +41,12 @@ Follow the steps to transfer the ownership of a group. | Domain | Includes all organizational units and their sub-trees in the search for required groups. | | Entire Directory | Searches the entire forest. | - NOTE: For Active Directory, if the search container is set to Global Catalog and Extension Data + :::note + For Active Directory, if the search container is set to Global Catalog and Extension Data is not replicated to the Global Catalog, additional ownership of the groups will not be transferred. + ::: + 3. Click **Next**. 4. On the **Existing Owner** page, select one of the following: diff --git a/docs/directorymanager/11.1/portal/group/workingwithgroups/attestation.md b/docs/directorymanager/11.1/portal/group/workingwithgroups/attestation.md index b9115296a1..8e04beb54a 100644 --- a/docs/directorymanager/11.1/portal/group/workingwithgroups/attestation.md +++ b/docs/directorymanager/11.1/portal/group/workingwithgroups/attestation.md @@ -61,10 +61,13 @@ Follow the steps to attest a group. - If the **Active All** and **Inactive All** buttons are not available, the group owner must verify each member one by one (by individually specifying its status as active or inactive. - NOTE: Setting ‘active’ as status for a disabled user does not activate or enable the user's + :::note + Setting ‘active’ as status for a disabled user does not activate or enable the user's account. - Setting ‘active’ as status for users who have not logged in during the last 30 days does not + Setting ‘active’ as status for users who have not logged in during the last 30 days does not move them to the **All Members** listing. + ::: + 6. The **Membership** column displays the membership type for active members. diff --git a/docs/directorymanager/11.1/portal/group/workingwithgroups/generalfunction.md b/docs/directorymanager/11.1/portal/group/workingwithgroups/generalfunction.md index a8a5360ffb..a29ffd17a9 100644 --- a/docs/directorymanager/11.1/portal/group/workingwithgroups/generalfunction.md +++ b/docs/directorymanager/11.1/portal/group/workingwithgroups/generalfunction.md @@ -52,7 +52,10 @@ required. You can allow or restrict a group from receiving emails from specified recipients. -NOTE: This feature is not available for groups in a Microsoft Entra ID based identity store. +:::note +This feature is not available for groups in a Microsoft Entra ID based identity store. +::: + 1. In Directory Manager portal, click **Groups** in the left navigation pane, select **My Groups**. diff --git a/docs/directorymanager/11.1/portal/group/workingwithgroups/groupexpiryfunction.md b/docs/directorymanager/11.1/portal/group/workingwithgroups/groupexpiryfunction.md index ca000e5749..90c4202634 100644 --- a/docs/directorymanager/11.1/portal/group/workingwithgroups/groupexpiryfunction.md +++ b/docs/directorymanager/11.1/portal/group/workingwithgroups/groupexpiryfunction.md @@ -20,7 +20,10 @@ Follow the steps to expire a group manually. 2. On the page displayed, select the required group and click **Expire** on the toolbar. -NOTE: Note the following: +:::note +Note the following: +::: + - When you try to manually expire a group with the expiry policy set to ‘Never Expire’, an error message is displayed, informing you that the group cannot be expired. @@ -67,8 +70,11 @@ to the [My Expired Groups](/docs/directorymanager/11.1/portal/group/mygroups/mye 4. Click **Save**. -NOTE: If the Directory Manager administrator has specified this action for review, your changes will +:::note +If the Directory Manager administrator has specified this action for review, your changes will not take effect until verified by an approver. See [Requests](/docs/directorymanager/11.1/portal/request/overview.md). +::: + ## Attest an expiring group diff --git a/docs/directorymanager/11.1/portal/group/workingwithgroups/groupjoinleave.md b/docs/directorymanager/11.1/portal/group/workingwithgroups/groupjoinleave.md index 8509510e2c..ddde93957e 100644 --- a/docs/directorymanager/11.1/portal/group/workingwithgroups/groupjoinleave.md +++ b/docs/directorymanager/11.1/portal/group/workingwithgroups/groupjoinleave.md @@ -25,8 +25,11 @@ When a user joins a Smart Group or Dynasty, he or she is added to the **Include* [Query Designer - Include/Exclude tab](/docs/directorymanager/11.1/portal/group/querydesigner/includeexclude.md) of the Query Designer. As a result, the user remains a group member even when it does not fall in the scope of the query. -NOTE: For a semi-private group, the group owner must approve your _join_ request before you are +:::note +For a semi-private group, the group owner must approve your _join_ request before you are added to group membership. See [Requests](/docs/directorymanager/11.1/portal/request/overview.md). +::: + ## Join a group temporarily @@ -54,8 +57,11 @@ When a user joins a Smart Group or Dynasty, he or she is added to the **Include* [Query Designer - Include/Exclude tab](/docs/directorymanager/11.1/portal/group/querydesigner/includeexclude.md) of the Query Designer. As a result, the user remains a group member even when it does not fall in the scope of the query. -NOTE: For a semi-private group, the group owner must approve your _join_ request before you are +:::note +For a semi-private group, the group owner must approve your _join_ request before you are added to group membership. See [Requests](/docs/directorymanager/11.1/portal/request/overview.md). +::: + ## Leave a group permanently @@ -80,8 +86,11 @@ When a user leaves a Smart Group or Dynasty, he or she is added to the **Exclude [Query Designer - Include/Exclude tab](/docs/directorymanager/11.1/portal/group/querydesigner/includeexclude.md) of the Query Designer. As a result, the user is not added to group membership even when it falls in the scope of the query. -NOTE: For a semi-private group, the group owner must approve your _leave_ request before you are +:::note +For a semi-private group, the group owner must approve your _leave_ request before you are removed from group membership. See [Requests](/docs/directorymanager/11.1/portal/request/overview.md). +::: + ## Leave a group temporarily @@ -116,8 +125,11 @@ When a user leaves a Smart Group or Dynasty, he or she is added to the **Exclude [Query Designer - Include/Exclude tab](/docs/directorymanager/11.1/portal/group/querydesigner/includeexclude.md) of the Query Designer. As a result, the user is not added to group membership even when it falls in the scope of the query. -NOTE: For a semi-private group, the group owner must approve your _leave_ request before you are +:::note +For a semi-private group, the group owner must approve your _leave_ request before you are removed from group membership. See [Requests](/docs/directorymanager/11.1/portal/request/overview.md). +::: + ## Join or leave a group on behalf of a direct report or peer @@ -198,6 +210,9 @@ When a user is removed on behalf from a Smart Group or Dynasty, he or she is add of the Query Designer. As a result, the user is not added to group membership even when it falls in the scope of the query. -NOTE: For a semi-private group, workflow is triggered and a notification is sent to the group’s +:::note +For a semi-private group, workflow is triggered and a notification is sent to the group’s primary owner for approval. If the requester is the default approver, the request is auto approved. Else, the request must be approved by an authorized user for changes to take effect. + +::: diff --git a/docs/directorymanager/11.1/portal/group/workingwithgroups/groupmembershipfunction.md b/docs/directorymanager/11.1/portal/group/workingwithgroups/groupmembershipfunction.md index 90b88ded49..f113cd90a4 100644 --- a/docs/directorymanager/11.1/portal/group/workingwithgroups/groupmembershipfunction.md +++ b/docs/directorymanager/11.1/portal/group/workingwithgroups/groupmembershipfunction.md @@ -36,11 +36,14 @@ Since the count exceeds 500, it breaks the membership into 2 child groups (Group and Group 2 with 120 members) and nests them into Group A. Hence, Directory Manager checks the member count and takes necessary action before adding members to the group. -NOTE: An Office 365 group cannot have other groups as members. Therefore, the option to break the +:::note +An Office 365 group cannot have other groups as members. Therefore, the option to break the membership into child groups would have the following impact: - An Office 365 group (Group A) will be updated according to the Smart Group update process. When the +An Office 365 group (Group A) will be updated according to the Smart Group update process. When the maximum membership limit is hit, the update process will create child group(s). These child groups will exist but without any link to Group A. Hence, Group A’s membership will be empty. +::: + ## Add members to a group @@ -48,8 +51,11 @@ You can add one or more objects to the membership of one or more groups. These o added as permanent members. You will find them listed as members on the Members tab in [Group Properties](/docs/directorymanager/11.1/portal/group/properties/overview.md). -NOTE: In a Microsoft Entra ID based identity store, only user objects can be added as members of an +:::note +In a Microsoft Entra ID based identity store, only user objects can be added as members of an Office 365 group. +::: + Use any of the following methods to add members to groups. @@ -72,9 +78,12 @@ Use any of the following methods to add members to groups. [Find Dialog Box](/docs/directorymanager/11.1/portal/generalfeatures/find.md) for performing a search. 5. Save the changes. -NOTE: These methods for adding members are recommended for static (unmanaged) groups only. For Smart +:::note +These methods for adding members are recommended for static (unmanaged) groups only. For Smart Groups, Directory Manager will discard any manual membership changes when it updates the group through the Smart Group Update job. +::: + To add a member temporarily to a group, see Change the membership type of a group member . @@ -164,9 +173,12 @@ Follow the steps to remove members permanently from a group. 3. On the **Members** tab, select the group members you want to remove and click **Remove**. 4. Save the changes. -NOTE: This method of removing members is recommended for static (unmanaged) groups only. For Smart +:::note +This method of removing members is recommended for static (unmanaged) groups only. For Smart Groups, Directory Manager will discard any manual membership changes when it updates the group through the Smart Group Update job. +::: + To remove a member temporarily from a group, see Change the membership type of a group member . @@ -185,8 +197,11 @@ Follow the steps to add a group to the membership of another group (nesting). You can import members to a group using an external file. -NOTE: In a Microsoft Entra ID based identity store, only user objects can be added as members of an +:::note +In a Microsoft Entra ID based identity store, only user objects can be added as members of an Office 365 group. +::: + 1. In Directory Manager portal, click **Groups** in the left navigation pane, select Groups. @@ -255,9 +270,12 @@ Microsoft Entra ID tenant to the membership of a group in your domain. 3. Add any message for the guest user in the **Personal Message** box. 4. Click **Invite User**. - NOTE: If the group you want to invite a guest user to is a distribution group and the + :::note + If the group you want to invite a guest user to is a distribution group and the invited user is not in the guest user list of Microsoft 365 Admin portal than the invited user is not added into the group on the first invite but on the second invite. + ::: + 5. The guest user is sent an email with the redirect link. On clicking this link, the guest user is successfully invited. diff --git a/docs/directorymanager/11.1/portal/group/workingwithgroups/groupownershipfunction.md b/docs/directorymanager/11.1/portal/group/workingwithgroups/groupownershipfunction.md index aaf1f434a3..61d338f9ff 100644 --- a/docs/directorymanager/11.1/portal/group/workingwithgroups/groupownershipfunction.md +++ b/docs/directorymanager/11.1/portal/group/workingwithgroups/groupownershipfunction.md @@ -43,13 +43,22 @@ _msExchangecoManagedby_ attribute. Directory Manager sends group expiry, deletion, and renewal notifications to all Exchange additional owners along with the group’s primary owner and additional owners. -NOTE: For email notifications to be sent, an SMTP server must be configured for the connected +:::note +For email notifications to be sent, an SMTP server must be configured for the connected identity store. +::: -NOTE: Only users, contacts and security groups can be set as the primary and additional owners of a + +:::note +Only users, contacts and security groups can be set as the primary and additional owners of a group. Moreover, only mail-enabled users can be set as Exchange additional owners. +::: + + +:::note +Note the following for a Microsoft Entra ID based identity store: +::: -NOTE: Note the following for a Microsoft Entra ID based identity store: - Only users can be set as primary owners. - Microsoft Entra ID supports multiple primary owners for a group. @@ -80,10 +89,16 @@ You can add and remove additional owners for a group. Additional owners have the same privileges as the primary owner to manage the group. -NOTE: Only users, contacts and security groups can be set as the additional owners of a group. - If you specify a group, all its members are considered additional owners. +:::note +Only users, contacts and security groups can be set as the additional owners of a group. +If you specify a group, all its members are considered additional owners. +::: + + +:::note +The contact object type is not supported in a Microsoft Entra ID based identity store. +::: -NOTE: The contact object type is not supported in a Microsoft Entra ID based identity store. If the administrator has specified the Group Owner policy for the identity store, it may have an impact on the number of additional owners the group can have. @@ -102,7 +117,10 @@ impact on the number of additional owners the group can have. notifications) are sent to the primary owner and all additional owners. To exclude an additional owner from receiving notifications, select the **Do not notify** check box. - NOTE: When a Smart Group Update job runs on a group, the notification behavior is as follows: + :::note + When a Smart Group Update job runs on a group, the notification behavior is as follows: + ::: + Even with the **Do not Notify** check box selected, the additional owner will receive the notifications if the administrator has included its email address for job-specific @@ -257,6 +275,9 @@ Exchange additional group owners. 5. Enter a search string to locate the object to add as an Exchange additional owner, or click **Advance** to use the [Find Dialog Box](/docs/directorymanager/11.1/portal/generalfeatures/find.md) for performing a search. - NOTE: Only mail-enabled users can be set as Exchange additional owners. + :::note + Only mail-enabled users can be set as Exchange additional owners. + ::: + 6. Save the changes on the **Email** tab. diff --git a/docs/directorymanager/11.1/portal/group/workingwithgroups/scheduleupdate.md b/docs/directorymanager/11.1/portal/group/workingwithgroups/scheduleupdate.md index 3bfb9cf4e5..780c272aa8 100644 --- a/docs/directorymanager/11.1/portal/group/workingwithgroups/scheduleupdate.md +++ b/docs/directorymanager/11.1/portal/group/workingwithgroups/scheduleupdate.md @@ -16,8 +16,11 @@ When a Smart Group or Dynasty is updated using a scheduled job, it involves the [ Query Designer Policy](/docs/directorymanager/11.1/admincenter/securityrole/policy/querydesigner.md)topic for additional information. - NOTE: Whatever the records returned by the query, the membership of an Office 365 group is + :::note + Whatever the records returned by the query, the membership of an Office 365 group is updated with user objects only. + ::: + - The values of certain attribute(s) is updated. @@ -63,8 +66,11 @@ In Directory Manager portal, you can perform the following functions for Smart G 4. Save the changes. -NOTE: For an Office 365 group in a Microsoft Entra ID based identity store, group membership is +:::note +For an Office 365 group in a Microsoft Entra ID based identity store, group membership is updated with user objects only. +::: + ## Schedule periodic membership updates for Smart Groups/Dynasties @@ -93,8 +99,11 @@ membership update. When this job runs, it updates the group's membership. - NOTE: The schedule job will update the group taking into account Query Designer policy of group + :::note + The schedule job will update the group taking into account Query Designer policy of group owner role, if defined. + ::: + 4. Save the changes. diff --git a/docs/directorymanager/11.1/portal/group/workingwithgroups/sendassendonbehalf.md b/docs/directorymanager/11.1/portal/group/workingwithgroups/sendassendonbehalf.md index 340cf02823..cbd286e69f 100644 --- a/docs/directorymanager/11.1/portal/group/workingwithgroups/sendassendonbehalf.md +++ b/docs/directorymanager/11.1/portal/group/workingwithgroups/sendassendonbehalf.md @@ -29,5 +29,8 @@ The administrator can provide the Send As and Send on Behalf features on any tab Use the **Add** and **Remove** buttons to add and remove objects in the Send As and Send on Behalf lists. -NOTE: Only mailboxes and mail-enabled groups can add objects to their Send As and Send on Behalf +:::note +Only mailboxes and mail-enabled groups can add objects to their Send As and Send on Behalf lists. + +::: diff --git a/docs/directorymanager/11.1/portal/history/mydirectreport.md b/docs/directorymanager/11.1/portal/history/mydirectreport.md index 23c7c3f6a9..fd4996a978 100644 --- a/docs/directorymanager/11.1/portal/history/mydirectreport.md +++ b/docs/directorymanager/11.1/portal/history/mydirectreport.md @@ -16,7 +16,10 @@ The following events are logged on this page: - When a direct report is removed from your direct reports. - When you or any other user makes certain changes to the properties of a direct report. -NOTE: When any of your direct reports is deleted, its history is also deleted. +:::note +When any of your direct reports is deleted, its history is also deleted. +::: + ## History view modes diff --git a/docs/directorymanager/11.1/portal/login.md b/docs/directorymanager/11.1/portal/login.md index 9d74e7ef35..d7be43208f 100644 --- a/docs/directorymanager/11.1/portal/login.md +++ b/docs/directorymanager/11.1/portal/login.md @@ -57,8 +57,11 @@ account, or click **Edit** next to the identity store name to connect to a diffe Step 4 – After providing your credentials, click **Sign In**. -NOTE: Microsoft Entra ID MFA enabled users cannot log into Directory Manager using their username +:::note +Microsoft Entra ID MFA enabled users cannot log into Directory Manager using their username and password. They will be authenticated through the SAML provider configured in Directory Manager. +::: + With a SAML Provider diff --git a/docs/directorymanager/11.1/portal/reports/dashboard.md b/docs/directorymanager/11.1/portal/reports/dashboard.md index 5a81553e30..607f652b62 100644 --- a/docs/directorymanager/11.1/portal/reports/dashboard.md +++ b/docs/directorymanager/11.1/portal/reports/dashboard.md @@ -16,8 +16,11 @@ Directory Manager reports are organized into four categories: - [Computer Reports](/docs/directorymanager/11.1/portal/reports/computer.md) - [Contact Reports](/docs/directorymanager/11.1/portal/reports/contact.md) -NOTE: A Microsoft Entra ID based identity store does not support the computer and contact object +:::note +A Microsoft Entra ID based identity store does not support the computer and contact object types. +::: + You can view, edit, and delete the created reports. You can also download them in Excel and PDF formats. diff --git a/docs/directorymanager/11.1/portal/request/overview.md b/docs/directorymanager/11.1/portal/request/overview.md index 024d3e314d..1413bc5636 100644 --- a/docs/directorymanager/11.1/portal/request/overview.md +++ b/docs/directorymanager/11.1/portal/request/overview.md @@ -43,8 +43,11 @@ connected identity store. Expanding this node displays the following tabs: view, approve, deny, or reroute these requests. - [All Requests](/docs/directorymanager/11.1/portal/request/allrequest.md) lists all pending workflow requests generated by enterprise users. -NOTE: If the user is high priority such as _Administrator_, only then they will see the _All +:::note +If the user is high priority such as _Administrator_, only then they will see the _All Requests_ tab. +::: + ## Workflow Implementation @@ -67,7 +70,10 @@ generated for such workflow requests contain the **Accept** and **Deny** buttons these, the approver is redirected to the Directory Manager portal, where he or she can approve or deny the request. Navigation within the portal will require authentication. -NOTE: Email notifications are sent when an SMTP server has been configured for the identity store. +:::note +Email notifications are sent when an SMTP server has been configured for the identity store. +::: + ## Approving authority for a Workflow Request (without Workflow Acceleration) diff --git a/docs/directorymanager/11.1/portal/secondfactorauthentication/secondfactorauthentication.md b/docs/directorymanager/11.1/portal/secondfactorauthentication/secondfactorauthentication.md index 52886c6d55..cc6600bc52 100644 --- a/docs/directorymanager/11.1/portal/secondfactorauthentication/secondfactorauthentication.md +++ b/docs/directorymanager/11.1/portal/secondfactorauthentication/secondfactorauthentication.md @@ -60,8 +60,11 @@ authenticate. number. The portal then sends a confirmation code on this number; the user has to enter the code in the portal for authentication. -NOTE: The SMS authentication type is available if the Directory Manager administrator has linked an +:::note +The SMS authentication type is available if the Directory Manager administrator has linked an SMS gateway account with the identity store. +::: + ### Email Verification @@ -75,8 +78,11 @@ authenticate. enrollment. The portal then sends a confirmation code to this email address; the user has to enter the code in the portal for authentication. -NOTE: The Email authentication type is available if the administrator has defined an SMTP server for +:::note +The Email authentication type is available if the administrator has defined an SMTP server for the identity store. +::: + ### Authenticator app @@ -122,8 +128,11 @@ IE and Microsoft Edge are not supported. - To authenticate with this YubiKey, insert the device in your computer and then tap on the device in the portal. -NOTE: Users can enroll and authenticate with a YubiKey only on a physical machine. Virtual machines +:::note +Users can enroll and authenticate with a YubiKey only on a physical machine. Virtual machines are not supported. +::: + ### Windows Hello authentication @@ -144,6 +153,9 @@ Having set a PIN, proceed to add biometric data. Step 4 – In the **Windows Hello** section, click **Set up** under **Face** or **Fingerprint** to add the recognition data. -NOTE: If your device does not meet the hardware requirements, Windows Hello is not available, even +:::note +If your device does not meet the hardware requirements, Windows Hello is not available, even if Windows 10 is installed on it. - Window Hello supports the Microsoft Edge browser only. +Window Hello supports the Microsoft Edge browser only. + +::: diff --git a/docs/directorymanager/11.1/portal/synchronize/collection/create.md b/docs/directorymanager/11.1/portal/synchronize/collection/create.md index 2d8e8993a1..abb0456c7b 100644 --- a/docs/directorymanager/11.1/portal/synchronize/collection/create.md +++ b/docs/directorymanager/11.1/portal/synchronize/collection/create.md @@ -34,8 +34,11 @@ collection. You can either add existing jobs or create new jobs to add them to t Step 6 – On the [Scheduling and Notifications](/docs/directorymanager/11.1/portal/synchronize/collection/schedulingandnotification.md) page, choose a schedule for a job collection and set up notification settings. -NOTE: After creating the job collection, you can modify the schedule for the job collection and you +:::note +After creating the job collection, you can modify the schedule for the job collection and you can also create a new schedule. +::: + Step 7 – Select **Preview job collection when finished** checkbox to preview the job collection before executing it. diff --git a/docs/directorymanager/11.1/portal/synchronize/collection/schedulingandnotification.md b/docs/directorymanager/11.1/portal/synchronize/collection/schedulingandnotification.md index 3925bb5fc9..d214cbfcee 100644 --- a/docs/directorymanager/11.1/portal/synchronize/collection/schedulingandnotification.md +++ b/docs/directorymanager/11.1/portal/synchronize/collection/schedulingandnotification.md @@ -30,7 +30,10 @@ Step 3 – Enter the email address of notification recipients in the given box. Step 4 – From the **Send notification** list, select the notification trigger event. Options are: -NOTE: This step requires that the identity store of the destination should be configured. +:::note +This step requires that the identity store of the destination should be configured. +::: + - **Always**: Send a notification every time the job collection is run, regardless of outcome. - **Records are updated**: Send a notification only when one or more records have been updated. diff --git a/docs/directorymanager/11.1/portal/synchronize/create/create.md b/docs/directorymanager/11.1/portal/synchronize/create/create.md index 4a2d9e38f5..6295dafc75 100644 --- a/docs/directorymanager/11.1/portal/synchronize/create/create.md +++ b/docs/directorymanager/11.1/portal/synchronize/create/create.md @@ -59,8 +59,11 @@ destination fields and apply transformations. Step 8 – On the [Schedule Job and Notifications](/docs/directorymanager/11.1/portal/synchronize/create/scheduleandnotification.md) page, choose a schedule for a job and set up notification settings. -NOTE: After creating the job, you can modify the schedule for the job and you can also create a new +:::note +After creating the job, you can modify the schedule for the job and you can also create a new schedule. +::: + Step 9 – Select **Preview job when finished** checkbox to preview the job. diff --git a/docs/directorymanager/11.1/portal/synchronize/create/objectfieldsandmapping.md b/docs/directorymanager/11.1/portal/synchronize/create/objectfieldsandmapping.md index d08239cda8..4894c7f92e 100644 --- a/docs/directorymanager/11.1/portal/synchronize/create/objectfieldsandmapping.md +++ b/docs/directorymanager/11.1/portal/synchronize/create/objectfieldsandmapping.md @@ -150,9 +150,12 @@ On the **Object, Fields and Mappings** page, map the a attributes with source fi creating a new object. Fields that are not selected are continually updated. Key fields are selected by default as New Only fields as a requirement; you cannot change this selection. - NOTE: For Microsoft Entra ID objects, primary key fields are: - (1) UserPrincipleName attribute for “User/Mailbox” object - (2) DisplayName attribute for “Group” object. + :::note + For Microsoft Entra ID objects, primary key fields are: + (1) UserPrincipleName attribute for “User/Mailbox” object + (2) DisplayName attribute for “Group” object. + ::: + 4. Select **Show field reference** check box to view a list of attributes from the schema of the source provider. diff --git a/docs/directorymanager/11.1/portal/synchronize/create/scheduleandnotification.md b/docs/directorymanager/11.1/portal/synchronize/create/scheduleandnotification.md index d8af3a1d1d..15362f9418 100644 --- a/docs/directorymanager/11.1/portal/synchronize/create/scheduleandnotification.md +++ b/docs/directorymanager/11.1/portal/synchronize/create/scheduleandnotification.md @@ -37,9 +37,12 @@ run in future and set the notifications settings for the job. 4. **Job fails**: Send a notification only when a fatal error occurs causing the job to fail. - RECOMMENDED: This step requires that notification settings are already configured in the + :::info + This step requires that notification settings are already configured in the connected identity store. Click Configure Notifications if notifications are not configured. + ::: + 3. Click on **Advanced Settings** to go to **Advanced Setting For the Job** page: @@ -78,10 +81,13 @@ run in future and set the notifications settings for the job. **Update only records that have changed** option. From here, select the attribute or field in the source that would contain a value for the time stamp. - NOTE: Synchronizing all fields every time the job runs can be inefficient. If your data + :::note + Synchronizing all fields every time the job runs can be inefficient. If your data source has a time stamp field that indicates the last time the row was updated or modified, Synchronize can use it to selectively update only the rows that have changed since the last time the job was run. + ::: + 4. Click **Save**. diff --git a/docs/directorymanager/11.1/portal/synchronize/create/selectedfield.md b/docs/directorymanager/11.1/portal/synchronize/create/selectedfield.md index 7403b3ba78..9aad7611a5 100644 --- a/docs/directorymanager/11.1/portal/synchronize/create/selectedfield.md +++ b/docs/directorymanager/11.1/portal/synchronize/create/selectedfield.md @@ -94,9 +94,12 @@ take if the data or object being exported from the source does not exist at the Select the required Active Directory attribute from it to search matching group members in the destination. - NOTE: A Synchronize job can only create groups at the destination. In order to sync group + :::note + A Synchronize job can only create groups at the destination. In order to sync group members, it searches Active Directory for the matching objects based on the Member Key field and adds them to the group membership. + ::: + 6. To select all the fields, check the **All Fields** checkbox below. 7. Click **Save**. diff --git a/docs/directorymanager/11.1/portal/synchronize/dtmscript/visualbasicnetbasic.md b/docs/directorymanager/11.1/portal/synchronize/dtmscript/visualbasicnetbasic.md index 6bc89dcf98..e6933db343 100644 --- a/docs/directorymanager/11.1/portal/synchronize/dtmscript/visualbasicnetbasic.md +++ b/docs/directorymanager/11.1/portal/synchronize/dtmscript/visualbasicnetbasic.md @@ -110,7 +110,10 @@ With extensive string manipulation, statement lines frequently become quite long a statement into two or more lines, insert a space followed by an underline (”\_”) just prior to each line break. -NOTE: Be sure to insert the line break characters ("\_") outside of a string literal. +:::note +Be sure to insert the line break characters ("\_") outside of a string literal. +::: + Example: diff --git a/docs/directorymanager/11.1/portal/synchronize/manage/jobcollection.md b/docs/directorymanager/11.1/portal/synchronize/manage/jobcollection.md index 49c7df5d72..3d0515c615 100644 --- a/docs/directorymanager/11.1/portal/synchronize/manage/jobcollection.md +++ b/docs/directorymanager/11.1/portal/synchronize/manage/jobcollection.md @@ -20,8 +20,11 @@ You can do the following in a job collection: - Set up job run notifications – Email notifications contain a brief numerical summary of the objects processed by the job collection and a detailed log of statistics and errors. - NOTE: Notification settings for individual jobs do not apply when they are run as part of a job + :::note + Notification settings for individual jobs do not apply when they are run as part of a job collection. + ::: + ## Filter Job Collection diff --git a/docs/directorymanager/11.1/portal/synchronize/transformation/autogenerateuniquepassword.md b/docs/directorymanager/11.1/portal/synchronize/transformation/autogenerateuniquepassword.md index 1c8fc87aba..5f20d2d70f 100644 --- a/docs/directorymanager/11.1/portal/synchronize/transformation/autogenerateuniquepassword.md +++ b/docs/directorymanager/11.1/portal/synchronize/transformation/autogenerateuniquepassword.md @@ -104,8 +104,11 @@ Step 13 – Select the Special Symbols check box if you want the password to con characters. When the check box is selected, the box next to it becomes available. You can specify special characters in the box that you want the password to contain. -NOTE: For Active Directory destinations, if password complexity requirements are enabled for the +:::note +For Active Directory destinations, if password complexity requirements are enabled for the domain, then you must select three of the preceding four settings. +::: + Step 14 – Select the **Exclude similar symbols** check box if you do not want a special character to appear more than once in the password. @@ -130,5 +133,8 @@ Use unique password generated dynamically against each row option on the Transfo dialog box, then the new password for each object is sent to the administrator by email when the job runs. -NOTE: Notifications will be sent if an SMTP server and notification recipients have been configured +:::note +Notifications will be sent if an SMTP server and notification recipients have been configured for the destination identity store. + +::: diff --git a/docs/directorymanager/11.1/portal/synchronize/transformation/overview.md b/docs/directorymanager/11.1/portal/synchronize/transformation/overview.md index a9a9a2f62d..c6241e6780 100644 --- a/docs/directorymanager/11.1/portal/synchronize/transformation/overview.md +++ b/docs/directorymanager/11.1/portal/synchronize/transformation/overview.md @@ -69,8 +69,11 @@ fields. destination: The target location to which to copy data. Destinations must be Exchange 5.5, Active Directory, SQL Server, or Excel. -NOTE: This transformation can adversely affect performance, as it adds an additional query to each +:::note +This transformation can adversely affect performance, as it adds an additional query to each record. It applies to Active Directory and Exchange only. +::: + ## Join diff --git a/docs/directorymanager/11.1/portal/user/create/AD/contact.md b/docs/directorymanager/11.1/portal/user/create/AD/contact.md index bf78301ba2..7f4a6f684e 100644 --- a/docs/directorymanager/11.1/portal/user/create/AD/contact.md +++ b/docs/directorymanager/11.1/portal/user/create/AD/contact.md @@ -8,10 +8,16 @@ sidebar_position: 20 The Directory Manager portal enables you to create the contact object in the directory. -NOTE: The contact object type is not supported in a Microsoft Entra ID based identity store. +:::note +The contact object type is not supported in a Microsoft Entra ID based identity store. +::: -NOTE: Pages and fields on the Create Contact wizard may vary from those discussed here, since the + +:::note +Pages and fields on the Create Contact wizard may vary from those discussed here, since the administrator can customize the wizard by adding or removing pages and fields. +::: + ## Create a contact @@ -39,6 +45,9 @@ Step 4 – Use the Exchange page to mail-enable the contact. Step 5 – On the Summary page, review the settings and then click Finish to complete the wizard. -NOTE: If the Directory Manager administrator has specified the contact creation action for review, +:::note +If the Directory Manager administrator has specified the contact creation action for review, your changes will not take effect until verified by an approver. See the [Requests](/docs/directorymanager/11.1/portal/request/overview.md) topic for additional information. + +::: diff --git a/docs/directorymanager/11.1/portal/user/create/AD/mailbox.md b/docs/directorymanager/11.1/portal/user/create/AD/mailbox.md index fe776f6f48..cb80c0a488 100644 --- a/docs/directorymanager/11.1/portal/user/create/AD/mailbox.md +++ b/docs/directorymanager/11.1/portal/user/create/AD/mailbox.md @@ -11,8 +11,11 @@ configured for the identity store. A mailbox is a user with a mailbox, such as an Exchange mailbox. -NOTE: Pages and fields on the Create Mailbox wizard may vary from those discussed here, since the +:::note +Pages and fields on the Create Mailbox wizard may vary from those discussed here, since the administrator can customize the wizard by adding or removing pages and fields. +::: + ## Create a mailbox in Active Directory @@ -32,6 +35,9 @@ Step 4 – On the [Exchange page](/docs/directorymanager/11.1/portal/user/create Step 5 – On the [Summary Page](/docs/directorymanager/11.1/portal/user/create/AD/summary.md), review the settings and then click **Finish** to complete the wizard. -NOTE: If the Directory Manager administrator has specified the mailbox creation action for review, +:::note +If the Directory Manager administrator has specified the mailbox creation action for review, your changes will not take effect until verified by an approver. See the [Requests](/docs/directorymanager/11.1/portal/request/overview.md) topic for additional information. + +::: diff --git a/docs/directorymanager/11.1/portal/user/create/AD/messaging.md b/docs/directorymanager/11.1/portal/user/create/AD/messaging.md index ed2fd35690..dce3a47800 100644 --- a/docs/directorymanager/11.1/portal/user/create/AD/messaging.md +++ b/docs/directorymanager/11.1/portal/user/create/AD/messaging.md @@ -21,6 +21,9 @@ email address to send email notifications to the user. Step 5 – Click **Next**. -NOTE: To create a mail-enabled user, a messaging provider (such as Microsoft Exchange) must be +:::note +To create a mail-enabled user, a messaging provider (such as Microsoft Exchange) must be configured for the identity store. - If it is not configured, the Messaging page is disabled. +If it is not configured, the Messaging page is disabled. + +::: diff --git a/docs/directorymanager/11.1/portal/user/create/AD/user.md b/docs/directorymanager/11.1/portal/user/create/AD/user.md index f0b54d08a0..b2ae1da69c 100644 --- a/docs/directorymanager/11.1/portal/user/create/AD/user.md +++ b/docs/directorymanager/11.1/portal/user/create/AD/user.md @@ -8,11 +8,17 @@ sidebar_position: 10 In Directory Manager portal, you can create mail-enabled and non mail-enabled users. -NOTE: In a Microsoft Entra ID based identity store, users can only be created as non mail-enabled. +:::note +In a Microsoft Entra ID based identity store, users can only be created as non mail-enabled. Create a mailbox as an alternative to a mail-enabled user. +::: -NOTE: Pages and fields on the Create User wizard may vary from those discussed here, since the + +:::note +Pages and fields on the Create User wizard may vary from those discussed here, since the administrator can customize the wizard by adding or removing pages and fields. +::: + ## Create a mail-enabled user in Active Directory @@ -32,9 +38,12 @@ Step 4 – Use the [Exchange page](/docs/directorymanager/11.1/portal/user/creat Step 5 – On the [Summary Page](/docs/directorymanager/11.1/portal/user/create/AD/summary.md), review the settings and then click Finish to complete the wizard. -NOTE: If the Directory Manager administrator has specified the user creation action for review, your +:::note +If the Directory Manager administrator has specified the user creation action for review, your changes will not take effect until verified by an approver. See the [Requests](/docs/directorymanager/11.1/portal/request/overview.md) topic for additional information. +::: + ## Create a non mail-enabled user in Active Directory @@ -57,6 +66,9 @@ A non mail-enabled user does not have an email address. Step 5 – On the [Summary Page](/docs/directorymanager/11.1/portal/user/create/AD/summary.md), review the settings and then click Finish to complete the wizard. -NOTE: If the Directory Manager administrator has specified the user creation action for review, your +:::note +If the Directory Manager administrator has specified the user creation action for review, your changes will not take effect until verified by an approver. See the [Requests](/docs/directorymanager/11.1/portal/request/overview.md) topic for additional information. + +::: diff --git a/docs/directorymanager/11.1/portal/user/create/EntraID/mailbox.md b/docs/directorymanager/11.1/portal/user/create/EntraID/mailbox.md index ffbcc948f4..993be74fde 100644 --- a/docs/directorymanager/11.1/portal/user/create/EntraID/mailbox.md +++ b/docs/directorymanager/11.1/portal/user/create/EntraID/mailbox.md @@ -11,8 +11,11 @@ configured for the identity store. A mailbox is a user with a mailbox, such as an Exchange mailbox. -NOTE: Pages and fields on the Create Mailbox wizard may vary from those discussed here, since the +:::note +Pages and fields on the Create Mailbox wizard may vary from those discussed here, since the administrator can customize the wizard by adding or removing pages and fields. +::: + ## Create a mailbox in an Microsoft Entra ID @@ -32,6 +35,9 @@ Step 4 – On the Exchange page, set the alias and Office 365 subscriptions for Step 5 – On the Summary page, review the settings and then click **Finish** to complete the wizard. -NOTE: If the Directory Manager administrator has specified the mailbox creation action for review, +:::note +If the Directory Manager administrator has specified the mailbox creation action for review, your changes will not take effect until verified by an approver. See the [Requests](/docs/directorymanager/11.1/portal/request/overview.md) topic for additional information. + +::: diff --git a/docs/directorymanager/11.1/portal/user/create/EntraID/user.md b/docs/directorymanager/11.1/portal/user/create/EntraID/user.md index 314bd7ac9a..098623c779 100644 --- a/docs/directorymanager/11.1/portal/user/create/EntraID/user.md +++ b/docs/directorymanager/11.1/portal/user/create/EntraID/user.md @@ -8,11 +8,17 @@ sidebar_position: 10 In Directory Manager portal, you can create mail-enabled and non mail-enabled users. -NOTE: In a Microsoft Entra ID based identity store, users can only be created as non mail-enabled. +:::note +In a Microsoft Entra ID based identity store, users can only be created as non mail-enabled. Create a mailbox as an alternative to a mail-enabled user. +::: -NOTE: Pages and fields on the Create User wizard may vary from those discussed here, since the + +:::note +Pages and fields on the Create User wizard may vary from those discussed here, since the administrator can customize the wizard by adding or removing pages and fields. +::: + ## Create a user in Microsoft Entra ID @@ -33,6 +39,9 @@ information. Step 5 – On the Summary page, review the settings and then click **Finish** to complete the wizard. -NOTE: If the Directory Manager administrator has specified the user creation action for review, your +:::note +If the Directory Manager administrator has specified the user creation action for review, your changes will not take effect until verified by an approver. See the [Requests](/docs/directorymanager/11.1/portal/request/overview.md) topic for additional information. + +::: diff --git a/docs/directorymanager/11.1/portal/user/linkedaccounts.md b/docs/directorymanager/11.1/portal/user/linkedaccounts.md index ba28dff4fa..c5661a9150 100644 --- a/docs/directorymanager/11.1/portal/user/linkedaccounts.md +++ b/docs/directorymanager/11.1/portal/user/linkedaccounts.md @@ -45,7 +45,10 @@ to link to the master account. A message, _Account has been successfully linked_ If the master account is not enrolled yet, it automatically gets enrolled when an account is linked to it. -NOTE: An already enrolled or linked account cannot be linked to a master account. +:::note +An already enrolled or linked account cannot be linked to a master account. +::: + Step 4 – Select the **Allow Authentication** option for the account(s) you want to use to authenticate with, while unlocking any linked accounts or resetting passwords of linked accounts. @@ -93,7 +96,10 @@ displayed. If the master account is not enrolled yet, it automatically gets enrolled when an account is linked to it. -NOTE: An already enrolled or linked account cannot be linked to a master account. +:::note +An already enrolled or linked account cannot be linked to a master account. +::: + Step 5 – Turn on the **Allow Authentication** button against the account(s) you want to use to authenticate with, while unlocking any linked accounts or resetting passwords of linked accounts. diff --git a/docs/directorymanager/11.1/portal/user/manage/changepassword.md b/docs/directorymanager/11.1/portal/user/manage/changepassword.md index e1959f841f..eae71b7db4 100644 --- a/docs/directorymanager/11.1/portal/user/manage/changepassword.md +++ b/docs/directorymanager/11.1/portal/user/manage/changepassword.md @@ -15,8 +15,11 @@ Administrator can either enable [Directory Manage Password Policy ](/docs/directorymanager/11.1/admincenter/securityrole/policy/password.md) or Netwrix Password Policy Enforcer policies for the identity store. -NOTE: MFA enabled Microsoft Entra ID users cannot change their passwords in Directory Manager. If +:::note +MFA enabled Microsoft Entra ID users cannot change their passwords in Directory Manager. If they try to do so, the following message is displayed: +::: + ![Change Password error message for Entra ID user](/img/product_docs/directorymanager/11.1/portal/user/manage/changepasswordentraiduser.webp) diff --git a/docs/directorymanager/11.1/portal/user/manage/directreport.md b/docs/directorymanager/11.1/portal/user/manage/directreport.md index bfe6912cf2..8716ce8a6d 100644 --- a/docs/directorymanager/11.1/portal/user/manage/directreport.md +++ b/docs/directorymanager/11.1/portal/user/manage/directreport.md @@ -42,9 +42,12 @@ You can control the number of records to be displayed per page by modifying the page** setting on the User Settings panel. You can modify the search results in Modify Search Directory. You can select entire directory or a domain to search active groups from. -NOTE: You cannot add or remove direct reports on this page. Use the Organization tab of your profile +:::note +You cannot add or remove direct reports on this page. Use the Organization tab of your profile to add or remove your direct reports. You can also transfer and terminate your direct reports while you validate your Profile. +::: + To view any changes made to your direct reports, see the [My Direct Reports' History](/docs/directorymanager/11.1/portal/history/mydirectreport.md) topic for additional information. diff --git a/docs/directorymanager/11.1/portal/user/manage/unlockaccount.md b/docs/directorymanager/11.1/portal/user/manage/unlockaccount.md index bf630ee7f7..895dd73909 100644 --- a/docs/directorymanager/11.1/portal/user/manage/unlockaccount.md +++ b/docs/directorymanager/11.1/portal/user/manage/unlockaccount.md @@ -205,5 +205,8 @@ This type of account unlock can be resolved in one of the following two ways: - You wait for the specified duration, after which the account will be unlocked automatically. -NOTE: Helpdesk cannot unlock accounts that get locked out on providing a wrong response to the +:::note +Helpdesk cannot unlock accounts that get locked out on providing a wrong response to the authentication type(s). + +::: diff --git a/docs/directorymanager/11.1/portal/user/manage/validateprofile.md b/docs/directorymanager/11.1/portal/user/manage/validateprofile.md index 0d8ff21e92..52bb6ca9e1 100644 --- a/docs/directorymanager/11.1/portal/user/manage/validateprofile.md +++ b/docs/directorymanager/11.1/portal/user/manage/validateprofile.md @@ -32,7 +32,10 @@ these accounts, users’ managers must send a request to the administrator or He administrator or Helpdesk user can extend the profile validation period on the [Disabled Users](/docs/directorymanager/11.1/portal/user/manage/disableduser.md) page of the portal. -NOTE: For notifications to be sent, an SMTP server must be configured for the identity store. +:::note +For notifications to be sent, an SMTP server must be configured for the identity store. +::: + ### Profile Validation for New Users @@ -79,8 +82,11 @@ options for each of your direct reports: Step 5 – After verifying and updating the information, click the **Validate Now** button. Your profile is validated and a message is displayed that your changes have been saved. -NOTE: You can also manage your direct reports and managers on the Organization tab of the my profile +:::note +You can also manage your direct reports and managers on the Organization tab of the my profile window. +::: + ## Change your primary manager @@ -93,9 +99,12 @@ When you change your primary manager (Manager A), then Manager A is notified by reject the request. If Manager A accepts, your manager is changed. If Manager A rejects the request, you remain with Manager A and a notification is sent to you and Manager A. -NOTE: This is the default flow of the ‘Workflow to Change Manager’ workflow. If the administrator +:::note +This is the default flow of the ‘Workflow to Change Manager’ workflow. If the administrator disables the workflow or changes the approver, the flow changes accordingly. See [Requests](/docs/directorymanager/11.1/portal/request/overview.md). +::: + ## Transfer your direct report @@ -104,9 +113,12 @@ transfer. If the direct report accepts the transfer, he or she has to select ano and validate his or her profile. If the direct report rejects the transfer, he or she is transferred back to the old manager, i.e., you. -NOTE: This is the default flow of the ‘Workflow to Transfer a User’ workflow, with the direct report +:::note +This is the default flow of the ‘Workflow to Transfer a User’ workflow, with the direct report set as the workflow approver. If the administrator disables the workflow or changes the approver, the flow changes accordingly. See [Requests](/docs/directorymanager/11.1/portal/request/overview.md). +::: + ## Terminate your direct report diff --git a/docs/directorymanager/11.1/portal/user/overview.md b/docs/directorymanager/11.1/portal/user/overview.md index 58d79eed11..4f4298cdc3 100644 --- a/docs/directorymanager/11.1/portal/user/overview.md +++ b/docs/directorymanager/11.1/portal/user/overview.md @@ -42,4 +42,7 @@ The table below displays the major functions that users can perform in Directory | Validate Your Profile | Validate your profile after a particular time in order to ensure the user information in the directory. | | User Account Settings | Modify your profile information. Administrators can manage the user information, enable/disable the user, or expire a user. | -NOTE: The contact object type is not supported in a Microsoft Entra ID based identity store. +:::note +The contact object type is not supported in a Microsoft Entra ID based identity store. + +::: diff --git a/docs/directorymanager/11.1/portal/user/properties/AD/useroverview/organization.md b/docs/directorymanager/11.1/portal/user/properties/AD/useroverview/organization.md index ecffd37057..35317fb8c4 100644 --- a/docs/directorymanager/11.1/portal/user/properties/AD/useroverview/organization.md +++ b/docs/directorymanager/11.1/portal/user/properties/AD/useroverview/organization.md @@ -16,9 +16,12 @@ Furthermore, this tab shows the direct reports of this user or contact. Direct r users or contacts that report directly to the user or contact. You can add direct reports as well as transfer or terminate a direct report. -NOTE: A user can also manage his/her direct reports and change his/her primary manager while +:::note +A user can also manage his/her direct reports and change his/her primary manager while validating his/her profile in the portal. See the [Validate your profile](/docs/directorymanager/11.1/portal/user/manage/validateprofile.md) topic. +::: + ## Dotted line management @@ -30,9 +33,12 @@ When a user changes his or her primary or additional manager, the primary manage through email to accept or reject the request. If the primary manager accepts, the user’s manager is changed. If the primary manager rejects the request, the user remains with the manager. -NOTE: This is the default flow for the ‘Workflow to Change Manager’ workflow, with the primary +:::note +This is the default flow for the ‘Workflow to Change Manager’ workflow, with the primary manager set as the approver. If the administrator disables the workflow or changes the workflow approver, the flow changes accordingly. See the [Requests](/docs/directorymanager/11.1/portal/request/overview.md) topic. +::: + Manager @@ -57,9 +63,12 @@ groups and contacts. primary manager and validate his or her profile. If the direct report rejects the transfer, he or she is transferred back to the old manager, i.e., you. - NOTE: This is the default flow for the ‘Workflow to Transfer a User’ workflow, with the direct + :::note + This is the default flow for the ‘Workflow to Transfer a User’ workflow, with the direct report set as the approver. If the administrator disables the workflow or changes the approver, the flow changes accordingly. See the [Requests](/docs/directorymanager/11.1/portal/request/overview.md) topic. + ::: + - To terminate a direct report, select it and click **Terminate**. @@ -86,9 +95,12 @@ This section displays a list of the additional managers of the user or contact. | Beginning | Shows the beginning date of the temporary addition or removal. | | Ending | Shows the ending date of the temporary addition or removal. | -NOTE: For each column, a filter is also available that lets you filter records based on a criterion. +:::note +For each column, a filter is also available that lets you filter records based on a criterion. For example; to show objects whose display names start with D, type D in the box under the Name header and press Enter. +::: + The Managed By Life Cycle job updates the temporary managers of users/contacts by adding and removing temporary additional managers on the specified dates. diff --git a/docs/directorymanager/11.1/portal/user/properties/EntraID/identity.md b/docs/directorymanager/11.1/portal/user/properties/EntraID/identity.md index b493ca8dfa..9e676da6c1 100644 --- a/docs/directorymanager/11.1/portal/user/properties/EntraID/identity.md +++ b/docs/directorymanager/11.1/portal/user/properties/EntraID/identity.md @@ -36,9 +36,12 @@ The user type assigned to the user in Microsoft Entra ID, such as _Member_ or _G external collaborator, partner, customer, or similar user. Such a user wouldn't be expected to receive a CEO's internal memo, or receive company benefits, for example. -NOTE: The User Type has no link to the user login function, the directory role of the user, and so +:::note +The User Type has no link to the user login function, the directory role of the user, and so on. It simply indicates the user's relationship to the host organization and allows the organization to enforce policies that depend on this property. +::: + Object ID diff --git a/docs/directorymanager/11.1/portal/user/properties/overview.md b/docs/directorymanager/11.1/portal/user/properties/overview.md index ee9ddb04a9..49bf53d6ad 100644 --- a/docs/directorymanager/11.1/portal/user/properties/overview.md +++ b/docs/directorymanager/11.1/portal/user/properties/overview.md @@ -62,7 +62,10 @@ ID based identity store. Following is the list of all the properties that Contacts have in Active Directory based identity store. -NOTE: Contact object is not supported in Microsoft Entra ID. +:::note +Contact object is not supported in Microsoft Entra ID. +::: + - [Object properties - General tab](/docs/directorymanager/11.1/portal/user/properties/AD/useroverview/general.md) - [Object properties - Organization tab](/docs/directorymanager/11.1/portal/user/properties/AD/useroverview/organization.md) diff --git a/docs/directorymanager/11.1/portal/welcome.md b/docs/directorymanager/11.1/portal/welcome.md index fc937d531c..3be5189256 100644 --- a/docs/directorymanager/11.1/portal/welcome.md +++ b/docs/directorymanager/11.1/portal/welcome.md @@ -36,5 +36,8 @@ that users enter correct data before changes are committed to the directory. A Directory Manager portal can be linked with multiple identity stores, thus eliminating the need to create a separate portal for each identity store. Users can select an identity store to log in. -NOTE: Since the administrator can customize the portal for different identity stores and for +:::note +Since the administrator can customize the portal for different identity stores and for different user roles within an identity stores, you may not have access to all portal features. + +::: diff --git a/docs/directorymanager/11.1/requirements/database.md b/docs/directorymanager/11.1/requirements/database.md index 8fdf72dbc7..1c5c7e7305 100644 --- a/docs/directorymanager/11.1/requirements/database.md +++ b/docs/directorymanager/11.1/requirements/database.md @@ -27,8 +27,11 @@ manually. To enable the SQL Server Browser service, see [How to: Start and Stop the SQL Server Browser Service](http://technet.microsoft.com/en-us/library/ms189093(v=sql.105).aspx). -NOTE: Directory Manager now uses .NetCore 8 and it requires a SQL certificate to access database +:::note +Directory Manager now uses .NetCore 8 and it requires a SQL certificate to access database using Windows Authentication. Therefore, if you want to access the Directory Manager database using Windows Authentication, then a SQL certificate must be added to the Trusted Root Certification Authorities certificate store on connecting clients or servers such as Directory Manager. See the [SQL Certificate for Windows Authentication](/docs/directorymanager/11.1/requirements/sqlcertificate.md) topic for additional information. + +::: diff --git a/docs/directorymanager/11.1/requirements/hardware.md b/docs/directorymanager/11.1/requirements/hardware.md index 76fb170df7..2391dff626 100644 --- a/docs/directorymanager/11.1/requirements/hardware.md +++ b/docs/directorymanager/11.1/requirements/hardware.md @@ -13,10 +13,13 @@ Minimum hardware requirements for Directory Manager are: 6 GB of RAM in case of self-managed Elasticsearch - RECOMMENDED: We recommend a dedicated server for Directory Manager. If you install any other + :::info + We recommend a dedicated server for Directory Manager. If you install any other application on the Directory Manager server, then adjust RAM requirements accordingly. For example, if you install SQL Server, you may need to add 2-4 GB RAM depending on the edition of the SQL Server. + ::: + Different editions of SQL Server have varying resource requirements. For example: diff --git a/docs/directorymanager/11.1/requirements/permissions/adserviceaccount.md b/docs/directorymanager/11.1/requirements/permissions/adserviceaccount.md index 29803b3442..808a04b319 100644 --- a/docs/directorymanager/11.1/requirements/permissions/adserviceaccount.md +++ b/docs/directorymanager/11.1/requirements/permissions/adserviceaccount.md @@ -15,8 +15,11 @@ You can use an existing account, provided it has the required permissions, or yo one. Instructions for both options are discussed in the following sections, although it is recommended that you create a new service account rather than using an existing account. -NOTE: You must add the service account to the membership of the Local Administrator group of the +:::note +You must add the service account to the membership of the Local Administrator group of the member server on which Directory Manager is installed. +::: + ## Use an Existing Account as a Service Account diff --git a/docs/directorymanager/11.1/requirements/permissions/gmsarequirements.md b/docs/directorymanager/11.1/requirements/permissions/gmsarequirements.md index 27b8462f2a..df3bbab643 100644 --- a/docs/directorymanager/11.1/requirements/permissions/gmsarequirements.md +++ b/docs/directorymanager/11.1/requirements/permissions/gmsarequirements.md @@ -55,7 +55,10 @@ used effectively, verify the following: 'PrincipalsAllowedToRetrieveManagedPassword' parameter of the Set-ADServiceAccount cmdlet to add the missing principals (Directory Manager server and/or app pool account). -NOTE: Restart the Directory Manager server if you apply any of the above. +:::note +Restart the Directory Manager server if you apply any of the above. +::: + **See Also** From 3d6227529790b0e17441fcaa6d8cf071e96fdb61 Mon Sep 17 00:00:00 2001 From: Sreeparna Singhal Date: Thu, 17 Jul 2025 12:22:03 +0100 Subject: [PATCH 3/3] Conflict markers removed --- .../applications/remoteiisprerequisites.md | 15 ++------------- .../admincenter/authpolicy/setupauth/email.md | 5 ----- .../authpolicy/setupauth/windowshello.md | 5 ----- .../11.1/admincenter/general/history.md | 5 ----- .../11.1/admincenter/general/licensing.md | 5 ----- .../admincenter/securityrole/policy/helpdesk.md | 13 ------------- .../11.1/install/configure/setupauthentication.md | 10 ---------- .../11.1/portal/group/create/EntraID/group.md | 15 ++------------- .../11.1/portal/group/dynasty/AD/createdynasty.md | 5 ----- .../portal/group/properties/dynastyoptions.md | 10 ---------- .../11.1/portal/group/properties/owner.md | 4 ---- docs/directorymanager/11.1/portal/login.md | 5 ----- .../properties/AD/useroverview/organization.md | 9 --------- .../portal/user/properties/EntraID/identity.md | 5 ----- 14 files changed, 4 insertions(+), 107 deletions(-) diff --git a/docs/directorymanager/11.1/admincenter/applications/remoteiisprerequisites.md b/docs/directorymanager/11.1/admincenter/applications/remoteiisprerequisites.md index 5d72d11e23..6356c2bfa0 100644 --- a/docs/directorymanager/11.1/admincenter/applications/remoteiisprerequisites.md +++ b/docs/directorymanager/11.1/admincenter/applications/remoteiisprerequisites.md @@ -118,21 +118,10 @@ The next step is to assign permissions on the physical folder that binds to your ``` :::tip -<<<<<<< HEAD - :::tip - :::tip - Remember, to provide values for alias "site name" and path "physical folder location of the - site", created in the section Create a Site in Remote IIS. - ::: - ::: - ::: - - -======= - Remember, to provide values for alias "site name" and path "physical folder location of the + Remember, to provide values for alias "site name" and path "physical folder location of the site", created in the section Create a Site in Remote IIS. ::: ->>>>>>> origin/dev + ## Generate an Access Key diff --git a/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/email.md b/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/email.md index 0677228f95..7178bac3b9 100644 --- a/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/email.md +++ b/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/email.md @@ -18,11 +18,6 @@ these languages. Before configuring Email authentication, make sure that an SMTP server is configured for the identity store. See the [Configure an SMTP Server](/docs/directorymanager/11.1/admincenter/identitystore/configure/smtpserver.md) topic. ::: -<<<<<<< HEAD - -======= ->>>>>>> origin/dev - ## Enable Email Authentication for an Identity Store diff --git a/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/windowshello.md b/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/windowshello.md index 3237991197..68c3d5fcb6 100644 --- a/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/windowshello.md +++ b/docs/directorymanager/11.1/admincenter/authpolicy/setupauth/windowshello.md @@ -12,11 +12,6 @@ hardware installed, such as fingerprint reader and 3D camera. :::note Windows Hello supports the Microsoft Edge browser only. ::: -<<<<<<< HEAD - -======= ->>>>>>> origin/dev - ## Enable Windows Hello on Windows 10 diff --git a/docs/directorymanager/11.1/admincenter/general/history.md b/docs/directorymanager/11.1/admincenter/general/history.md index 74e975339c..5a40e411dd 100644 --- a/docs/directorymanager/11.1/admincenter/general/history.md +++ b/docs/directorymanager/11.1/admincenter/general/history.md @@ -61,11 +61,6 @@ Manager portal. Both actions are logged in Admin Center history. However, histor of IdentityStoreA will apply to the SMS gateway account creation action and that of IdentityStoreB will apply to the Directory Manager portal creation action. ::: -<<<<<<< HEAD - -======= ->>>>>>> origin/dev - **Event Logging** diff --git a/docs/directorymanager/11.1/admincenter/general/licensing.md b/docs/directorymanager/11.1/admincenter/general/licensing.md index dbe92abd64..b847a3b998 100644 --- a/docs/directorymanager/11.1/admincenter/general/licensing.md +++ b/docs/directorymanager/11.1/admincenter/general/licensing.md @@ -69,11 +69,6 @@ Licenses for certain add-ons are dependent on other licenses, such as the Group license is dependent on the Group Usage Service license, which in turn is dependent on the Group Management license. ::: -<<<<<<< HEAD - -======= ->>>>>>> origin/dev - **What happens when your license expires** diff --git a/docs/directorymanager/11.1/admincenter/securityrole/policy/helpdesk.md b/docs/directorymanager/11.1/admincenter/securityrole/policy/helpdesk.md index a8dc9975d9..bfc75a4fe3 100644 --- a/docs/directorymanager/11.1/admincenter/securityrole/policy/helpdesk.md +++ b/docs/directorymanager/11.1/admincenter/securityrole/policy/helpdesk.md @@ -241,22 +241,9 @@ As part of the Helpdesk policy, you can: - Force end-users to change the password the next time they sign to their workstations. :::tip -<<<<<<< HEAD -:::tip -:::tip -Remember, These settings are available if the _Reset Any Password_ permission is granted to the -Helpdesk role in the identity store. -::: -::: -::: - - -======= Remember, These settings are available if the _Reset Any Password_ permission is granted to the Helpdesk role in the identity store. ::: ->>>>>>> origin/dev - ### Specify a Password Reset Method diff --git a/docs/directorymanager/11.1/install/configure/setupauthentication.md b/docs/directorymanager/11.1/install/configure/setupauthentication.md index 43966a96d3..f8040faa8b 100644 --- a/docs/directorymanager/11.1/install/configure/setupauthentication.md +++ b/docs/directorymanager/11.1/install/configure/setupauthentication.md @@ -24,20 +24,10 @@ Authentication mode setup, you do not need to add the account to the _db_owner_ Server _db_creator_ is mapped to the _db_owner_ database role by default. :::note -<<<<<<< HEAD -:::note -======= ->>>>>>> origin/dev For SQL Server 2016, 2017, 2019 and 2022 families, every SQL Server account is assigned the _public_ role. Therefore, the Directory Manager SQL account belongs to two server roles: _db_creator_ and _public_. ::: -<<<<<<< HEAD -::: - -======= ->>>>>>> origin/dev - To add the Directory Manager SQL account to the db_creator role: diff --git a/docs/directorymanager/11.1/portal/group/create/EntraID/group.md b/docs/directorymanager/11.1/portal/group/create/EntraID/group.md index cf7e47362e..7c428feb3f 100644 --- a/docs/directorymanager/11.1/portal/group/create/EntraID/group.md +++ b/docs/directorymanager/11.1/portal/group/create/EntraID/group.md @@ -57,21 +57,10 @@ Follow the steps to create a Smart Group. The **Create Group** wizard opens to the **Group Type** page. :::tip -<<<<<<< HEAD - :::tip - :::tip - Remember, pages and fields on the Create Group wizard may vary, since the administrator can - customize the wizard by adding or removing tabs and fields. - ::: - ::: - ::: - - -======= - Remember, pages and fields on the Create Group wizard may vary, since the administrator can + Remember, pages and fields on the Create Group wizard may vary, since the administrator can customize the wizard by adding or removing tabs and fields. ::: ->>>>>>> origin/dev + 2. On the [Group Type page](/docs/directorymanager/11.1/portal/group/create/grouptype.md) page, select the **Smart Group** option button and diff --git a/docs/directorymanager/11.1/portal/group/dynasty/AD/createdynasty.md b/docs/directorymanager/11.1/portal/group/dynasty/AD/createdynasty.md index 1eb9afb0fd..749b73bd08 100644 --- a/docs/directorymanager/11.1/portal/group/dynasty/AD/createdynasty.md +++ b/docs/directorymanager/11.1/portal/group/dynasty/AD/createdynasty.md @@ -37,11 +37,6 @@ You cannot create mail-enabled Dynasties of the Office 365 group type in a Micro based identity store, since an Office 365 group cannot have groups as its members. Only non mail-enabled Dynasties of the security group type are supported. ::: -<<<<<<< HEAD - -======= ->>>>>>> origin/dev - **Naming conventions for Child Dynasties** diff --git a/docs/directorymanager/11.1/portal/group/properties/dynastyoptions.md b/docs/directorymanager/11.1/portal/group/properties/dynastyoptions.md index bc4bf39999..cd4a00cc8e 100644 --- a/docs/directorymanager/11.1/portal/group/properties/dynastyoptions.md +++ b/docs/directorymanager/11.1/portal/group/properties/dynastyoptions.md @@ -36,7 +36,6 @@ length must not exceed the number of characters supported by the respective mess Also, the alias must not contain characters that are invalid for the configured messaging system. The following table lists the valid characters the supported messaging systems. -<<<<<<< HEAD | Messaging System | Valid Characters | | ---------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Exchange Server 2013, Exchange Server 2016, Exchange Server 2019 | - Uppercase letters (A–Z) - Lowercase letters (a–z) - Numeric digits (0–9) - Special characters: `#`, `--- @@ -86,7 +85,6 @@ The following table lists the valid characters the supported messaging systems. | --- | --- | | Exchange Server 2013, Exchange Server 2016, Exchange Server 2019 |
  • Uppercase letters (A–Z)
  • Lowercase letters (a–z)
  • Numeric digits (0–9)
  • Special characters: `#`, `$`, `%`, `&`, `'`, `*`, `+`, `-`, `/`, `=`, `?`, `^`, `_`, `` ` ``, `\{`, `\|`, `\}`, `~` - Periods (`.`) are allowed, but each must be preceded and followed by at least one other valid character
| | All other messaging systems |
  • Uppercase letters (A–Z)
  • Lowercase letters (a–z)
  • Numeric digits (0–9)
| ->>>>>>> origin/dev **Display Name Template** @@ -211,7 +209,6 @@ length must not exceed the number of characters supported by the respective mess Also, the alias must not contain characters that are invalid for the configured messaging system. The following table lists the valid characters the supported messaging systems. -<<<<<<< HEAD | Messaging System | Valid Characters | | ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Exchange Server 2013, Exchange Server 2016, Exchange Server 2019 | - Uppercase letters (`A–Z`) - Lowercase letters (`a–z`) - Numeric digits (`0–9`) - Special characters: `#`, `--- @@ -424,13 +421,6 @@ The following table lists the valid characters the supported messaging systems. | ---------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | , `%`, `&`, `'`, `*`, `+`, `-`, `/`, `=`, `?`, `^`, `_`, `` ` ``, `\{`, `\|`, `\}`, `~` - Periods (`.`) are allowed in aliases, but each must be preceded and followed by at least one other valid character | | All other messaging systems | - Uppercase letters (`A–Z`) - Lowercase letters (`a–z`) - Numeric digits (`0–9`) | -======= -| Messaging System | Valid Characters | -| --- | --- | -| Exchange Server 2013, Exchange Server 2016, Exchange Server 2019 |
  • Uppercase letters (`A–Z`)
  • Lowercase letters (`a–z`)
  • Numeric digits (`0–9`)
  • Special characters: `#`, `$`, `%`, `&`, `'`, `*`, `+`, `-`, `/`, `=`, `?`, `^`, `_`, `` ` ``, `\{`, `\|`, `\}`, `~` - Periods (`.`) are allowed in aliases, but each must be preceded and followed by at least one other valid character
| -| All other messaging systems |
  • Uppercase letters (`A–Z`)
  • Lowercase letters (`a–z`)
  • Numeric digits (`0–9`)
| ->>>>>>> origin/dev - **Display Name Template** The template is used to generate the display names of the Dynasty's child groups. **%MANAGER%** is diff --git a/docs/directorymanager/11.1/portal/group/properties/owner.md b/docs/directorymanager/11.1/portal/group/properties/owner.md index 1a89078906..34af5e1171 100644 --- a/docs/directorymanager/11.1/portal/group/properties/owner.md +++ b/docs/directorymanager/11.1/portal/group/properties/owner.md @@ -80,10 +80,6 @@ The **Additional Owners** grid displays the following information: | Ending | Displays the ending date of the temporary addition or removal. | | Do not notify | By default, all group-related notifications (such as expiry, deletion, and renewal notifications) are sent to the primary owner and all additional owners, so they can take the necessary action indicated.
To exclude an additional owner from receiving notifications, select the **Do not notify** check box.
**NOTE:** When a Smart Group Update job runs on a group, the notification behavior is as follows: Even when the **Do not Notify** check box is selected, the additional owner will receive the notifications if the administrator has included its email address for job-specific notifications. | -<<<<<<< HEAD -======= - ->>>>>>> origin/dev :::note For each column, a filter is also available that lets you filter records based on a criterion. For example; to show objects whose display names start with D, type D in the box under the **Name** diff --git a/docs/directorymanager/11.1/portal/login.md b/docs/directorymanager/11.1/portal/login.md index 0a1fa83a43..21f7ce930b 100644 --- a/docs/directorymanager/11.1/portal/login.md +++ b/docs/directorymanager/11.1/portal/login.md @@ -61,11 +61,6 @@ Step 4 – After providing your credentials, click **Sign In**. Microsoft Entra ID MFA enabled users cannot log into Directory Manager using their username and password. They will be authenticated through the SAML provider configured in Directory Manager. ::: -<<<<<<< HEAD - -======= ->>>>>>> origin/dev - **With a SAML Provider** diff --git a/docs/directorymanager/11.1/portal/user/properties/AD/useroverview/organization.md b/docs/directorymanager/11.1/portal/user/properties/AD/useroverview/organization.md index 34810d9c40..c885eb50c3 100644 --- a/docs/directorymanager/11.1/portal/user/properties/AD/useroverview/organization.md +++ b/docs/directorymanager/11.1/portal/user/properties/AD/useroverview/organization.md @@ -38,11 +38,6 @@ This is the default flow for the ‘Workflow to Change Manager’ workflow, with manager set as the approver. If the administrator disables the workflow or changes the workflow approver, the flow changes accordingly. See the [Requests](/docs/directorymanager/11.1/portal/request/overview.md) topic. ::: -<<<<<<< HEAD - -======= ->>>>>>> origin/dev - **Manager** @@ -99,10 +94,6 @@ This section displays a list of the additional managers of the user or contact. | Beginning | Shows the beginning date of the temporary addition or removal. | | Ending | Shows the ending date of the temporary addition or removal. | -<<<<<<< HEAD -======= - ->>>>>>> origin/dev :::note For each column, a filter is also available that lets you filter records based on a criterion. For example; to show objects whose display names start with D, type D in the box under the Name diff --git a/docs/directorymanager/11.1/portal/user/properties/EntraID/identity.md b/docs/directorymanager/11.1/portal/user/properties/EntraID/identity.md index fda38a76f3..182e15f4fa 100644 --- a/docs/directorymanager/11.1/portal/user/properties/EntraID/identity.md +++ b/docs/directorymanager/11.1/portal/user/properties/EntraID/identity.md @@ -41,11 +41,6 @@ The User Type has no link to the user login function, the directory role of the on. It simply indicates the user's relationship to the host organization and allows the organization to enforce policies that depend on this property. ::: -<<<<<<< HEAD - -======= ->>>>>>> origin/dev - **Object ID**