Updating Access Tokens

Each access token has an expiration date, so it must be reissued before it expires.
The following describes the procedure for replacing the access token used by Directory Sync. The procedure differs depending on whether Directory Sync runs against an on-premise Active Directory server or against the Active Directory server of IIJ Directory Service for Microsoft.

For an On-premise Active Directory Server
Step 1
Operation: Log in to IIJ ID Console as the ID Administrator user of the IIJ ID Service from which the access token was obtained when Directory Sync was deployed.
Comments: A different ID Administrator user can also be used, but note that the operator recorded on the jobs generated by Directory Sync synchronization then changes to that user.

Step 2
Operation: Issue a new access token with the following items, and record their values in Notepad or a similar tool.

  • Access token name: (Any name)
  • Resource server to use: IIJ ID Service API
  • Granted scopes: escim_read_users, escim_write_users, escim_read_groups, escim_write_groups
  • Expiration date: (Any date)

Refer to "Issuing Access Tokens" for more information on issuing an access token.
Comments: When recording the access token in Notepad or a similar tool, do not insert line feeds.

Step 3
Operation: Check the expiration date of the access token issued in step 2.

The access token must be updated again before this expiration date.

If you want to update the access token less frequently, reissue an access token with a longer expiration date. Keep in mind that a longer-lived token also remains usable for longer if it is ever leaked, so choose the expiration date accordingly.

Step 4
Operation: Stop Directory Sync's Task Scheduler task so that Directory Sync is not run while the configuration is being changed.
Comments: Skip this step if Directory Sync is not run on a schedule.

Step 5
Operation: Open Directory Sync's secret.yml configuration file and replace the access token values with those of the access token obtained in step 2.

Refer to "Configuration File Samples" for more information on the settings in secret.yml.

Step 6
Operation: Execute recovery_mode_dry_run.bat for Directory Sync to confirm that a connection to the IIJ ID Service can be made with the new access token.

Refer to "Types of Executable Files" for more information on the executable files.

The default setup location of the executable files for Directory Sync is as follows.

  • C:\Program Files\IIJ ID Service Directory Sync\bin

Refer to "File Structure" for more information on the file structure.

Step 7
Operation: Restart Directory Sync's Task Scheduler task.
Comments: Skip this step if Directory Sync is not run on a schedule.

Step 8
Operation: Access IIJ ID Console as the user from step 1 and revoke the previous access token.

Refer to "Revoking Access Tokens" for more information on how to revoke an access token.

If there is no need to revoke the previous access token, skip this step.
Comments: Be careful not to revoke the access token you have newly issued.
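The following PowerShell script is an added example for the on-premise procedure above; it is not part of IIJ ID Service Directory Sync or its documentation. It automates steps 4 to 7 so that the scheduled task is re-enabled only after recovery_mode_dry_run.bat has succeeded with the new token, and it restores the previous secret.yml if the dry run fails. The scheduled task name, the location of secret.yml under the install directory, the key name under which the token is stored, and the assumption that the token sits on a single "key: value" line (quoted or unquoted) are all assumptions that must be adjusted to the actual deployment (see "File Structure" and "Configuration File Samples").

```powershell
# Added example, not part of the IIJ ID Service Directory Sync product.
# Automates steps 4 to 7 of the on-premise token rotation procedure.
# ASSUMPTIONS (adjust to your deployment): the scheduled task name, the
# relative path of secret.yml, the key name holding the token, and that the
# token is stored as a single "key: value" line (quoted or unquoted).
param(
    [Parameter(Mandatory = $true)][string]$NewToken,
    [string]$TaskName   = 'IIJ ID Service Directory Sync',                  # assumed task name
    [string]$InstallDir = 'C:\Program Files\IIJ ID Service Directory Sync',
    [string]$SecretFile = 'conf\secret.yml',                                # assumed location
    [string]$TokenKey   = 'access_token'                                    # assumed key name
)

$ErrorActionPreference = 'Stop'
$secretPath = Join-Path $InstallDir $SecretFile
$dryRun     = Join-Path $InstallDir 'bin\recovery_mode_dry_run.bat'

# Step 2 caveat: the recorded token must be one line with no stray whitespace.
$NewToken = $NewToken.Trim()
if ($NewToken -match '\s') { throw 'The access token contains whitespace or a line feed.' }

# Step 4: wait for any run already in progress, then stop scheduled executions.
while ((Get-ScheduledTask -TaskName $TaskName).State -eq 'Running') { Start-Sleep -Seconds 10 }
Disable-ScheduledTask -TaskName $TaskName | Out-Null

# Step 5: rewrite the token value in secret.yml, keeping a backup for rollback.
# The pattern keeps the key, its indentation and any surrounding quotes intact.
$backup  = "$secretPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $secretPath -Destination $backup
$pattern = '^(\s*' + [regex]::Escape($TokenKey) + '\s*:\s*)(["'']?)(.*?)\2\s*$'
$found   = $false
$updated = foreach ($line in Get-Content -Path $secretPath) {
    if ($line -match $pattern) {
        $found = $true
        $Matches[1] + $Matches[2] + $NewToken + $Matches[2]
    } else {
        $line
    }
}
if (-not $found) { throw "Key '$TokenKey' was not found in $secretPath" }
# WriteAllLines writes UTF-8 without a byte-order mark, which YAML parsers expect.
[System.IO.File]::WriteAllLines($secretPath, [string[]]$updated)

# Step 6: prove the new token works before anything runs on a schedule.
& $dryRun
if ($LASTEXITCODE -ne 0) {
    # Roll back to the previous token (still valid, since it has not been revoked yet).
    Copy-Item -Path $backup -Destination $secretPath -Force
    Enable-ScheduledTask -TaskName $TaskName | Out-Null
    throw "recovery_mode_dry_run.bat failed with exit code $LASTEXITCODE; secret.yml restored from $backup"
}

# Step 7: resume scheduled executions. The backup still holds the old token,
# so remove it rather than leaving a second copy of a secret on disk.
Enable-ScheduledTask -TaskName $TaskName | Out-Null
Remove-Item -Path $backup
Write-Host 'Access token rotated and verified. Revoke the previous token in IIJ ID Console (step 8).'
```

Run it from an elevated PowerShell session on the Directory Sync server, for example `.\Rotate-DirectorySyncToken.ps1 -NewToken '<token recorded in step 2>'`, and only then carry out step 8 in IIJ ID Console. The script deliberately does not revoke the old token itself: revocation is done in the console after the dry run has confirmed the new token, which keeps the rollback path in step 6 usable.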

For an Active Directory Server for IIJ Directory Service for Microsoft
Step 1
Operation: Log in to IIJ ID Console as the ID Administrator user of the IIJ ID Service from which the access token was obtained when Directory Sync was deployed.
Comments: A different ID Administrator user can also be used, but note that the operator recorded on the jobs generated by Directory Sync synchronization then changes to that user.

Step 2
Operation: Issue a new access token with the following items, and record their values in Notepad or a similar tool.

  • Access token name: (Any name)
  • Resource server to use: IIJ ID Service API
  • Granted scopes: escim_read_users, escim_write_users, escim_read_groups, escim_write_groups
  • Expiration date: (Any date)

Refer to "Issuing Access Tokens" for more information on issuing an access token.
Comments: When recording the access token in Notepad or a similar tool, do not insert line feeds.

Step 3
Operation: Check the expiration date of the access token issued in step 2.

The access token must be updated again before this expiration date.

If you want to update the access token less frequently, reissue an access token with a longer expiration date. Keep in mind that a longer-lived token also remains usable for longer if it is ever leaked, so choose the expiration date accordingly.

Step 4
Operation: Stop Directory Sync's Task Scheduler task so that Directory Sync is not executed while the configuration is being changed.

Refer to "Disabling Synchronization from Directory Sync in IIJ Directory Service for Microsoft" for more information on stopping synchronization by Directory Sync.

Step 5
Operation: Open Directory Sync's secret.yml configuration file and replace the access token values with those of the access token obtained in step 2.

Refer to "Configuration File Samples" for more information on the settings in secret.yml.

Step 6
Operation: Using the manual referenced above, re-upload the existing config.yml configuration file together with the secret.yml configuration file rewritten in step 5 for Directory Sync.

Uploading the files runs the recovery mode automatically.
Comments: Skip this step if Directory Sync is not run on a schedule.

Step 7
Operation: Check the Event Viewer of IIJ Directory Service for Microsoft to confirm that Directory Sync is operating normally with the new access token.
Comments: Skip this step if Directory Sync is not run on a schedule.

Step 8
Operation: Access IIJ ID Console as the user from step 1 and revoke the previous access token.

Refer to "Revoking Access Tokens" for more information on how to revoke an access token.

If there is no need to revoke the previous access token, skip this step.
Comments: Be careful not to revoke the access token you have newly issued.