Chat now with support
Chat with Support

Active Roles 8.1.4 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Configuring a Managed Unit for specific Azure users

To set up a highly-granular Azure user access logic, first you must configure a Managed Unit (MU) that will contain the Azure users that the affected helpdesk users can read.

In this example, the membership of the MU is configured via group membership, specifying that only Azure users that are members of a specific group (in this example, Engineering) are included in the MU. For more information on the available membership rule options for MUs, see Creating a Managed Unit.

To configure a Managed Unit for specific Azure users

  1. In the Active Roles Console, on the Console tree, navigate to Configuration > Managed Units.

  2. To create a new container for the configured MU, right-click on the Managed Units node, then click New > Managed Unit Container.

    Figure 99: Active Roles Console – Launching the Managed Unit Container dialog

  3. In the Managed Unit Container dialog, specify a Name, and optionally, a Description for the new MU container.

    • Name: Allowed-Azure-Resources

    • Description: Managed Units for the granular access of Azure resources.

  4. To create the new container, click Next then Finish.

  5. To start configuring the new MU, right-click the newly-created Allowed-Azure-Resources container, then click New > Managed Unit.

  6. In the Managed Unit Container dialog, specify a Name, and optionally, a Description for the new MU container.

    • Name: Allowed-Azure-Users

    • Description: Managed Unit for the granular access of Azure users.

    To continue, click Next.

  7. To specify a new membership rule for the MU, in the Membership rule step, click Add.

  8. In the Membership Rule Type dialog, select the rule type used to populate the MU. This example uses the Include Group Members rule type. Select it, then click Next.

    Figure 100: New Managed Unit – Selecting the Include Group Members rule type

  9. In the Select Objects dialog, select the M365 group whose members you want to add to the MU.

    Figure 101: New Managed Unit – Adding the members of an M365 Group to an MU

    To do so:

    1. In the Select Objects dialog, click Browse.

    2. In the Browse for Container dialog, expand the Azure > <azure-tenant-name> node (in this example, the Azure tenant is named ARSExampleOrg.onmicrosoft.com).

    3. Select the Microsoft 365 Groups node, and click OK. The M365 groups existing in the Azure tenant will appear in the Select Objects dialog.

    4. In the Select Objects dialog, select the M365 group you want to add to the MU (in this example, the Engineering group).

    5. To apply the selection, click Add and OK.

  10. To finish creating the MU, click Next, then Next again in the Object Security / Policy Object step, and finally Finish.

  11. To verify that the MU is populated correctly, select the newly-created MU in the Console Tree. The members of the Engineering M365 group must appear in the Active Roles Console.

Configuring Access Templates to read specific Azure users

Once you set up the Managed Unit (MU) as described in Configuring a Managed Unit for specific Azure users, you must create two Access Templates (ATs) so that the affected helpdesk users:

  • Can read the Azure users of the configured MU.

  • Cannot read any other Azure users in your organization.

To create these ATs, perform the following steps. For more information on creating ATs in general, see Creating an Access Template.

To provide read access to the Azure user object class

  1. In the Active Roles Console, in the Active Directory (AD) tree, navigate to Configuration > Access Templates.

  2. Create a new container where you will store the AT. In this example, the container is created in the Azure sub-container of the Access Templates node. Right-click Access Templates > Azure, then click New > Access Template Container.

    Figure 102: Active Roles Console – Launching the Access Templates Container dialog

  3. In the Access Templates Container dialog, specify a Name, and optionally, a Description for the new AT container.

    • Name: Allowed-Azure-Resources

    • Description: Access Templates for the granular access of Azure resources.

  4. To create the new container, click Next then Finish.

  5. To start configuring the new AT, right-click the Allowed-Azure-Resources container, then click New > Access Template.

  6. In the New Object - Access Template dialog, specify a Name, and optionally, a Description for the new AT.

    • Name: ReadAzureUserObject

    • Description: AT to read cloud-only Azure user objects.

    To continue with specifying the required permissions, click Next.

  7. In the Access Template permission entries step, click Add. Then, in the Select object classes to apply permissions onto dialog, select Only the following classes, and the EDS-Azure-User-Container class from the list.

    TIP: If you cannot find the class in the list, select Show all possible classes.

    Figure 103: New Access Template – Selecting the Azure Users container class to allow reading Azure users

    To continue, click Next.

  8. In the Select permission category step, select Object access, then select the List Object access permission from the list.

    Figure 104: New Access Template – Specifying the permission to read allowed objects in the Azure Users container

    To finish configuring the permission, click Finish. Then, in the Access Template permission entries step, click Add again.

  9. In the Select object classes to apply permissions onto dialog, select Only the following classes, then the EDS-Azure-User-Container class from the list again. To continue, click Next.

  10. In the Select permission category step, select Object property access, then select the Read properties access permission from the list.

    Figure 105: New Access Template – Specifying the permission to read the properties of the Azure Users container

    To continue, click Next.

  11. In the Select object properties step, leave the All properties option selected, then click Finish. The two permissions configured in the previous steps then appear in the Access Template permission entries step.

    Figure 106: New Access Template – Listing the permissions to properly read the Azure Users container

  12. To finish configuring the permissions of the AT, click Next, then Finish.

  13. In the Create in step, select Display the object properties when this wizard closes, and click Finish.

  14. To assign the AT to the helpdesk users and the Azure user container of the Azure tenant, in the Properties page that appears, click Administration > Links.

  15. In the Links dialog, click Add, then specify the Azure Users container as the directory object managed by this AT.

    Figure 107: New Access Template – Specifying the Azure Users container as the directory object in scope

    To do so:

    1. In the Select Objects dialog, click Browse.

    2. In the Browse for Container dialog, expand the Azure > <azure-tenant-name> node (in this example, the Azure tenant is named ARSExampleOrg.onmicrosoft.com).

    3. Select the Azure Users node, and click OK. The Azure Users container and the users contained in it will appear in the Select Objects dialog.

    4. In the Select Objects dialog, select the Azure Users container.

    5. To apply the selection, click Add and OK.

    The Azure Users container then appears in the Objects step. To continue configuring the AT, click Next.

  16. In the Users or Groups step, click Add, then select the users to which you want to delegate the permission. In this example, the AT is delegated to the Helpdesk group of an example Organizational Unit (OU). To add the group, click Add, then click OK.

    Figure 108: Delegation of Control Wizard – Selecting the Helpdesk group as Trustee

    To continue, in the Users or Groups step, click Next.

  17. In the Inheritance Options step, make sure that the This directory object and Child objects of this directory object settings are selected. To continue, click Next.

  18. In the Permissions Propagation step, leave the Propagate permissions to Active Directory setting in its default state. To continue, click Next.

  19. To apply your changes, click Apply and OK.

To restrict read access to the Azure users of a specific Managed Unit

  1. In the Active Roles Console, in the Active Directory (AD) tree, navigate to Configuration > Access Templates.

  2. Right-click the Azure Cloud User - Read All Attributes built-in AT, and select Copy.

  3. In the Copy Object - Access Template wizard, specify a Name and optionally, a Description for the new AT. This example uses the following values:

    • Name: AllowAzureUsers

    • Description: AT to grant read access to the specified Azure users.

    To continue, click Next.

  4. In the Create in step, select Display the object properties when this wizard closes, and click Finish.

  5. To assign the AT to the helpdesk users and the Azure user container of the Azure tenant, in the Properties page that appears, click Administration > Links.

  6. In the Links dialog, click Add, then specify the Allowed Azure Users MU as the directory object managed by this AT.

    Figure 109: New Access Template – Specifying the Allowed Azure Users MU as the directory object in scope

    To do so:

    1. In the Select Objects dialog, click Browse.

    2. In the Browse for Container dialog, select the Managed Units > Allowed-Azure-Resources node, and click OK.

    3. In the Select Objects dialog, select the Allowed-Azure-Users MU.

    4. To apply the selection, click Add and OK.

    The Allowed-Azure-Users MU then appears in the Objects step. To continue configuring the AT, click Next.

  7. In the Users or Groups step, click Add, then select the users to which you want to delegate the permission. In this example, the AT is delegated to the Helpdesk group of an example Organizational Unit (OU). To add the group, click Add, then click OK.

    Figure 110: Delegation of Control Wizard – Selecting the Helpdesk group as Trustee

    To continue, in the Users or Groups step, click Next.

  8. In the Inheritance Options step, make sure that the This directory object and Child objects of this directory object settings are selected. To continue, click Next.

  9. In the Permissions Propagation step, leave the Propagate permissions to Active Directory setting in its default state. To continue, click Next.

  10. To complete the configuration of the AT, click Finish. Then, in the Links dialog, click OK.

  11. To apply your changes, click Apply and OK. Active Roles will create the copied AT in the Configuration > Access Templates > Azure container.

  12. Move the AT to the Configuration > Access Templates > Azure > Allowed-Azure-Resources container. To do so, right-click the AT and click Move. Then, in the Move dialog, navigate to the Allowed-Azure-Resources container, select it, and click OK.

Enabling or disabling the granular access to specific Azure users

Once you configured the Managed Unit (MU) of the Azure users, and set up the Access Templates (ATs) to allow access to those Azure users only, the Helpdesk group to which the ATs are assigned can only read the Azure users included in the MU. When opening the list of Azure Users on the Active Roles Web Interface, all other Azure users included in the Azure tenant will be hidden from the Helpdesk group members.

This behavior is dynamic: adding new Azure users into the MU in the Active Roles Console will result in those Azure users appearing in the Active Roles Web Interface for the affected helpdesk users once the changes of the Console are synchronized to the Web Interface. Likewise, removing an Azure user from the MU will result in that Azure user disappearing for the affected helpdesk users in the Web Interface.

You can easily enable or disable the configured granular access later for all affected helpdesk users by enabling or disabling the AllowAzureUsers and ReadAzureUserObject ATs.

To enable or disable the configured granular access to specific Azure users

  1. In the Active Roles Console, on the Console Tree, navigate to Configuration > Access Templates > Allowed-Azure-Resources.

  2. Select the AllowAzureUsers AT.

  3. In the Advanced Details Pane, right-click the configured link, and click Disable.

    Figure 111: Active Roles Console – Disabling the configured Access Template

    TIP: If the Advanced Details Pane does not appear for you, click View > Advanced Details Pane.

  4. Select the ReadAzureUserObject AT, and disable it as you did with the AllowAzureUsers AT.

    Once both ATs are disabled, the users of the Helpdesk group can no longer read the users included in the configured Allowed-Azure-Resources MU, and can no longer see the Azure Users container in the Active Roles Web Interface either.

  5. (Optional) To re-enable the granular access, select one of the ATs, right-click the configured link, and click Enable. Then, enable the other AT similarly.

  6. (Optional) To provide general read access to the entire Azure Users container of the Azure tenant instead of the configured granular access, assign the built-in Azure Cloud User - Read All Attributes AT (or a custom AT based on this built-in AT) to the Helpdesk group. For more information, see Applying Access Templates on a user or group.

Workflows

Active Roles provides a rich workflow system for directory data management automation and integration, allowing you to create, view, update or delete automation and approval workflows.

For more information on workflows in general, see Workflows in the Active Roles Feature Guide.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating