Chatee ahora con Soporte
Chat con el soporte

Active Roles 8.1.1 - Synchronization Service Administration Guide

Synchronization Service overview Deploying Synchronization Service Getting started Connections to external data systems
External data systems supported with built-in connectors
Working with Active Directory Working with an AD LDS (ADAM) instance Working with Skype for Business Server Working with Oracle Database Working with Oracle Database user accounts Working with Exchange Server Working with Active Roles Working with One Identity Manager Working with a delimited text file Working with Microsoft SQL Server Working with Micro Focus NetIQ Directory Working with Salesforce Working with ServiceNow Working with Oracle Unified Directory Working with an LDAP directory service Working with an OpenLDAP directory service Working with IBM DB2 Working with IBM AS/400 Working with IBM RACF Working with MySQL database Working with an OLE DB-compliant relational database Working with SharePoint Working with Microsoft 365 Working with Microsoft Azure Active Directory Configuring data synchronization with the SCIM Connector Configuring data synchronization with the Generic SCIM Connector Objects and operations supported by the SCIM Connector Example of using the Generic SCIM Connector for data synchronization
Using connectors installed remotely Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection
Synchronizing identity data Mapping objects Automated password synchronization Synchronization history Scenarios of use Developing PowerShell scripts for attribute synchronization rules Using PowerShell script to transform passwords

Creating a Microsoft Azure Active Directory connection

Synchronization Service reads and writes data in Microsoft Azure Active Directory by using an Azure application in your Microsoft Azure Active Directory environment. To configure such an Azure application, perform the following steps.

To configure an Azure application for a Microsoft Azure Active Directory connection

  1. Create an application in any domain of your Microsoft Azure Active Directory environment. The application must have sufficient permissions to read and write data in Microsoft Azure Active Directory.

    You can assign the required permissions to the application by running a Windows PowerShell script. To run the script, you need to install Microsoft Azure PowerShell on your computer.

    Script example
    # Replace <ClientId> with the Client ID of the Active Roles Azure AD Connector Application (example format: 455ad643-332g-32h7-q004-8ba89ce65ae26)
    
    $Id = “<ClientId>”
    
    # Prompt for Microsoft Azure AD Global Admin credentials.
    
    # Save the supplied credentials to the $creds variable.
    
    $creds=get-credential
    
    # Connect to Azure AD using the credentials stored in $creds.
    
    Connect-AzureAD -credential $creds
    
    # Get the Principal ID of the Active Roles Azure AD Connector Application and save it to the $servicePrincipal variable
    
    $servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $Id}
    
    # Get the required role ID from the Active Roles Azure AD Connector Application and save it to the $roleId variable
    
    $roleId = (Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}).ObjectId
    
    # Assign the required permissions to the Active Roles Azure AD Connector Application
    
    Add-AzureADDirectoryRoleMember -ObjectId $roleId -RefObjectId $servicePrincipal.ObjectId
  2. Open the application properties and copy the following information:

    • Client ID

    • Valid key of the application

    Supply the copied client ID and application key when creating a new Microsoft Azure Active Directory connection or modifying an existing one in the Synchronization Service Console.

To create a new connection

  1. In the Synchronization Service Console, open the Connections tab.
  2. Click Add connection, then use the following options:
    • Connection name: Type a descriptive name for the connection.
    • Use the specified connector: Select Microsoft Azure AD Connector.

  3. Click Next.

  4. On the Specify connection settings page, use the following options:
    • Azure AD domain: Specify the name of any domain in the Microsoft Azure Active Directory environment you want to manage with Synchronization Service.

    • Client ID: Enter the client ID you copied in Open the application properties and copy the following.

    • Key: Enter the application key you copied in Open the application properties and copy the following.

    • Test Connection: Click this button to verify the specified connection settings.
  5. To finish creating the connection to Microsoft Azure Active Directory, click Finish.

Modifying a Microsoft Azure Active Directory connection

You can modify the settings of an existing Microsoft Azure AD Connector with the Synchronization Service Console.

To modify the connection settings of a Microsoft Azure AD Connector

  1. In the Synchronization Service Console, open the Connections tab.
  2. Click Connection settings below the existing Microsoft Azure AD Connector you want to modify.

  3. On the Connection Settings tab, click the Specify connection settings item to expand it and use the following options:
    • Azure AD domain: Specify the name of any domain in the Microsoft Azure Active Directory environment you want to manage with Synchronization Service.

    • Client ID: Enter the client ID you copied in Open the application properties and copy the following.

    • Key: Enter the application key you copied in Open the application properties and copy the following.

    • Test Connection: Click this button to verify the specified connection settings.

    For more information, see Creating a Microsoft Azure Active Directory connection.

  4. When you are finished, click Save.

Microsoft Azure Active Directory data supported for synchronization

The next table lists the Microsoft Azure Active Directory object types supported by the Microsoft Azure AD Connector. The table also provides information about the operations you can perform on these objects by using the Microsoft Azure AD Connector.

Table 99: Supported objects and operations

Object

Read

Create

Delete

Update

User

Yes

Yes

Yes

Yes

Group

Yes

Yes

Yes

Yes

The following sections describe the attributes provided by the Microsoft Azure AD Connector. By using these attributes, you can read and/or write data related to a particular object in Microsoft Azure Active Directory.

Microsoft Azure AD user attributes supported for data synchronization

The Microsoft Azure AD Connector of the Active Roles Synchronization Service supports the following Azure Active Directory (Azure AD) user attributes for data synchronization.

NOTE: When configuring a data synchronization mapping rule with the Microsoft Azure AD Connector, consider that the following user attributes are currently not supported and cannot be queried via the Microsoft Graph API:

  • aboutMe

  • birthday

  • contacts

  • hireDate

  • interests

  • mySite

  • officeLocation

  • pastProjects

  • preferredName

  • responsibilites

  • schools

  • skills

This means that although these user attributes are visible, they cannot be set in a mapping rule.

Table 100: Azure AD user attributes supported for data synchronization

Attribute

Description

Supported operations

accountEnabled

Gets or sets whether the user account is enabled.

NOTE: This attribute is required when creating a user.

Read, Write

assignedLicenses

Gets the licenses assigned to the user.

Read

assignedPlans

Gets the plans assigned to the user.

Read

city

Gets or sets the user city.

Read, Write

country

Gets or sets the user country.

Read, Write

department

Gets or sets the user department.

Read, Write

dirSyncEnabled

Gets or sets whether the user was synchronized from the on-premises Active Directory Domain Services (AD DS).

Read, Write

directReports

Gets the direct reports of the user.

Read

displayName

Gets or sets the user name in the address book.

NOTE: This attribute is required when creating a user.

Read, Write

facsimileTelephoneNumber

Gets or sets the user fax number.

Read, Write

givenName

Gets or sets the given name of the user.

Read, Write

jobTitle

Gets or sets the user job title.

Read, Write

lastDirSyncTime

Gets the time when the user was last synchronized with the on-premises AD DS.

Read

mail

Gets or sets the primary e-mail address of the user.

Read, Write

mailNickName

Gets or sets the mail alias of the user.

NOTE: This attribute is required when creating a user.

Read, Write

manager

Gets or sets the manager of the user.

Read, Write

memberOf

Gets the group membership of the user.

Read

mobile

Gets or sets the mobile phone number o the user.

Read, Write

objectId

Gets the unique identifier of the user.

Read

objectType

Gets the object type of the user.

Read

otherMails

Gets or sets other e-mail addresses for the user.

Read, Write

passwordPolicies

Gets or sets password policies applicable to the user.

Read, Write

passwordProfile

Gets or sets the password profile of the user.

NOTE: This attribute is required when creating a user.

Read, Write

physicalDeliveryOfficeName

Gets or sets the office location of the user.

Read, Write

postalCode

Gets or sets the postal code of the user.

Read, Write

preferredLanguage

Gets or sets the preferred language of the user.

Read, Write

provisionedPlans

Gets the provisioned plans of the user.

Read

provisioningErrors

Gets the errors encountered when provisioning the user.

Read

proxyAddresses

Gets the known address entries of the user.

Read

state

Gets or sets the state or province of the user.

Read, Write

streetAddress

Gets or sets the street address of the user.

Read, Write

surname

Gets or sets the family name of the user.

Read, Write

telephoneNumber

Gets or sets the telephone number of the user.

Read, Write

thumbnailPhoto

Gets or sets the thumbnail photo of the user.

Read, Write

usageLocation

Gets or sets the usage location, that is the geographical location where the user is located and operating from.

Read, Write

userPrincipalName

Gets or sets the user principal name of the user.

NOTE: This attribute is required when creating a user.

Read, Write

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación