Chatta subito con l'assistenza
Chat con il supporto

Active Roles 8.2 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Configuring rule-based autoprovisioning and deprovisioning
Configuring Provisioning Policy Objects
User Logon Name Generation E-mail Alias Generation Exchange Mailbox AutoProvisioning Group Membership AutoProvisioning Home Folder AutoProvisioning Property Generation and Validation Script Execution O365 and Azure Tenant Selection AutoProvisioning in SaaS products
Configuring Deprovisioning Policy Objects
User Account Deprovisioning Group Membership Removal User Account Relocation Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Permanent Deletion Office 365 Licenses Retention Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Script Execution Notification Distribution Report Distribution
Configuring entry types Configuring a Container Deletion Prevention policy Configuring picture management rules Managing Policy Objects Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Configuring policy extensions
Using rule-based and role-based tools for granular administration Workflows
About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Azure tenant types and environment types supported by Active Roles Using Active Roles to manage Azure AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports and URLs used by Active Roles Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Deleting a user with a linked mailbox

You can delete users with linked mailboxes by using the Delete action of the Active Roles Web Interface. When doing so, Active Roles deletes the master account, then disables the linked mailbox of the corresponding shadow account.

CAUTION: Hazard of data loss!

After you delete a user, it cannot be recovered. Therefore, One Identity recommends either deprovisioning or disabling user accounts before permanently deleting them. For more information on deprovisioning users with linked mailboxes, see Deprovisioning a user with a linked mailbox.

To delete a user with a linked mailbox

  1. In the Active Roles Web Interface, under Directory Management > Tree > Active Directory, navigate to the OU for which ERFM is configured.

    Figure 146: Active Roles Web Interface – Navigating to the OU supporting linked mailboxes

  2. Select the master user account you want to delete.

  3. In the list of actions available for the selected master account, click Delete.

  4. To confirm deletion, in the pop-up dialog, click OK. To deprovision a user instead of permanently deleting them, click Deprovision.

Active Roles then deletes the master account in the account forest, then disables the linked mailbox of the associated shadow account in the resource forest.

Configuring remote mailboxes for on-premises users

Active Roles supports remote mailboxes, that is, managing cloud-only Exchange Online mailboxes assigned to on-premises users. Configuring cloud mailboxes for on-premises users allows your organization to store user mailboxes and mailbox data in the Exchange Online cloud, even if the user accounts in your organization are not hybrid or cloud-only user accounts.

By configuring remote mailboxes for your on-premises users, you can:

  • Improve mailbox availability and accessibility.

  • Improve data security by storing mailbox content in the Exchange Online cloud.

  • Improve mailbox security via the integration of your on-premises Active Directory environment with Exchange Online.

  • Use the flexibility and scalability of Exchange Online cloud mailboxes.

  • Use the feature set of Microsoft 365 (such as real-time collaboration, document sharing, simultaneous editing, and so on).

  • Use the administration automation features of Exchange Online.

To assign a remote mailbox for an on-premises user, you must set the user to a mail-enabled state, then assign a cloud email address to them in the Active Roles Console.

NOTE: Alternatively, Active Roles supports configuring remote mailboxes for existing on-premises users by converting them to hybrid users. After the conversion, you can configure and manage the remote mailbox settings of the new hybrid users either via the Active Roles Console or in the Active Roles Web Interface.

  • For more information on converting an on-premises user to a hybrid user, see Sample Azure Hybrid Migration and Converting an on-premises user with an Exchange mailbox to a hybrid Azure user in the Active Roles Web Interface User Guide.

  • For more information on managing the remote mailbox of a hybrid user, see Viewing or modifying the Exchange Online properties of a hybrid Azure user in the Active Roles Web Interface User Guide.

Assigning a remote mailbox to an on-premises user

You can assign a remote Exchange Online mailbox to an on-premises Active Directory (AD) user via the Active Roles Console.

Prerequisites

To assign a remote mailbox to an on-premises user, make sure that the following conditions are met.

  • Your organization must have an on-premises Exchange server deployed in the same forest or domain where you want to configure remote mailboxes for on-premises users. The Exchange server will indicate later for Active Roles that the affected users have remote mailboxes.

  • The on-premises user must already exist, and it cannot have a mailbox.

  • The Exchange Online mailbox that you will assign to the on-premises user must already exist. To create a new cloud mailbox, use any of the following:

    CAUTION: After the cloud mailbox is created, it will enter into a 30-day grace period. To prevent deleting the remote mailbox after this period, you must assign an Exchange Online (Plan 2) license to it.

    To assign an Exchange Online license to the cloud mailbox, in the Microsoft 365 Admin Center, select the user, then navigate to Manage product licenses.

  • Note down the value of the Microsoft Online Services ID (that is, the MicrosoftOnlineServicesID attribute) of the remote mailbox. You will need to specify the value of this attribute to connect the on-premises user with the remote mailbox. You can check the value of the attribute either in the Microsoft 365 Admin Center, or via the Get-User PowerShell command.

    TIP: If the remote mailbox has multiple aliases configured, the MicrosoftOnlineServicesID attribute always takes the value of the primary email address and user name.

To assign a remote mailbox to an on-premises user

  1. Open the Advanced Properties of the on-premises user for which you want to assign the remote mailbox. In the Active Roles Console, in the Active Directory (AD) tree, navigate to the Organizational Unit (OU) where the user is located, double-click the user, then in the Properties window, click Object > Advanced Properties.

    Figure 147: Active Roles Console – Opening the Advanced Properties of a user

  2. Search for the edsvaMsExchEnableRemoteMailRoutingAddress property.

    TIP: To find the property faster, enter its name (or part of its name) in the Look for property field. If you cannot find the property, select Show all possible attributes and Include attributes with empty values, too.

    After you found the property, open its settings by double-clicking it.

  3. In the Edit Attribute dialog, in Value, enter the value of the MicrosoftOnlineServicesID attribute (that is, the primary email address of the remote mailbox).

  4. To apply your changes, click OK in each open window.

NOTE: Assigning a remote mailbox to an on-premises user may take up to 15 minutes to complete, with Active Roles attempting to establish connection up to 9 times. If the procedure fails (for example, because Active Roles cannot find the specified email address), Active Roles will log an error in the Windows Event Viewer under the Applications and Services Logs > Active Roles Admin Service category.

For more information on how to check if Active Roles could assign the remote mailbox to the user, see Verifying that a remote mailbox is assigned to an on-premises user.

TIP: If Active Roles could not assign the remote mailbox to the on-premises user within the expected time frame, perform the following troubleshooting steps:

  • Check network connectivity.

  • Check the status of the on-premises Exchange server and the Exchange Online service.

  • Verify that the specified remote mailbox email address is correct.

Verifying that a remote mailbox is assigned to an on-premises user

Once you assigned an Exchange Online mailbox to an on-premises user, you can check if Active Roles completed the remote mailbox assignment by any of the following methods.

NOTE: Assigning a remote mailbox to an on-premises user may take up to 15 minutes to complete, with Active Roles attempting to establish connection up to 9 times. If the procedure fails (for example, because Active Roles cannot find the specified email address), Active Roles will log an error in the Windows Event Viewer under the Applications and Services Logs > Active Roles Admin Service category.

NOTE: If your environment has a large number of Microsoft Exchange mailboxes (or a complex Microsoft Exchange deployment), Active Roles may retrieve the properties of users with Exchange mailboxes slower than for users without Exchange mailboxes.

To solve this problem, enable a performance fix by creating a new registry key as described in Knowledge Base Article 4336544:

  1. On the machine(s) running the Administration Service and the Web Interface, launch the Windows Registry Editor.

  2. In the Registry Editor, navigate to the following registry path:

    HKEY_LOCAL_ MACHINE\SOFTWARE\One Identity\Active Roles\Configuration

  3. Create a new DWORD (32-bit) Value named PerformanceFlag.

  4. Double-click the new PerformanceFlag DWORD, and set its Value data to 1.

  5. To apply the fix, restart the Active Roles Administration Service and IIS. If the fix is enabled successfully, the following Active Roles event log with Event ID 2508 will appear in the Event Viewer:

    Performance flag value set to 1.
  6. (Optional) To deactivate the fix later, set the Value data of the PerformanceFlag DWORD to 0.

The PerformanceFlag registry key accepts only a value of 1 (to activate the fix) or 0 (to deactivate it).

To verify with the msExchRemoteRecipientType property whether Active Roles assigned the remote mailbox

  1. Open the Advanced Properties of the on-premises user to which you assigned the remote mailbox. In the Active Roles Console, in the Active Directory (AD) tree, navigate to the Organizational Unit (OU) where the user is located, double-click the user, then in the Properties window, click Object > Advanced Properties.

    Figure 148: Active Roles Console – Opening the Advanced Properties of a user

  2. Search for the msExchRemoteRecipientType property.

    TIP: To find the property faster, enter its name (or part of its name) in the Look for property field. If you cannot find the property, select Show all possible attributes and Include attributes with empty values, too.

  3. Check the value of the msExchRemoteRecipientType property. For users with no mailboxes, the value of this property is empty. Once Active Roles finished assigning the remote Exchange Online mailbox to the user, the value of the property changes to 1.

To verify with the Exchange mailbox GUID whether Active Roles assigned the remote mailbox

  1. Open Windows PowerShell, and connect to Exchange Online with the following command:

    Connect-ExchangeOnline
  2. In the Microsoft login popup that appears, log in with the Azure AD administrator account associated with the Azure tenant that stores the remote mailbox.

  3. After logging in, in Windows PowerShell, fetch the identity information of the remote mailbox with the following command:

    Get-Mailbox -Identity '<email-address>' | Format-List ExchangeGUID

    <email-address> is the Microsoft Exchange alias of the mailbox.

  4. Note down the value of the ExchangeGUID parameter.

  5. In the Active Roles Console, open the Advanced Properties of the on-premises user to which you assigned the remote mailbox. In the Active Roles Console, in the Active Directory (AD) tree, navigate to the Organizational Unit (OU) where the user is located, double-click the user, then in the Properties window, click Object > Advanced Properties.

  6. Search for the msExchMailboxGuid property.

    TIP: To find the property faster, enter its name (or part of its name) in the Look for property field. If you cannot find the property, select Show all possible attributes and Include attributes with empty values, too.

  7. Compare the value of the msExchMailboxGuid property with the Exchange GUID returned by the Get-Mailbox PowerShell command. If the two values match, Active Roles successfully assigned the remote mailbox to the on-premises user.

To verify with the RecipientType attribute of the user whether Active Roles assigned the remote mailbox

  1. On the on-premises Microsoft Exchange server that stores the mailbox data of the user, open Windows PowerShell and run the following command:

    Get-User '<user-name>'

    <user-name> is the fully qualified user name of the on-premises user.

  2. Check the value of the RecipientType property:

    • If the value is MailUser, Active Roles assigned the remote mailbox to the user.

    • If the value is User, the on-premises user does not have any mailboxes assigned to them.

TIP: If Active Roles could not assign the remote mailbox to the on-premises user within the expected time frame, perform the following troubleshooting steps:

  • Check network connectivity.

  • Check the status of the on-premises Exchange server and the Exchange Online service.

  • Verify that the specified remote mailbox email address is correct.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione