Chatta subito con l'assistenza
Chat con il supporto

Active Roles 8.2 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Configuring rule-based autoprovisioning and deprovisioning
Configuring Provisioning Policy Objects
User Logon Name Generation E-mail Alias Generation Exchange Mailbox AutoProvisioning Group Membership AutoProvisioning Home Folder AutoProvisioning Property Generation and Validation Script Execution O365 and Azure Tenant Selection AutoProvisioning in SaaS products
Configuring Deprovisioning Policy Objects
User Account Deprovisioning Group Membership Removal User Account Relocation Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Permanent Deletion Office 365 Licenses Retention Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Script Execution Notification Distribution Report Distribution
Configuring entry types Configuring a Container Deletion Prevention policy Configuring picture management rules Managing Policy Objects Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Configuring policy extensions
Using rule-based and role-based tools for granular administration Workflows
About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Azure tenant types and environment types supported by Active Roles Using Active Roles to manage Azure AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports and URLs used by Active Roles Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Default creation options for Exchange mailboxes

In the wizard for creating user accounts, either in the Active Roles Console or Web Interface, the Create an Exchange mailbox option is selected by default. As a result, when a user account is created, the user mailbox is also created. You can change this default behavior by applying an appropriate Exchange Mailbox AutoProvisioning policy.

You can configure the Exchange Mailbox AutoProvisioning policy so that the Create an Exchange mailbox option is not selected by default. Instead, the administrator who is configuring the wizard to create a user account can select that option manually, if necessary. It is also possible to configure a policy that forces the selection of the Create an Exchange mailbox option.

To configure default creation options for Exchange mailboxes

  1. Create a Policy Object containing an Exchange Mailbox AutoProvisioning policy.

  2. Open the Properties dialog for the Policy Object that you created.

  3. On the Policies tab in the Properties dialog, double-click the Exchange Mailbox AutoProvisioning policy entry.

  4. On the Mailbox Creation tab in the Exchange Mailbox AutoProvisioning Policy Properties dialog, configure the policy options based on your requirements:

    • Create the user mailbox by default: Determines whether the Create an Exchange mailbox option is selected by default in the wizard for creating user accounts. If you want user mailboxes not to be created by default, clear this policy option.

    • Enforce creation of the mailbox: Causes the Create anExchange mailbox option to be selected and unavailable so that the administrator who creates a user account cannot clear that option.

  5. Click OK to close the dialogs.

  6. Apply the Policy Object to the scope (domains, containers, or Managed Units) where you want this policy to be in effect.

Group Membership AutoProvisioning

Group Membership AutoProvisioning policies help you to automate adding or removing the specified objects (such as user objects) to or from the specified groups.

In case of cloud-only Azure objects, you can use the Group Membership Autoprovisioning policy to automatically assign (or unassign) Azure users and Azure guest users to (or from) the specified O365 group(s) in the same Azure tenant.

NOTE: Policy Object settings that are specific to Azure cloud-only objects (such as cloud-only Azure users, guest users, or contacts) are available only if your Active Roles deployment is licensed for managing cloud-only Azure objects. Contact One Identity support for more information.

Also, Policy Objects that are specific to Azure cloud-only objects will work correctly only if an Azure tenant is already configured in the AD of the organization, and Active Roles is already set as a consented Azure application for that Azure tenant. For more information on these settings, see Configuring a new Azure tenant and consenting Active Roles as an Azure applicationConfiguring a new Azure tenant and consenting Active Roles as an Azure application in the Active Roles Administration Guide.

For a detailed description of this policy, see Concept: Group Membership AutoProvisioning in the Active Roles Feature Guide.

Configuring a Group Membership AutoProvisioning policy

To configure a Group Membership AutoProvisioning policy via the Active Roles Console (also known as the MMC interface), perform the following procedure.

To configure a Group Membership AutoProvisioning policy

  1. In the Console tree, navigate to Configuration > Policies > Administration.

  2. To open the New Provisioning Policy Object Wizard dialog, right-click Administration, then select New > Provisioning Policy.

  3. On the Name and Description page, provide a unique Name for the new Policy Object. Optionally, also provide a Description. To continue, click Next.

  4. On the Policy to Configure page, select Group Membership AutoProvisioning, and then click Next.

  5. On the Object Type Selection page, to specify the type of object you want the policy to add or remove from groups, click Select, then click OK.

    TIP: If you do not see the Object type that you need, to expand the Object type list, select Show all possible object types.

  6. On the Policy Conditions page, set up conditions that specify how the policy adds or removes the selected object types to or from groups. To create a new condition with the Set Up Condition dialog, click Add.

  7. To select the object property on which you want to set up the condition, click Property to open the Object property page.

  8. Select the property you want the condition to check, then click OK.

    TIP: If you do not see the Object type that you need, to expand the Object type list, select Show all possible object types.

  9. In Operation, click the operation type you want to assign to the condition.

  10. To specify additional configuration for the condition, enter a variable into the Value field, then click OK to close the Add Value dialog.

    Alternatively, click Configure, then click Add, and configure an entry manually in the Add Entry dialog. For more information on manual configuration, see Configuring entry types. To close the Add Value dialog, click OK.

  11. (Optional) To modify or remove an existing condition, click View/Edit or Remove on the Policy Conditions page, respectively.

  12. Click Next on the Policy Conditions page to continue onto the Policy Action page.

  13. On the Policy Action page, specify whether you want the policy to add or remove objects if the configured conditions are met.

    • Select Add object to groups if object satisfies policy conditions if you want Active Roles to add the object to the specified group(s) if the configured conditions are met.

    • Select Remove object from groups if object satisfies policy conditions if you want Active Roles to remove the object from the specified group(s) if the configured conditions are met.

    Click Next to continue.

  14. On the Group Selection page, specify the group(s) you want the policy to add the objects to (or remove from, depending on your choice on the Policy Action page). Click Add to open the Select Objects dialog, and then use either the Look in: drop-down or click Browse to specify the group(s). Once you are ready, click Next to continue.

    NOTE: Consider the following limitations when configuring a Group Membership Autoprovisioning policy for cloud-only Azure objects:

    • When provisioning cloud-only Azure users or Azure guest users, you must specify an O365 Group (or O365 Groups) in this step. To do so, click Browse to open the Browse for Container dialog, and then navigate to the following node for the list of O365 Groups in the organization:

      Azure > <azure-tenant-name> > Office 365 Groups

    • The Group Membership AutoProvisioning policy can only add or remove cloud-only Azure users and guest users to or from O365 Groups that are located in the same Azure tenant as the Azure users and guest users. Selecting O365 Groups located in another Azure tenant causes the configured Policy Object to not work properly.

  15. Click Next, then follow the instructions in the wizard to create (and optionally, immediately apply) the Policy Object.

  16. To apply the Policy Object:

    • Use the Enforce Policy page in the New Policy Object Wizard.

    • Alternatively, complete the New Policy Object Wizard, then use the Enforce Policy command on the domain, OU, or Managed Unit where you want to apply the policy.

    For more information on how to apply a Policy Object, see Linking Policy Objects to directory objects.

    TIP: When provisioning cloud-only Azure users or guest users, you can either select the respective object category (such as the Azure user or Azure guest user node) in this step, or the Azure tenant that contains the Azure objects.

Example: Adding users to a specified group

This example describes how to automatically add user accounts to the specified groups depending on the Department property of user accounts. If the Department property of a user account is set to Sales, the policy adds the account to the Sales group.

To implement this example scenario

  1. Create and configure a Policy Object that defines the appropriate policy.

  2. Apply the Policy Object to a domain, OU, or Managed Unit.

As a result, when a user account in the container you selected has the Department property set to Sales, Active Roles automatically adds that account in the Sales group.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione