Chatta subito con l'assistenza
Chat con il supporto

Identity Manager 9.3 - Administration Guide for Connecting to Microsoft Entra ID

Managing Microsoft Entra ID environments Synchronizing a Microsoft Entra ID environment
Setting up initial synchronization with a Microsoft Entra ID tenant Adjusting the synchronization configuration for Microsoft Entra ID environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Microsoft Entra ID user accounts and identities Managing memberships in Microsoft Entra ID groups Managing Microsoft Entra ID administrator roles assignments Managing Microsoft Entra ID subscription and Microsoft Entra ID service plan assignments
Displaying enabled and disabled Microsoft Entra ID service plans forMicrosoft Entra ID user accounts and Microsoft Entra ID groups Assigning Microsoft Entra ID subscriptions to Microsoft Entra ID user accounts Assigning disabled Microsoft Entra ID service plans to Microsoft Entra ID user accounts Inheriting Microsoft Entra ID subscriptions based on categories Inheritance of disabled Microsoft Entra ID service plans based on categories
Login credentials for Microsoft Entra ID user accounts Microsoft Entra ID role management
Microsoft Entra ID role management tenants Enabling new Microsoft Entra ID role management features Microsoft Entra ID role main data Main data of Microsoft Entra ID role settings Displaying Microsoft Entra ID role settings main data Assigning temporary access passes to Microsoft Entra ID user accounts Displaying Microsoft Entra ID scoped role assignments Displaying scoped role eligibilities for Microsoft Entra ID roles Overview of Microsoft Entra ID scoped role assignments Main data of Microsoft Entra ID scoped role assignments Managing Microsoft Entra ID scoped role assignments Adding Microsoft Entra ID scoped role assignments Editing Microsoft Entra ID scoped role assignments Deleting Microsoft Entra ID scoped role assignments Assigning Microsoft Entra ID scoped role assignments Assigning Microsoft Entra ID scoped role assignments to Microsoft Entra ID user accounts Assigning Microsoft Entra ID scoped role assignments to Microsoft Entra ID groups Assigning Microsoft Entra ID scoped role assignments to Microsoft Entra ID service principals Assigning Microsoft Entra ID system roles to scopes through role assignments Assigning Microsoft Entra ID business roles to scopes though role assignments Assigning Microsoft Entra ID organizations to scopes through role assignments Overview of Microsoft Entra ID scoped role eligibilities Main data of Microsoft Entra ID scoped role eligibilities Managing Microsoft Entra ID scoped role eligibilities Adding Microsoft Entra ID scoped role eligibilities Editing Microsoft Entra ID scoped role eligibilities Deleting Microsoft Entra ID scoped role eligibilities Assigning Microsoft Entra ID scoped role eligibilities Assigning Microsoft Entra ID scoped role eligibilities to Microsoft Entra ID user accounts Assigning Microsoft Entra ID scoped role eligibilities to Microsoft Entra ID groups Assigning Microsoft Entra ID scoped role eligibilities to Microsoft Entra ID service principals Assigning Microsoft Entra ID system roles to scopes through role eligibilities Assigning Microsoft Entra ID business roles to scopes though role eligibilities Assigning Microsoft Entra ID organizations to scopes through role eligibilities
Mapping Microsoft Entra ID objects in One Identity Manager
Microsoft Entra ID core directories Microsoft Entra ID user accounts Microsoft Entra ID user identities Microsoft Entra ID groups Microsoft Entra ID administrator roles Microsoft Entra ID administrative units Microsoft Entra ID subscriptions and Microsoft Entra ID service principals Disabled Microsoft Entra ID service plans Microsoft Entra ID app registrations and Microsoft Entra ID service principals Reports about Microsoft Entra ID objects Managing Microsoft Entra ID security attributes
Handling of Microsoft Entra ID objects in the Web Portal Recommendations for federations Basic data for managing a Microsoft Entra ID environment Troubleshooting Configuration parameters for managing a Microsoft Entra ID environment Default project template for Microsoft Entra ID Editing Microsoft Entra ID system objects Microsoft Entra ID connector settings

Microsoft Entra ID role management

Role management describes extended role management functionality of role-based access control in Microsoft 365. This allows the user to manage roles and their members, as well as limiting role assignments to partial scopes in Microsoft Entra ID.

Microsoft Entra ID roles are read into One Identity Manager by synchronization. You can edit individual main data of the Microsoft Entra ID roles.

Related topics

Microsoft Entra ID role management tenants

Microsoft Entra ID role management offers you a range of role management features. The scope of these features depends on the level of the Microsoft Entra ID license selected by the user, which is provided by the corresponding tenants.

Microsoft Entra ID "Free"

This license includes basic role management functionality. Integrated roles can be used without restrictions. These roles have predefined role definitions. With this license, it is possible to add individual users to integrated roles and remove them. You can create groups.

IMPORTANT: Not included in the basic functionality are maintenance of directory roles in One Identity Manager and use of custom roles. This feature requires the Microsoft Entra ID P1 license or P2 license.

IMPORTANT: Directory roles must be maintained via the Microsoft Azure management portal.

IMPORTANT: This license enables role assignment to individual users. Assigning roles to groups is only possible with the Microsoft Entra ID P1 license and P2 licenses.

Microsoft Entra ID Premium P1 - Role Based Access Control (RBAC)

Role-based access control is provided by the Microsoft Entra ID Premium P1 license. In addition to the basic features, it includes access to role definitions and role assignments. Roles can be assigned to an entire group. This allows consistent role eligibilities within a group.

There are two different types of partial scopes to which role-based access control can be applied.

  • Directory object limitation: Role assignments can be limited to specific objects, such as a registered application or a user, within the Microsoft Entra ID directory. Restricting elements of a defined administrative unit is also possible.

  • Restricting custom elements of a service: Customized roles cannot be created in One Identity Manager, only through synchronization.

IMPORTANT: This license does not include the functionality of Microsoft Entra ID Privileged Identity Management.

Microsoft Entra ID Premium P2 - Privileged Identity Management (PIM)

In addition to the existing limitations of role-based access control, this license provides additional functionality to restrict and control role assignments. Privileged Identity Management distinguishes between active role assignments and assignment eligibilities.

Role assignment: A principal is assigned a role.

Role eligibility: A principal has no active role assignment, but can enable a temporary role assignment if required.

Configuration of role policies, such as time limits, is possible for both assignment types. Furthermore, it is possible to create attestations for roles.

NOTE: It is not possible to create role assignments for which multi-factor authentication is mandatory.

NOTE: Due to the constraints of Microsoft GraphAPI, the role management feature in One Identity Manager in PIM mode only supports the global directory scope for active role assignments.

Detailed information about this topic
Related topics

Enabling new Microsoft Entra ID role management features

The introduction of the Microsoft 365 role management makes extended features available for managing roles and their members and for limiting role assignments in Microsoft Entra ID parts of One Identity Manager.

New and existing synchronization projects automatically obtain the basic mode (equivalent to the Entra ID Free license from Microsoft 365) with the introduction of Microsoft Entra ID role management. The basic mode includes all the current features of One Identity Manager. The new role management features can be accessed by activating RBAC mode (Entra ID P1 license) and PIM mode (Entra ID P2 license). This activation is necessary for existing synchronization projects, and also when creating a new synchronization project.

NOTE: All existing Microsoft Entra ID features remain available in basic mode. It is only necessary to activate RBAC mode or PIM mode if you want to use extended role management features.

To enable extended role management features for RBAC

  1. In the Synchronization Editor, select the synchronization project.
  2. Select Workflows.
  3. Select the Initial Synchronization workflow and click the Enable/disable synchronization step button.
  4. Disable the DirectoryRole synchronization step.
  5. Enable the following synchronization steps.
    1. RBAC DirectoryRole
    2. RBAC DirectoryRole Assignments
  6. Save the changes.
  7. Select the Provisioning workflow and click the Enable/disable synchronization step button.
  8. Disable the DirectoryRole synchronization step.
  9. Enable the RBAC DirectoryRole Assignments synchronization step.
  10. Save the changes.
  11. In the Object Browser, select the AADOrganization table.
  12. Set the RoleBehavior value to RBAC.
  13. Save the changes.

To enable extended role management features for PIM

  1. In the Synchronization Editor, select the synchronization project.
  2. Select Workflows.
  3. Select the Initial Synchronization workflow and click the Enable/disable synchronization step button.
  4. Disable the DirectoryRole synchronization step.
  5. Enable the following synchronization steps.
    1. RBAC DirectoryRole
    2. PIM DirectoryRole Assignments
    3. PIM DirectoryRole Eligibility
    4. PIM DirectoryRole Policies
  6. Save the changes.
  7. Select the Provisioning workflow and click the Enable/disable synchronization step button.
  8. Disable the DirectoryRole synchronization step.
  9. Enable the following synchronization steps.
    1. PIM DirectoryRole Assignments
    2. PIM DirectoryRole Eligibility
  10. Save the changes.
  11. In the Object Browser, select the AADOrganization table.
  12. Set the RoleBehavior value to PIM.
  13. Save the changes.
Detailed information about this topic

Related topics

Microsoft Entra ID role main data

You are provided with the following general main data of a role.

Table 23: General main data

Property

Description

Display name

Name for displaying the role in the user interface of One Identity Manager tools.

Tenant

The role's Microsoft Entra ID tenant.

Owner (application role)

Application whose members can configure role assignment and role eligibilities.

Provider

Interface responsible for managing the role.

Version

Specifies the version of the role definition.

Description

Text field for additional explanation.

Built-in

Specifies whether the role definition is part of the Microsoft Entra ID basic settings or a customized definition.

Enabled

Specifies whether the role is available for assignment.

Related topics
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione