サポートと今すぐチャット
サポートとのチャット

Active Roles 8.1.1 - Administration Guide

Introduction Getting started Rule-based administrative views Role-based administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based access rules
Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configure an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Managing Hybrid AD users
Creating a new Azure AD user with the Web Interface Viewing or updating the Azure AD user properties with the Web Interface Viewing or modifying the manager of a hybrid Azure user Disabling an Azure AD user Enabling an Azure AD user Deprovisioning of an Azure AD user Undo deprovisioning of an Azure AD user Adding an Azure AD user to a group Removing an Azure AD user from a group View the change history and user activity for an Azure AD user Deleting an Azure AD user with the Web Interface Creating a new hybrid Azure user with the Active Roles Web Interface Converting an on-premises user with an Exchange mailbox to a hybrid Azure user Licensing a hybrid Azure user for an Exchange Online mailbox Viewing or modifying the Exchange Online properties of a hybrid Azure user Creating a new Azure AD user with Management Shell Updating the Azure AD user properties with the Management Shell Viewing the Azure AD user properties with the Management Shell Delete an Azure AD user with the Management Shell Assigning Microsoft 365 licenses to new hybrid users Assigning Microsoft 365 licenses to existing hybrid users Modifying or removing Microsoft 365 licenses assigned to hybrid users Updating Microsoft 365 licenses display names
Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Microsoft 365 roles management for hybrid environment users Managing Microsoft 365 contacts Managing Hybrid AD groups Managing Microsoft 365 Groups Managing cloud-only distribution groups Managing cloud-only dynamic distribution groups Managing Azure security groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Modern Authentication Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Active Roles configuration to synchronize existing Azure AD objects to Active Roles

In any hybrid environment, on-premises Active Directory objects are synchronized to Azure AD using Azure AD Connect. When Active Roles is deployed in such a hybrid environment, to continue using the functionality, you must synchronize back the existing users and groups' information, such as Azure objectID from Azure AD to on-premises AD. To synchronize existing AD users and groups from Azure AD to Active Roles use back synchronization.

When creating objects such as users, groups, or contacts in Federated or synchronized Identity environment, they are first created on-premise and then they are synchronized to Azure using AAD Connect. To allow further management, the BackSync is performed to obtain the ObjectID of these objects and update the edsvaAzureObjectID in Active Roles.

Back synchronization can be performed automatically or manually using the Active Roles Synchronization Service Console:

  • Automatic Back Synchronization is performed using the Azure BackSync Configuration feature in Active Roles Synchronization Service that allows you to configure the BackSync operation in Azure with on-premises Active Directory objects through the Active Roles Synchronization Service Console. After the BackSync operation is completed successfully, the Azure application registration and the required connections, mappings, and sync workflow steps are created automatically.

    For more information on the results of the BackSync operation see the Active Roles Synchronization Service Administration Guide.

  • Manual Back Synchronization is performed by using the existing functionality of Synchronization Service component of Active Roles. Sync workflows are configured to identify the Azure AD unique users or groups and map them to the on-premises AD users or groups. After the back synchronization operation is completed, Active Roles displays the configured Azure attributes for the synchronized objects.

    For information on configuring sync workflows for Azure AD, see Active Roles Synchronization Service Administration Guide.

Configuring Sync Workflow to back synchronize Azure AD objects to Active Roles automatically using the Active Roles Synchronization Service Console

Prerequisites
  • You must install and configure Azure AD Connect for the hybrid environment.
  • The user account that is used for performing back synchronization configuration must have the following privileges:

    • User Administrator

    • Exchange Administrator

    • Application Administrator

  • For the back synchronization to work as expected, install the Windows Azure Active Directory (Azure AD) module version 2.0.0.131 or later.

  • You must enable the Directory Writers Role in Azure Active Directory. To enable the role, run the following script:

    $psCred=Get-Credential

    Connect-AzureAD -Credential $psCred

    $roleTemplate = Get-AzureADDirectoryRoleTemplate | ? { $_.DisplayName -eq "Directory Writers" }

    # Enable an instance of the DirectoryRole template

    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId

  • For the back synchronization to work as expected, the user in ARS must have write permissions for edsvaAzureOffice365Enabled, edsaAzureContactObjectId and edsvaAzureObjectID. The user must also have a local administrator privilege where the ARS synchronization service is running.

To configure Azure BackSync in Active Roles Synchronization Service

  1. In the upper right corner of the Synchronization Service Administration Console, select Settings > Configure Azure BackSync.

    The Configure BackSync operation in Azure with on-premises Active Directory objects dialog is displayed.

  2. In the dialog that opens:

    1. Enter the Azure domain valid Account ID credentials, and click Test Office 365 Connection.

    2. Specify whether you want to use a proxy server for the connection. You can select one of the following options:

      • Use WinHTTP settings: Prompts the connector to use the proxy server settings configured for Windows HTTP Services (WinHTTP).

      • Automatically detect: Automatically detects and uses proxy server settings.

      • Do not use proxy settings: Specifies to not use proxy server for the connection.

      On successful validation, the success message that the Office 365 Connection settings are valid is displayed.

    3. Enter the valid Active Roles account details and click Test Active Roles Connection.

      On successful validation the success message that the Active Roles connection settings are valid is displayed.

  3. Click Configure BackSync.

    The Azure App registration is done automatically. The required connections, mappings, and workflow steps are created automatically.

    On successful configuration the success message is displayed.

    If the Azure BackSync settings are already configured in the system, a warning message is displayed to confirm whether you want to override the existing back synchronization settings with the new settings.

    • To override the existing back synchronization settings with the new settings, click Override BackSync Settings.

    • To retain the existing back synchronization settings, click Cancel.

Configuring Sync Workflow to back synchronize Azure AD objects to Active Roles manually

Prerequisites
  • You must install and configure Azure AD Connect for the hybrid environment.
  • You must install and configure the Synchronization Service Component for Active Roles.

  • You must complete the Azure AD configuration and the Administrator Consent for Azure AD application through the web interface.

  • You must enforce the Azure AD built-in policy for the container where Active Roles performs the back synchronization.

  • For the back synchronization to work as expected, the user in Active Roles must have write permissions for edsvaAzureOffice365Enabled, edsaAzureContactObjectId, edsvaAzureObjectID, and edsvaAzureAssociatedTenantId. The user must also have a local administrator privileges where the Active Roles Synchronization Service is running.

To configure sync workflow to back synchronize users and groups

  1. Create a connection to Azure AD in the hybrid environment

    Create a connection to Azure AD using the Azure AD Connector. The configuration requires the Azure domain name, the Client ID of an application in Azure AD, and the Client Key to establish the connection with Azure AD. To configure an application:

    1. Create an Azure Web Application (or use any relevant existing Azure Web Application) under the tenant of your Windows Azure Active Directory environment.

      The application must have Application Permissions set to read and write directory data in Windows Azure Active Directory.

      NOTE: Alternatively, to assign the required permissions to the application by running a Windows PowerShell script, see the Creating a Windows Azure Active Directory connection section in the Synchronization Service Administration Console.

    2. Open the application properties and copy the following:

      • Client ID

      • Valid key of the application

    3. You need to supply the copied client ID and key when creating a new or modifying an existing connection to Windows Azure Active Directory in the Synchronization Service Administration Console.

      NOTE: The Web Application that is created or is already available for Synchronization Service Azure AD Connector, is different from the application that is created while configuring Azure AD using Active Roles Web Interface. Both the applications must be available for performing back synchronization operations.

  2. Create a connection to Active Roles in the hybrid environment

    Create a connection to Active Roles using the Active Roles Connector. The configuration requires the local domain details and Active Roles version used. To select the container that the objects for synchronization must be selected from, define the scope.

  3. Create a Sync Workflow

    Create a Sync Workflow using the Microsoft 365 and Active Roles connections. Add a Synchronization step to update Microsoft 365 Contacts to Active Roles Contacts. To synchronize the following, configure the Forward Sync Rule:

    • Set the Azure ExternalDirectoryObjectId property of a contact to the Active Roles contact edsaAzureContactObjectId property.

    • Set the edsvaAzureOffice365Enabled attribute in Active Roles contact to True.

    • Set edsvaAzureAssociatedTenantId with Azure Tenant ID.

  4. Create a Mapping rule

    Create a Mapping rule which identifies the user/group in Azure AD and on-premises AD uniquely and map the specified properties from Azure AD to Active Roles appropriately.

    For example, the property userprincipalname can be used to map users between on-premises AD and Azure AD in a federated environment.

    NOTE: Consider the following when creating a Mapping rule:

    • Based on the environment, make sure to create the correct Mapping rule to identify the contacts uniquely. An incorrect mapping rule might create duplicate objects and the back-sync operation might not work as expected.
    • The initial configuration and running of the back synchronization operation for Azure AD users ID is a one-time activity.

    • In Federated or Synchronized environments, Azure AD group creation is not supported. The group is created in Active Roles and it is synchronized eventually to Azure using Microsoft Native tools, such as AAD Connect. To manage the Azure AD group through Active Roles, you must perform periodic back-synchronization to on-premise AD.
    • You must configure the Sync engine to synchronize the data back to AD based on the frequency of groups creation.

Configuring Sync Workflow to back synchronize AD contacts

To configure sync workflow to back synchronize contacts

  1. Create Connection to Microsoft 365 in the hybrid environment

    Create a connection to Microsoft 365 using the Microsoft 365 Connector. The configuration requires Microsoft Online Services ID, Password, Proxy server (if required) and Exchange Online services.

    NOTE: The back-synchronization of contacts uses Microsoft 365 Connector to establish connection to Microsoft 365. The back synchronization of users and groups uses the Azure AD Connector to establish connection to Azure AD.

  2. Create a connection to Active Roles in the hybrid environment

    Create a connection to Active Roles using the Active Roles Connector. The configuration requires the local domain details and Active Roles version used. To select the container that the objects for synchronization must be selected from, define the scope.

  3. Create a Sync Workflow

    Create a Sync Workflow using the Microsoft 365 and Active Roles connections. Add a Synchronization step to update Microsoft 365 Contacts to Active Roles Contacts. To synchronize the following, configure the Forward Sync Rule:

    • Set the Azure ExternalDirectoryObjectId property of a contact to the Active Roles contact edsaAzureContactObjectId property.

    • Set the edsvaAzureOffice365Enabled attribute in Active Roles contact to True.

    • Set edsvaAzureAssociatedTenantId with Azure Tenant ID.

  4. Create a Mapping rule

    Create a Mapping rule, which identifies the contact in Microsoft 365 and on-premises AD uniquely and map the specified properties from Microsoft 365 to Active Roles appropriately.

    NOTE: Consider the following when creating a Mapping rule:

    • Based on the environment, make sure to create the correct Mapping rule to identify the contacts uniquely. An incorrect mapping rule might create duplicate objects and the back-sync operation might not work as expected.
    • In Federated or Synchronized environments, Azure AD group creation is not supported. The group is created in Active Roles and it is synchronized eventually to Azure using Microsoft Native tools, such as AAD Connect. To manage the Azure AD group through Active Roles, you must perform periodic back-synchronization to on-premise AD.
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択