Azure Active Directory user accounts can be grouped into Azure Active Directory groups that can be used to regulate access to resources.
In One Identity Manager, you can assign Azure Active Directory groups directly to user accounts or they can be inherited through departments, cost centers, locations, or business roles. Users can also request the groups through the Web Portal. To do this, groups are provided in the IT Shop.
NOTE: Assignments to Azure Active Directory groups that are synchronized with the local Active Directory are not allowed in One Identity Manager. These groups cannot be requested through the web portal. You can only manage these groups in your locally. For more information, see the Azure Active Directory documentation from Microsoft.
