Configuring Active Roles to manage Hybrid AD using Management Shell
Active Roles Management Shell enables you to perform the following configuration tasks to manage Hybrid AD:
Active Roles Management Shell enables you to perform the following configuration tasks to manage Hybrid AD:
Use the Active Roles Management Shell to add an Azure AD tenant. To do so, run the New-QADAzureConfigObject cmdlet on the Management Shell interface.
New-QADAzureConfigObject lets you add an Azure AD tenant to Active Directory.
Use New-QADAzureConfigObject to add an Azure AD tenant using the tenant ID provided by Microsoft for the default tenant (created at the time of the Microsoft Azure subscription).
New-QADAzureConfigObject -type 'AzureTenant' -name 'Azuretenantname' -AzureTenantId 'AzureTenantGUID' -AzureTenantDescription 'AzureTenantDescription' -AzureAdminUserID 'AzureGlobalAdminUserID' -AzureAdminPassword 'AzureGlobalIDPassword' -AzureADTenantType 'AzureTenantType'
The New-QADAzureConfigObject cmdlet has the following parameters.
type (string): Specifies the object class of the directory object to be created (such as User or Group). The cmdlet creates a directory object of the object class specified with this parameter.
Required |
true |
Position |
named |
Accepts pipeline input |
false |
Accepts wildcard characters |
false |
name (string): Sets the name attribute to the value of this parameter on the new object created by New-QADAzureConfigObject in the directory.
Required |
true |
Position |
named |
Accepts pipeline input |
false |
Accepts wildcard characters |
false |
AzureTenantId (string): Specifies the Azure AD tenant ID obtained from the default tenant (created after subscribing to Microsoft Azure).
NOTE: The Azure AD ID value configured for this parameter must match the tenant ID configured on the Azure AD side. Otherwise, attempts to create an Azure AD application or manage Azure AD objects will fail.
Required |
true |
Position |
named |
Accepts pipeline input |
false |
Accepts wildcard characters |
false |
AzureTenantDescription: Specifies the required description of the Azure AD tenant.
Required |
false |
Position |
named |
Accepts pipeline input |
false |
Accepts wildcard characters |
false |
AzureAdminUserID: Specifies the administrative user name for Microsoft Azure AD.
NOTE: The administrative user must have the required privileges (for example, License Administrator, User Administrator or Groups Administrator roles) to perform license management or Azure user, guest user, and group management.
For more information on the available privileges and for an overview of the various Azure and Azure AD administrative roles, see Azure AD built-in roles and Classic subscription administrator roles, Azure roles, and Azure AD roles in the official Microsoft documentation.
Required |
true |
Position |
named |
Accepts pipeline input |
false |
Accepts wildcard characters |
false |
AzureAdminPassword: Specifies the administrative user password for Microsoft Azure AD.
Required |
true |
Position |
named |
Accepts pipeline input |
false |
Accepts wildcard characters |
false |
AzureADTenantType: Specifies the Azure AD tenant type (Federated, Non-Federated, or Synchronized Identity).
NOTE: Make sure that you select the tenant type corresponding to your organization environment.
Required |
true |
Position |
named |
Accepts pipeline input |
false |
Accepts wildcard characters |
false |
Accepts value |
|
See the following use cases for examples on how to use this cmdlet.
To create a new Azure AD tenant with a locally logged on user
Connect to any available domain controller with the credentials of your local user.
Create a new Azure AD tenant with the following New-QADAzureConfigObject cmdlet:
C:\PS> New-QADAzureConfigObject -type 'AzureTenant' -name 'CompanyAzuretenant' -AzureTenantId 'CompanyAzureTenantID' -AzureTenantDescription 'Azure tenant for Company' -AzureAdminUserID 'AzureAdminUser1' -AzureAdminPassword 'AzureAdminPassword1’ -AzureADTenantType 'AzureTenantType'
To create a new Azure AD tenant with a specific user and then disconnect
Connect to any available domain controller:
C:\PS> $pw = read-host "Enter password" -AsSecureString
Connect to the local Administration Service with a specific user of your choice:
C:\PS> connect-qadService -service 'localhost' -proxy -ConnectionAccount 'company\administrator' -ConnectionPassword $pw
Create the new Azure AD tenant:
C:\PS> New-QADAzureConfigObject -type 'AzureTenant' -name 'CompanyAzuretenant' -AzureTenantId 'CompanyAzureTenantID' -AzureTenantDescription 'Azure tenant for Company' -AzureAdminUserID 'AzureAdminUser1' -AzureAdminPassword 'AzureAdminPassword1’ -AzureADTenantType 'AzureTenantType'
Once the Azure AD tenant is created, disconnect your user:
C:\PS> disconnect-qadService
You can use the Active Roles Management Shell to add an Azure AD application to the Azure AD tenant.
To add an Azure AD application
On the Management Shell interface, run the New-QADConfigObject cmdlet.
Synopsis
This cmdlet enables you to add an Azure AD application to the Azure AD tenant.
Syntax
New-QADAzureConfigObject -type 'AzureApplication' -name 'AzureApplication' -DisplayName 'ApplicationDisplayName' -AzureTenantId 'AzureTenantGUID' -AzureAppPermissions 'ApplicationPermission'
Use this cmdlet to add an Azure AD application.
Parameters
Use this parameter to specify the object class of the directory object to be created. This is the name of a schema class object, such as User or Group. The cmdlet creates a directory object of the object class specified by the value of this parameter.
Required |
true |
Position |
named |
Accepts pipeline input |
false |
Accepts wildcard characters |
false |
Use this parameter to set the 'name' attribute to this parameter value on the new object created by this cmdlet in the directory.
Required |
true |
Position |
named |
Accepts pipeline input |
false |
Accepts wildcard characters |
false |
Use this parameter to enter the Azure AD tenant ID obtained from the default tenant created after subscribing for Microsoft Azure.
Required |
true |
Position |
named |
Accepts pipeline input |
false |
Accepts wildcard characters |
false |
Use this parameter to specify the 'displayName' attribute to this parameter value.
Required |
false |
Position |
named |
Accepts pipeline input |
false |
Accepts wildcard characters |
false |
Use this parameter to specify the permission scope for applications for Azure AD.
Required |
true |
Position |
named |
Accepts pipeline input |
false |
Accepts wildcard characters |
false |
Use this parameter to specify the description of the Azure AD application.
Required |
false |
Position |
named |
Accepts pipeline input |
false |
Accepts wildcard characters |
false |
Connect to any available domain controller with the credentials of the locally logged on user, and create a new Azure AD application:
C:\PS> New-QADAzureConfigObject -type 'AzureApplication' -name 'AzureApplication' -DisplayName 'ApplicationDisplayName' -AzureTenantId 'AzureTenantGUID' -AzureAppPermissions 'ApplicationPermission'
Example
Connect to the local Administration Service with the credentials of a specific user, create a new Azure AD tenant and then disconnect:
C:\PS> $pw = read-host "Enter password" -AsSecureString
C:\PS> connect-qadService -service 'localhost' -proxy -ConnectionAccount 'company\administrator' -ConnectionPassword $pw
C:\PS> New-QADAzureConfigObject -type 'AzureApplication' -name 'AzureApplication' -DisplayName 'ApplicationDisplayName' -AzureTenantId 'AzureTenantGUID' -AzureAppPermissions 'ApplicationPermission'
C:\PS> disconnect-qadService
To configure Active Roles to manage Hybrid AD objects, perform the following tasks:
NOTE:
After an upgrade the edsvaAzureOffice365Enabled is not available for viewing or editing from Organizational Unit | Advanced Properties or through the management shell command-let, however the organizational unit container continues to be an Azure enabled container as the azure policy is already applied.
For more information on Azure custom policies, see Changes to Azure O365 Policies in Active Roles after 7.4.1.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. 利用規約 プライバシー Cookie Preference Center