サポートと今すぐチャット
サポートとのチャット

Identity Manager 9.2.1 - Administration Guide for Connecting to Azure Active Directory

Managing Azure Active Directory environments Synchronizing an Azure Active Directory environment
Setting up initial synchronization with an Azure Active Directory tenant Adjusting the synchronization configuration for Azure Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Azure Active Directory user accounts and identities Managing memberships in Azure Active Directory groups Managing Azure Active Directory administrator roles assignments Managing Azure Active Directory subscription and Azure Active Directory service plan assignments
Displaying enabled and disabled Azure Active Directory service plans forAzure Active Directory user accounts and Azure Active Directory groups Assigning Azure Active Directory subscriptions to Azure Active Directory user accounts Assigning disabled Azure Active Directory service plans to Azure Active Directory user accounts Inheriting Azure Active Directory subscriptions based on categories Inheritance of disabled Azure Active Directory service plans based on categories
Login credentials for Azure Active Directory user accounts Azure Active Directory role management
Azure Active Directory role management tenants Enabling new Azure Active Directory role management features Azure Active Directory role main data Displaying Azure Active Directory scoped role assignments Displaying scoped role eligibilities for Azure Active Directory roles Overview of Azure Active Directory scoped role assignments Main data of Azure Active Directory scoped role assignments Managing Azure Active Directory scoped role assignments Adding Azure Active Directory scoped role assignments Editing Azure Active Directory scoped role assignments Deleting Azure Active Directory scoped role assignments Assigning Azure Active Directory scoped role assignments Assigning Azure Active Directory system roles to scopes through role assignments Assigning Azure Active Directory business roles to scopes though role assignments Assigning Azure Active Directory organizations to scopes through role assignments Overview of Azure Active Directory scoped role eligibilities Main data of Azure Active Directory scoped role assignments Managing Azure Active Directory scoped role eligibilities Adding Azure Active Directory scoped role eligibilities Editing Azure Active Directory scoped role eligibilities Deleting Azure Active Directory scoped role eligibilities Assigning Azure Active Directory scoped role eligibilities Assigning Azure Active Directory system roles to scopes through role eligibilities Assigning Azure Active Directory business roles to scopes though role eligibilities Assigning Azure Active Directory organizations to scopes through role eligibilities
Mapping Azure Active Directory objects in One Identity Manager
Azure Active Directory core directories Azure Active Directory user accounts Azure Active Directory user identities Azure Active Directory groups Azure Active Directory administrator roles Azure Active Directory administrative units Azure Active Directory subscriptions and Azure Active Directory service principals Disabled Azure Active Directory service plans Azure Active Directory app registrations and Azure Active Directory service principals Reports about Azure Active Directory objects
Handling of Azure Active Directory objects in the Web Portal Recommendations for federations Basic configuration data for managing an Azure Active Directory environment Troubleshooting Configuration parameters for managing an Azure Active Directory environment Default project template for Azure Active Directory Editing Azure Active Directory system objects Azure Active Directory connector settings

Reports about Azure Active Directory objects

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for Azure Active Directory.

NOTE: Other sections may be available depending on the which modules are installed.

Table 46: Data quality target system report

Report

Published for

Description

Show overview

User account

This report shows an overview of the user account and the assigned permissions.

Show overview including origin

User account

This report shows an overview of the user account and origin of the assigned permissions.

Show overview including history

User account

This report shows an overview of the user accounts including its history.

Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report.

License overview

User account

The report contains a summary of assigned and effective subscriptions and service plans for a user account.

License overview

Subscription

The report shows an overview of a subscription license. It shows to which groups and user accounts the subscription is assigned and which service plans effectively apply to the groups and the user accounts.

Overview of all assignments

group

Subscription

Administrator role

This report finds all roles containing identities who have the selected system entitlement.

Show overview

group

This report shows an overview of the system entitlement and its assignments.

Show overview including origin

group

This report shows an overview of the system entitlement and origin of the assigned user accounts.

Show overview including history

group

This report shows an overview of the system entitlement and including its history.

Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report.

Show entitlement drifts

Tenant

This report shows all system entitlements that are the result of manual operations in the target system rather than provisioned by One Identity Manager.

Show user accounts overview (incl. history)

Tenant

This report returns all the user accounts with their permissions including a history.

Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report.

Show user accounts with an above average number of system entitlements

Tenant

This report contains all user accounts with an above average number of system entitlements.

Show identities with multiple user accounts

Tenant

This report shows all the identities that have multiple user accounts. The report contains a risk assessment.

Show system entitlements overview (incl. history)

Tenant

This report shows the system entitlements with the assigned user accounts including a history.

Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report.

Overview of all assignments

Tenant

This report finds all roles containing identities with at least one user account in the selected target system.

Show unused user accounts

Tenant

This report contains all user accounts, which have not been used in the last few months.

Show orphaned user accounts

Tenant

This report shows all user accounts to which no identity is assigned.

Table 47: Additional reports for the target system

Report

Description

Azure Active Directory user account and group administration

This report contains a summary of user account and group distribution in all tenants. You can find this report in the My One Identity Manager category.

Data quality summary for Azure Active Directory user accounts

This report contains different evaluations of user account data quality in all tenants. You can find this report in the My One Identity Manager category.

Handling of Azure Active Directory objects in the Web Portal

One Identity Manager enables its users to perform various tasks simply using a Web Portal.

  • Managing user accounts and identities

    An account definition can be requested by shop customers in the Web Portal if it is assigned to an IT Shop shelf. The request undergoes a defined approval process. The user account is not created until it has been agreed by an authorized identity, such as a manager.

  • Managing assignments of groups, administrator roles, subscriptions, and disabled service plans

    In the Web Portal, by assigning groups, administrator roles, subscriptions, and disabled service plans to an IT Shop shelf, you can request these products from shop customers. The request undergoes a defined approval process. The group, administrator role, subscription, or disabled service plan is not assigned until it has been approved by an authorized identity.

    In the IT Shop, the following selves are available: Identity & Access Lifecycle > Azure Active Directory groups, Identity & Access Lifecycle > Azure Active Directory subscriptions, and Identity & Access Lifecycle > Disabled Azure Active Directory service plans.

    In the Web Portal, managers and administrators of organizations can assign groups, administrator roles, subscriptions, and disabled service plans to the departments, cost centers, or locations for which they are responsible. The groups, administrator roles, subscriptions, and disabled service plans are inherited by all identities who are members of these departments, cost centers, or locations.

    If the Business Roles Module is available, in the Web Portal, managers and administrators of business roles can assign groups, administrator roles, subscriptions, and disabled service plans to the business roles for which they are responsible. The groups, administrator roles, subscriptions, and disabled service plans are inherited by all identities who are members of these business roles.

    If the System Roles Module is available, in the Web Portal, supervisors of system roles can assign groups, administrator roles, subscriptions, and disabled service plans to the system roles. The groups, administrator roles, subscriptions, and disabled service plans are inherited by all identities that have these system roles assigned to them.

  • Attestation

    If the Attestation Module is available, the correctness of the properties of target system objects and of entitlement assignments can be verified on request. To enable this, attestation policies are configured in the Manager. The attestors use the Web Portal to approve attestation cases.

  • Governance administration

    If the Compliance Rules Module is available, you can define rules that identify the invalid entitlement assignments and evaluate their risks. The rules are checked regularly, and if changes are made to the objects in One Identity Manager. Compliance rules are defined in the Manager. Supervisors use the Web Portal to check rule violations and to grant exception approvals.

    If the Company Policies Module is available, company policies can be defined for the target system objects mapped in One Identity Manager and their risks evaluated. Company policies are defined in the Manager. Supervisors use the Web Portal to check policy violations and to grant exception approvals.

  • Risk assessment

    You can use the risk index of groups, administrator roles, and subscriptions to evaluate the risk of entitlement assignments for the company.One Identity Manager provides default calculation functions for this. The calculation functions can be modified in the Web Portal.

  • Reports and statistics

    The Web Portal provides a range of reports and statistics about the identities, user accounts, and their entitlements and risks.

For more information about the named topics, see Managing Azure Active Directory user accounts and identities, Managing memberships in Azure Active Directory groups, Managing Azure Active Directory administrator roles assignments, Managing Azure Active Directory subscription and Azure Active Directory service plan assignments and in refer to the following guides:

  • One Identity Manager Web Designer Web Portal User Guide

  • One Identity Manager Attestation Administration Guide

  • One Identity Manager Compliance Rules Administration Guide

  • One Identity Manager Company Policies Administration Guide

  • One Identity Manager Risk Assessment Administration Guide

Recommendations for federations

NOTE: The following modules must be installed to support federations in One Identity Manager:

  • Active Directory Module

  • Azure Active Directory Module

In a federation, the local Active Directory user accounts are connected to Azure Active Directory user accounts. The connection is established by using the ms-ds-consistencyGUID property in the Active Directory user account and the immutable property in the Azure Active Directory user account. Synchronization of Active Directory and Azure Active Directory user accounts is carried out in the federation by Azure AD Connect. For more information about Azure AD Connect, see the Azure Active Directory documentation from Microsoft.

One Identity Manager maps the connection using the Active Directory user account's Azure AD Connect anchor ID (ADSAccount.MSDsConsistencyGuid) and the Azure Active Directory user account's immutable identifier  (AADUser.OnPremImmutableId).

Some of the target system relevant properties of Azure Active Directory user accounts that are linked to local Active Directory user account cannot be changed in One Identity Manager. However, assignment of permissions to Azure Active Directory user accounts in One Identity Manager is possible.

Assignments to Azure Active Directory groups that are synchronized with the local Active Directory are not allowed in One Identity Manager. These groups cannot be requested through the web portal. You can only manage these groups in your locally. For more information, see the Azure Active Directory documentation from Microsoft.

The One Identity Manager supports the following scenarios for federations.

Scenario 1
  1. Active Directory user accounts are created in One Identity Manager and provisioned the local Active Directory environment.

  2. Azure AD Connect creates the Azure Active Directory user accounts in Azure Active Directory tenants.

  3. Azure Active Directory synchronization loads the Azure Active Directory user accounts in to One Identity Manager.

This is the recommended procedure. Creating Azure Active Directory user accounts through Azure AD Connect and then loading them into One Identity Manager normally takes a while. Azure Active Directory user accounts are not immediately available in One Identity Manager.

Scenario 2
  1. Active Directory user accounts and Azure Active Directory user accounts are created in One Identity Manager.

    In this case, the connection is established by using the ADSAccount.MSDsConsistencyGuid and AADUser.OnPremImmutableId columns. This can be carried using custom scripts or custom templates.

  2. Active Directory and Azure Active Directory user accounts are provisioned independently in their own target systems.

  3. Azure AD Connect detects the connection between the user accounts, establishes the connection in the federation and updates the required properties.

  4. The next Azure Active Directory synchronization updates the Azure Active Directory user accounts in One Identity Manager.

With this scenario, the Azure Active Directory user accounts are immediately available in One Identity Manager and can be issued their permissions.

NOTE:

  • If you work with account definitions, it is recommended you enter the account definition for Active Directory as a required account definition in the account definition for Azure Active Directory.

  • If you work with account definitions, it is recommended you select the Only initially value for the IT operating data overwrites property in the manage level. Then the data is only determined in the initial case.

  • Do not post-process Azure Active Directory user accounts using templates because certain target system relevant properties cannot be edited and the following errors may occur:

    [Exception]: ServiceException occurred

    Code: Request_BadRequest

    Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.

    [ServiceException]: Code: Request_BadRequest - Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.

 

Related topics

Basic configuration data for managing an Azure Active Directory environment

To manage an Azure Active Directory environment in One Identity Manager, the following basic data is relevant.

  • Target system types

    Target system types are required for configuring target system comparisons. Tables with outstanding objects are maintained with the target system types and settings are configured for provisioning memberships and single objects synchronization. Target system types also map objects in the Unified Namespace.

    For more information, see Post-processing outstanding objects.

  • Target system managers

    A default application role exists for the target system manager in One Identity Manager. Assign identities to this application role who have permission to edit all tenants in One Identity Manager.

    Define additional application roles if you want to limit the permissions for target system managers to individual tenants. The application roles must be added under the default application role.

    For more information, see Target system managers for Azure Active Directory.

  • Servers

    Servers must be informed of your server functionality in order to handle Azure Active Directory-specific processes in One Identity Manager. For example, the synchronization server.

    For more information about editing Job servers for Azure Active Directory components, see the One Identity Manager Administration Guide for Connecting to Azure Active Directory.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択