サポートと今すぐチャット
サポートとのチャット

Identity Manager 9.3 - Administration Guide for Connecting to Microsoft Entra ID

Managing Microsoft Entra ID environments Synchronizing a Microsoft Entra ID environment
Setting up initial synchronization with a Microsoft Entra ID tenant Adjusting the synchronization configuration for Microsoft Entra ID environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Microsoft Entra ID user accounts and identities Managing memberships in Microsoft Entra ID groups Managing Microsoft Entra ID administrator roles assignments Managing Microsoft Entra ID subscription and Microsoft Entra ID service plan assignments
Displaying enabled and disabled Microsoft Entra ID service plans forMicrosoft Entra ID user accounts and Microsoft Entra ID groups Assigning Microsoft Entra ID subscriptions to Microsoft Entra ID user accounts Assigning disabled Microsoft Entra ID service plans to Microsoft Entra ID user accounts Inheriting Microsoft Entra ID subscriptions based on categories Inheritance of disabled Microsoft Entra ID service plans based on categories
Login credentials for Microsoft Entra ID user accounts Microsoft Entra ID role management
Microsoft Entra ID role management tenants Enabling new Microsoft Entra ID role management features Microsoft Entra ID role main data Main data of Microsoft Entra ID role settings Displaying Microsoft Entra ID role settings main data Assigning temporary access passes to Microsoft Entra ID user accounts Displaying Microsoft Entra ID scoped role assignments Displaying scoped role eligibilities for Microsoft Entra ID roles Overview of Microsoft Entra ID scoped role assignments Main data of Microsoft Entra ID scoped role assignments Managing Microsoft Entra ID scoped role assignments Adding Microsoft Entra ID scoped role assignments Editing Microsoft Entra ID scoped role assignments Deleting Microsoft Entra ID scoped role assignments Assigning Microsoft Entra ID scoped role assignments Assigning Microsoft Entra ID scoped role assignments to Microsoft Entra ID user accounts Assigning Microsoft Entra ID scoped role assignments to Microsoft Entra ID groups Assigning Microsoft Entra ID scoped role assignments to Microsoft Entra ID service principals Assigning Microsoft Entra ID system roles to scopes through role assignments Assigning Microsoft Entra ID business roles to scopes though role assignments Assigning Microsoft Entra ID organizations to scopes through role assignments Overview of Microsoft Entra ID scoped role eligibilities Main data of Microsoft Entra ID scoped role eligibilities Managing Microsoft Entra ID scoped role eligibilities Adding Microsoft Entra ID scoped role eligibilities Editing Microsoft Entra ID scoped role eligibilities Deleting Microsoft Entra ID scoped role eligibilities Assigning Microsoft Entra ID scoped role eligibilities Assigning Microsoft Entra ID scoped role eligibilities to Microsoft Entra ID user accounts Assigning Microsoft Entra ID scoped role eligibilities to Microsoft Entra ID groups Assigning Microsoft Entra ID scoped role eligibilities to Microsoft Entra ID service principals Assigning Microsoft Entra ID system roles to scopes through role eligibilities Assigning Microsoft Entra ID business roles to scopes though role eligibilities Assigning Microsoft Entra ID organizations to scopes through role eligibilities
Mapping Microsoft Entra ID objects in One Identity Manager
Microsoft Entra ID core directories Microsoft Entra ID user accounts Microsoft Entra ID user identities Microsoft Entra ID groups Microsoft Entra ID administrator roles Microsoft Entra ID administrative units Microsoft Entra ID subscriptions and Microsoft Entra ID service principals Disabled Microsoft Entra ID service plans Microsoft Entra ID app registrations and Microsoft Entra ID service principals Reports about Microsoft Entra ID objects Managing Microsoft Entra ID security attributes
Handling of Microsoft Entra ID objects in the Web Portal Recommendations for federations Basic data for managing a Microsoft Entra ID environment Troubleshooting Configuration parameters for managing a Microsoft Entra ID environment Default project template for Microsoft Entra ID Editing Microsoft Entra ID system objects Microsoft Entra ID connector settings

Assigning Microsoft Entra ID scoped role eligibilities

In Microsoft Entra ID, role eligibilities for groups can be assigned in specified partial scopes. This does not mean that a principal has an active role assignment, but can activate it at any time if necessary.

To assign a system role to scope

  1. In the Manager, select the Microsoft Entra ID > Scoped role eligibilities category.

  2. Select the role in the result list.

  3. Select the Assign system roles task.

  4. In the Add assignments pane, assign system roles.

    TIP: In the Remove assignments pane, you can remove the system role assignment.

    To remove an assignment

    • Select the system role and double-click .

  5. Save the changes.

To assign a business role to a scope

  1. In the Manager, select the Microsoft Entra ID > Scoped role eligibilities category.

  2. Select the role in the result list.

  3. Select the Assign business roles task.

  4. In the Add assignments pane, select the role class and assign business roles.

    TIP: In the Remove assignments pane, you can remove assigned business roles.

    To remove an assignment

    • Select the business role and double-click .

  5. Save the changes.

To assign an organization to a scope

  1. In the Manager, select the Microsoft Entra ID > Scoped role eligibilities category.

  2. Select the role in the result list.

  3. Select the Assign organizations task.

    In the Add assignments pane, assign the organizations:

    • On the Departments tab, assign departments.

    • On the Locations tab, assign locations.

    • On the Cost centers tab, assign cost centers.

    TIP: In the Remove assignments pane, you can remove assigned organizations.

    To remove an assignment

    • Select the organization and double-click .

  4. Save the changes.

Related topics

 

Assigning Microsoft Entra ID scoped role eligibilities to Microsoft Entra ID user accounts

To add a scoped role eligibility to a user account

  1. In the Manager, select the Microsoft Entra ID > User accounts category.

  2. Select the user account in the result list.

  3. Select the Assign role eligibilities task.

  4. Click Add and enter the following information.

    • Microsoft Entra ID role: Specify the role for authorization.

    • Application scope: Specify the organization for authorization.

      1. Click next to the field.

      2. Under Table, select the AADOrganization table.

      3. Under Application scope, select the tenant.

      4. Click OK.

      - OR -

    • Directory scope: Specify the administrative unit, application, organization, or service principal for authorization.

      1. Click next to the field.

      2. Under Table, select one of the following tables:

        • To authorize an administrative unit, select AADAdministrativeUnit.

        • To authorize an application, select AADApplication.

        • To authorize an organization, select AADOrganization.

        • To authorize a service principal, select AADServicePrincipal.

      3. Under Directory scope, select the tenant.

      4. Click OK.

    • Specify whether this assignment is a Direct assignment.

      NOTE: The assignment specifications Indirect assignment and Assignment request are determined by processes and cannot be set manually.

    • Request procedure: References the request procedure that results in the assignment.

      NOTE: The request procedure is determined by processes and cannot be set manually.

  5. Save the changes.

Assigning Microsoft Entra ID scoped role eligibilities to Microsoft Entra ID groups

This task only available for groups with the Assignable to administrator roles option enabled.

To add a scoped role eligibility to a group

  1. In the Manager, select the Microsoft Entra ID > Groups category.

  2. Select the group in the result list.

  3. Select the Assign role eligibilities task.

  4. Click Add and enter the following information.

    • Microsoft Entra ID role: Specify the role for authorization.

    • Application scope: Specify the organization for authorization.

      1. Click next to the field.

      2. Under Table, select the AADOrganization table.

      3. Under Application scope, select the tenant.

      4. Click OK.

      - OR -

    • Directory scope: Specify the administrative unit, application, organization, or service principal for authorization.

      1. Click next to the field.

      2. Under Table, select one of the following tables:

        • To authorize an administrative unit, select AADAdministrativeUnit.

        • To authorize an application, select AADApplication.

        • To authorize an organization, select AADOrganization.

        • To authorize a service principal, select AADServicePrincipal.

      3. Under Directory scope, select the tenant.

      4. Click OK.

    • Specify whether this assignment is a Direct assignment.

      NOTE: The assignment specifications Indirect assignment and Assignment request are determined by processes and cannot be set manually.

    • Request procedure: References the request procedure that results in the assignment.

      NOTE: The request procedure is determined by processes and cannot be set manually.

  5. Save the changes.

Assigning Microsoft Entra ID scoped role eligibilities to Microsoft Entra ID service principals

To add a scoped role eligibility to a service principal

  1. In the Manager, select the Microsoft Entra ID > Service principals category.

  2. In the result list, select the service principal.

  3. Select the Assign role eligibilities task.

  4. Click Add and enter the following information.

    • Microsoft Entra ID role: Specify the role for authorization.

    • Application scope: Specify the organization for authorization.

      1. Click next to the field.

      2. Under Table, select the AADOrganization table.

      3. Under Application scope, select the tenant.

      4. Click OK.

      - OR -

    • Directory scope: Specify the administrative unit, application, organization, or service principal for authorization.

      1. Click next to the field.

      2. Under Table, select one of the following tables:

        • To authorize an administrative unit, select AADAdministrativeUnit.

        • To authorize an application, select AADApplication.

        • To authorize an organization, select AADOrganization.

        • To authorize a service principal, select AADServicePrincipal.

      3. Under Directory scope, select the tenant.

      4. Click OK.

    • Enter Permanent if it is a permanent assignment.

    • Start time: The time from which the role eligibility is assigned.

    • End time: The time at which the role eligibility expires.

      NOTE: Select Permanent, disables the End time entry.

    • Valid from: Time at which the role eligibility becomes valid.

    • Specify whether this assignment is a Direct assignment.

      NOTE: The assignment specifications Indirect assignment and Assignment request are determined by processes and cannot be set manually.

    • Request procedure: References the request procedure that results in the assignment.

      NOTE: The request procedure is determined by processes and cannot be set manually.

  5. Save the changes.

関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択