지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 9.2 - Administration Guide for Connecting to Azure Active Directory

Managing Azure Active Directory environments Synchronizing an Azure Active Directory environment
Setting up initial synchronization with an Azure Active Directory tenant Adjusting the synchronization configuration for Azure Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Azure Active Directory user accounts and identities Managing memberships in Azure Active Directory groups Managing Azure Active Directory administrator roles assignments Managing Azure Active Directory subscription and Azure Active Directory service plan assignments
Displaying enabled and disabled Azure Active Directory service plans forAzure Active Directory user accounts and Azure Active Directory groups Assigning Azure Active Directory subscriptions to Azure Active Directory user accounts Assigning disabled Azure Active Directory service plans to Azure Active Directory user accounts Inheriting Azure Active Directory subscriptions based on categories Inheritance of disabled Azure Active Directory service plans based on categories
Login credentials for Azure Active Directory user accounts Azure Active Directory role management Mapping Azure Active Directory objects in One Identity Manager
Azure Active Directory core directories Azure Active Directory user accounts Azure Active Directory user identities Azure Active Directory groups Azure Active Directory administrator roles Azure Active Directory administrative units Azure Active Directory subscriptions and Azure Active Directory service principals Disabled Azure Active Directory service plans Azure Active Directory app registrations and Azure Active Directory service principals Reports about Azure Active Directory objects
Handling of Azure Active Directory objects in the Web Portal Recommendations for federations Basic configuration data for managing an Azure Active Directory environment Troubleshooting Configuration parameters for managing an Azure Active Directory environment Default project template for Azure Active Directory Editing Azure Active Directory system objects Azure Active Directory connector settings

Troubleshooting

Possible errors when synchronizing an Azure Active Directory tenant

Issue

An error occurs when loading the Azure Active Directory user accounts:

[Exception]: ServiceException occurred

Code: BadRequest

Message: Tenant does not have a SPO license.

[ServiceException]: Code: BadRequest - Message: Tenant does not have a SPO license.

Cause

An Azure Active Directory tenant is synchronized that does not have a license for the SharePoint Online service.

Possible solutions
  • Ensure the Azure Active Directory tenant has a license that includes the SharePoint Online service. (Recommended)

  • If you want to synchronize an Azure Active Directory tenant that does not have a license for the SharePoint Online service, change the synchronization project with the Synchronization Editor.

    In Users mapping, disable the property mapping rules for the following schema properties. To do this, set the mapping direction to the Do not map.

    • BirthDay

    • PreferredName

    • Responsibilities

    • Schools

    • Skills

    • PastProjects

    • Interests

    • HireDate

    • EmployeeID

    • AboutMe

    • MySite

    • ImAddresses

    • FaxNumber

    • OtherMails

    For more information about editing property mapping rules in the Synchronization Editor, see the One Identity Manager Target System Synchronization Reference Guide.

Configuration parameters for managing an Azure Active Directory environment

The following configuration parameters are available in One Identity Manager after the module has been installed.

Table 49: Configuration parameters
Configuration parameter Description

TargetSystem | AzureAD

Preprocessor relevant configuration parameter for controlling database model components for Azure Active Directory target system administration. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

TargetSystem | AzureAD | Accounts

Allows configuration of user account data.

TargetSystem | AzureAD | Accounts |
InitialRandomPassword

Specifies whether a random password is generated when a new user account is added. The password must contain at least those character sets that are defined in the password policy.

TargetSystem | AzureAD | Accounts |
InitialRandomPassword | SendTo

Identity to receive an email with the random generated password (manager cost center/department/location/role, identity’s manager or XUserInserted). If no recipient can be found, the password is sent to the address stored in the TargetSystem | AzureAD | DefaultAddress configuration parameter.

TargetSystem | AzureAD | Accounts |
InitialRandomPassword | SendTo |
MailTemplateAccountName

Mail template name that is sent to supply users with the login credentials for the user account. The Identity - new user account created mail template is used.

TargetSystem | AzureAD | Accounts |
InitialRandomPassword | SendTo |
MailTemplatePassword

Mail template name that is sent to supply users with the initial password. The Identity - initial password for new user account mail template is used.

TargetSystem | AzureAD | Accounts |
MailTemplateDefaultValues

Mail template used to send notifications about whether default IT operating data mapping values are used for automatically creating a user account. The Identity - new user account with default properties created mail template is used.

TargetSystem | AzureAD | Accounts |
PrivilegedAccount

Allows configuration of privileged Azure Active Directory user account settings.

TargetSystem | AzureAD | Accounts |
PrivilegedAccount |
AccountName_Postfix

Postfix for formatting the login name of privileged user accounts.

TargetSystem | AzureAD | Accounts |
PrivilegedAccount |
AccountName_Prefix

Prefix for formatting a login name of privileged user accounts.

TargetSystem | AzureAD | DefaultAddress

Default email address of the recipient for notifications about actions in the target system.

TargetSystem | AzureAD | DeltaTokenDirectory

Directory where the delta token files for the delta synchronization are stored.

TargetSystem | AzureAD |
MaxFullsyncDuration

Maximum runtime of a synchronization in minutes. No recalculation of group memberships by the DBQueue Processor can take place during this time. If the maximum runtime is exceeded, group membership are recalculated.

TargetSystem | AzureAD |
PersonAutoDefault

Mode for automatic identity assignment for user accounts added to the database outside synchronization.

TargetSystem | AzureAD |
PersonAutoDisabledAccounts

Specifies whether identities are automatically assigned to disabled user accounts. User accounts are not given an account definition.

TargetSystem | AzureAD |
PersonAutoFullSync

Mode for automatic identity assignment for user accounts that are added to or updated in the database by synchronization.

TargetSystem | AzureAD |
PersonExcludeList

Listing of all user account without automatic identity assignment. Names are listed in a pipe (|) delimited list that is handled as a regular search pattern.

Example:

ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.* | $

TargetSystem | AzureAD | PersonUpdate

Specifies whether identities are updated if their user accounts are changed. This configuration parameter is set to allow ongoing update of identities from associated user accounts.

QER | ITShop | AutoPublish | AADGroup

Preprocessor relevant configuration parameter for automatically adding Azure Active Directory groups to the IT Shop. If the parameter is set, all groups are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

QER | ITShop | AutoPublish | AADGroup | ExcludeList

List of all Azure Active Directory groups that must not be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.

Example:

.*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

QER | ITShop | AutoPublish | AADSubSku

Preprocessor relevant configuration parameter for automatically adding Azure Active Directory subscriptions to the IT Shop. If the parameter is set, all subscriptions are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

QER | ITShop | AutoPublish | AADSubSku | ExcludeList

List of all Azure Active Directory subscriptions that must not be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.

QER | ITShop | AutoPublish | AADDeniedServicePlan

Preprocessor relevant configuration parameter for automatically adding Azure Active Directory service plans to the IT Shop. If the parameter is set, all service plans are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.

If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

QER | ITShop | AutoPublish | AADDeniedServicePlan | ExcludeList

List of all Azure Active Directory service plans that must not be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.

Default project template for Azure Active Directory

A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

Detailed information about this topic
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택