지금 지원 담당자와 채팅
지원 담당자와 채팅

Identity Manager 9.1.1 - Administration Guide for Connecting to Azure Active Directory

Managing Azure Active Directory environments Synchronizing an Azure Active Directory environment
Setting up initial synchronization with an Azure Active Directory tenant Adjusting the synchronization configuration for Azure Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Azure Active Directory user accounts and employees Managing memberships in Azure Active Directory groups Managing Azure Active Directory administrator roles assignments Managing Azure Active Directory subscription and Azure Active Directory service plan assignments
Displaying enabled and disabled Azure Active Directory service plans forAzure Active Directory user accounts and Azure Active Directory groups Assigning Azure Active Directory subscriptions to Azure Active Directory user accounts Assigning disabled Azure Active Directory service plans to Azure Active Directory user accounts Inheriting Azure Active Directory subscriptions based on categories Inheritance of disabled Azure Active Directory service plans based on categories
Login information for Azure Active Directory user accounts Mapping of Azure Active Directory objects in One Identity Manager
Azure Active Directory core directories Azure Active Directory user accounts Azure Active Directory user identities Azure Active Directory groups Azure Active Directory administrator roles Azure Active Directory subscriptions and Azure Active Directory service principals Disabled Azure Active Directory service plans Azure Active Directory app registrations and Azure Active Directory service principals Reports about Azure Active Directory objects
Handling of Azure Active Directory objects in the Web Portal Recommendations for federations Basic configuration data for managing an Azure Active Directory environment Troubleshooting Configuration parameters for managing an Azure Active Directory environment Default project template for Azure Active Directory Editing Azure Active Directory system objects Azure Active Directory connector settings

Information required for Azure Active Directory synchronization projects

Have the following information available for setting up a synchronization project.

Table 4: Information required to set up a synchronization project
Data Explanation

Application ID

The application ID is generated when registering the One Identity Manager application in the Azure Active Directory tenant.

Login domain

Azure Active Directory name of the domain for logging in to Azure Active Directory. You can use the base domain or your Azure Active Directory tenant's verified domain.

User account and password for logging in

or

The secret's value

Depending on how the One Identity Manager application is registered in the Azure Active Directory tenant, either a user account with sufficient permissions or the secret is required.

For more information, see Users and permissions for synchronizing with Azure Active Directory.

Synchronization server for Azure Active Directory

All One Identity Manager Service actions are run against the target system environment on the synchronization server. Data entries required for synchronization and administration with the One Identity Manager database are processed by the synchronization server.

The One Identity Manager Service with the Azure Active Directory connector must be installed on the synchronization server.

The synchronization server must be declared as a Job server in One Identity Manager. Use the following properties when you set up the Job server.

  • Server function: Azure Active Directory connector (via Microsoft Graph)

  • Machine role: Server | Job Server | Azure Active Directory

One Identity Manager database connection data

  • Database server

  • Database name

  • SQL Server login and password

  • Specifies whether integrated Windows authentication is used

    Use of the integrated Windows authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

Remote connection server

To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with the target system to do this. Sometimes direct access from the workstation, on which the Synchronization Editor is installed, is not possible. For example, because of the firewall configuration or the workstation does not fulfill the necessary hardware and software requirements. If direct access is not possible from the workstation, you can set up a remote connection.

The remote connection server and the workstation must be in the same Active Directory domain.

Remote connection server configuration:

  • One Identity Manager Service is started

  • RemoteConnectPlugin is installed

  • Azure Active Directory connector is installed

The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required.

TIP: The remote connection server requires the same configuration as the synchronization server (with regard to the installed software and entitlements). Use the synchronization as remote connection server at the same time by installing the RemoteConnectPlugin as well.

For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.

Related topics

Creating an initial synchronization project for an Azure Active Directory tenant

NOTE: The following sequence describes how to configure a synchronization project if the Synchronization Editor is both:

  • Run in default mode

  • Started from the Launchpad

If you run the project wizard in expert mode or directly from the Synchronization Editor, additional configuration settings can be made. Follow the project wizard instructions through these steps.

NOTE: Just one synchronization project can be created per target system and default project template used.

To set up an initial synchronization project for an Azure Active Directory tenant

  1. Start the Launchpad and log in on the One Identity Manager database.

    NOTE: If synchronization is run by an application server, connect the database through the application server.

  2. Select the Target system type Azure Active Directory entry and click Start.

    This starts the Synchronization Editor's project wizard.

  1. On the System access page, specify how One Identity Manager can access the target system.

    • If access is possible from the workstation on which you started the Synchronization Editor, do not change any settings.

    • If access is not possible from the workstation on which you started the Synchronization Editor, you can set up a remote connection.

      Enable the Connect using remote connection server option and select the server to be used for the connection under Job server.

  1. On the Azure Active Directory tenant page, enter the following information:

    • Deployment: Select your cloud deployment. Select from Microsoft Graph global service or Microsoft Cloud for US Government (L4) .

    • Application ID: Enter the application ID. The application ID was generated when registering the One Identity Manager application in the Azure Active Directory tenant.

    • Login domain: Enter the base domain or a verified domain of your Azure Active Directory tenant.

  2. On the Authentication page, select the type of login and enter the required login data. The information is required depends on how the One Identity Manager application is registered with the Azure Active Directory tenant.

    • If you have integrated the One Identity Manager as a mobile device and desktop application in your Azure Active Directory tenant, select Authenticate as mobile device or desktop application and enter the user account and password for logging in.

    • If you have integrated One Identity Manager as a web application in your Azure Active Directory tenant, select the option Authenticate as web application and enter the value in the secret.

      The secret was generated when the One Identity Manager application was registered with the Azure Active Directory tenant.

  3. On the last page of the system connection wizard, you can save the connection data.

    • Set the Save connection locally option to save the connection data. This can be reused when you set up other synchronization projects.

    • Click Finish, to end the system connection wizard and return to the project wizard.

  1. On the One Identity Manager Connection tab, test the data for connecting to the One Identity Manager database. The data is loaded from the connected database. Reenter the password.

    NOTE:

    • If you use an unencrypted One Identity Manager database and have not yet saved any synchronization projects to the database, you need to enter all connection data again.

    • This page is not shown if a synchronization project already exists.

  2. The wizard loads the target system schema. This may take a few minutes depending on the type of target system access and the size of the target system.

  1. On the Select project template page, select the Azure Active Directory Synchronization template.

  1. On the Restrict target system access page, specify how system access should work. You have the following options: Read-only access to target system.
    Table 5: Specify target system access
    Option Meaning

    Specifies that a synchronization workflow is only to be set up for the initial loading of the target system into the One Identity Manager database.

    The synchronization workflow has the following characteristics:

    • Synchronization is in the direction of One Identity Manager.

    • Processing methods in the synchronization steps are only defined for synchronization in the direction of One Identity Manager.

    Read/write access to target system. Provisioning available.

    Specifies whether a provisioning workflow is set up in addition to the synchronization workflow for the initial loading of the target system.

    The provisioning workflow displays the following characteristics:

    • Synchronization is in the direction of the Target system.

    • Processing methods are only defined in the synchronization steps for synchronization in the direction of the Target system.

    • Synchronization steps are only created for such schema classes whose schema types have write access.

  1. On the Synchronization server page, select the synchronization server to run the synchronization.

    If the synchronization server is not declared as a Job server in the One Identity Manager database yet, you can add a new Job server.

    1. Click to add a new Job server.

    2. Enter a name for the Job server and the full server name conforming to DNS syntax.

    3. Click OK.

      The synchronization server is declared as Job server for the target system in the One Identity Manager database.

    4. NOTE: After you save the synchronization project, ensure that this server is set up as a synchronization server.

  1. To close the project wizard, click Finish.

    This creates and allocates a default schedule for regular synchronization. Enable the schedule for regular synchronization.

    This sets up, saves and immediately activates the synchronization project.

    NOTE:

    • If enabled, a consistency check is carried out. If errors occur, a message appears. You can decide whether the synchronization project can remain activated or not.

      Check the errors before you use the synchronization project. To do this, in the General view on the Synchronization Editor‘s start page, click Verify project.

    • If you do not want the synchronization project to be activated immediately, disable the Activate and save the new synchronization project automatically option. In this case, save the synchronization project manually before closing the Synchronization Editor.

    • The connection data for the target system is saved in a variable set and can be modified in the Synchronization Editor in the Configuration > Variables category.

Related topics

Configuring the synchronization log

All the information, tips, warnings, and errors that occur during synchronization are recorded in the synchronization log. You can configure the type of information to record separately for each system connection.

To configure the content of the synchronization log

  1. To configure the synchronization log for target system connection, select the Configuration > Target system category in the Synchronization Editor.

    - OR -

    To configure the synchronization log for the database connection, select the Configuration > One Identity Manager connection category in the Synchronization Editor.

  2. Select the General view and click Configure.

  3. Select the Synchronization log view and set Create synchronization log.

  4. Enable the data to be logged.

    NOTE: Some content generates a particularly large volume of log data. The synchronization log should only contain data required for error analysis and other analyzes.

  5. Click OK.

Synchronization logs are stored for a fixed length of time.

To modify the retention period for synchronization logs

  • In the Designer, enable the DPR | Journal | LifeTime configuration parameter and enter the maximum retention period.

Related topics

Adjusting the synchronization configuration for Azure Active Directory environments

Having used the Synchronization Editor to set up a synchronization project for initial synchronization of an Azure Active Directory tenant, you can use the synchronization project to load Azure Active Directory objects into the One Identity Manager database. If you manage user accounts and their authorizations with One Identity Manager, changes are provisioned in the Azure Active Directory environment.

You must customize the synchronization configuration to be able to regularly compare the database with the Azure Active Directory environment and to synchronize changes.

  • To use One Identity Manager as the primary system during synchronization, create a workflow with synchronization in the direction of the Target system.

  • You can use variables to create generally applicable synchronization configurations that contain the necessary information about the synchronization objects when synchronization starts. Variables can be implemented in base objects, schema classes, or processing method, for example.

  • Use variables to set up a synchronization project for synchronizing different tenants. Store a connection parameter as a variable for logging in to the tenants.

  • To specify which Azure Active Directory objects and database objects are included in synchronization, edit the scope of the target system connection and the One Identity Manager database connection. To prevent data inconsistencies, define the same scope in both systems. If no scope is defined, all objects will be synchronized.

  • Update the schema in the synchronization project if the One Identity Manager schema or target system schema has changed. Then you can add the changes to the mapping.

  • To synchronize additional schema properties, update the schema in the synchronization project. Include the schema extensions in the mapping.

For more information about configuring synchronization, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic
관련 문서

The document was helpful.

평가 결과 선택

I easily found the information I needed.

평가 결과 선택