You can use the Active Roles Management Shell to add an Azure AD application to the Azure AD tenant.
To add an Azure AD application
On the Management Shell interface, run the New-QADAzureConfigObject cmdlet.
Synopsis
This cmdlet enables you to add an Azure AD application to the Azure AD tenant.
Syntax
New-QADAzureConfigObject -type 'AzureApplication' -name 'AzureApplication' -DisplayName 'ApplicationDisplayName' -AzureTenantId 'AzureTenantGUID' -AzureAppPermissions 'ApplicationPermission'
Description
Use this cmdlet to add an Azure AD application.
Parameters
-type
Use this parameter to specify the object class of the directory object to be created. This is the name of a schema class object; for this cmdlet the value is AzureApplication. The cmdlet creates a directory object of the object class specified by the value of this parameter.
Required: true
Position: named
Accepts pipeline input: false
Accepts wildcard characters: false
-name
Use this parameter to set the 'name' attribute of the new object created by this cmdlet in the directory to this parameter value.
Required: true
Position: named
Accepts pipeline input: false
Accepts wildcard characters: false
-AzureTenantId
Use this parameter to enter the Azure AD tenant ID obtained from the default tenant created after subscribing to Microsoft Azure.
NOTE: The values entered for configuring the Azure AD tenant must exactly match the values configured in Azure AD; otherwise Azure AD application creation and management of Azure AD objects fail.
Required: true
Position: named
Accepts pipeline input: false
Accepts wildcard characters: false
-DisplayName
Use this parameter to set the 'displayName' attribute of the new object to this parameter value.
Required: false
Position: named
Accepts pipeline input: false
Accepts wildcard characters: false
-AzureAppPermissions
Use this parameter to specify the permission scope of the application in Azure AD.
Required: true
Position: named
Accepts pipeline input: false
Accepts wildcard characters: false
-Description
Use this parameter to specify the description of the Azure AD application.
Required: false
Position: named
Accepts pipeline input: false
Accepts wildcard characters: false
Example
Connect to any available domain controller with the credentials of the locally logged on user, and create a new Azure AD application:
C:\PS> New-QADAzureConfigObject -type 'AzureApplication' -name 'CompanyApplication' -DisplayName 'ApplicationDisplayName' -AzureTenantId 'CompanyAzureID' -AzureAppPermissions 'CompanyAppPermission'
Example
Connect to the local Administration Service with the credentials of a specific user, create a new Azure AD application, and then disconnect:
C:\PS> $pw = Read-Host "Enter password" -AsSecureString
C:\PS> Connect-QADService -Service 'localhost' -Proxy -ConnectionAccount 'company\administrator' -ConnectionPassword $pw
C:\PS> New-QADAzureConfigObject -type 'AzureApplication' -name 'CompanyApplication' -DisplayName 'ApplicationDisplayName' -AzureTenantId 'CompanyAzureID' -AzureAppPermissions 'CompanyAppPermission'
C:\PS> Disconnect-QADService
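The NOTE on the -AzureTenantId parameter is the part that bites in practice: a tenant ID that does not exactly match the Azure AD tenant produces a configuration object that cannot manage anything. The following script is an added example (it is not part of the One Identity documentation or product) that wraps the two documented cmdlet calls in a small script which validates the tenant ID as a GUID before connecting, takes the connection account as a PSCredential instead of a plain-text account name, and always disconnects. It assumes the Active Roles Management Shell module is installed as ActiveRolesManagementShell and that the cmdlet parameters are exactly those listed on this page; the parameter names of the script itself are the author's choice.

```powershell
# Added example, not One Identity's code. Creates an Azure AD application
# configuration object through Active Roles with the inputs checked first.
# Assumptions: the Management Shell module is named ActiveRolesManagementShell,
# and New-QADAzureConfigObject takes the parameters documented on this page.
param(
    [Parameter(Mandatory)] [string] $AzureTenantId,      # tenant ID copied from the Azure portal
    [Parameter(Mandatory)] [string] $Name,               # 'name' attribute of the new object
    [string] $DisplayName = $Name,                       # 'displayName' attribute, defaults to Name
    [Parameter(Mandatory)] [string] $AppPermissions,     # permission scope string for the application
    [string] $Service = 'localhost',                     # Administration Service to connect to
    [pscredential] $Credential = (Get-Credential -Message 'Active Roles connection account')
)

# Tenant IDs are GUIDs. Reject anything else before touching Azure AD, because a
# wrong value is only discovered later, when object management silently fails.
$parsed = [guid]::Empty
if (-not [guid]::TryParse($AzureTenantId, [ref] $parsed)) {
    throw "AzureTenantId '$AzureTenantId' is not a GUID. Copy the Tenant ID from the Azure portal and retry."
}
# Normalise to the canonical lowercase dashed form so the stored value matches what the portal shows.
$AzureTenantId = $parsed.ToString()

Import-Module ActiveRolesManagementShell -ErrorAction Stop

try {
    # Connect through the Administration Service (-Proxy) with an explicit account,
    # using the same -ConnectionAccount / -ConnectionPassword parameters shown in the
    # documented example; the password never appears as plain text in the script.
    Connect-QADService -Service $Service -Proxy `
        -ConnectionAccount $Credential.UserName `
        -ConnectionPassword $Credential.Password `
        -ErrorAction Stop

    # The documented call, with -type fixed to 'AzureApplication' as the Syntax section requires.
    $app = New-QADAzureConfigObject -type 'AzureApplication' `
        -name $Name `
        -DisplayName $DisplayName `
        -AzureTenantId $AzureTenantId `
        -AzureAppPermissions $AppPermissions `
        -ErrorAction Stop

    Write-Output "Created Azure AD application object '$Name' for tenant $AzureTenantId"
    $app
}
finally {
    # Always drop the session, even if creation failed.
    Disconnect-QADService -ErrorAction SilentlyContinue
}
```

Run it as `.\New-ArsAzureApp.ps1 -AzureTenantId '<tenant GUID>' -Name 'CompanyApplication' -AppPermissions 'CompanyAppPermission'`; it prompts for the connection account. The GUID check is deliberately strict: the documentation's placeholder value 'CompanyAzureID' would be rejected, which is the point, since a real tenant ID is never a free-form name.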
To configure Active Roles to manage Hybrid AD objects, perform the following tasks:
In any hybrid environment, on-premises Active Directory objects are synchronized to Azure AD by some means such as Azure AD Connect. When Active Roles 7.1 is deployed in such a hybrid environment, the existing users' and groups' Azure information, such as the Azure objectID, must be synchronized back from Azure AD to on-premises AD for the Azure functionality to keep working. To synchronize existing AD users and groups from Azure AD to Active Roles, you must use the back-synchronization operation.
Back Synchronization is performed by leveraging the existing functionality of Synchronization Service component of Active Roles. Synchronization workflows are configured to identify the Azure AD unique users or groups and map them to the on-premises AD users or groups. After the back-synchronization operation is completed, Active Roles displays the configured Azure attributes for the synchronized objects.
For information on configuring Synchronization workflows for Azure AD, see One Identity Active Roles Synchronization Service Administrator Guide.
Pre-requisites to configure the back-synchronization:
NOTE: Before adding a replication partner in a replication environment, make sure to perform back-synchronization in the Service that is configured with the Publisher database.
To configure sync workflow to back-synchronize users perform the following steps:
Create a connection to Azure AD using the Azure AD Connector. The configuration requires the Azure domain name, the Client ID of an application in Azure AD, and the Client Key to establish the connection with Azure AD.
To configure an application:
The application must have "Application Permissions" to "read" and "write" directory data in Windows Azure Active Directory.
NOTE: Alternatively, to assign the required permissions to the application by running a Windows PowerShell script, see the Creating a Windows Azure Active Directory connection section in the Sync Service Guide.
NOTE: The web application that is created for, or already available to, the Sync Service Azure AD Connector is different from the application that is created while configuring Azure AD through the ARS web interface. Both applications must be available for performing back-sync operations.
Create a connection to Active Roles using the Active Roles Connector. The configuration requires the local domain details and Active Roles version used. Define the scope to select the container from which the objects for synchronization must be selected.
Create a Sync Workflow using the Azure AD and Active Roles connections. Add a Synchronization step to Update Azure User/Group to Active Roles User/Group. Configure the Forward Sync Rule to synchronize the following:
Create a Mapping Rule which identifies the user or group uniquely in both Azure AD and on-premises AD, and map the specified properties from Azure AD to the corresponding Active Roles object.
For example, in a federated environment the property userPrincipalName can be used to map users between on-premises AD and Azure AD, since it is the same value on both sides.
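A mapping rule only works if the chosen property identifies each object uniquely on both sides; a duplicate UPN on either side, or a UPN that exists only on-premises, means the step cannot pair the objects and no Azure objectID is written back. The following is an added example (not One Identity's code and not part of the Synchronization Service) that performs that check before the workflow is built: it pairs an on-premises user set with an Azure AD user set by userPrincipalName, case-insensitively, and reports duplicates and unmatched entries. The two user sets are constructed sample data; in a real run you would feed it the on-premises users retrieved through Active Roles and an export of the Azure AD users, each carrying a UserPrincipalName property (and ObjectId on the Azure side).

```powershell
# Added example, not One Identity's code. Dry-runs a userPrincipalName mapping
# rule before the back-sync workflow is configured.
function Test-UpnMapping {
    param(
        [Parameter(Mandatory)] [object[]] $OnPremUsers,  # objects with SamAccountName, UserPrincipalName
        [Parameter(Mandatory)] [object[]] $AzureUsers    # objects with ObjectId, UserPrincipalName
    )
    # UPNs are compared case-insensitively, which is how both directories treat them.
    $dupOnPrem = @($OnPremUsers | Group-Object { $_.UserPrincipalName.ToLowerInvariant() } | Where-Object Count -gt 1)
    $dupAzure  = @($AzureUsers  | Group-Object { $_.UserPrincipalName.ToLowerInvariant() } | Where-Object Count -gt 1)

    $azureByUpn = @{}
    foreach ($u in $AzureUsers) { $azureByUpn[$u.UserPrincipalName.ToLowerInvariant()] = $u }

    $matched = @()
    $unmatched = @()
    foreach ($u in $OnPremUsers) {
        $key = $u.UserPrincipalName.ToLowerInvariant()
        if ($azureByUpn.ContainsKey($key)) {
            # This is the pair the sync step would produce: the Azure objectID
            # written onto the on-premises user.
            $matched += [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                UserPrincipalName = $u.UserPrincipalName
                AzureObjectId     = $azureByUpn[$key].ObjectId
            }
        } else {
            $unmatched += $u.UserPrincipalName
        }
    }

    [pscustomobject]@{
        Matched         = $matched
        UnmatchedOnPrem = $unmatched                      # never synced from on-prem, or not yet in Azure AD
        DuplicateOnPrem = @($dupOnPrem | ForEach-Object Name)
        DuplicateAzure  = @($dupAzure  | ForEach-Object Name)
        # Duplicates break the uniqueness the mapping rule relies on; unmatched users
        # are only reported, since they are simply skipped by the sync step.
        SafeToSync      = ($dupOnPrem.Count -eq 0 -and $dupAzure.Count -eq 0)
    }
}

# Constructed sample data, not real accounts. The second user differs only in
# case between the two sides, and svc01 exists on-premises only.
$onPrem = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   UserPrincipalName = 'jdoe@corp.example.com' }
    [pscustomobject]@{ SamAccountName = 'asmith'; UserPrincipalName = 'ASmith@corp.example.com' }
    [pscustomobject]@{ SamAccountName = 'svc01';  UserPrincipalName = 'svc01@corp.example.com' }
)
$azure = @(
    [pscustomobject]@{ ObjectId = '11111111-1111-1111-1111-111111111111'; UserPrincipalName = 'jdoe@corp.example.com' }
    [pscustomobject]@{ ObjectId = '22222222-2222-2222-2222-222222222222'; UserPrincipalName = 'asmith@corp.example.com' }
)

$result = Test-UpnMapping -OnPremUsers $onPrem -AzureUsers $azure
$result.Matched | Format-Table -AutoSize
"Unmatched on-premises: $($result.UnmatchedOnPrem -join ', ')"
"Duplicate UPNs on-premises: $($result.DuplicateOnPrem -join ', ')"
"Duplicate UPNs in Azure AD: $($result.DuplicateAzure -join ', ')"
"Safe to configure the mapping rule: $($result.SafeToSync)"
```

With the sample data, jdoe and asmith are paired (the case difference is harmless), svc01 is listed as unmatched, and SafeToSync is True. If the same check reported a duplicate on either side, pick a different mapping property or fix the directory data before creating the workflow, since the sync step would otherwise map the objectID to the wrong object or to none.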
© 2021 One Identity LLC. ALL RIGHTS RESERVED.