Chat now with support
Chat with Support

Active Roles 7.4.1 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 License Management Office 365 Roles Management User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management One Identity Starling Two-factor Authentication for Active Roles Managing One Identity Starling Connect Azure_Overview
Config ARS to Manage Hybrid AD Objects Managing Hybrid AD Users Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Azure O365 or Unified Groups
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Enabling delegation for Federated Authentication

Configure Azure backsync automatically

Configuring Sync Workflow to back-synchronize Azure AD Objects to Active Roles automatically using the Active Roles Synchronization Service Console

Pre-requisites to configure the back-synchronization:

  • The hybrid environment must have Azure AD Connect installed and configured.
  • The user account used to perform back sync configuration must have the following privileges:

    • User Administrator
    • Privileged Role Administrator
    • Exchange Administrator
    • Application Administrator
  • The Windows Azure Active Directory (Azure AD) module version 2.0.0.131 or later must be installed for the backsync feature to work successfully.
  • Directory Writers Role must be enabled in Azure Active Directory. To enable the role use the following script:

    $psCred=Get-Credential

    Connect-AzureAD -Credential $psCred

    $roleTemplate = Get-AzureADDirectoryRoleTemplate | ? { $_.DisplayName -eq "Directory Writers" }

    # Enable an instance of the DirectoryRole template

    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId

To configure Azure backsync in Active Roles Synchronization Service

  1. In the upper right corner of the Synchronization Service Administration Console, select Settings | Configure Azure BackSync.

    The Configure BackSync operation in Azure with on-premises Active Directory objects dialog box is displayed.

  2. In the dialog box that opens:

    1. Enter the Azure domain valid Account ID credentials, and click Test Office 365 Connection.

    2. Specify whether you want to use a proxy server for the connection. You can select one of the following options:
    • Use Internet Explorer settings: Causes the connector to automatically detect and use the proxy server settings specified in Microsoft Internet Explorer installed on the Synchronization Service computer.

    • Use WinHTTP settings: Causes the connector to use the proxy server settings configured for Windows HTTP Services (WinHTTP).

    • Automatically detect: Automatically detects and uses proxy server settings.

    • Do not use proxy settings: Specifies to not use proxy server for the connection.

    On successful validation, the success message that the Office 365 Connection settings are valid is displayed.

    1. Enter the valid Active Roles account details and click Test Active Roles Connection.

      On successful validation the success message that the Active Roles connection settings are valid is displayed.

  1. Click Configure BackSync.

    The Azure App registration is done automatically. The required connections, mappings, and workflow steps are created automatically.

    On successful configuration the success message is displayed.

    If the Azure BackSync settings are already configured in the system, a warning message is displayed to confirm if you want to override the existing backsync settings with the new settings. If yes, click Override BackSync Settings. Else, click Cancel to retain the existing settings.

Configuring Sync Workflow to back-synchronize manually

Configuring Sync Workflow to back-synchronize Azure AD Objects to Active Roles manually

Prerequisites to configure the back-synchronization manually:

  • The hybrid environment must have Azure AD Connect installed and configured.
  • Synchronization Service Component must be installed and configured for Active Roles.
  • Azure AD configuration and the Administrator Consent for Azure AD application through web interface must be complete.
  • Azure AD built-in policy must be enforced and the attribute edsvaazureOffice365enabled must be set to true for the container where the back-synchronization is performed.

NOTE: Before adding a replication partner in a Replication environment, make sure to perform back-synchronization in the Service that is configured with the Publisher database.

To configure sync workflow to back-synchronize users and groups perform the following steps:

 

Step 1: Create Connection to Azure AD in the hybrid environment

Create a connection to Azure AD using the Azure AD Connector. The configuration requires the Azure domain name, the Client ID of an application in Azure AD, and the Client Key to establish the connection with Azure AD.

To configure an application:

  1. Create an Azure Web application (or use any relevant existing Azure Web Application) under the tenant of your Windows Azure Active Directory environment.

    The application must have "Application Permissions" to "read" and "write" directory data in Windows Azure Active Directory.

    NOTE: Alternatively, to assign the required permissions to the application by running a Windows PowerShell script, see the Creating a Windows Azure Active Directory connection section in the Synchronization Service Administration Console.

  1. Open the application properties and copy the following:
  • Client ID
  • Valid key of the application
  1. You need to supply the copied client ID and key when creating a new or modifying an existing connection to Windows Azure Active Directory in the Synchronization Service Administration Console.

NOTE: The Web Application that is created or is already available for Sync Service Azure AD Connector, is different from the application that is created while configuring Azure AD using Active Roles Web interface. Both the applications must be available for performing back-sync operations.

Step 2: Create Connection to Active Roles in the hybrid environment

Create a connection to Active Roles using the Active Roles Connector. The configuration requires the local domain details and Active Roles version used. Define the scope to select the container from which the objects for synchronization must be selected.

Step 3: Create Sync Work flow

Create a Sync Workflow using the Azure AD and Active Roles connections. Add a Synchronization step to Update Azure User/Group to Active Roles User/Group. Configure the Forward Sync Rule to synchronize the following:

  • Azure ObjectID property of a user/group to the Active Roles user/group edsvaAzureObjectID property.
  • Set the edsvaAzureOffice365Enabled attribute in Active Roles user/group to True.
Step 4: Create Mapping

Create a Mapping Rule which identifies the user/group in Azure AD and on-premises AD uniquely and map the specified properties from Azure AD to Active Roles appropriately.

For example, the property userprincipalname can be used to map users between on-premises AD and Azure AD in a federated environment.

NOTE:

  • Based on the environment, make sure to create the correct Mapping rule to identify the user or group uniquely. In-correct mapping rule may create duplicate objects and the back-sync operation may not work as expected.
  • Initial configuration and execution of back-sync operation for Azure AD users ID is a one-time activity.
  • In Federated or Synchronized environments, Azure AD group creation is not  supported. The  group is created in Active Roles and is synchronized eventually  to Azure using Microsoft Native tools, such as AAD Connect. To manage the  Azure AD group through Active Roles, you must perform periodic back- synchronization to on-premise AD.
  • Sync engine must be configured to synchronize the data back to AD based on the frequency of groups creation.

Configuring Sync Workflow to back-synchronize AD contacts

To configure sync workflow to back-synchronize contacts perform the following steps:

 

Step 1: Create Connection to Office 365 in the hybrid environment

Create a connection to Office 365 using the Microsoft Office 365 Connector. The configuration requires Microsoft Online Services ID, Password, Proxy server (if required) and Exchange Online services.

NOTE: Back synchronization of contacts uses Microsoft Office 365 Connector to establish connection to Office 365. Back synchronization of users and groups uses the Azure AD Connector to establish connection to Azure AD.
Step 2: Create Connection to Active Roles in the hybrid environment

Create a connection to Active Roles using the Active Roles Connector. The configuration requires the local domain details and Active Roles version used. Define the scope to select the container from which the objects for synchronization must be selected.

Step 3: Create Sync Workflow

Create a Sync Workflow using the Office 365 and Active Roles connections. Add a Synchronization step to Update Office 365 Contacts to Active Roles Contacts. Configure the Forward Sync Rule to synchronize the following:

  • Azure ExternalDirectoryObjectId property of a contact to the Active Roles contact edsaAzureContactObjectId property.
  • Set the edsvaAzureOffice365Enabled attribute in Active Roles contact to True.
Step 4: Create Mapping

Create a Mapping Rule, which identifies the contact in Office 365 and on-premises AD uniquely and map the specified properties from Office 365 to Active Roles appropriately.

NOTE:

  • Based on the environment, make sure to create the correct Mapping rule to identify the contacts uniquely. In-correct mapping rule may create duplicate objects and the back-sync operation may not work as expected.
  • In Federated or Synchronized environments, Office 365 contact creation is not  supported. The  contact is created in Active Roles and is synchronized eventu- ally to Office 365 using Microsoft Native tools, such as AAD Connect. To  manage the Office 365 contact through Active Roles, you must perform periodic  back-synchronization to on-premise AD.

 

Managing Hybrid AD Users

The Active Roles web interface enables you to perform administrative tasks such as create, read, update, deprovision, undo-deprovison, and delete Azure AD users in Hybrid environment. You can also perform other operations such as add and remove Azure AD users to Groups and assign Office 365 licenses to users. Some of the user operations can be performed using the Management Shell in addition to the web interface. The following section guides you through the Active Roles web interface and Management Shell to manage Azure AD users.

Related Documents