Azure Object Management in Federated and Synchronized Identity environments
Synchronization methods apply only to Synchronized and Federated environments, where AAD Connect performs the synchronization. A non-federated Azure environment does not require synchronization; direct GRAPH API calls are used to manage Azure or Office 365 objects.
The following table lists the operations that can be performed on Azure objects in Federated and Synchronized Identity environments and the method used for each.
Table 117: Supported Azure configurations comparison chart

| Object | Operation | Property group | Property | Method |
|---|---|---|---|---|
| User | Create | | | Created by GRAPH API |
| User | Read | | | Using GRAPH API and Exchange Online cmdlets |
| User | Update | Azure properties | Identity | Synced using AAD Connect |
| User | Update | Azure properties | Settings | Using GRAPH API |
| User | Update | Azure properties | Job Info | Synced using AAD Connect |
| User | Update | Azure properties | Contact Info | Synced using AAD Connect |
| User | Update | Azure properties | Licenses | Using GRAPH API |
| User | Update | Azure properties | Office 365 Admin Roles | Using GRAPH API |
| User | Update | Azure properties | OneDrive | Created by OneDrive Policy using PowerShell commands |
| User | Update | Exchange Online properties | Mail flow Settings | Using Exchange Online cmdlets |
| User | Update | Exchange Online properties | Delegation | Using Exchange Online cmdlets |
| User | Update | Exchange Online properties | Email Address | Synced using AAD Connect |
| User | Update | Exchange Online properties | Mailbox Features | Using Exchange Online cmdlets |
| User | Update | Exchange Online properties | Mailbox Settings | Using Exchange Online cmdlets |
| User | Delete | | | Using GRAPH API |
| Security Group | Create | | | Created in Azure, Back Synced to Active Roles, Synced using AAD Connect |
| Security Group | Read | | | Using GRAPH API |
| Security Group | Update | | | Synced using AAD Connect |
| Security Group | Delete | | | Using GRAPH API |
| Mail Enabled Security Group | Create | | | Created in Azure, Back Synced to Active Roles, Synced using AAD Connect |
| Mail Enabled Security Group | Read | | | Using GRAPH API |
| Mail Enabled Security Group | Update | | | Synced using AAD Connect |
| Mail Enabled Security Group | Delete | | | Using GRAPH API |
| Distribution Group | Create | | | Created in Azure, Back Synced to Active Roles, Synced using AAD Connect |
| Distribution Group | Read | | | Using GRAPH API |
| Distribution Group | Update | | | Synced using AAD Connect |
| Distribution Group | Delete | | | Using GRAPH API |
| Native Office 365 Group (Cloud-only*) | Create | | | Using GRAPH API |
| Native Office 365 Group (Cloud-only*) | Read | | | Using GRAPH API |
| Native Office 365 Group (Cloud-only*) | Update | | | Using GRAPH API |
| Native Office 365 Group (Cloud-only*) | Delete | | | Using GRAPH API |
| Contacts | Create | | | Synced using AAD Connect |
| Contacts | Read | | | Using GRAPH API |
| Contacts | Update | | | Synced using AAD Connect |
| Contacts | Delete | | | Using GRAPH API |
Appendix E: Enabling delegation for Federated Authentication
To enable delegation for Federated Authentication, follow the steps provided here.
Configuring Internet Explorer settings
- Navigate to Internet options | Security | Local Intranet and click Custom Level.
- In the User Authentication section, choose the Automatic Logon with current user name and password option.
- Navigate to Internet options | Security | Local Intranet | Sites | Advanced and add the domain as a trusted site.
- Add the domain and the web server machine name, such as <https://*.mydomain.com, https://webservermachinename>.
Configuring Distributed COM and IIS_IUSRS group membership
- In Active Directory Users and Computers, add the Active Roles service account to the Distributed COM Users group if it is not already a member.
- If the server hosting the Active Roles Web Interface is a member server (not a domain controller), navigate to Computer Management | System Tools | Local Users and Groups.
- Add the Active Roles service account to both the Distributed COM Users and IIS_IUSRS groups.
Creating ServicePrincipalName entries for the Active Roles service account
- setspn -U -S HTTP/webserver.domain.com domain\AppPoolAccount
- setspn -U -S HTTP/webserver domain\AppPoolAccount
- setspn -U -S ArAdminSvc/serviceserver.domain.com domain\AppPoolAccount
- setspn -U -S ArAdminSvc/serviceserver domain\AppPoolAccount
Open the Active Directory Users and Computers snap-in, or type dsa.msc in Run
- Open the properties of the user for which the ServicePrincipalName is set.
- Click the Delegation tab.
- Select the Trust this user for delegation to specified services only option.
- Select the Use any authentication protocol option.
- Click Add and provide the user account for which the ServicePrincipalName was added.
- Select the SPNs that were added and click OK.
- Click OK and close the window.
Local security policy
Open Local Security Policy | Local Policies | User Rights Assignment and add the above user to the Act as part of the operating system policy.
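The following verification script is an added example, not part of the Active Roles documentation; it checks that the SPNs, the constrained-delegation settings and the group memberships configured in the steps above are actually in place. It assumes the ActiveDirectory PowerShell module, that it runs on the web server for the local-group checks, and the placeholder names AppPoolAccount, webserver.domain.com and serviceserver.domain.com from the setspn commands.

```powershell
# Added verification script (not from the Active Roles documentation).
# Assumes the ActiveDirectory module; names below are the placeholders used in the setspn commands.
param(
    [string]$ServiceAccount = 'AppPoolAccount',           # assumed sAMAccountName of the service account
    [string]$WebServer      = 'webserver.domain.com',     # assumed Web Interface host FQDN
    [string]$ServiceServer  = 'serviceserver.domain.com'  # assumed Administration Service host FQDN
)
Import-Module ActiveDirectory

$acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName,
    'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, TrustedForDelegation

# 1. Every SPN the procedure registers must be present on the account.
$expected = @(
    "HTTP/$WebServer", "HTTP/$($WebServer.Split('.')[0])",
    "ArAdminSvc/$ServiceServer", "ArAdminSvc/$($ServiceServer.Split('.')[0])"
)
$missing = $expected | Where-Object { $acct.servicePrincipalName -notcontains $_ }
if ($missing) { Write-Warning "SPNs missing on ${ServiceAccount}: $($missing -join ', ')" }

# 2. Delegation must be constrained ("specified services only"), never unconstrained.
if ($acct.TrustedForDelegation) {
    Write-Warning 'Account is trusted for UNconstrained delegation; the procedure expects constrained delegation.'
}
$targets = @($acct.'msDS-AllowedToDelegateTo')
if (-not $targets) { Write-Warning 'No constrained-delegation target services are configured.' }
else { "Delegation targets: $($targets -join ', ')" }
# "Use any authentication protocol" sets TrustedToAuthForDelegation (protocol transition).
"Protocol transition enabled: $($acct.TrustedToAuthForDelegation)"

# 3. Group memberships from the procedure: domain group, then local groups on this web server.
$dcom = Get-ADGroupMember -Identity 'Distributed COM Users' -Recursive |
        Select-Object -ExpandProperty SamAccountName
"Member of domain 'Distributed COM Users': $($dcom -contains $ServiceAccount)"
foreach ($g in 'Distributed COM Users', 'IIS_IUSRS') {
    $m = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
         Where-Object { $_.Name -like "*\$ServiceAccount" }
    "Member of local '$g': $([bool]$m)"
}
```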
Installing Redistributable STS
To install the Redistributable STS (RSTS) application, follow the steps provided here.
Installing Redistributable STS (RSTS)
- Open a command prompt with Administrator privileges.
- At the command prompt, change to the location of the Redistributable STS (RSTS). By default, RSTS is available in C:\Program Files\One Identity\Active Roles\7.4\Web\RSTS.
- Type RSTS /install to install the RSTS application.
- After the RSTS application is installed, open the RStsApiAdmin application from C:\Program Files\One Identity\Active Roles\7.4\Web\RSTS\ApiAdminApplication.
- In Connection Settings, enter localhost in the Server field and click Login. After a successful connection, the STS Server section in the General settings tab is populated with information, and the fields in the Directory Service Providers tab are populated with the Active Directory information.
- Click the Claim Definitions tab and right-click to add a new attribute claim (UPN) as follows:
  - Claim ID: Preferred name
  - Claim Type: Browse http://localhost/rsts/wsfedmetadata and pick the URI of the IUser.AccountName attribute. For example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn.
  - Attribute ID: userPrincipalName
- Click Save. In the Configuration Center, while configuring the RSTS provider, you have to provide the Claim Type specified above.
- In the list of services, check that the RedistributableSecureTokenServer service is running.
Examples for configuring identity providers
The following are examples of configuring the identity providers when using the Federated Authentication feature.
Azure
- Metadata url: https://login.microsoftonline.com/<AzureTenantID>/FederationMetadata/2007-06/FederationMetadata.xml
- realm: spn:<Azure Application ID>
- replyurl: https://<Web Server Name>/arwebadmin/
ADFS
- Metadata url: https://<ADFS Server name>/FederationMetadata/2007-06/FederationMetadata.xml
- realm: https://<Web Server Name>/arwebadmin/
- replyurl: https://<Web Server Name>/arwebadmin/
RSTS
- Metadata url: http://localhost/rsts/wsfedmetadata
- realm: https://<Web Server Name>/arwebadmin/
- replyurl: https://<Web Server Name>/arwebadmin/
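Before entering one of the Metadata url values above into the Configuration Center, it is worth confirming what the endpoint actually serves. The script below is an added example, not from the Active Roles documentation: it downloads a WS-Federation metadata document (the ADFS URL from the example is the assumed default; the Azure and RSTS URLs use the same format), prints the issuer and passive sign-in endpoint, and lists the token-signing certificates with their expiry, which is what the relying party will trust.

```powershell
# Added metadata check (not from the Active Roles documentation).
# Assumes the metadata URL format shown in the examples above; replace the <placeholder> first.
param(
    [string]$MetadataUrl = 'https://<ADFS Server name>/FederationMetadata/2007-06/FederationMetadata.xml'
)
[xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content

# Namespaces used by WS-Federation metadata (SAML metadata, WS-Fed, WS-Addressing, XML-DSig).
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md',  'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('fed', 'http://docs.oasis-open.org/wsfed/federation/200706')
$ns.AddNamespace('wsa', 'http://www.w3.org/2005/08/addressing')
$ns.AddNamespace('ds',  'http://www.w3.org/2000/09/xmldsig#')

$entityId = $md.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')
$passive  = $md.SelectSingleNode(
    '//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address', $ns).InnerText
"Issuer (entityID):        $entityId"
"Passive sign-in endpoint: $passive"

# The RoleDescriptor that carries the passive endpoint is the STS; its signing keys sign the tokens.
$sts = $md.SelectSingleNode('//md:RoleDescriptor[fed:PassiveRequestorEndpoint]', $ns)
$certs = $sts.SelectNodes('md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns)
foreach ($b64 in $certs.InnerText) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($b64.Trim()))
    "Token-signing cert: $($cert.Subject) thumbprint=$($cert.Thumbprint) expires=$($cert.NotAfter.ToString('u'))"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Signing certificate $($cert.Thumbprint) expires within 30 days; plan the rollover."
    }
}

# The metadata document itself should carry an enveloped signature from the issuer.
if (-not $md.SelectSingleNode('/md:EntityDescriptor/ds:Signature', $ns)) {
    Write-Warning 'Metadata document is not signed.'
}
```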
After switching STS providers, restart IIS and clear the browser cache.