Active Roles 7.4.4 - Release Notes

One Identity Active Roles 7.4.4

Release Notes

May 2021

These release notes provide information about the One Identity Active Roles release. For the most recent documents and product information, see Active Roles online product documentation.

About this release

About One Identity Active Roles 7.4.4

NOTE: If you are currently utilizing the Office 365 Add-on, uninstall the add-on before performing the Active Roles upgrade to version 7.4.4. For more information regarding the changes to Office 365 support, see Impact on Office 365 add-on.

Before proceeding with the upgrade, make sure to perform a database backup.

Active Roles (formerly known as ActiveRoles®) provides out-of-the-box user and group account management, strictly enforced administrator-based role security, day-to-day identity administration and built-in auditing and reporting for Active Directory and Azure Active Directory (AD) environments. The following features and capabilities make Active Roles a practical solution for secure management of objects in Active Directory and Active Directory-joined systems:

  • Secure access: Acts as a virtual firewall around Active Directory, enabling you to control access through delegation using a least privilege model. Based on defined administrative policies and associated permissions, it generates and strictly enforces access rules, eliminating the errors and inconsistencies common with native approaches to AD management. Plus, robust and personalized approval procedures establish an IT process and oversight consistent with business requirements, with responsibility chains that complement the automated management of directory data.
  • Automate object creation: Automates a wide variety of tasks, including:
    • Creating users, groups, and contacts in Active Directory and Azure AD
    • Creating mailboxes on Exchange Server and assigning licenses in Office 365
    • Managing on-premises Exchange and Exchange Online properties
    • Provisioning objects in SaaS products

    Active Roles also automates the process of reassigning and removing user access rights in AD and AD-joined systems (including user and group deprovisioning) to ensure an efficient and secure administrative process over the user and group lifetimes. When a user’s access needs to be changed or removed, updates are made automatically in Active Directory, Azure AD, Exchange, Exchange Online, SharePoint, Skype for Business, and Windows, as well as any AD-joined systems such as Unix, Linux, and Mac OS X.

    NOTE: Mailboxes can be created only for Users; enabling a mailbox for a Contact is not allowed.

  • Day-to-day directory management: Simplifies management of:
    • Exchange recipients, including mailbox assignment, creation, movement, deletion, permissions, and distribution list management
    • Groups
    • Computers, including shares, printers, local users and groups
    • Active Directory, Azure AD, Exchange Online and AD LDS

    Active Roles also includes intuitive interfaces for improving day-to-day administration and help desk operations via both an MMC snap-in and a Web interface.

  • Manage users, groups, and contacts in a hosted environment: Provides Synchronization Service to operate in hosted environments where accounts from client AD domains are synchronized with host domains. Active Roles enables user, group, and contact management from the client domain to the hosted domain, while also synchronizing attributes and passwords.
  • Consolidate management points through integration: Complements your existing technology and identity and access management strategy. Simplifies and consolidates management points by ensuring easy integration with many One Identity products and Quest products, including One Identity Manager, Privileged Password Manager, Authentication Services, Defender, Password Manager, ChangeAuditor, and GPO Admin. Active Roles also automates and extends the capabilities of PowerShell, ADSI, SPML and customizable Web interfaces.

Active Roles 7.4.4 is a service pack release, with new features and functionality. See New features for details.

Supported platforms

Active Roles 7.4.4 introduces the following changes to system requirements from those for Active Roles 6.9.0:

  • Windows Server 2012 or a later version of the Windows Server operating system is required to run the Administration Service or Web Interface.
  • The following SQL Server versions are supported: Microsoft SQL Server 2012, 2014, 2016, 2017, and 2019.
  • You can use Active Roles to manage Exchange recipients on Exchange Server 2019, 2016, or 2013.

    NOTE: Microsoft Exchange 2013 CU11 is no longer supported. For more information, see Knowledge Base Article 202695.

  • Internet Explorer is no longer supported for Web Interface access. You can use the following Web browsers to access the Web Interface: Google Chrome, Mozilla Firefox, and Microsoft Edge on Windows 10.
  • The Web Interface is optimized for screen resolutions of 1280 x 800 or higher. The minimum supported screen resolution is 1024 x 768.

See also System requirements.

New Features

Active Roles 7.4.4 contains the following new features:

Azure AD configuration changes

In Active Roles 7.4.4, the process of setting up Azure tenants and configuring Active Roles as a consented Azure application for administering objects in Azure tenants has changed:

  • In the Active Roles Configuration Center, a new Azure AD Configuration option has been added, allowing you to:

    • Configure Active Roles as a consented Azure application with a secure client ID and secret ID-based authentication.

    • Add or remove Azure tenants to or from your organization.

    For more information, see Configuring an Azure tenant and Active Roles as an Azure application in the Active Roles Administration Guide.

    NOTE: Azure Multi-Factor Authentication (MFA) is enforced by default for all users and guest users in newly-created Azure tenants. To disable Azure MFA for the Azure tenant, sign in to the Azure portal and navigate to Tenant > Properties > Manage Security defaults and set Enable Security defaults to No.

  • In the Active Roles Web Interface, the following Azure tenant and Azure application-specific settings and configuration containers have been removed from the Directory Management > Tree > Azure > Azure Configuration node:

    • The Azure Applications and Azure Domains configuration containers.

    • The Add Azure Tenant and Add Azure Application options on the right-side pane when selecting the Azure Tenants, Azure Applications or Azure Domains configuration containers.

    • The General tab when viewing the properties of an existing Azure tenant.

    To access and configure the settings of these removed components, use the Azure AD Configuration option of the Active Roles Configuration Center.

    NOTE: The Directory Management > Tree > Azure node of the Active Roles Web Interface still retains the following Azure-specific features:

    • The Azure Tenants configuration object remains in the Web Interface, and provides access to the Azure AD Tenant Type and MFA security settings of the selected Azure tenant. These allow you to change the type of the Azure tenant (non-federated domain, federated domain or synchronized identity domain) even after the Azure tenant has been created, and enable or disable Azure MFA for the users and guest users of the tenant.

    • Configured Azure tenants (and their directory objects) are still listed in the Directory Management > Tree > Azure node of the Active Roles Web Interface, allowing you to administer their O365 Groups, Azure users, Azure contacts and Azure guest users.

    • The Azure Configuration node still provides access to the Azure Health Check, Azure Licenses Report and Office 365 Roles Report pages.

Azure SQL database support

Active Roles now supports the administration of Azure SQL databases.

Cloud-only Azure object support

Active Roles now supports the administration of cloud-only Azure users, guest users and contacts in a configured Azure tenant. For more information, see the following topics of the Active Roles Administration Guide:

  • For details on cloud-only Azure users, see Managing cloud-only Azure users.

  • For details on cloud-only Azure guest users, see Managing cloud-only Azure guest users.

  • For details on cloud-only Azure contacts, see Managing cloud-only Azure contacts.

Cloud-only Azure object policy support

The following Active Roles provisioning policies have been updated to support cloud-only Azure objects as well:

  • Property Generation and Validation: This policy now also supports specifying object property rules for cloud-only Azure objects. For more information, see Property Generation and Validation in the Active Roles Administration Guide.

  • Group Membership AutoProvisioning: This policy now also supports specifying group membership rules to automatically assign (or unassign) cloud-only Azure objects to (or from) O365 Groups of the same Azure tenant. For more information, see Group Membership AutoProvisioning in the Active Roles Administration Guide.

  • Script Execution: This policy now also supports PowerShell and other custom scripts for provisioning cloud-only Azure objects. For more information, see Script Execution in the Active Roles Administration Guide.

In addition, as part of extending policy support for cloud-only Azure objects, Active Roles also received the following new built-in Policy Object and Script Module:

  • Azure CloudOnly Policy - Default Rules to Generate Properties: Provides provisioning rules for the properties of cloud-only Azure objects, specifying whether they are mandatory or optional, along with their supported values. Find the policy in the Configuration > Policies > Administration > BuiltIn node of the Active Roles MMC interface, and use it as a template for creating your own custom policies.

  • Generate User Password - Azure only: Provides a new PowerShell script to generate passwords for cloud-only Azure users that fulfill Azure password policy conditions. Find the script module in the Configuration > Script Modules > BuiltIn node of the Active Roles MMC interface, and use it as a template for creating your own password generation policy for cloud-only Azure users.

Duo and Okta integration support

Duo and Okta are both cloud-based identity management services offering identity, authentication, and access control functions as a service. Active Roles can be integrated with Duo Multi-Factor Authentication (MFA) or Okta MFA to complement and extend identity and access management.

For more information, see the following topics of the Active Roles Administration Guide:

  • Appendix G: Active Roles integration with Duo MFA.

  • Appendix H: Active Roles integration with Okta MFA.

Other changes

  • Cloud-only objects have a uniqueness policy check upon creation.

  • Support for creating and managing B2C guest user accounts.

  • Support for SQL Server 2019.

  • Granular built-in access templates for Azure-only objects that allow delegating control.

  • Internet Explorer is no longer supported.

  • PowerShell modules AzureRM, MSOnline and SharePoint are no longer supported.
