Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Active Roles 7.5 - Administration Guide

Table of Contents

Introduction About Active Roles

Active Roles Main features Technical overview

Presentation components

Active Roles console (MMC Interface) Web Interface Custom Interfaces Active Roles ADSI Provider Reporting

Service components

Data processing component Configuration database Audit trail

Network data sources Security and administration elements

Access Templates for role-based administration Policy Objects to enforce corporate rules Managed Units to provide administrative views

Active Directory security management

Management of native security

Customization using ADSI Provider and script policies

Custom applications and user interfaces Custom script policies

Dynamic groups Workflows Operation in multi-forest environments

Examples of use

Distributing administration Integrating with other systems Managing a multi-forest Simplifying Active Directory Handling organizational changes User Account Management

Getting Started

Starting the Active Roles console

Delegating control to users for accessing MMC interface Getting and using help

User Interface overview

Console tree Details pane Advanced pane

Active Roles Security, Links Active Roles Policy Native Security Member Of, Members

Customizable Web Interface

Key features Different interfaces Role-based management

Controlled objects

Using Managed Units Setting up filter

Steps for sorting and filtering lists in the details pane

Finding objects

Steps for searching for a user, contact, or group Steps for searching for a computer Steps for searching for an Organizational Unit Steps for using advanced search options Steps for building a custom search LDAP syntax

Search filter format Operators Wildcards Special characters

Getting policy-related information Performing Batch operations

Performing bulk operation Performing bulk users password reset operation

Active Roles service account minimum permissions

Rule-based Administrative Views

About Managed Units

How Managed Units work

Administering Managed Units

Creating a Managed Unit

Steps for creating a Managed Unit Steps for modifying Managed Unit properties Steps for modifying permission settings on a Managed Unit Steps for modifying policy settings on a Managed Unit

Displaying members of a Managed Unit

Steps for displaying members of a Managed Unit

Adding or removing members from a Managed Unit

Steps for adding membership rules to a Managed Unit Steps for removing membership rules from a Managed Unit Steps for including a member to a Managed Unit Steps for excluding a member from a Managed Unit Steps for adding group members to a Managed Unit Steps for removing group members from a Managed Unit

Copying a Managed Unit

Steps for copying a Managed Unit

Exporting and importing a Managed Unit Renaming a Managed Unit

Steps for renaming a managed Unit

Deleting a Managed Unit

Steps for deleting a Managed Unit

Scenario: Implementing role-based administration across multiple OUs

Step 1: Creating the Managed Unit Step 2: Adding users to the Managed Unit Step 3: Preparing the Access Template Step 4: Applying the Access Template

Deployment considerations

Managed Unit membership rules Delegation of Managed Units

Working with Federated Authentication

Configuring Federated Authentication settings

Role-based Administration

Access Templates as administrative roles

How Access Templates work Security synchronization

Access Template management tasks

Using predefined Access Templates

Active Directory Azure AD LDS (ADAM) Computer Resources Configuration Exchange Starling User Interfaces User Self-management

Creating an Access Template

Add Permission Entries wizard Full Control access Object access Object property access Creation/Deletion of child objects permission Steps for creating an Access Template

Applying Access Templates

Steps for applying an Access Template

Managing Access Template links

Steps for managing Access Template links

Synchronizing permissions to Active Directory

Steps for synchronizing permissions to Active Directory Managing Active Directory permission entries

Adding, modifying, or removing permissions

Steps for adding permissions to an Access Template Steps for modifying permissions in an Access Template Steps for removing permissions from an Access Template

Nesting Access Templates

Steps for managing nested Access Templates

Copying an Access Template

Steps for copying an Access Template

Exporting and importing Access Templates Renaming an Access Template

Steps for renaming an Access Template

Deleting an Access Template

Steps for deleting an Access Template

Examples of use

Scenario 1: Implementing a Help Desk

Step 1: Preparing a Help Desk Access Template Step 2: Creating a Help Desk group Step 3: Applying the Help Desk Access Template

Scenario 2: Implementing Self-administration

Step 1: Preparing a self-administration Access Template Step 2: Applying the self-administration Access Template

Deployment considerations

Delegation of Organizational Unit administration Delegation of group administration Delegation in a functional vs. hosted environment

Delegation in a functional environment Delegation in a hosted environment

Windows claims-based Access Rules

Understanding Access Rules

Conditional Access Template links Prerequisites for using Access Rules

Configuring the Administration Service to support Kerberos authentication

Managing Windows claims

Enabling claim support

Domain controller Client computer

Claim Type management overview

Source attribute setting Claim type identifier setting Display name setting Description setting User or computer claim issuance setting Protection from accidental deletion Suggested values setting

Steps for managing Claim Types

Enabling and disabling claim types

Populating claim source attributes

Managing and applying Access Rules

Conditional expression editor Applying an Access Rule Steps for managing and applying Access Rules

Create or modify an Access Rule Configure a conditional expression for an Access Rule Apply an Access Rule to Access Template links

Deploying an Access Rule (demonstration steps)

Step 1. Prerequisites Step 2. Enable claim support Step 3. Create Claim Type Step 4. Create Access Rule Step 5. Apply Access Rule

Rule-based AutoProvisioning and Deprovisioning

About Policy Objects

Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work

Policy Object management tasks

Creating a Policy Object

Steps for creating a Policy Object

Adding, modifying, or removing policies

Steps for adding policies to a Policy Object Steps for modifying policies in a Policy Object Steps for removing policies from a Policy Object

Applying Policy Objects

Adding Managed Units or containers to policy scope Adding Policy Objects to policy list for directory object Steps for applying a Policy Object

Managing policy scope

Steps for managing Policy Object links Steps for excluding an object from policy scope

Copying a Policy Object

Steps for copying a Policy Object

Renaming a Policy Object

Steps for renaming a Policy Object

Exporting and importing Policy Objects Deleting a Policy Object

Steps for deleting a Policy Object

Policy configuration tasks

Property Generation and Validation

How this policy works How to configure a Property Generation and Validation policy

Entry type: Text Entry type: <Object> Property Entry type: Parent OU Property Entry type: Parent Domain Property Entry type: Mask Steps for configuring a Property Generation and Validation policy Steps for configuring entries Scenario 1: Using mask to control phone number format

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Scenario 2: Using regular expressions to control phone number format

Step 1: Configuring the Policy Object Step 2: Applying the Policy Object

User Logon Name Generation

How this policy works How to configure a User Logon Name Generation policy

Configuring a logon name generation rule Entry type: Uniqueness Number

Steps for configuring a User Logon Name Generation policy Scenario 1: Using uniqueness number

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Scenario 2: Using multiple rules

Step 1: Configuring the Policy Object Step 2: Applying the Policy Object

Group Membership AutoProvisioning

How this policy works How to configure a Group Membership AutoProvisioning policy Steps for configuring a Group Membership AutoProvisioning policy Scenario: Adding users to a specified group

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

E-mail Alias Generation

How this policy works How to configure an E-mail Alias Generation policy

Configuring a custom generation rule

Steps for configuring an E-mail Alias Generation policy Scenario: Generating e-mail alias based on user names

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Exchange Mailbox AutoProvisioning

How this policy works How to configure an Exchange Mailbox AutoProvisioning policy Steps for configuring an Exchange Mailbox AutoProvisioning policy Scenario: Mailbox store load balancing

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Default creation options for Exchange mailbox

AutoProvisioning for SaaS products

How this policy works Create Provisioning policy for Starling Connect

OneDrive Provisioning

How this policy works Creating provisioning policy for OneDrive

Home Folder AutoProvisioning

How this policy works

Creating home folders and shares when creating user accounts Renaming home folders when renaming user accounts Option to prevent operation on file server

How to configure a Home Folder AutoProvisioning policy

Connect <Drive Letter> To <Network Path> Enforce this home folder setting in Active Directory Apply this home folder setting when user account is created Apply this home folder setting when user account is renamed Create or rename home folder on file server as needed Copy user permissions on home folder from parent folder Set user as home folder owner Set user permissions on home folder

Steps for configuring a Home Folder AutoProvisioning policy Using the built-in policy for home folder provisioning Configuring the Home Folder Location Restriction policy Scenario: Creating and assigning home folders

Step 1: Verifying the Home Folder Location Restriction policy Step 2: Creating and Configuring the Policy Object Step 3: Applying the Policy Object

Script Execution

How this policy works How to configure Script Execution policy

Importing a script Creating a script Editing a script Configuring a policy to execute a script

Steps for configuring a Script Execution policy Scenario: Restricting group scope

Step 1: Preparing the script module Step 2: Creating and configuring the Policy Object Step 3: Applying the Policy Object

Office 365 and Azure Tenant Selection

How this policy works Configuring an O365 and Azure Tenant Selection policy Applying a new policy

User Account Deprovisioning

How this policy works How to configure a User Account Deprovisioning policy

Configuring a property update rule Entry type: Date and Time Entry type: Initiator ID Configuring a custom rule to build the Initiator ID

Steps for configuring a User Account Deprovisioning policy Scenario 1: Disabling and renaming the user account upon deprovisioning

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Scenario 2: Managed Unit for deprovisioned user accounts

Step 1: Creating and configuring the Managed Unit Step 2: Configuring the Policy Object Step 3: Applying the Policy Object

Office 365 Licenses Retention

How this policy works How to configure the Office 365 Licenses Retention policy Steps for configuring Office 365 Licenses Retention policy Report on O365 Lic Retention deprovisioning policy

Group Membership Removal

How this policy works How to configure a Group Membership Removal policy Steps for configuring a Group Membership Removal policy Scenario: Removing deprovisioned users from all groups

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Exchange Mailbox Deprovisioning

How this policy works How to configure an Exchange Mailbox Deprovisioning policy Steps for configuring an Exchange Mailbox Deprovisioning policy Scenario: Hide mailbox and forward e-mail to manager

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Home Folder Deprovisioning

How this policy works How to configure a Home Folder Deprovisioning policy Steps for configuring a Home Folder Deprovisioning policy Scenario: Removing access to home folder

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

User Account Relocation

How this policy works How to configure a User Account Relocation policy Steps for configuring a User Account Relocation policy Scenario: Organizational Unit for deprovisioned user accounts

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

User Account Permanent Deletion

How this policy works How to configure a User Account Permanent Deletion policy Steps for configuring a User Account Permanent Deletion policy Scenario: Deleting deprovisioned user accounts

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Group Object Deprovisioning

How this policy works How to configure a Group Object Deprovisioning policy Steps for configuring a Group Object Deprovisioning policy Scenario 1: Disabling and renaming the group upon deprovisioning

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Scenario 2: Managed Unit for deprovisioned groups

Step 1: Creating and configuring the Managed Unit Step 2: Configuring the Policy Object Step 3: Applying the Policy Object

Group Object Relocation

How this policy works How to configure a Group Object Relocation policy Steps for configuring a Group Object Relocation policy Scenario: Organizational Unit for deprovisioned groups

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Group Object Permanent Deletion

How this policy works How to configure a Group Object Permanent Deletion policy Steps for configuring a Group Object Permanent Deletion policy Scenario: Deleting deprovisioned groups

Step 1: Creating and configuring the Policy Object Step 2: Applying the Policy Object

Notification Distribution

How this policy works How to configure a Notification Distribution policy Configuring e-mail settings Steps for configuring a Notification Distribution policy Scenario: Sending deprovisioning notification

Step 1: Creating the e-mail configuration Step 2: Creating, configuring, and applying the Policy Object

Report Distribution

How this policy works How to configure a Report Distribution policy Steps for configuring a Report Distribution policy Scenario: Sending deprovisioning report

Step 1: Creating the e-mail configuration Step 2: Creating, configuring, and applying the Policy Object

Deployment considerations Checking for policy compliance

Steps to check for policy compliance

Deprovisioning users or groups

Default deprovisioning options Delegating the Deprovision task Using the Deprovision command Report on deprovisioning results

Report contents

Report section: User Account Deprovisioning Report section: Group Membership Removal Report section: Exchange Mailbox Deprovisioning Report section: Home Folder Deprovisioning Report section: User Account Relocation Report section: User Account Permanent Deletion Report section: Group Object Deprovisioning Report section: Group Object Relocation Report section: Group Object Permanent Deletion Report section: Notification Distribution Report section: Report Distribution

Restoring deprovisioned users or groups

Policy options to undo user deprovisioning Delegating the task to undo deprovisioning Using the Undo Deprovisioning command Report on results of undo deprovisioning

Report contents

Report section: Undo User Account Deprovisioning Report section: Undo Group Membership Removal Report section: Undo Exchange Mailbox Deprovisioning Report section: Undo Home Folder Deprovisioning Report section: Undo User Account Relocation Report section: Undo User Account Permanent Deletion Report section: Undo Group Object Deprovisioning Report section: Undo Group Object Relocation Report section: Undo Group Object Permanent Deletion

Container Deletion Prevention policy

Protecting objects from accidental deletion

Picture management rules Policy extensions

Design elements

Policy type deployment Policy type usage Policy Type objects

Creating and managing custom policy types

Creating a Policy Type object Changing an existing Policy Type object Using Policy Type containers Exporting policy types Importing policy types Configuring a policy of a custom type Deleting a Policy Type object

Understanding workflow

Key features and definitions

Workflow Workflow definition Workflow start conditions Workflow instance Workflow activity Workflow Designer Workflow engine E-mail Notifications

About workflow processes Workflow processing overview

About start conditions

Workflow activities overview

Approval activity

Approvers and escalation Request for information Customization Notification

Notification recipients Notification delivery Notification message Web Interface address E-mail server

Notification activity

Notification recipients Notification message Web Interface address E-mail server

Script activity

Notification Error handling

If-Else activity

If-Else branch conditions Error handling

Stop/Break activity Add Report Section activity Search activity

Search scenario Object type Search scope Search options Search for inactive accounts Search filter Notification Error handling “Run as” options Additional settings Stop Search activity

CRUD activities

“Create” activity “Update” activity “Add to group” activity “Remove from group” activity “Move” activity “Deprovision” activity “Undo deprovision” activity “Delete” activity Activity target Notification Error handling “Run as” options Additional settings

Save Object Properties activity

Retrieving saved properties

Modify Requested Changes activity

Configuring a workflow

Creating a workflow definition Configuring workflow start conditions

Operation conditions Initiator conditions Filtering conditions

Steps to configure filtering conditions Configuring script-based conditions “Run as” options Enforce approval

Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity

Configure approvers Configure escalation Configure request for additional information Configure request for review Customize the header of the approval task page Customize approval action buttons

Configuring a Notification activity

Events, recipients and messages Active Roles Web Interface E-mail server settings

Configuring a Script activity Configuring an If-Else activity

Steps to configure error handling Configuring conditions for an If-Else branch

Configuring a script-based condition

Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity

Configure scope and filter

Configuring a search filter

Configure notification Configure error handling Configure “run as” options Configure additional settings

Configuring CRUD activities

“Create” activity “Update” activity “Add to group” activity “Remove from group” activity “Move” activity “Deprovision” activity “Undo deprovision” activity “Delete” activity Configuring notification Configuring error handling Configuring “run-as” options Configuring additional settings

Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script

Example: Approval workflow

Definition of terms

Approval Approval rule (Approval activity) Approval task Approver Initiator (requestor) Notification Operation Operation target object

Action: Approve Action: Reject Multiple approvers Multiple tasks

Creating and configuring an approval workflow

Creating a workflow definition Specifying workflow start conditions Specifying approvers Configuring notification

Notification recipients Notification delivery Notification message template

E-mail based approval

Integration with Microsoft Outlook

Software and configuration requirements

Integration with non-Outlook e-mail clients

Software and configuration requirements

E-mail transport via Exchange Web Services

Configuration settings

Exchange Web Services address Active Roles mailbox credentials Options for the Approve and Reject links

Steps to configure the use of Exchange Web Services

Automation workflow

Automation workflow options and start conditions

Run the workflow on a schedule

Server to run the workflow

Allow the workflow to be run on demand “Run as” options

Enforce approval

Additional settings Parameters Initialization script

Using automation workflow

Creating an automation workflow definition Configuring start conditions for an automation workflow Adding activities to an automation workflow Running an automation workflow on demand Viewing run history of an automation workflow Terminating a running automation workflow Disabling an automation workflow from running Re-enabling an automation workflow to run Delegating automation workflow tasks

Allowing access to workflow containers Delegating full control of automation workflows Delegating the task of running automation workflow Delegating the task of viewing run history of automation workflow

Sample Azure Hybrid Migration

Managing Remote Mailbox

Office 365 automation workflow

Creating Office 365 shared mailbox Enabling Azure Roles

Activity extensions

Design elements

Activity type deployment Activity type usage Policy Type objects

Creating and managing custom activity types

Creating a Policy Type object Changing an existing Policy Type object Using Policy Type containers Exporting activity types Importing activity types Configuring an activity of a custom type Deleting a Policy Type object

Temporal Group Memberships

Understanding temporal group memberships Using temporal group memberships

Adding temporal members Viewing temporal members Rescheduling temporal group memberships Removing temporal members

Understanding Group Family

Design overview How it works

Cross-domain Group Family

Group Family policy options

Creating a Group Family

Start the New Group Family wizard Name the Group Family Grouping Options Location of managed objects Selection of managed objects Group-by properties

About multi-valued group-by properties

Capture existing groups manually Group naming rule

Entry type: Group-by Property Separate rule for each naming property

Group type and scope Location of groups Exchange-related settings Group Family scheduling Steps for creating a Group Family

Administering Group Family

Controlled groups General tab Controlled Groups tab

Group creation-related rules

Groupings tab Schedule tab Action Summary tab

Action summary log

Steps for administering a Group Family

Scenario: Departmental Group Family

Understanding dynamic groups

Cross-domain membership

Dynamic groups policy options Managing dynamic groups

Converting a basic group to a dynamic group Displaying the members of a dynamic group Adding a membership rule to a dynamic group Removing a membership rule from a dynamic group Converting a dynamic group to a basic group Modifying, renaming, or deleting a dynamic group

Scenario: Automatically moving users between groups

Step 1: Creating the groups Step 2: Configuring the membership rules

Active Roles Reporting

Introduction Collector to prepare data for reports

Starting the Active Roles Collector wizard Collecting data from the network

Steps for collecting data from the network

Processing gathered events

Steps for processing gathered events

Importing events from an earlier database version Deploying reports to the Report Server

Working with reports

Configuring the data source Generating and viewing a report Contents of the Active Roles Report Pack

Active Directory Assessment/Domains Active Directory Assessment/Users/Account Information Active Directory Assessment/Users/Exchange Active Directory Assessment/Users/Obsolete Accounts Active Directory Assessment/Users/Miscellaneous Information Active Directory Assessment/Groups Active Directory Assessment/Group Membership Active Directory Assessment/Organizational Units Active Directory Assessment/Other Directory Objects Active Directory Assessment/Potential Issues Active Roles Tracking Log/Active Directory Management Active Roles Tracking Log/Dashboard Active Roles Events Active Roles Configuration Changes Active Roles Workflow Administrative Roles Managed Units Policy Objects Policy Compliance

Management History

Understanding Management History

Considerations and best practices

Management History configuration

Change-tracking policy Change Tracking log configuration Replication of Management History data

Replication is not yet configured Replication is already configured Re-configuring replication of Management History data

Centralized Management History storage

Importing data to the new Management History database

Viewing change history

Workflow activity report sections

“Approval” activity “Script” activity “Stop/Break” activity “Add Report Section” activity “Create” activity “Update” activity “Add to group” activity “Remove from group” activity “Move” activity “Deprovision” activity “Undo deprovision” activity “Delete” activity

Policy report items

Report section: Executing the 'User Logon Name Generation' policy Report section: Executing the 'E-mail Alias Generation' policy Report section: Executing the 'Exchange Mailbox AutoProvisioning' policy Report section: Executing the 'Group Membership AutoProvisioning' policy Report section: Executing the 'Home Folder AutoProvisioning' policy Report section: Executing the 'Property Generation and Validation' policy Report section: Executing policy script 'name'

Active Roles internal policy report items

Report section: Creating user mailbox Report section: Creating linked mailbox Report section: Creating equipment mailbox Report section: Creating room mailbox Report section: Creating shared mailbox Report section: Moving mailbox Report section: Deleting mailbox Report section: Removing Exchange attributes Report section: Enabling mailbox for Unified Messaging Report section: Disabling Unified Messaging for mailbox Report section: Resetting Unified Messaging PIN Report section: Establishing e-mail address for group Report section: Creating query-based distribution group Report section: Establishing e-mail address for user Report section: Establishing e-mail address for contact Report section: Deleting e-mail address for group Report section: Deleting e-mail address for user Report section: Deleting e-mail address for contact Report section: Converting user mailbox to linked mailbox Report section: Converting linked mailbox to user mailbox

Examining user activity

Entitlement Profile

Understanding entitlement profile

About entitlement profile specifiers

Entitlement type Entitlement rules Resource display About entitlement profile build process

Entitlement profile configuration

Creating entitlement profile specifiers Changing entitlement profile specifiers Pre-defined specifiers

Viewing entitlement profile

Authorizing access to entitlement profile

Understanding Recycle Bin Finding and listing deleted objects

Searching the Deleted Objects container Searching for objects deleted from a certain OU or MU

Restoring a deleted object Delegating operations on deleted objects Applying policy or workflow rules

AD LDS Data Management

Registering an AD LDS instance Managing AD LDS objects

Adding an AD LDS user to the directory Adding an AD LDS group to the directory Adding or removing members from an AD LDS group Disabling or enabling an AD LDS user account Setting or modifying the password of an AD LDS user Adding an organizational unit to the directory Adding an AD LDS proxy object (user proxy)

Configuring Active Roles for AD LDS

Configuring Managed Units to include AD LDS objects Viewing or setting permissions on AD LDS objects Viewing or setting policies on AD LDS objects

One Identity Starling Management

Starling Join Pre-requisites to configure One Identity Starling Configuring Active Roles to join One Identity Starling Disconnecting One Identity Starling from Active Roles

One Identity Starling Two-factor Authentication for Active Roles

Starling Two-Factor Authentication User Access template ARS 2FA Users group Pre-requisites to use One Identity Starling 2FA Allowing two-factor authentication for Active Roles users Steps to create ARS 2FA Users group manually Registering to One Identity Starling 2FA Logging in to Web interface through 2FA authentication Logging in to MMC interface through 2FA authentication Disallowing two-factor authentication for Active Roles users Disabling or Enabling Starling 2FA Users from Configuration Centre

Managing One Identity Starling Connect

Viewing Starling Connect settings in Active Roles Configuration Center Create Provisioning policy for Starling Connect Provision a new SaaS user using the Web interface Provision an existing Active Roles user for SaaS products Update the SaaS product user properties Delete the SaaS product user Deprovision an existing Active Roles user for SaaS products Notifications for Starling operations SCIM attribute mapping with Active Directory

Azure AD, Office 365, and Exchange Online management

Configuring Active Roles to manage hybrid AD objects

Configuring Active Roles to manage Azure AD using the GUI

Configuring a new Azure tenant and consenting Active Roles as an Azure application Importing an Azure tenant and consenting Active Roles as an Azure application Viewing or modifying the Azure AD tenant type Enabling OneDrive in an Azure tenant

Prerequisites of enabling OneDrive in an Azure tenant

Checking and adding the Sites.FullControl.All permission for Active Roles

Configuring OneDrive for an Azure tenant

Removing an Azure AD tenant View Azure Health for Azure AD tenants and applications View Azure Licenses Report View Office 365 Roles Report Azure Tenant Association

Configuring ARS using Mgt Shell to Manage Hybrid AD Objects

Add an Azure AD tenant using Mgt Shell Add an Azure AD Application

Active Roles Configuration steps

Configuring the Azure - Default Rules to Generate Properties policy

Active Roles Configuration to synchronize

Configure Azure backsync automatically Configuring Sync Workflow to back-synchronize manually

Configuring Sync Workflow to back-synchronize AD contacts

Changes to Azure O365 Policies in Active Roles after 7.4.1

Managing Hybrid AD Users

Azure AD user management tasks using UI

Create a new Azure AD user View or update the Azure AD Modify the Azure AD user Manager Disable or re-enable an Azure AD user Deprovision or undo deprovision Ad user Add or remove a Azure AD View the Change History Delete an Azure AD user

Hybrid User Management tasks using web interface

Create new hybrid user Migrate from Exchange on-prem user to hybrid user View Exchange Online Properties for an Office 365 user

View or modify the message size restrictions

View or modify the message delivery options

View or modify Mailbox delegation settings View or modify Email Address settings View or modify Mailbox features

Specify Archive Mailbox name

View or modify Mailbox settings

Azure AD user management tasks using MShell

Create a new Azure AD user using Mshell Update the Azure AD View the Azure AD Delete an Azure AD user using MShell

Office 365 license management

Assign Office 365 licenses to new users Assign Office 365 licenses to existing Modify or remove Office 365 licenses Update Office 365 licenses display names

Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning

How this policy works Configuring an O365 and Azure Tenant Selection policy Applying a new policy

Office 365 roles management for hybrid environment users

Assign Office 365 roles to existing hybrid users Modify Office 365 roles assigned to hybrid users

Managing Office 365 Contacts

Office 365 contact management tasks using UI

Create a new Office 365 contact View or update the Office 365 contact View the Change History for Office 365 Contacts Delete an Office 365 contact

Managing Hybrid AD Groups

Azure AD Group management UI

Create an Azure AD group View or modify Azure AD group Add or remove members to AD group View the Change History Ad group Delete an Azure AD group

Azure AD Group management tasks Mshell

Create a new Azure AD Group Update the Azure AD Group Delete an Azure AD group Add a member to Azure AD Group Remove a member from Azure AD Group

Managing Office 365 Groups

Configuring O365 Groups with the Web Interface

Creating an O365 Group with the Web Interface Modifying an O365 Group with the Web Interface Adding or removing owners from an O365 Group with the Web Interface Adding or removing members from an O365 Group with the Web Interface Viewing the members of a dynamic O365 Group with the Web Interface Viewing the change history of an O365 Group in the Web Interface Deleting an O365 Group with the Web Interface

Office 365 Group management tasks using Management Shell interface

Create a new Office 365 Group Update the Office 365 Group properties Delete an Office 365 group Adding members to an Office 365 Group with the Management Shell Get a member from Office 365 Group Get group from Office 365 Group Removing members from an Office 365 Group with the Management Shell

Scheduling an O365 group synchronization task

Managing Azure Security Groups

Creating an Azure Security Group with the Web Interface Modifying an Azure Security Group with the Web Interface Adding or removing owners from an Azure Security Group with the Web Interface Adding or removing members from an Azure Security Group with the Web Interface Viewing the members of a dynamic Azure Security Group with the Web Interface Viewing the change history of an Azure Security Group in the Web Interface Deleting an Azure Security Group with the Web Interface

Managing cloud-only Azure users

Viewing cloud-only Azure user Creating a new cloud-only Azure user Viewing or modifying cloud-only Azure user properties Configuring Microsoft OneDrive for cloud-only Azure users Disabling cloud-only Azure user Viewing and modifying Exchange Online properties Resetting password for a cloud-only Azure user Renaming Azure user Viewing Azure membership Viewing change history Deleting an Azure user account

Managing cloud-only Azure guest users

Inviting an Azure guest user Viewing Azure guest users Disabling or Enabling an Azure guest user Revoking the session of an Azure guest user Resending the invitation to an Azure guest user Renaming an Azure guest user Viewing and updating the properties of an Azure guest user

Configuring the Identity settings of an Azure guest user Configuring the Settings of an Azure guest user Configuring the Job Info settings of an Azure guest user Configuring the Contact Info settings of an Azure guest user Configuring the Licenses settings of an Azure guest user Configuring the O365 Admin Roles settings of an Azure guest user

Viewing or updating the Exchange Online properties of an Azure guest user

Configuring the Mail Flow Settings of an Azure guest user Configuring the Delegation settings of an Azure guest user Configuring Email Address settings for Azure guest users Configuring Mailbox Features for Azure guest users Configuring Mailbox Settings for Azure guest users

Deleting an Azure guest user Configuring the O365 Group membership of an Azure guest user Viewing the change history of an Azure guest user

Managing cloud-only Azure contacts

View cloud only Azure contacts Create new cloud only Azure contacts View or modify Azure contacts properties Renaming Azure cloud contacts Viewing and modifying Exchange Online properties Viewing change history Deleting an Azure contact

Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes

Creating a new room mailbox Viewing or modifying a room mailbox Deleting a room mailbox

Managing Configuration of Active Roles

Connecting to the Administration Service

Delegating control to users for accessing MMC interface Steps for connecting to the Administration Service

Adding and removing managed domains

Steps for adding or removing a managed domain

Using unmanaged domains

Configuring an unmanaged domain

Evaluating product usage

Viewing product usage statistics

Delegating access to the managed object statistics

Scheduled task to count managed objects Managed scope to control product usage Voluntary thresholds for the managed object count Installation label

Creating and using virtual attributes

Scenario: Implementing a Birthday attribute

Examining client sessions Monitoring performance Customizing the console

“Other Properties” page in object creation wizard “Other Properties” tab in the Properties dialog box Customizing object display names

Using Configuration Center

Configuration Center design elements Configuring a local or remote Active Roles instance Running Configuration Center

Pre-requisites to run the Configuration Center

Tasks you can perform in Configuration Center

Initial configuration tasks

Configure the Administration Service Configure the Web Interface

Administration Service management tasks

View the core Administration Service settings Change the core Administration Service settings Import configuration data Import management history data View the state of the Administration Service Start, stop or restart the Administration Service

Web Interface management tasks

Identify Web Interface sites Create a Web Interface site Modify a Web Interface site Delete a Web Interface site Export a Web Interface site’s configuration object to a file Configure Web interface for secure communication Disabling secure communication for Web interface sites Configuring Federated authentication

Starling Join configuration task MMC interface access management Logging management tasks Solution Intelligence

Enabling or disabling Solution Intelligence

Configuring gMSA as an Active Roles Service account

Configuring the Active Roles Service account to use a gMSA account Changing the Active Roles Service account to use a gMSA account

Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer

Using Log Viewer

SQL Server Replication

Publisher Subscribers Distributor Replication group Standalone database server Articles and publications SQL Server Agent Replication Agents

Replication model overview

Replication group management Data synchronization and conflict resolution

SQL Server-related permissions Configuring SQL Server Configuring replication The replication group

Creating a replication group Adding members to a replication group

Steps for adding members to a replication group

Removing members from a replication group

Steps for removing members from a replication group

Monitoring replication Using AlwaysOn Availability Groups

Availability Group setup in Active Roles

Configuring the database connection to use the listener

Management History data stored in a separate database

Using database mirroring

Role switching Database Mirroring setup in Active Roles

Viewing replication settings

Replication Agent schedule

Monitoring replication Viewing database connection settings Modifying database connection settings Changing the service account Changing the SQL Server Agent logon account Modifying Replication Agent credentials

Windows authentication SQL Server authentication

Moving the Publisher role Recovering replication if Publisher is not available Troubleshooting

Replication Agent malfunction

Solution

Replication Agent authentication problems

Solution

SQL Server identification problems

Solution

Appendix A: Using regular expressions

Examples of regular expressions Order of precedence

Appendix B: Administrative Template

Active Roles snap-in settings Administration Service auto-connect settings

'Allowed Servers for Auto-connect' setting 'Disallowed Servers for Auto-connect' setting 'Additional Servers for Auto-connect' setting

Loading the Administrative Template

Appendix C: Communication ports

Access to the managed environment

Access to DNS servers Access to domain controllers Access to Exchange servers Computer resource management Computer restart Home folder provisioning and deprovisioning Access to SMTP server for e-mail integration Access to AD LDS instances

Access to SMTP server for e-mail integration Access to Active Roles Administration Service Access to Web Interface

Appendix D: Active Roles and supported Azure environments

Azure Object Management supported in various Azure environments Azure Object Management in Non-Federated environment Azure Object Management in Federated and Synchronized Identity environments

Appendix E: Enabling Federated Authentication

Configuring the domain service account for Federated Authentication Updating Local Policies Creating SPN entries for the domain service account Enabling delegation for Federated Authentication Redistributable STS

Installing Redistributable STS Configuring Redistributable STS in RStsApiAdmin Configuring Redistributable STS in Configuration Center

Examples of configuring identity providers

Appendix F: Active Roles integration with other One Identity and Quest products Appendix G: Active Roles integration with Duo MFA

Configuring Duo for Active Roles Integrating Active Roles with Duo Validating Duo Multi-Factor Authentication

Appendix H: Active Roles integration with Okta MFA

Configuring Okta for Active Roles Integrating Active Roles with Okta Validating Okta Multi-Factor Authentication

One Identity Starling Two-factor Authentication for Active Roles

Since Active Roles manages confidential Active Directory user details in both on-premises and cloud based environments, it is appropriate and safer to have an additional security measure such as the two-factor authentication. Active Roles now supports One Identity's Starling Two-Factor Authentication service.

The Starling Two-factor authentication provides enhanced security by necessitating users to provide two forms of authentication to Active Roles, namely a user name and password combination along with a token response. The token response is collected through an SMS, Phone call, or push notification received on a physical device such as a mobile or any other device other than the browser.

Starling Two-Factor Authentication User Access template

On installing Active Roles on a computer, the Starling Join feature is included by default. The Starling Two-Factor Authentication User Access template is generated and displayed as part of the Builtin Access templates. The Starling - Two Factor Authentication User Access template provides the Active Roles users with minimal permissions that includes enabling of mobile and email property for the users.

ARS 2FA Users group

After the Starling Join operation is completed successfully, the ARS 2FA Users group is generated and displayed in the Builtin Container by default. All members of the 2FA group have the Starling Two-Factor Authentication User Access template applied by default.

Pre-requisites to use One Identity Starling 2FA

Active Roles users who can use the Starling Two-factor Authentication feature must satisfy the following conditions:

The Active Roles users must be members of the ARS 2FA Users group.
The Active Roles users must have Starling Two-Factor Authentication User Access template permissions applied.
The Active Roles users must have their mobile number and Email address properties populated.

For information on the mobile number formats that are allowed, see the One Identity Starling User Guide on https://support.oneidentity.com/technical-documents.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center