
Active Roles 8.0 LTS - Administration Guide


Configuring the Azure - Default Rules to Generate Properties policy

If you want to manage hybrid Azure objects (such as hybrid Azure users) in an Organizational Unit (OU), use the built-in Azure - Default Rules to Generate Properties Policy Object in the Active Roles Console (also known as the MMC Interface) to provision the default properties and accepted values of hybrid objects.

To configure the built-in Azure - Default Rules to Generate Properties policy

  1. In the Active Roles Console, navigate to Configuration > Policies > Administration > BuiltIn.

  2. Right-click on Built-in Policy - Azure - Default Rules to Generate Properties and click Policy Scope.

  3. To open the Select Objects dialog for specifying the OU for provisioning, click Add.

  4. In the Select Objects dialog, browse to the OU in which hybrid Azure users are to be provisioned, select it, and click Add.

    TIP: If no elements are displayed in the Select Objects dialog, select Click here to display objects.

  5. To apply the changes and close the dialog, click OK.

NOTE: The new provisioning policy settings will be applied automatically only to objects created after configuring the Azure - Default Rules to Generate Properties policy object.

To create cloud Azure users for existing on-premises users, you must create the cloud Azure user manually for each existing on-premises user in the Active Roles Web Interface. To do so:

  1. Navigate to the folder of the hybrid users of the OU under Directory Management > Tree > Active Directory > <your-AD-folder> > <your-OU-folder>.

  2. Select the on-premises user for which you want to create a cloud Azure user.

  3. To open the New Azure User dialog, on the right pane, click Create Azure User. For more information on the steps of creating a new cloud Azure user, see Creating a new cloud-only Azure user.


Active Roles Configuration to synchronize existing Azure AD objects to Active Roles

In a hybrid environment, on-premises Active Directory objects are synchronized to Azure AD using Azure AD Connect. When Active Roles is deployed in such an environment, information about the existing users and groups, such as the Azure object ID, must be synchronized back from Azure AD to on-premises AD so that Active Roles can continue to manage those objects. Existing AD users and groups are synchronized from Azure AD to Active Roles with the back-synchronization (backsync) operation.

In a federated or synchronized identity environment, objects such as users, groups, or contacts are created on-premises and then synchronized to Azure using Azure AD Connect. The backsync operation obtains the object ID of these objects and writes it to the edsvaAzureObjectID attribute in Active Roles, which enables further management of the objects.

The back-synchronization operation can be performed automatically or manually using the Active Roles Synchronization Service Console:

  • Automatic back synchronization uses the Azure BackSync Configuration feature of the Active Roles Synchronization Service, which lets you configure the backsync of Azure objects with on-premises Active Directory objects from the Active Roles Synchronization Service Console. When the configuration completes successfully, the Azure application registration and the required connections, mappings, and sync workflow steps are created automatically.

    For information on configuring the backsync operation automatically using the Active Roles Synchronization Service Console, see Configuring Sync Workflow to back-synchronize Azure AD Objects to Active Roles automatically using the Active Roles Synchronization Service Console.

    For more information on the results of the backsync operation see the One Identity Active Roles Synchronization Service Administration Guide.

  • Manual back synchronization leverages the existing functionality of the Synchronization Service component of Active Roles. Synchronization workflows are configured to uniquely identify the Azure AD users or groups and map them to the on-premises AD users or groups. After the back-synchronization operation is completed, Active Roles displays the configured Azure attributes for the synchronized objects.

    For information on configuring Synchronization workflows for Azure AD, see One Identity Active Roles Synchronization Service Administration Guide.


Configuring Sync Workflow to back-synchronize Azure AD Objects to Active Roles automatically using the Active Roles Synchronization Service Console

Prerequisites to configure the back-synchronization:

  • The hybrid environment must have Azure AD Connect installed and configured.
  • The user account used to perform the backsync configuration must hold the following Azure AD roles:

    • User Administrator
    • Exchange Administrator
    • Application Administrator
  • The Windows Azure Active Directory (Azure AD) PowerShell module version 2.0.0.131 or later must be installed for the backsync feature to work successfully.
  • The Directory Writers role must be activated in Azure Active Directory. To activate it, run the following script (the activation is needed only once per tenant; the script skips it if the role is already active):

    $psCred = Get-Credential
    Connect-AzureAD -Credential $psCred

    # Look up the "Directory Writers" role template
    $roleTemplate = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq "Directory Writers" }

    # Enable an instance of the DirectoryRole template, unless it is already active in the tenant
    if (-not (Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $roleTemplate.ObjectId })) {
        Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId
    }

  • For the back-synchronization to work as expected, the user in Active Roles must have write permissions for edsvaAzureOffice365Enabled, edsaAzureContactObjectId and edsvaAzureObjectID. The user must also have local administrator privileges on the server where the Active Roles Synchronization Service is running.
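The following PowerShell script is an added example for checking the prerequisites above; it is not part of this guide or of the Active Roles product. It assumes the AzureAD PowerShell module is installed and that the account that will run Configure Azure BackSync signs in interactively. It checks that the Directory Writers role is activated, that the signed-in account holds the three required roles, and that the module version meets the stated minimum. Role display names are matched against both current and legacy names, because older tenants still report the legacy names.

```powershell
# Added example (not part of the Active Roles documentation): verifies the backsync
# prerequisites for the account that signs in. Assumes the AzureAD module is installed.
Connect-AzureAD | Out-Null

# Required roles, with the legacy display names some tenants still report
$requiredRoles = @{
    "User Administrator"        = @("User Administrator", "User Account Administrator")
    "Exchange Administrator"    = @("Exchange Administrator", "Exchange Service Administrator")
    "Application Administrator" = @("Application Administrator")
}

# The signed-in account; -ObjectId accepts a UPN
$me = Get-AzureADUser -ObjectId (Get-AzureADCurrentSessionInfo).Account.Id

# Get-AzureADDirectoryRole returns only roles that have been activated in the tenant
$activeRoles = Get-AzureADDirectoryRole

# Check 1: the Directory Writers role must be activated
if ($activeRoles | Where-Object DisplayName -eq "Directory Writers") {
    "OK   Directory Writers role is activated"
} else {
    "FAIL Directory Writers role is not activated; run Enable-AzureADDirectoryRole as shown above"
}

# Check 2: the signed-in account must hold each required role.
# Only active assignments are visible here; a PIM-eligible role that has not been
# activated for this session is reported as FAIL, which is also what backsync would see.
foreach ($name in $requiredRoles.Keys) {
    $role = $activeRoles |
            Where-Object { $requiredRoles[$name] -contains $_.DisplayName } |
            Select-Object -First 1
    if (-not $role) { "FAIL $name role is not activated in the tenant"; continue }
    $holds = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
             Where-Object ObjectId -eq $me.ObjectId
    if ($holds) { "OK   $($me.UserPrincipalName) holds $($role.DisplayName)" }
    else        { "FAIL $($me.UserPrincipalName) does not hold $($role.DisplayName)" }
}

# Check 3: minimum AzureAD module version required by the backsync feature
$mod = Get-Module -ListAvailable -Name AzureAD | Sort-Object Version -Descending | Select-Object -First 1
if ($mod -and $mod.Version -ge [version]"2.0.0.131") { "OK   AzureAD module $($mod.Version)" }
else { "FAIL AzureAD module 2.0.0.131 or later is required" }
```

Run the script on the server that will host the Synchronization Service, signed in as the backsync account, and resolve every FAIL line before clicking Configure BackSync; the local administrator requirement from the last prerequisite is not checked here.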

To configure Azure backsync in Active Roles Synchronization Service

  1. In the upper right corner of the Synchronization Service Administration Console, select Settings | Configure Azure BackSync.

    The Configure BackSync operation in Azure with on-premises Active Directory objects dialog box is displayed.

  2. In the dialog box that opens:

    1. Enter valid account credentials for the Azure domain, and click Test Office 365 Connection.

    2. Specify whether you want to use a proxy server for the connection. You can select one of the following options:

      • Use WinHTTP settings: Causes the connector to use the proxy server settings configured for Windows HTTP Services (WinHTTP).

      • Automatically detect: Automatically detects and uses proxy server settings.

      • Do not use proxy settings: Does not use a proxy server for the connection.

      On successful validation, a message confirms that the Office 365 connection settings are valid.

    3. Enter valid Active Roles account details and click Test Active Roles Connection.

      On successful validation, a message confirms that the Active Roles connection settings are valid.

  3. Click Configure BackSync.

    The Azure app registration is performed automatically, and the required connections, mappings, and workflow steps are created automatically.

    On successful configuration, a success message is displayed.

    If Azure BackSync settings are already configured in the system, a warning message asks whether you want to override the existing backsync settings with the new settings. To do so, click Override BackSync Settings; otherwise, click Cancel to retain the existing settings.


Configuring Sync Workflow to back-synchronize Azure AD Objects to Active Roles manually

Prerequisites to configure the back-synchronization manually:

  • The hybrid environment must have Azure AD Connect installed and configured.
  • Synchronization Service Component must be installed and configured for Active Roles.
  • Azure AD configuration, including the administrator consent for the Azure AD application, must be completed through the Active Roles Web Interface.
  • The Azure AD built-in policy must be enforced on the container where the back-synchronization is performed.
  • For the back-synchronization to work as expected, the user in Active Roles must have write permissions for edsvaAzureOffice365Enabled, edsaAzureContactObjectId, edsvaAzureObjectID, and edsvaAzureAssociatedTenantId. The user must also have local administrator privileges on the server where the Active Roles Synchronization Service is running.

To configure a sync workflow that back-synchronizes users and groups, perform the following steps:

Step 1: Create Connection to Azure AD in the hybrid environment

Create a connection to Azure AD using the Azure AD Connector. The configuration requires the Azure domain name, the Client ID of an application registered in Azure AD, and a valid client key (secret) of that application to establish the connection with Azure AD. Treat the key as a credential: it grants the application's read and write directory permissions to anyone who holds it.

To configure an application:

  1. Create an Azure web application (or use a relevant existing one) under the tenant of your Windows Azure Active Directory environment.

    The application must have Application Permissions to read and write directory data in Windows Azure Active Directory.

    NOTE: Alternatively, to assign the required permissions to the application by running a Windows PowerShell script, see the Creating a Windows Azure Active Directory connection section in the One Identity Active Roles Synchronization Service Administration Guide.

  2. Open the application properties and copy the following:
    • Client ID
    • A valid key of the application

  3. Supply the copied client ID and key when creating a new, or modifying an existing, connection to Windows Azure Active Directory in the Synchronization Service Administration Console.

NOTE: The web application that is created or reused for the Sync Service Azure AD Connector is different from the application that is created when configuring Azure AD through the Active Roles Web Interface. Both applications must be available to perform backsync operations.

Step 2: Create Connection to Active Roles in the hybrid environment

Create a connection to Active Roles using the Active Roles Connector. The configuration requires the local domain details and Active Roles version used. Define the scope to select the container from which the objects for synchronization must be selected.

Step 3: Create Sync Workflow

Create a sync workflow using the Azure AD and Active Roles connections. Add a synchronization step that updates the Azure user/group to the Active Roles user/group.

Set the edsvaAzureAssociatedTenantId attribute of the Active Roles user/group to the Azure tenant ID. If the edsvaAzureAssociatedTenantId attribute is not configured, an error is logged in the Event Viewer for each object.

Configure the forward sync rule to do the following:

  • Synchronize the Azure ObjectID property of a user/group to the edsvaAzureObjectID property of the Active Roles user/group.
  • Set the edsvaAzureOffice365Enabled attribute of the Active Roles user/group to True.
  • Set edsvaAzureAssociatedTenantId to the Azure tenant ID.

Step 4: Create Mapping

Create a mapping rule that uniquely identifies the user/group in both Azure AD and on-premises AD, and map the specified properties from Azure AD to Active Roles accordingly.

For example, the userPrincipalName property can be used to map users between on-premises AD and Azure AD in a federated environment.

NOTE:

  • Depending on the environment, make sure to create the correct mapping rule to identify the user or group uniquely. An incorrect mapping rule may create duplicate objects, and the backsync operation may not work as expected.
  • Initial configuration and execution of the backsync operation for Azure AD user IDs is a one-time activity.
  • In federated or synchronized environments, creating groups directly in Azure AD is not supported. The group is created in Active Roles and is eventually synchronized to Azure using Microsoft native tools, such as Azure AD Connect. To manage the Azure AD group through Active Roles, you must perform periodic back-synchronization to on-premises AD.
  • The sync engine must be configured to synchronize the data back to AD at a frequency that matches how often groups are created.
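The following PowerShell script is an added example, not part of this guide or of the Synchronization Service: a dry run of the Step 3 forward sync rule and the Step 4 mapping rule over constructed sample data, showing what the sync engine would write to each Active Roles object and why the mapping rule must be unique. The tenant ID, object IDs, UPNs and distinguished names are placeholders; in a real run the two object sets come from the Azure AD and Active Roles connectors, and the attribute names are the ones used in this guide.

```powershell
# Added example (not from the Active Roles documentation): previews the backsync
# mapping and the three attribute writes from Step 3 without touching any directory.

$tenantId = "00000000-0000-0000-0000-000000000000"   # placeholder; use your Azure tenant ID

# Constructed sample: what the Azure AD connector would return
$azureUsers = @(
    [pscustomobject]@{ ObjectId = "a1"; UserPrincipalName = "alice@contoso.com" },
    [pscustomobject]@{ ObjectId = "b2"; UserPrincipalName = "bob@contoso.com"   },
    [pscustomobject]@{ ObjectId = "c3"; UserPrincipalName = "carol@contoso.com" },
    [pscustomobject]@{ ObjectId = "d4"; UserPrincipalName = "bob@contoso.com"   }   # duplicate UPN
)
# Constructed sample: on-premises users as seen through the Active Roles connector
$arsUsers = @(
    [pscustomobject]@{ DistinguishedName = "CN=Alice,OU=Hybrid,DC=contoso,DC=local"; userPrincipalName = "alice@contoso.com" },
    [pscustomobject]@{ DistinguishedName = "CN=Bob,OU=Hybrid,DC=contoso,DC=local";   userPrincipalName = "bob@contoso.com"   },
    [pscustomobject]@{ DistinguishedName = "CN=Dave,OU=Hybrid,DC=contoso,DC=local";  userPrincipalName = "dave@contoso.com"  }
)

function Get-BackSyncPlan {
    param($AzureUsers, $ArsUsers, [string]$TenantId)

    # Step 3: without a tenant ID the engine logs an error for every object, so stop early
    if (-not $TenantId) { throw "edsvaAzureAssociatedTenantId is not configured; every object would log an error" }

    # Step 4 mapping rule: userPrincipalName must identify exactly one Azure object.
    # Group-Object is case-insensitive, matching how UPNs are compared in AD.
    $byUpn = $AzureUsers | Group-Object UserPrincipalName
    foreach ($g in $byUpn | Where-Object Count -gt 1) {
        Write-Warning "Mapping rule is not unique: $($g.Count) Azure objects share UPN $($g.Name); skipping them"
    }
    $unique = @{}
    $byUpn | Where-Object Count -eq 1 | ForEach-Object { $unique[$_.Name.ToLower()] = $_.Group[0] }

    foreach ($u in $ArsUsers) {
        $match = $unique[$u.userPrincipalName.ToLower()]
        if (-not $match) {
            Write-Warning "No unique Azure object for $($u.DistinguishedName); nothing to back-sync"
            continue
        }
        # Step 3 forward sync rule: the three attributes written to the Active Roles object
        [pscustomobject]@{
            DistinguishedName            = $u.DistinguishedName
            edsvaAzureObjectID           = $match.ObjectId
            edsvaAzureOffice365Enabled   = $true
            edsvaAzureAssociatedTenantId = $TenantId
        }
    }
}

Get-BackSyncPlan -AzureUsers $azureUsers -ArsUsers $arsUsers -TenantId $tenantId | Format-Table -AutoSize
```

With the sample data, only Alice produces a write: the two Azure objects sharing bob@contoso.com are skipped with a warning rather than mapped to whichever one the engine happens to see first, and Dave has no Azure counterpart. Run the same check against your real exports before enabling the workflow; every warning is a mapping that would otherwise create a duplicate or leave edsvaAzureObjectID empty.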