Chat now with support
Chat with Support

Active Roles 8.1.5 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Email transport via Exchange Web Services

Active Roles can use Exchange Web Services (rather than an SMTP server) to communicate with Exchange Server when sending notification messages and getting response to notification messages. This enables notification recipients to perform approval tasks by replying to notification messages from their regular email clients, instead of using the Web Interface pages to approve or reject the requests. With the use of Exchange Web Services, Active Roles makes it possible for an approval workflow to behave as follows:

  • A change request that requires approval causes Active Roles to send a notification message to the designated approver, with the message body containing the option to approve or reject the request.

  • The approver replies to the notification message by choosing the desired option (either approve or reject) and typing in a text to explain the reason for that choice.

  • Active Roles receives the reply message from the approver, checks to see if the approver elected to approve or reject the request, and then allows or denies the requested changes accordingly.

The use of Exchange Web Services has the following prerequisites:

  • A supported Exchange Server installation, with Exchange Web Services deployed on it with the Client Access server role. For more information on the Microsoft Exchange Server versions supported by Active Roles, see System requirements in the Active Roles Release Notes.

  • A dedicated mailbox hosted on Exchange Server. The mailbox must be reserved for the exclusive use of Active Roles.

Configuration settings for email transport

This section describes the available configuration settings with the Exchange Web Services option for email transport.

Exchange Web Services address

This setting identifies the URL of the Exchange Web Services endpoint, which locates the exchange.asmx file on the Exchange server running the Client Access server role. For example, https://CAServer.domain.com/EWS/exchange.asmx

Authentication type

This setting specifies the authentication method of the Exchange Web Service.

NOTE: Basic authentication is only available for on-premises Exchange Server services, Exchange Online mail resources should be configured with Modern authentication, as Microsoft does not support Basic authentication in Exchange Online mail resources.

Active Roles' mailbox credentials

This setting specifies the user name and password of the mailbox through which Active Roles will send and receive email. The mailbox must be located on a supported Exchange Server installation, and must be reserved for the exclusive use of Active Roles. For more information on the Microsoft Exchange Server versions supported by Active Roles, see System requirements in the Active Roles Release Notes.

IMPORTANT: This mailbox must only be accessible by Active Roles. Providing access to any other application (for example, Microsoft Outlook) to process email messages in this mailbox can negatively impact the operation of Active Roles.

Options for the Approve and Reject links

This setting controls the behavior of the Approve and Reject links in the notification messages delivered using this email configuration. Two options are available:

  • Send approval response by e-mail

  • Approve or reject via Web Interface

If Send approval response by e-mail is selected, notification recipients can perform approval tasks from within their email application. When an approver chooses one of the links provided in a notification message to approve or reject a request, the email application replies with an email message containing information about the approval decision. Active Roles receives the reply message, checks it to see if the approver elected to approve or reject the request, and then allows or denies the requested changes accordingly.

If Approve or reject via Web Interface is selected, choosing the Approve or Reject link in a notification message directs the email application to open a Web Interface page for performing the approval task. The page may not open as expected if the email application does not support HTML format or an appropriate web browser does not exist on the device running the email application.

Configuring the use of Exchange Web Services

Perform the following steps in the Active Roles Console to configure the default mail settings with the option to use Exchange Web Services:

  1. In the Active Roles Console tree, select Configuration > Server Configuration > Mail Configuration.

  2. In the Details pane, double-click Default Mail Settings.

  3. In the Default Mail Settings Properties dialog, configure the settings on the Mail Setup tab:

    1. From the Settings for list, select Exchange Web Services.

    2. In the Exchange Web Services address box:

      1. For on-premises Exchange mailbox, supply the URL of the Exchange Web Services endpoint. This URL locates the exchange.asmx file on the Exchange server that is running the Client Access server role. For example, https://CAServer.domain.com/EWS/exchange.asmx.

      2. For the Exchange mailbox on the cloud, use https://outlook.office365.com/EWS/Exchange.asmx.

    3. From the Authentication type drop-down, select the authentication method you want to use.

      NOTE: Basic authentication is only available for on-premises Exchange Server services, Exchange Online mail resources should be configured with Modern authentication, as Microsoft does not support Basic authentication in Exchange Online mail resources.

    4. Under Active Roles' mailbox credentials:

      1. For an on-premises Exchange mailbox with Basic authentication, specify the user name and password of the mailbox through which Active Roles will send and receive email.

      2. For a cloud Exchange Online mailbox or an on-premises Exchange mailbox with Modern authentication, specify the Azure user credentials of the Azure mailbox:

        • Tenant ID: The ID of the Azure tenant. To check the ID, on the Azure Portal, navigate to Azure Active Directory > Overview.

        • Client ID: The application client ID. To check the ID, on the Azure Portal, navigate to App registrations > All applications > ActiveRoles.

        • Certificate thumbprint: The most recent certificate thumbprint. To check the thumbprint, on the Azure Portal, navigate to Certificates & secrets > Certificates.

        • Impersonated mailbox: The mailbox that appears to be the sender of the email.

      This mailbox must be created on a server running a supported Exchange Server version, reserved for the exclusive use of Active Roles. For more information on the Microsoft Exchange Server versions supported by Active Roles, see System requirements in the Active Roles Release Notes.

    5. Verify the settings you have configured. Click Verify Settings, supply a valid email address, and then click Send.

    This causes Active Roles to send a diagnostic email message to the address you supplied. The message is attempted to be delivered from Active Roles’ mailbox by using Exchange Web Services. You can check the mailbox with the address you supplied to see if the diagnostic message has been received.

  4. Verify that the Send approval response by email option is selected on the Mail Setup tab.

  5. Select Approve or reject via Web Interface to manage emails through the Web Interface.

  6. When finished, click OK to close the Default Mail Settings Properties dialog.

Automation workflow

An Active Roles "Workflow" is a sequence of actions that leads to the completion of a certain task. The sequence is carried out according to a set of rules or policies. A workflow can be configured to start upon a change request that satisfies the start conditions of the workflow. An example is a workflow that coordinates the process of approving certain changes to directory data such as creation of new users or population of security groups. In Active Roles, this kind of workflow is referred to as a change workflow.

A workflow can also perform routine administrative tasks either on a scheduled basis or on user demand. In these cases, the workflow is not attached to any change request. With Active Roles, you can configure a workflow to perform certain actions at a specific time. You can also allow users to run a workflow at any time on demand. This workflow category is referred to as an automation workflow.

Automation workflows can automate the completion of complex administrative tasks to help you manage large task volumes. It also allows you to build checks or restrictions in directory administration processes to ensure consistency and compliance with your company policies and legal requirements. By using automation workflow, you can ensure that directory administration tasks are performed in a consistent and efficient manner.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating