Chat now with support
Chat with Support

Active Roles 8.1.5 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Undo deprovisioning for a user with a linked mailbox (re-provisioning)

You can undo the deprovisioning of users with linked mailboxes by using the Undo Deprovisioning action of the Active Roles Web Interface. When re-provisioning a user, Active Roles rolls back the changes of the deprovisioning policies in effect in your organization by:

  • Restoring access to the user account.

  • Reassigning the user to all security and distribution groups it was originally a member of.

  • Re-enabling the linked mailbox.

  • Re-enabling the home folder of the user.

Re-provisioning a deprovisioned user is typically required if the person is reinstated in your organization: for example, their suspension is lifted or they are returning to work from an extended leave.

When re-provisioning a user with a linked mailbox, Active Roles first re-provisions the master account, then re-provisions the shadow account. After the shadow account is re-provisioned, the linked mailbox also returns to its original provisioned state.

Prerequisites

Active Roles can perform the Undo Deprovisioning action on the shadow account of a re-provisioned master account only if the Active Directory (AD) container holding the deprovisioned master accounts is in the scope of the Built-in Policy - ERFM - Mailbox Management policy, or a copy of that policy.

Therefore, if the deprovisioning workflow of your organization moves deprovisioned master accounts to a container separate from provisioned master accounts, make sure that the Built-in Policy - ERFM - Mailbox Management policy is also applied to the container where the deprovisioned master accounts are stored. For more information on configuring the policy, see Applying the ERFM Mailbox Management policy to an OU.

To undo the deprovisioning of a user with a linked mailbox

  1. In the Active Roles Web Interface, under Directory Management > Tree > Active Directory, navigate to the OU for which ERFM is configured.

    Figure 156: Active Roles Web Interface – Navigating to the OU supporting linked mailboxes

  2. Select the deprovisioned master user account for which you want to undo deprovisioning. Then, in the list of available actions, click Undo Deprovisioning.

  3. To confirm the restoration of the user account, click OK.

  4. In the Password Options dialog, configure the password settings of the restored user:

    • Leave the password unchanged: The user account will be re-provisioned with its original password. Select this option if the user password will be reset by an organizational workflow outside the scope of Active Roles (for example by helpdesk, or another password management solution).

    • Reset the password: Select this option to immediately change the password of the re-provisioned user in Active Roles, either by specifying a new password manually, or generating one that meets the password policy requirements of your organization.

      To clear the specified password, click Clear. To spell out each character of the password for clarification, click Spell out.

      Figure 157: Active Roles Web Interface – Spelling out the characters of the generated or specified password

    • Account options: Use these options to specify additional security settings for the user (for example, to have them change the configured password during their next login attempt, or have the configured password expire after some time).

  5. To apply your changes, click OK.

Active Roles then re-provisions the master user account, the shadow user account and the linked mailbox.

Deleting a user with a linked mailbox

You can delete users with linked mailboxes by using the Delete action of the Active Roles Web Interface. When doing so, Active Roles deletes the master account, then disables the linked mailbox of the corresponding shadow account.

CAUTION: Hazard of data loss!

After you delete a user, it cannot be recovered. Therefore, One Identity recommends either deprovisioning or disabling user accounts before permanently deleting them. For more information on deprovisioning users with linked mailboxes, see Deprovisioning a user with a linked mailbox.

To delete a user with a linked mailbox

  1. In the Active Roles Web Interface, under Directory Management > Tree > Active Directory, navigate to the OU for which ERFM is configured.

    Figure 158: Active Roles Web Interface – Navigating to the OU supporting linked mailboxes

  2. Select the master user account you want to delete.

  3. In the list of actions available for the selected master account, click Delete.

  4. To confirm deletion, in the pop-up dialog, click OK. To deprovision a user instead of permanently deleting them, click Deprovision.

Active Roles then deletes the master account in the account forest, then disables the linked mailbox of the associated shadow account in the resource forest.

Configuring remote mailboxes for on-premises users

Active Roles supports remote mailboxes, that is, managing cloud-only Exchange Online mailboxes assigned to on-premises users. Configuring cloud mailboxes for on-premises users allows your organization to store user mailboxes and mailbox data in the Exchange Online cloud, even if the user accounts in your organization are not hybrid or cloud-only user accounts.

By configuring remote mailboxes for your on-premises users, you can:

  • Improve mailbox availability and accessibility.

  • Improve data security by storing mailbox content in the Exchange Online cloud.

  • Improve mailbox security via the integration of your on-premises Active Directory environment with Exchange Online.

  • Use the flexibility and scalability of Exchange Online cloud mailboxes.

  • Use the feature set of Microsoft 365 (such as real-time collaboration, document sharing, simultaneous editing, and so on).

  • Use the administration automation features of Exchange Online.

To assign a remote mailbox for an on-premises user, you must set the user to a mail-enabled state, then assign a cloud email address to them in the Active Roles Console.

NOTE: Alternatively, Active Roles supports configuring remote mailboxes for existing on-premises users by converting them to hybrid users. After the conversion, you can configure and manage the remote mailbox settings of the new hybrid users either via the Active Roles Console or in the Active Roles Web Interface.

  • For more information on converting an on-premises user to a hybrid user, see Sample Azure Hybrid Migration and Converting an on-premises user with an Exchange mailbox to a hybrid Azure user in the Active Roles Web Interface User Guide.

  • For more information on managing the remote mailbox of a hybrid user, see Viewing or modifying the Exchange Online properties of a hybrid Azure user in the Active Roles Web Interface User Guide.

Assigning a remote mailbox to an on-premises user

You can assign a remote Exchange Online mailbox to an on-premises Active Directory (AD) user via the Active Roles Console.

Prerequisites

To assign a remote mailbox to an on-premises user, make sure that the following conditions are met.

  • Your organization must have an on-premises Exchange server deployed in the same forest or domain where you want to configure remote mailboxes for on-premises users. The Exchange server will indicate later for Active Roles that the affected users have remote mailboxes.

  • The on-premises user must already exist, and it cannot have a mailbox.

  • The Exchange Online mailbox that you will assign to the on-premises user must already exist. To create a new cloud mailbox, use any of the following:

    CAUTION: After the cloud mailbox is created, it will enter into a 30-day grace period. To prevent deleting the remote mailbox after this period, you must assign an Exchange Online (Plan 2) license to it.

    To assign an Exchange Online license to the cloud mailbox, in the Microsoft 365 Admin Center, select the user, then navigate to Manage product licenses.

  • Note down the value of the Microsoft Online Services ID (that is, the MicrosoftOnlineServicesID attribute) of the remote mailbox. You will need to specify the value of this attribute to connect the on-premises user with the remote mailbox. You can check the value of the attribute either in the Microsoft 365 Admin Center, or via the Get-User PowerShell command.

    TIP: If the remote mailbox has multiple aliases configured, the MicrosoftOnlineServicesID attribute always takes the value of the primary email address and user name.

To assign a remote mailbox to an on-premises user

  1. Open the Advanced Properties of the on-premises user for which you want to assign the remote mailbox. In the Active Roles Console, in the Active Directory (AD) tree, navigate to the Organizational Unit (OU) where the user is located, double-click the user, then in the Properties window, click Object > Advanced Properties.

    Figure 159: Active Roles Console – Opening the Advanced Properties of a user

  2. Search for the edsvaMsExchEnableRemoteMailRoutingAddress property.

    TIP: To find the property faster, enter its name (or part of its name) in the Look for property field. If you cannot find the property, select Show all possible attributes and Include attributes with empty values, too.

    After you found the property, open its settings by double-clicking it.

  3. In the Edit Attribute dialog, in Value, enter the value of the MicrosoftOnlineServicesID attribute (that is, the primary email address of the remote mailbox).

  4. To apply your changes, click OK in each open window.

NOTE: Assigning a remote mailbox to an on-premises user may take up to 15 minutes to complete, with Active Roles attempting to establish connection up to 9 times. If the procedure fails (for example, because Active Roles cannot find the specified email address), Active Roles will log an error in the Windows Event Viewer under the Applications and Services Logs > Active Roles Admin Service category.

For more information on how to check if Active Roles could assign the remote mailbox to the user, see Verifying that a remote mailbox is assigned to an on-premises user.

TIP: If Active Roles could not assign the remote mailbox to the on-premises user within the expected time frame, perform the following troubleshooting steps:

  • Check network connectivity.

  • Check the status of the on-premises Exchange server and the Exchange Online service.

  • Verify that the specified remote mailbox email address is correct.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating