The following is a list of issues addressed in this release.
Resolved Issue | Issue ID |
---|---|
Previously, when performing an in-place upgrade from Active Roles 8.2 to a newer version of Active Roles, the RSTS configuration did not transfer to the new Active Roles version, and the RSTS connection could fail. This issue is now resolved and the RSTS configuration is retained after the upgrade. | 465344 |
Resolved Issue | Issue ID |
---|---|
Previously, attempting to load Active Roles Add-on Manager in the Active Roles Console resulted in the Active Roles Console hanging for several minutes, then failing to properly display Add-on Manager. The issue was caused by a character encoding problem during the Add-on Manager registration process, and was fixed by adjusting the related loading settings. | 426052 |
Resolved Issue | Issue ID |
---|---|
Previously, if Synchronization Service mappings and synchronization workflows were used to synchronize data from an Active Roles 8.2 instance using an imported configuration, mappings and synchronization workflows using the Active Roles Connector might fail with the following error: Synchronization steps aborted. Details: An error occurred while import from 'DC=<dc-name>,DC=com This issue is now fixed. | 467585 |
Previously, in environments where multiple Active Roles service instances were configured, if the Execute on setting of the Dynamic Group Checker built-in scheduled task was set to its default All servers value instead of a specific service in the Active Roles Console, then the value of the edsaDGOriginatingService attribute of dynamic groups was set to Unknown. Because of this:
This issue is fixed, so that selecting All servers for the Execute on setting of the Dynamic Group Checker scheduled task now correctly assigns the Active Roles service instance running the scheduled task, allowing the Dynamic Group Updater scheduled task to correctly rebuild the membership list of dynamic groups. | 449923 |
Previously, Active Roles kept the entries of deprovisioning and undo deprovisioning operations in the change history database indefinitely, even if a Change Tracking Cleanup scheduled task was configured to delete older change tracking log entries. Keeping Deprovision and UndoDeprovision entries indefinitely caused the leftover data to grow in size over time. This issue is now fixed, so the Deprovision and UndoDeprovision entries of the management history database are now also deleted during cleanup. | 399889 |
Previously, if you had any temporal group membership changes (such as adding or removing a temporal member from a group) scheduled to occur, upgrading to a new version of Active Roles resulted in the scheduled temporal group membership change not being performed. This issue is now fixed, so starting from version 8.2.1, Active Roles will perform scheduled temporal group membership changes even after upgrading to a newer Active Roles version. | 319037 |
Resolved Issue | Issue ID |
---|---|
Previously, the Management History import process could fail, because the maximum length of the operationid value was 10 characters. This caused an error for operation IDs that were longer than 10 characters. This issue was fixed by increasing the maximum length of operation IDs to 40 characters. | 467560 |
Previously, the Management History import process could fail, because Active Roles added a duplicate of the completionTime attribute in the XML file, causing an XML validation error. This issue is now fixed and the import process is completed successfully. | 466571 |
Previously, the upgrade process could fail if you performed a gradual in-place upgrade using the Upgrade configuration wizard as follows:
In such cases, the process might have failed with the following error message: Object reference not set to an instance of an object. This issue is now resolved and the in-place upgrade to a service pack release can be performed gradually. | 464334 |
Previously, importing a configuration database from a previous Active Roles version created on a different computer resulted in the following error, when configuring the settings of the Source database step in the Import configuration wizard: Object reference not set to an instance of an object. This issue is now fixed. | 406609 |
Previously, when importing an existing configuration, even if you specified an encryption key backup file in the Import of Encrypted Data step of the Import configuration wizard, the wizard displayed the following warning: Unable to retrieve the Active Roles data encryption key from the source database. If you have a backup of the encryption key for the source database, then, after data import is complete, you can use Restore-AREncryptionKey to restore the key from the backup to the destination database. This issue occurred because despite specifying the encryption key backup file, the wizard always tried to import the encryption key directly from the source database. This issue is now fixed, and the wizard reads the encryption key from the backup file when specified. | 315646 |
Resolved Issue | Issue ID |
---|---|
Fixed a crash that previously occurred when launching the Active Roles Collector and Report Pack. | 394394 |
Resolved Issue | Issue ID |
---|---|
Previously, when trying to run an automation workflow that contained a password reset script, the workflow would fail. This was introduced by fixing another bug (432430). The issue was resolved by reverting the changes that were introduced by the 432430 bugfix. | 466580 |
Previously, after configuring an Include by Query membership rule for a dynamic group, Active Roles replaced the query parameters of the saved membership rule with custom search parameters. This issue is now resolved, so the Include by Query configuration is now retained for newly-created dynamic groups. NOTE: For existing issues, this fix will only take effect if you re-create the affected dynamic groups. | 468216 |
Previously, when using the Find Users, Contacts, and Groups view to search for a boolean attribute, the search returned no results. This issue is now fixed, so you can search boolean values successfully. | 467292, 467252 |
Previously, when configuring a Policy Object, the list of directory objects for Azure tenant containers appeared empty. The following object types were affected:
This issue is now resolved and the list is populated correctly with directory objects. | 465796 |
Previously, if a notification message for an automation workflow was configured and the notification message format was set as plain text, Active Roles failed to send the notification email after the workflow was run. This issue is now fixed, and Active Roles sends the notification email successfully. | 462976 |
Previously, the Deleted Objects container did not appear if additional Active Directory features (for example, Privileged Access Management) were enabled. This issue is now fixed, and the Deleted Objects container appears regardless of the number of AD features enabled in your environment. | 455321 |
Previously, during undo deprovisioning, if a virtual attribute could not be restored because it had been deleted and no longer existed, undo deprovisioning failed. The issue is now fixed: if a virtual attribute cannot be restored because it was deleted, an error message for that virtual attribute appears in the undo deprovisioning report. After the other virtual attributes are restored, the remaining undo deprovisioning actions are performed. | 449231 |
Previously, approving a workflow caused it to fail with the following error message: Activity name: approvalActivity1 Activity type: ActiveRoles.Workflow.Activities.ApprovalActivity This activity has terminated this workflow instance. Approval rule activity has terminated this workflow instance. Administrative Policy returned an error. Specified method is not supported. The issue was caused by the integrated Change Auditor. When an approver accepted a workflow request, the Active Roles Service attempted to set the dynamic directory control value of the Change Auditor in sub-requests (sent by the Active Roles Service) where they were not applicable, causing the workflow operation to run into an error. The issue is now resolved. | 447794 |
Previously, when delegating any permission using an Access Template related to moving objects, permission precedence was not honored, which caused policy errors and did not reflect original Active Directory functionality. The issue is now fixed, and the following permission precedence is now honored, the first being the highest precedence: | 440163 |
Previously, if an approval workflow was pending approval, assigning either the subject AD object or the approver group of the request to a different Organizational Unit resulted in the following error when attempting to approve the workflow: Administration Service encountered an error when retrieving properties of the object. Directory object not found. This error occurred because Active Roles always attempted to find the subject AD object or the approver group of the workflow via their DN, which changed if the object was moved to a different Organizational Unit. This issue was fixed by improving the fault tolerance of approver search operations. | 437535 |
Previously, Active Directory users who had permissions to run Active Roles workflows could modify AD objects via workflows, even if they had no permission to any AD objects. This issue was fixed by adding a new check in the Access Check policy to verify the permissions of the workflow's parent initiator. Now, if the user has permission to run workflows but no permission to the objects that would be modified by running that workflow, the workflow activity will fail with an error message in the Active Roles Console and/or the Web Interface. | 432430 |
To prevent potential memory leaks, the following built-in Script Modules in the Configuration/Script Modules/Builtin/ container were updated to use the $context.O365RemoveAllModulesSessions() method: | 432381 |
Previously, when querying Azure users in a Managed Unit with the edsvaOnPremisesSyncEnabled attribute as the filtering condition, filtering did not work and the query did not return any results. The issue is now fixed. | 420919 |
Previously, if a hybrid Azure user was added to cloud-only groups, the deprovisioning procedure did not remove the hybrid user from cloud-only distribution groups (and potentially from other subsequent cloud-only groups). However, all other deprovisioning steps (such as deactivating the Azure user) continued. The Active Roles Console and Web Interface also did not notify users about the partial deprovisioning failure. This issue is now fixed, and group membership removal now works correctly for all supported cloud-only Azure group types that were assigned manually to the user. The edsvaAzureUserDeprovisionMemberOfList attribute was also updated to include more structured information about the removed role assignments. | 424099 |
Previously, when configuring the membership rules of a Managed Unit, the Include Group Members > Select objects window incorrectly listed not just groups, but Azure users as well. Selecting an Azure user and saving your change then resulted in a This Managed Unit has invalid membership rules error. This issue was fixed by making sure that Azure users are no longer listed in the Include Group Members > Select objects window, and that you can only select groups. | 402761 |
Previously, when adding members to a room mailbox with the Properties > Resource Information > Resource in-policy requests > Selected recipients setting, deleting an added user either via Active Roles or system-provided Active Directory tools resulted in Active Roles failing to load the list of added users. This issue occurred because Active Roles Console could not load the list of assigned users due to the null value of deleted users, and was fixed by filtering out deleted users from the list. | 390095 |
Previously, if you linked one or more Access Templates to an Azure tenant, changing the Azure tenant type in the Active Roles Configuration Center resulted in the Access Templates losing all their directory object links to the modified Azure tenant. This issue is now fixed. | 386340 |
Previously, Active Roles scheduled tasks were affected by two issues:
These issues were caused by:
These issues are now fixed, so task scheduling now works correctly, and Active Roles determines DST and Standard Time periods properly. | 258338 |
Resolved Issue | Issue ID |
---|---|
Security fixes to the Get-AllAuthenticationProviderConfiguration -ApiBaseUrl "<RSTS_URL>" -IsDataNeededFromDb $false cmdlet. | 465851 |
Resolved Issue | Issue ID |
---|---|
Previously, the Microsoft 365 Connector (formerly known as the Office 365 Connector) could fail with a Task was cancelled error message when importing M365 data. This issue could occur if HttpClient timed out during Graph API requests, for example because of network issues. In such cases, the Microsoft 365 Connector could not handle the timeout correctly. The issue was fixed by implementing a new retry policy which retries the request up to 3 times before timeout, minimizing the chance of the issue occurring. | 435112 |
Previously, attempting to synchronize the telephoneNumber AD attribute of a hybrid Azure user to the BusinessPhones Azure AD attribute failed with the following error if the BusinessPhones attribute was empty: Invalid value specified for property 'businessPhones' of resource 'User'. This issue is now fixed. | 426228 |
Previously, the Microsoft 365 Connector could only retrieve a single service plan instead of the complete list of service plans. For example, in case of an Enterprise license containing 30 service plans, the connector retrieved only the first service plan. This issue is now fixed, so the Microsoft 365 Connector retrieves all service plans of a license plan. | 426028 |
Fixed a performance issue affecting sync workflows between One Identity Manager and Active Roles Synchronization Service if Active Roles was connected to any Azure tenants. | 424016 |
Previously, attempting to synchronize (add) a group member from a plain-text source to the members attribute of a group with the Azure AD Connector failed with the following error: Invalid property 'members'. This error occurred because the Azure AD Connector was not prepared to handle modifying various group types: while certain Azure groups can be modified via Graph API, others can only be modified via the ExchangeOnlineManagement PowerShell module. The issue was solved by updating the Azure AD Connector to properly identify the member attribute to synchronize and the type of Azure group to update. | 414643 |
Previously, when checking the history of any sync workflow where GUIDs were synchronized (such as Active Directory object GUIDs, Azure user IDs, or Microsoft 365 user object IDs), opening the list of processed objects then copy-pasting any GUID into the GUID filter resulted in an empty processed object list. This issue is now fixed. | 319664 |
Resolved Issue | Issue ID |
---|---|
Previously, opening the Azure Licenses Report page could result in an HTTP 500 error. This issue would occur when the Active Roles Web Interface needed to load an extensive amount of license information data. This issue was resolved by decreasing the size of license information data, allowing the Web Interface to load the page. | 465543 |
Previously, in the Exchange admin center, after logging in to your tenant, when you added a mail-enabled security group as a member to a distribution group, then in the Active Roles Web Interface, you navigated to the distribution group and opened its Members, the following error message appeared: Error: Object reference not set to an instance of an object. The issue is now resolved, so in the Web Interface, opening the Members list of a distribution group that contains a mail-enabled security group as a member does not cause any errors. NOTE: The Active Roles Web Interface does not support the listing of mail-enabled security groups in the Members list of distribution groups. | 459648 |
Previously, if you specified a value of 150,000 KB (or higher) for the Shared Mailboxes > Email settings > Sent message maximum size or Received message maximum size setting, the text box of these settings showed a different value than the one you set. This issue has been fixed. | 456672 |
Previously, when clicking Menu > Choose columns, moving an advanced attribute from the Hidden columns list to the Displayed columns list and saving it, the previously hidden advanced attribute still did not appear in a new column for users. The issue is resolved: columns added to the Displayed columns list are displayed for users, and you can also remove previously added columns individually. | 449966 |
Previously, saving a new personal view saved the view URL field incorrectly with the name of the view missing from the end. This resulted in the saved view not storing various attributes, such as the search or filter container, criteria, column settings, or sort order. The issue has been fixed so now every attribute is saved with the correct URL value, and opening the personal view works as intended. | 432199 |
Previously, when a group was assigned to the managedBy attribute of another group and adding a member to this first group required approval, the subgroup members of the managedBy group were not notified of the approval task. Consequently, the task did not appear among the approval tasks on the Self-Service Site of the Web Interface for members of subgroups. The issue is now resolved by expanding the approval task so that members of subgroups within the group designated in the managedBy attribute are now included. | 432073 |
Previously, when creating a hybrid Azure user, the Create Azure Account form was not validated against the policies that administrators set, and let users proceed even if the policies failed. The issue is now fixed by adding the option to customize or skip validation to every form that validates policies. | 420648 |
Previously, when using the Customization > Directory Objects > user - (My Account) > Create New Command menu of the Active Roles Self-Service Portal, saving and reloading your changes, then opening the new command via the User Profile Editor resulted in the page of the new command appearing in a nested Active Roles Self-Service Portal instance. This issue was fixed by removing all unnecessary elements from the custom command page, so that no element appears twice on the page. | 409603 |
Previously, after creating a new hybrid Azure user, the Azure Properties > Settings > Usage Location field of the user was always empty, even if a usage location was specified when creating the user. Selecting a value from the Azure Properties > Settings > Usage Location drop-down and saving the change then fixed the problem. This issue is now fixed, so that the configured usage location appears in the Azure Properties > Settings > Usage Location drop-down immediately after creating the user. | 393882 |
Previously, when selecting an AD LDS user, the Web Interface returned an Unable to load contents error instead of listing the available user management actions. This issue is now fixed, and the list of actions is populated correctly. | 386102 |
Previously, when using an approval workflow to extend the expiration time of the accountExpires parameter for users, the notification email and the workflow form showed the old and new expiration times in a non-human-readable LDAP format until double-clicking the values. This issue was fixed by implementing a converter to show the expiration times in a readable date and time format by default. | 324293 |
Previously, users who had the Users - Help Desk Access Template assigned to them could not perform bulk password resets when selecting multiple users at once. Instead, they could reset passwords for single users only. The issue was fixed by adding the edsva-Bulk-Operation-Object-List (Write Bulk Operation Objects) permission to the Users - Help Desk Access Template. | 320823 |
Previously, if a user was assigned to a group with a temporary membership, attempting to assign the same group membership again to the user via the Member of > Add command resulted in Active Roles overwriting the temporary group membership of the user. This behavior differed from the Active Roles Console, which returned an error message in this scenario. To ensure that the Web Interface works the same as the Active Roles Console, the Web Interface was updated to filter out already added elements, and return the following message when attempting to assign the user again to the same group: The object <group-name> is already in the list and cannot be added for the second time. | 289342 |