Chat now with support
Chat with Support

Identity Manager 8.1.4 - Administration Guide for Connecting to Azure Active Directory

Managing Azure Active Directory environments Setting up synchronization with an Azure Active Directory tenant Basic data for managing an Azure Active Directory environment Azure Active Directory core directories Azure Active Directory user accounts Azure Active Directory groups Azure Active Directory administrator roles Azure Active Directory subscriptions and service plans
Azure Active Directory subscriptions Disabled Azure Active Directory service plans
Reports about Azure Active Directory objects Configuration parameters for managing an Azure Active Directory environment Default project template for Azure Active Directory

Testing password generation

When you generate a password, all the password policy settings, custom scripts and the restricted passwords are taken into account.

To generate a password that conforms to the password policy

  1. In the Manager, select the Azure Active Directory | Basic configuration data | Password policies category.

  2. In the result list, select the password policy.
  3. Select the Change master data task.
  4. Select the Test tab.
  5. Click Generate.

    This generates and displays a password.

Initial password for new Azure Active Directory user accounts

You can issue an initial password for a new Azure Active Directory user account in the following ways:

  • Create user accounts manually and enter a password in their master data.

  • Assign a randomly generated initial password to enter when you create user accounts.

    • In the Designer, set the TargetSystem | AzureAD | Accounts | InitialRandomPassword configuration parameter.

    • Apply target system specific password policies and define the character sets that the password must contain.

    • Specify which employee will receive the initial password by email.

  • Use the employee's central password. The employee’s central password is mapped to the user account password. For detailed information about an employee’s central password, see the One Identity Manager Identity Management Base Module Administration Guide.

Related topics

Email notifications about login data

You can configure the login information for new user accounts to be sent by email to a specified person. In this case, two messages are sent with the user name and the initial password. Mail templates are used to generate the messages. The mail text in a mail template is defined in several languages. This means the recipient’s language can be taken into account when the email is generated. Mail templates are supplied in the default installation with which you can configure the notification procedure.

The following prerequisites must be fulfilled in order to use notifications:

  1. Ensure that the email notification system is configured in One Identity Manager. For more detailed information, see the One Identity Manager Installation Guide.
  2. In the Designer, set the Common | MailNotification | DefaultSender configuration parameter and enter the sender address for sending the email notifications.
  3. Ensure that all employees have a default email address. Notifications are sent to this address. For more detailed information, see the One Identity Manager Identity Management Base Module Administration Guide.
  4. Ensure that a language can be determined for all employees. Only then can they receive email notifications in their own language. For more detailed information, see the One Identity Manager Identity Management Base Module Administration Guide.

When a randomly generated password is issued for the new user account, the initial login data for a user account is sent by email to a previously specified person.

To send initial login data by email

  1. In the Designer, set the TargetSystem | AzureAD | Accounts | InitialRandomPassword configuration parameter.
  2. In the Designer, set the TargetSystem | AzureAD | Accounts | InitialRandomPassword | SendTo configuration parameter and enter the recipient of the notification as a value.
  3. In the Designer, set the TargetSystem | AzureAD | Accounts | InitialRandomPassword | SendTo | MailTemplateAccountName configuration parameter.

    By default, the message sent uses the Employee - new user account created mail template. The message contains the name of the user account.

  4. In the Designer, set the TargetSystem | AzureAD | Accounts | InitialRandomPassword | SendTo | MailTemplatePassword configuration parameter.

    By default, the message sent uses the Employee - initial password for new user account mail template. The message contains the initial password for the user account.

TIP: To use custom mail templates for emails of this type, change the value of the configuration parameter.

Target system managers

A default application role exists for the target system manager in One Identity Manager. Assign the employees who are authorized to edit all tenants in One Identity Manager to this application role.

Define additional application roles if you want to limit the edit permissions for target system managers to individual tenants. The application roles must be added under the default application role.

For detailed information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.

Implementing application roles for target system managers
  1. The One Identity Manager administrator allocates employees to be target system administrators.

  2. These target system administrators add employees to the default application role for target system managers.

    Target system managers with the default application role are authorized to edit all the tenants in One Identity Manager.

  3. Target system managers can authorize other employees within their area of responsibility as target system managers and if necessary, create additional child application roles and assign these to individual tenants.

Table 15: Default application roles for target system managers
User Tasks

Target system managers

 

Target system managers must be assigned to the Target systems | Azure Active Directory application role or a child application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects like user accounts or groups.

  • Edit password policies for the target system.

  • Prepare groups to add to the IT Shop.

  • Can add employees who have an other identity than the Primary identity.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

To initially specify employees to be target system administrators

  1. Log in to the Manager as a One Identity Manager administrator (Base role | Administrators application role)
  2. Select the One Identity Manager Administration | Target systems | Administrators category.
  3. Select the Assign employees task.
  4. Assign the employee you want and save the changes.

To add the first employees to the default application as target system managers

  1. Log in to the Manager as a target system administrator (Target systems | Administrators application role).

  2. Select the One Identity Manager Administration | Target systems | Azure Active Directory category.

  3. Select the Assign employees task.

  4. Assign the employees you want and save the changes.

To authorize other employees as target system managers when you are a target system manager

  1. Log in to the Manager as a target system manager.

  2. Select the application role in the Azure Active Directory | Basic configuration data | Target system managers category.

  3. Select the Assign employees task.

  4. Assign the employees you want and save the changes.

To specify target system managers for individual tenants

  1. Log in to the Manager as a target system manager.

  2. Select the Azure Active Directory | Tenants category.

  3. Select the tenant in the result list.

  4. Select the Change master data task.

  5. On the General tab, select the application role in the Target system manager menu.

    - OR -

    Next to the Target system manager menu, click to create a new application role.

    1. Enter the application role name and assign the Target systems | Azure Active Directory parent application role.

    2. Click OK to add the new application role.

  6. Save the changes.
  7. Assign employees to this application role who are permitted to edit the tenant in One Identity Manager.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating