Active Roles 7.5 - Release Notes

Enhancements

The following is a list of enhancements implemented in Active Roles 7.5.

Table 1: Synchronization Service enhancements

Enhancement

Enhancement ID

Azure O365 groups received two enhancements:

  • You can now configure dynamic membership rules for new and existing O365 groups in the Active Roles Web Interface, enabling Active Roles to automatically add or remove members based on the configured attribute-based rules.

    • For more information on setting up a new dynamic O365 group, see Creating a new O365 group in the Active Roles 7.5 Administration Guide.

    • For more information on modifying an existing O365 group to dynamic membership, see Viewing or modifying an O365 group in the Active Roles 7.5 Administration Guide.

  • You can now view the change history of existing O365 groups in the Active Roles Web Interface. For more information, see Viewing the change history of an O365 group in the Active Roles 7.5 Administration Guide.

282832

Resolved issues

Active Roles 7.5 addresses the following reported issues.

Table 2: Resolved Issues – Active Roles Installer

Resolved issue

Issue ID

Previously, the Active Roles installer did not require Administrator privileges when it was launched, so the installation process could not complete.

This issue is now fixed, and the installer requests elevated privileges on start.

277310

During the installation of Active Roles, attempting to install the Microsoft Teams PowerShell module on a machine that has the PowerShell Module for Skype for Business installed results in an error.

The error is caused by several factors:

  • The Microsoft Teams PowerShell module is a successor of the Skype for Business PowerShell module, with the majority of their commands being the same. Therefore, when installing the Microsoft Teams PowerShell module without uninstalling the Skype for Business PowerShell module first, the PowerShell installer will warn users to use the -AllowClobber parameter to overwrite the shared commands.

  • The obsolete commands of the Skype for Business PowerShell module can remain in the machine if the module is not uninstalled before installing the Microsoft Teams PowerShell module.

To solve this problem, the Ready to Install page of the Active Roles installer has been updated with a Note that instructs users to remove PowerShell Module for Skype for Business Online before installing the Microsoft Teams PowerShell module.

275276

Table 3: Resolved Issues – Active Roles Configuration Center

Resolved issue

Issue ID

Due to the SharePoint Online PowerShell module not supporting client ID and client secret-based authentication, support for that PowerShell module has been deprecated in Active Roles 7.4.4, resulting in the various OneDrive configuration interfaces becoming unusable.

This issue is now fixed, so Active Roles 7.5 reintroduces the OneDrive configuration settings in the Active Roles Configuration Center and the Active Roles Console. In addition, the Active Roles Web Interface now also displays the configured OneDrive storage provisioning settings for Azure users again.

For more information on how to configure OneDrive provisioning, see Configuring OneDrive in an Azure tenant in the Active Roles 7.5 Administration Guide.

278521

Table 4: Resolved Issues – Active Roles Console (MMC Interface)

Resolved issue

Issue ID

Previously, while Starling 2FA was configured for Active Roles, users attempting to open the Active Roles Console (also known as the MMC Interface) could receive the following error in the Active Roles Starling 2FA Verify Token pop-up:

One or more errors occurred: Failed while getting token from Starling: Could not load file or assembly 'Newtonsoft.Json'.

This error prevented users from accessing and using the Active Roles Console, forcing administrators to disable Starling 2FA as a workaround, whenever the Active Roles Console had to be used.

The issue was caused by version conflicts among the external components of Starling 2FA, and is now fixed.

289723

Previously, configuring a dynamic group in the Active Roles Console with a membership rule set to Include by Query, and using an LDAP query containing LDAP_MATCHING_RULE_TRANSITIVE_EVAL (1.2.840.113556.1.4.1941) resulted in the membership of the dynamic group not being updated.

This issue is now fixed, and dynamic groups using LDAP matching rule 1.2.840.113556.1.4.1941 are now updated correctly.

91690

Table 5: Resolved Issues – Active Roles Web Interface

Resolved issue

Issue ID

Previously, when setting up the email account of the selected Azure user as a shared mailbox in the Exchange Online Properties > Delegation tab in the Active Roles Web Interface, the Send As permission could not be granted to the added users because they did not appear in the Send As list.

The issue has been resolved and now the added users are correctly displayed in the Send As list.

284175

Previously, when selecting an Azure guest user in the Active Roles Web Interface, in Azure properties, the Reset Password option was available. Clicking Reset Password opened a window allowing you to specify and save a new password, but even if the operation failed, you got the following message:

The operation is successfully completed.

The issue is now fixed, and the Reset Password option is removed from the properties of Azure guest users.

For more information, see the FAQ entry on password reset support for Azure AD B2B collaboration users in the Microsoft Azure Documentation.

277972

Previously, attempting to consent Active Roles as an Azure application in an Azure tenant could result in the following error message:

Could not create Application in Azure. Bad Request: Values of identifierUris property must use a verified domain of the organization or its subdomain: 'http://ActiveRoles

This issue was introduced because of a change in the Azure Active Directory (AAD) application creation system, introducing stricter requirements for identifierUris.

This issue is now fixed, and Azure tenants can now be added or reauthenticated again.

291638

Previously, when creating a new Azure guest user in the Active Roles Web Interface, licenses, roles and optional attributes (such as First Name, Last Name, Job Title, Department or Usage Location) were not replicated to Azure AD by default.

This issue is now fixed by making sure that the Azure guest user modify requests are sent appropriately from Active Roles to Azure AD.

288597

Previously, when opening the Office 365 Groups container of an Azure tenant in the Active Roles Web Interface, it could occur that the container appeared empty, with no Office 365 groups listed in it.

This issue has been fixed.

282828

Previously, when opening the Azure Users container of an Azure tenant in the Active Roles Web Interface, it could occur that the Active Roles Web Interface did not list every Azure user managed in the Azure tenant.

This issue was caused by an Active Roles caching mechanism problem, and has been fixed.

282182

Previously, objects whose ShowInAdvanceViewOnly property was set to true were not shown in the Active Roles Web Interface, even when searching specifically for those objects.

This issue has been fixed by removing the ShowInAdvanceViewOnly property from the LDAP search filters of the Active Roles Web Interface, ensuring that all directory objects now appear.

282169

Previously, when managing users with Exchange Online licenses (assigned either via Active Roles or the Microsoft Azure Portal), checking the Exchange Online Properties of users in the Active Roles Web Interface could result in an Unable to retrieve Exchange Online Mailbox properties error appearing after some time. Restarting the Active Roles Administration Service could resolve this issue for a while.

This issue occurred because the Microsoft Modern Authentication access tokens (generated when first checking the Exchange Online Properties of the users) expired, as Active Roles did not request a new Exchange Online connection whenever the Exchange Online Properties option was used, resulting in a timeout over time. This issue is now fixed.

281545

Previously, after upgrading between major Active Roles versions, the Active Roles Web Interface Personal Views were lost, because they were not imported to the newly created database. Instead, users had to import personal settings manually, which required a significant workaround.

This issue is now fixed, and in-place Active Roles upgrades now import personal settings for configured websites.

91729

Previously, the Licenses step of the Azure (guest) user configuration process listed the Office 365 Content Explorer with the non-user-friendly name Content_Explorer.

This issue is now fixed, and the list of licenses shows the resource as Content Explorer.

272301

Table 6: Resolved Issues – Active Roles Synchronization Service

Resolved issue

Issue ID

Previously, attempting to open the One Identity Manager (OneIM) Connector with the OneIM check box deselected resulted in the following error message:

D1IM web service is not connected.

The typo D1IM in the error message has been fixed to One Identity Manager.

91671

Previously, attempting to create the same user twice with an Active Directory (AD) and Active Directory Lightweight Directory Services (AD LDS) connection workflow resulted in the following error message:

An error occured while creating the object <object-name>. The object already exists.

The typo occured in the error message has been fixed to occurred.

92036

Table 7: Resolved Issues – Active Roles Collector and Report Pack

Resolved issue

Issue ID

Previously, specifying a blank Azure SQL Database with the Specify Database > Use existing database option of the Active Roles Collector and Report Pack returned the following error message:

Unable to use the specified database because the database is not empty and is not a Collector database.

Active Roles Collector and Report Pack returned this error because it considers an existing database empty only if it contains no tables at all. However, existing Azure SQL Databases always contain at least one system table, even if they are otherwise blank; therefore, Active Roles Collector and Report Pack cannot recognize them as usable empty databases.

The error message received in this scenario has been reworded to make it clear that existing blank Azure SQL Databases cannot be selected when configuring the Active Roles Collector and Report Pack with the Use existing database option.

TIP: In such cases, One Identity recommends selecting the Create database option, and creating an empty Azure SQL Database during the configuration process.

272581

Table 8: Resolved Issues – Active Roles SPML Provider

Resolved issue

Issue ID

Previously, when using Constrained Delegation in the SPML Provider, submitting a modification request returned an Unsupported operation error because the SPML Provider could not cast a com_object properly.

The issue is now fixed and the data of the com_object returns without error.

289838

Known issues

The following is a list of issues in Active Roles 7.5, which are known to exist at the time of its release.

Table 9: Active Roles known issues

Known issue

Issue ID

Trying to reset the password of an Azure user in the Active Roles Web Interface returns the following error message:

One or more errors occurred. Http Exception - Status Code Forbidden. Reason phrase Forbidden {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation"}}

This error occurs because of a Microsoft Graph API-related issue, described in the Authorization_RequestDenied error when you try to change a password using Graph API article of the Microsoft Azure Troubleshooting documentation.

Workaround

To solve this problem, assign the Company Administrator Office 365 administrative role to Active Roles with the following PowerShell cmdlets:

Connect-MsolService
$displayName = "ActiveRoles"
$objectId = (Get-MsolServicePrincipal -SearchString $displayName).ObjectId
$roleName = "Company Administrator"
Add-MsolRoleMember -RoleName $roleName -RoleMemberType ServicePrincipal -RoleMemberObjectId $objectId

293601
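
Company Administrator is the MSOnline name for the Global Administrator role, so after applying the workaround it is worth confirming that exactly one service principal matched the search and seeing which other service principals hold the role. The following check is an added example, not One Identity code; the function names are hypothetical, and the display name and role name are the ones used in the workaround above.

```powershell
# Added example (not One Identity code). Uses the MSOnline module,
# the same module the workaround relies on.

function Get-RoleServicePrincipalMember {
    param([Parameter(Mandatory)] [string] $RoleName)

    $role = Get-MsolRole -RoleName $RoleName
    if (-not $role) { throw "Role '$RoleName' was not found in this tenant." }

    # -All returns every member instead of only the first batch of results.
    Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.RoleMemberType -eq 'ServicePrincipal' } |
        Select-Object DisplayName, ObjectId, RoleMemberType
}

function Test-ActiveRolesRoleAssignment {
    param(
        [string] $DisplayName = 'ActiveRoles',           # from the workaround
        [string] $RoleName    = 'Company Administrator'  # from the workaround
    )

    # -SearchString can return more than one service principal. The workaround
    # assumes a single match, so stop if that assumption does not hold.
    $candidates = @(Get-MsolServicePrincipal -SearchString $DisplayName)
    if ($candidates.Count -ne 1) {
        throw "Expected 1 service principal matching '$DisplayName', found $($candidates.Count)."
    }
    $target  = $candidates[0]
    $members = @(Get-RoleServicePrincipalMember -RoleName $RoleName)

    [pscustomobject]@{
        ServicePrincipal = $target.DisplayName
        ObjectId         = $target.ObjectId
        HoldsRole        = $members.ObjectId -contains $target.ObjectId
        # Any other service principals that also hold this role.
        OtherRoleHolders = @($members | Where-Object { $_.ObjectId -ne $target.ObjectId })
    }
}

Connect-MsolService
Test-ActiveRolesRoleAssignment
```

HoldsRole should be True after the workaround, and OtherRoleHolders lists any additional service principals with the same role so they can be reviewed.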

Importing an Active Roles configuration with the Administration Service > Active Roles databases > Import configuration wizard of the Active Roles Configuration Center can result in an inconsistent Web Interface configuration state if the Web Interface has been previously configured with the Dashboard > Web Interface > Configure setting. This issue is caused by a discrepancy between the previously-configured Web Interface configuration and the imported Web Interface configuration.

Workaround

To avoid this issue, One Identity recommends configuring the Web Interface in the Active Roles Configuration Center only after importing any Active Roles configurations.

275240

When configured for Group and Contacts, the Office 365 and Azure Tenant Selection policy displays additional tabs.

229031

Tenant selection supports selecting only a single tenant.

229030

An automation workflow with an Office 365 script fails if multiple workflows share the same script and the script is scheduled to execute at the same time.

Workaround

One Identity recommends scheduling the workflows with different scripts or at a different time.

200328

In the Active Roles Web Interface, Azure roles are not restored automatically after performing an Undo Deprovision action on a user.

Workaround

After the Undo Deprovision action is completed, assign the Azure roles to the user manually.

172655

When a workflow is copied from built-in workflows, it may not be executed as expected.

153539

In the Starling Connect Connection Settings link, clicking Next displays progress, but the functionality is not affected, so the button is not required.

126892

After running the get-qcworkflowstatus cmdlet in the Synchronization Service, the workflow status is not accurate.

125768

Active Roles does not support creating Azure groups for existing groups.

117015

Azure Group Properties are not available if they are added to the Office 365 Portal or Hybrid Exchange Properties from the forwarding address attribute of Exchange Online users.

98186

Activating the EnableAntiForgery key (<add key="EnableAntiForgery" value="true"/> in web.config) may cause the following error message:

Session timeout due to inactivity. Please reload the page to continue.

Workaround

Update the IgnoreForValidation key in the <appSettings> section by adding a property value in lowercase:

  1. Open the IIS Manager.

  2. In the left pane, under Connections, expand the tree view to Sites > Default Web Site.

  3. Under Default Web Site, click on the Active Roles application (ARWebAdmin by default).

  4. Double-click Configuration Editor.

  5. From the Section drop-down, select appSettings.

  6. Find the IgnoreForValidation key.

  7. Append the comma-separated value to IgnoreForValidation, for example: lowercasecontrolname.

  8. In the right pane, under Actions, click Apply.

  9. Recycle the App pool.

91977

After upgrading Active Roles, the pending approval tasks are not displayed in the Active Roles Web Interface.

91933

Active Roles Web Interface does not support setting the Exchange Online Property of the ProhibitSendQuota value in Storage Quotas.

91905

In Active Roles with the Office 365 Licenses Retention policy applied, after deprovisioning the Azure AD user, the Deprovisioning Results for the Office 365 Licenses Retention policy are not displayed in the same window.

Workaround

To view the Deprovisioning Results after deprovisioning the Azure AD user:

  • In Active Roles MMC Console, right-click and select Deprovisioning Results.

  • In the right pane of the Active Roles Web Interface, click Deprovisioning Results.

  • To refresh the form, press F5.

91901

System requirements

Before installing Active Roles 7.5, ensure that your system meets the following minimum hardware and software requirements.

Active Roles includes the following components:

This section lists the hardware and software requirements for installing and running each of these components.
