Chat now with support
Chat with Support

Active Roles 7.5.3 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 and Azure Tenant Selection User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management One Identity Starling Two-factor Authentication for Active Roles Managing One Identity Starling Connect Azure AD, Office 365, and Exchange Online management
Configuring Active Roles to manage hybrid AD objects Managing Hybrid AD Users Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Office 365 Groups Managing Azure Security Groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Enabling Federated Authentication Appendix F: Active Roles integration with other One Identity and Quest products Appendix G: Active Roles integration with Duo Appendix H: Active Roles integration with Okta

Viewing or modifying the Azure AD tenant type

Use the Active Roles Administration Center to view or modify the tenant type of an existing Azure AD tenant. This is useful if you need to change the default domain settings of an Azure tenant due to an IT or organizational change.

NOTE: Consider the following limitations when modifying the properties of the selected Azure AD tenant:

  • If you set the tenant type of an on-premises or hybrid Azure AD to Federated Domain or Synchronized Identity Domain, then the Azure properties fields of the objects (Azure users, Azure guest users, groups and contacts) in the Azure tenant will be disabled and cannot be edited in the Active Roles Web Interface.

  • You cannot modify the tenant ID and the authentication settings of the Azure AD tenant.

To view or modify the Azure AD tenant properties

  1. In the Active Roles Configuration Center, on the left pane, click Azure AD Configuration.

    The list of existing Azure AD tenants appears.

  2. Select the Azure AD tenant you want to view or modify, then click Modify.

    The Tenant details window appears.

  3. (Optional) To change the domain type of the Azure tenant, select the applicable type from the Tenant type drop-down list.

    • Non-Federated Domain: When selected, on-premises domains are not registered in Azure AD, and Azure AD Connect is not configured. Azure users and Azure guest users are typically created with the onmicrosoft.com UPN suffix.

    • Federated Domain: On-premises domains are registered in Azure AD and Azure AD Connect. Also, Active Directory Federation Services (ADFS) is configured. Azure users and Azure guest users are typically created with the UPN suffix of the selected on-premises domain.

    • Synchronized Identity Domain: On-premises domains may or may not be registered in Azure AD. Azure AD Connect is configured. Azure users and Azure guest users can be created either with the selected on-premises domain, or with the onmicrosoft.com UPN suffix.

  4. (Optional) To enable, disable or modify the provisioned OneDrive storage of the Azure tenant, select or deselect Enable OneDrive, and (when selected), configure the SharePoint and OneDrive settings listed in the Tenant details window. For more information on configuring OneDrive storage in an Azure tenant, see Enabling OneDrive in an Azure tenant.

  5. To close the Tenant details window without any changes, click Cancel. To apply your changes, click Save.

Enabling OneDrive in an Azure tenant

You can enable OneDrive in your consented Azure tenant(s) for cloud-only and hybrid Azure users in the Azure AD Configuration > Tenant details window of the Active Roles Configuration Center.

To enable OneDrive in an Azure tenant, you must:

  1. Configure a SharePoint App-Only for authentication.

  2. Specify the required application permissions for the configured SharePoint App-Only.

  3. Specify the SharePoint admin site URL of your Azure tenant.

  4. Configure the default size of the OneDrive storage provisioned for Azure users in the Azure tenant.

For the detailed procedure, see Configuring OneDrive for an Azure tenant.

NOTE: Once OneDrive is enabled, consider the following limitations:

  • Active Roles supports creating OneDrive storage for new cloud-only and hybrid Azure users only if OneDrive is preprovisioned in your organization. For more information, see Pre-provision OneDrive for users in your organization in the official Microsoft documentation.

  • When creating new cloud-only Azure users with OneDrive storage in the Active Roles Web Interface, make sure that the General > Allow user to sign in and access services setting is selected. Otherwise, Active Roles will not provision and create the OneDrive storage of the new Azure user. For more information on creating a new cloud-only Azure user in the Active Roles Web Interface, see Creating a new cloud-only Azure user.

  • The OneDrive admin site URL and OneDrive storage default size (in GB) settings of the Tenant details window are applicable to cloud-only Azure users only, and do not affect OneDrive provisioning for hybrid users in your Azure tenant. To configure the OneDrive admin site URL and the default OneDrive storage size for hybrid users, you must set these settings in the Active Roles Console (also known as the MMC Interface) by configuring an O365 and Azure Tenant Selection policy for your Azure tenant, after configuring OneDrive in the Active Roles Configuration Center. For more information, see Configuring an O365 and Azure Tenant Selection policy.

Prerequisites of enabling OneDrive in an Azure tenant

Before configuring OneDrive for an Azure tenant in the Active Roles Configuration Center, make sure that the Azure tenant meets the following conditions:

  • The Azure tenant has the Sites.FullControl.All SharePoint application permission. Active Roles automatically configures this permission when consenting Active Roles as an Azure application for a newly-configured Azure tenant.

    However, if the Azure tenant for which you want to enable OneDrive has already been used in an Active Roles version earlier than Active Roles 7.5, you must add the Sites.FullControl.All SharePoint application permission manually for Active Roles in the Azure tenant. Failure of doing so will result in an error in the Tenant Details window of the Active Roles Configuration Center when testing the configured SharePoint credentials.

    For more information, see Checking and adding the Sites.FullControl.All permission for Active Roles.

Checking and adding the Sites.FullControl.All permission for Active Roles

If the Azure tenant for which you want to enable OneDrive has already been used in an Active Roles version earlier than Active Roles 7.5, you must add the Sites.FullControl.All SharePoint application permission manually for Active Roles in the Azure tenant. Failure of doing so will result in an error in the Tenant Details window of the Active Roles Configuration Center when testing the configured SharePoint credentials.

To check that Active Roles has the Sites.FullControl.All application permission in an Azure tenant

  1. Log in to Azure Portal.

  2. Open the Azure tenant of your organization by clicking Azure Active Directory on the main screen.

  3. To open the list of applications registered for your Azure tenant, navigate to Manage > App registrations.

  4. Select your Active Roles deployment either by finding it in the All applications or Owned applications list, or by searching it in the search bar.

  5. To open the list of API permissions, navigate to Manage > API permissions.

  6. Check that the Sites.FullControl.All permission is listed under the API / Permissions name > SharePoint heading.

    Figure 108: List of configured permissions under Azure Active Directory > Manage > API Permissions of Azure Portal

If Sites.FullControl.All is not listed, add it to Active Roles in the Azure tenant by completing the next procedure.

To add the Sites.FullControl.All application permission to Active Roles in an Azure tenant

  1. In the Configured permissions list (available under Manage > API permissions) click Add a permission.

    The list of available API permissions will appear on the right side of the screen under Request API permissions.

  2. In the list of available API permissions, click SharePoint.

  3. Click Application permissions.

  4. Under Select permissions > Sites, select Sites.FullControl.All and click Add permissions.

  5. To apply your changes, select Sites.FullControl.All under Configured permissions and click Grant admin consent for <azure-tenant-name>.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating