Chat now with support
Chat with Support

Active Roles 7.5.3 - Administration Guide

Introduction About Active Roles Getting Started Rule-based Administrative Views Role-based Administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based Access Rules
Rule-based AutoProvisioning and Deprovisioning
About Policy Objects Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning E-mail Alias Generation Exchange Mailbox AutoProvisioning AutoProvisioning for SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Office 365 and Azure Tenant Selection User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Workflows
Understanding workflow Workflow activities overview Configuring a workflow
Creating a workflow definition Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Example: Approval workflow E-mail based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic Groups Active Roles Reporting Management History
Understanding Management History Management History configuration Viewing change history
Workflow activity report sections Policy report items Active Roles internal policy report items
Examining user activity
Entitlement Profile Recycle Bin AD LDS Data Management One Identity Starling Management One Identity Starling Two-factor Authentication for Active Roles Managing One Identity Starling Connect Azure AD, Office 365, and Exchange Online management
Configuring Active Roles to manage hybrid AD objects Managing Hybrid AD Users Unified provisioning policy for Azure O365 Tenant Selection, Office 365 License Selection, and Office 365 Roles Selection, and OneDrive provisioning Office 365 roles management for hybrid environment users Managing Office 365 Contacts Managing Hybrid AD Groups Managing Office 365 Groups Managing Azure Security Groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes
Managing Configuration of Active Roles
Connecting to the Administration Service Adding and removing managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server Replication Appendix A: Using regular expressions Appendix B: Administrative Template Appendix C: Communication ports Appendix D: Active Roles and supported Azure environments Appendix E: Enabling Federated Authentication Appendix F: Active Roles integration with other One Identity and Quest products Appendix G: Active Roles integration with Duo Appendix H: Active Roles integration with Okta

Configure Azure backsync automatically

Configuring Sync Workflow to back-synchronize Azure AD Objects to Active Roles automatically using the Active Roles Synchronization Service Console

Pre-requisites to configure the back-synchronization:

  • The hybrid environment must have Azure AD Connect installed and configured.
  • The user account used to perform back sync configuration must have the following privileges:

    • User Administrator
    • Privileged Role Administrator
    • Exchange Administrator
    • Application Administrator
  • The Windows Azure Active Directory (Azure AD) module version 2.0.0.131 or later must be installed for the backsync feature to work successfully.
  • Directory Writers Role must be enabled in Azure Active Directory. To enable the role use the following script:

    $psCred=Get-Credential

    Connect-AzureAD -Credential $psCred

    $roleTemplate = Get-AzureADDirectoryRoleTemplate | ? { $_.DisplayName -eq "Directory Writers" }

    # Enable an instance of the DirectoryRole template

    Enable-AzureADDirectoryRole -RoleTemplateId $roleTemplate.ObjectId

  • For the back-synchronization to work as expected, the user in ARS must have write permissions for edsvaAzureOffice365Enabled, edsaAzureContactObjectId and edsvaAzureObjectID. The user must also have a local administrator privileges where the ARS synchronization service is running.

To configure Azure backsync in Active Roles Synchronization Service

  1. In the upper right corner of the Synchronization Service Administration Console, select Settings | Configure Azure BackSync.

    The Configure BackSync operation in Azure with on-premises Active Directory objects dialog box is displayed.

  2. In the dialog box that opens:

    1. Enter the Azure domain valid Account ID credentials, and click Test Office 365 Connection.

    2. Specify whether you want to use a proxy server for the connection. You can select one of the following options:
    • Use WinHTTP settings: Causes the connector to use the proxy server settings configured for Windows HTTP Services (WinHTTP).

    • Automatically detect: Automatically detects and uses proxy server settings.

    • Do not use proxy settings: Specifies to not use proxy server for the connection.

    On successful validation, the success message that the Office 365 Connection settings are valid is displayed.

    1. Enter the valid Active Roles account details and click Test Active Roles Connection.

      On successful validation the success message that the Active Roles connection settings are valid is displayed.

  1. Click Configure BackSync.

    The Azure App registration is done automatically. The required connections, mappings, and workflow steps are created automatically.

    On successful configuration the success message is displayed.

    If the Azure BackSync settings are already configured in the system, a warning message is displayed to confirm if you want to override the existing backsync settings with the new settings. If yes, click Override BackSync Settings. Else, click Cancel to retain the existing settings.

Configuring Sync Workflow to back-synchronize manually

Configuring Sync Workflow to back-synchronize Azure AD Objects to Active Roles manually

Prerequisites to configure the back-synchronization manually:

  • The hybrid environment must have Azure AD Connect installed and configured.
  • Synchronization Service Component must be installed and configured for Active Roles.
  • Azure AD configuration and the Administrator Consent for Azure AD application through web interface must be complete.
  • Azure AD built-in policy must be enforced for the container where the back-synchronization is performed.
  • For the back-synchronization to work as expected, the user in ARS must have write permissions for edsvaAzureOffice365Enabled, edsaAzureContactObjectId, edsvaAzureObjectID, and edsvaAzureAssociatedTenantId. The user must also have a local administrator privileges where the ARS synchronization service is running.

To configure sync workflow to back-synchronize users and groups perform the following steps:

 

Step 1: Create Connection to Azure AD in the hybrid environment

Create a connection to Azure AD using the Azure AD Connector. The configuration requires the Azure domain name, the Client ID of an application in Azure AD, and the Client Key to establish the connection with Azure AD.

To configure an application:

  1. Create an Azure Web application (or use any relevant existing Azure Web Application) under the tenant of your Windows Azure Active Directory environment.

    The application must have "Application Permissions" to "read" and "write" directory data in Windows Azure Active Directory.

    NOTE: Alternatively, to assign the required permissions to the application by running a Windows PowerShell script, see the Creating a Windows Azure Active Directory connection section in the Synchronization Service Administration Console.

  1. Open the application properties and copy the following:
  • Client ID
  • Valid key of the application
  1. You need to supply the copied client ID and key when creating a new or modifying an existing connection to Windows Azure Active Directory in the Synchronization Service Administration Console.

NOTE: The Web Application that is created or is already available for Sync Service Azure AD Connector, is different from the application that is created while configuring Azure AD using Active Roles Web interface. Both the applications must be available for performing back-sync operations.

Step 2: Create Connection to Active Roles in the hybrid environment

Create a connection to Active Roles using the Active Roles Connector. The configuration requires the local domain details and Active Roles version used. Define the scope to select the container from which the objects for synchronization must be selected.

Step 3: Create Sync Work flow

Create a Sync Workflow using the Azure AD and Active Roles connections. Add a Synchronization step to Update Azure User/Group to Active Roles User/Group.

Set the edsvaAzureAssociatedTenantId attribute in Active Roles user/group to azure tenant id. If edsvaAzureAssociatedTenantId attribute is not configured , an error is logged in the event viewer for each object.

Configure the Forward Sync Rule to synchronize the following:

  • Azure ObjectID property of a user/group to the Active Roles user/group edsvaAzureObjectID property.
  • Set the edsvaAzureOffice365Enabled attribute in Active Roles user/group to True.
  • Set edsvaAzureAssociatedTenantId with Azure Tenant ID.

Step 4: Create Mapping

Create a Mapping Rule which identifies the user/group in Azure AD and on-premises AD uniquely and map the specified properties from Azure AD to Active Roles appropriately.

For example, the property userprincipalname can be used to map users between on-premises AD and Azure AD in a federated environment.

NOTE:

  • Based on the environment, make sure to create the correct Mapping rule to identify the user or group uniquely. In-correct mapping rule may create duplicate objects and the back-sync operation may not work as expected.
  • Initial configuration and execution of back-sync operation for Azure AD users ID is a one-time activity.
  • In Federated or Synchronized environments, Azure AD group creation is not  supported. The  group is created in Active Roles and is synchronized eventually  to Azure using Microsoft Native tools, such as AAD Connect. To manage the  Azure AD group through Active Roles, you must perform periodic back- synchronization to on-premise AD.
  • Sync engine must be configured to synchronize the data back to AD based on the frequency of groups creation.

Configuring Sync Workflow to back-synchronize AD contacts

To configure sync workflow to back-synchronize contacts perform the following steps:

 

Step 1: Create Connection to Office 365 in the hybrid environment

Create a connection to Office 365 using the Microsoft Office 365 Connector. The configuration requires Microsoft Online Services ID, Password, Proxy server (if required) and Exchange Online services.

NOTE: Back synchronization of contacts uses Microsoft Office 365 Connector to establish connection to Office 365. Back synchronization of users and groups uses the Azure AD Connector to establish connection to Azure AD.
Step 2: Create Connection to Active Roles in the hybrid environment

Create a connection to Active Roles using the Active Roles Connector. The configuration requires the local domain details and Active Roles version used. Define the scope to select the container from which the objects for synchronization must be selected.

Step 3: Create Sync Workflow

Create a Sync Workflow using the Office 365 and Active Roles connections. Add a Synchronization step to Update Office 365 Contacts to Active Roles Contacts. Configure the Forward Sync Rule to synchronize the following:

  • Azure ExternalDirectoryObjectId property of a contact to the Active Roles contact edsaAzureContactObjectId property.
  • Set the edsvaAzureOffice365Enabled attribute in Active Roles contact to True.
  • Set edsvaAzureAssociatedTenantId with Azure Tenant ID.

Step 4: Create Mapping

Create a Mapping Rule, which identifies the contact in Office 365 and on-premises AD uniquely and map the specified properties from Office 365 to Active Roles appropriately.

NOTE:

  • Based on the environment, make sure to create the correct Mapping rule to identify the contacts uniquely. In-correct mapping rule may create duplicate objects and the back-sync operation may not work as expected.
  • In Federated or Synchronized environments, Office 365 contact creation is not  supported. The  contact is created in Active Roles and is synchronized eventu- ally to Office 365 using Microsoft Native tools, such as AAD Connect. To manage the Office 365 contact through Active Roles, you must perform periodic  back-synchronization to on-premise AD.

 

Changes to Azure O365 Policies in Active Roles after 7.4.1

Active Roles 7.4.3 introduces support for Azure Multi tenant model. Multiple tenants can be configured on the Web Interface. Using this feature, the Azure objects from multiple tenants can be managed from the web interface.

The previous custom policies related to Azure Roles and licenses, and OneDrive are not valid and the policy evaluation is skipped after an import or upgrade. Active Roles 7.4.3 introduces a new Azure/Office 365 Tenant Management policy that encompasses all the previous Azure related policies such as Azure Roles and Licenses, and OneDrive policies. Configure the latest Azure/Office 365 Tenant Selection policies to proceed further. The Web Interface notifies the user if any older policies are applied on the OU. Deprovisioning policy for Azure license retention is invalid and must be created again and applied. For more information on the new policy, see Office 365 and Azure Tenant Selection.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating