Chat now with support
Chat with Support

Identity Manager 9.0 LTS - Administration Guide for Connecting to Azure Active Directory

Managing Azure Active Directory environments Synchronizing an Azure Active Directory environment
Setting up initial synchronization with an Azure Active Directory tenant Adjusting the synchronization configuration for Azure Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Azure Active Directory user accounts and employees Managing memberships in Azure Active Directory groups Managing Azure Active Directory administrator roles assignments Managing Azure Active Directory subscription and Azure Active Directory service plan assignments
Displaying enabled and disabled Azure Active Directory service plans forAzure Active Directory user accounts and Azure Active Directory groups Assigning Azure Active Directory subscriptions to Azure Active Directory user accounts Assigning disabled Azure Active Directory service plans to Azure Active Directory user accounts Inheriting Azure Active Directory subscriptions based on categories Inheritance of disabled Azure Active Directory service plans based on categories
Login information for Azure Active Directory user accounts Mapping of Azure Active Directory objects in One Identity Manager
Azure Active Directory core directories Azure Active Directory user accounts Azure Active Directory groups Azure Active Directory administrator roles Azure Active Directory subscriptions and Azure Active Directory service principals Disabled Azure Active Directory service plans Azure Active Directory app registrations and Azure Active Directory service principals Reports about Azure Active Directory objects
Handling of Azure Active Directory objects in the Web Portal Recommendations for federations Basic configuration data for managing an Azure Active Directory environment Troubleshooting Configuration parameters for managing an Azure Active Directory environment Default project template for Azure Active Directory Editing Azure Active Directory system objects Azure Active Directory connector settings

Assigning owner to Azure Active Directory service principals

Use this task to assign owners to an Azure Active Directory service principal or to remove them from a service principal.

To assign owners to an Azure Active Directory application

  1. In the Manager, select the Azure Active Directory > Service principals category.

  2. In the result list, select the Azure Active Directory service principal.

  3. Select the Assign owner task.

  4. In the Table menu, select the Azure Active Directory user accounts (AADUser) item.

  5. In the Add assignments pane, assign owners.

    TIP: In the Remove assignments pane, you can remove assigned owners.

    To remove an assignment

    • Select the owner and double-click .

  6. Save the changes.

Editing authorizations for Azure Active Directory service principals

There are so-called app roles defined for app registrations. Azure Active Directory users, Azure Active Directory groups, or Azure Active Directory service principals can use app roles to provide permissions or functions for the application.

App roles and their assignments are loaded into One Identity Manager by synchronization. However, you cannot create new app roles in One Identity Manager. In One Identity Manager, you can add or remove authorizations for the service principals and their app registrations respectively.

To assign authorizations to an Azure Active Directory service principal

  1. In the Manager, select the Azure Active Directory > Service principals category.

  2. In the result list, select the Azure Active Directory service principal.

  3. Select the Assign authorizations task.

  4. In the Assignments pane, click Add and enter the following data.

    • Authorized for: Specify the user account, group, or service principal for the authorization.

      1. Click next to the field.

      2. Under Table, select one of the following tables:

        • To authorize a user account, select AADUser.

        • To authorize a group, select AADGroup.

        • To authorize a service principal, select AADServicePrincipal.

      3. Under Authorized for, select the user account, group, or service principal.

      4. Click OK.

    • App role: Select the app role for the authorization.

      NOTE: If there is no app role defined for a service principal, leave this item empty to authorize the user account, group, or service principal.

  5. Save the changes.

To remove authorizations from an Azure Active Directory service principal

  1. In the Manager, select the Azure Active Directory > Service principals category.

  2. In the result list, select the Azure Active Directory service principal.

  3. Select the Assign authorizations task.

  4. In the Assignments pane, select the authorization you want to remove.

  5. Click Remove.

  6. Save the changes.

Displaying Azure Active Directory service principals for enterprise applications

This task allows you to display the service principals that represent enterprise applications.

To display enterprise applications

  1. In the Manager, select the Azure Active Directory > Service principals category.

  2. Select one of the following entries:

    • By type > Application > Enterprise applications

    • By type > Legacy > Enterprise applications

  3. In the result list, select the Azure Active Directory service principal.

  4. Select one of the following tasks:

    • Azure Active Directory service principal overview: This shows you an overview of the Azure Active Directory service principal and its dependencies.

    • Change main data: This displays the Azure Active Directory service principal's main data.

    • Assign owners: This displays the Azure Active Directory service principals owners. You can assign owners to a service principal or remove them.

    • Assign authorizations: This displays user accounts, groups, and service principals with their assigned app roles. You can create more authorizations or removed them.

Related topics

Displaying Azure Active Directory service principal main data

The information about the Azure Active Directory service principal is loaded into One Identity Manager during synchronization. You cannot edit Azure Active Directory service principal main data.

To display an Azure Active Directory service principal's main data

  1. In the Manager, select the Azure Active Directory > Service principals category.

  2. In the result list, select the Azure Active Directory service principal.

  3. Select the Change main data task.

Table 40: General main data for an Azure Active Directory service principal

Property

Description

Display name

Name for displaying the service principal.

Alternative names Alternative names for the service principal. This is used to call service principals by subscription, to identify resource groups and full resource IDs for managing identities.

Web page

Home page of the Azure Active Directory application.

Enabled Specifies whether the service principal is enabled.
Application display name. Display name of the associated Azure Active Directory application.
App role assignment required Specifies whether users or other service principals must be assigned an app role for this service principal before they can login or obtain application tokens.

Logo URL

Link to the application's logo.

Marketing URL

Link to the application's marketing page.

Privacy statement URL

Link to the application's privacy statement.

Service URL

Link to the application's support page.

Terms of service URL

Link to the application's terms of service.

Login URL URL that the identity provider uses to reroute the user to Azure Active Directory for authentication.
Logout URL URL that the Microsoft authorization service uses to log out a user using OPENID Connect front channel, OpenID Connect back-channel, or SAML logout protocols.
Notification mail addresses

List of email addresses that Azure Active Directory sends a notification to if the active certificate is nearing the expiration date.

Preferred single sign-on mode Single sign-on mode configured for this Azure Active Directory application.

Reply URLs

URLs that user tokens are sent to for logging in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application.

Service principal names

Contains the list of URIs that identify the associated Azure Active Directory application within its Azure Active Directory tenant, or within a verified custom domain, if the Azure Active Directory application is an Azure Active Directory multi-tenant.

Service principal type

Type of service principal, for example, an application or a managed identity. The type is set internally by Azure Active Directory.

Encryption key ID

ID of the public key for logging in using certificates.

Home realm discovery policy

Name of the home realm discovery policy.

Delete date

Time at which the service principal was deleted.

Tags

User-defined string to use for categorizing and identifying the application.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating