Chat now with support
Chat with Support

Active Roles 8.1.1 - Administration Guide

Introduction Getting started Rule-based administrative views Role-based administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based access rules
Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configure an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Managing Hybrid AD users
Creating a new Azure AD user with the Web Interface Viewing or updating the Azure AD user properties with the Web Interface Viewing or modifying the manager of a hybrid Azure user Disabling an Azure AD user Enabling an Azure AD user Deprovisioning of an Azure AD user Undo deprovisioning of an Azure AD user Adding an Azure AD user to a group Removing an Azure AD user from a group View the change history and user activity for an Azure AD user Deleting an Azure AD user with the Web Interface Creating a new hybrid Azure user with the Active Roles Web Interface Converting an on-premises user with an Exchange mailbox to a hybrid Azure user Licensing a hybrid Azure user for an Exchange Online mailbox Viewing or modifying the Exchange Online properties of a hybrid Azure user Creating a new Azure AD user with Management Shell Updating the Azure AD user properties with the Management Shell Viewing the Azure AD user properties with the Management Shell Delete an Azure AD user with the Management Shell Assigning Microsoft 365 licenses to new hybrid users Assigning Microsoft 365 licenses to existing hybrid users Modifying or removing Microsoft 365 licenses assigned to hybrid users Updating Microsoft 365 licenses display names
Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Microsoft 365 roles management for hybrid environment users Managing Microsoft 365 contacts Managing Hybrid AD groups Managing Microsoft 365 Groups Managing cloud-only distribution groups Managing cloud-only dynamic distribution groups Managing Azure security groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Modern Authentication Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Example: Configuring high granularity by showing only specific Azure users

This scenario describes how to use the Managed Units (MUs) and Access Templates (ATs) of the Active Roles Console together to configure Azure user administration permissions with high granularity. In this example, the MUs and ATs are used to grant a group of helpdesk users read access only to a specific group of Azure users. You can achieve this by:

  1. Configuring an MU containing all the Azure users that the helpdesk users should access. For more information on this procedure, see Configuring a Managed Unit for specific Azure users.

  2. Configuring an AT to grant access only to those Azure users for the helpdesk users. For more information on this procedure, see Configuring Access Templates to read specific Azure users.

Prerequisites

To configure this example scenario, your organization must meet the following requirements:

  • To create MUs and ATs in the Active Roles Console, you must use an Active Roles Administration Service account. For more information, see Configuring the Administration Service account in the Active Roles Quick Start Guide.

  • The organization must already have one or more Azure tenants configured and consented for use with Active Roles. For more information, see Configuring a new Azure tenant and consenting Active Roles as an Azure application.

  • The users receiving the configured permissions must be on-premises or hybrid Active Directory users. You cannot delegate the configured granular permission to cloud-only Azure users.

Configuring a Managed Unit for specific Azure users

To set up a highly-granular Azure user access logic, first you must configure a Managed Unit (MU) that will contain the Azure users that the affected helpdesk users can read.

In this example, the membership of the MU is configured via group membership, specifying that only Azure users that are members of a specific group (in this example, Engineering) are included in the MU. For more information on the available membership rule options for MUs, see Creating a Managed Unit.

To configure a Managed Unit for specific Azure users

  1. In the Active Roles Console, on the Console Tree, navigate to Configuration > Managed Units.

  2. To create a new container for the configured MU, right-click on the Managed Units node, then click New > Managed Unit Container.

    Figure 124: Active Roles Console – Launching the Managed Unit Container dialog

  3. In the Managed Unit Container dialog, specify a Name, and optionally, a Description for the new MU container.

    • Name: Allowed-Azure-Resources

    • Description: Managed Units for the granular access of Azure resources.

  4. To create the new container, click Next then Finish.

  5. To start configuring the new MU, right-click the newly-created Allowed-Azure-Resources container, then click New > Managed Unit.

  6. In the Managed Unit Container dialog, specify a Name, and optionally, a Description for the new MU container.

    • Name: Allowed-Azure-Users

    • Description: Managed Unit for the granular access of Azure users.

    To continue, click Next.

  7. To specify a new membership rule for the MU, in the Membership rule step, click Add.

  8. In the Membership Rule Type dialog, select the rule type used to populate the MU. This example uses the Include Group Members rule type. Select it, then click Next.

    Figure 125: New Managed Unit – Selecting the Include Group Members rule type

  9. In the Select Objects dialog, select the M365 group whose members you want to add to the MU.

    Figure 126: New Managed Unit – Adding the members of an M365 Group to an MU

    To do so:

    1. In the Select Objects dialog, click Browse.

    2. In the Browse for Container dialog, expand the Azure > <azure-tenant-name> node (in this example, the Azure tenant is named ARSExampleOrg.onmicrosoft.com).

    3. Select the Microsoft 365 Groups node, and click OK. The M365 groups existing in the Azure tenant will appear in the Select Objects dialog.

    4. In the Select Objects dialog, select the M365 group you want to add to the MU (in this example, the Engineering group).

    5. To apply the selection, click Add and OK.

  10. To finish creating the MU, click Next, then Next again in the Object Security / Policy Object step, and finally Finish.

  11. To verify that the MU is populated correctly, select the newly-created MU in the Console Tree. The members of the Engineering M365 group must appear in the Active Roles Console.

Configuring Access Templates to read specific Azure users

Once you set up the Managed Unit (MU) as described in Configuring a Managed Unit for specific Azure users, you must create two Access Templates (ATs) so that the affected helpdesk users:

  • Can read the Azure users of the configured MU.

  • Cannot read any other Azure users in your organization.

To create these ATs, perform the following steps. For more information on creating ATs in general, see Creating an Access Template.

To provide read access to the Azure user object class

  1. In the Active Roles Console, in the Active Directory (AD) tree, navigate to Configuration > Access Templates.

  2. Create a new container where you will store the AT. In this example, the container is created in the Azure sub-container of the Access Templates node. Right-click Access Templates > Azure, then click New > Access Template Container.

    Figure 127: Active Roles Console – Launching the Access Templates Container dialog

  3. In the Access Templates Container dialog, specify a Name, and optionally, a Description for the new AT container.

    • Name: Allowed-Azure-Resources

    • Description: Access Templates for the granular access of Azure resources.

  4. To create the new container, click Next then Finish.

  5. To start configuring the new AT, right-click the Allowed-Azure-Resources container, then click New > Access Template.

  6. In the New Object - Access Template dialog, specify a Name, and optionally, a Description for the new AT.

    • Name: ReadAzureUserObject

    • Description: AT to read cloud-only Azure user objects.

    To continue with specifying the required permissions, click Next.

  7. In the Access Template permission entries step, click Add. Then, in the Select object classes to apply permissions onto dialog, select Only the following classes, and the EDS-Azure-User-Container class from the list.

    TIP: If you cannot find the class in the list, select Show all possible classes.

    Figure 128: New Access Template – Selecting the Azure Users container class to allow reading Azure users

    To continue, click Next.

  8. In the Select permission category step, select Object access, then select the List Object access permission from the list.

    Figure 129: New Access Template – Specifying the permission to read allowed objects in the Azure Users container

    To finish configuring the permission, click Finish. Then, in the Access Template permission entries step, click Add again.

  9. In the Select object classes to apply permissions onto dialog, select Only the following classes, then the EDS-Azure-User-Container class from the list again. To continue, click Next.

  10. In the Select permission category step, select Object property access, then select the Read properties access permission from the list.

    Figure 130: New Access Template – Specifying the permission to read the properties of the Azure Users container

    To continue, click Next.

  11. In the Select object properties step, leave the All properties option selected, then click Finish. The two permissions configured in the previous steps then appear in the Access Template permission entries step.

    Figure 131: New Access Template – Listing the permissions to properly read the Azure Users container

  12. To finish configuring the permissions of the AT, click Next, then Finish.

  13. In the Create in step, select Display the object properties when this wizard closes, and click Finish.

  14. To assign the AT to the helpdesk users and the Azure user container of the Azure tenant, in the Properties page that appears, click Administration > Links.

  15. In the Links dialog, click Add, then specify the Azure Users container as the directory object managed by this AT.

    Figure 132: New Access Template – Specifying the Azure Users container as the directory object in scope

    To do so:

    1. In the Select Objects dialog, click Browse.

    2. In the Browse for Container dialog, expand the Azure > <azure-tenant-name> node (in this example, the Azure tenant is named ARSExampleOrg.onmicrosoft.com).

    3. Select the Azure Users node, and click OK. The Azure Users container and the users contained in it will appear in the Select Objects dialog.

    4. In the Select Objects dialog, select the Azure Users container.

    5. To apply the selection, click Add and OK.

    The Azure Users container then appears in the Objects step. To continue configuring the AT, click Next.

  16. In the Users or Groups step, click Add, then select the users to which you want to delegate the permission. In this example, the AT is delegated to the Helpdesk group of an example Organizational Unit (OU). To add the group, click Add, then click OK.

    Figure 133: Delegation of Control Wizard – Selecting the Helpdesk group as Trustee

    To continue, in the Users or Groups step, click Next.

  17. In the Inheritance Options step, make sure that the This directory object and Child objects of this directory object settings are selected. To continue, click Next.

  18. In the Permissions Propagation step, leave the Propagate permissions to Active Directory setting in its default state. To continue, click Next.

  19. To apply your changes, click Apply and OK.

To restrict read access to the Azure users of a specific Managed Unit

  1. In the Active Roles Console, in the Active Directory (AD) tree, navigate to Configuration > Access Templates.

  2. Right-click the Azure Cloud User - Read All Attributes built-in AT, and select Copy.

  3. In the Copy Object - Access Template wizard, specify a Name and optionally, a Description for the new AT. This example uses the following values:

    • Name: AllowAzureUsers

    • Description: AT to grant read access to the specified Azure users.

    To continue, click Next.

  4. In the Create in step, select Display the object properties when this wizard closes, and click Finish.

  5. To assign the AT to the helpdesk users and the Azure user container of the Azure tenant, in the Properties page that appears, click Administration > Links.

  6. In the Links dialog, click Add, then specify the Allowed Azure Users MU as the directory object managed by this AT.

    Figure 134: New Access Template – Specifying the Allowed Azure Users MU as the directory object in scope

    To do so:

    1. In the Select Objects dialog, click Browse.

    2. In the Browse for Container dialog, select the Managed Units > Allowed-Azure-Resources node, and click OK.

    3. In the Select Objects dialog, select the Allowed-Azure-Users MU.

    4. To apply the selection, click Add and OK.

    The Allowed-Azure-Users MU then appears in the Objects step. To continue configuring the AT, click Next.

  7. In the Users or Groups step, click Add, then select the users to which you want to delegate the permission. In this example, the AT is delegated to the Helpdesk group of an example Organizational Unit (OU). To add the group, click Add, then click OK.

    Figure 135: Delegation of Control Wizard – Selecting the Helpdesk group as Trustee

    To continue, in the Users or Groups step, click Next.

  8. In the Inheritance Options step, make sure that the This directory object and Child objects of this directory object settings are selected. To continue, click Next.

  9. In the Permissions Propagation step, leave the Propagate permissions to Active Directory setting in its default state. To continue, click Next.

  10. To complete the configuration of the AT, click Finish. Then, in the Links dialog, click OK.

  11. To apply your changes, click Apply and OK. Active Roles will create the copied AT in the Configuration > Access Templates > Azure container.

  12. Move the AT to the Configuration > Access Templates > Azure > Allowed-Azure-Resources container. To do so, right-click the AT and click Move. Then, in the Move dialog, navigate to the Allowed-Azure-Resources container, select it, and click OK.

Enabling or disabling the granular access to specific Azure users

Once you configured the Managed Unit (MU) of the Azure users, and set up the Access Templates (ATs) to allow access to those Azure users only, the Helpdesk group to which the ATs are assigned can only read the Azure users included in the MU. When opening the list of Azure Users on the Active Roles Web Interface, all other Azure users included in the Azure tenant will be hidden from the Helpdesk group members.

This behavior is dynamic: adding new Azure users into the MU in the Active Roles Console will result in those Azure users appearing in the Active Roles Web Interface for the affected helpdesk users once the changes of the Console are synchronized to the Web Interface. Likewise, removing an Azure user from the MU will result in that Azure user disappearing for the affected helpdesk users in the Web Interface.

You can easily enable or disable the configured granular access later for all affected helpdesk users by enabling or disabling the AllowAzureUsers and ReadAzureUserObject ATs.

To enable or disable the configured granular access to specific Azure users

  1. In the Active Roles Console, on the Console Tree, navigate to Configuration > Access Templates > Allowed-Azure-Resources.

  2. Select the AllowAzureUsers AT.

  3. In the Advanced Details Pane, right-click the configured link, and click Disable.

    Figure 136: Active Roles Console – Disabling the configured Access Template

    TIP: If the Advanced Details Pane does not appear for you, click View > Advanced Details Pane.

  4. Select the ReadAzureUserObject AT, and disable it as you did with the AllowAzureUsers AT.

    Once both ATs are disabled, the users of the Helpdesk group can no longer read the users included in the configured Allowed-Azure-Resources MU, and can no longer see the Azure Users container in the Active Roles Web Interface either.

  5. (Optional) To re-enable the granular access, select one of the ATs, right-click the configured link, and click Enable. Then, enable the other AT similarly.

  6. (Optional) To provide general read access to the entire Azure Users container of the Azure tenant instead of the configured granular access, assign the built-in Azure Cloud User - Read All Attributes AT (or a custom AT based on this built-in AT) to the Helpdesk group. For more information, see Applying Access Templates on a user or group.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating