Chat now with support
Chat with Support

Active Roles 8.1.1 - Administration Guide

Introduction Getting started Rule-based administrative views Role-based administration
Access Templates as administrative roles Access Template management tasks Examples of use Deployment considerations Windows claims-based access rules
Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configure an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Managing Hybrid AD users
Creating a new Azure AD user with the Web Interface Viewing or updating the Azure AD user properties with the Web Interface Viewing or modifying the manager of a hybrid Azure user Disabling an Azure AD user Enabling an Azure AD user Deprovisioning of an Azure AD user Undo deprovisioning of an Azure AD user Adding an Azure AD user to a group Removing an Azure AD user from a group View the change history and user activity for an Azure AD user Deleting an Azure AD user with the Web Interface Creating a new hybrid Azure user with the Active Roles Web Interface Converting an on-premises user with an Exchange mailbox to a hybrid Azure user Licensing a hybrid Azure user for an Exchange Online mailbox Viewing or modifying the Exchange Online properties of a hybrid Azure user Creating a new Azure AD user with Management Shell Updating the Azure AD user properties with the Management Shell Viewing the Azure AD user properties with the Management Shell Delete an Azure AD user with the Management Shell Assigning Microsoft 365 licenses to new hybrid users Assigning Microsoft 365 licenses to existing hybrid users Modifying or removing Microsoft 365 licenses assigned to hybrid users Updating Microsoft 365 licenses display names
Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Microsoft 365 roles management for hybrid environment users Managing Microsoft 365 contacts Managing Hybrid AD groups Managing Microsoft 365 Groups Managing cloud-only distribution groups Managing cloud-only dynamic distribution groups Managing Azure security groups Managing cloud-only Azure users Managing cloud-only Azure guest users Managing cloud-only Azure contacts Changes to Active Roles policies for cloud-only Azure objects Managing room mailboxes Managing cloud-only shared mailboxes
Modern Authentication Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

Software and configuration requirements for non-Outlook integration

The ability to manage approvals from non-Outlook email clients calls for the same software and configuration prerequisites as Outlook integration (see Integration with Microsoft Outlook), with the following exceptions and additions:

  • The email client applications that can be used to manage approvals are not restricted to Microsoft Office Outlook 2010 or later. It is possible to use, for instance, earlier Outlook versions or email applications on mobile devices.

  • Active Roles Add-in for Outlook does not need to be installed on the computer running the email client application.

  • The approval rule notification settings are configured so that the notification messages originated by Active Roles have integration with the Web Interface turned off. Ensure that the Send approval response by e-mail option is selected in the properties of the email configuration that is used by the approval rule (this is the default setting).

Email transport via Exchange Web Services

Active Roles can use Exchange Web Services (rather than an SMTP server) to communicate with Exchange Server when sending notification messages and getting response to notification messages. This enables notification recipients to perform approval tasks by replying to notification messages from their regular email clients, instead of using the Web Interface pages to approve or reject the requests. With the use of Exchange Web Services, Active Roles makes it possible for an approval workflow to behave as follows:

  • A change request that requires approval causes Active Roles to send a notification message to the designated approver, with the message body containing the option to approve or reject the request.

  • The approver replies to the notification message by choosing the desired option (either approve or reject) and typing in a text to explain the reason for that choice.

  • Active Roles receives the reply message from the approver, checks to see if the approver elected to approve or reject the request, and then allows or denies the requested changes accordingly.

The use of Exchange Web Services has the following prerequisites:

  • Exchange Server 2013 or later. Exchange Web Services is deployed with the Client Access server role.

  • Dedicated mailbox hosted on Exchange Server 2013 or later. The mailbox must be reserved for the exclusive use of Active Roles.

Configuration settings for email transport

This section describes the available configuration settings with the Exchange Web Services option for email transport.

Exchange Web Services address

This setting identifies the URL of the Exchange Web Services endpoint, which locates the exchange.asmx file on the Exchange server running the Client Access server role. For example, https://CAServer.domain.com/EWS/exchange.asmx

Authentication type

This setting specifies the authentication method of the Exchange Web Service.

NOTE: Basic authentication is only available for on-premises Exchange Server services, Exchange Online mail resources should be configured with Modern authentication, as Microsoft does not support Basic authentication in Exchange Online mail resources.

Active Roles' mailbox credentials

This setting specifies the user name and password of the mailbox through which Active Roles will send and receive email. The mailbox must be located on Exchange Server 2013 or later, and must be reserved for the exclusive use of Active Roles.

IMPORTANT: This mailbox must only be accessible by Active Roles. Providing access to any other application (for example, Microsoft Outlook) to process email messages in this mailbox can negatively impact the operation of Active Roles.

Options for the Approve and Reject links

This setting controls the behavior of the Approve and Reject links in the notification messages delivered using this email configuration. Two options are available:

  • Send approval response by e-mail

  • Approve or reject via Web Interface

If Send approval response by e-mail is selected, notification recipients can perform approval tasks from within their email application. When an approver chooses one of the links provided in a notification message to approve or reject a request, the email application replies with an email message containing information about the approval decision. Active Roles receives the reply message, checks it to see if the approver elected to approve or reject the request, and then allows or denies the requested changes accordingly.

If Approve or reject via Web Interface is selected, choosing the Approve or Reject link in a notification message directs the email application to open a Web Interface page for performing the approval task. The page may not open as expected if the email application does not support HTML format or an appropriate web browser does not exist on the device running the email application.

Configuring the use of Exchange Web Services

Perform the following steps in the Active Roles Console to configure the default mail settings with the option to use Exchange Web Services:

  1. In the Active Roles Console tree, select Configuration > Server Configuration > Mail Configuration.

  2. In the Details pane, double-click Default Mail Settings.

  3. In the Default Mail Settings Properties dialog, configure the settings on the Mail Setup tab:

    1. From the Settings for list, select Exchange Web Services.

    2. In the Exchange Web Services address box:

      1. For on-premises Exchange mailbox, supply the URL of the Exchange Web Services endpoint. This URL locates the exchange.asmx file on the Exchange server that is running the Client Access server role. For example, https://CAServer.domain.com/EWS/exchange.asmx.

      2. For the Exchange mailbox on the cloud, use https://outlook.office365.com/EWS/Exchange.asmx.

    3. From the Authentication type drop-down, select the authentication method you want to use.

      NOTE: Basic authentication is only available for on-premises Exchange Server services, Exchange Online mail resources should be configured with Modern authentication, as Microsoft does not support Basic authentication in Exchange Online mail resources.

    4. Under Active Roles' mailbox credentials:

      1. For an on-premises Exchange mailbox with Basic authentication, specify the user name and password of the mailbox through which Active Roles will send and receive email.

      2. For a cloud Exchange Online mailbox or an on-premises Exchange mailbox with Modern authentication, specify the Azure user credentials of the Azure mailbox:

        • Tenant ID: The ID of the Azure tenant. To check the ID, on the Azure Portal, navigate to Azure Active Directory > Overview.

        • Client ID: The application client ID. To check the ID, on the Azure Portal, navigate to App registrations > All applications > ActiveRoles.

        • Certificate thumbprint: The most recent certificate thumbprint. To check the thumbprint, on the Azure Portal, navigate to Certificates & secrets > Certificates.

        • Impersonated mailbox: The mailbox that appears to be the sender of the email.

      This mailbox must be created on a server running Exchange 2013 or later and reserved for the exclusive use of Active Roles.

    5. Verify the settings you have configured. Click Verify Settings, supply a valid email address, and then click Send.

    This causes Active Roles to send a diagnostic email message to the address you supplied. The message is attempted to be delivered from Active Roles’ mailbox by using Exchange Web Services. You can check the mailbox with the address you supplied to see if the diagnostic message has been received.

  4. Verify that the Send approval response by email option is selected on the Mail Setup tab.

  5. Select Approve or reject via Web Interface to manage emails through the Web Interface.

  6. When finished, click OK to close the Default Mail Settings Properties dialog.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating