Chat now with support
Chat with Support

Identity Manager 9.1.1 - Administration Guide for Connecting to Azure Active Directory

Managing Azure Active Directory environments Synchronizing an Azure Active Directory environment
Setting up initial synchronization with an Azure Active Directory tenant Adjusting the synchronization configuration for Azure Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Azure Active Directory user accounts and employees Managing memberships in Azure Active Directory groups Managing Azure Active Directory administrator roles assignments Managing Azure Active Directory subscription and Azure Active Directory service plan assignments
Displaying enabled and disabled Azure Active Directory service plans forAzure Active Directory user accounts and Azure Active Directory groups Assigning Azure Active Directory subscriptions to Azure Active Directory user accounts Assigning disabled Azure Active Directory service plans to Azure Active Directory user accounts Inheriting Azure Active Directory subscriptions based on categories Inheritance of disabled Azure Active Directory service plans based on categories
Login information for Azure Active Directory user accounts Mapping of Azure Active Directory objects in One Identity Manager
Azure Active Directory core directories Azure Active Directory user accounts Azure Active Directory user identities Azure Active Directory groups Azure Active Directory administrator roles Azure Active Directory subscriptions and Azure Active Directory service principals Disabled Azure Active Directory service plans Azure Active Directory app registrations and Azure Active Directory service principals Reports about Azure Active Directory objects
Handling of Azure Active Directory objects in the Web Portal Recommendations for federations Basic configuration data for managing an Azure Active Directory environment Troubleshooting Configuration parameters for managing an Azure Active Directory environment Default project template for Azure Active Directory Editing Azure Active Directory system objects Azure Active Directory connector settings

Adding Azure Active Directory groups automatically to the IT Shop

The following steps can be used to automatically add Azure Active Directory groups to the IT Shop. Synchronization ensures that the Azure Active Directory groups are added to the IT Shop. If necessary, you can manually start synchronization with the Synchronization Editor. New Azure Active Directory groups created in One Identity Manager also are added automatically to the IT Shop.

To add Azure Active Directory groups automatically to the IT Shop

  1. In the Designer, set the QER | ITShop | AutoPublish | AADGroup configuration parameter.

  2. In order not to add Azure Active Directory groups to the IT Shop automatically, in the Designer, set the QER | ITShop | AutoPublish | AADGroup | ExcludeList configuration parameter.

    This configuration parameter contains a listing of all Azure Active Directory groups that should not be allocated to the IT Shop automatically. You can extend this list if required. To do this, enter the name of the groups in the configuration parameter. Names are listed in a pipe (|) delimited list. Regular expressions are supported.

  3. Compile the database.

The Azure Active Directory groups are added automatically to the IT Shop from now on.

The following steps are run to add an Azure Active Directory group to the IT Shop.

  1. A service item is determined for the Azure Active Directory group.

    The service item is tested for each Azure Active Directory group and modified if necessary. The name of the service item corresponds to the name of the Azure Active Directory group.

    • The service item is modified for Azure Active Directory groups with service items.

    • Azure Active Directory groups without service items are allocated new service items.

  2. The service item is assigned to either the Azure Active Directory groups | Security groups default service category or the Azure Active Directory groups | Distribution groups default service category.

  3. An application role for product owners is determined and assigned to the service item.

    Product owners can approve requests for membership in these Azure Active Directory groups. The default product owner is the Azure Active Directory group's owner.

    NOTE: The application role for the product owner must be added under the Request & Fulfillment | IT Shop | Product owner application role.
    • If the owner of the Azure Active Directory group is already a member of an application role for product owners, this application role is assigned to the service item. Therefore, all members of this application role become product owners of the Azure Active Directory group.

    • If the owner of the Azure Active Directory group is not yet a member of an application role for product owners, a new application role is created. The name of the application corresponds to the name of the owner.

      • If the owner is a user account, the user account's employee is added to the application role.

      • If it is a group of owners, the employees of all this group's user accounts are added to the application role.

  4. The Azure Active Directory group is labeled with the IT Shop option and assigned to the IT Shop groups Azure Active Directory shelf in the Identity & Access Lifecycle shop.

Then the shop customers can use the Azure Active Directory to request memberships in Web Portal groups.

NOTE: If an Azure Active Directory group is irrevocably deleted from the One Identity Manager database, the associated service item is also deleted.

For more information about configuring the One Identity Manager IT Shop Administration Guide, see the IT Shop. For more information about requesting access requests in the Web Portal, see the One Identity Manager Web Portal User Guide.

Related topics

Assigning Azure Active Directory user accounts directly to Azure Active Directory groups

To react quickly to special requests, you can assign groups directly to user accounts. You cannot directly assign groups that have the Only use in IT Shop option.

NOTE: User accounts cannot be manually added to dynamic groups.

To assign user accounts directly to a group

  1. In the Manager, select the Azure Active Directory > Groups category.

  2. Select the group in the result list.

  3. Select the Assign user accounts task.

  4. In the Add assignments pane, assign the user accounts.

    TIP: In the Remove assignments pane, you can remove assigned user accounts.

    To remove an assignment

    • Select the user account and double-click .

  5. Save the changes.
Related topics

Assigning Azure Active Directory groups directly to Azure Active Directory user accounts

To react quickly to special requests, you can assign groups directly to user accounts. You cannot directly assign groups that have the Only use in IT Shop option.

NOTE: User accounts cannot be manually added to dynamic groups.

To assign groups directly to user accounts

  1. In the Manager, select the Azure Active Directory > User accounts category.

  2. Select the user account in the result list.

  3. Select the Assign groups task.

  4. In the Add assignments pane, assign the groups.

    TIP: In the Remove assignments pane, you can remove the assignment of groups.

    To remove an assignment

    • Select the group and double-click .

  5. Save the changes.
Related topics

Effectiveness of group memberships

When groups are assigned to user accounts an employee may obtain two or more groups, which are not permitted in this combination. To prevent this, you can declare mutually exclusive groups. To do this, you specify which of the two groups should apply to the user accounts if both are assigned.

It is possible to assign an excluded group at any time either directly, indirectly, or with an IT Shop request. One Identity Manager determines whether the assignment is effective.

NOTE:

  • You cannot define a pair of mutually exclusive groups. That means, the definition "Group A excludes group B" AND "Group B excludes groups A" is not permitted.
  • You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.
  • One Identity Manager does not check if membership of an excluded group is permitted in another group ( table).

The effectiveness of the assignments is mapped in the AADUserInGroup and AADBaseTreeHasGroup tables by the XIsInEffect column.

Example: The effect of group memberships
  • Group A is defined with permissions for triggering requests in a tenant. A group B is authorized to make payments. A group C is authorized to check invoices.
  • Group A is assigned through the "Marketing" department, group B through "Finance", and group C through the "Control group" business role.

Jo User1 has a user account in this tenant. They primarily belong to the "Marketing" department. The "Control group" business role and the "Finance" department are assigned to them secondarily. Without an exclusion definition, the user account obtains all the permissions of groups A, B, and C.

By using suitable controls, you want to prevent an employee from being able to trigger a request and to pay invoices. That means, groups A, B, and C are mutually exclusive. An employee that checks invoices may not be able to make invoice payments as well. That means, groups B and C are mutually exclusive.

Table 15: Specifying excluded groups (AADGroupExclusion table)

Effective group

Excluded group

Group A

Group B

Group A

Group C

Group B

Table 16: Effective assignments

Employee

Member in role

Effective group

Pat Identity1

Marketing

Group A

Jan User3

Marketing, finance

Group B

Jo User1

Marketing, finance, control group

Group C

Chris User2

Marketing, control group

Group A, Group C

Only the group C assignment is in effect for Jo User1. It is published in the target system. If Jo User1 leaves the "control group" business role at a later date, group B also takes effect.

The groups A and C are in effect for Chris User2 because the groups are not defined as mutually exclusive. That means that the employee is authorized to trigger requests and to check invoices. If this should not be allowed, define further exclusion for group C.

Table 17: Excluded groups and effective assignments

Employee

Member in role

Assigned group

Excluded group

Effective group

Chris User2

 

Marketing

Group A

 

Group C

 

Control group

Group C

Group B

Group A

Prerequisites
  • The QER | Structures | Inherite | GroupExclusion configuration parameter is set.

    In the Designer, set the configuration parameter and compile the database.

    NOTE: If you disable the configuration parameter at a later date, model components and scripts that are not longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

  • Mutually exclusive groups belong to the same tenant.

To exclude a group

  1. In the Manager, select the Azure Active Directory > Groups category.

  2. Select a group in the result list.

  3. Select the Exclude groups task.

  4. In the Add assignments pane, assign the groups that are mutually exclusive to the selected group.

    - OR -

    In the Remove assignments pane, remove the groups that are no longer mutually exclusive.

  5. Save the changes.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating