Chat now with support
Chat with Support

Identity Manager 9.1.1 - Administration Guide for Connecting to Azure Active Directory

Managing Azure Active Directory environments Synchronizing an Azure Active Directory environment
Setting up initial synchronization with an Azure Active Directory tenant Adjusting the synchronization configuration for Azure Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Azure Active Directory user accounts and employees Managing memberships in Azure Active Directory groups Managing Azure Active Directory administrator roles assignments Managing Azure Active Directory subscription and Azure Active Directory service plan assignments
Displaying enabled and disabled Azure Active Directory service plans forAzure Active Directory user accounts and Azure Active Directory groups Assigning Azure Active Directory subscriptions to Azure Active Directory user accounts Assigning disabled Azure Active Directory service plans to Azure Active Directory user accounts Inheriting Azure Active Directory subscriptions based on categories Inheritance of disabled Azure Active Directory service plans based on categories
Login information for Azure Active Directory user accounts Mapping of Azure Active Directory objects in One Identity Manager
Azure Active Directory core directories Azure Active Directory user accounts Azure Active Directory user identities Azure Active Directory groups Azure Active Directory administrator roles Azure Active Directory subscriptions and Azure Active Directory service principals Disabled Azure Active Directory service plans Azure Active Directory app registrations and Azure Active Directory service principals Reports about Azure Active Directory objects
Handling of Azure Active Directory objects in the Web Portal Recommendations for federations Basic configuration data for managing an Azure Active Directory environment Troubleshooting Configuration parameters for managing an Azure Active Directory environment Default project template for Azure Active Directory Editing Azure Active Directory system objects Azure Active Directory connector settings

Azure Active Directory groups

Azure Active Directory recognizes several group types into which you can organize users and groups to regulate access to resources or email distribution, for example.

Azure Active Directory groups are loaded into One Identity Manager by synchronization. You can edit individual main data of the group and you can create new security groups in One Identity Manager. However, you cannot create more group types in One Identity Manager.

To add users to groups, you assign the groups directly to users. This can be assignments of groups to departments, cost centers, locations, business roles, or the IT Shop.

NOTE: Assignments to Azure Active Directory groups that are synchronized with the local Active Directory are not allowed in One Identity Manager. These groups cannot be requested through the web portal. You can only manage these groups in your locally. For more information, see the Azure Active Directory documentation from Microsoft.

The group types supported in One Identity Manager are listed below.

Table 34: Support groups types

Group type

Description

Security group

Resource permissions are distributed through security groups. User accounts and other groups are added to security groups, which makes administration easier.

Security groups are loaded into One Identity Manager by synchronization. You can edit security groups in One Identity Manager and also create new ones.

Office 365 group

Office 365 groups are loaded into One Identity Manager by synchronization. You can edit Office 365 groups in One Identity Manager but

you can only create new Office 365 groups in One Identity Manager if the Exchange Online Module in installed. For more information, see the One Identity Manager Administration Guide for Connecting to Exchange Online.

Distribution group

Distribution groups are used to send emails to group members. Distribution groups are loaded into One Identity Manager by synchronization. You can edit distribution groups in One Identity Manager but you cannot create them in One Identity Manager.

Mail-enabled security groups

Mail-enabled security groups are security groups that are used as distribution groups.

Mail-enabled security groups are loaded into One Identity Manager by synchronization. You can edit mail-enabled security groups in One Identity Manager but you can only create new mail-enabled security groups in One Identity Manager if the Exchange Online Module is installed. For more information, see the One Identity Manager Administration Guide for Connecting to Exchange Online.

Dynamic group

Members of a dynamic group are not strictly assigned, but determined through defined rules. Dynamic groups are loaded into One Identity Manager by synchronization. You can change dynamic groups in One Identity Manager. You cannot create new dynamic groups in One Identity Manager.

Related topics

Editing main data of Azure Active Directory groups

Azure Active Directory groups are loaded into One Identity Manager by synchronization. You can create security groups in One Identity Manager. You cannot create distribution group and dynamic groups in One Identity Manager.

You can only create mail-enabled security groups and Office 365 groups in One Identity Manager if the Exchange Online Module is installed. For more information, see the One Identity Manager Administration Guide for Connecting to Exchange Online.

the data you can edit depends on the group type.

To edit group main data

  1. In the Manager, select the Azure Active Directory > Groups category.

  2. Select the group in the result list.

  3. Select the Change main data task.

  4. On the main data form, edit the main data of the group.

  5. Save the changes.
Detailed information about this topic

General main data for Azure Active Directory groups

Enter the following data on the General tab.

Table 35: General main data
Property Description

Display name

Name for displaying the group in the user interface of One Identity Manager tools.

Tenant

The group's Azure Active Directory tenant.

Alias

Email alias for the group.

Email address

Group's email address

Proxy addresses

Other email addresses for the group. You can also add other mail connectors (for example, CCMail, MS) in addition to the standard address type (SMTP, X400).

Use the following syntax to set up other proxy addresses:

Address type: new email address

Group type

The type of group. is empty for security and distribution groups. The value is Unified for Office 365 groups and For dynamic groups, the value entered is DynamicMembership.

Security group

Specifies whether this group is a security group. Resource permissions are distributed through security groups. User accounts and other groups are added to security groups, which makes administration easier.

Mail-enabled

Specifies whether the email is enabled for the group. If this option is set for a security group, it is a mail-enabled security group. Otherwise, it is a distribution group.

Assignable to administrator roles

Specifies whether the group can be assigned to administrator roles. The option can be enabled only when creating a new group.

NOTE: Groups with this option can only be created in Azure Active Directory if there is an Azure Active Directory Premium license for the Azure Active Directory tenant. Otherwise, an error message will be displayed:

Code: Authorization_RequestDenied

Message: Only companies who have purchased AAD Premium may perform this operation.

Read-only memberships

Specifies whether memberships are read-only. For example, dynamic groups. The memberships are regulated by the target system. Manual changes to memberships in One Identity Manager are not permitted.

IT Shop

Specifies whether the group can be requested through the IT Shop. If this option is set, the group can be requested by the employees through the Web Portal and distributed with a defined approval process. The group can still be assigned directly to hierarchical roles.

Only for use in IT Shop

Specifies whether the group can only be requested through the IT Shop. If this option is set, the group can be requested by the employees through the Web Portal and distributed with a defined approval process. Direct assignment of the group to hierarchical roles or user accounts is not permitted.

Service item

Service item data for requesting the group through the IT Shop.

Risk index

Value for evaluating the risk of assigning the group to user accounts. Set a value in the range 0 to 1. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is activated.

For more information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.

Category

Categories for group inheritance. Groups can be selectively inherited by user accounts. To do this, groups and user accounts are divided into categories. Select one or more categories from the menu.

Membership rule

Rule that controls how members of the dynamic group are determined in Azure Active Directory. The property is only shown for groups with the DynamicMembership group type.

Membership rule state

Processing state of the membership rule for a dynamic group. The property is only shown for groups with the DynamicMembership group type.

Description

Text field for additional explanation.

Related topics

Information about local Active Directory groups

The Federation tab shows information about the local Active Directory user account that is linked to the Azure Active Directory user account.

Assignments to Azure Active Directory groups that are synchronized with the local Active Directory are not allowed in One Identity Manager. These groups cannot be requested through the web portal. You can only manage these groups in your locally. For more information, see the Azure Active Directory documentation from Microsoft.

Table 36: Local Active Directory group data
Property Description

Synchronization with local Active Directory enabled

Specifies whether synchronization with a local Active Directory is enabled.

Last synchronization

Time of the last Azure Active Directory group synchronization with the local Active Directory.

SID of local group

Security ID of the local Active Directory group.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating