Chat now with support
Chat with Support

Identity Manager 9.1.1 - Administration Guide for Connecting to Azure Active Directory

Managing Azure Active Directory environments Synchronizing an Azure Active Directory environment
Setting up initial synchronization with an Azure Active Directory tenant Adjusting the synchronization configuration for Azure Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Azure Active Directory user accounts and employees Managing memberships in Azure Active Directory groups Managing Azure Active Directory administrator roles assignments Managing Azure Active Directory subscription and Azure Active Directory service plan assignments
Displaying enabled and disabled Azure Active Directory service plans forAzure Active Directory user accounts and Azure Active Directory groups Assigning Azure Active Directory subscriptions to Azure Active Directory user accounts Assigning disabled Azure Active Directory service plans to Azure Active Directory user accounts Inheriting Azure Active Directory subscriptions based on categories Inheritance of disabled Azure Active Directory service plans based on categories
Login information for Azure Active Directory user accounts Mapping of Azure Active Directory objects in One Identity Manager
Azure Active Directory core directories Azure Active Directory user accounts Azure Active Directory user identities Azure Active Directory groups Azure Active Directory administrator roles Azure Active Directory subscriptions and Azure Active Directory service principals Disabled Azure Active Directory service plans Azure Active Directory app registrations and Azure Active Directory service principals Reports about Azure Active Directory objects
Handling of Azure Active Directory objects in the Web Portal Recommendations for federations Basic configuration data for managing an Azure Active Directory environment Troubleshooting Configuration parameters for managing an Azure Active Directory environment Default project template for Azure Active Directory Editing Azure Active Directory system objects Azure Active Directory connector settings

Displaying Azure Active Directory service principal main data

The information about the Azure Active Directory service principal is loaded into One Identity Manager during synchronization. You cannot edit Azure Active Directory service principal main data.

To display an Azure Active Directory service principal's main data

  1. In the Manager, select the Azure Active Directory > Service principals category.

  2. In the result list, select the Azure Active Directory service principal.

  3. Select the Change main data task.

Table 41: General main data for an Azure Active Directory service principal

Property

Description

Display name

Name for displaying the service principal.

Alternative names Alternative names for the service principal. This is used to call service principals by subscription, to identify resource groups and full resource IDs for managing identities.

Web page

Home page of the Azure Active Directory application.

Enabled Specifies whether the service principal is enabled.
Application display name. Display name of the associated Azure Active Directory application.
App role assignment required Specifies whether users or other service principals must be assigned an app role for this service principal before they can login or obtain application tokens.

Logo URL

Link to the application's logo.

Marketing URL

Link to the application's marketing page.

Privacy statement URL

Link to the application's privacy statement.

Service URL

Link to the application's support page.

Terms of service URL

Link to the application's terms of service.

Login URL URL that the identity provider uses to reroute the user to Azure Active Directory for authentication.
Logout URL URL that the Microsoft authorization service uses to log out a user using OPENID Connect front channel, OpenID Connect back-channel, or SAML logout protocols.
Notification mail addresses

List of email addresses that Azure Active Directory sends a notification to if the active certificate is nearing the expiration date.

Preferred single sign-on mode Single sign-on mode configured for this Azure Active Directory application.

Reply URLs

URLs that user tokens are sent to for logging in with the associated application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are sent to for the associated application.

Service principal names

Contains the list of URIs that identify the associated Azure Active Directory application within its Azure Active Directory tenant, or within a verified custom domain, if the Azure Active Directory application is an Azure Active Directory multi-tenant.

Service principal type

Type of service principal, for example, an application or a managed identity. The type is set internally by Azure Active Directory.

Encryption key ID

ID of the public key for logging in using certificates.

Home realm discovery policy

Name of the home realm discovery policy.

Delete date

Time at which the service principal was deleted.

Tags

User-defined string to use for categorizing and identifying the application.

Related topics

Reports about Azure Active Directory objects

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for Azure Active Directory.

NOTE: Other sections may be available depending on the which modules are installed.

Table 42: Data quality target system report

Report

Published for

Description

Show overview

User account

This report shows an overview of the user account and the assigned permissions.

Show overview including origin

User account

This report shows an overview of the user account and origin of the assigned permissions.

Show overview including history

User account

This report shows an overview of the user accounts including its history.

Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report.

License overview

User account

The report contains a summary of assigned and effective subscriptions and service plans for a user account.

License overview

Subscription

The report shows an overview of a subscription license. It shows to which groups and user accounts the subscription is assigned and which service plans effectively apply to the groups and the user accounts.

Overview of all assignments

group

Subscription

Administrator role

This report finds all roles containing employees who have the selected system entitlement.

Show overview

group

This report shows an overview of the system entitlement and its assignments.

Show overview including origin

group

This report shows an overview of the system entitlement and origin of the assigned user accounts.

Show overview including history

group

This report shows an overview of the system entitlement and including its history.

Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report.

Show entitlement drifts

Tenant

This report shows all system entitlements that are the result of manual operations in the target system rather than provisioned by One Identity Manager.

Show user accounts overview (incl. history)

Tenant

This report returns all the user accounts with their permissions including a history.

Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report.

Show user accounts with an above average number of system entitlements

Tenant

This report contains all user accounts with an above average number of system entitlements.

Show employees with multiple user accounts

Tenant

This report shows all the employees that have multiple user accounts. The report contains a risk assessment.

Show system entitlements overview (incl. history)

Tenant

This report shows the system entitlements with the assigned user accounts including a history.

Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date, are not shown in the report.

Overview of all assignments

Tenant

This report finds all roles containing employees with at least one user account in the selected target system.

Show unused user accounts

Tenant

This report contains all user accounts, which have not been used in the last few months.

Show orphaned user accounts

Tenant

This report shows all user accounts to which no employee is assigned.

Table 43: Additional reports for the target system

Report

Description

Azure Active Directory user account and group administration

This report contains a summary of user account and group distribution in all tenants. You can find this report in the My One Identity Manager category.

Data quality summary for Azure Active Directory user accounts

This report contains different evaluations of user account data quality in all tenants. You can find this report in the My One Identity Manager category.

Handling of Azure Active Directory objects in the Web Portal

One Identity Manager enables its users to perform various tasks simply using a Web Portal.

  • Managing user accounts and employees

    An account definition can be requested by shop customers in the Web Portal if it is assigned to an IT Shop shelf. The request undergoes a defined approval process. The user account is not created until it has been agreed by an authorized person, such as a manager.

  • Managing assignments of groups, administrator roles, subscriptions, and disabled service plans

    In the Web Portal, by assigning groups, administrator roles, subscriptions, and disabled service plans to an IT Shop shelf, you can request these products from shop customers. The request undergoes a defined approval process. The group, administrator role, subscription, or disabled service plan is not assigned until it has been approved by an authorized person.

    In the IT Shop, the following selves are available: Identity & Access Lifecycle > Azure Active Directory groups, Identity & Access Lifecycle > Azure Active Directory subscriptions, and Identity & Access Lifecycle > Disabled Azure Active Directory service plans.

    In the Web Portal, managers and administrators of organizations can assign groups, administrator roles, subscriptions, and disabled service plans to the departments, cost centers, or locations for which they are responsible. The groups, administrator roles, subscriptions, and disabled service plans are inherited by all employees who are members of these departments, cost centers, or locations.

    If the Business Roles Module is available, in the Web Portal, managers and administrators of business roles can assign groups, administrator roles, subscriptions, and disabled service plans to the business roles for which they are responsible. The groups, administrator roles, subscriptions, and disabled service plans are inherited by all employees who are members of these business roles.

    If the System Roles Module is available, in the Web Portal, supervisors of system roles can assign groups, administrator roles, subscriptions, and disabled service plans to the system roles. The groups, administrator roles, subscriptions, and disabled service plans are inherited by all employees that have these system roles assigned to them.

  • Attestation

    If the Attestation Module is available, the correctness of the properties of target system objects and of entitlement assignments can be verified on request. To enable this, attestation policies are configured in the Manager. The attestors use the Web Portal to approve attestation cases.

  • Governance administration

    If the Compliance Rules Module is available, you can define rules that identify the invalid entitlement assignments and evaluate their risks. The rules are checked regularly, and if changes are made to the objects in One Identity Manager. Compliance rules are defined in the Manager. Supervisors use the Web Portal to check and resolve rule violations and to grant exception approvals.

    If the Company Policies Module is available, company policies can be defined for the target system objects mapped in One Identity Manager and their risks evaluated. Company policies are defined in the Manager. Supervisors use the Web Portal to check policy violations and to grant exception approvals.

  • Risk assessment

    You can use the risk index of groups, administrator roles, and subscriptions to evaluate the risk of entitlement assignments for the company.One Identity Manager provides default calculation functions for this. The calculation functions can be modified in the Web Portal.

  • Reports and statistics

    The Web Portal provides a range of reports and statistics about the employees, user accounts, and their entitlements and risks.

For more information about the named topics, see Managing Azure Active Directory user accounts and employees, Managing memberships in Azure Active Directory groups, Managing Azure Active Directory administrator roles assignments, Managing Azure Active Directory subscription and Azure Active Directory service plan assignments and in refer to the following guides:

  • One Identity Manager Web Designer Web Portal User Guide

  • One Identity Manager Attestation Administration Guide

  • One Identity Manager Compliance Rules Administration Guide

  • One Identity Manager Company Policies Administration Guide

  • One Identity Manager Risk Assessment Administration Guide

Recommendations for federations

NOTE: The following modules must be installed to support federations in One Identity Manager:

  • Active Directory Module

  • Azure Active Directory Module

In a federation, the local Active Directory user accounts are connected to Azure Active Directory user accounts. The connection is established by using the ms-ds-consistencyGUID property in the Active Directory user account and the immutable property in the Azure Active Directory user account. Synchronization of Active Directory and Azure Active Directory user accounts is carried out in the federation by Azure AD Connect. For more information about Azure AD Connect, see the Azure Active Directory documentation from Microsoft.

One Identity Manager maps the connection using the Active Directory user account's Azure AD Connect anchor ID (ADSAccount.MSDsConsistencyGuid) and the Azure Active Directory user account's immutable identifier  (AADUser.OnPremImmutableId).

Some of the target system relevant properties of Azure Active Directory user accounts that are linked to local Active Directory user account cannot be changed in One Identity Manager. However, assignment of permissions to Azure Active Directory user accounts in One Identity Manager is possible.

Assignments to Azure Active Directory groups that are synchronized with the local Active Directory are not allowed in One Identity Manager. These groups cannot be requested through the web portal. You can only manage these groups in your locally. For more information, see the Azure Active Directory documentation from Microsoft.

The One Identity Manager supports the following scenarios for federations.

Scenario 1
  1. Active Directory user accounts are created in One Identity Manager and provisioned the local Active Directory environment.

  2. Azure AD Connect creates the Azure Active Directory user accounts in Azure Active Directory tenants.

  3. Azure Active Directory synchronization loads the Azure Active Directory user accounts in to One Identity Manager.

This is the recommended procedure. Creating Azure Active Directory user accounts through Azure AD Connect and then loading them into One Identity Manager normally takes a while. Azure Active Directory user accounts are not immediately available in One Identity Manager.

Scenario 2
  1. Active Directory user accounts and Azure Active Directory user accounts are created in One Identity Manager.

    In this case, the connection is established by using the ADSAccount.MSDsConsistencyGuid and AADUser.OnPremImmutableId columns. This can be carried using custom scripts or custom templates.

  2. Active Directory and Azure Active Directory user accounts are provisioned independently in their own target systems.

  3. Azure AD Connect detects the connection between the user accounts, establishes the connection in the federation and updates the required properties.

  4. The next Azure Active Directory synchronization updates the Azure Active Directory user accounts in One Identity Manager.

With this scenario, the Azure Active Directory user accounts are immediately available in One Identity Manager and can be issued their permissions.

NOTE:

  • If you work with account definitions, it is recommended you enter the account definition for Active Directory as a required account definition in the account definition for Azure Active Directory.

  • If you work with account definitions, it is recommended you select the Only initially value for the IT operating data overwrites property in the manage level. Then the data is only determined in the initial case.

  • Do not post-process Azure Active Directory user accounts using templates because certain target system relevant properties cannot be edited and the following errors may occur:

    [Exception]: ServiceException occured

    Code: Request_BadRequest

    Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.

    [ServiceException]: Code: Request_BadRequest - Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.

 

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating