Chat now with support
Chat with Support

Identity Manager 9.2 - Administration Guide for Connecting to Azure Active Directory

Managing Azure Active Directory environments Synchronizing an Azure Active Directory environment
Setting up initial synchronization with an Azure Active Directory tenant Adjusting the synchronization configuration for Azure Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Azure Active Directory user accounts and identities Managing memberships in Azure Active Directory groups Managing Azure Active Directory administrator roles assignments Managing Azure Active Directory subscription and Azure Active Directory service plan assignments
Displaying enabled and disabled Azure Active Directory service plans forAzure Active Directory user accounts and Azure Active Directory groups Assigning Azure Active Directory subscriptions to Azure Active Directory user accounts Assigning disabled Azure Active Directory service plans to Azure Active Directory user accounts Inheriting Azure Active Directory subscriptions based on categories Inheritance of disabled Azure Active Directory service plans based on categories
Login credentials for Azure Active Directory user accounts Azure Active Directory role management Mapping Azure Active Directory objects in One Identity Manager
Azure Active Directory core directories Azure Active Directory user accounts Azure Active Directory user identities Azure Active Directory groups Azure Active Directory administrator roles Azure Active Directory administrative units Azure Active Directory subscriptions and Azure Active Directory service principals Disabled Azure Active Directory service plans Azure Active Directory app registrations and Azure Active Directory service principals Reports about Azure Active Directory objects
Handling of Azure Active Directory objects in the Web Portal Recommendations for federations Basic configuration data for managing an Azure Active Directory environment Troubleshooting Configuration parameters for managing an Azure Active Directory environment Default project template for Azure Active Directory Editing Azure Active Directory system objects Azure Active Directory connector settings

Providing administrative user accounts for one identity

Use this task to create an administrative user account that can be used by an identity.

Prerequisites
  • The user account must be labeled as a personalized administrator identity.

  • The identity that will be using the user account must be marked as a personalized administrator identity.

  • The identity that will be using the user account must be linked to a main identity.

To prepare an administrative user account for an identity

  1. Label the user account as a personalized administrator identity.

    1. In the Manager, select the Azure Active Directory > User accounts category.

    2. Select the user account in the result list.

    3. Select the Change main data task.

    4. On the General tab, in the Identity selection list, select Personalized administrator identity.

  2. Link the user account to the identity that will be using this administrative user account.

    1. In the Manager, select the Azure Active Directory > User accounts category.

    2. Select the user account in the result list.

    3. Select the Change main data task.

    4. On the General tab, in the Identity selection list, select the identity that will be using this administrative user account.

      TIP: If you are the target system manager, you can selected to create a new identity.

Related topics

Providing administrative user accounts for several people

Use this task to create an administrative user account that can be used by more that one identity.

Prerequisite
  • The user account must be labeled as a shared identity.

  • There must be an identity with the type Shared identity available. The shared identity must have a manager.

  • The identities who are permitted to use the user account must be labeled as a primary identity.

To prepare an administrative user account for multiple identities

  1. Label the user account as a shared identity.

    1. In the Manager, select the Azure Active Directory > User accounts category.

    2. Select the user account in the result list.

    3. Select the Change main data task.

    4. On the General tab, in the Identity menu, select Shared identity.

  2. Link the user account to an identity.

    1. In the Manager, select the Azure Active Directory > User accounts category.

    2. Select the user account in the result list.

    3. Select the Change main data task.

    4. On the General tab, in the Identity menu, select an identity the type Shared identity.

      TIP: If you are the target system manager, you can use the button to create a new shared identity.

  3. Assign the identities who will use this administrative user account to the user account.

    1. In the Manager, select the Azure Active Directory > User accounts category.

    2. Select the user account in the result list.

    3. Select the Assign identities authorized to use task.

    4. In the Add assignments pane, add identities.

      TIP: In the Remove assignments pane, you can remove assigned identities.

      To remove an assignment

      • Select the identity and double-click .

Related topics

Privileged user accounts

Privileged user accounts are used to provide identities with additional privileges. This includes administrative user accounts or service accounts, for example. The user accounts are labeled with the Privileged user account property (IsPrivilegedAccount column).

NOTE: The criteria according to which user accounts are automatically identified as privileged are defined as extensions to the view definition (ViewAddOn) in the TSBVAccountIsPrivDetectRule table (which is a table of the Union type). The evaluation is done in the TSB_SetIsPrivilegedAccount script.

To create privileged users through account definitions

  1. Create an account definition. Create a new manage level for privileged user accounts and assign this manage level to the account definition.

  2. If you want to prevent the properties for privileged user accounts from being overwritten, set the IT operating data overwrites property for the manage level to Only initially. In this case, the properties are populated just once when the user accounts are created.

  3. Specify how an identity's temporary deactivation, permanent deactivation, deletion, and security risks affect its user accounts and group memberships in the manage level.

  4. Create a formatting rule for the IT operating data.

    You use the mapping rule to define which rules are used to map IT operating data for user accounts and which default values are used if no IT operating data can be determined through an identity's primary roles.

    The type of IT operating data required depends on the target system. The following settings are recommended for privileged user accounts:

    • In the mapping rule for the IsPrivilegedAccount column, use the default value 1 and set the Always use default value option.

    • You can also specify a mapping rule for the IdentityType column. The column owns different permitted values that represent user accounts.

    • To prevent privileged user accounts from inheriting the entitlements of the default user, define a mapping rule for the IsGroupAccount_Group, IsGroupAccount_SubSku, and IsGroupAccount_DeniedService columns with a default value of 0 and set the Always use default value option.

  5. Enter the effective IT operating data for the target system.

    Specify in the departments, cost centers, locations, or business roles which IT operating data should apply when you set up a user account.

  6. Assign the account definition directly to identities who work with privileged user accounts.

    When the account definition is assigned to an identity, a new user account is created through the inheritance mechanism and subsequent processing.

TIP: If customization requires that the login names of privileged user accounts follow a defined naming convention, specify how the login names are formatted in the template.

  • To use a prefix for the login name, in the Designer, set the TargetSystem | AzureAD | Accounts | PrivilegedAccount | AccountName_Prefix configuration parameter.

  • To use a postfix for the login name, in the Designer, set the TargetSystem | AzureAD | Accounts | PrivilegedAccount | AccountName_Postfix configuration parameter.

These configuration parameters are evaluated in the default installation, if a user account is marked with the Privileged user account property (IsPrivilegedAccount column). The user account login names are renamed according to the formatting rules. This also occurs if the user accounts are labeled as privileged using the Mark selected user accounts as privileged schedule. If necessary, modify the schedule in the Designer.

Related topics

Updating identities when Azure Active Directory user account are modified

In One Identity Manager, modifications to identity properties are forwarded to the associated user accounts and subsequently provisioned in the target system. In certain circumstances, it may be necessary to forward user account modifications in the target system to identity properties in One Identity Manager.

Example:

During testing, user accounts from the target system are only read into One Identity Manager and identities created. User account administration (creating, modifying, and deleting) should be done later through One Identity Manager. During testing, user accounts are modified further in the target system, which can lead to drifts in user account properties and identity properties. Due to this, user account modifications loaded on resynchronization should be temporarily published to identities who are already created. This means data is not lost when user account administration is put into effect through One Identity Manager.

To update identities when user accounts are modified

  • In the Designer, set the TargetSystem | AzureAD | PersonUpdate configuration parameter.

Modifications to user accounts are loaded into One Identity Manager during synchronization. These modifications are forwarded to the associated identities through subsequent scripting and processing.

NOTE:

  • When making changes to user accounts, the identities are only updated for user accounts with the Unmanaged manage level and that are linked to an identity.

  • Only the identity created by the modified user account is updated. The data source from which the identity was created is shown in the Import data source property. If other user accounts are assigned to the identity, changes to these user accounts do not cause the identity to be updated.

  • For identities who do not yet have the Import data source set, the user account's target system is entered as the data source for the import during the first update of the connected user account.

User account properties are mapped to identity properties using the AAD_PersonUpdate_AADUser script. To make the mapping easier to customize, the script is overwritable.

To customize, create a copy of the script and start the script coding follows:

Public Overrides Function AAD_PersonUpdate_AADUser (ByVal UID_Account As String, oldUserPrincipalName As String, ProcID As String)

This redefines the script and overwrites the original. The process does not have to be changed in this case.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating