Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Identity Manager 9.2 - Administration Guide for Connecting to Azure Active Directory

Table of Contents

Managing Azure Active Directory environments

Architecture overview One Identity Manager users for managing an Azure Active Directory environment Configuration parameters for managing Azure Active Directory environments

Synchronizing an Azure Active Directory environment

Setting up initial synchronization with an Azure Active Directory tenant

Registering an enterprise application for One Identity Manager in the Azure Active Directory tenant Users and permissions for synchronizing with Azure Active Directory Setting up the Azure Active Directory synchronization server

System requirements for the Azure Active Directory synchronization server Installing One Identity Manager Service with an Azure Active Directory connector

Creating a synchronization project for initial synchronization of an Azure Active Directory tenant

Information required for Azure Active Directory synchronization projects Creating an initial synchronization project for an Azure Active Directory tenant

Configuring the synchronization log

Adjusting the synchronization configuration for Azure Active Directory environments

Configuring synchronization with Azure Active Directory tenants Configuring synchronization of different Azure Active Directory tenants Customizing synchronization projects to invite guest users Supporting custom Azure Active Directory extensions Changing system connection settings of Azure Active Directory tenants

Editing connection parameters in the variable set Editing target system connection properties

Updating schemas Speeding up synchronization Configuring the provisioning of memberships Configuring single object synchronization Accelerating provisioning and single object synchronization

Running synchronization

Starting synchronization Deactivating synchronization Displaying synchronization results Synchronizing single objects

Tasks following synchronization

Post-processing outstanding objects Adding custom tables to the target system synchronization Managing Azure Active Directory user accounts through account definitions

Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)

Managing Azure Active Directory user accounts and identities

Account definitions for Azure Active Directory user accounts

Creating account definitions Editing account definitions Main data for an account definition Editing manage levels Creating manage levels Assigning manage levels to account definitions Main data for manage levels Creating mapping rules for IT operating data Entering IT operating data Modify IT operating data Assigning account definitions to identities

Assigning account definitions to departments, cost centers, and locations Assigning account definitions to business roles Assigning account definitions to all identities Assigning account definitions directly to identities Assigning account definitions to system roles Adding account definitions in the IT Shop

Assigning account definitions to Azure Active Directory tenants Deleting account definitions

Assigning identities automatically to Azure Active Directory user accounts

Editing search criteria for automatic identity assignment Finding identities and directly assigning them to user accounts Changing manage levels for Azure Active Directory user accounts

Supported user account types

Default user accounts Administrative user accounts

Providing administrative user accounts for one identity Providing administrative user accounts for several people

Privileged user accounts

Updating identities when Azure Active Directory user account are modified Specifying deferred deletion for Azure Active Directory user accounts

Managing memberships in Azure Active Directory groups

Assigning Azure Active Directory groups to Azure Active Directory user accounts

Prerequisites for indirect assignment of Azure Active Directory groups to Azure Active Directory user accounts Assigning Azure Active Directory groups to departments, cost centers and locations Assigning Azure Active Directory groups to business roles Adding Azure Active Directory groups to system roles Adding Azure Active Directory groups to the IT Shop Adding Azure Active Directory groups automatically to the IT Shop Assigning Azure Active Directory user accounts directly to Azure Active Directory groups Assigning Azure Active Directory groups directly to Azure Active Directory user accounts

Effectiveness of group memberships Azure Active Directory group inheritance based on categories Overview of all assignments

Managing Azure Active Directory administrator roles assignments

Assigning Azure Active Directory administrator roles to Azure Active Directory user accounts

Prerequisites for indirect assignment of Azure Active Directory administration roles to Azure Active Directory user accounts Assigning Azure Active Directory administrator roles to departments, cost centers, and locations Assigning Azure Active Directory administrator roles to business roles Adding Azure Active Directory administrator roles to system roles Adding Azure Active Directory administrator roles in the IT Shop Assigning Azure Active Directory user accounts directly to Azure Active Directory administrator roles Assigning Azure Active Directory administrator roles directly to Azure Active Directory user accounts

Azure Active Directory administrator role inheritance based on categories

Managing Azure Active Directory subscription and Azure Active Directory service plan assignments

Displaying enabled and disabled Azure Active Directory service plans forAzure Active Directory user accounts and Azure Active Directory groups Assigning Azure Active Directory subscriptions to Azure Active Directory user accounts

Prerequisites for indirect assignment of Azure Active Directory subscriptions to Azure Active Directory user accounts Assigning Azure Active Directory subscriptions to departments, cost centers, and locations Assigning Azure Active Directory subscriptions to business roles Adding Azure Active Directory subscriptions to system roles Adding Azure Active Directory subscriptions to the IT Shop Adding Azure Active Directory subscriptions automatically to the IT Shop Assigning Azure Active Directory user account directly to Azure Active Directory subscriptions Assigning Azure Active Directory subscriptions directly to Azure Active Directory user accounts

Assigning disabled Azure Active Directory service plans to Azure Active Directory user accounts

Prerequisites for indirect assignment of disabled Azure Active Directory service plans to Azure Active Directory user accounts Assigning disabled Azure Active Directory service plans directly to departments, cost centers, and locations Assigning disabled Azure Active Directory service plans to business roles Adding disabled Azure Active Directory service plans to system roles Adding disabled Azure Active Directory service plans to the IT Shop Adding disabled Azure Active Directory service plans automatically to the IT Shop Assigning Azure Active Directory user accounts directly to disabled Azure Active Directory service plans Assigning disabled Azure Active Directory service plans directly to Azure Active Directory user accounts

Inheriting Azure Active Directory subscriptions based on categories Inheritance of disabled Azure Active Directory service plans based on categories

Login credentials for Azure Active Directory user accounts

Password policies for Azure Active Directory user accounts

Predefined password policies Using password policies Creating password policies Editing password policies General main data of password policies Policy settings Character classes for passwords Custom scripts for password requirements

Checking passwords with a script Generating passwords with a script

Password exclusion list Checking passwords Testing password generation

Initial password for new Azure Active Directory user accounts Email notifications about login data

Azure Active Directory role management

Azure Active Directory role management tenants Enabling new Azure Active Directory role management features Azure Active Directory role main data Adding Azure Active Directory role assignments Adding Azure Active Directory role eligibilities Assigning Azure Active Directory scoped role assignments Assigning Azure Active Directory scoped role eligibilities Managing Azure Active Directory role assignments Managing Azure Active Directory role eligibilities

Mapping Azure Active Directory objects in One Identity Manager

Azure Active Directory core directories

Azure Active Directory tenant General main data of Azure Active Directory tenants Information about local Active Directory Defining categories for the inheritance of entitlements Editing the synchronization project for an Azure Active Directory tenant Azure Active Directory domains Azure Active Directory policies for activity-based timeouts Azure Active Directory policies for home realm discovery Azure Active Directory policies for issuing tokens Azure Active Directory policies for token lifetime

Azure Active Directory user accounts

Creating and editing Azure Active Directory user accounts General main data of Azure Active Directory user accounts Contact data for Azure Active Directory user accounts Information about the user profile for Azure Active Directory user accounts Organizational data for Azure Active Directory user accounts Information about the local Active Directory user account Audit data for Azure Active Directory user accounts Assigning extended properties to Azure Active Directory user accounts Disabling Azure Active Directory user accounts Deleting and restoring Azure Active Directory user accounts Displaying the Azure Active Directory user account overview Displaying Active Directory user accounts for Azure Active Directory user accounts

Azure Active Directory user identities

Deploying user identities for Azure Active Directory user accounts Displaying user identities for Azure Active Directory user accounts Displaying Azure Active Directory user identities' main data Displaying the Azure Active Directory user identity overview

Azure Active Directory groups

Editing main data of Azure Active Directory groups General main data for Azure Active Directory groups Information about local Active Directory groups Adding Azure Active Directory groups to Azure Active Directory groups Assigning Azure Active Directory administrator roles to Azure Active Directory groups Assigning owners to Azure Active Directory groups Assigning extended properties to Azure Active Directory groups Deleting Azure Active Directory groups Displaying the Azure Active Directory group overview Displaying Active Directory groups for Azure Active Directory groups

Azure Active Directory administrator roles

Editing main data of Azure Active Directory administrator roles Assigning Azure Active Directory groups to Azure Active Directory administrator roles Assigning extended properties to Azure Active Directory administrator roles Displaying the Azure Active Directory administration role overview

Azure Active Directory administrative units

Editing main data of administrative units Assigning user accounts to administrative units Assigning groups to administrative units

Azure Active Directory subscriptions and Azure Active Directory service principals

Editing Azure Active Directory subscription main data Assigning additional properties to Azure Active Directory subscriptions Displaying the Azure Active Directory subscriptions and service plan overview

Disabled Azure Active Directory service plans

Editing main data of disabled Azure Active Directory service plans Assigning extended properties to disabled Azure Active Directory service plans Displaying the disabled Azure Active Directory service plan overview

Azure Active Directory app registrations and Azure Active Directory service principals

Displaying information about Azure Active Directory app registrations Assigning owners to Azure Active Directory app registrations Displaying Azure Active Directory app registration main data Displaying information about Azure Active Directory service principals Assigning owner to Azure Active Directory service principals Editing authorizations for Azure Active Directory service principals Displaying Azure Active Directory service principals for enterprise applications Displaying Azure Active Directory service principal main data

Reports about Azure Active Directory objects

Handling of Azure Active Directory objects in the Web Portal Recommendations for federations Basic configuration data for managing an Azure Active Directory environment

Target system managers for Azure Active Directory Job server for Azure Active Directory-specific process handling

General main data of Job servers Specifying server functions

Troubleshooting

Possible errors when synchronizing an Azure Active Directory tenant

Configuration parameters for managing an Azure Active Directory environment Default project template for Azure Active Directory

Project template for Azure Active Directory tenants Project template for Azure Active Directory B2C tenants

Editing Azure Active Directory system objects Azure Active Directory connector settings

Adding Azure Active Directory role eligibilities

Role management allows you to assign additional role eligibilities to roles in Azure Active Directory partial scopes. These role eligibilities can be enabled by the assigned principal as required.

To assign a role eligibility to a role

In Manager, select the category Azure Active Directory > Roles.
Select the role in the result list.
Select the Add or remove role eligibilities task.
Click Add and enter the following information.
- Principal: The main principal, such as a group or single user, whose scope should be assigned access.
- Application scope: The application scope for which the principal should be given access.
  - OR -
  Directory scope: The directory scope for which the principal should be given access.
- Enter Permanent if it is a permanent assignment.
- Start time: The time at which the role eligibility is assigned.
- End time: The time at which the role eligibility expires.
  
  NOTE: Select Permanent, disables the End time entry.
- Valid from: The role eligibility is valid from this point on.
- Valid until: The role eligibility is expired from at this point on.
- Specify whether this assignment is a Direct assignment.
  
  NOTES: The Indirect assignment and Assignment request options are set by processes and cannot be set manually.
- Request procedure: References the request procedure that results in the assignment.

Related topics

Assigning Azure Active Directory scoped role assignments

In Azure Active Directory, active role assignments for groups can be assigned in specified partial scopes.

To assign a system role to scope

In the Manager, select the Azure Active Directory > Scoped role assignments category.
Select the role in the result list.
Select the Assign system roles task.
In the Add assignments pane, assign system roles.
TIP: In the Remove assignments pane, you can remove assigned system roles.

To remove an assignment
- Select the system role and double-click .
Save the changes.

To assign a business role to a scope

In the Manager, select the Azure Active Directory > Scoped role assignments category.
Select the role in the result list.
Select the Assign business roles task.
In the Add assignments pane, select the role class and assign business roles.
TIP: In the Remove assignments pane, you can remove assigned business roles.

To remove an assignment
- Select the business role and double-click .
Save the changes.

To assign an organization to a scope

In the Manager, select the Azure Active Directory > Scoped role assignments category.
Select the role in the result list.
Select the Assign organizations task.

In the Add assignments pane, assign the organizations:
- On the Departments tab, assign departments.
- On the Locations tab, assign locations.
- On the Cost centers tab, assign cost centers.
TIP: In the Remove assignments pane, you can remove assigned organizations.

To remove an assignment
- Select the organization and double-click .
Save the changes.

Related topics

Assigning Azure Active Directory scoped role eligibilities

In Azure Active Directory, role eligibilities for groups can be assigned in specified partial scopes. This does not mean that a principal has an active role assignment, but can activate it at any time if necessary.

To assign a system role to scope

In the Manager, select the Azure Active Directory > Scoped role eligibilities category.
Select the role in the result list.
Select the Assign system roles task.
In the Add assignments pane, assign system roles.
TIP: In the Remove assignments pane, you can remove assigned system roles.

To remove an assignment
- Select the system role and double-click .
Save the changes.

To assign a business role to a scope

In the Manager, select the Azure Active Directory > Scoped role eligibilities category.
Select the role in the result list.
Select the Assign business roles task.
In the Add assignments pane, select the role class and assign business roles.
TIP: In the Remove assignments pane, you can remove assigned business roles.

To remove an assignment
- Select the business role and double-click .
Save the changes.

To assign an organization to a scope

In the Manager, select the Azure Active Directory > Scoped role eligibilities category.
Select the role in the result list.
Select the Assign organizations task.

In the Add assignments pane, assign the organizations:
- On the Departments tab, assign departments.
- On the Locations tab, assign locations.
- On the Cost centers tab, assign cost centers.
TIP: In the Remove assignments pane, you can remove assigned organizations.

To remove an assignment
- Select the organization and double-click .
Save the changes.

Related topics

Managing Azure Active Directory role assignments

To edit a role assignment

In Manager, select the category Azure Active Directory > Roles.
Select the role in the result list.
Select the Add or remove role assignments task.
Select the principal in the result list.
Enter the data.
Save the changes.

Related topics

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center