Chat now with support
Chat with Support

Identity Manager 9.2.1 - Administration Guide for Connecting to Azure Active Directory

Managing Azure Active Directory environments Synchronizing an Azure Active Directory environment
Setting up initial synchronization with an Azure Active Directory tenant Adjusting the synchronization configuration for Azure Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Azure Active Directory user accounts and identities Managing memberships in Azure Active Directory groups Managing Azure Active Directory administrator roles assignments Managing Azure Active Directory subscription and Azure Active Directory service plan assignments
Displaying enabled and disabled Azure Active Directory service plans forAzure Active Directory user accounts and Azure Active Directory groups Assigning Azure Active Directory subscriptions to Azure Active Directory user accounts Assigning disabled Azure Active Directory service plans to Azure Active Directory user accounts Inheriting Azure Active Directory subscriptions based on categories Inheritance of disabled Azure Active Directory service plans based on categories
Login credentials for Azure Active Directory user accounts Azure Active Directory role management
Azure Active Directory role management tenants Enabling new Azure Active Directory role management features Azure Active Directory role main data Displaying Azure Active Directory scoped role assignments Displaying scoped role eligibilities for Azure Active Directory roles Overview of Azure Active Directory scoped role assignments Main data of Azure Active Directory scoped role assignments Managing Azure Active Directory scoped role assignments Adding Azure Active Directory scoped role assignments Editing Azure Active Directory scoped role assignments Deleting Azure Active Directory scoped role assignments Assigning Azure Active Directory scoped role assignments Assigning Azure Active Directory system roles to scopes through role assignments Assigning Azure Active Directory business roles to scopes though role assignments Assigning Azure Active Directory organizations to scopes through role assignments Overview of Azure Active Directory scoped role eligibilities Main data of Azure Active Directory scoped role assignments Managing Azure Active Directory scoped role eligibilities Adding Azure Active Directory scoped role eligibilities Editing Azure Active Directory scoped role eligibilities Deleting Azure Active Directory scoped role eligibilities Assigning Azure Active Directory scoped role eligibilities Assigning Azure Active Directory system roles to scopes through role eligibilities Assigning Azure Active Directory business roles to scopes though role eligibilities Assigning Azure Active Directory organizations to scopes through role eligibilities
Mapping Azure Active Directory objects in One Identity Manager
Azure Active Directory core directories Azure Active Directory user accounts Azure Active Directory user identities Azure Active Directory groups Azure Active Directory administrator roles Azure Active Directory administrative units Azure Active Directory subscriptions and Azure Active Directory service principals Disabled Azure Active Directory service plans Azure Active Directory app registrations and Azure Active Directory service principals Reports about Azure Active Directory objects
Handling of Azure Active Directory objects in the Web Portal Recommendations for federations Basic configuration data for managing an Azure Active Directory environment Troubleshooting Configuration parameters for managing an Azure Active Directory environment Default project template for Azure Active Directory Editing Azure Active Directory system objects Azure Active Directory connector settings

Specifying deferred deletion for Azure Active Directory user accounts

You can use deferred deletion to specify how long the user accounts remain in the database after deletion is triggered before they are finally removed. By default, user accounts are finally deleted from the database after 30 days. First, the user accounts are disabled or locked. You can reenable the user accounts up until deferred deletion runs. After deferred deletion is run, the user accounts are deleted from the database and cannot be restored anymore.

You have the following options for configuring deferred deletion.

  • Global deferred deletion: Deferred deletion applies to user accounts in all target system. The default value is 30 days.

    In the Designer, enter a different value for deferred deletion in the Deferred deletion [days] property of the AADUser table.

  • Object-specific deferred deletion: Deferred deletion can be configured depending on certain properties of the accounts.

    To use object-specific deferred deletion, in the Designer, create a Script (deferred deletion) for the AADUser table.

    Example:

    Deferred deletion of privileged user accounts is 10 days. The following Script (deferred deletion) is entered in the table.

    If Not $IsPrivilegedAccount:Bool$ Then

    Value = 10

    End If

For more information on editing table definitions and configuring deferred deletion in the Designer, see the One Identity Manager Configuration Guide.

Managing memberships in Azure Active Directory groups

Azure Active Directory user accounts can be grouped into Azure Active Directory groups that can be used to regulate access to resources.

In One Identity Manager, you can assign Azure Active Directory groups directly to user accounts or they can be inherited through departments, cost centers, locations, or business roles. Users can also request the groups through the Web Portal. To do this, groups are provided in the IT Shop.

NOTE: Assignments to Azure Active Directory groups that are synchronized with the local Active Directory are not allowed in One Identity Manager. These groups cannot be requested through the web portal. You can only manage these groups in your locally. For more information, see the Azure Active Directory documentation from Microsoft.

Detailed information about this topic

Assigning Azure Active Directory groups to Azure Active Directory user accounts

Azure Active Directory groups can be assigned directly or indirectly to Azure Active Directory user accounts.

In the case of indirect assignment, identities and Azure Active Directory groups are assigned to hierarchical roles, such as departments, cost centers, locations, or business roles. The Azure Active Directory groups assigned to an identity are calculated from the position in the hierarchy and the direction of inheritance. If you add an identity to roles and that identity owns an Azure Active Directory user account, the Azure Active Directory user account is added to the Azure Active Directory group.

Furthermore, Azure Active Directory groups can be requested through the Web Portal. To do this, add identities to a shop as customers. All Azure Active Directory groups are assigned to this shop can be requested by the customers. Requested Azure Active Directory groups are assigned to the identities after approval is granted.

Through system roles, Azure Active Directory groups can be grouped together and assigned to identities and workdesks as a package. You can create system roles that contain only Azure Active Directory groups. You can also group any number of company resources into a system role.

To react quickly to special requests, you can assign Azure Active Directory groups directly to Azure Active Directory user accounts.

For more information see the following guides:

Topic

Guide

Basic principles for assigning and inheriting company resources

One Identity Manager Identity Management Base Module Administration Guide

One Identity Manager Business Roles Administration Guide

Assigning company resources through IT Shop requests

One Identity Manager IT Shop Administration Guide

System roles

One Identity Manager System Roles Administration Guide

Detailed information about this topic

Prerequisites for indirect assignment of Azure Active Directory groups to Azure Active Directory user accounts

In the case of indirect assignment, identities and Azure Active Directory groups are assigned to hierarchical roles, such as departments, cost centers, locations, or business roles. When assigning Azure Active Directory groups indirectly, check the following settings and modify them if necessary:

  1. Assignment of identities and Azure Active Directory groups is permitted for role classes (departments, cost centers, locations, or business roles).

    For more information, see the One Identity Manager Identity Management Base Module Administration Guide.

  2. Settings for assigning Azure Active Directory groups to Azure Active Directory user accounts.

    • The Azure Active Directory user account is linked to an identity.

    • The Azure Active Directory user account has the Groups can be inherited option set.

NOTE: There are other configuration settings that play a role when company resources are inherited through departments, cost centers, locations, and business roles. For example, role inheritance might be blocked or inheritance of identities not allowed. For more detailed information about the basic principles for assigning company resources, see the One Identity Manager Identity Management Base Module Administration Guide.

Related topics
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating