
Active Roles 8.2.1 - Administration Guide


Viewing or modifying the Azure tenant type

Use the Active Roles Configuration Center to view or modify the tenant type of an existing Azure tenant. This is useful if you need to change the default domain settings of an Azure tenant due to an IT or organizational change.

NOTE: Consider the following limitations when modifying the properties of the selected Azure tenant:

  • If you set the tenant type of your Azure tenant to Federated Domain or Synchronized Identity Domain, then the Azure properties fields of the objects (Azure users, Azure guest users, groups and contacts) in the Azure tenant will be disabled and cannot be edited in the Active Roles Web Interface.

  • You cannot modify the Tenant name, Tenant ID, Tenant Environment Type and authentication settings of the Azure tenant.

To view or modify the Azure tenant properties

  1. In the Active Roles Configuration Center, on the left pane, click Azure AD Configuration.

    The list of existing Azure tenants appears.

  2. Select the Azure tenant you want to view or modify, then click Modify.

    The Tenant details window appears.

  3. (Optional) To change the Tenant type of the Azure tenant, select the applicable type from the drop-down list.

    • Non-Federated Domain: When selected, on-premises domains are not registered in Azure AD, and Azure AD Connect is not configured. Azure users and Azure guest users are typically created with the onmicrosoft.com UPN suffix.

    • Federated Domain: On-premises domains are registered in Azure AD and Azure AD Connect. Also, Active Directory Federation Services (ADFS) is configured. Azure users and Azure guest users are typically created with the UPN suffix of the selected on-premises domain.

    • Synchronized Identity Domain: On-premises domains may or may not be registered in Azure AD. Azure AD Connect is configured. Azure users and Azure guest users can be created either with the selected on-premises domain, or with the onmicrosoft.com UPN suffix.

  4. (Optional) To enable, disable or modify the provisioned OneDrive storage of the Azure tenant, select or clear Enable OneDrive and, when it is selected, configure the SharePoint and OneDrive settings listed in the Tenant details window. For more information on configuring OneDrive storage in an Azure tenant, see Enabling OneDrive in an Azure tenant.

  5. To close the Tenant details window without any changes, click Cancel. To apply your changes, click Save.

Enabling OneDrive in an Azure tenant

You can enable OneDrive in your consented Azure tenant(s) for cloud-only and hybrid Azure users in the Azure AD Configuration > Tenant details window of the Active Roles Configuration Center.

To enable OneDrive in an Azure tenant, you must:

  1. Configure a SharePoint App-Only for authentication.

  2. Specify the required application permissions for the configured SharePoint App-Only.

  3. Specify the SharePoint admin site URL of your Azure tenant.

  4. Configure the default size of the OneDrive storage provisioned for Azure users in the Azure tenant.

For the detailed procedure, see Configuring OneDrive for an Azure tenant.

NOTE: Once OneDrive is enabled, consider the following limitations:

  • Active Roles supports creating OneDrive storage for new cloud-only and hybrid Azure users only if OneDrive is pre-provisioned in your organization. For more information, see Pre-provision OneDrive for users in your organization in the Microsoft SharePoint documentation.

  • When creating new cloud-only Azure users with OneDrive storage in the Active Roles Web Interface, make sure that the General > Allow user to sign in and access services setting is selected. Otherwise, Active Roles will not provision and create the OneDrive storage of the new Azure user. For more information on creating a new cloud-only Azure user in the Active Roles Web Interface, see Creating a new cloud-only Azure user in the Active Roles Web Interface User Guide.

  • The OneDrive admin site URL and OneDrive storage default size (in GB) settings of the Tenant details window are applicable to cloud-only Azure users only, and do not affect OneDrive provisioning for hybrid users in your Azure tenant. To configure the OneDrive admin site URL and the default OneDrive storage size for hybrid users, you must set these settings in the Active Roles Console (also known as the MMC Interface) by configuring an O365 and Azure Tenant Selection policy for your Azure tenant, after configuring OneDrive in the Active Roles Configuration Center. For more information, see Configuring an O365 and Azure Tenant Selection policy.

Prerequisites of enabling OneDrive in an Azure tenant

Before configuring OneDrive for an Azure tenant in the Active Roles Configuration Center, make sure that the Azure tenant meets the following conditions:

  • The Azure tenant has the Sites.FullControl.All SharePoint application permission. Active Roles automatically configures this permission when consenting Active Roles as an Azure application for a newly-configured Azure tenant.

    However, if the Azure tenant for which you want to enable OneDrive has already been used in an Active Roles version earlier than Active Roles 7.5, you must add the Sites.FullControl.All SharePoint application permission manually for Active Roles in the Azure tenant. Failure to do so will result in an error in the Tenant Details window of the Active Roles Configuration Center when testing the configured SharePoint credentials.

    For more information, see Checking and adding the Sites.FullControl.All permission for Active Roles.

Checking and adding the Sites.FullControl.All permission for Active Roles

If the Azure tenant for which you want to enable OneDrive has already been used in an Active Roles version earlier than Active Roles 7.5, you must add the Sites.FullControl.All SharePoint application permission manually for Active Roles in the Azure tenant. Failure to do so will result in an error in the Tenant Details window of the Active Roles Configuration Center when testing the configured SharePoint credentials.

To check that Active Roles has the Sites.FullControl.All application permission in an Azure tenant

  1. Log in to Azure Portal.

  2. Open the Azure tenant of your organization by clicking Azure AD on the main screen.

  3. To open the list of applications registered for your Azure tenant, navigate to Manage > App registrations.

  4. Select your Active Roles deployment either by finding it in the All applications or Owned applications list, or by searching for it in the search bar.

  5. To open the list of API permissions, navigate to Manage > API permissions.

  6. Check that the Sites.FullControl.All permission is listed under the API / Permissions name > SharePoint heading.

    Figure 152: List of configured permissions under Azure AD > Manage > API Permissions of Azure Portal

If Sites.FullControl.All is not listed, add it to Active Roles in the Azure tenant by completing the next procedure.

To add the Sites.FullControl.All application permission to Active Roles in an Azure tenant

  1. In the Configured permissions list (available under Manage > API permissions) click Add a permission.

    The list of available API permissions will appear on the right side of the screen under Request API permissions.

  2. In the list of available API permissions, click SharePoint.

  3. Click Application permissions.

  4. Under Select permissions > Sites, select Sites.FullControl.All and click Add permissions.

  5. To apply your changes, select Sites.FullControl.All under Configured permissions and click Grant admin consent for <azure-tenant-name>.
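
The portal check and the admin-consent step above can also be verified from a script. The following is an added example, not part of the Active Roles documentation or product: it uses the Microsoft Graph PowerShell module to confirm that the Active Roles app registration holds a consented Sites.FullControl.All application permission on SharePoint. The $ActiveRolesAppId parameter and the script itself are assumptions; supply the application (client) ID shown for your Active Roles deployment under App registrations.

```powershell
# Added example (not Active Roles code). Requires the Microsoft.Graph module.
param(
    # Assumption: application (client) ID of your Active Roles app registration.
    [Parameter(Mandatory)]
    [string] $ActiveRolesAppId
)

# Well-known application ID of the Office 365 SharePoint Online resource.
$SharePointAppId = '00000003-0000-0ff1-ce00-000000000000'
$PermissionName  = 'Sites.FullControl.All'

# Read-only scope: enough to list service principals and their role assignments.
Connect-MgGraph -Scopes 'Application.Read.All'

$sharePoint  = Get-MgServicePrincipal -Filter "appId eq '$SharePointAppId'"
$activeRoles = Get-MgServicePrincipal -Filter "appId eq '$ActiveRolesAppId'"

if (-not $sharePoint)  { throw 'SharePoint service principal not found in this tenant.' }
if (-not $activeRoles) { throw "No service principal found for appId $ActiveRolesAppId." }

# Resolve the permission name to its app role ID instead of hard-coding the GUID.
$role = $sharePoint.AppRoles | Where-Object {
    $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'
}
if (-not $role) { throw "$PermissionName is not published by the SharePoint resource." }

# An app role assignment exists only after admin consent has been granted,
# so this distinguishes "listed under Configured permissions" from "consented".
$assignment = Get-MgServicePrincipalAppRoleAssignment `
        -ServicePrincipalId $activeRoles.Id -All |
    Where-Object { $_.ResourceId -eq $sharePoint.Id -and $_.AppRoleId -eq $role.Id }

if ($assignment) {
    Write-Output "$PermissionName is granted to '$($activeRoles.DisplayName)'."
}
else {
    Write-Warning "$PermissionName is NOT granted to '$($activeRoles.DisplayName)'. Add the permission and grant admin consent."
}

# List every other application permission the same identity holds, for review.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $activeRoles.Id -All |
    Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime
```

The final listing is useful when reviewing the service principal, because Sites.FullControl.All gives the application full control of all site collections in the tenant.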
