Identity Manager 8.1.5 - Administration Guide for Connecting to Azure Active Directory

Editing master data for Azure Active Directory groups

Groups are loaded into One Identity Manager by synchronization. You can create new security groups in One Identity Manager; groups of other types can only be edited, not created, and which data can be edited depends on the group type.

To edit group master data

  1. In the Manager, select the Azure Active Directory | Groups category.

  2. Select the group in the result list and run the Change master data task.

  3. On the master data form, edit the master data for the group.

  4. Save the changes.

General master data for an Azure Active Directory group

Enter the following data on the General tab.

Table 30: General master data
Property Description

Display name

The display name is used to display the group in the One Identity Manager tools user interface.

Tenant

The group's tenant.

Alias

Email alias for the group.

Email address

Group's email address

Proxy addresses

Other email addresses for the group. In addition to the standard address types (SMTP, X400), you can also add addresses for other mail connectors (for example, CCMail, MS).

Use the following syntax to set up other proxy addresses:

Address type: new email address

Group type

Specifies the group's type. The value is Unified for Office 365 groups and empty for security and distribution groups. For dynamic groups, the value is DynamicMembership.

Security group

Specifies whether this group is a security group. Resource permissions are distributed through security groups. User accounts and other groups are added to security groups, which makes administration easier.

Mail-enabled

Specifies whether email is enabled for the group. If this option is set for a security group, it is a mail-enabled security group. Otherwise, it is a distribution group.

IT Shop

Specifies whether the group can be requested through the IT Shop. If this option is set, employees can request the group through the Web Portal and it is distributed with a defined approval process. The group can still be assigned directly to hierarchical roles.

Only for use in IT Shop

Specifies whether the group can only be requested through the IT Shop. If this option is set, employees can request the group through the Web Portal and it is distributed with a defined approval process. Direct assignment of the group to hierarchical roles or user accounts is not permitted.

Service item

Service item data for requesting the group through the IT Shop.

Risk index

Value for evaluating the risk of assigning the group to user accounts. Enter a value between 0 and 1. This input field is only visible if the QER | CalculateRiskIndex configuration parameter is activated.

For more detailed information about risk assessment, see the One Identity Manager Risk Assessment Administration Guide.

Category

Categories for group inheritance. Groups can be selectively inherited by user accounts. To do this, groups and user accounts are divided into categories. Select one or more categories from the menu.

Description

Text field for additional explanation.
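The Proxy addresses row above gives the entry syntax Address type: new email address. The following Python script is added here as an illustration and is not part of One Identity Manager or this guide. It parses a list of such entries before they are entered on the form and rejects entries that have no address type, an address type outside an assumed accepted set (SMTP, X400, CCMail and MS, taken from the examples in the table), an empty address, a malformed SMTP address, or a duplicate of an earlier entry. The accepted-type set, the simple SMTP address pattern and the sample entries are all assumptions of this example.

```python
import re

# Address types named on the page: the standard SMTP/X400 plus other mail
# connectors such as CCMail and MS. Treating this as the complete accepted set
# is an assumption of this example, not a rule from the guide.
KNOWN_ADDRESS_TYPES = {"SMTP", "X400", "CCMAIL", "MS"}

# Deliberately simple local@domain check (assumption; not an RFC 5322 validator).
_SMTP_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")


def parse_proxy_address(entry):
    """Split one 'Address type: new email address' entry into (type, address).

    The address type is normalised to upper case. Raises ValueError for entries
    that do not follow the syntax.
    """
    if ":" not in entry:
        raise ValueError(f"missing address type separator ':' in {entry!r}")
    addr_type, address = entry.split(":", 1)
    addr_type = addr_type.strip().upper()
    address = address.strip()
    if not addr_type:
        raise ValueError(f"empty address type in {entry!r}")
    if addr_type not in KNOWN_ADDRESS_TYPES:
        raise ValueError(f"unknown address type {addr_type!r} in {entry!r}")
    if not address:
        raise ValueError(f"empty address in {entry!r}")
    if addr_type == "SMTP" and not _SMTP_RE.match(address):
        raise ValueError(f"malformed SMTP address {address!r}")
    return addr_type, address


def validate_proxy_addresses(entries):
    """Parse all proxy address entries for one group.

    Returns (accepted, problems): accepted is a list of (type, address) tuples
    in input order; problems is a list of human-readable strings. An entry that
    repeats an earlier (type, address) pair, compared case-insensitively on the
    address, is reported as a problem and not accepted a second time.
    """
    accepted = []
    problems = []
    seen = set()
    for entry in entries:
        try:
            addr_type, address = parse_proxy_address(entry)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        key = (addr_type, address.lower())
        if key in seen:
            problems.append(f"duplicate proxy address {addr_type}:{address}")
            continue
        seen.add(key)
        accepted.append((addr_type, address))
    return accepted, problems


# Constructed sample entries for illustration (not taken from a real tenant).
SAMPLE_ENTRIES = [
    "SMTP: sales@example.com",
    "smtp:Sales@EXAMPLE.com",                     # duplicate of the first, differs only in case
    "X400: c=US;a= ;p=Example;o=Exchange;s=Sales",
    "CCMail: Sales at Example",
    "sales@example.com",                          # no address type
    "SMTP: not-an-address",                       # malformed SMTP address
    "FAX: +1 555 0100",                           # type outside the assumed accepted set
]

if __name__ == "__main__":
    ok, bad = validate_proxy_addresses(SAMPLE_ENTRIES)
    for addr_type, address in ok:
        print(f"accepted {addr_type}:{address}")
    for problem in bad:
        print(f"rejected: {problem}")
```

Checking entries this way before they reach the form matters because every proxy address on a mail-enabled group is an address at which that group receives mail: a mistyped or duplicated entry changes where mail is delivered without any further warning from the directory.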

Information about local Active Directory groups

The Federation tab shows information about the local Active Directory group that is linked to the Azure Active Directory group.

Table 31: Local Active Directory group data
Property Description

Synchronization with local Active Directory enabled

Specifies whether synchronization with a local Active Directory is enabled.

Last synchronization

Time of the last Azure Active Directory group synchronization with the local Active Directory.

SID of local group

Security ID of the local Active Directory group.

Assigning Azure Active Directory groups to Azure Active Directory user accounts

Groups can be assigned directly or indirectly to user accounts. In the case of indirect assignment, employees and groups are assigned to hierarchical roles, such as departments, cost centers, locations, or business roles. The groups assigned to an employee are calculated from the employee's position in the hierarchy and the direction of inheritance.

If you add an employee to roles and that employee has a user account, the user account is added to the groups. Prerequisites for the indirect assignment of groups to user accounts include:

  • Assignment of employees and groups is permitted for role classes (departments, cost centers, locations, or business roles).
  • User accounts are marked with the Groups can be inherited option.

Groups can also be assigned to employees through IT Shop requests. So that groups can be assigned using IT Shop requests, employees are added to a shop as customers. All groups assigned to this shop can be requested by the customers. Requested groups are assigned to the employees after approval is granted.
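The following Python script, added here as an illustration and not code from One Identity Manager or this guide, shows how the effective groups of an employee's user accounts follow from the rules described above: groups assigned to hierarchical roles reach a user account only when the role class permits assignment of employees and groups and the account is marked with the Groups can be inherited option, while directly assigned groups are kept regardless. The role hierarchy, the group assignments, the employee and the choice of top-down inheritance for every role class are constructed assumptions of this example; in a real installation the direction of inheritance is configured per role class and can also be bottom-up, which the script supports as well.

```python
from dataclasses import dataclass, field

# ---- Constructed sample data (assumptions of this example, not a real tenant) ----

# Hierarchical roles keyed by (role class, name). The value is the name of the
# parent role in the same class, or None for a top-level role.
ROLE_PARENT = {
    ("Department", "Company"): None,
    ("Department", "Sales"): "Company",
    ("Department", "Sales EMEA"): "Sales",
    ("Location", "Berlin"): None,
}

# Azure AD groups assigned to roles.
ROLE_GROUPS = {
    ("Department", "Company"): {"All Staff"},
    ("Department", "Sales"): {"Sales Team"},
    ("Department", "Sales EMEA"): {"Sales EMEA Deals"},
    ("Location", "Berlin"): {"Berlin Office"},
}

# Prerequisite 1: role classes for which assigning employees and groups is permitted.
ASSIGNMENT_PERMITTED = {"Department"}

# Direction of inheritance per role class (assumed values). "top-down": a role
# inherits the groups of its ancestors; "bottom-up": a role inherits the groups
# of its descendants.
INHERITANCE = {"Department": "top-down", "Location": "top-down"}


@dataclass
class UserAccount:
    name: str
    groups_can_be_inherited: bool                    # prerequisite 2
    direct_groups: set = field(default_factory=set)  # assigned directly, not via roles


@dataclass
class Employee:
    name: str
    roles: set      # role keys the employee is assigned to
    accounts: list  # UserAccount objects owned by the employee


def _ancestors(role):
    """Roles above `role` in its class, nearest first."""
    role_class, _ = role
    out = []
    parent = ROLE_PARENT.get(role)
    while parent is not None:
        key = (role_class, parent)
        out.append(key)
        parent = ROLE_PARENT.get(key)
    return out


def _descendants(role):
    """All roles below `role` in its class."""
    role_class, name = role
    out = []
    stack = [name]
    while stack:
        current = stack.pop()
        for (cls, child), parent in ROLE_PARENT.items():
            if cls == role_class and parent == current:
                out.append((cls, child))
                stack.append(child)
    return out


def groups_for_role(role):
    """Groups a role carries: its own plus those inherited along the configured direction."""
    related = _ancestors(role) if INHERITANCE[role[0]] == "top-down" else _descendants(role)
    groups = set(ROLE_GROUPS.get(role, set()))
    for other in related:
        groups |= ROLE_GROUPS.get(other, set())
    return groups


def effective_groups(employee):
    """Return {account name: set of groups} for each of the employee's user accounts.

    Role-based groups reach an account only when both prerequisites hold; direct
    assignments are always kept.
    """
    result = {}
    for account in employee.accounts:
        groups = set(account.direct_groups)
        if account.groups_can_be_inherited:
            for role in employee.roles:
                if role[0] in ASSIGNMENT_PERMITTED:
                    groups |= groups_for_role(role)
        result[account.name] = groups
    return result


# Constructed employee with a user account in each of two tenants.
SAMPLE_EMPLOYEE = Employee(
    name="Alice",
    roles={("Department", "Sales EMEA"), ("Location", "Berlin")},
    accounts=[
        UserAccount("alice@corp.example", groups_can_be_inherited=True),
        UserAccount("alice@lab.example", groups_can_be_inherited=False,
                    direct_groups={"Lab Admins"}),
    ],
)

if __name__ == "__main__":
    for account_name, groups in effective_groups(SAMPLE_EMPLOYEE).items():
        print(account_name, sorted(groups))
```

Running the script shows the two prerequisites at work: the corporate account receives Sales EMEA Deals, Sales Team and All Staff through the department chain but not Berlin Office, because the Location role class does not permit assignment, and the lab account keeps only its directly assigned group because inheritance is switched off for it.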
