
Identity Manager 8.1.5 - Administration Guide for Connecting to Exchange Online


Assigning account definitions to a target system

The following prerequisites must be met for the automatic assignment of user accounts to employees to result in managed user accounts (Linked configured state):

  • The account definition is assigned to the target system.

  • The account definition has the default manage level.

User accounts are only linked to the employee (Linked state) if no account definition is given. This is the case on initial synchronization, for example.

To assign the account definition to a target system

  1. In the Manager, select the tenant in the Azure Active Directory | Tenants category.

  2. Select the Change master data task.
  3. From the Account definition (initial) menu, select the account definition for user accounts.

  4. From the E-mail contact definition (initial) menu, select the account definition for email contacts.

  5. From the E-mail user definition (initial) menu, select the account definition for email users.

  6. Save the changes.

Deleting an account definition

You can delete account definitions if they are not assigned to target systems, employees, hierarchical roles or any other account definitions.

To delete an account definition

  1. Remove automatic assignments of the account definition from all employees.
    1. In the Manager, select the Azure Active Directory | Basic configuration data | Account definitions | Account definitions category.

    2. Select an account definition in the result list.

    3. Select the Change master data task.

    4. On the General tab, disable the Automatic assignment to employees option.

    5. Save the changes.

  2. Remove direct assignments of the account definition to employees.
    1. In the Manager, select the Azure Active Directory | Basic configuration data | Account definitions | Account definitions category.

    2. Select an account definition in the result list.

    3. Select the Assign to employees task.

    4. In the Remove assignments pane, remove the employees.

    5. Save the changes.

  3. Remove the account definition's assignments to departments, cost centers, and locations.
    1. In the Manager, select the Azure Active Directory | Basic configuration data | Account definitions | Account definitions category.

    2. Select an account definition in the result list.

    3. Select the Assign organizations task.

    4. In the Remove assignments pane, remove the relevant departments, cost centers, and locations.

    5. Save the changes.

  4. Remove the account definition's assignments to business roles.
    1. In the Manager, select the Azure Active Directory | Basic configuration data | Account definitions | Account definitions category.

    2. Select an account definition in the result list.

    3. Select the Assign business roles task.

    4. In the Remove assignments pane, remove the business roles.

    5. Save the changes.

  5. If the account definition was requested through the IT Shop, it must be canceled and removed from all IT Shop shelves.

    For more detailed information about unsubscribing requests, see the One Identity Manager Web Portal User Guide.

    To remove an account definition from all IT Shop shelves

    1. In the Manager, select Azure Active Directory | Basic configuration data | Account definitions | Account definitions (non role-based login) category.

      - OR -

      In the Manager, select Entitlements | Account definitions (role-based login) category.

    2. Select an account definition in the result list.
    3. Select the Remove from all shelves (IT Shop) task.
    4. Confirm the security prompt with Yes.
    5. Click OK.

      The account definition is removed from all shelves by the One Identity Manager Service. At the same time, any requests and assignment requests with this account definition are canceled.

  6. Remove the account definition from the Required account definition of every other account definition that references it. As long as another account definition requires it, it cannot be deleted, so check all account definitions.
    1. In the Manager, select the Azure Active Directory | Basic configuration data | Account definitions | Account definitions category.

    2. Select an account definition in the result list.

    3. Select the Change master data task.

    4. From the Required account definition menu, remove the account definition.

    5. Save the changes.

  7. Remove the account definition's assignments to target systems.
    1. In the Manager, select the tenant in the Azure Active Directory | Tenants category.

    2. Select the Change master data task.
    3. On the General tab, remove the assigned account definitions.

    4. Save the changes.

  8. Delete the account definition.
    1. In the Manager, select the Azure Active Directory | Basic configuration data | Account definitions | Account definitions category.

    2. Select an account definition in the result list.

    3. Click the delete button to delete the account definition.

Target system managers

A default application role exists for the target system manager in One Identity Manager. Assign the employees who are authorized to edit all Exchange Online objects in One Identity Manager to this application role.

Define additional application roles if you want to limit the edit permissions for target system managers to individual Exchange Online objects. The application roles must be added under the default application role.

For detailed information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.

Implementing application roles for target system managers
  1. The One Identity Manager administrator allocates employees to be target system administrators.

  2. These target system administrators add employees to the default application role for target system managers.

    Target system managers with the default application role are authorized to edit all the Exchange Online objects in One Identity Manager.

  3. Target system managers can authorize other employees within their area of responsibility as target system managers and if necessary, create additional child application roles and assign these to individual tenants.

Table 12: Default application roles for target system managers

User: Target system managers

Tasks:

Target system managers must be assigned to the Target systems | Exchange Online application role or a child application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects like user accounts or groups.

  • Edit password policies for the target system.

  • Prepare groups to add to the IT Shop.

  • Can add employees who have an identity other than the primary identity.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

To initially specify employees to be target system administrators

  1. Log in to the Manager as a One Identity Manager administrator (Base role | Administrators application role).
  2. Select the One Identity Manager Administration | Target systems | Administrators category.
  3. Select the Assign employees task.
  4. Assign the employee you want and save the changes.

To add the first employees to the default application role as target system managers

  1. Log in to the Manager as a target system administrator (Target systems | Administrators application role).

  2. Select the One Identity Manager Administration | Target systems | Exchange Online category.

  3. Select the Assign employees task.

  4. Assign the employees you want and save the changes.

To authorize other employees as target system managers when you are a target system manager

  1. Log in to the Manager as a target system manager.

  2. Select the application role in the Azure Active Directory | Basic configuration data | Target system managers category.

  3. Select the Assign employees task.

  4. Assign the employees you want and save the changes.

To specify target system managers for individual tenants

  1. Log in to the Manager as a target system manager.

  2. Select the Azure Active Directory | Tenants category.

  3. Select the tenant in the result list.

  4. Select the Change master data task.

  5. On the General tab, select the application role in the Target system manager (Exchange Online) menu.

    - OR -

    Next to the Target system manager (Exchange Online) menu, click the button to create a new application role.

    1. Enter the application role name and assign the Target systems | Exchange Online parent application role.

    2. Click OK to add the new application role.

  6. Save the changes.
  7. Assign employees to this application role who are permitted to edit the tenant in One Identity Manager.
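The delegation model described in this section (one default application role that covers every tenant, child roles scoped to individual tenants, and managers who may only authorize others within their own area of responsibility) can be made concrete with a small authorization model. The following Python code is an added example for this guide, not One Identity Manager code or its API: the role, tenant and employee names and all function names are constructed for illustration, and the model encodes only the rules stated above.

```python
"""Authorization model for Exchange Online target system manager roles.

Added example, not One Identity Manager code. Role, tenant and employee
names are constructed; the functions encode only the rules the guide
states: members of the default role edit every tenant, members of a child
role edit only the tenants that reference that role (or one of its child
roles), and a manager can only authorize others within their own area of
responsibility.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator


@dataclass
class AppRole:
    name: str
    parent: AppRole | None = None
    is_default: bool = False          # the "Target systems | Exchange Online" role
    members: set[str] = field(default_factory=set)

    def lineage(self) -> Iterator[AppRole]:
        """Yield this role, then its parent, its grandparent, and so on."""
        role: AppRole | None = self
        while role is not None:
            yield role
            role = role.parent


@dataclass
class Tenant:
    name: str
    manager_role: AppRole             # "Target system manager (Exchange Online)" on the tenant


def holds_role_or_ancestor(employee: str, role: AppRole) -> bool:
    """True if the employee is a member of `role` or of any role above it."""
    return any(employee in r.members for r in role.lineage())


def can_edit_tenant(employee: str, tenant: Tenant) -> bool:
    """Editing a tenant requires the role assigned to it or an ancestor of that
    role; the default role sits at the top, so its members edit every tenant."""
    return holds_role_or_ancestor(employee, tenant.manager_role)


def can_authorize(actor: str, role: AppRole) -> bool:
    """A manager may assign employees only to roles within their own area of
    responsibility: the role they hold or one of its child roles."""
    return holds_role_or_ancestor(actor, role)


def add_manager(actor: str, role: AppRole, employee: str) -> None:
    """Assign an employee to a role, enforcing the delegation rule."""
    if not can_authorize(actor, role):
        raise PermissionError(f"{actor} may not assign members to {role.name!r}")
    role.members.add(employee)


def create_child_role(actor: str, name: str, parent: AppRole) -> AppRole:
    """Child roles must be added under the default role and may only be created
    by someone responsible for the parent role."""
    if not any(r.is_default for r in parent.lineage()):
        raise ValueError(f"{parent.name!r} is not under the default application role")
    if not can_authorize(actor, parent):
        raise PermissionError(f"{actor} may not create roles under {parent.name!r}")
    return AppRole(name, parent=parent)


def build_scenario() -> tuple[dict[str, AppRole], dict[str, Tenant]]:
    """Constructed scenario: alice holds the default role (assigned by a target
    system administrator); she creates a child role for one tenant and makes
    bob a manager there. A second tenant keeps the default role."""
    default = AppRole("Target systems | Exchange Online", is_default=True)
    default.members.add("alice")
    contoso_role = create_child_role("alice", "Exchange Online | Contoso", default)
    add_manager("alice", contoso_role, "bob")
    roles = {"default": default, "contoso": contoso_role}
    tenants = {
        "contoso": Tenant("contoso.onmicrosoft.com", contoso_role),
        "fabrikam": Tenant("fabrikam.onmicrosoft.com", default),
    }
    return roles, tenants


if __name__ == "__main__":
    roles, tenants = build_scenario()
    for who in ("alice", "bob"):
        for tenant in tenants.values():
            print(f"{who} can edit {tenant.name}: {can_edit_tenant(who, tenant)}")
    # bob is scoped to the Contoso tenant, so he cannot add anyone to the default role
    try:
        add_manager("bob", roles["default"], "mallory")
    except PermissionError as exc:
        print(exc)
```

The point of the model is the direction of the checks: a tenant grants edit rights to the role assigned to it and to every role above that role, while a manager can only assign members to the role they hold and to roles below it. A member of a child role therefore never gains rights on tenants that are bound to the default role, and cannot promote anyone into the default role.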


Configuration parameters for managing an Exchange Online environment

The following configuration parameters are additionally available in One Identity Manager after the module has been installed.

Table 13: Configuration parameters for managing an Exchange Online environment

Configuration parameter: TargetSystem | AzureAD | ExchangeOnline
Meaning: Preprocessor-relevant configuration parameter for controlling the database model components for administering the Exchange Online target system. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled.

Configuration parameter: TargetSystem | AzureAD | ExchangeOnline | Accounts
Meaning: Permits configuration of recipient data.

Configuration parameter: TargetSystem | AzureAD | ExchangeOnline | Accounts | MailTemplateDefaultValues
Meaning: Contains the mail template used to send notifications when default IT operating data mapping values are used to create a user account automatically. The Employee - new user account with default properties created mail template is used.

Configuration parameter: TargetSystem | AzureAD | ExchangeOnline | DefaultAddress
Meaning: Contains the default recipient email address for notifications about actions in the target system.

Configuration parameter: TargetSystem | AzureAD | ExchangeOnline | MaxFullsyncDuration
Meaning: Contains the maximum runtime for synchronization. While synchronization is running within this time, the DBQueue Processor does not recalculate group memberships. If the maximum runtime is exceeded, group memberships are recalculated.
