An Azure role can be assigned directly to an AAD security principal (a user, a group or a service principal).
To assign Azure Role directly to the AAD User
- In One Identity Manager, navigate to Azure Active Directory.
- Select the User account to which the Azure role must be assigned.
- Select Azure Role Assignment from Tasks.
- To add the Role, select the role scope mapping from the Add assignments list.
- Save the changes.
To assign Azure Role directly to the AAD Group
- In One Identity Manager, navigate to Azure Active Directory.
- Select the Group to which the Azure role must be assigned.
- Select Azure Role Assignment from Tasks.
- To add the Role, click Add in the form.
- Select the Role Scope mapping from the dropdown list.
- To add a new Role Scope mapping, click the ‘+’ button.
- Click the Add new dynamic key button.
- Select the Scope from Table and the item from the scope as required.
- Click Ok.
- Save the changes.
To assign Azure Role directly to the AAD Service Principal
- In One Identity Manager, navigate to Azure Active Directory.
- Select the Service Principal to which the Azure role must be assigned.
- Select Azure Role Assignment from Tasks.
- To add the Role, click Add in the form.
- Select the Role Scope mapping from the dropdown list.
- To add a new Role Scope mapping, click the ‘+’ button.
- Click the Add new dynamic key button.
- Select the Scope from Table and the item from the scope as required.
- Click Ok.
- Save the changes.
To add a new Role Scope Mapping
A new Role Scope Mapping for role assignment can also be created from the Tenant node under Azure Cloud Access Governance in One Identity Manager.
- In One Identity Manager, navigate to Azure Cloud Access Governance.
- To view or add a Role Scope Mapping for a specific tenant, click Tenants.
- Expand the node of the tenant where you want to add the Role Scope Mapping.
- Select Role Scope Mapping.
- To add a new Role Scope mapping, click the ‘+’ button.
- Click the Add new dynamic key button.
- Select the Scope from Table and the item from the scope as required.
- Click Ok.
- Save the changes.
- To view or add Role Scope Mappings for all tenants, click the ‘Tenants’ node and follow the same procedure from step 4.
Assigning Azure Roles to the AAD Security Principal through ITShop
An Azure role can be assigned to an AAD security principal through ITShop. An employee with an Azure Active Directory account can raise a role assignment request for their own user account, for any AAD group, and for any AAD service principal belonging to the tenant.
Once the request is raised, the owner of the scope object for which the role assignment request was created (scope here refers to a management group, subscription, resource group or resource) approves the request.
If no owner is configured for the scope object, the approval request is sent to the owner of the parent scope object, and so on up the hierarchy; if none of the scope object owners are configured, the approval request goes to the Target System Manager.
The hierarchy for approval workflow is:
Resource Scope Owner -> Resource Group Scope Owner -> Subscription Scope Owner -> Management Group Scope Owner -> Parent Management Group Scope Owner -> Tenant Root Scope Owner -> Target System Manager.
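The approver lookup described above, as an added Python illustration (not One Identity Manager code): it walks an Azure Resource Manager scope path up through resource, resource group, subscription and management groups until a configured owner is found, and falls back to the Target System Manager. The owner table, the subscription-to-management-group map and the management-group parents are constructed sample data; the walk also steps through nested child resources (such as the DevTest Labs user path quoted in the troubleshooting section) to their parent resource, which generalizes the hierarchy as written.

```python
import re

TARGET_SYSTEM_MANAGER = "Target System Manager"  # last fallback in the hierarchy above

# Constructed sample data (not from a real tenant): owners keyed by lower-cased scope path,
# subscription -> management group membership, and management group -> parent group.
SCOPE_OWNERS = {
    "/subscriptions/sub-1/resourcegroups/rg-app": "rg-owner@example.com",
    "/providers/microsoft.management/managementgroups/tenant-root": "root-owner@example.com",
}
SUBSCRIPTION_MG = {"sub-1": "mg-prod", "sub-2": "tenant-root"}
MG_PARENT = {"mg-prod": "tenant-root"}  # the tenant root group has no parent

def parent_scope(scope):
    """Return the next scope up the hierarchy, or None above the tenant root."""
    s = scope.rstrip("/")
    if m := re.fullmatch(r"/providers/Microsoft\.Management/managementGroups/([^/]+)", s, re.I):
        parent = MG_PARENT.get(m.group(1))
        return f"/providers/Microsoft.Management/managementGroups/{parent}" if parent else None
    if m := re.fullmatch(r"/subscriptions/([^/]+)", s, re.I):
        mg = SUBSCRIPTION_MG.get(m.group(1))
        return f"/providers/Microsoft.Management/managementGroups/{mg}" if mg else None
    if m := re.fullmatch(r"(/subscriptions/[^/]+)/resourceGroups/[^/]+", s, re.I):
        return m.group(1)  # resource group -> subscription
    if m := re.fullmatch(r"(/subscriptions/[^/]+/resourceGroups/[^/]+)/providers/(.+)", s, re.I):
        parts = m.group(2).split("/")  # <namespace>/<type>/<name>[/<childType>/<childName>...]
        if len(parts) > 3:
            return f"{m.group(1)}/providers/" + "/".join(parts[:-2])  # child -> parent resource
        return m.group(1)  # top-level resource -> resource group
    raise ValueError(f"unrecognised scope: {scope}")

def resolve_approver(scope):
    """Walk up from the requested scope until a configured owner is found.

    Returns (approver, scope whose owner approves) or (TARGET_SYSTEM_MANAGER, None)."""
    current = scope
    while current is not None:
        owner = SCOPE_OWNERS.get(current.lower())
        if owner:
            return owner, current
        current = parent_scope(current)
    return TARGET_SYSTEM_MANAGER, None

if __name__ == "__main__":
    print(resolve_approver("/subscriptions/sub-1/resourceGroups/rg-app/providers/Microsoft.Web/sites/web1"))
    print(resolve_approver("/subscriptions/sub-1/resourceGroups/rg-other"))
    print(resolve_approver("/subscriptions/sub-3"))
```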
To assign Azure Role to the AAD Security Principal through ITShop
- Log in to the ITShop portal.
- Add a new request.
- Request one of the following products from ITShop and add it to the cart:
- Azure Infrastructure Azure AD Group Role Assignment
- Azure Infrastructure Azure AD Service Principal Role Assignment
- Azure Infrastructure Azure AD User Role Assignment
- Enter the required values:
- AAD Organization Name, AAD Group/Service Principal/User Name, Azure Scope, Azure Roles
- Click Submit.
- Once the approver has approved the request, the role assignment is carried out.
Remove Azure Roles directly from AAD Security Principal
Azure role assignments can be removed for an AAD user, an AAD group or an AAD service principal. Using One Identity Manager, role assignments made at Root Scope can also be removed.
To remove Azure Role from the AAD User
- In One Identity Manager, navigate to Azure Active Directory.
- Select the User account from which the Azure role must be removed.
- Select Azure Role Assignment from Tasks.
- To remove the Role Assignment, select the role scope mapping from the Remove Assignments list.
- Save the changes.
To remove Azure Role from the AAD Group
- In One Identity Manager, navigate to Azure Active Directory.
- Select the Group from which the Azure role must be removed.
- Select Azure Role Assignment from Tasks.
- To remove the Role Assignment, select the Azure Role Assignment to be removed from the list.
- Click Remove.
- Save the changes.
To remove Azure Role from AAD Service Principal
- In One Identity Manager, navigate to Azure Active Directory.
- Select the Service Principal from which the Azure role must be removed.
- Select Azure Role Assignment from Tasks.
- To remove the Role Assignment, select the Azure Role Assignment to be removed from the list.
- Click Remove.
- Save the changes.
Remove Azure Roles from AAD Security Principal through ITShop
To remove an Azure Role from an AAD Security Principal through ITShop
- Log in to the ITShop portal as the user who raised the ITShop request.
- Go to the request history.
- Click Details.
- Click Unsubscribe Product.
- Add a comment and save.
A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template, you must declare the synchronization base object in One Identity Manager.
Use a default project template for setting up the synchronization project initially. For custom implementations, you can extend the synchronization project with the Synchronization Editor. The following One Identity Manager tables are used for mapping.

One Identity Manager schema tables for Microsoft Azure

Table in the One Identity Manager Schema | Description
--- | ---
AzLocations | Azure Locations details
AzManagementGroups | Azure Management Groups details
AzResource | Azure Resources details
AzResourceGroups | Azure Resource Groups details
AzResourceTypes | Azure Resource types details
AzRoles | Azure Roles details
AzSubscriptions | Azure Subscription details
AzRoleAssignment | Azure Role Assignment to Scope details
AzGroupRoleAssignment | Azure Roles Assigned to a Group
AzSPRoleAssignment | Azure Roles Assigned to a Service Principal
AzUserRoleAssignment | Azure Roles Assigned to a User
AzRoleScopeMap | Azure Role’s scope definition
One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. You can generate the following reports for Microsoft Azure objects.
Table 13: Reports about Microsoft Azure objects
Report | Published for | Description
--- | --- | ---
CIM Azure RoleAssignments Overview By AADGroup | AAD Group | Get all Role Assignments for AADGroups including Role Assignments inherited through AAD Group Memberships
CIM Azure RoleAssignments Overview By AADServicePrincipal | AAD ServicePrincipal | Get all Role Assignments for AADServicePrincipals
CIM Azure RoleAssignments Overview By AADUser | AAD User | Get all Role Assignments for AADUsers including Role Assignments inherited through AAD Group Memberships
CIM Azure RoleAssignments Overview By AADUser AADGroup AADSP | AAD Organization | Get all Role Assignments for AADUsers, AADGroups and AADServicePrincipals. AADUser and AADGroup Role Assignments include Role Assignments inherited through AAD Group Memberships
CIM Azure RoleAssignments Overview By ManagementGroup | Azure Management Group | Report that provides an overview of direct Role assignments for Azure Management Groups as well as inherited role assignments.
CIM Azure RoleAssignments Overview By Resource | Azure Resource | Report that provides an overview of direct Role assignments for Azure Management Groups as well as inherited role assignments.
CIM Azure RoleAssignments Overview By ResourceGroup | Azure Resource Group | Report that provides an overview of direct Role Assignments for Azure Resource Groups as well as inherited role assignments.
CIM Azure Role Assignment Overview By Subscription | Azure Subscription | Report that provides an overview of direct Role Assignments for Azure Subscription Groups as well as inherited role assignments.
Troubleshooting issues related to the CIM module include:
- Synchronization issues - Check the synchronization logs for inconsistencies after the synchronization is complete. For more detail, view the logs of the Job server that is assigned to handle CIM module synchronizations.
- Provisioning / Synchronization has Forbidden errors in the logs - Make sure the Azure AD service principal configured in Starling Connect has Owner permissions at the Root Scope level.
- Issues related to throttling (HTTP 429 Too Many Requests) - Azure enforces throttling limits on requests for Azure objects. The connector automatically detects throttling and handles it. If you still receive the error “HTTP 429 Too Many Requests”, the requests have reached a limit and Azure cannot process further requests. In that case, contact Microsoft to increase the throttling limit.
- Synchronization failure - If the entire sync operation fails, set the reload threshold to 1, make sure the revision filter is enabled only for the Role and Role Assignment schema classes (Roles, RoleAssignment, GroupRoleAssignment, SPRoleAssignment and UserRoleAssignment), and re-run the sync operation. Also make sure the configured projector DLL is at least the minimum supported version:
“VI.Projector.dll” file version 9.1.337.2183 and product version 9.1 V91-207999
- Warning in sync logs - If the sync logs contain a warning like ‘Property (CIMAzRoleAsgn.vrtObjectScopeKey) was unable to resolve reference value(s) (/subscriptions/6296c692-fc26-4d7b-a089-0e71fb9ef4b4/resourcegroups/defaultresourcegroup-cus/providers/microsoft.devtestlab/labs/testlab5/users/4d0e351a-132d-4e90-91df-4151b2858720) for object (CN=subscriptions$$6296c692-fc26-4d7b-a089-0e71fb9ef4b4$$resourcegroups$$defaultresourcegroup-cus$$providers$$microsoft.devtestlab$$labs$$testlab5$$users$$4d0e351a132d-4e90-91df-4151b2858720$$providers$$Microsoft.Authorization$$roleAssignments$$62e9714e-f823-41fe-b530-ebac9f5463dd,O=RoleAssignments,DC=https://connect-supervisordev.cloud.oneidentity.com/tiny/v1/VYQKUGQFaJduFQAtBzEuauNwQS/scim)’, it means that Azure DevTest Labs are not synchronized as resources into One Identity Manager, while their role assignments are synchronized, which causes the warning. These assignments will not be synchronized.
- If the synchronization logs contain a warning or error like “Object reference not set to an instance of an object. on Initial Sync”, check the synchronization log for the error “URL is not wellformed.”. This is caused by umlaut characters, for example the letter o with umlaut (ö) from the German alphabet. Make sure that your installation folder contains the “VI.Projector.SCIM.Connector.dll” file with at least the following version: file version 9.1.337.2183 and product version 9.1 V91-207999.
- If the synchronization logs contain a warning or error like ‘Unable to cast object of type 'VI.Projector.Schema.Properties.SchemaPropertyJoin' to type 'VI.Projector.SCIM.Connector.ProjectorSCIMConnectorSchemaProperty'. System.InvalidCastException: Unable to cast object of type 'VI.Projector.Schema.Properties.SchemaPropertyJoin' to type 'VI.Projector.SCIM.Connector.ProjectorSCIMConnectorSchemaProperty'’, make sure that your installation folder contains the following DLLs with at least file version 9.1.332.1784:
- VI.Projector.SCIM.Connector.UI.dll
- VI.Projector.SCIM.Connector.dll
- VI.Projector.SCIM.Connector.Data.dll
Recommendations for synchronization project creation
- The revision filter in the synchronization project should be enabled only for the Role Assignment tables: Roles, RoleAssignment, GroupRoleAssignment, SPRoleAssignment and UserRoleAssignment.
- For projection to happen, write permissions on the synchronization project should be enabled only for the Role Assignment tables: Roles, RoleAssignment, GroupRoleAssignment, SPRoleAssignment and UserRoleAssignment.