A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template, you must declare the synchronization base object in One Identity Manager.
Use a default project template for setting up the synchronization project initially. For custom implementations, you can extend the synchronization project with the Synchronization Editor. The following One Identity Manager tables are used for mapping.

One Identity Manager schema tables for Microsoft Azure

| Table in the One Identity Manager Schema | Description |
| --- | --- |
| AzLocations | Azure Locations details |
| AzManagementGroups | Azure Management Groups details |
| AzResource | Azure Resources details |
| AzResourceGroups | Azure Resource Groups details |
| AzResourceTypes | Azure Resource types details |
| AzRoles | Azure Roles details |
| AzSubscriptions | Azure Subscription details |
| AzRoleAssignment | Azure Role Assignment to Scope details |
| AzGroupRoleAssignment | Azure Roles Assigned to a Group |
| AzSPRoleAssignment | Azure Roles Assigned to a Service Principal |
| AzUserRoleAssignment | Azure Roles Assigned to a User |
| AzRoleScopeMap | Azure Role's scope definition |
One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. You can generate the following reports for Microsoft Azure objects.
Table 13: Reports about Microsoft Azure objects

| Report | Published for | Description |
| --- | --- | --- |
| CIM Azure RoleAssignments Overview By AADGroup | AAD Group | Get all Role Assignments for AADGroups, including Role Assignments inherited through AAD Group Memberships |
| CIM Azure RoleAssignments Overview By AADServicePrincipal | AAD ServicePrincipal | Get all Role Assignments for AADServicePrincipals |
| CIM Azure RoleAssignments Overview By AADUser | AAD User | Get all Role Assignments for AADUsers, including Role Assignments inherited through AAD Group Memberships |
| CIM Azure RoleAssignments Overview By AADUser AADGroup AADSP | AAD Organization | Get all Role Assignments for AADUsers, AADGroups and AADServicePrincipals. AADUser and AADGroup Role Assignments include Role Assignments inherited through AAD Group Memberships |
| CIM Azure RoleAssignments Overview By ManagementGroup | Azure Management Group | Report that provides an overview of direct Role Assignments for Azure Management Groups as well as inherited Role Assignments. |
| CIM Azure RoleAssignments Overview By Resource | Azure Resource | Report that provides an overview of direct Role Assignments for Azure Resources as well as inherited Role Assignments. |
| CIM Azure RoleAssignments Overview By ResourceGroup | Azure Resource Group | Report that provides an overview of direct Role Assignments for Azure Resource Groups as well as inherited Role Assignments. |
| CIM Azure Role Assignment Overview By Subscription | Azure Subscription | Report that provides an overview of direct Role Assignments for Azure Subscription Groups as well as inherited Role Assignments. |
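The reports above combine two kinds of inheritance: a role assigned at a parent scope (management group, subscription, resource group) applies to every scope beneath it, and a role assigned to an AAD group applies to every user or service principal that is a member, directly or through nested groups. The following is an added example, not One Identity Manager code, that computes effective role assignments on constructed data; the scope paths, principal names and group memberships are all invented for illustration.

```python
# Added example (not One Identity Manager code): compute the effective Azure role
# assignments the overview reports describe, combining scope inheritance with
# role assignments inherited through AAD group membership. All data is constructed.

# Scope hierarchy: child -> parent (None marks the root management group).
SCOPE_PARENT = {
    "/mg/root": None,
    "/mg/root/sub1": "/mg/root",
    "/mg/root/sub1/rg-app": "/mg/root/sub1",
    "/mg/root/sub1/rg-app/vm-web": "/mg/root/sub1/rg-app",
}
# (principal, role, scope); the three Az*RoleAssignment tables are merged here.
ROLE_ASSIGNMENTS = [
    ("alice", "Reader", "/mg/root/sub1/rg-app/vm-web"),
    ("ops-admins", "Contributor", "/mg/root/sub1"),
    ("sec-owners", "Owner", "/mg/root"),
    ("sp-deploy", "Contributor", "/mg/root/sub1/rg-app"),
]
# AAD group memberships: group -> members (users, service principals or nested groups).
GROUP_MEMBERS = {
    "ops-admins": {"alice", "sp-deploy"},
    "sec-owners": {"ops-admins"},  # nested: members of ops-admins inherit Owner
}

def scope_chain(scope):
    """The scope itself followed by all of its ancestors up to the root."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = SCOPE_PARENT[scope]
    return chain

def groups_of(principal):
    """Every group the principal belongs to, including transitively nested groups."""
    result, frontier = set(), {principal}
    while frontier:
        frontier = {g for g, m in GROUP_MEMBERS.items() if frontier & m} - result
        result |= frontier
    return result

def effective_assignments(principal, scope):
    """Roles held on `scope`, each tagged with how it was obtained (direct or inherited)."""
    holders = {principal} | groups_of(principal)
    found = []
    for who, role, at in ROLE_ASSIGNMENTS:
        if who in holders and at in scope_chain(scope):
            via = "direct" if who == principal else f"via group {who}"
            how = "direct scope" if at == scope else f"inherited from {at}"
            found.append((role, via, how))
    return sorted(found)
```

An access review that only lists AzUserRoleAssignment rows would miss the Owner role alice holds on every scope through the nested sec-owners group; this is the gap the "inherited" columns of the reports close.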
Troubleshooting issues related to the CIM module include:
- Synchronization issues - Check the synchronization logs for inconsistencies after synchronization is complete. For more detail, view the logs of the Job server that is assigned to handle CIM module synchronizations.
- Provisioning / synchronization shows Forbidden errors in the logs - Check that the Azure AD service principal configured in Starling Connect has Owner permissions at root scope level.
- Issues related to throttling (HTTP 429 Too Many Requests) - Azure enforces throttling limits on requests for Azure objects. The connector automatically detects throttling and handles it. If you still receive an "HTTP 429 Too Many Requests" error, the requests have reached a limit and Azure cannot process further requests. If this happens, contact Microsoft to have the throttling limit increased.
Recommendations for synchronization project creation
- The revision filter in the synchronization project should be enabled only for the role assignment tables: Roles, RoleAssignment, GroupRoleAssignment, SPRoleAssignment and UserRoleAssignment.
- For projection to happen, write permissions in the synchronization project should be enabled only for the role assignment tables: Roles, RoleAssignment, GroupRoleAssignment, SPRoleAssignment and UserRoleAssignment.