
Identity Manager 9.2 - Cloud Access Governance Administration Guide

Default project template for Microsoft Azure

A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template, you must declare the synchronization base object in One Identity Manager.

Use a default project template for setting up the synchronization project initially. For custom implementations, you can extend the synchronization project with the Synchronization Editor. The following One Identity Manager tables are used for mapping.

One Identity Manager schema tables for Microsoft Azure

Table in the One Identity Manager Schema | Description
---------------------------------------- | -------------------------------------------
AzLocations                              | Azure Locations details
AzManagementGroups                       | Azure Management Groups details
AzResource                               | Azure Resources details
AzResourceGroups                         | Azure Resource Groups details
AzResourceTypes                          | Azure Resource types details
AzRoles                                  | Azure Roles details
AzSubscriptions                          | Azure Subscription details
AzRoleAssignment                         | Azure Role Assignment to Scope details
AzGroupRoleAssignment                    | Azure Roles Assigned to a Group
AzSPRoleAssignment                       | Azure Roles Assigned to a Service Principal
AzUserRoleAssignment                     | Azure Roles Assigned to a User
AzRoleScopeMap                           | Azure Role’s scope definition

Reports about Azure cloud system objects

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. You can generate the following reports for Microsoft Azure objects.

Table 13: Reports about Microsoft Azure objects

Report | Published for | Description
------ | ------------- | -----------
CIM Azure RoleAssignments Overview By AADGroup | AAD Group | Get all Role Assignments for AADGroups, including Role Assignments inherited through AAD Group Memberships
CIM Azure RoleAssignments Overview By AADServicePrincipal | AAD ServicePrincipal | Get all Role Assignments for AADServicePrincipals
CIM Azure RoleAssignments Overview By AADUser | AAD User | Get all Role Assignments for AADUsers, including Role Assignments inherited through AAD Group Memberships
CIM Azure RoleAssignments Overview By AADUser AADGroup AADSP | AAD Organization | Get all Role Assignments for AADUsers, AADGroups and AADServicePrincipals. AADUser and AADGroup Role Assignments include Role Assignments inherited through AAD Group Memberships
CIM Azure RoleAssignments Overview By ManagementGroup | Azure Management Group | Overview of direct Role Assignments for Azure Management Groups as well as inherited Role Assignments
CIM Azure RoleAssignments Overview By Resource | Azure Resource | Overview of direct Role Assignments for Azure Resources as well as inherited Role Assignments
CIM Azure RoleAssignments Overview By ResourceGroup | Azure Resource Group | Overview of direct Role Assignments for Azure Resource Groups as well as inherited Role Assignments
CIM Azure Role Assignment Overview By Subscription | Azure Subscription | Overview of direct Role Assignments for Azure Subscription Groups as well as inherited Role Assignments
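As an added example (not part of the One Identity Manager documentation), the following Python reproduces the two views these reports describe: effective assignments per principal, including those inherited through AAD group membership, and effective assignments at a scope, including those inherited from parent scopes. All scopes, principals and roles are constructed sample data.

```python
# Added example, not from the One Identity Manager documentation: reproduces the
# logic behind the "CIM Azure RoleAssignments Overview" reports, i.e. direct role
# assignments plus those inherited through (nested) AAD group membership and
# through the Azure scope hierarchy. Every scope, principal and role is constructed.

# Child scope -> parent scope, as AzRoleScopeMap would record the hierarchy.
SCOPE_PARENT = {
    "/mg/mg-root": None,
    "/subscriptions/sub-1": "/mg/mg-root",
    "/subscriptions/sub-1/resourceGroups/rg-app": "/subscriptions/sub-1",
    "/subscriptions/sub-1/resourceGroups/rg-app/vm-1": "/subscriptions/sub-1/resourceGroups/rg-app",
}
# Group -> direct members (users, service principals or other groups).
GROUP_MEMBERS = {"grp-platform": {"alice", "grp-ops"}, "grp-ops": {"bob"}}
# Direct assignments (principal, role, scope), one row per AzRoleAssignment entry.
ASSIGNMENTS = [
    ("grp-platform", "Reader", "/mg/mg-root"),
    ("alice", "Contributor", "/subscriptions/sub-1/resourceGroups/rg-app"),
    ("sp-deploy", "Owner", "/subscriptions/sub-1"),
    ("bob", "Virtual Machine Contributor", "/subscriptions/sub-1/resourceGroups/rg-app/vm-1"),
]

def transitive_groups(principal):
    """All groups the principal belongs to, directly or through nested groups."""
    found, todo = set(), [principal]
    while todo:
        member = todo.pop()
        for group, members in GROUP_MEMBERS.items():
            if member in members and group not in found:
                found.add(group)
                todo.append(group)
    return found

def scope_chain(scope):
    """The scope itself followed by each ancestor up to the root."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = SCOPE_PARENT[scope]
    return chain

def assignments_for_principal(principal):
    """'Overview By AADUser/AADGroup/AADSP' view: (role, scope, via) rows."""
    holders = {principal: "direct"}
    holders.update({g: f"group:{g}" for g in transitive_groups(principal)})
    return sorted((role, scope, holders[p]) for p, role, scope in ASSIGNMENTS if p in holders)

def assignments_at_scope(scope):
    """'Overview By Resource/ResourceGroup/Subscription' view: (principal, role, source scope, inherited)."""
    chain = scope_chain(scope)
    return sorted((p, role, s, s != scope) for p, role, s in ASSIGNMENTS if s in chain)
```

Reviewing the output of `assignments_at_scope` for a sensitive resource shows which assignments were never made at that resource but arrive through a subscription or management group, which is the usual source of unexpected access in such reports.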

Troubleshooting

Common issues with the CIM module and how to troubleshoot them:

  • Synchronization issues - Check the synchronization log for inconsistencies after the synchronization is complete. For more detail, view the logs of the Job server that is assigned to handle CIM module synchronizations.
  • Provisioning or synchronization reports Forbidden errors in the logs - Make sure that the Azure AD Service Principal configured in Starling Connect has Owner permissions at the root scope level.
  • Issues related to throttling (HTTP 429 Too Many Requests) - Azure enforces throttling limits on requests for Azure objects. The connector detects throttling automatically and handles it. If a throttling issue persists and you receive the error "HTTP 429 Too Many Requests", the requests have reached a particular limit and Azure is unable to process further requests. If this happens, contact Microsoft to increase the throttling limit.

Recommendations for Synchronization project creation

  • The revision filter in the synchronization project should be enabled only for the role assignment tables: Roles, RoleAssignment, GroupRoleAssignment, SPRoleAssignment and UserRoleAssignment.
  • For projection to take place, write permissions in the synchronization project should be enabled only for the role assignment tables: Roles, RoleAssignment, GroupRoleAssignment, SPRoleAssignment and UserRoleAssignment.