
Identity Manager 9.3 - Administration Guide for Connecting to Microsoft Entra ID


Managing Microsoft Entra ID user accounts through account definitions

In the default installation, identities are automatically created for the user accounts after synchronization. If no account definition is known for the tenant at the time of synchronization, the user accounts are linked with identities, but no account definitions are assigned. The user accounts are therefore in the Linked state.

To manage the user accounts using account definitions, assign an account definition and a manage level to these user accounts.

To manage user accounts through account definitions

  1. Create an account definition.

  2. Assign an account definition to the tenant.

  3. Assign a user account in the Linked state to the account definition. The account definition's default manage level is applied to the user account.

    1. In the Manager, select the Microsoft Entra ID > User accounts > Linked but not configured > <tenant> category.

    2. Select the Assign account definition to linked accounts task.

    3. In the Account definition drop-down, select the account definition.

    4. Select the user accounts to which the account definition is to be assigned.

    5. Save the changes.

Troubleshooting

Synchronization Editor helps you to analyze and eliminate synchronization errors.

  • Simulating synchronization

    The simulation allows you to estimate the result of synchronization. This means you can, for example, recognize potential errors in the synchronization configuration.

  • Analyzing synchronization

    You can generate the synchronization analysis report for analyzing problems which occur during synchronization, for example, insufficient performance.

  • Logging messages

    One Identity Manager offers different options for logging errors. These include the synchronization log, the log file for One Identity Manager Service, the logging of messages with NLOG, and similar.

  • Reset start information

    If synchronization stopped unexpectedly, for example, because a server was not available, the start information must be reset manually. Only then can the synchronization be restarted.

For more information about these topics, see the One Identity Manager Target System Synchronization Reference Guide.

Ignoring data errors in synchronization

By default, objects with incorrect data are not synchronized. These objects can be synchronized once the data has been corrected. In certain situations, however, it might be necessary to synchronize objects like these and ignore the data properties that have errors. This synchronization behavior can be configured in One Identity Manager.

To ignore data errors during synchronization in One Identity Manager

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Configuration > One Identity Manager connection category.

  3. In the General view, click Edit connection.

    This starts the system connection wizard.

  4. On the Additional options page, enable Try to ignore data errors.

    This option is only effective if Continue on error is set in the synchronization workflow.

    Default columns, such as primary keys, UID columns, or mandatory input columns cannot be ignored.

  5. Save the changes.

IMPORTANT: If this option is set, One Identity Manager tries to ignore commit errors that could be related to data errors in a single column. The data changed in the affected column is discarded and the object is then saved again. This affects performance and leads to loss of data.

Only set this option in the exceptional circumstance of not being able to correct the data before synchronization.
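The following is an added illustrative model of the behavior described above, not One Identity Manager code: a save discards the single column that fails validation and retries, but protected columns (primary key, UID, mandatory input) are never discarded, so those commits still fail. Column names and validation rules are constructed for the example.

```python
"""Toy model of "Try to ignore data errors" (hypothetical, not product code)."""
from dataclasses import dataclass, field

# Constructed: columns that the option can never ignore.
PROTECTED = {"UID_Account", "ObjectKey"}      # stand-ins for PK / UID columns
MANDATORY = {"UserPrincipalName"}             # stand-in for a mandatory input column


@dataclass
class SaveResult:
    saved: bool
    committed: dict
    discarded: dict = field(default_factory=dict)  # data lost by the retry


def validate(column: str, value) -> bool:
    """Constructed per-column data checks standing in for the real commit validation."""
    rules = {
        "UserPrincipalName": lambda v: isinstance(v, str) and "@" in v,
        "DisplayName": lambda v: isinstance(v, str) and len(v) <= 256,
        "UsageLocation": lambda v: isinstance(v, str) and len(v) == 2,
    }
    return rules.get(column, lambda v: True)(value)


def save_with_ignore(changes: dict, ignore_data_errors: bool) -> SaveResult:
    """Commit `changes`; with the option on, drop one failing column per retry."""
    pending = dict(changes)
    discarded = {}
    while True:
        bad = [col for col, val in pending.items() if not validate(col, val)]
        if not bad:
            return SaveResult(True, pending, discarded)
        col = bad[0]
        if not ignore_data_errors or col in PROTECTED or col in MANDATORY:
            # Option off, or the failing column cannot be ignored: commit fails.
            return SaveResult(False, {}, discarded)
        discarded[col] = pending.pop(col)  # the column's changed value is lost
        # loop: the object is saved again without the discarded column


if __name__ == "__main__":
    # Constructed sample: "DEU" is not a valid two-letter usage location.
    result = save_with_ignore(
        {"UID_Account": "acc-1", "UserPrincipalName": "alice@example.com",
         "DisplayName": "Alice", "UsageLocation": "DEU"}, ignore_data_errors=True)
    print(result)
```

Auditing the `discarded` dictionary is the only record of what the retry threw away, which is why the guide restricts the option to exceptional cases.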

Pausing handling of target system specific processes (Offline mode)

If a target system connector is not able to reach the target system temporarily, you can enable offline mode for the target system. This stops target system specific processes from being frozen and having to be manually re-enabled later.

Whether offline mode is generally available for a target system connection is set in the base object of the respective synchronization project. Once a target system is truly unavailable, the target system connection can be switched offline and online again with the Launchpad.

In offline mode, all Job servers assigned to the base object are stopped. This includes the synchronization server and all Job servers involved in load balancing. If one of the Job servers also handles other tasks, these are not processed either.

Prerequisites

Offline mode can only be specified for a base object if certain prerequisites are fulfilled.

  • The synchronization server is not used for any other base object as a synchronization server.

  • If a server function is assigned to the base object, none of the Job servers with this server function may have any other server function (for example, update server).

  • A dedicated synchronization server must be set up to exclusively process the Job queue for this base object. The same applies to all Job servers that are determined by the server function.

To allow offline mode for a base object

  1. In the Synchronization Editor, open the synchronization project.

  2. Select the Base objects category.

  3. Select a base object in the document view and click .

  4. Enable Offline mode available.

  5. Click OK.

  6. Save the changes.

IMPORTANT: To prevent data inconsistencies, the offline phase should be kept as short as possible.

The number of processes to handle depends on the extent of the changes in the One Identity Manager database and their effect on the target system during the offline phase. To establish data consistency between the One Identity Manager database and the target system, all pending processes must be handled before synchronization can start.

Only use offline mode, if possible, for short system downtimes such as maintenance windows.

To flag a target system as offline

  1. Start the Launchpad and log in on the One Identity Manager database.

  2. Select Manage > System monitoring > Flag target systems as offline.

  3. Click Run.

    This opens the Manage offline systems dialog. The Base objects section displays the base objects of target system connections that can be switched to offline.

  4. Select the base object whose target system connection is not available.

  5. Click Switch offline.

  6. Confirm the security prompt with OK.

    This stops all the Job servers assigned to the base object. No more synchronization or provisioning Jobs are performed. The Job Queue Info program shows when a Job server has been switched offline and the corresponding tasks are not being processed.

For more information about offline mode, see the One Identity Manager Target System Synchronization Reference Guide.
