
Identity Manager 9.3 - Administration Guide for Connecting to Microsoft Entra ID


Synchronizing a Microsoft Entra ID environment

NOTE: Synchronization of the following national cloud deployments with the Microsoft Entra ID connector is not supported.

  • Microsoft Cloud for US Government (L5)

  • Microsoft Cloud Germany

  • Microsoft Entra ID and Microsoft 365 operated by 21Vianet in China

For more information, see https://support.oneidentity.com/KB/312379.

The One Identity Manager Service is responsible for synchronizing data between the One Identity Manager database and the Microsoft Entra ID tenant.

This section explains how to:

  • Set up synchronization to import initial data from a Microsoft Entra ID tenant into the One Identity Manager database.

  • Adjust a synchronization configuration to synchronize different Microsoft Entra ID tenants with the same synchronization project, for example.

  • Start and deactivate the synchronization.

  • Analyze synchronization results.

TIP: Before you set up synchronization with a Microsoft Entra ID tenant, familiarize yourself with the Synchronization Editor. For more information about this tool, see the One Identity Manager Target System Synchronization Reference Guide.

Setting up initial synchronization with a Microsoft Entra ID tenant

The Synchronization Editor provides a project template that can be used to set up the synchronization of user accounts and permissions for the Microsoft Entra ID environment. You use these project templates to create synchronization projects with which you import the data from a Microsoft Entra ID tenant into your One Identity Manager database. In addition, processes are created that are required to provision changes to target system objects from the One Identity Manager database into the target system.

To load Microsoft Entra ID tenant objects into the One Identity Manager database for the first time

  1. Ensure the Microsoft Entra ID tenant has a license for the SharePoint Online service.

    NOTE: If no such license is available, an error will occur when loading the Microsoft Entra ID user accounts. For more information, see Possible errors when synchronizing a Microsoft Entra ID tenant.

  2. Register a One Identity Manager application in your Microsoft Entra ID tenant.

    Depending on how the One Identity Manager application is registered in the Microsoft Entra ID tenant, either a user account with sufficient permissions or the secret key is required.

  3. The One Identity Manager components for managing Microsoft Entra ID tenants are available if the TargetSystem | AzureAD configuration parameter is set.

    • In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.

      NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

    • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.

  4. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  5. Create a synchronization project with the Synchronization Editor.
Registering an enterprise application for One Identity Manager in the Microsoft Entra ID tenant

To synchronize data between One Identity Manager and Microsoft Entra ID, you must register an application in the Microsoft Entra ID tenant. The Microsoft Entra ID connector uses the One Identity Manager application to authenticate itself to the Microsoft Entra ID tenant.

  • Register the One Identity Manager application in the Microsoft Azure management portal (https://portal.azure.com/) or in the Microsoft Entra ID admin center (https://admin.microsoft.com/).

    NOTE: An application ID is created when you add One Identity Manager as an application to Microsoft Entra ID. You need the application ID for setting up the synchronization project.

    For more information about registering an application, see https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=certificate.

  • There are two different ways to authenticate the application.

    • Authentication in the directory user context (delegated permissions)

      If you use authentication in the directory user context, you need a user account with sufficient permissions when setting up the synchronization project.

    • Authentication in the application context (application entitlements)

      If you use authentication in the context of an application, you need the value of the secret when setting up the synchronization project. The secret is generated when the One Identity Manager application is registered with the Microsoft Entra ID tenant.

      NOTE: The key is only valid for a limited period and must be renewed when it expires.

To configure authentication in the directory user context (delegated permissions)

  1. In the Microsoft Azure management portal, select your application under App registrations.

  2. Configure the following settings under Manage > Authentication.

    1. In the Platform configurations section, click Add a platform and, under Configure platforms, select the Mobile and desktop applications tile.

      1. Under Custom redirect URIs, you can specify any URI.

      2. Click Configure.

    2. In the Supported account types section, select Accounts in this organization directory only (single tenant).

    3. In the Advanced settings section, enable the Allow public client flows option.

  3. Configure the permissions under Manage > API permissions.

    1. In the Configured permissions section, click Add a permission.

      1. Under Request API permissions > Microsoft APIs, select the tile Microsoft Graph.

      2. Select Delegated permissions and select the following permissions:

        • Directory.AccessAsUser.All (Access directory as the signed in user)

        • Directory.ReadWrite.All (Read and write directory data)

        • AuditLog.Read.All (Read all login times)

        • CustomSecAttributeDefinition.Read.All (Read all custom security attribute definitions)

        • CustomSecAttributeAssignment.ReadWrite.All (Read and write all custom security assignments for all users and applications)

        • UserAuthenticationMethod.ReadWrite.All (Read and write authentication methods for all users)

          NOTE: This permission is not available in B2C tenants.

        • User.ReadWrite.All (Read and write all users’ full profile)

        • Group.ReadWrite.All (Read and write all groups)

        • RoleManagement.ReadWrite.Directory (Read and write all directory RBAC settings)

        • RoleAssignmentSchedule.ReadWrite.Directory (Read, update, and delete all policies for privileged role assignments of your company's directory)

        • RoleEligibilitySchedule.ReadWrite.Directory (Read, update, and delete all eligible role assignments and schedules for your company's directory)

        • Policy.Read.All (Read your organization's policies)

        • openid (Sign users in)

        • ChannelMember.Read.All (Read the members of channels)

          NOTE: This is only required if you are synchronizing Microsoft Teams.

      3. Click Add permissions.

    2. In the Configured permissions section, click Grant admin consent for ... and confirm the security prompt with Yes.

      This enables the configured permissions.

To configure authentication in the application context (application entitlements)

  1. In the Microsoft Azure management portal, under App registrations, select your application.

  2. Configure the following settings under Manage > Authentication.

    1. In the Platform configurations section, click Add a platform and, under Configure platforms, select the Web tile.

      1. Under Redirect URIs, you can specify any URI.

      2. Click Configure.

    2. In the Supported account types section, select Accounts in this organization directory only (single tenant).

    3. In the Advanced settings section, enable the Allow public client flows option.

  3. Configure the permissions under Manage > API permissions.

    1. In the Configured Permissions section, click Add a permission.

      1. Under Request API permissions > Microsoft APIs, select the tile Microsoft Graph.

      2. Select Application entitlements and select the following permissions:

        • Application.ReadWrite.All (Read and write all applications)

        • CustomSecAttributeDefinition.Read.All (Read all custom security attribute definitions)
        • CustomSecAttributeAssignment.ReadWrite.All (Read and write all custom security assignments for all users and applications)

        • Directory.ReadWrite.All (Read and write directory data)

        • Group.ReadWrite.All (Read and write all groups)

        • Policy.Read.All (Read your organization's policies)

        • RoleManagement.ReadWrite.Directory (Read and write all directory RBAC settings)

        • RoleAssignmentSchedule.ReadWrite.Directory (Read, update, and delete all policies for privileged role assignments of your company's directory)
        • RoleEligibilitySchedule.ReadWrite.Directory (Read, update, and delete all eligible role assignments and schedules for your company's directory)

        • User.ReadWrite.All (Read and write all users’ full profile)

        • UserAuthenticationMethod.ReadWrite.All (Read and write authentication methods for all users)

          NOTE: This permission is not available in B2C tenants.

        • AuditLog.Read.All (Read all login times)

        • ChannelMember.Read.All (Read the members of all channels)

          NOTE: This is only required if you are synchronizing Microsoft Teams.

      3. Click Add permissions.

    2. In the Configured permissions section, click Grant admin consent for ... and confirm the security prompt with Yes.

      This enables the configured permissions.

  4. Under Manage > Certificates & secrets, create a secret or use a certificate.

    1. Using a secret:

      1. In the Client secrets section, click New client secret.
      2. Enter a description and the validity period for the secret.

      3. Click Add.

      4. The secret is generated and displayed in the Client secrets section.

    2. Using a connection certificate:

      1. You require an X.509 certificate including a private key as a *.CER or a *.PFX file.

      2. You can use a self-signed certificate. For information on how to create it, see https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-self-signed-certificate.

      3. Import the certificate (*.PFX) into the certificate store of the Job server and the administrative workstation used to set up synchronization.

        - OR -

        Open the *.CER file and copy the Thumbprint value from the certificate properties. This value is required in the connection dialog.

  5. In the Microsoft Entra ID portal, assign the required administrator roles to the application.

    1. Select Roles and admins and select the following roles:

      • User Administrator

      • Privileged Authentication Administrator

    2. Under Add assignments, select the application you want to assign.

    3. Click Assign.
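The two procedures above configure the application registration by hand in the portal; a practitioner will want a way to re-check that configuration later, in particular before a secret expires (see the note on key validity) or after someone edits the registration. The following audit script is an added example, not One Identity Manager code or a tool the guide ships. It takes an application object shaped like the one Microsoft Graph returns for GET /applications/{id} (the field names signInAudience, isFallbackPublicClient, passwordCredentials and keyCredentials are real Graph properties; the sample values are constructed), assumes the granted Graph permission names were resolved separately and are passed in as plain strings, and assumes that customKeyIdentifier on a key credential carries the base64-encoded SHA-1 thumbprint of the certificate, as the portal manifest shows it. It checks the single-tenant audience, the public-client flag, the guide's permission list for the chosen authentication mode, secret expiry, and whether the thumbprint entered in the connection dialog belongs to a registered certificate.

```python
"""Audit of the Entra ID app registration used by the connector (added example)."""
import base64
import hashlib
from datetime import datetime, timedelta, timezone

# Permission sets exactly as listed in the guide for the two authentication modes.
DELEGATED_REQUIRED = {
    "Directory.AccessAsUser.All", "Directory.ReadWrite.All", "AuditLog.Read.All",
    "CustomSecAttributeDefinition.Read.All", "CustomSecAttributeAssignment.ReadWrite.All",
    "UserAuthenticationMethod.ReadWrite.All", "User.ReadWrite.All", "Group.ReadWrite.All",
    "RoleManagement.ReadWrite.Directory", "RoleAssignmentSchedule.ReadWrite.Directory",
    "RoleEligibilitySchedule.ReadWrite.Directory", "Policy.Read.All", "openid",
    "ChannelMember.Read.All",
}
APPLICATION_REQUIRED = {
    "Application.ReadWrite.All", "CustomSecAttributeDefinition.Read.All",
    "CustomSecAttributeAssignment.ReadWrite.All", "Directory.ReadWrite.All",
    "Group.ReadWrite.All", "Policy.Read.All", "RoleManagement.ReadWrite.Directory",
    "RoleAssignmentSchedule.ReadWrite.Directory", "RoleEligibilitySchedule.ReadWrite.Directory",
    "User.ReadWrite.All", "UserAuthenticationMethod.ReadWrite.All", "AuditLog.Read.All",
    "ChannelMember.Read.All",
}
TEAMS_ONLY = {"ChannelMember.Read.All"}  # only needed when Microsoft Teams is synchronized


def missing_permissions(granted, mode, sync_teams=False):
    """Required permissions for `mode` ("delegated" or "application") not yet granted."""
    required = DELEGATED_REQUIRED if mode == "delegated" else APPLICATION_REQUIRED
    if not sync_teams:
        required = required - TEAMS_ONLY
    return sorted(required - set(granted))


def certificate_thumbprint(cert_bytes):
    """SHA-1 thumbprint (upper-case hex) of a .CER file given as DER or PEM bytes."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(ln for ln in cert_bytes.splitlines() if not ln.startswith(b"-----"))
        cert_bytes = base64.b64decode(body)
    return hashlib.sha1(cert_bytes).hexdigest().upper()


def audit_app(app, granted, mode, now, warn_days=30, sync_teams=False, thumbprint=None):
    """Return a list of findings; an empty list means the registration matches the guide."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":  # "single tenant" account type
        findings.append("supported account types is not single tenant (AzureADMyOrg)")
    if not app.get("isFallbackPublicClient", False):  # "Allow public client flows"
        findings.append("'Allow public client flows' is disabled")
    for perm in missing_permissions(granted, mode, sync_teams):
        findings.append(f"missing {mode} permission: {perm}")
    for cred in app.get("passwordCredentials", []):  # secrets are valid for a limited period
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        if end <= now:
            findings.append(f"secret '{cred['displayName']}' expired on {end.date()}")
        elif end - now <= timedelta(days=warn_days):
            findings.append(f"secret '{cred['displayName']}' expires on {end.date()}")
    if thumbprint is not None:  # assumption: customKeyIdentifier = base64(SHA-1 thumbprint)
        registered = {base64.b64decode(c["customKeyIdentifier"]).hex().upper()
                      for c in app.get("keyCredentials", [])}
        if thumbprint.upper() not in registered:
            findings.append(f"thumbprint {thumbprint} is not registered on the application")
    return findings


# Constructed sample data; not a real certificate, tenant or application.
SAMPLE_CER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_THUMBPRINT = certificate_thumbprint(SAMPLE_CER)
AUDIT_TIME = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_APP = {
    "displayName": "One Identity Manager (sample)",
    "signInAudience": "AzureADMyOrg",
    "isFallbackPublicClient": True,
    "passwordCredentials": [
        {"displayName": "sync-secret", "endDateTime": "2025-01-08T00:00:00Z"},
        {"displayName": "old-secret", "endDateTime": "2024-06-01T00:00:00Z"},
    ],
    "keyCredentials": [
        {"customKeyIdentifier": base64.b64encode(bytes.fromhex(SAMPLE_THUMBPRINT)).decode()}
    ],
}
# Application-context grant with two of the guide's permissions left out.
SAMPLE_GRANTED = sorted(APPLICATION_REQUIRED - {"AuditLog.Read.All", "ChannelMember.Read.All"})


def run_sample():
    """Audit the constructed registration: one missing permission and two secret findings."""
    return audit_app(SAMPLE_APP, SAMPLE_GRANTED, "application", AUDIT_TIME,
                     thumbprint=SAMPLE_THUMBPRINT)


if __name__ == "__main__":
    for finding in run_sample():
        print("-", finding)
```

Run it against a real registration by replacing SAMPLE_APP with the JSON returned by Graph and SAMPLE_GRANTED with the permission names shown in the API permissions blade; a ChannelMember.Read.All finding only appears when sync_teams=True, matching the guide's note that the permission is required for Microsoft Teams synchronization only.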

Users and permissions for synchronizing with Microsoft Entra ID

The following users play a role in synchronizing One Identity Manager with a Microsoft Entra ID tenant.

Table 2: Users for synchronization

User: User for accessing Microsoft Entra ID, or the secret's value

Permissions: Depending on how the One Identity Manager application is registered in the Microsoft Entra ID tenant, either a user account with sufficient permissions or the secret is required.

  • If you use authentication in the context of a directory user (delegated permissions), you require a user account that is a member in the Global administrator Microsoft Entra ID administration role when you set up the synchronization project.

    Use the Microsoft Entra ID Admin Center to assign the Microsoft Entra ID administrator role to the user account. For more information on managing permissions in Microsoft Entra ID, see the Microsoft documentation.

    NOTE: The user account used to access Microsoft Entra ID must not use multifactor authentication to allow automated logins in a user context.

  • If you use authentication in the context of an application (application entitlements), you need the value of the secret when you set up the synchronization project. The secret is generated when the One Identity Manager application is registered with the Microsoft Entra ID tenant.

    NOTE: The key is only valid for a limited period and must be renewed when it expires.

User: One Identity Manager Service user account

Permissions: The user account for the One Identity Manager Service requires user permissions to carry out operations at file level (adding and editing directories and files).

The user account must belong to the Domain users group.

The user account must have the Login as a service extended user permissions.

The user account requires permissions for the internal web service.

NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can grant permissions for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.

In the default installation, One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)

  • %ProgramFiles%\One Identity (on 64-bit operating systems)

User: User for accessing the One Identity Manager database

Permissions: The Synchronization default system user is provided to run synchronization using an application server.
