Active Roles 8.0 LTS - Synchronization Service Administration Guide


Configuring the Microsoft Azure AD Connector as an Azure application for data synchronization

To enable the Microsoft Azure AD Connector of the Active Roles Synchronization Service to read and write data in Microsoft Azure Active Directory (Azure AD), you must configure the connector as an Azure application in your Microsoft Azure AD environment.

Prerequisites

To assign all required permissions to the application, you must install the Azure AD PowerShell module. For more information on how to install the module, see Install Azure Active Directory PowerShell for Graph in the Microsoft Azure documentation, or download the module manually.

To configure Microsoft Azure AD Connector as an Azure application

  1. In the Azure Portal, register a new application in the domain of your Microsoft Azure AD environment where you want to perform data synchronization. For more information, see Register an application with the Microsoft identity platform in the Microsoft Azure documentation.

  2. Assign the required permissions to the application via a Windows PowerShell script, so that the Microsoft Azure AD Connector of the Active Roles Synchronization Service can read and write data in Microsoft Azure AD. To do so, adapt and run the following Windows PowerShell script.

    Example PowerShell Script to assign permissions to Microsoft Azure AD Connector
    # Load the Azure AD PowerShell module installed as a prerequisite.
    Import-Module AzureAD

    # Replace <ClientId> with the Client ID of the Active Roles Azure AD Connector application (example format: 455ad643-332g-32h7-q004-8ba89ce65ae26)
    $Id = "<ClientId>"

    # Prompt for Microsoft Azure AD Global Admin credentials and save them to the $creds variable.
    $creds = Get-Credential

    # Connect to Azure AD using the credentials stored in $creds.
    Connect-AzureAD -Credential $creds

    # Get the service principal of the Active Roles Azure AD Connector application and save it to the $servicePrincipal variable.
    $servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object { $_.AppId -eq $Id }

    # Get the object ID of the required directory role and save it to the $roleId variable.
    # ("Company Administrator" is the name the Azure AD module uses for the Global Administrator role.)
    $roleId = (Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Company Administrator' }).ObjectId

    # Add the service principal to that role, which grants the Active Roles Azure AD Connector application the required permissions.
    Add-AzureADDirectoryRoleMember -ObjectId $roleId -RefObjectId $servicePrincipal.ObjectId
  3. In the Azure Portal, open the application you created and take note of the following information:
    • Client ID

    • Valid key of the application

    This information is required when configuring the Microsoft Azure AD Connector as described in Creating a connection with the Microsoft Azure AD Connector.
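The script in step 2 does not report whether the assignment actually took effect, and it fails with an unhelpful error if the Client ID does not resolve to a service principal. The following Windows PowerShell script is an added verification step, not code from the guide or from One Identity. It uses the same Azure AD module cmdlets as the guide's script to confirm that the connector application's service principal exists and is a member of the directory role, and then lists every non-user principal that holds that role, so that an unexpected assignment stands out during review. The `<ClientId>` placeholder and the `$Id` variable name are taken from the guide's script; the remaining names are the author's assumptions.

```powershell
# Added verification script (not part of the One Identity guide).
# Assumes the AzureAD module is installed and that $Id holds the Client ID of the
# connector application, exactly as in the guide's script above.
Import-Module AzureAD
$Id = "<ClientId>"   # placeholder: replace with the application's Client ID
$creds = Get-Credential
Connect-AzureAD -Credential $creds | Out-Null

# 1. The application must have a service principal in this tenant; without one,
#    no role assignment can exist and the guide's Add-AzureADDirectoryRoleMember call fails.
$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object { $_.AppId -eq $Id }
if (-not $servicePrincipal) {
    Write-Error "No service principal found for AppId $Id. Check the Client ID and that the application is registered in this tenant."
    return
}

# 2. Resolve the directory role the guide assigns. "Company Administrator" is the
#    Azure AD module's name for the Global Administrator role.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Company Administrator' }
if (-not $role) {
    Write-Error "Directory role 'Company Administrator' was not returned by Get-AzureADDirectoryRole."
    return
}

# 3. Read the role membership and check that the connector's service principal is in it.
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
$isMember = $members | Where-Object { $_.ObjectId -eq $servicePrincipal.ObjectId }
if ($isMember) {
    Write-Output "OK: '$($servicePrincipal.DisplayName)' holds the $($role.DisplayName) role."
} else {
    Write-Warning "'$($servicePrincipal.DisplayName)' is NOT a member of $($role.DisplayName); re-run the assignment step."
}

# 4. Audit view: every non-user principal holding this role has tenant-wide administrative
#    rights, so the list should contain only the principals you expect (the connector among them).
$members |
    Where-Object { $_.ObjectType -ne 'User' } |
    Select-Object ObjectType, DisplayName, ObjectId |
    Format-Table -AutoSize
```

Run the script with the same Global Admin credentials used for the assignment. The final table is the part worth keeping in change records: it shows which service principals hold the role at the time of the check, which is the information a later access review will ask for.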

Creating a connection with the Microsoft Azure AD Connector

You can configure an Active Roles Synchronization Service connection to your Microsoft Azure Active Directory (Azure AD) environment with the Microsoft Azure AD Connector.

Prerequisites

An Azure application with the required permissions for Microsoft Azure AD Connector must exist in the Azure AD environment where you want to perform data synchronization. For more information on configuring an Azure application and the required permissions, see Configuring the Microsoft Azure AD Connector as an Azure application for data synchronization.

To create a new Microsoft Azure AD Connector connection

  1. In the Active Roles Synchronization Service Console, navigate to Connections > Add Connection.

    Figure 5: Active Roles Synchronization Service Console – Adding a new connection via Connections > Add connection

  2. In the Name connection and select connector step, specify a custom Connection name. Then from the Use the specified connector drop-down list, select Microsoft Azure AD Connector and click Next.

  3. On the Specify connection settings page, configure the following options:
  4. To verify that the specified authentication settings are correct, click Test Connection. If testing fails, then:

    • Check your network connectivity.

    • Check if the Microsoft Azure service is available.

    • Make sure that the specified Azure AD domain, Client ID and Key settings are correct.

  5. If testing completed successfully, create the new Microsoft Azure AD connection by clicking Finish.

Viewing or modifying a Microsoft Azure AD connection

You can view or modify an existing connection based on the Microsoft Azure AD Connector with the Active Roles Synchronization Service Console. Modifying a Microsoft Azure AD Connector connection is typically required if any change occurs in the Azure application or the Azure AD environment to which the Active Roles Synchronization Service connection was originally configured.

To view or modify an existing Microsoft Azure AD Connector connection

  1. In the Active Roles Synchronization Service Console, click Connections.

  2. In the Connections page, search for the connection that uses the Microsoft Azure AD Connector, and click Connection settings.

  3. On the Connection Settings tab, click Specify connection settings and view or modify the following settings as required:
  4. To verify that the specified authentication settings are correct, click Test Connection. If testing fails, then:

    • Check your network connectivity.

    • Check if the Microsoft Azure service is available.

    • Make sure that the specified Azure AD domain, Client ID and Key settings are correct.

  5. To apply your changes, click Save.
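Step 4 of both the creation procedure and the modification procedure above names three possible causes for a failed Test Connection (network connectivity, availability of the Microsoft Azure service, and the Azure AD domain, Client ID and Key values) but gives no way to tell them apart. The following Windows PowerShell script is an added diagnostic example, not code from the guide or from One Identity. It probes those three layers in order and stops at the first one that fails. It assumes that the connector authenticates as the registered Azure application using its Client ID and Key (client secret) with an OAuth 2.0 client credentials grant against the Azure AD v2.0 token endpoint, and that it reads data through Microsoft Graph, which the note on supported object types indicates; the `<AzureADDomain>` and `<ClientId>` placeholders must be replaced with your own values.

```powershell
# Added diagnostic script (not part of the One Identity guide). It reproduces what
# "Test Connection" has to succeed at, one layer at a time, so a failure can be attributed
# to the network, to the Azure service, or to the domain / Client ID / Key settings.
# Assumption: the connector uses the OAuth 2.0 client credentials grant and Microsoft Graph.
$TenantId = "<AzureADDomain>"    # placeholder: e.g. contoso.onmicrosoft.com or the tenant GUID
$ClientId = "<ClientId>"         # placeholder: Client ID noted in the Azure Portal
$Secret   = Read-Host -Prompt "Application key" -AsSecureString

# Layer 1: network reachability of the two endpoints the connection depends on.
foreach ($endpoint in 'login.microsoftonline.com', 'graph.microsoft.com') {
    $tcp = Test-NetConnection -ComputerName $endpoint -Port 443 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Error "Cannot reach ${endpoint}:443 - check network connectivity (DNS, proxy, firewall)."
        return
    }
}

# Layer 2: credential values. Request a token with the client credentials grant.
# A rejection here (for example the OAuth errors invalid_client or unauthorized_client)
# points at the Client ID / Key / domain settings, not at the network.
$plainSecret = [System.Net.NetworkCredential]::new('', $Secret).Password
try {
    $token = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body @{
            grant_type    = 'client_credentials'
            client_id     = $ClientId
            client_secret = $plainSecret
            scope         = 'https://graph.microsoft.com/.default'
        }
} catch {
    Write-Error "Token request rejected: $($_.ErrorDetails.Message)"
    return
} finally {
    $plainSecret = $null   # do not keep the key in memory longer than needed
}
if (-not $token.access_token) {
    Write-Error "Token endpoint answered without an access token."
    return
}

# Layer 3: service availability. A minimal Graph read with the token shows whether the
# service is answering. The HTTP status separates the remaining causes:
#   200 = token accepted and service available
#   401 = service available but the token was not accepted (re-check the application)
#   403 = authenticated, but the application lacks permission for this call
#   5xx = the Microsoft Azure service itself is not available right now
try {
    $org = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/organization' `
        -Headers @{ Authorization = "Bearer $($token.access_token)" }
    Write-Output "OK: authenticated to tenant '$($org.value[0].displayName)' via Microsoft Graph."
} catch {
    $status = [int]$_.Exception.Response.StatusCode
    if ($status -ge 500) {
        Write-Error "Microsoft Graph returned HTTP $status - the Azure service is not available; retry later."
    } else {
        Write-Error "Microsoft Graph returned HTTP $status - see the status table in the comments above."
    }
}
```

Run the script from the Synchronization Service host, because that is the machine whose network path and proxy settings Test Connection actually exercises. The secret is read as a SecureString and cleared after the token request so it does not linger in the session history or in memory.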

Microsoft Azure AD object types supported for data synchronization

The Microsoft Azure AD Connector supports user and group objects, and several of their attributes, for data synchronization. The following table lists all supported object types, along with the operations you can perform on them.

Table 113: Supported objects and operations

  Object   Read   Create   Delete   Update
  User     Yes    Yes      Yes      Yes
  Group    Yes    Yes      Yes      Yes

NOTE: When configuring a data synchronization mapping rule with the Microsoft Azure AD Connector, consider that the following User and Group attributes are currently not supported and cannot be queried via the Microsoft Graph API:

  • User attributes:

    • aboutMe

    • birthday

    • contacts

    • hireDate

    • interests

    • mySite

    • officeLocation

    • pastProjects

    • preferredName

    • responsibilities

    • schools

    • skills

  • Group attributes:

    • acceptedSenders

    • allowExternalSenders

    • autoSubscribeNewMembers

    • hasMembersWithLicenseErrors

    • hideFromAddressLists

    • hideFromOutlookClients

    • isSubscribedByMail

    • membersWithLicenseErrors

    • rejectedSenders

    • unseenCount

This means that although these user and group attributes are visible, they cannot be set in a mapping rule.
