立即与支持人员聊天
与支持团队交流

Active Roles 8.2.1 - Synchronization Service Administration Guide

Synchronization Service overview Deploying Synchronization Service Deploying Synchronization Service for use with AWS Managed Microsoft AD Getting started Connections to external data systems
External data systems supported with built-in connectors
Working with Active Directory Working with an AD LDS (ADAM) instance Working with Skype for Business Server Working with Oracle Database Working with Oracle Database user accounts Working with Exchange Server Working with Active Roles Working with One Identity Manager Working with a delimited text file Working with Microsoft SQL Server Working with Micro Focus NetIQ Directory Working with Salesforce Working with ServiceNow Working with Oracle Unified Directory Working with an LDAP directory service Working with an OpenLDAP directory service Working with IBM DB2 Working with IBM AS/400 Working with IBM RACF Working with MySQL database Working with an OLE DB-compliant relational database Working with SharePoint Working with Microsoft 365 Working with Microsoft Azure Active Directory Configuring data synchronization with the SCIM Connector Configuring data synchronization with the Generic SCIM Connector
Using connectors installed remotely Creating a connection Renaming a connection Deleting a connection Modifying synchronization scope for a connection Using connection handlers Specifying password synchronization settings for a connection
Synchronizing identity data Mapping objects Automated password synchronization Synchronization history Scenarios of use Developing PowerShell scripts for attribute synchronization rules Using PowerShell script to transform passwords

Modifying the manual configuration settings of a Microsoft 365 connector

You can modify the manual configuration settings of an existing M365 connector in the Synchronization Service Console.

IMPORTANT: If you are upgrading from an older version of Active Roles to Active Roles 8.1.3 or later, and the connector was configured manually, then you must update the authentication data to be able to run a synchronization workflow.

To update the authentication data, you can:

  • Use Auto configuration. One Identity recommends this approach, as the process is handled automatically by the Active Roles Synchronization Service.

    For more information on automatic configuration, see Modifying the automatic configuration settings of a Microsoft 365 connector.

  • Enter the Certificate thumbprint of the Azure tenant manually, and select the Tenant Environment Type.

To modify the manual configuration settings of an M365 connector

  1. In the Synchronization Service Console, open the Connections tab.

  2. Click Connection settings under the existing Microsoft 365 connection you want to modify.

  3. On the Connection Settings tab, click Specify connection settings to expand it and use the following options.

  4. To use an existing Azure application, select Manual configuration.

    NOTE: Alternatively, to use and update an existing Azure application, you can also select Auto configuration. Under Auto configuration, click Log in to Azure, then select the Tenant environment type of the Azure tenant. After logging in to Azure with your tenant, the Tenant ID, Application ID, Certificate thumbprint and Tenant environment type parameters will be automatically filled in.

  5. Enter the Tenant ID, Application ID and Certificate thumbprint of the Azure tenant as they appear on the Azure portal. Then, select the Tenant Environment Type of the Azure tenant.

  6. To test the connection with the new parameters, click Test connection.

  7. To modify the connection settings, click Save.

Modifying the automatic configuration settings of a Microsoft 365 connector

You can modify the automatic configuration settings of an existing M365 connector in the Synchronization Service Console.

Prerequisites

To create, consent and delete Azure AD applications for Active Roles Synchronization Service, the user account performing the procedure must have the following permissions:

  • Application Administrator

  • Privileged Role Administrator

To modify the auto configuration settings of an M365 connector

  1. In the Synchronization Service Console, open the Connections tab.

  2. Click Connection settings under the existing Microsoft 365 connection you want to modify.

  3. On the Connection Settings tab, click Specify connection settings to expand it and use the following options.

  4. To create a new Azure application or update an existing one, select Auto configuration.

    NOTE: If you have more than one Azure Active Directory (Azure AD) service in your Azure tenant, select I have more than one Azure AD in my Azure tenant, and use the Tenant ID field to specify the GUID of the Azure AD for which you want to set up synchronization. For more information, see Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync.

  5. Select one of the following options based on the number of Azure AD services in your Azure tenant:

    • I have one Azure AD in my Azure tenant.

    • I have more than one Azure AD in my Azure tenant.

  6. Authenticate your access to Azure AD:

    • If you have selected I have one Azure AD in my Azure tenant, to authenticate your access to Azure AD, click Log in to Azure, and from the Select Environment Type drop-down, select the environment type of your Azure tenant.

      NOTE: Active Roles supports Azure Cloud, Azure GCC and Azure GCC-H government tenants.

    • If you have selected I have more than one Azure AD in my Azure tenant, in Tenant ID, enter the GUID of the Azure AD for which you want to set up synchronization.

      TIP: For more information on how to find the GUID of an Azure AD service, see Finding the GUID (Tenant ID) of an Azure AD for Azure BackSync.

      After specifying the tenant ID, to authenticate your access to Azure AD, click Log in to Azure, and in the Select Environment Type drop-down, select the environment of your Azure tenant.

      NOTE: If you select I have more than one Azure AD in my Azure tenant, the Log in to Azure button will be enabled only if you specify a well-formed Azure AD GUID in the Tenant ID text box.

  7. Azure application name: Enter the name of the new or existing Azure application.

  8. To create or update the Azure application in Azure AD, click Create or update Azure application.

    The created or updated Azure application has the following directory roles assigned to it:

    • Directory Writers

    • Exchange Administrator

    • User Administrator

    The following permissions are also added, for which you must give admin consent:

    • Sign in and read user profile

    • Manage Exchange As Application

    NOTE: You may need to set additional permissions depending on your needs, or remove permissions later if the Azure AD app is no longer used. To add additional permissions to the Azure application or remove any of them, sign in to the Azure Portal, then under Microsoft Entra ID > Manage > Roles and Administrators, manage the currently assigned roles of the app.

  9. To give admin consent for the permissions of the Azure application, click Consent. Then, in the Azure Tenant Consent dialog, click Accept.

  10. To test the connection with the new parameters, click Test connection.

  11. To modify the connection settings, click Save.

Microsoft 365 data supported out of the box

The next table lists the Microsoft 365 object types supported by the Microsoft 365 Connector out of the box and provides information about the operations you can perform on these objects by using the Microsoft 365 Connector.

Table 72: Supported objects and operations

Object

Read

Create

Delete

Update

ClientPolicy

Allows you to work with client policies in Skype for Business Online. You can use client policies to determine the features of Skype for Business Online that are available to users.

For more information on what data you can read and write, see ClientPolicy object attributes.

Yes

No

No

No

ConferencingPolicy

Allows you to work with conferencing policies in Skype for Business Online. You can use conferencing policies to determine the features available to the users participating in a conference.

For more information on what data you can read and write, see ConferencingPolicy object attributes.

Yes

No

No

No

Contact

Allows you to work with external contact properties in Microsoft 365.

For more information on what data you can read and write, see Contact object attributes.

Yes

Yes

Yes

Yes

DistributionGroup

Allows you to work with distribution group properties in Microsoft 365.

For more information on what data you can read and write, see DistributionGroup object attributes.

Yes

Yes

Yes

Yes

Domain

Allows you to retrieve information about domains in Microsoft 365.

For more information on what data you can retrieve, see Domain object attributes.

Yes

No

No

No

DynamicDistributionGroup

Allows you to work with dynamic distribution group properties in Microsoft 365.

For more information on what data you can read and write, see DynamicDistributionGroup object attributes.

Yes

Yes

Yes

Yes

ExternalAccessPolicy

Allows you to work with external access policies in Skype for Business Online.

For more information on what data you can read and write, see ExternalAccessPolicy object attributes.

Yes

No

No

No

HostedVoicemailPolicy

Allows you to work with voice mail policies in Skype for Business Online.

For more information on what data you can read and write, see HostedVoicemailPolicy object attributes.

Yes

No

No

No

LicensePlanService

Allows you to retrieve information related to the license plans and services that are currently in use in Microsoft 365.

For more information on what data you can read and write, see LicensePlanService object attributes.

Yes

No

No

No

Mailbox

Allows you to work with Exchange Online mailboxes in Microsoft 365.

For more information on what data you can read and write, see Mailbox object attributes.

Yes

Yes

Yes

Yes

MailUser

Allows you to work with mail user properties in Microsoft 365.

For more information on what data you can read and write, see MailUser object attributes.

Yes

Yes

Yes

Yes

PresencePolicy

Allows you to work with presence policies in Skype for Business Online.

For more information on what data you can read and write, see PresencePolicy object attributes.

Yes

No

No

No

SecurityGroup

Allows you to work with security group properties in Microsoft 365.

For more information on what data you can read and write, see SecurityGroup objects attributes.

Yes

Yes

Yes

Yes

SPOSite

Allows you to work with the properties of site collections in SharePoint Online.

For more information on what data you can read and write, see SPOSite object attributes.

Yes

Yes

Yes

Yes

SPOSiteGroup

Allows you to work with groups inside site collections in SharePoint Online.

For more information on what data you can read and write, see SPOSiteGroup object attributes.

Yes

Yes

Yes

Yes

SPOWebTemplate

Allows you to work with web templates in SharePoint Online.

For more information on what data you can read and write, see SPOWebTemplate object attributes.

Yes

No

No

No

SPOTenant

Allows you to work with SharePoint Online organization.

For more information on what data you can read and write, see SPOTenant object attributes.

Yes

No

No

Yes

User

Allows you to read and write user properties in Microsoft 365.

For more information on what data you can read and write, see User object attributes.

Yes

Yes

Yes

Yes

VoicePolicy

Allows you to read or write data related to voice policies in Skype for Business Online.

For more information on what data you can read and write, see VoicePolicy object attributes.

Yes

No

No

No

Microsoft 365 Group

Allows you to read or write data related to Microsoft 365 group.

For more information on what data you can read and write, see Microsoft 365 group attributes.

Yes

Yes Yes Yes

ClientPolicy object attributes

Table 73: ClientPolicy object attributes

Attribute

Description

Supported operations

Anchor

Gets the Anchor property value of the policy.

Read

Description

Gets the policy description.

Read

Identity

Gets the unique identifier assigned to the policy.

Read

Members

Gets the users who have been assigned the policy.

Read

ObjectID

Gets the unique object identifier (GUID).

Read

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级