Target system managers
A default application role exists for the target system manager in One Identity Manager. Assign the employees who are authorized to edit all Exchange Online objects in One Identity Manager to this application role.
Define additional application roles if you want to limit the edit permissions for target system managers to individual Exchange Online objects. The application roles must be added under the default application role.
For detailed information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.
Implementing application roles for target system managers
-
The One Identity Manager administrator allocates employees to be target system administrators.
-
These target system administrators add employees to the default application role for target system managers.
Target system managers with the default application role are authorized to edit all the Exchange Online objects in One Identity Manager.
-
Target system managers can authorize other employees within their area of responsibility as target system managers and if necessary, create additional child application roles and assign these to individual tenants.
Table 12: Default application roles for target system managers
|
Target system managers
|
Target system managers must be assigned to the Target systems | Exchange Online application role or a child application role.
Users with this application role:
-
Assume administrative tasks for the target system.
-
Create, change, or delete target system objects like user accounts or groups.
-
Edit password policies for the target system.
-
Prepare groups to add to the IT Shop.
-
Can add employees who have an other identity than the Primary identity.
-
Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
-
Edit the synchronization's target system types and outstanding objects.
-
Authorize other employees within their area of responsibility as target system managers and create child application roles if required. |
To initially specify employees to be target system administrators
- Log in to the Manager as a One Identity Manager administrator (Base role | Administrators application role)
- Select the One Identity Manager Administration | Target systems | Administrators category.
- Select the Assign employees task.
- Assign the employee you want and save the changes.
To add the first employees to the default application as target system managers
-
Log in to the Manager as a target system administrator (Target systems | Administrators application role).
-
Select the One Identity Manager Administration | Target systems | Exchange Online category.
-
Select the Assign employees task.
-
Assign the employees you want and save the changes.
To authorize other employees as target system managers when you are a target system manager
-
Log in to the Manager as a target system manager.
-
Select the application role in the Azure Active Directory | Basic configuration data | Target system managers category.
-
Select the Assign employees task.
-
Assign the employees you want and save the changes.
To specify target system managers for individual tenants
-
Log in to the Manager as a target system manager.
-
Select the Azure Active Directory | Tenants category.
-
Select the tenant in the result list.
-
Select the Change master data task.
-
On the General tab, select the application role in the Target system manager (Exchange Online) menu.
- OR -
Next to the Target system manager (Exchange Online) menu, click 
to create a new application role.
-
Enter the application role name and assign the Target systems | Exchange Online parent application role.
-
Click OK to add the new application role.
- Save the changes.
-
Assign employees to this application role who are permitted to edit the tenant in One Identity Manager.
Related topics
Configuration parameters for managing an Exchange Online environment
The following configuration parameters are additionally available in One Identity Manager after the module has been installed.
Table 13: Configuration parameters for managing an Exchange Online environment
|
TargetSystem | AzureAD | ExchangeOnline |
Preprocessor relevant configuration parameter for controlling the database model components for the administration of the target system Exchange Online. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled. |
|
TargetSystem | AzureAD | ExchangeOnline | Accounts |
This configuration parameter permits configuration of recipient data. |
|
TargetSystem | AzureAD | ExchangeOnline | Accounts |
MailTemplateDefaultValues |
This configuration parameter contains the mail template used to send notifications if default IT operating data mapping values are used for automatically creating a user account. The Employee - new user account with default properties created mail template is used. |
|
TargetSystem | AzureAD | ExchangeOnline | DefaultAddress |
The configuration parameter contains the recipient's default email address for sending notifications about actions in the target system. |
|
TargetSystem | AzureAD | ExchangeOnline | MaxFullsyncDuration |
This configuration parameter contains the maximum runtime for synchronization. No recalculation of group memberships by the DBQueue Processor can take place during this time. If the maximum runtime is exceeded, group membership are recalculated. |
Default project template for Exchange Online
A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.
Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.
The template uses mappings for the following schema types.
Table 14: Mapping Exchange Online schema types to tables in the One Identity Manager schema
| DistributionGroup |
O3EDL |
| DynamicDistributionGroup |
O3EDynDL |
| Mailbox |
O3EMailbox |
| MailContact |
O3EMailContact |
| MailPublicFolder |
O3EMailPublicFolder |
| MailUser |
O3EMailUser |
| MobileDeviceMailboxPolicy |
O3EMobileDeviceMBPolicy |
| OWAMailboxPolicy |
O3EOwaMailboxPolicy |
| PublicFolder |
O3EPublicFolder |
| RetentionPolicy |
O3ERetentionPolicy |
| RoleAssignmentPolicy |
O3ERoleAssignmentPolicy |
| SharingPolicy |
O3ESharingPolicy |
| UnifiedGroup |
O3EUnifiedGroup |
Editing system objects
The following table describes permitted processing methods of Exchange Online schema types and names restrictions required by system object processing.
Adding and deleting user mailboxes can only be done in One Identity Manager through assignment subscriptions in Azure Active Directory. This creates a mailbox that does not appear in the database until it has been synchronized. Afterward, it can be provisioned automatically in Exchange Online.
Table 15: Methods available for editing schema types
| Role assignments policy |
Yes |
No |
No |
No |
| Mobile device mailbox policy |
Yes |
No |
No |
No |
|
Sharing policy |
Yes |
No |
No |
No |
| Retention policy |
Yes |
No |
No |
No |
| Outlook Web App mailbox policy |
Yes |
No |
No |
No |
| Public Folder |
Yes |
No |
No |
No |
| Mail-enabled public folder |
Yes |
No |
No |
No |
| Resource mailbox |
Yes |
Yes |
Yes |
Yes |
| Shared mailbox |
Yes |
Yes |
Yes |
Yes |
| User mailbox |
Yes |
No |
No |
No |
| Email contact |
Yes |
Yes |
Yes |
Yes |
| Email user |
Yes |
Yes |
Yes |
Yes |
| Distribution group |
Yes |
Yes |
Yes |
Yes |
| Dynamic distribution group |
Yes |
No |
Yes |
Yes |
| Office 365 group |
Yes |
Yes |
Yes |
Yes |
