立即与支持人员聊天
与支持团队交流

Identity Manager 9.2 - Administration Guide for Connecting to Azure Active Directory

Managing Azure Active Directory environments Synchronizing an Azure Active Directory environment
Setting up initial synchronization with an Azure Active Directory tenant Adjusting the synchronization configuration for Azure Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Azure Active Directory user accounts and identities Managing memberships in Azure Active Directory groups Managing Azure Active Directory administrator roles assignments Managing Azure Active Directory subscription and Azure Active Directory service plan assignments
Displaying enabled and disabled Azure Active Directory service plans forAzure Active Directory user accounts and Azure Active Directory groups Assigning Azure Active Directory subscriptions to Azure Active Directory user accounts Assigning disabled Azure Active Directory service plans to Azure Active Directory user accounts Inheriting Azure Active Directory subscriptions based on categories Inheritance of disabled Azure Active Directory service plans based on categories
Login credentials for Azure Active Directory user accounts Azure Active Directory role management Mapping Azure Active Directory objects in One Identity Manager
Azure Active Directory core directories Azure Active Directory user accounts Azure Active Directory user identities Azure Active Directory groups Azure Active Directory administrator roles Azure Active Directory administrative units Azure Active Directory subscriptions and Azure Active Directory service principals Disabled Azure Active Directory service plans Azure Active Directory app registrations and Azure Active Directory service principals Reports about Azure Active Directory objects
Handling of Azure Active Directory objects in the Web Portal Recommendations for federations Basic configuration data for managing an Azure Active Directory environment Troubleshooting Configuration parameters for managing an Azure Active Directory environment Default project template for Azure Active Directory Editing Azure Active Directory system objects Azure Active Directory connector settings

Synchronizing an Azure Active Directory environment

NOTE: Synchronization of the following national cloud deployments with the Azure Active Directory connector is not supported.

  • Microsoft Cloud for US Government (L5)

  • Microsoft Cloud Germany

  • Azure Active Directory and Office 365 operated by 21Vianet in China

For more information, see https://support.oneidentity.com/KB/312379.

The One Identity Manager Service is responsible for synchronizing data between the One Identity Manager database and the Azure Active Directory tenant.

This sections explains how to:

  • Set up synchronization to import initial data from Azure Active Directory tenant to the One Identity Manager database.

  • Adjust a synchronization configuration to synchronize different Azure Active Directory tenants with the same synchronization project, for example.

  • Start and deactivate the synchronization.

  • Analyze synchronization results.

TIP: Before you set up synchronization with an Azure Active Directory tenant, familiarize yourself with the Synchronization Editor. For more information about this tool, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic

Setting up initial synchronization with an Azure Active Directory tenant

The Synchronization Editor provides a project template that can be used to set up the synchronization of user accounts and permissions for the Azure Active Directory environment. You use these project templates to create synchronization projects with which you import the data from an Azure Active Directory tenant into your One Identity Manager database. In addition, processes are created that are required to provision changes to target system objects from the One Identity Manager database into the target system.

To load Azure Active Directory tenant objects into the One Identity Manager database for the first time

  1. Ensure the Azure Active Directory tenant has a license for the SharePoint Online service.

    NOTE: If no such license is available, an error will occur when loading the Azure Active Directory user accounts. For more information, see Possible errors when synchronizing an Azure Active Directory tenant.

  2. Register an One Identity Manager application in your Azure Active Directory tenant.

    Depending on how the One Identity Manager application is registered in the Azure Active Directory tenant, either a user account with sufficient permissions or the secret key is required.

  3. The One Identity Manager components for managing Azure Active Directory tenants are available if the TargetSystem | AzureAD configuration parameter is set.

    • In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.

      NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required, are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

    • Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.

  4. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
  5. Create a synchronization project with the Synchronization Editor.
Detailed information about this topic

Registering an enterprise application for One Identity Manager in the Azure Active Directory tenant

To synchronize data between One Identity Manager and Azure Active Directory, you must register an application in the Azure Active Directory tenants. The Azure Active Directory connector uses the One Identity Manager application to authenticate itself to the Azure Active Directory tenant.

  • Register the One Identity Manager application in the Microsoft Azure portal (https://portal.azure.com/) or in the Azure Active Directory admin center (https://admin.microsoft.com/).

    NOTE: An application ID is created when you add One Identity Manager as an application to Azure Active Directory. You need the application ID for setting up the synchronization project.

    For more information about registering an application, see https://docs.microsoft.com/azure/active-directory/develop/quickstart-register-app.

  • There are two different ways to authenticate the application.

    • Authentication in the directory user context (delegated permissions)

      If you use authentication in the directory user context, you need a user account with sufficient permissions when setting up the synchronization project.

    • Authentication in the application context (application entitlements)

      If you use authentication in the context of an application, you need the value of the secret when setting up the synchronization project. The secret is generated when the One Identity Manager application is registered with the Azure Active Directory tenant.

      NOTE: The key is only valid for a limited period and must be renewed when it expires.

To configure authentication in the directory user context (delegated permissions)

  1. In the Microsoft Azure portal, select your app under App registrations.

  2. Configure the following settings under Manage > Authentication.

    1. In the Platform configurations section, click Add a platform and, under Configure platforms, select the Mobile and desktop applications tile.

      1. Under Custom redirect URIs, you can specify any URI.

      2. Click Configure.

    2. In the Supported account types section, select Accounts in this organization directory only (single tenant).

    3. In the Advanced settings section, enable the Allow public client flows option.

  3. Configure the permissions under Manage > API permissions.

    1. In the Configured permissions section, click Add a permission.

      1. Under Request API permissions > Microsoft APIs, select the tile Microsoft Graph.

      2. Select Delegated permissions and select the following permissions:

        • Directory.AccessAsUser.All (Access directory as the signed in user)

        • Directory.ReadWrite.All (Read and write directory data)

        • AuditLog.Read.All (Read all login times)

        • User.ReadWrite.All (Read and write all users’ full profile)

        • Group.ReadWrite.All (Read and write all groups)

        • openid (Sign users in)

      3. Click Add permissions.

    2. In the Configured permissions section, click Grant admin consent for ... and confirm the security prompt with Yes.

      This enables the configured permissions.

To configure authentication in the application context (application entitlements)

  1. In the Microsoft Azure portal, select your app under App registrations.

  2. Configure the following settings under Manage > Authentication.

    1. In the Platform configurations section, click Add platform, and under Configure platforms, select the Web tile.

      1. Under Redirect URIs, you can specify any URI.

      2. Click Configure.

    2. In the Supported account types section, select Accounts in this organization directory only (single tenant).

    3. In the Advanced settings section, enable the Allow public client flows option.

  3. Configure the permissions under Manage > API permissions.

    1. In the Configured Permissions section, click Add a permission.

      1. Under Request API permissions > Microsoft APIs, select the tile Microsoft Graph.

      2. Select Application entitlements and select the following permissions:

        • Application.ReadWrite.All (Read and write all applications)

        • Directory.ReadWrite.All (Read directory data)

        • Group.ReadWrite.All (Read and write all groups)

        • Policy.Read.All (Read your organization's policies)

        • RoleManagement.ReadWrite.Directory (Read and write all directory RBAC settings)

        • User.ReadWrite.All (Read and write all users’ full profile)

      3. Click Add permissions.

    2. In the Configured permissions section, click Grant admin consent for ... and confirm the security prompt with Yes.

      This enables the configured permissions.

  4. Under Manage > Certificates & secrets, create a secret or use a certificate.

    1. Using a secret:

      1. In the Client secrets section, click New client secret.
      2. Enter a description and the validity period for the secret.

      3. Click Add.

      4. The secret is generated and displayed in the Client secrets section.

    2. Using a connection certificate:

      1. You require an X.509 certificate including a private key as a *.CER or a *.PFX file.

      2. You can use a self-signed certificate. For information on how to create it, see https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-self-signed-certificate.

      3. Import the certificate (*.PFX) into the certificate store of the Job server and the administrative workstation used to set up synchronization.

        - OR -

        Open the '.CER file and copy the "Thumbprint" value from the properties. This is required in the connection dialog-

  5. In the Azure Active Directory portal, assign the user administrator role.

    1. In the Roles and Administrators section, select the User administrator role.

    2. Under Add assignments, select the application you want to assign.

    3. Click Assign.

Related topics

Users and permissions for synchronizing with Azure Active Directory

The following users play a role in synchronizing One Identity Manager with an Azure Active Directory tenant.

Table 2: Users for synchronization
User Permissions

User for accessing Azure Active Directory

or

The secret's value

Depending on how the One Identity Manager application is registered in the Azure Active Directory tenant, either a user account with sufficient permissions or the secret is required.

  • If you use authentication in the context of a directory user (delegated permissions), you require a user account that is a member in the Global administrator Azure Active Directory administration role when you set up the synchronization project.

    Use the Azure Active Directory Admin Center to assign the Azure Active Directory administrator role to the user account. For more information on managing permissions in Azure Active Directory, see the Microsoft documentation.

    NOTE: The user account used to access Azure Active Directory must not use multifactor authentication to allow automated logins in a user context.

  • If you use authentication in the context of an application (application entitlements), you need the value of the secret when you set up the synchronization project. The secret is generated when the One Identity Manager application is registered with the Azure Active Directory tenant.

    NOTE: The key is only valid for a limited period and must be renewed when it expires.

One Identity Manager Service user account

The user account for the One Identity Manager Service requires user permissions to carry out operations at file level (adding and editing directories and files).

The user account must belong to the Domain users group.

The user account must have the Login as a service extended user permissions.

The user account requires permissions for the internal web service.

NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can grant permissions for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update One Identity Manager.

In the default installation, One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)

  • %ProgramFiles%\One Identity (on 64-bit operating systems)

User for accessing the One Identity Manager database

The Synchronization default system user is provided to run synchronization using an application server.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级