立即与支持人员聊天
与支持团队交流

Identity Manager 9.2 - Administration Guide for Connecting to Azure Active Directory

Managing Azure Active Directory environments Synchronizing an Azure Active Directory environment
Setting up initial synchronization with an Azure Active Directory tenant Adjusting the synchronization configuration for Azure Active Directory environments Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing Azure Active Directory user accounts and identities Managing memberships in Azure Active Directory groups Managing Azure Active Directory administrator roles assignments Managing Azure Active Directory subscription and Azure Active Directory service plan assignments
Displaying enabled and disabled Azure Active Directory service plans forAzure Active Directory user accounts and Azure Active Directory groups Assigning Azure Active Directory subscriptions to Azure Active Directory user accounts Assigning disabled Azure Active Directory service plans to Azure Active Directory user accounts Inheriting Azure Active Directory subscriptions based on categories Inheritance of disabled Azure Active Directory service plans based on categories
Login credentials for Azure Active Directory user accounts Azure Active Directory role management Mapping Azure Active Directory objects in One Identity Manager
Azure Active Directory core directories Azure Active Directory user accounts Azure Active Directory user identities Azure Active Directory groups Azure Active Directory administrator roles Azure Active Directory administrative units Azure Active Directory subscriptions and Azure Active Directory service principals Disabled Azure Active Directory service plans Azure Active Directory app registrations and Azure Active Directory service principals Reports about Azure Active Directory objects
Handling of Azure Active Directory objects in the Web Portal Recommendations for federations Basic configuration data for managing an Azure Active Directory environment Troubleshooting Configuration parameters for managing an Azure Active Directory environment Default project template for Azure Active Directory Editing Azure Active Directory system objects Azure Active Directory connector settings

Azure Active Directory role management tenants

Azure Active Directory role management offers you a range of role management features. The scope of these features depends on the level of the Azure Active Directory license selected by the user, which is provided by the corresponding tenants.

Azure AD "Free"

This license includes basic role management functionality. Integrated roles can be used without restrictions. These roles have predefined role definitions. With this license, it is possible to add individual users to integrated roles and remove them. You can create groups.

IMPORTANT: Not included in the basic functionality are maintenance of directory roles in One Identity Manager and use of custom roles. This feature requires the Azure AD P1 license or P2 license.

IMPORTANT: Directory roles must be maintained via the Microsoft Azure Portal.

IMPORTANT: This license enables role assignment to individual users. Assigning roles to groups is only possible with the Azure AD P1 license and P2 licenses.

Azure AD Premium P1 - Role Based Access Control (RBAC)

Role-based access control is provided by the Azure Active Directory Premium P1 license. In addition to the basic features, it includes access to role definitions and role assignments. Roles can be assigned to an entire group. This allows consistent role eligibilities within a group. You can create groups.

There are two different types of partial scopes to which role-based access control can be applied.

  • Directory object limitation: Role assignments can be limited to specific objects, such as a registered application or a user, within the Azure Active Directory directory. Restricting elements of a defined administrative unit is also possible.

  • Restricting custom elements of a service: Customized roles cannot be created in One Identity Manager, only through synchronization.

IMPORTANT: This license does not include the functionality of Azure Active Directory Privileged Identity Management.

Azure AD Premium P2 - Privileged Identity Management (PIM)

In addition to the existing limitations of role-based access control, this license provides the additional functionality to restrict and control role assignments. Privileged Identity Management distinguishes between active role assignments and assignment eligibilities.

Role assignment: A principal is assigned a role.

Role eligibility: A principal has no active role assignment, but can enable a temporary role assignment if required.

Configuration of role policies, such as time limits, is possible for both assignment types. Furthermore, it is possible to create attestations for roles.

NOTE: It is not possible to create role assignments for which multi-factor authentication is mandatory.

NOTE: Due to the constraints of Microsoft GraphAPI, the role management feature in One Identity Manager in "PIM" mode only supports global directory scope for active role assignments.

Detailed information about this topic
Related topics

Enabling new Azure Active Directory role management features

The introduction of the Microsoft 365 role management makes extended features available for managing roles and their members and for limiting role assignments in Azure Active Directory parts of One Identity Manager.

New and existing synchronization projects automatically obtain the basic mode (equivalent to the Azure AD Free license of Microsoft 365) with the introduction of Azure Active Directory role management. The basic mode includes all the current features of One Identity Manager. The new role management features can be accessed by activating RBAC mode (Azure AD P1 license) and PIM mode (Azure AD P2 license). This activation is necessary for existing synchronization projects, and also when creating a new synchronization project.

NOTE: All existing Azure Active Directory features remain available in basic mode. It is only necessary to activate RBAC mode or PIM mode if you want to use extended role management features.

To enable extended role management features for RBAC

  1. In the Synchronization Editor, select the synchronization project.
  2. Select Workflows.
  3. Select the Initial Synchronization workflow and click the Enable/disable synchronization step button.
  4. Disable the DirectoryRole synchronization step.
  5. Enable the following synchronization steps.
    1. RBAC DirectoryRole
    2. RBAC DirectoryRole Assignments
  6. Save the changes.
  7. Select the Provisioning workflow and click the Enable/disable synchronization step button.
  8. Disable the DirectoryRole synchronization step.
  9. Enable the RBAC DirectoryRole Assignments synchronization step.
  10. Save the changes.
  11. In the Object Browser, select the AADOrganization table.
  12. Set the RoleBehavior value to RBAC.
  13. Save the changes.

To enable extended role management features for PIM

  1. In the Synchronization Editor, select the synchronization project.
  2. Select Workflows.
  3. Select the Initial Synchronization workflow and click the Enable/disable synchronization step button.
  4. Disable the DirectoryRole synchronization step.
  5. Enable the following synchronization steps.
    1. RBAC DirectoryRole
    2. PIM DirectoryRole Assignments
    3. PIM DirectoryRole Eligibility
    4. PIM DirectoryRole Policies
  6. Save the changes.
  7. Select the Provisioning workflow and click the Enable/disable synchronization step button.
  8. Disable the DirectoryRole synchronization step.
  9. Enable the following synchronization steps.
    1. PIM DirectoryRole Assignments
    2. PIM DirectoryRole Eligibility
  10. Save the changes.
  11. In the Object Browser, select the AADOrganization table.
  12. Set the RoleBehavior value to PIM.
  13. Save the changes.
Detailed information about this topic

Related topics

Azure Active Directory role main data

You are provided with the following general main data of a role.

Table 23: General main data

Property

Description

Display name

Name for displaying the role in the user interface of One Identity Manager tools.

Tenant

The role's Azure Active Directory tenant.

Owner (application role)

Application whose members can approve role assignment and role eligibilities.

Provider

Interface responsible for managing the role.

Version

Specifies the version of the role definition.

Description

Text field for additional explanation.

Built-in

Specifies whether the role definition is part of the Azure Active Directory basic settings or a customized definition.

Enabled

Specifies whether the role is available for assignment.

Related topics

Adding Azure Active Directory role assignments

Role management allows you to make additional role assignments for roles in Azure Active Directory partial scopes.

To assign a role assignment to a role

  1. In Manager, select the category Azure Active Directory > Roles.
  2. Select the role in the result list.
  3. Select the Add or remove role assignments task.
  4. Click Add and enter the following information.
    • Principal: The main principal whose accesses are to be assigned such as a group or single user.
    • Application scope: The application scope for which the principal should be given access. - OR -
      Directory scope: The directory scope for which the principal should be given access.
    • Specify whether this assignment is a Direct assignment.

      NOTES: The Indirect assignment and Assignment request options are set by processes and cannot be set manually.

    • Request procedure: References the request procedure that results in the assignment.

      NOTE: The request procedure is set by processes and cannot be set manually.

Related topics
相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级