Identity Manager 9.3 - Administration Guide for Connecting to Microsoft Entra ID

Assigning Microsoft Entra ID security attributes to user accounts

To assign a security attribute to a user account

  1. In the Manager, select the Microsoft Entra ID > User accounts category.

  2. Select the user account in the result list.

  3. Select the Assign security attributes task.

  4. Click Add and enter the following information:

    • Microsoft Entra ID security attribute: In the result list, select the Microsoft Entra ID security attribute.

    • Value(s): Specify whether the value is true or false.

    TIP: In the Remove section, remove the assignment of security attributes.

    To remove an assignment

    • Select the security attribute and click Remove.

  5. Save the changes.

Assigning Microsoft Entra ID security attributes to service principals

To assign a security attribute to a service principal

  1. In the Manager, select the Microsoft Entra ID > Service principals category.

  2. In the result list, select the service principal.

  3. Select the Assign security attributes task.

  4. Click Add and enter the following information:

    • Microsoft Entra ID security attribute: In the result list, select the Microsoft Entra ID security attribute.

    • Value(s): Specify whether the value is true or false.

    TIP: In the Remove section, remove the assignment of security attributes.

    To remove an assignment

    • Select the security attribute and click Remove.

  5. Save the changes.

Handling of Microsoft Entra ID objects in the Web Portal

One Identity Manager enables its users to perform various tasks simply using a Web Portal.

  • Managing user accounts and identities

    An account definition can be requested by shop customers in the Web Portal if it is assigned to an IT Shop shelf. The request undergoes a defined approval process. The user account is not created until it has been agreed by an authorized identity, such as a manager.

  • Managing assignments of groups, administrator roles, subscriptions, and disabled service plans

    NOTE: Assignment of Microsoft Entra ID role eligibilities and role assignments is disabled by default. To make these products available on an IT Shop shelf, you must enable them in the Manager. After enabling, the products are only available for user accounts with an RBAC or PIM license.

    In the Web Portal, shop customers can request groups, administrator roles, subscriptions, and disabled service plans once these products have been assigned to an IT Shop shelf. The request undergoes a defined approval process. The group, administrator role, subscription, or disabled service plan is not assigned until it has been approved by an authorized identity.

    In the IT Shop, the following shelves are available: Identity & Access Lifecycle > Microsoft Entra ID groups, Identity & Access Lifecycle > Microsoft Entra ID subscriptions, and Identity & Access Lifecycle > Disabled Microsoft Entra ID service plans.

    In the Web Portal, managers and administrators of organizations can assign groups, administrator roles, subscriptions, and disabled service plans to the departments, cost centers, or locations for which they are responsible. The groups, administrator roles, subscriptions, and disabled service plans are inherited by all identities who are members of these departments, cost centers, or locations.

    If the Business Roles Module is available, in the Web Portal, managers and administrators of business roles can assign groups, administrator roles, subscriptions, and disabled service plans to the business roles for which they are responsible. The groups, administrator roles, subscriptions, and disabled service plans are inherited by all identities who are members of these business roles.

    If the System Roles Module is available, in the Web Portal, supervisors of system roles can assign groups, administrator roles, subscriptions, and disabled service plans to the system roles. The groups, administrator roles, subscriptions, and disabled service plans are inherited by all identities that have these system roles assigned to them.

  • Attestation

    If the Attestation Module is available, the correctness of the properties of target system objects and of entitlement assignments can be verified on request. To enable this, attestation policies are configured in the Manager. The attestors use the Web Portal to approve attestation cases.

  • Governance administration

    If the Compliance Rules Module is available, you can define rules that identify invalid entitlement assignments and evaluate their risks. The rules are checked regularly and whenever changes are made to the objects in One Identity Manager. Compliance rules are defined in the Manager. Supervisors use the Web Portal to check rule violations and to grant exception approvals.

    If the Company Policies Module is available, company policies can be defined for the target system objects mapped in One Identity Manager and their risks evaluated. Company policies are defined in the Manager. Supervisors use the Web Portal to check policy violations and to grant exception approvals.

  • Risk assessment

    You can use the risk index of groups, administrator roles, and subscriptions to evaluate the risk of entitlement assignments for the company. One Identity Manager provides default calculation functions for this. The calculation functions can be modified in the Web Portal.

  • Reports and statistics

    The Web Portal provides a range of reports and statistics about the identities, user accounts, and their entitlements and risks.

For more information about these topics, see Managing Microsoft Entra ID user accounts and identities, Managing memberships in Microsoft Entra ID groups, Managing Microsoft Entra ID administrator roles assignments, and Managing Microsoft Entra ID subscription and Microsoft Entra ID service plan assignments, and refer to the following guides:

  • One Identity Manager Web Portal User Guide

  • One Identity Manager Attestation Administration Guide

  • One Identity Manager Compliance Rules Administration Guide

  • One Identity Manager Company Policies Administration Guide

  • One Identity Manager Risk Assessment Administration Guide

Recommendations for federations

NOTE: The following modules must be installed to support federations in One Identity Manager:

  • Active Directory Module

  • Microsoft Entra ID Module

In a federation, the local Active Directory user accounts are connected to Microsoft Entra ID user accounts. The connection is established by using the ms-ds-consistencyGUID property of the Active Directory user account and the immutable identifier property of the Microsoft Entra ID user account. Synchronization of Active Directory and Microsoft Entra ID user accounts is carried out in the federation by Microsoft Entra Connect. For more information about Microsoft Entra Connect, see the Microsoft Entra ID documentation from Microsoft.

One Identity Manager maps the connection using the Active Directory user account's Microsoft Entra Connect anchor ID (ADSAccount.MSDsConsistencyGuid) and the Microsoft Entra ID user account's immutable identifier (AADUser.OnPremImmutableId).

Some of the target system relevant properties of Microsoft Entra ID user accounts that are linked to a local Active Directory user account cannot be changed in One Identity Manager. However, assigning permissions to these Microsoft Entra ID user accounts in One Identity Manager is still possible.

Assignments to Microsoft Entra ID groups that are synchronized from the local Active Directory are not allowed in One Identity Manager. These groups cannot be requested through the Web Portal. You can only manage these groups in your local Active Directory. For more information, see the Microsoft Entra ID documentation from Microsoft.

One Identity Manager supports the following scenarios for federations.

Scenario 1
  1. Active Directory user accounts are created in One Identity Manager and provisioned to the local Active Directory environment.

  2. Microsoft Entra Connect creates the Microsoft Entra ID user accounts in the Microsoft Entra ID tenant.

  3. Microsoft Entra ID synchronization loads the Microsoft Entra ID user accounts into One Identity Manager.

This is the recommended procedure. Creating a Microsoft Entra ID user account via Microsoft Entra Connect and then importing it into One Identity Manager usually takes some time. Microsoft Entra ID user accounts are not immediately available in One Identity Manager.

Scenario 2
  1. Active Directory user accounts and Microsoft Entra ID user accounts are created in One Identity Manager.

    In this case, the connection is established by using the ADSAccount.MSDsConsistencyGuid and AADUser.OnPremImmutableId columns. This can be done using custom scripts or custom templates.

  2. Active Directory and Microsoft Entra ID user accounts are provisioned independently in their own target systems.

  3. Microsoft Entra Connect detects the connection between the user accounts, establishes the connection in the federation and updates the required properties.

  4. The next Microsoft Entra ID synchronization updates the Microsoft Entra ID user accounts in One Identity Manager.

With this scenario, the Microsoft Entra ID user accounts are immediately available in One Identity Manager and can be issued their permissions.
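Scenario 2 leaves the population of ADSAccount.MSDsConsistencyGuid and AADUser.OnPremImmutableId to custom scripts or templates. The following Python is an added example, not part of this guide or of One Identity Manager; it shows how the two values relate and how to check that a pair of accounts is linked consistently before Microsoft Entra Connect processes them. It assumes what Microsoft Entra Connect does: the immutable identifier is the Base64 encoding of the GUID's 16 bytes in .NET Guid.ToByteArray() order (UUID.bytes_le in Python).

```python
import base64
import uuid

# Added example, not product code: the immutable identifier written to the
# Microsoft Entra ID user is the Base64 encoding of the 16-byte
# ms-DS-ConsistencyGuid in .NET Guid.ToByteArray() order (mixed-endian).
# Python's UUID.bytes_le produces exactly that byte order.

def consistency_guid_to_immutable_id(guid_text: str) -> str:
    """Derive the value expected in AADUser.OnPremImmutableId from the GUID
    stored in ADSAccount.MSDsConsistencyGuid (given here in string form)."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")

def immutable_id_to_consistency_guid(immutable_id: str) -> str:
    """Reverse mapping: recover the GUID string from an OnPremImmutableId.
    Raises ValueError for values that are not Base64 or not 16 bytes long."""
    raw = base64.b64decode(immutable_id, validate=True)  # binascii.Error is a ValueError
    if len(raw) != 16:
        raise ValueError("OnPremImmutableId does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))

def link_is_consistent(ad_consistency_guid: str, entra_immutable_id: str) -> bool:
    """True only when the AD account and the Entra ID user point at each other.
    A malformed value on either side counts as an inconsistent link rather
    than an exception, so the check can run over a whole batch of accounts."""
    try:
        expected = str(uuid.UUID(ad_consistency_guid))
        return immutable_id_to_consistency_guid(entra_immutable_id) == expected
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample pair; not data from any real tenant or directory.
    ad_guid = "01020304-0506-0708-090a-0b0c0d0e0f10"
    immutable_id = consistency_guid_to_immutable_id(ad_guid)
    print(immutable_id)  # → BAMCAQYFCAcJCgsMDQ4PEA==
    print(link_is_consistent(ad_guid, immutable_id))  # → True
```

Note the byte order: encoding the GUID's canonical big-endian bytes instead of bytes_le yields a different string, and Microsoft Entra Connect will then not match the accounts.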

NOTE:

  • If you work with account definitions, it is recommended you enter the account definition for Active Directory as a required account definition in the account definition for Microsoft Entra ID.

  • If you work with account definitions, it is recommended you select the Only initially value for the IT operating data overwrites property in the manage level. The IT operating data is then only determined when the user account is initially created.

  • Do not post-process Microsoft Entra ID user accounts using templates because certain target system relevant properties cannot be edited and the following errors may occur:

    [Exception]: ServiceException occured

    Code: Request_BadRequest

    Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.

    [ServiceException]: Code: Request_BadRequest - Message: Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration.
