
One Identity Manager 8.2.

Administration Guide for Connecting to Azure Active Directory
Copyright 2022 One Identity LLC.
ALL RIGHTS RESERVED.
This guide contains proprietary information protected by copyright. The software described in this guide
is furnished under a software license or nondisclosure agreement. This software may be used or copied
only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced
or transmitted in any form or by any means, electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser’s personal use without the written permission of
One Identity LLC.
The information in this document is provided in connection with One Identity products. No license,
express or implied, by estoppel or otherwise, to any intellectual property right is granted by this
document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE
TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT,
ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR
STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-
INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT,
CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT
LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF
INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF
ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes no
representations or warranties with respect to the accuracy or completeness of the contents of this
document and reserves the right to make changes to specifications and product descriptions at any
time without notice. One Identity does not make any commitment to update the information
contained in this document.
If you have any questions regarding your potential use of this material, contact:
One Identity LLC.
Attn: LEGAL Dept
4 Polaris Way
Aliso Viejo, CA 92656
Refer to our Web site (http://www.OneIdentity.com) for regional and international office information.
Patents
One Identity is proud of our advanced technology. Patents and pending patents may apply to this
product. For the most current information about applicable patents for this product, please visit our
website at http://www.OneIdentity.com/legal/patents.aspx.
Trademarks
One Identity and the One Identity logo are trademarks and registered trademarks of One Identity
LLC. in the U.S.A. and other countries. For a complete list of One Identity trademarks, please visit
our website at www.OneIdentity.com/legal. All other trademarks are the property of their
respective owners.
Legend

WARNING: A WARNING icon highlights a potential risk of bodily injury or property damage, for which industry-standard safety precautions are advised. This icon is often associated with electrical hazards related to hardware.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

One Identity Manager Administration Guide for Connecting to Azure Active Directory
Updated - 03 June 2022, 00:21
Version - 8.2.1
Contents

Managing Azure Active Directory environments 10


Architecture overview 10
One Identity Manager users for managing an Azure Active Directory environment 11
Configuration parameters for managing Azure Active Directory environments 13

Synchronizing an Azure Active Directory environment 15


Setting up initial synchronization with an Azure Active Directory tenant 16
Registering an enterprise application for One Identity Manager in the Azure Active Directory tenant 17
Users and permissions for synchronizing with Azure Active Directory 20
Setting up the Azure Active Directory synchronization server 21
System requirements for the Azure Active Directory synchronization server 21
Installing One Identity Manager Service with an Azure Active Directory connector 22
Creating a synchronization project for initial synchronization of an Azure Active Directory tenant 25
Information required for Azure Active Directory synchronization projects 25
Creating an initial synchronization project for an Azure Active Directory tenant 26
Configuring the synchronization log 29
Adjusting the synchronization configuration for Azure Active Directory environments 30
Configuring synchronization with Azure Active Directory tenants 31
Configuring synchronization of different Azure Active Directory tenants 32
Customizing synchronization projects to invite guest users 32
Supporting custom Azure Active Directory extensions 33
Changing system connection settings of Azure Active Directory tenants 34
Editing connection parameters in the variable set 35
Editing target system connection properties 36
Updating schemas 36
Speeding up synchronization 37
Configuring the provisioning of memberships 42
Configuring single object synchronization 44
Accelerating provisioning and single object synchronization 45
Running synchronization 46

One Identity Manager 8.2.1 Administration Guide for Connecting to Azure Active Directory 3
Starting synchronization 46
Deactivating synchronization 47
Displaying synchronization results 48
Synchronizing single objects 49
Tasks following synchronization 50
Post-processing outstanding objects 50
Adding custom tables to the target system synchronization 52
Managing Azure Active Directory user accounts through account definitions 52
Troubleshooting 53
Ignoring data error in synchronization 54

Managing Azure Active Directory user accounts and employees 55


Account definitions for Azure Active Directory user accounts 56
Creating account definitions 57
Editing account definitions 58
Main data for an account definition 58
Editing manage levels 62
Creating manage levels 63
Assigning manage levels to account definitions 64
Main data for manage levels 64
Creating mapping rules for IT operating data 65
Entering IT operating data 66
Modify IT operating data 68
Assigning account definitions to employees 68
Assigning account definitions to departments, cost centers, and locations 70
Assigning account definitions to business roles 70
Assigning account definitions to all employees 71
Assigning account definitions directly to employees 72
Assigning account definitions to system roles 72
Adding account definitions in the IT Shop 73
Assigning account definitions to Azure Active Directory tenants 75
Deleting account definitions 76
Assigning employees automatically to Azure Active Directory user accounts 78
Editing search criteria for automatic employee assignment 80
Finding employees and directly assigning them to user accounts 81
Changing manage levels for Azure Active Directory user accounts 83

Supported user account types 83
Default user accounts 85
Administrative user accounts 86
Providing administrative user accounts for one employee 86
Providing administrative user accounts for several employees 87
Privileged user accounts 88
Updating employees when Azure Active Directory user accounts are modified 90
Specifying deferred deletion for Azure Active Directory user accounts 91

Managing memberships in Azure Active Directory groups 93


Assigning Azure Active Directory groups to Azure Active Directory user accounts 93
Prerequisites for indirect assignment of Azure Active Directory groups to Azure Active Directory user accounts 95
Assigning Azure Active Directory groups to departments, cost centers and locations 96
Assigning Azure Active Directory groups to business roles 97
Adding Azure Active Directory groups to system roles 98
Adding Azure Active Directory groups to the IT Shop 99
Adding Azure Active Directory groups automatically to the IT Shop 101
Assigning Azure Active Directory user accounts directly to Azure Active Directory groups 103
Assigning Azure Active Directory groups directly to Azure Active Directory user accounts 104
Effectiveness of group memberships 104
Azure Active Directory group inheritance based on categories 107
Overview of all assignments 109

Managing Azure Active Directory administrator roles assignments 111


Assigning Azure Active Directory administrator roles to Azure Active Directory user accounts 111
Prerequisites for indirect assignment of Azure Active Directory administration roles to Azure Active Directory user accounts 113
Assigning Azure Active Directory administrator roles to departments, cost centers, and locations 114
Assigning Azure Active Directory administrator roles to business roles 115
Adding Azure Active Directory administrator roles to system roles 116
Adding Azure Active Directory administrator roles in the IT Shop 117
Assigning Azure Active Directory user accounts directly to Azure Active Directory administrator roles 119
Assigning Azure Active Directory administrator roles directly to Azure Active Directory user accounts 120
Azure Active Directory administrator role inheritance based on categories 120

Managing Azure Active Directory subscription and Azure Active Directory service plan assignments 122

Displaying enabled and disabled Azure Active Directory service plans for Azure Active Directory user accounts and Azure Active Directory groups 126
Assigning Azure Active Directory subscriptions to Azure Active Directory user accounts 128
Prerequisites for indirect assignment of Azure Active Directory subscriptions to Azure Active Directory user accounts 129
Assigning Azure Active Directory subscriptions to departments, cost centers, and locations 130
Assigning Azure Active Directory subscriptions to business roles 132
Adding Azure Active Directory subscriptions to system roles 133
Adding Azure Active Directory subscriptions to the IT Shop 134
Adding Azure Active Directory subscriptions automatically to the IT Shop 136
Assigning Azure Active Directory user accounts directly to Azure Active Directory subscriptions 138
Assigning Azure Active Directory subscriptions directly to Azure Active Directory user accounts 139
Assigning disabled Azure Active Directory service plans to Azure Active Directory user accounts 140
Prerequisites for indirect assignment of disabled Azure Active Directory service plans to Azure Active Directory user accounts 142
Assigning disabled Azure Active Directory service plans directly to departments, cost centers, and locations 143
Assigning disabled Azure Active Directory service plans to business roles 144
Adding disabled Azure Active Directory service plans to system roles 145
Adding disabled Azure Active Directory service plans to the IT Shop 146
Adding disabled Azure Active Directory service plans automatically to the IT Shop 148
Assigning Azure Active Directory user accounts directly to disabled Azure Active Directory service plans 149
Assigning disabled Azure Active Directory service plans directly to Azure Active Directory user accounts 150
Inheriting Azure Active Directory subscriptions based on categories 151
Inheritance of disabled Azure Active Directory service plans based on categories 152

Login information for Azure Active Directory user accounts 153

Password policies for Azure Active Directory user accounts 153
Predefined password policies 154
Using password policies 155
Creating password policies 156
Editing password policies 157
General main data of password policies 158
Policy settings 158
Character classes for passwords 159
Custom scripts for password requirements 161
Checking passwords with a script 161
Generating passwords with a script 163
Password exclusion list 164
Checking passwords 164
Testing password generation 165
Initial password for new Azure Active Directory user accounts 165
Email notifications about login data 165

Mapping of Azure Active Directory objects in One Identity Manager 167


Azure Active Directory core directories 167
Azure Active Directory tenant 168
General main data of Azure Active Directory tenants 169
Information about local Active Directory 170
Defining categories for the inheritance of entitlements 171
Editing the synchronization project for an Azure Active Directory tenant 172
Azure Active Directory domains 172
Azure Active Directory policies for activity-based timeouts 173
Azure Active Directory policies for home realm discovery 174
Azure Active Directory policies for issuing tokens 174
Azure Active Directory policies for token lifetime 175
Azure Active Directory user accounts 176
Creating and editing Azure Active Directory user accounts 177
General main data of Azure Active Directory user accounts 178
Contact data for Azure Active Directory user accounts 184
Information about the user profile for Azure Active Directory user accounts 185
Organizational data for Azure Active Directory user accounts 185
Information about the local Active Directory user account 186

Assigning extended properties to Azure Active Directory user accounts 187
Disabling Azure Active Directory user accounts 188
Deleting and restoring Azure Active Directory user accounts 189
Displaying the Azure Active Directory user account overview 190
Displaying Active Directory user accounts for Azure Active Directory user accounts 190
Azure Active Directory groups 191
Editing main data of Azure Active Directory groups 192
General main data of Azure Active Directory groups 193
Information about local Active Directory groups 194
Adding Azure Active Directory groups to Azure Active Directory groups 195
Assigning owners to Azure Active Directory groups 196
Assigning extended properties to Azure Active Directory groups 196
Deleting Azure Active Directory groups 197
Displaying the Azure Active Directory group overview 197
Displaying Active Directory groups for Azure Active Directory groups 198
Azure Active Directory administrator roles 198
Editing main data of Azure Active Directory administrator roles 199
Assigning extended properties to Azure Active Directory administrator roles 200
Displaying the Azure Active Directory administration role overview 201
Azure Active Directory subscriptions and Azure Active Directory service principals 201
Editing Azure Active Directory subscription main data 202
Assigning additional properties to Azure Active Directory subscriptions 203
Displaying the Azure Active Directory subscriptions and service plan overview 204
Disabled Azure Active Directory service plans 204
Editing main data of disabled Azure Active Directory service plans 205
Assigning extended properties to disabled Azure Active Directory service plans 206
Displaying the disabled Azure Active Directory service plan overview 206
Azure Active Directory applications and Azure Active Directory service principals 207
Displaying information about Azure Active Directory applications 207
Assigning owners to Azure Active Directory applications 208
Displaying Azure Active Directory applications 209
Displaying information about Azure Active Directory service principals 210
Assigning owner to Azure Active Directory service principals 211
Editing authorizations for Azure Active Directory service principals 212
Displaying Azure Active Directory service principal main data 213

Reports about Azure Active Directory objects 215

Handling of Azure Active Directory objects in the Web Portal 218

Recommendations for federations 220

Basic configuration data for managing an Azure Active Directory environment 223
Target system managers for Azure Active Directory 224
Job server for Azure Active Directory-specific process handling 226
General main data of Job servers 227
Specifying server functions 229

Appendix: Troubleshooting 231


Possible errors when synchronizing an Azure Active Directory tenant 231

Appendix: Configuration parameters for managing an Azure Active Directory environment 233

Appendix: Default project template for Azure Active Directory 237

Appendix: Editing Azure Active Directory system objects 239

Appendix: Azure Active Directory connector settings 241

About us 243
Contacting us 243
Technical support resources 243

Index 244

1 Managing Azure Active Directory environments

One Identity Manager offers simplified user account administration for Azure Active
Directory. One Identity Manager concentrates on setting up and editing user accounts and
providing the required permissions. To equip users with the required permissions, One
Identity Manager maps subscriptions, service plans, groups, and administration roles. This
makes it possible to use Identity and Access Governance processes, including attestation,
Identity Audit, user account management and system entitlements, IT Shop, or report
subscriptions for Azure Active Directory tenants.
One Identity Manager provides company employees with the user accounts they require and lets you use different mechanisms for connecting employees to their user accounts. You can also manage user accounts independently of employees and therefore set up administrator user accounts.
Additional information about the Azure Active Directory core directory, such as tenants and
verified domains, is loaded into the One Identity Manager database by data
synchronization. There are limited options for customizing this information in One Identity
Manager due to the complex dependencies and far-reaching effects of any changes.
For more information about the Azure Active Directory structure, see the Azure Active
Directory documentation from Microsoft.
NOTE: The Azure Active Directory Module must be installed as a prerequisite for managing Azure Active Directory in One Identity Manager. For more information about installing, see the One Identity Manager Installation Guide.

Architecture overview
To access Azure Active Directory tenant data, the Azure Active Directory connector is
installed on a synchronization server. The synchronization server ensures data is
compared between the One Identity Manager database and Azure Active Directory. The
Azure Active Directory connector uses the Microsoft Graph API for accessing Azure Active
Directory data.
The Azure Active Directory connector must authenticate itself on the Azure Active Directory tenant to access Azure Active Directory tenant data. Authentication is carried out by an application for One Identity Manager that is integrated in the Azure Active Directory tenant and equipped with the respective access permissions.

Figure 1: Architecture for synchronization

One Identity Manager users for managing an Azure Active Directory environment
The following users are involved in the administration of Azure Active Directory.

Table 1: Users

User: Target system administrators
Tasks: Target system administrators must be assigned to the Target systems | Administrators application role.
Users with this application role:
- Administer application roles for individual target system types.
- Specify the target system manager.
- Set up other application roles for target system managers if required.
- Specify which application roles for target system managers are mutually exclusive.
- Authorize other employees to be target system administrators.
- Do not assume any administrative tasks within the target system.

User: Target system managers
Tasks: Target system managers must be assigned to the Target systems | Azure Active Directory application role or a child application role.
Users with this application role:
- Assume administrative tasks for the target system.
- Create, change, or delete target system objects.
- Edit password policies for the target system.
- Prepare groups to add to the IT Shop.
- Can add employees who have another identity than the Primary identity.
- Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
- Edit the synchronization's target system types and outstanding objects.
- Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

User: One Identity Manager administrators
Tasks: One Identity Manager administrator and administrative system users. Administrative system users are not added to application roles.
One Identity Manager administrators:
- Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.
- Create system users and permissions groups for non role-based login to administration tools in the Designer as required.
- Enable or disable additional configuration parameters in the Designer as required.
- Create custom processes in the Designer as required.
- Create and configure schedules as required.
- Create and configure password policies as required.

User: Administrators for the IT Shop
Tasks: Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.
Users with this application role:
- Assign groups to IT Shop structures.

User: Product owners for the IT Shop
Tasks: Product owners must be assigned to the Request & Fulfillment | IT Shop | Product owners application role or a child application role.
Users with this application role:
- Approve through requests.
- Edit service items and service categories under their management.

User: Administrators for organizations
Tasks: Administrators must be assigned to the Identity Management | Organizations | Administrators application role.
Users with this application role:
- Assign groups to departments, cost centers, and locations.

User: Business roles administrators
Tasks: Administrators must be assigned to the Identity Management | Business roles | Administrators application role.
Users with this application role:
- Assign groups to business roles.
Configuration parameters for managing Azure Active Directory environments
Use configuration parameters to configure the behavior of the system's basic settings. One
Identity Manager provides default settings for different configuration parameters. Check
the configuration parameters and modify them as necessary to suit your requirements.
Configuration parameters are defined in the One Identity Manager modules. Each One
Identity Manager module can also install configuration parameters. In the Designer, you
can find an overview of all configuration parameters in the Base data > General >
Configuration parameters category.
For more information, see Configuration parameters for managing an Azure Active
Directory environment on page 233.

2 Synchronizing an Azure Active Directory environment

NOTE: Synchronization of the following national cloud deployments with the Azure Active Directory connector is not supported.
- Microsoft Cloud for US Government (L5)
- Microsoft Cloud Germany
- Azure Active Directory and Office 365 operated by 21Vianet in China
For more information, see https://support.oneidentity.com/KB/312379.


The One Identity Manager Service is responsible for synchronizing data between the One Identity Manager database and the Azure Active Directory tenant.
This section explains how to:
- Set up synchronization to import initial data from an Azure Active Directory tenant to the One Identity Manager database.
- Adjust a synchronization configuration, for example, to synchronize different Azure Active Directory tenants with the same synchronization project.
- Start and deactivate the synchronization.
- Analyze synchronization results.

TIP: Before you set up synchronization with an Azure Active Directory tenant, familiarize yourself with the Synchronization Editor. For more information about this tool, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic
- Setting up initial synchronization with an Azure Active Directory tenant on page 16
- Adjusting the synchronization configuration for Azure Active Directory environments on page 30
- Running synchronization on page 46
- Tasks following synchronization on page 50
- Troubleshooting on page 53
- Editing Azure Active Directory system objects on page 239

Setting up initial synchronization with an Azure Active Directory tenant
The Synchronization Editor provides a project template that can be used to set up the
synchronization of user accounts and permissions for the Azure Active Directory
environment. You use these project templates to create synchronization projects with
which you import the data from an Azure Active Directory tenant into your One Identity
Manager database. In addition, the required processes are created that are used for the
provisioning of changes to target system objects from the One Identity Manager database
into the target system.

To load Azure Active Directory tenant objects into the One Identity Manager database for the first time

1. Ensure the Azure Active Directory tenant has a license for the SharePoint Online service.
   NOTE: If no such license is available, an error will occur when loading the Azure Active Directory user accounts. For more information, see Possible errors when synchronizing an Azure Active Directory tenant on page 231.
2. Register a One Identity Manager application in your Azure Active Directory tenant.
   Depending on how the One Identity Manager application is registered in the Azure Active Directory tenant, either a user account with sufficient permissions or the secret key is required.
3. The One Identity Manager components for managing Azure Active Directory tenants are available if the TargetSystem | AzureAD configuration parameter is set.
   - In the Designer, check if the configuration parameter is set. Otherwise, set the configuration parameter and compile the database.
     NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor-relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
   - Other configuration parameters are installed when the module is installed. Check the configuration parameters and modify them as necessary to suit your requirements.
4. Install and configure a synchronization server and declare the server as a Job server in One Identity Manager.
5. Create a synchronization project with the Synchronization Editor.

Detailed information about this topic
- Registering an enterprise application for One Identity Manager in the Azure Active Directory tenant on page 17
- Users and permissions for synchronizing with Azure Active Directory on page 20
- Setting up the Azure Active Directory synchronization server on page 21
- Creating a synchronization project for initial synchronization of an Azure Active Directory tenant on page 25
- Customizing synchronization projects to invite guest users on page 32
- Configuration parameters for managing an Azure Active Directory environment on page 233
- Default project template for Azure Active Directory on page 237

Registering an enterprise application for One Identity Manager in the Azure Active Directory tenant
To synchronize data between One Identity Manager and Azure Active Directory, you must register an application in the Azure Active Directory tenant. The Azure Active Directory connector uses the One Identity Manager application to authenticate itself to the Azure Active Directory tenant.

- Register the One Identity Manager application in the Microsoft Azure portal (https://portal.azure.com/) or in the Azure Active Directory admin center (https://admin.microsoft.com/).
  NOTE: An application ID is created when you add One Identity Manager as an application to Azure Active Directory. You need the application ID for setting up the synchronization project.
  For more information about registering an application, see https://docs.microsoft.com/de-de/azure/active-directory/develop/quickstart-register-app.
- There are two different ways to authenticate the application.
  - Authentication in the directory user context (delegated permissions)
    Authentication in the context of a directory user is recommended, as this is the only way to reset user passwords.
    If you use authentication in the directory user context, you need a user account with sufficient permissions when setting up the synchronization project.
  - Authentication in the application context (application permissions)
    If you use authentication in the context of an application, you need the value of the secret when setting up the synchronization project. The secret is generated when the One Identity Manager application is registered with the Azure Active Directory tenant.
    NOTE: The key is only valid for a limited period and must be renewed when it expires.

To configure authentication in the directory user context (delegated permissions)

1. In the Microsoft Azure portal, select your app under App registrations.
2. Configure the following settings under Manage > Authentication.
   a. In the Platform configurations section, click Add a platform and, under Configure platforms, select the Mobile and desktop applications tile.
      i. Under Custom redirect URIs, you can specify any URI.
      ii. Click Configure.
   b. In the Supported account types section, select Accounts in this organization directory only (single tenant).
   c. In the Advanced settings section, enable the Allow public client flows option.
3. Configure the permissions under Manage > API permissions.
   a. In the Configured permissions section, click Add a permission.
      i. Under Request API permissions > Microsoft APIs, select the Microsoft Graph tile.
      ii. Select Delegated permissions and select the following permissions:
          - Directory.AccessAsUser.All (Access directory as the signed in user)
          - Directory.ReadWrite.All (Read and write directory data)
          - User.ReadWrite.All (Read and write all users' full profile)
          - Group.ReadWrite.All (Read and write all groups)
          - openid (Sign users in)
      iii. Click Add permissions.
   b. In the Configured permissions section, click Grant admin consent for ... and confirm the security prompt with Yes.
      This enables the configured permissions.

To configure authentication in the application context (application permissions)

1. In the Microsoft Azure portal, select your app under App registrations.
2. Configure the following settings under Manage > Authentication.
a. In the Platform configurations section, click Add a platform, and under
Configure platforms, select the Web tile.
i. Under Redirect URIs, you can specify any URI.
ii. Click Configure.
b. In the Supported account types section, select Accounts in this
organization directory only (single tenant).
c. In the Advanced settings section, enable the Allow public client
flows option.
3. Configure the permissions under Manage > API permissions.
a. In the Configured Permissions section, click Add a permission.
i. Under Request API permissions > Microsoft APIs, select the tile
Microsoft Graph.
ii. Select Application permissions and select the following permissions:
l Application.ReadWrite.All (Read and write all applications)
l Directory.ReadWrite.All (Read directory data)
l Group.ReadWrite.All (Read and write all groups)
l Policy.Read.All (Read your organization's policies)
l RoleManagement.ReadWrite.Directory (Read and write all
directory RBAC settings)
l User.ReadWrite.All (Read and write all users’ full profile)
iii. Click Add permissions.
b. In the Configured permissions section, click Grant admin consent for ...
and confirm the security prompt with Yes.
This enables the configured permissions.
4. Create a secret under Manage > Certificates & secrets.
a. In the Client secrets section, click New client secret.
i. Enter a description and the validity period for the secret.
ii. Click Add.
b. The secret is generated and displayed in the Client secrets section.
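The two registration modes above map onto two different OAuth 2.0 grants at the Azure AD token endpoint, and the application-context mode depends on a secret with a fixed lifetime. The following is an added example, not code from the guide or from One Identity Manager; it builds (but does not send) the token request for each mode and flags client secrets that are expired or about to expire. All tenant, application and secret values are constructed placeholders.

```python
"""Added example, not code from the guide or One Identity Manager.

Shows what each registration mode sends to the Azure AD token endpoint, and how
to watch the client secrets of the registration for expiry.
"""
from datetime import datetime, timezone

# Authority and Graph endpoints for the two deployments the guide offers.
# "usgov_l4" (Microsoft Cloud for US Government, L4) uses the .us endpoints.
CLOUDS = {
    "global": ("https://login.microsoftonline.com", "https://graph.microsoft.com"),
    "usgov_l4": ("https://login.microsoftonline.us", "https://graph.microsoft.us"),
}


def build_token_request(mode, tenant, app_id, cloud="global", **cred):
    """Return (url, form_body) for the OAuth 2.0 grant behind each mode.

    "delegated": mobile/desktop registration with public client flows enabled
        -> resource owner password credentials grant (username + password).
        The account must not require MFA, as the guide notes: this grant has
        no way to complete an MFA challenge.
    "application": web registration -> client credentials grant with the secret.
    The scope is Graph's /.default, i.e. the permissions given admin consent.
    """
    login, graph = CLOUDS[cloud]
    url = f"{login}/{tenant}/oauth2/v2.0/token"
    body = {"client_id": app_id, "scope": f"{graph}/.default"}
    if mode == "delegated":
        body.update(grant_type="password",
                    username=cred["username"], password=cred["password"])
    elif mode == "application":
        body.update(grant_type="client_credentials", client_secret=cred["secret"])
    else:
        raise ValueError(f"unknown mode: {mode!r}")
    return url, body


def expiring_secrets(password_credentials, now, warn_days=30):
    """List (displayName, days_left) for secrets expired or expiring within warn_days.

    password_credentials has the shape of the 'passwordCredentials' list on a
    Graph 'application' resource: keyId, displayName, endDateTime (ISO 8601, UTC).
    """
    flagged = []
    for cred in password_credentials:
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))
        days_left = (end - now).days
        if days_left <= warn_days:
            flagged.append((cred["displayName"], days_left))
    return flagged


# Constructed sample: three secrets as Graph would list them (placeholder ids).
SAMPLE_CREDENTIALS = [
    {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "oneim-sync-2021",
     "endDateTime": "2022-01-01T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "oneim-sync-2022",
     "endDateTime": "2022-06-15T00:00:00Z"},
    {"keyId": "33333333-3333-3333-3333-333333333333", "displayName": "oneim-sync-next",
     "endDateTime": "2023-06-01T00:00:00Z"},
]
# Constructed "current time" so the sample gives a stable result.
REFERENCE_NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, days in expiring_secrets(SAMPLE_CREDENTIALS, REFERENCE_NOW):
        state = "EXPIRED" if days < 0 else f"expires in {days} days"
        print(f"{name}: {state}; renew it and update the synchronization project")
    url, body = build_token_request("application", "contoso.onmicrosoft.com",
                                    "00000000-0000-0000-0000-00000000c0de",
                                    secret="<client secret placeholder>")
    print(url, body["grant_type"])
```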

Related topics

l Users and permissions for synchronizing with Azure Active Directory on page 20
l Creating a synchronization project for initial synchronization of an Azure Active
Directory tenant on page 25

Users and permissions for synchronizing with Azure Active Directory
The following users are involved in synchronizing One Identity Manager with an Azure
Active Directory tenant.

Table 2: Users for synchronization

User: User for accessing Azure Active Directory, or the secret's value
Permissions:
Depending on how the One Identity Manager application is registered in
the Azure Active Directory tenant, either a user account with sufficient
permissions or the secret is required.
l If you use authentication in the context of a directory user
(delegated permissions), you require a user account that is a
member in the Global administrator Azure Active Directory
administration role when you set up the synchronization project.
Use the Azure Active Directory Admin Center to assign the Azure
Active Directory administrator role to the user account. For more
information on managing permissions in Azure Active Directory, see
the Microsoft documentation.
NOTE: The user account used to access Azure Active Directory
must not use multifactor authentication to allow automated logins
in a user context.
l If you use authentication in the context of an application (application
permissions), you need the value of the secret when you set up the
synchronization project. The secret is generated when the One
Identity Manager application is registered with the Azure Active
Directory tenant.
NOTE: The key is only valid for a limited period and must be
renewed when it expires.

User: One Identity Manager Service user account
Permissions:
The user account for the One Identity Manager Service requires user
permissions to carry out operations at file level (adding and editing
directories and files).
The user account must belong to the Domain users group.
The user account must have the Login as a service extended user
permissions.
The user account requires permissions for the internal web service.
NOTE: If the One Identity Manager Service runs under the network
service (NT Authority\NetworkService), you can grant permissions
for the internal web service with the following command line call:
netsh http add urlacl url=http://<IP address>:<port number>/
user="NT AUTHORITY\NETWORKSERVICE"
The user account needs full access to the One Identity Manager Service
installation directory in order to automatically update One Identity
Manager.
In the default installation, One Identity Manager is installed under:
l %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)
l %ProgramFiles%\One Identity (on 64-bit operating systems)

User: User for accessing the One Identity Manager database
Permissions:
The Synchronization default system user is provided to run
synchronization using an application server.

Related topics

l Registering an enterprise application for One Identity Manager in the Azure Active
Directory tenant on page 17

Setting up the Azure Active Directory synchronization server
All One Identity Manager Service actions are run against the target system environment on
the synchronization server. Data entries required for synchronization and administration
with the One Identity Manager database are processed by the synchronization server.
The One Identity Manager Service with the Azure Active Directory connector must be
installed on the synchronization server.

Detailed information about this topic

l System requirements for the Azure Active Directory synchronization server on
page 21
l Installing One Identity Manager Service with an Azure Active Directory
connector on page 22

System requirements for the Azure Active Directory synchronization server
To set up synchronization with an Azure Active Directory tenant, a server must be available
with the following software installed on it:

l Windows operating system
The following versions are supported:
l Windows Server 2022
l Windows Server 2019
l Windows Server 2016
l Windows Server 2012 R2
l Windows Server 2012
l Microsoft .NET Framework Version 4.7.2 or later
NOTE: Take the target system manufacturer's recommendations into account.

Installing One Identity Manager Service with an Azure Active Directory connector
The One Identity Manager Service with the Azure Active Directory connector must be
installed on the synchronization server. The synchronization server must be declared as a
Job server in One Identity Manager.

Table 3: Properties of the Job server

Property Value

Server function Azure Active Directory connector

Machine role Server | Job server | Azure Active Directory

NOTE: If several target system environments of the same type are synchronized under
the same synchronization server, it is recommended that you set up a Job server for
each target system for performance reasons. This avoids unnecessary swapping of
connections to target systems because a Job server only has to process tasks of the
same type (re-use of existing connections).
Use the Server Installer to install the One Identity Manager Service. The program runs the
following steps:

l Sets up a Job server.
l Specifies machine roles and server function for the Job server.
l Remotely installs One Identity Manager Service components corresponding to the
machine roles.
l Configures the One Identity Manager Service.
l Starts the One Identity Manager Service.

NOTE: The program performs a remote installation of the One Identity Manager Service.
Local installation of the service is not possible with this program.

To remotely install the One Identity Manager Service, you must have an
administrative workstation on which the One Identity Manager components are
installed. For detailed information about installing a workstation, see the One Identity
Manager Installation Guide.
NOTE: To generate processes for the Job server, you need the provider, connection
parameters, and the authentication data. By default, this information is determined from
the database connection data. If the Job server runs through an application server, you
must configure extra connection data in the Designer. For detailed information about
setting up Job servers, see the One Identity Manager Configuration Guide.

To remotely install and configure One Identity Manager Service on a server

1. Start the Server Installer program on your administrative workstation.

2. On the Database connection page, enter the valid connection credentials for the
One Identity Manager database.
3. On the Server properties page, specify the server on which you want to install the
One Identity Manager Service.
a. Select a Job server from the Server menu.
- OR -
To create a new Job server, click Add.
b. Enter the following data for the Job server.
l Server: Name of the Job server.
l Queue: Name of the queue to handle the process steps. Each Job server
within the network must have a unique queue identifier. The process
steps are requested by the Job queue using this exact queue name. The
queue identifier is entered in the One Identity Manager Service
configuration file.
l Full server name: Full server name in accordance with DNS syntax.
Syntax:
<Name of servers>.<Fully qualified domain name>
NOTE: You can use the Extended option to make changes to other properties
for the Job server. You can also edit the properties later with the Designer.

4. On the Machine roles page, select Azure Active Directory.
5. On the Server functions page, select Azure Active Directory connector (via
Microsoft Graph).
6. On the Service Settings page, enter the connection data and check the One Identity
Manager Service configuration.
NOTE: The initial service configuration is predefined. If further changes need to be
made to the configuration, you can do this later with the Designer. For detailed
information about configuring the service, see the One Identity Manager
Configuration Guide.

l For a direct connection to the database:
1. Select Process collection > sqlprovider.
2. Click the Connection parameter entry, then click the Edit button.
3. Enter the connection data for the One Identity Manager database.
l For a connection to the application server:
1. Select Process collection, click the Insert button and select
AppServerJobProvider.
2. Click the Connection parameter entry, then click the Edit button.
3. Enter the connection data for the application server.
4. Click the Authentication data entry and click the Edit button.
5. Select the authentication module. Depending on the authentication
module, other data may be required, such as user and password. For
detailed information about One Identity Manager authentication modules,
see the One Identity Manager Authorization and Authentication Guide.
7. To configure remote installations, click Next.
8. Confirm the security prompt with Yes.
9. On the Select installation source page, select the directory with the install files.
Change the directory if necessary.
10. If the database is encrypted, on the Select private key file page, select the file
with the private key.
11. On the Service access page, enter the service's installation data.
l Computer: Enter the name or IP address of the server that the service is
installed and started on.
l Service account: Enter the details of the user account that the One Identity
Manager Service is running under. Enter the user account, the user account's
password and password confirmation.
The service is installed using the user account with which you are logged in to
the administrative workstation. If you want to use another user account for
installing the service, you can enter it in the advanced options. You can also
change the One Identity Manager Service details, such as the installation
directory, name, display name, and the One Identity Manager Service description,
using the advanced options.
12. Click Next to start installing the service.
Installation of the service occurs automatically and may take some time.
13. Click Finish on the last page of the Server Installer.
NOTE: In a default installation, the service is entered in the server’s service
management with the name One Identity Manager Service.

Creating a synchronization project for initial
synchronization of an Azure Active
Directory tenant
Use the Synchronization Editor to configure synchronization between the One Identity
Manager database and Azure Active Directory. The following describes the steps for
initial configuration of a synchronization project. For more information about setting up
synchronization, see the One Identity Manager Target System Synchronization
Reference Guide.
After the initial configuration, you can customize and configure workflows within the
synchronization project. Use the workflow wizard in the Synchronization Editor for this.
The Synchronization Editor also provides different configuration options for a
synchronization project.

Related topics

l Information required for Azure Active Directory synchronization projects on page 25
l Creating an initial synchronization project for an Azure Active Directory tenant
on page 26
l Customizing synchronization projects to invite guest users on page 32

Information required for Azure Active Directory synchronization projects

Related topics

l Registering an enterprise application for One Identity Manager in the Azure Active
Directory tenant on page 17
l Users and permissions for synchronizing with Azure Active Directory on page 20
l Setting up the Azure Active Directory synchronization server on page 21

Creating an initial synchronization project for an
Azure Active Directory tenant
NOTE: The following sequence describes how to configure a synchronization project if the
Synchronization Editor is both:

l Run in default mode
l Started from the Launchpad

If you run the project wizard in expert mode or directly from the Synchronization Editor,
additional configuration settings can be made. Follow the project wizard instructions
through these steps.
NOTE: Only one synchronization project can be created per target system and default
project template.

To set up an initial synchronization project for an Azure Active Directory tenant

1. Start the Launchpad and log in on the One Identity Manager database.
NOTE: If synchronization is run by an application server, connect the database
through the application server.
2. Select the Target system type Azure Active Directory entry and click Start.
This starts the Synchronization Editor's project wizard.

3. On the System access page, specify how One Identity Manager can access the
target system.
l If access is possible from the workstation on which you started the
Synchronization Editor, do not change any settings.
l If access is not possible from the workstation on which you started the
Synchronization Editor, you can set up a remote connection.
Enable the Connect using remote connection server option and select the
server to be used for the connection under Job server.

4. On the Azure Active Directory tenant page, enter the following information:
l Deployment: Select your cloud deployment. Select from Microsoft Graph
global service or Microsoft Cloud for US Government (L4).
l Application ID: Enter the application ID. The application ID was generated
when registering the One Identity Manager application in the Azure Active
Directory tenant.
l Login domain: Enter the base domain or a verified domain of your Azure
Active Directory tenant.
5. On the Authentication page, select the type of login and enter the required login
data. The information required depends on how the One Identity Manager
application is registered with the Azure Active Directory tenant.
l If you have integrated One Identity Manager as a mobile device and desktop
application in your Azure Active Directory tenant, select Authenticate as
mobile device or desktop application and enter the user account and
password for logging in.
l If you have integrated One Identity Manager as a web application in your Azure
Active Directory tenant, select the option Authenticate as web application
and enter the value in the secret.
The secret was generated when the One Identity Manager application was
registered with the Azure Active Directory tenant.
6. On the last page of the system connection wizard, you can save the connection data.
l Set the Save connection locally option to save the connection data. This can
be reused when you set up other synchronization projects.
l Click Finish, to end the system connection wizard and return to the
project wizard.

7. On the One Identity Manager Connection tab, test the data for connecting to the
One Identity Manager database. The data is loaded from the connected database.
Reenter the password.
NOTE:
l If you use an unencrypted One Identity Manager database and have not yet
saved any synchronization projects to the database, you need to enter all
connection data again.
l This page is not shown if a synchronization project already exists.
8. The wizard loads the target system schema. This may take a few minutes depending
on the type of target system access and the size of the target system.

9. On the Select project template page, select the Azure Active Directory
Synchronization template.

10. On the Restrict target system access page, specify how system access should
work. You have the following options:

Table 4: Specify target system access

Option                      Meaning

                            Specifies that a synchronization workflow is only to be set
                            up for the initial loading of the target system into the One
                            Identity Manager database.
                            The synchronization workflow has the following
                            characteristics:
                            l Synchronization is in the direction of One Identity
                            Manager.
                            l Processing methods in the synchronization steps are
                            only defined for synchronization in the direction of
                            One Identity Manager.

Read/write access to        Specifies whether a provisioning workflow is set up in
target system.              addition to the synchronization workflow for the initial
Provisioning available.     loading of the target system.
                            The provisioning workflow displays the following
                            characteristics:
                            l Synchronization is in the direction of the Target
                            system.
                            l Processing methods are only defined in the
                            synchronization steps for synchronization in the
                            direction of the Target system.
                            l Synchronization steps are only created for such
                            schema classes whose schema types have write
                            access.

11. On the Synchronization server page, select the synchronization server to run the
synchronization.
If the synchronization server is not declared as a Job server in the One Identity
Manager database yet, you can add a new Job server.
a. Click to add a new Job server.
b. Enter a name for the Job server and the full server name conforming to
DNS syntax.
c. Click OK.
The synchronization server is declared as Job server for the target system in
the One Identity Manager database.
d. NOTE: After you save the synchronization project, ensure that this server is
set up as a synchronization server.

12. To close the project wizard, click Finish.
This creates and allocates a default schedule for regular synchronization. Enable the
schedule for regular synchronization.
This sets up, saves and immediately activates the synchronization project.
NOTE:
l If enabled, a consistency check is carried out. If errors occur, a message
appears. You can decide whether the synchronization project can remain
activated or not.
Check the errors before you use the synchronization project. To do this,
in the General view on the Synchronization Editor’s start page, click
Verify project.
l If you do not want the synchronization project to be activated immediately,
disable the Activate and save the new synchronization project
automatically option. In this case, save the synchronization project
manually before closing the Synchronization Editor.
l The connection data for the target system is saved in a variable set and can
be modified in the Synchronization Editor in the Configuration >
Variables category.

Related topics

l Users and permissions for synchronizing with Azure Active Directory on page 20
l Information required for Azure Active Directory synchronization projects on page 25
l Registering an enterprise application for One Identity Manager in the Azure Active
Directory tenant on page 17
l Setting up the Azure Active Directory synchronization server on page 21
l Configuring the synchronization log on page 29
l Adjusting the synchronization configuration for Azure Active Directory
environments on page 30
l Running synchronization on page 46
l Tasks following synchronization on page 50
l Possible errors when synchronizing an Azure Active Directory tenant on page 231
l Default project template for Azure Active Directory on page 237
l Azure Active Directory connector settings on page 241

Configuring the synchronization log

All the information, tips, warnings, and errors that occur during synchronization are
recorded in the synchronization log. You can configure the type of information to record
separately for each system connection.

To configure the content of the synchronization log

1. To configure the synchronization log for target system connection, select the
Configuration > Target system category in the Synchronization Editor.
- OR -
To configure the synchronization log for the database connection, select the
Configuration > One Identity Manager connection category in the
Synchronization Editor.
2. Select the General view and click Configure.
3. Select the Synchronization log view and set Create synchronization log.
4. Enable the data to be logged.

NOTE: Some content generates a particularly large volume of log data. The
synchronization log should only contain data required for error analysis and
other analyses.
5. Click OK.

Synchronization logs are stored for a fixed length of time.

To modify the retention period for synchronization logs

l In the Designer, enable the DPR | Journal | LifeTime configuration parameter and
enter the maximum retention period.

Related topics

l Displaying synchronization results on page 48

Adjusting the synchronization configuration for Azure Active Directory
environments
Having used the Synchronization Editor to set up a synchronization project for initial
synchronization of an Azure Active Directory tenant, you can use the synchronization
project to load Azure Active Directory objects into the One Identity Manager database. If
you manage user accounts and their authorizations with One Identity Manager, changes are
provisioned in the Azure Active Directory environment.
You must customize the synchronization configuration to be able to regularly compare the
database with the Azure Active Directory environment and to synchronize changes.

l To use One Identity Manager as the primary system during synchronization, create a
workflow with synchronization in the direction of the Target system.
l You can use variables to create generally applicable synchronization configurations
that contain the necessary information about the synchronization objects when
synchronization starts. Variables can be implemented in base objects, schema
classes, or processing methods, for example.
l Use variables to set up a synchronization project for synchronizing different clients.
Store a connection parameter as a variable for logging in to the clients.
l To specify which Azure Active Directory objects and database objects are included in
synchronization, edit the scope of the target system connection and the One Identity
Manager database connection. To prevent data inconsistencies, define the same
scope in both systems. If no scope is defined, all objects will be synchronized.
l Update the schema in the synchronization project if the One Identity Manager
schema or target system schema has changed. Then you can add the changes to
the mapping.

l To synchronize additional schema properties, update the schema in the
synchronization project. Include the schema extensions in the mapping.

For more information about configuring synchronization, see the One Identity Manager
Target System Synchronization Reference Guide.

Detailed information about this topic

l Configuring synchronization with Azure Active Directory tenants on page 31
l Configuring synchronization of different Azure Active Directory tenants on page 32
l Customizing synchronization projects to invite guest users on page 32
l Supporting custom Azure Active Directory extensions on page 33
l Changing system connection settings of Azure Active Directory tenants on page 34
l Updating schemas on page 36
l Configuring the provisioning of memberships on page 42
l Configuring single object synchronization on page 44
l Accelerating provisioning and single object synchronization on page 45

Configuring synchronization with Azure Active Directory tenants
The synchronization project for initial synchronization provides a workflow for initial
loading of target system objects (initial synchronization) and one for provisioning object
modifications from the One Identity Manager database to the target system (provisioning).
To use One Identity Manager as the primary system during synchronization, you also
require a workflow with synchronization in the direction of the Target system.

To create a synchronization configuration for synchronizing in Azure Active
Directory tenants

1. In the Synchronization Editor, open the synchronization project.
2. Check whether the existing mappings can be used to synchronize into the target
system. Create new mappings if required.
3. Create a new workflow with the workflow wizard.
This creates a workflow with Target system as its direction of synchronization.
4. Create a new start up configuration. Use the new workflow to do this.
5. Save the changes.
6. Run a consistency check.

Related topics

l Configuring synchronization of different Azure Active Directory tenants on page 32

Configuring synchronization of different
Azure Active Directory tenants
If you want to customize a synchronization project to synchronize another Azure Active
Directory tenant, make sure that you use the same type of authentication on the
application when registering it in the Azure Active Directory tenant.
Depending on how the One Identity Manager application is registered in the Azure Active
Directory tenant, either a user account with sufficient permissions or the secret key is
required. For more information, see Registering an enterprise application for One Identity
Manager in the Azure Active Directory tenant on page 17.

To customize a synchronization project for synchronizing another Azure Active
Directory tenant

1. In the Synchronization Editor, open the synchronization project.
2. Create a new base object for every other client.
l Use the wizard to attach a base object.
l In the wizard, select the Azure Active Directory connector.
l Declare the connection parameters. The connection parameters are saved in a
special variable set.
A start up configuration is created that uses the newly created variable set.
3. Change other elements of the synchronization configuration as required.
4. Save the changes.
5. Run a consistency check.

Related topics

l Configuring synchronization with Azure Active Directory tenants on page 31
l Registering an enterprise application for One Identity Manager in the Azure Active
Directory tenant on page 17

Customizing synchronization projects to invite guest users
For detailed information about guest users in Azure Active Directory, see the Azure Active
Directory documentation from Microsoft.
In One Identity Manager you can set up user accounts with the following user types:

l Member: Normal Azure Active Directory user account.
l Guest: User account for guest users. The Azure Active Directory connector creates a
user account for guest users and ensures that an invitation is sent by email to the
given email address.

To send guest user invitations, you must alter the variables in the synchronization project.

Variable                   Description

GuestInviteSendMail        Specifies whether the guest user invitation will be sent.
                           Default: True

GuestInviteLanguage        Language to use for sending the guest user invitation.
                           Default: en-us

GuestInviteCustomMessage   Personal welcome greeting for the guest user.

GuestInviteRedirectUrl     URL to reroute guest users after they have accepted the
                           invitation and registered.
                           Default: http://www.office.com

To edit a variable

1. In the Synchronization Editor, open the synchronization project.
2. Select the Configuration > Variables category.
3. Select the variable and edit its value.
4. Save the changes.

Related topics

l General main data of Azure Active Directory user accounts on page 178
l Editing connection parameters in the variable set on page 35

Supporting custom Azure Active Directory extensions
In Azure Active Directory, you can add schema extensions for Azure Active Directory
applications that are registered in the company. Schema extensions in Azure Active
Directory have the format extension_<appId>_<propertyName>. For more information about
schema extensions, see the Microsoft Graph API under https://docs.microsoft.com/en-
us/graph/extensibility-overview.
The Azure Active Directory connector can read and write Azure Active Directory schema
extensions.
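As an added example (not the connector's or the guide's own code), the following parses extension property names in this format and picks out the extensions that belong to one registered application. It assumes, as Microsoft Graph does for directory extensions, that <appId> is the application's appId with the hyphens removed; the sample user and ids are constructed placeholders.

```python
"""Added example, not code from the guide or the Azure Active Directory connector.

Parses Azure AD directory extension names (extension_<appId>_<propertyName>) and
collects the extensions that belong to one registered application.
Assumption: <appId> is the application's appId with hyphens removed (32 hex digits).
"""
import re

# extension_<32 hex chars>_<propertyName>; the property name may itself contain "_".
EXTENSION_RE = re.compile(r"^extension_([0-9a-fA-F]{32})_(.+)$")


def parse_extension_name(name):
    """Return (appId with hyphens restored, propertyName), or None if not an extension."""
    match = EXTENSION_RE.match(name)
    if match is None:
        return None
    raw, prop = match.groups()
    h = raw.lower()
    app_id = f"{h[:8]}-{h[8:12]}-{h[12:16]}-{h[16:20]}-{h[20:]}"
    return app_id, prop


def extensions_for_app(directory_object, app_id):
    """Collect {propertyName: value} for app_id's extensions on a Graph user/group dict.

    Extensions registered by other applications are left alone, which is what a
    mapping rule scoped to the One Identity Manager application should do.
    """
    found = {}
    for key, value in directory_object.items():
        parsed = parse_extension_name(key)
        if parsed is not None and parsed[0] == app_id.lower():
            found[parsed[1]] = value
    return found


# Constructed sample user as Graph would return it; ids are placeholders, not a real tenant.
SAMPLE_APP_ID = "3e9d4a6b-1c2f-4d5e-8a7b-6c5d4e3f2a1b"
SAMPLE_USER = {
    "id": "00000000-0000-0000-0000-000000000001",
    "userPrincipalName": "jane.doe@example.onmicrosoft.com",
    "extension_3e9d4a6b1c2f4d5e8a7b6c5d4e3f2a1b_costCenter": "4711",
    "extension_3e9d4a6b1c2f4d5e8a7b6c5d4e3f2a1b_badge_id": "B-42",
    "extension_ffffffffffffffffffffffffffffffff_otherApp": "ignored",
}

if __name__ == "__main__":
    for prop, value in extensions_for_app(SAMPLE_USER, SAMPLE_APP_ID).items():
        print(f"{prop} = {value}")
```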

To map and synchronize Azure Active Directory schema extensions in One
Identity Manager

1. Extend the One Identity Manager schema by the custom columns. Use the Schema
Extension program to do this.
For more information about extending the One Identity Manager schema, see the
One Identity Manager Configuration Guide.
2. Use the Synchronization Editor to update the target system schema in your
synchronization project and the One Identity Manager connection's schema.
For more information about updating schema in the Synchronization Editor, see the
One Identity Manager Target System Synchronization Reference Guide.
3. In the Synchronization Editor, extend the mappings in your synchronization project
by the respective property mapping rules for schema extensions.
For more information about editing property mapping rules in the
Synchronization Editor, see the One Identity Manager Target System
Synchronization Reference Guide.

Changing system connection settings of Azure Active Directory tenants

When you set up synchronization for the first time, the system connection properties are
set to default values that you can modify. There are two ways to do this:

a. Specify a specialized variable set and change the values of the affected variables.
The default values remain untouched in the default variable set. The variables can be
reset to the default values at any time. (Recommended action)
b. Edit the target system connection with the system connection wizard and change the
affected values.
The system connection wizard supplies additional explanations of the settings. The
default values can only be restored under particular conditions.

Detailed information about this topic

• Editing connection parameters in the variable set on page 35
• Editing target system connection properties on page 36
• Customizing synchronization projects to invite guest users on page 32
• Azure Active Directory connector settings on page 241

Editing connection parameters in the variable set

The connection parameters were saved as variables in the default variable set when
synchronization was set up. You can change the values in these variables to suit your
requirements and assign the variable set to a start up configuration and a base object. This
means that you always have the option to use default values from the default variable set.
NOTE: To guarantee data consistency in the connected target system, ensure that the
start-up configuration for synchronization and the base object for provisioning use the
same variable set. This especially applies if a synchronization project for synchronization
uses different Azure Active Directory tenants.

To customize connection parameters in a specialized variable set

1. In the Synchronization Editor, open the synchronization project.
2. Select the Configuration > Target system category.
3. Open the Connection parameters view.
Some connection parameters can be converted to variables here. For other
parameters, variables are already created.
4. Select a parameter and click Convert.
5. Select the Configuration > Variables category.
All specialized variable sets are shown in the lower part of the document view.
6. Select a specialized variable set or create a new one with the add button in the
variable set view's toolbar.
• To rename the variable set, select the variable set and click the rename button in
the variable set view's toolbar. Enter a name for the variable set.
7. Select the previously added variable and enter a new value.
8. Select the Configuration > Start up configurations category.
9. Select a start up configuration and click Edit.
10. Select the General tab.
11. Select the specialized variable set in the Variable set menu.
12. Select the Configuration > Base objects category.
13. Select the base object and click the edit button.
- OR -
To add a new base object, click the add button.
14. Select the specialized variable set in the Variable set menu.
15. Save the changes.

For detailed information about using variables and variable sets, or restoring default
values and adding base objects, see the One Identity Manager Target System
Synchronization Reference Guide.

Related topics

• Editing target system connection properties on page 36

Editing target system connection properties

You can also use the system connection wizard to change the connection parameters. If
variables are defined for the settings, the changes are transferred to the active
variable set.
NOTE: In the following circumstances, the default values cannot be restored:

• The connection parameters are not defined as variables.
• The default variable set is selected as an active variable set.

In both these cases, the system connection wizard overwrites the default values. They
cannot be restored at a later time.

To edit connection parameters using the system connection wizard

1. In the Synchronization Editor, open the synchronization project.
2. In the toolbar, select the active variable set to be used for the connection to the
target system.
NOTE: If the default variable set is selected, the default values are overwritten and
cannot be restored at a later time.
3. Select the Configuration > Target system category.
4. Click Edit connection.
This starts the system connection wizard.
5. Follow the system connection wizard instructions and change the relevant properties.
6. Save the changes.

Related topics

• Editing connection parameters in the variable set on page 35

Updating schemas

All the schema data (schema types and schema properties) of the target system schema
and the One Identity Manager schema are available when you are editing a synchronization
project. Only a part of this data is really needed for configuring synchronization. If a
synchronization project is finished, the schema is compressed to remove unnecessary data
from the synchronization project. This can speed up the loading of the synchronization
project. Deleted schema data can be added to the synchronization configuration again at a
later point.
If the target system schema or the One Identity Manager schema has changed, these
changes must also be added to the synchronization configuration. Then the changes can be
added to the schema property mapping.
To include schema data that have been deleted through compression and schema
modifications in the synchronization project, update each schema in the synchronization
project. This may be necessary if:

• A schema was changed by:
  • Changes to a target system schema
  • Customizations to the One Identity Manager schema
  • A One Identity Manager update migration
• A schema in the synchronization project was shrunk by:
  • Enabling the synchronization project
  • Saving the synchronization project for the first time
  • Compressing a schema

To update a system connection schema

1. In the Synchronization Editor, open the synchronization project.
2. Select the Configuration > Target system category.
- OR -
Select the Configuration > One Identity Manager connection category.
3. Select the General view and click Update schema.
4. Confirm the security prompt with Yes.
This reloads the schema data.

To edit a mapping

1. In the Synchronization Editor, open the synchronization project.
2. Select the Mappings category.
3. Select a mapping in the navigation view.
Opens the Mapping Editor. For more information about mappings, see the One
Identity Manager Target System Synchronization Reference Guide.

NOTE: The synchronization is deactivated if the schema of an activated synchronization
project is updated. Reactivate the synchronization project to synchronize.

Speeding up synchronization

The Azure Active Directory connector supports delta synchronization to speed up Azure
Active Directory synchronization. The method is based on the delta query function from
Microsoft Graph. It supports the schema types User (user account), Group (group), and
DirectoryRole (administrator role). Delta synchronization is not enabled by default. It is a
custom setup.

Implementing delta synchronization

1. Set up a regular Azure Active Directory synchronization project.
2. Run initial synchronization.
3. Modify the TargetSystem | AzureAD | DeltaTokenDirectory configuration
parameter.
The configuration parameter contains the directory where the delta token files are
stored. In the Designer, modify the value of the configuration parameter. Ensure that
the One Identity Manager Service user account has write access to the directory.
4. (Optional) Modify the AAD_Organization_DeltaSync process.
The process is made up of three process steps. Each process step handles one of
the three supported schema types. Each process step is configured such that it
synchronizes all supported delta properties of the schema types. Furthermore,
each of these process steps keeps its own delta token file. The order of process
steps is as follows:
• Synchronize user accounts (Synchronize User process step)
• Synchronize groups (Synchronize Group process step)
• Synchronize administration roles (Synchronize DirectoryRole process step)
If customized, ensure that the process is only generated if no other similar
process is in the Job queue. In the same way, the process must not start during a
regular synchronization.
5. (Optional) Customize the processing scripts for the supported schema types.
• Process user accounts (AAD_ProcessDeltaQueryUser script)
• Process groups (AAD_ProcessDeltaQueryGroup script)
• Process administration roles (AAD_ProcessDeltaQueryDirectoryRole script)
The AAD_ProcessDeltaQueryGroup script has had comments added to it to simplify
editing and custom development.
6. Adjust and enable the Azure Active Directory delta synchronization schedule.
The schedule ensures regular delta synchronization of the Azure Active Directory
tenants. The schedule is run by default at 15 minute intervals. You can change this
interval in the Designer if necessary. Enable the schedule.

The delta synchronization sequence

1. An initial query is run for a schema type (user account, group, administrator role).
The initial query returns a complete list for the schema type, such as all user
accounts, including the queried properties. This also returns a state token. This token
represents the state of the data at the time of the query in Azure Active Directory.
The state token and the queried properties are written to a delta token file. By
default, there is no initial processing of the data.
Delta token file storage structure:
<Directory in TargetSystem | AzureAD | DeltaTokenDirectory configuration
parameter>\<UID_AADOrganization>_<SchemaType>Query.token
Example:
C:\Temp\OneIM\DeltaToken\2da43fd4-ce7b-48af-9a00-686e5e3fb8a5_UserQuery.token
2. The subsequent queries use the state token of the previous query. Apart from the new
state token, they only return the objects that have changed since the last query.
• Attempts to add new objects if all mandatory properties have been queried.
• Objects deleted in the target system are generally marked as Outstanding.
Objects that fail during processing are logged in the process step's messages.
The new state token is written to the delta token file.

Restrictions

The delta query method cannot simply be repeated: once a state token has been used, it
is generally invalid and the same query cannot be run again. If an error occurs while
processing the returned data, the respective change cannot be loaded until the next time
synchronization is scheduled to run. For example, this happens to new group memberships
if the member itself has not been loaded yet.
Another disadvantage is the runtime of the initial query and the processing of the initial
data. Processing the initial data in this way is not recommended. Because the initial data
is expected to be loaded by the scheduled regular synchronization, leave the
DoNotProcessOffset parameter in the process steps set to True (default).
You should also take into account that not all properties can be queried using the Microsoft
Graph API delta query.
If the data in the delta token file does not match the calling parameters of a query, the
existing file is renamed to <old name>.backup in order not to lose the state token, and a
new file is created. In this case, a new initial query is run. This also happens if the file
does not exist or is empty.
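The sequence and the restrictions above (an initial query that yields a full list and a state token, change-only follow-up queries, deleted objects marked as outstanding rather than removed, new objects skipped and logged when mandatory properties are missing, and a token file backed up as <old name>.backup when its stored parameters no longer match the query) as an added Python example. It is not code from One Identity Manager or its AAD_ProcessDeltaQuery* scripts: FakeGraph is a constructed offline stand-in for the Microsoft Graph delta endpoint, and run_delta_cycle, the token file contents and the sample users are assumptions made for the illustration.

```python
"""Delta query state handling per tenant and schema type. Added example, not
One Identity Manager code: FakeGraph is an offline, constructed stand-in for
Microsoft Graph, and run_delta_cycle and the sample users are hypothetical."""
import json
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Mandatory delta properties for schema type User (Table 5 of the guide).
MANDATORY_USER = ("id", "displayName", "userPrincipalName", "userType")
INITIAL_USERS = [  # constructed tenant contents at the time of the first query
    {"id": "u1", "displayName": "Alice", "userPrincipalName": "alice@example.com", "userType": "Member"},
    {"id": "u2", "displayName": "Bob", "userPrincipalName": "bob@example.com", "userType": "Member"},
]


class FakeGraph:
    """Stand-in for GET /users/delta: no token -> complete list plus a new token;
    a token -> only the changes since then. A used token is rejected, which is
    the repetition restriction the guide describes."""

    def __init__(self) -> None:
        self._used: set = set()
        self._pages = {
            None: (INITIAL_USERS, "token-1"),
            "token-1": ([
                {"id": "u2", "displayName": "Bob Jones"},                          # changed
                {"id": "u3", "displayName": "Carol", "userPrincipalName": "carol@example.com",
                 "userType": "Guest"},                                              # new
                {"id": "u1", "@removed": {"reason": "deleted"}},                   # deleted
                {"id": "u4", "displayName": "Dan"},                                # new, mandatory data missing
            ], "token-2"),
            "token-2": ([], "token-3"),
        }

    def delta(self, token: Optional[str]) -> Tuple[List[dict], str]:
        if token in self._used:
            raise RuntimeError(f"state token {token!r} has already been used")
        if token is not None:
            self._used.add(token)
        return self._pages[token]


def token_path(directory: str, uid_org: str, schema_type: str) -> str:
    # <DeltaTokenDirectory>\<UID_AADOrganization>_<SchemaType>Query.token
    return os.path.join(directory, f"{uid_org}_{schema_type}Query.token")


def load_token(path: str, select: List[str]) -> Optional[str]:
    """Stored token, or None when an initial query is needed: the file is missing
    or empty, or was written for another property selection (then it is kept as
    <name>.backup so its token is not lost)."""
    if not os.path.exists(path) or os.path.getsize(path) == 0:
        return None
    with open(path, encoding="utf-8") as fh:
        state = json.load(fh)
    if state.get("select") != select:
        os.replace(path, path + ".backup")
        return None
    return state["token"]


def save_token(path: str, token: str, select: List[str]) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"token": token, "select": select}, fh)


def apply_changes(db: Dict[str, dict], changes: List[dict], log: List[str]) -> None:
    """Apply one delta page to the local store (a dict standing in for the database)."""
    for obj in changes:
        oid = obj["id"]
        if "@removed" in obj:
            if oid in db:                         # deleted in the tenant: mark, never delete
                db[oid]["outstanding"] = True
        elif oid in db:
            db[oid].update({k: v for k, v in obj.items() if k != "id"})
        elif all(p in obj for p in MANDATORY_USER):
            db[oid] = dict(obj)                   # new object with all mandatory properties
        else:
            log.append(f"{oid}: not added, mandatory properties missing")


def run_delta_cycle(graph, directory, uid_org, select, db, log, process_initial=False):
    """One scheduled run for schema type User; returns True for an initial query."""
    path = token_path(directory, uid_org, "User")
    token = load_token(path, select)
    objects, new_token = graph.delta(token)
    if token is not None or process_initial:     # DoNotProcessOffset=True: skip initial data
        apply_changes(db, objects, log)
    save_token(path, new_token, select)
    return token is None


def demo():
    """Two scheduled runs, then a query with a changed property selection."""
    directory, graph, log = tempfile.mkdtemp(), FakeGraph(), []
    db = {u["id"]: dict(u) for u in INITIAL_USERS}   # loaded earlier by regular synchronization
    select = ["displayName", "userPrincipalName", "userType"]
    first = run_delta_cycle(graph, directory, "org-1", select, db, log)    # initial query
    second = run_delta_cycle(graph, directory, "org-1", select, db, log)   # changes only
    path = token_path(directory, "org-1", "User")
    needs_initial = load_token(path, select + ["mail"]) is None            # mismatch -> backup
    return db, log, first, second, needs_initial, os.path.exists(path + ".backup")
```

Running demo() shows the two sides of the design: the initial page is never processed (the regular synchronization is expected to have loaded those objects), so the follow-up page can update u2, add u3, mark u1 as outstanding and only log u4, whose mandatory properties were not in the delta; the final load_token call with a different property selection moves the token file aside as a .backup and forces a fresh initial query, exactly as the guide describes for a parameter mismatch.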

Supported schema types

The following tables contain the supported schema types and their supported properties. If
new objects are to be imported into the database, the mandatory properties must be
queried in the delta synchronization.

Table 5: Supported properties for user accounts (schema type: User)

Property                         Mandatory  Remark
AccountEnabled
AgeGroup
BusinessPhones
City
CompanyName
ConsentProvidedForMinor
Country
Department
DisplayName                      X
ExternalUserState
ExternalUserStateChangeDateTime
GivenName
ID                               X
JobTitle
LastPasswordChangeDateTime
LegalAgeGroupClassification
Licenses                                    When this property is queried, another query
                                            runs for the user account's license assignment
                                            status (LicenseAssignmentStates). This increases
                                            the runtime massively. Contains a list of objects
                                            with the DisabledPlans, SkuId, AssignedByGroup,
                                            State, and Error properties.
Mail
MailNickname
Manager
MobilePhone
OfficeLocation
OnPremisesDistinguishedName
OnPremisesDomainName
OnPremisesImmutableId
OnPremisesLastSyncDateTime
OnPremisesSamAccountName
OnPremisesSecurityIdentifier
OnPremisesSyncEnabled
OnPremisesUserPrincipalName
PostalCode
PreferredLanguage
ProxyAddresses
State
StreetAddress
Surname
UsageLocation
UserDomain                       X
UserPrincipalName                X
UserType                         X

Table 6: Supported properties for groups (schema type: Group)

Property                      Mandatory  Remark
Description
DisplayName                   X
GroupTypes                    X
ID                            X
Licenses                                 Contains a list of objects with the DisabledPlans
                                         and SkuId properties.
Mail
MailEnabled                   X
MailNickName                  X
Members                                  The property is not available in an initial query.
                                         The result contains the schema type and the ID.
OnPremisesSecurityIdentifier
OnPremisesSyncEnabled
Owners                                   The property is not available in an initial query.
                                         The result contains the schema type and the ID.
ProxyAddresses
SecurityEnabled               X

Table 7: Supported properties for administration roles (schema type: DirectoryRole)

Property     Mandatory  Remark
Description
DisplayName  X
ID           X
Members                 The property is not available in an initial query. The result
                        contains the schema type and the ID.

Configuring the provisioning of memberships

Memberships, such as user accounts in groups, are saved in assignment tables in the One
Identity Manager database. During provisioning of modified memberships, changes made
in the target system may be overwritten. This behavior can occur under the following
conditions:

• Memberships are saved as an object property in list form in the target system.
Example: List of user accounts in the Member property of an Azure Active Directory
group (Group)
• Memberships can be modified in either of the connected systems.
• A provisioning workflow and provisioning processes are set up.

If one membership in One Identity Manager changes, by default, the complete list of
members is transferred to the target system. Therefore, memberships that were
previously added to the target system are removed in the process and previously deleted
memberships are added again.
To prevent this, provisioning can be configured such that only the modified membership is
provisioned in the target system. The corresponding behavior is configured separately for
each assignment table.

To allow separate provisioning of memberships

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Target system types category.
2. In the result list, select the Azure Active Directory target system type.
3. Select the Configure tables for publishing task.
4. Select the assignment tables that you want to set up for single provisioning.
Multi-select is possible.
5. Click Merge mode.
NOTE:
• This option can only be enabled for assignment tables that have a base table
with an XDateSubItem column.
• Assignment tables that are grouped together in a virtual schema property in
the mapping must be marked identically.
Example: AADUserInGroup and AADGroupInGroup
6. Save the changes.

For each assignment table labeled like this, the changes made in One Identity Manager are
saved in a separate table. Therefore, only newly added and deleted assignments are
processed. During modification provisioning, the members list in the target system is
compared to the entries in this table. This means that only modified memberships are
provisioned and not the entire members list.
NOTE: The complete members list is updated by synchronization. During this process,
objects with changes but incomplete provisioning are not handled. These objects are
logged in the synchronization log.
You can restrict single provisioning of memberships with a condition. Once merge mode
has been disabled for a table, the condition is deleted. Tables whose condition has been
deleted or edited are marked with an icon. You can restore the original condition at
any time.

To restore the original condition

1. Select the auxiliary table for which you want to restore the condition.
2. Right-click on the selected row and select the Restore original values
context menu item.
3. Save the changes.

NOTE: To create the reference to the added or deleted assignments in the condition, use
the i table alias.
Example of a condition on the AADUserInGroup assignment table:

exists (select top 1 1 from AADGroup g
        where g.UID_AADGroup = i.UID_AADGroup
          and <limiting condition>)

For more information about provisioning memberships, see the One Identity Manager
Target System Synchronization Reference Guide.
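Why full-list provisioning overwrites changes made in the target system, what the separate table of added and deleted assignments changes, and how a condition limits merge mode to part of the groups, as an added Python example. It is not One Identity Manager code: MergeModeProvisioner, the condition and the sample groups and users are constructed for this illustration, and the rows in GROUPS stand in for the AADGroup columns a real condition would reference.

```python
"""Full-list versus merge-mode provisioning of group memberships. Added example,
not One Identity Manager code: MergeModeProvisioner, the condition and the
sample data are hypothetical."""
from typing import Callable, Dict, List, Set, Tuple

# Constructed rows standing in for AADGroup; the condition below reads them.
GROUPS = {
    "g-sec": {"DisplayName": "sec-admins", "SecurityEnabled": True},
    "g-dl": {"DisplayName": "newsletter", "SecurityEnabled": False},
}


class MergeModeProvisioner:
    """Provisions AADUserInGroup-style assignments to a target member list."""

    def __init__(self, condition: Callable[[dict], bool]) -> None:
        self.condition = condition                       # restricts merge mode per group
        self.db: Dict[str, Set[str]] = {}                # assignment table: group -> users
        self.changes: List[Tuple[str, str, str]] = []   # auxiliary table: (group, user, op)

    def assign(self, group: str, user: str) -> None:
        self.db.setdefault(group, set()).add(user)
        self.changes.append((group, user, "add"))

    def unassign(self, group: str, user: str) -> None:
        self.db.setdefault(group, set()).discard(user)
        self.changes.append((group, user, "del"))

    def provision(self, group: str, target_members: Set[str]) -> Set[str]:
        """Return the member list the target system holds after provisioning."""
        if not self.condition(GROUPS[group]):
            # Outside the condition: default behaviour, the database list replaces
            # the target's list, so changes made only in the target are lost.
            return set(self.db.get(group, set()))
        # Merge mode: apply only the recorded additions and deletions.
        result = set(target_members)
        for g, user, op in self.changes:
            if g == group:
                (result.add if op == "add" else result.discard)(user)
        self.changes = [c for c in self.changes if c[0] != group]  # rows now processed
        return result


def scenario() -> Dict[str, Set[str]]:
    """Both groups start with alice and bob on both sides. An admin then adds carol
    and removes bob directly in the tenant, while dave is assigned in the database."""
    prov = MergeModeProvisioner(condition=lambda g: g["SecurityEnabled"])
    for group in GROUPS:
        prov.db[group] = {"alice", "bob"}           # loaded by synchronization, no change rows
    tenant = {group: {"alice", "carol"} for group in GROUPS}   # drift made in the tenant
    for group in GROUPS:
        prov.assign(group, "dave")
    after = {group: prov.provision(group, tenant[group]) for group in GROUPS}
    # A second provisioning of the merge-mode group has nothing left to apply.
    after["g-sec-again"] = prov.provision("g-sec", after["g-sec"])
    return after
```

For the group covered by the condition, only dave is added and the tenant keeps the admin's changes; for the group outside it, the full list from the database is written back, which removes carol and re-adds bob, which is the overwrite the guide warns about.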

Configuring single object synchronization

Changes made to individual objects in the target system can be immediately applied in the
One Identity Manager database without having to start a full synchronization of the target
system environment. Individual objects can only be synchronized if the object is already
present in the One Identity Manager database. The changes are applied to the mapped
object properties. If a membership list belongs to one of these properties, the entries in
the assignment table will also be updated. If the object is no longer present in the target
system, then it is deleted from the One Identity Manager database.

Prerequisites

• A synchronization step exists that can import the changes to the changed object into
One Identity Manager.
• The path to the base object of the synchronization is defined for the table that
contains the changed object.

Single object synchronization is fully configured for synchronization projects created using
the default project template. If you want to incorporate custom tables into this type of
synchronization project, you must configure single object synchronization for these tables.
For more information about this, see the One Identity Manager Target System
Synchronization Reference Guide.

To define the path to the base object for synchronization for a custom table

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Target system types category.
2. In the result list, select the Azure Active Directory target system type.
3. Select the Assign synchronization tables task.
4. In the Add assignments pane, assign the custom table for which you want to use
single object synchronization.
5. Save the changes.
6. Select the Configure tables for publishing task.
7. Select the custom table and enter the Root object path.
Enter the path to the base object in the ObjectWalker notation of the VI.DB.
Example: FK(UID_AADOrganization).XObjectKey
8. Save the changes.

Related topics

• Synchronizing single objects on page 49
• Post-processing outstanding objects on page 50

Accelerating provisioning and single object synchronization

To smooth out spikes in data traffic, handling of processes for provisioning and single
object synchronization can be distributed over several Job servers. This will also accelerate
these processes.
NOTE: You should not implement load balancing for provisioning or single object
synchronization on a permanent basis. Parallel processing of objects might result in
dependencies not being resolved because referenced objects from another Job server
have not been completely processed.
Once load balancing is no longer required, ensure that the synchronization server runs
the provisioning processes and single object synchronization.

To configure load balancing

1. Configure the server and declare it as a Job server in One Identity Manager.
• Job servers that share processing must have the No process assignment
option enabled.
• Assign the Azure Active Directory connector server function to the
Job server.
All Job servers must access the same Azure Active Directory tenant as the
synchronization server for the respective base object.
2. In the Synchronization Editor, assign a custom server function to the base object.
This server function is used to identify all the Job servers being used for load
balancing.
If there is no custom server function for the base object, create a new one.
For more information about editing base objects, see the One Identity Manager
Target System Synchronization Reference Guide.
3. In the Manager, assign this server function to all the Job servers that will be
processing provisioning and single object synchronization for the base object.
Only select those Job servers that have the same configuration as the base object's
synchronization server.

Once all the processes have been handled, the synchronization server takes over
provisioning and single object synchronization again.

To use the synchronization server without load balancing

• In the Synchronization Editor, remove the server function from the base object.

For detailed information about load balancing, see the One Identity Manager Target System
Synchronization Reference Guide.

Detailed information about this topic

• Job server for Azure Active Directory-specific process handling on page 226

Running synchronization

Synchronization is started using scheduled process plans. It is possible to start
synchronization manually in the Synchronization Editor. You can simulate synchronization
beforehand to estimate synchronization results and discover errors in the synchronization
configuration. If synchronization stopped unexpectedly, you must reset the start
information to be able to restart synchronization.
If you want to specify the order in which target systems are synchronized, use the start up
sequence to run synchronization. In a start up sequence, you can combine start up
configurations from different synchronization projects and specify the order in which they
are run. For more information about start up sequences, see the One Identity Manager
Target System Synchronization Reference Guide.

Detailed information about this topic

• Starting synchronization on page 46
• Deactivating synchronization on page 47
• Displaying synchronization results on page 48
• Synchronizing single objects on page 49

Starting synchronization

When you set up the initial synchronization project using the Launchpad, a default schedule
for regular synchronization is created and assigned. Activate this schedule to synchronize
on a regular basis.

To synchronize on a regular basis

1. In the Synchronization Editor, open the synchronization project.
2. Select the Configuration > Start up configurations category.
3. Select a start up configuration in the document view and click Edit schedule.
4. Edit the schedule properties.
5. To enable the schedule, click Activate.
6. Click OK.

You can also start synchronization manually if there is no active schedule.

To start initial synchronization manually

1. In the Synchronization Editor, open the synchronization project.
2. Select the Configuration > Start up configurations category.
3. Select a start up configuration in the document view and click Run.
4. Confirm the security prompt with Yes.

IMPORTANT: As long as a synchronization process is running, you must not start another
synchronization process for the same target system. This especially applies if the same
synchronization objects would be processed.

• If another synchronization process is started with the same start up configuration,
the process is stopped and is assigned Frozen status. An error message is written
to the One Identity Manager Service log file.
  • Ensure that start up configurations that are used in start up sequences are
  not started individually at the same time. Assign start up sequences and start
  up configurations different schedules.
• Starting another synchronization process with a different start up configuration that
addresses the same target system may lead to synchronization errors or loss of data.
Specify One Identity Manager behavior in this case, in the start up configuration.
  • Use the schedule to ensure that the start up configurations are run in
  sequence.
  • Group start up configurations with the same start up behavior.

Deactivating synchronization

Regular synchronization cannot be started until the synchronization project and the
schedule are active.

To prevent regular synchronization

1. In the Synchronization Editor, open the synchronization project.
2. Select the start up configuration and deactivate the configured schedule.
Now you can only start synchronization manually.

An activated synchronization project can only be edited to a limited extent. The schema in
the synchronization project must be updated if schema modifications are required. The
synchronization project is deactivated in this case and can be edited again.
Furthermore, the synchronization project must be deactivated if synchronization should not
be started by any means (not even manually).

To deactivate the synchronization project

1. In the Synchronization Editor, open the synchronization project.
2. Select the General view on the home page.
3. Click Deactivate project.

Related topics

• Creating a synchronization project for initial synchronization of an Azure Active
Directory tenant on page 25

Displaying synchronization results

Synchronization results are summarized in the synchronization log. You can specify the
extent of the synchronization log for each system connection individually. One Identity
Manager provides several reports in which the synchronization results are organized under
different criteria.

To display a synchronization log

1. In the Synchronization Editor, open the synchronization project.
2. Select the Logs category.
3. Click the synchronization log button in the navigation view toolbar.
Logs for all completed synchronization runs are displayed in the navigation view.
4. Select a log by double-clicking it.
An analysis of the synchronization is shown as a report. You can save the report.

To display a provisioning log

1. In the Synchronization Editor, open the synchronization project.
2. Select the Logs category.
3. Click the provisioning log button in the navigation view toolbar.
Logs for all completed provisioning processes are displayed in the navigation view.
4. Select a log by double-clicking it.
An analysis of the provisioning is shown as a report. You can save the report.

The log is marked in color in the navigation view. This mark shows you the status of the
synchronization/provisioning.
TIP: The logs are also displayed in the Manager under the <target system> >
synchronization log category.

Related topics

• Configuring the synchronization log on page 29
• Troubleshooting on page 53
Synchronizing single objects

Individual objects can only be synchronized if the object is already present in the One
Identity Manager database. The changes are applied to the mapped object properties. If a
membership list belongs to one of these properties, the entries in the assignment table will
also be updated.
NOTE: If the object is no longer present in the target system, then it is deleted from the
One Identity Manager database.

To synchronize a single object

1. In the Manager, select the Azure Active Directory category.
2. Select the object type in the navigation view.
3. In the result list, select the object that you want to synchronize.
4. Select the Synchronize this object task.
A process for reading this object is entered in the job queue.

Features of synchronizing memberships

If you synchronize changes in an object's member list, run single object synchronization on
the assignment's root object. The base table of an assignment contains an XDateSubItem
column containing information about the last change to the memberships.

Example:

The base object for assigning user accounts to groups is the group.
In the target system, a user account was assigned to a group. To synchronize this
assignment, in the Manager, select the group that the user account was assigned to
and run single object synchronization. In the process, all of the group's memberships
are synchronized.
The user account must already exist as an object in the One Identity Manager
database for the assignment to be made.

NOTE: To load changes to the assignment of subscriptions to user accounts, run single
object synchronization on the user account.

Detailed information about this topic

• Configuring single object synchronization on page 44
Tasks following synchronization
After the synchronization of data from the target system into the One Identity Manager
database, rework may be necessary. Check the following tasks:

l Post-processing outstanding objects on page 50


l Adding custom tables to the target system synchronization on page 52
l Managing Azure Active Directory user accounts through account definitions on
page 52

Post-processing outstanding objects


Objects that do not exist in the target system can be marked as outstanding in One
Identity Manager by synchronization. This prevents objects from being deleted because of an
incorrect data situation or an incorrect synchronization configuration.
Outstanding objects:

• Cannot be edited in One Identity Manager.
• Are ignored by subsequent synchronizations.
• Are ignored by inheritance calculations.

This means that all memberships and assignments remain intact until the outstanding objects
have been processed. Start target system synchronization to do this.

To post-process outstanding objects

1. In the Manager, select the Azure Active Directory > Target system
synchronization: Azure Active Directory category.
The navigation view lists all the synchronization tables assigned to the Azure Active
Directory target system type.
2. On the Target system synchronization form, in the Table / object column, open
the node of the table for which you want to post-process outstanding objects.
All objects that are marked as outstanding are shown. The Last log entry and Last
method run columns display the time at which the last entry was made in the
synchronization log and which processing method was run. The No log available
entry can mean the following:
   • The synchronization log has already been deleted.
   - OR -
   • An assignment from a member list has been deleted from the target system.
     The base object of the assignment was updated during the synchronization. A
     corresponding entry appears in the synchronization log. The entry in the
     assignment table is marked as outstanding, but there is no entry in the
     synchronization log.
   • An object that contains a member list has been deleted from the target system.
     During synchronization, the object and all corresponding entries in the
     assignment tables are marked as outstanding. However, an entry in the
     synchronization log appears only for the deleted object.
TIP:

To display object properties of an outstanding object


1. Select the object on the target system synchronization form.
2. Open the context menu and click Show object.

3. Select the objects you want to rework. Multi-select is possible.


4. Click on one of the following icons in the form toolbar to run the respective method.

Table 8: Methods for handling outstanding objects

Method    Description

Delete    The object is immediately deleted from the One Identity Manager database.
          Deferred deletion is not taken into account.
          Indirect memberships cannot be deleted.

Publish   The object is added to the target system. The Outstanding label is removed
          from the object.
          This runs a target system specific process that triggers the provisioning
          process for the object.
          Prerequisites:
          • The table containing the object can be published.
          • The target system connector has write access to the target system.

Reset     The Outstanding label is removed for the object.

5. Confirm the security prompt with Yes.

NOTE: By default, the selected objects are processed in parallel, which speeds up the
selected method. If an error occurs during processing, the action is stopped and all
changes are discarded.
Bulk processing of objects must be disabled if errors are to be localized, which means the
objects are processed sequentially. Failed objects are named in the error message. All
changes that were made up until the error occurred are saved.

To disable bulk processing

• Disable the icon in the form's toolbar.

NOTE: The target system connector must have write access to the target system in order
to publish outstanding objects that are being post-processed. That means, the Connection
is read-only option must not be set for the target system connection.

Adding custom tables to the target system synchronization
You must customize your target system synchronization to synchronize custom tables.

To add custom tables to target system synchronization

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Target system types category.
2. In the result list, select the Azure Active Directory target system type.
3. Select the Assign synchronization tables task.
4. In the Add assignments pane, assign custom tables to the outstanding objects you
want to handle.
5. Save the changes.
6. Select the Configure tables for publishing task.
7. Select the custom tables that contain the outstanding objects that can be published in
the target system and set the Publishable option.
8. Save the changes.

Related topics

• Post-processing outstanding objects on page 50

Managing Azure Active Directory user accounts through account definitions
In the default installation, after synchronizing, employees are automatically created for the
user accounts. If an account definition for the tenant is not known at the time of
synchronization, user accounts are linked with employees, but account definitions are not
assigned. The user accounts are therefore in a Linked state.
To manage the user accounts using account definitions, assign an account definition and a
manage level to these user accounts.

To manage user accounts through account definitions

1. Create an account definition.


2. Assign an account definition to the tenant.
3. Assign a user account in the Linked state to the account definition. The account
definition's default manage level is applied to the user account.
a. In the Manager, select the Azure Active Directory > User accounts >
Linked but not configured > Client> category.
b. Select the Assign account definition to linked accounts task.
c. In the Account definition menu, select the account definition.
d. Select the user accounts that contain the account definition.
e. Save the changes.

Related topics

• Account definitions for Azure Active Directory user accounts on page 56

Troubleshooting
Synchronization Editor helps you to analyze and eliminate synchronization errors.

• Simulating synchronization
  The simulation allows you to estimate the result of synchronization. This means you
  can, for example, recognize potential errors in the synchronization configuration.
• Analyzing synchronization
  You can generate the synchronization analysis report for analyzing problems which
  occur during synchronization, for example, insufficient performance.
• Logging messages
  One Identity Manager offers different options for logging errors. These include the
  synchronization log, the log file for One Identity Manager Service, the logging of
  messages with NLOG, and similar.
• Reset start information
  If synchronization stopped unexpectedly, for example, because a server was not
  available, the start information must be reset manually. Only then can the
  synchronization be restarted.

For more information about these topics, see the One Identity Manager Target System
Synchronization Reference Guide.

Related topics

• Displaying synchronization results on page 48

Ignoring data errors in synchronization
By default, objects with incorrect data are not synchronized. These objects can be
synchronized once the data has been corrected. In certain situations, however, it might be
necessary to synchronize objects like these and ignore the data properties that have
errors. This synchronization behavior can be configured in One Identity Manager.

To ignore data errors during synchronization in One Identity Manager

1. In the Synchronization Editor, open the synchronization project.


2. Select the Configuration > One Identity Manager connection category.
3. In the General view, click Edit connection.
This starts the system connection wizard.
4. On the Additional options page, enable Try to ignore data errors.
This option is only effective if Continue on error is set in the
synchronization workflow.
Default columns, such as primary keys, UID columns, or mandatory input columns
cannot be ignored.
5. Save the changes.

IMPORTANT: If this option is set, One Identity Manager tries to ignore commit errors that
could be related to data errors in a single column. This causes the data changed in the
affected column to be discarded and the object is subsequently saved again. This affects
performance and leads to loss of data.
Only set this option in the exceptional circumstance of not being able to correct the data
before synchronization.

3 Managing Azure Active Directory user accounts and employees

The main feature of One Identity Manager is to map employees together with the main data
and permissions available to them in different target systems. To achieve this, information
about user accounts and permissions can be read from the target system into the One
Identity Manager database and linked to employees. This provides an overview of the
permissions for each employee in all of the connected target systems. One Identity
Manager offers the option of managing user accounts and their permissions. You can
provision modifications in the target systems. Employees are supplied with the necessary
permissions in the connected target systems according to their function in the company.
Regular synchronization keeps data consistent between target systems and the One
Identity Manager database.
Because requirements vary between companies, One Identity Manager offers different
methods for supplying user accounts to employees. One Identity Manager supports the
following methods for linking employees and their user accounts:

• Employees can automatically obtain their account definitions using user account
  resources. If an employee does not yet have a user account in a tenant, a new user
  account is created. This is done by assigning account definitions to an employee
  using the integrated inheritance mechanism and subsequent process handling.
  When you manage account definitions through user accounts, you can specify the
  way user accounts behave when employees are enabled or deleted.
• When user accounts are inserted, they can be automatically assigned to an existing
  employee or a new employee can be created if necessary. In the process, the
  employee main data is created on the basis of existing user account main data. This
  mechanism can be implemented if a new user account is created manually or by
  synchronization. However, this is not the One Identity Manager default method. You
  must define criteria for finding employees for automatic employee assignment.
• Employees and user accounts can be entered manually and assigned to each other.

For more information about employee handling and administration, see the One Identity
Manager Target System Base Module Administration Guide.

Related topics

• Account definitions for Azure Active Directory user accounts on page 56
• Assigning employees automatically to Azure Active Directory user accounts on page 78
• Supported user account types on page 83
• Updating employees when Azure Active Directory user accounts are modified on page 90
• Specifying deferred deletion for Azure Active Directory user accounts on page 91
• Creating and editing Azure Active Directory user accounts on page 177

Account definitions for Azure Active Directory user accounts
One Identity Manager has account definitions for automatically allocating user accounts to
employees. You can create account definitions for every target system. If an employee
does not yet have a user account in a target system, a new user account is created. This is
done by assigning account definitions to an employee.
The data for the user accounts in the respective target system comes from the basic
employee data. The employees must have a central user account. The assignment of the IT
operating data to the employee’s user account is controlled through the primary
assignment of the employee to a location, a department, a cost center, or a business role.
Processing is done through templates. There are predefined templates for determining the
data required for user accounts included in the default installation. You can customize
templates as required.
Specify the manage level for an account definition for managing user accounts. The user
account’s manage level specifies the extent of the employee’s properties that are inherited
by the user account. This allows an employee to have several user accounts in one target
system, for example:

• Default user account that inherits all properties from the employee.
• Administrative user account that is associated to an employee but should not inherit
  the properties from the employee.

For more detailed information about the principles of account definitions, manage levels,
and determining the valid IT operating data, see the One Identity Manager Target System
Base Module Administration Guide.
The following steps are required to implement an account definition:

• Creating account definitions
• Configuring manage levels
• Creating the formatting rules for IT operating data
• Collecting IT operating data
• Assigning account definitions to employees and target systems

Detailed information about this topic

• Creating account definitions on page 57
• Editing account definitions on page 58
• Main data for an account definition on page 58
• Editing manage levels on page 62
• Creating manage levels on page 63
• Assigning manage levels to account definitions on page 64
• Creating mapping rules for IT operating data on page 65
• Entering IT operating data on page 66
• Modify IT operating data on page 68
• Assigning account definitions to employees on page 68
• Assigning account definitions to Azure Active Directory tenants on page 75
• Deleting account definitions on page 76

Creating account definitions


To create a new account definition

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Account definitions > Account definitions category.
2. Click in the result list.
3. On the main data form, enter the main data of the account definition.
4. Save the changes.

Related topics

• Main data for an account definition on page 58
• Editing account definitions on page 58
• Assigning manage levels to account definitions on page 64

Editing account definitions
To edit an account definition

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Account definitions > Account definitions category.
2. Select an account definition in the result list.
3. Select the Change main data task.
4. Enter the account definition's main data.
5. Save the changes.

Related topics

• Main data for an account definition on page 58
• Creating account definitions on page 57
• Assigning manage levels to account definitions on page 64

Main data for an account definition


Enter the following data for an account definition:

Table 9: Main data for an account definition

Property
    Description

Account definition
    Account definition name.

User account table
    Table in the One Identity Manager schema that maps user accounts.
    For Azure Active Directory user accounts, select AADUser.

Target system
    Target system to which the account definition applies.

Required account definition
    Specifies the required account definition. Define the dependencies between
    account definitions. When this account definition is requested or assigned, the
    required account definition is assigned automatically.
    Leave empty for Azure Active Directory tenants. In federations, you can enter the
    account definition of the Active Directory domain.

Description
    Text field for additional explanation.

Manage level (initial)
    Manage level to use by default when you add new user accounts.

Risk index
    Value for evaluating the risk of assigning the account definition to employees. Set
    a value in the range 0 to 1. This input field is only visible if the
    QER | CalculateRiskIndex configuration parameter is set.
    For detailed information, see the One Identity Manager Risk Assessment
    Administration Guide.

Service item
    Service item through which you can request the account definition resource in the
    IT Shop. Assign an existing service item or add a new one.

IT Shop
    Specifies whether the account definition can be requested through the IT Shop. The
    account definition can be requested by an employee through the Web Portal and
    distributed using a defined approval process. The resource can also be assigned
    directly to employees and roles outside the IT Shop.

Only for use in IT Shop
    Specifies whether the account definition can only be requested through the IT
    Shop. The account definition can be requested by an employee through the Web
    Portal and distributed using a defined approval process. The account definition
    cannot be directly assigned to roles outside the IT Shop.

Automatic assignment to employees
    Specifies whether the account definition is automatically assigned to all internal
    employees. To automatically assign the account definition to all internal
    employees, use the Enable automatic assignment to employees task. The account
    definition is assigned to every employee that is not marked as external. Once a
    new internal employee is created, they automatically obtain this account
    definition.
    To automatically remove the account definition assignment from all employees, use
    the Disable automatic assignment to employees task. The account definition
    cannot be reassigned to employees from this point on. Existing account definition
    assignments remain intact.

Retain account definition if permanently disabled
    Specifies the account definition assignment to permanently deactivated employees.
    Option set: The account definition assignment remains in effect. The user account
    remains intact.
    Option not set (default): The account definition assignment is not in effect. The
    associated user account is deleted.

Retain account definition if temporarily disabled
    Specifies the account definition assignment to temporarily deactivated employees.
    Option set: The account definition assignment remains in effect. The user account
    remains intact.
    Option not set (default): The account definition assignment is not in effect. The
    associated user account is deleted.

Retain account definition on deferred deletion
    Specifies the account definition assignment on deferred deletion of employees.
    Option set: The account definition assignment remains in effect. The user account
    remains intact.
    Option not set (default): The account definition assignment is not in effect. The
    associated user account is deleted.

Retain account definition on security risk
    Specifies the account definition assignment to employees posing a security risk.
    Option set: The account definition assignment remains in effect. The user account
    remains intact.
    Option not set (default): The account definition assignment is not in effect. The
    associated user account is deleted.

Resource type
    Resource type for grouping account definitions.

Spare field 01 - spare field 10
    Additional company-specific information. Use the Designer to customize display
    names, formats, and templates for the input fields.

Groups can be inherited
    Specifies whether the user account can inherit groups through the linked employee.
    If the option is set, the user account inherits groups through hierarchical roles,
    in which the employee is a member, or through IT Shop requests.
    • If you add an employee with a user account to a department, for example, and
      you have assigned groups to this department, the user account inherits these
      groups.
    • If an employee has requested group membership in the IT Shop and the request
      is granted approval, the employee's user account only inherits the group if the
      option is set.

Subscriptions can be inherited
    Specifies whether the user account can inherit Azure Active Directory
    subscriptions through the employee. If this option is set, the user account
    inherits Azure Active Directory subscriptions through hierarchical roles or IT
    Shop requests.
    • If you add an employee with a user account to a department, for example, and
      you have assigned Azure Active Directory subscriptions to this department, the
      user account inherits these Azure Active Directory subscriptions.
    • If an employee has requested an Azure Active Directory subscription in the IT
      Shop and the request is granted approval, the employee's user account only
      inherits the Azure Active Directory subscription if the option is set.

Administrator roles can be inherited
    Specifies whether the user account can inherit Azure Active Directory
    administrator roles through the employee. If this option is set, the user account
    inherits administrator roles through hierarchical roles or IT Shop requests.
    • If you add an employee with a user account to a department, for example, and
      you have assigned administrator roles to this department, the user account
      inherits these administrator roles.
    • If an employee has requested an administrator role in the IT Shop and the
      request is granted approval, the employee's user account only inherits the
      administrator role if the option is set.

Disabled service plans can be inherited
    Specifies whether the user account can inherit disabled Azure Active Directory
    service plans through the employee. If this option is set, the user account
    inherits disabled service plans through hierarchical roles or IT Shop requests.
    • If you add an employee with a user account to a department, for example, and
      you have assigned disabled service plans to this department, the user account
      inherits these disabled service plans.
    • If an employee has requested a disabled service plan in the IT Shop and the
      request is granted approval, the employee's user account only inherits the
      disabled service plan if the option is set.

Office 365 groups can be inherited
    NOTE: This property is only available if the Exchange Online Module is installed.
    Specifies whether the user account can inherit Office 365 groups through the
    linked employee. If the option is set, the user account inherits Office 365 groups
    through hierarchical roles, in which the employee is a member, or through IT Shop
    requests.
    • If you add an employee with a user account to a department, for example, and
      you have assigned Office 365 groups to this department, the Azure Active
      Directory user account inherits these Office 365 groups.
    • If an employee has requested group membership in the IT Shop and the request
      is granted approval, the employee's Azure Active Directory user account only
      inherits the Office 365 group if the option is set.
    For more information about Office 365 groups, see the One Identity Manager
    Administration Guide for Connecting to Exchange Online.

Editing manage levels


One Identity Manager supplies a default configuration for manage levels:

• Unmanaged: User accounts with the Unmanaged manage level are linked to the
  employee but they do not inherit any further properties. When a new user account is
  added with this manage level and an employee is assigned, some of the employee's
  properties are transferred initially. If the employee properties are changed at a later
  date, the changes are not passed onto the user account.
• Full managed: User accounts with the Full managed manage level inherit defined
  properties of the assigned employee. When a new user account is created with this
  manage level and an employee is assigned, the employee's properties are
  transferred in an initial state. If the employee properties are changed at a later date,
  the changes are passed onto the user account.

NOTE: The Full managed and Unmanaged manage levels are analyzed in templates.
You can customize the supplied templates in the Designer.
You can define other manage levels depending on your requirements. You need to amend
the templates to include manage level approaches.
Specify the effect of temporarily or permanently disabling, deleting, or the security risk of
an employee on its user accounts and group memberships for each manage level. For
detailed information about manage levels, see the One Identity Manager Target System
Base Module Administration Guide.

• Employee user accounts can be locked when they are disabled, deleted, or rated as a
  security risk so that permissions are immediately withdrawn. If the employee is
  reinstated at a later date, the user accounts are also reactivated.
• You can also define group membership inheritance. Inheritance can be discontinued
  if desired when, for example, the employee’s user accounts are disabled and
  therefore cannot be members in groups. During this time, no inheritance processes
  should be calculated for this employee. Existing group memberships are deleted.

To edit a manage level

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Account definitions > Manage levels category.
2. Select the manage level in the result list.
3. Select the Change main data task.
4. Edit the manage level's main data.
5. Save the changes.

Related topics

• Main data for manage levels on page 64
• Creating manage levels on page 63
• Assigning manage levels to account definitions on page 64

Creating manage levels


One Identity Manager supplies a default configuration for the Unmanaged and Full
managed manage levels. You can define other manage levels depending on your
requirements.
IMPORTANT: In the Designer, extend the templates by adding the procedure for the
additional manage levels. For detailed information about templates, see the One Identity
Manager Configuration Guide.

To create a manage level

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Account definitions > Manage levels category.
2. Click in the result list.
3. On the main data form, edit the main data of the manage level.
4. Save the changes.

Related topics

• Main data for manage levels on page 64
• Editing account definitions on page 58
• Assigning manage levels to account definitions on page 64

Assigning manage levels to account
definitions
IMPORTANT: The Unmanaged manage level is assigned automatically when you create
an account definition and it cannot be removed.

To assign manage levels to an account definition

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Account definitions > Account definitions category.
2. Select an account definition in the result list.
3. Select the Assign manage level task.
4. In the Add assignments pane, assign the manage level.
TIP: In the Remove assignments pane, you can remove assigned manage levels.

   To remove an assignment
   • Select the manage level and double-click .
5. Save the changes.

Main data for manage levels


Enter the following data for a manage level.

Table 10: Main data for manage levels

Property
    Description

Manage level
    Name of the manage level.

Description
    Text field for additional explanation.

IT operating data overwrites
    Specifies whether user account data formatted from IT operating data is
    automatically updated. Permitted values are:
    • Never: Data is not updated. (Default)
    • Always: Data is always updated.
    • Only initially: Data is only determined at the start.

Retain groups if temporarily disabled
    Specifies whether user accounts of temporarily deactivated employees retain their
    group memberships.

Lock user accounts if temporarily disabled
    Specifies whether user accounts of temporarily deactivated employees are locked.

Retain groups if permanently disabled
    Specifies whether user accounts of permanently deactivated employees retain group
    memberships.

Lock user accounts if permanently disabled
    Specifies whether user accounts of permanently deactivated employees are locked.

Retain groups on deferred deletion
    Specifies whether user accounts of employees marked for deletion retain their group
    memberships.

Lock user accounts if deletion is deferred
    Specifies whether user accounts of employees marked for deletion are locked.

Retain groups on security risk
    Specifies whether user accounts of employees posing a security risk retain their
    group memberships.

Lock user accounts if security is at risk
    Specifies whether user accounts of employees posing a security risk are locked.

Retain groups if user account disabled
    Specifies whether disabled user accounts retain their group memberships.
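As an added illustration that is not part of this guide and not One Identity Manager code, the following Python model combines the "Retain account definition ..." options of Table 9 with the lock and group options of Table 10 to show, for each employee state, whether a user account is deleted, locked, or keeps its group memberships; the review helper lists the states in which a retained account stays unlocked. The class and option names, the EmployeeState values and the configuration used in the check are assumptions of this example.

```python
"""Illustrative model of the deprovisioning options in Table 9 ("Retain account
definition ...") and Table 10 ("Lock user accounts ..." / "Retain groups ...").
Added example: not One Identity Manager code, and it calls no OneIM API."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class EmployeeState(Enum):
    ACTIVE = "active"
    TEMPORARILY_DISABLED = "temporarily disabled"
    PERMANENTLY_DISABLED = "permanently disabled"
    DEFERRED_DELETION = "deferred deletion"
    SECURITY_RISK = "security risk"


@dataclass
class AccountDefinition:
    # The four "Retain account definition ..." options; "not set" is the default.
    retain_if_temporarily_disabled: bool = False
    retain_if_permanently_disabled: bool = False
    retain_on_deferred_deletion: bool = False
    retain_on_security_risk: bool = False

    def assignment_in_effect(self, state: EmployeeState) -> bool:
        # Option set: the assignment stays in effect and the account remains.
        # Option not set: the assignment lapses and the account is deleted.
        return {
            EmployeeState.ACTIVE: True,
            EmployeeState.TEMPORARILY_DISABLED: self.retain_if_temporarily_disabled,
            EmployeeState.PERMANENTLY_DISABLED: self.retain_if_permanently_disabled,
            EmployeeState.DEFERRED_DELETION: self.retain_on_deferred_deletion,
            EmployeeState.SECURITY_RISK: self.retain_on_security_risk,
        }[state]


@dataclass
class ManageLevel:
    # The per-state "Lock user accounts ..." and "Retain groups ..." options.
    lock_if_temporarily_disabled: bool = False
    retain_groups_if_temporarily_disabled: bool = False
    lock_if_permanently_disabled: bool = False
    retain_groups_if_permanently_disabled: bool = False
    lock_if_deletion_deferred: bool = False
    retain_groups_on_deferred_deletion: bool = False
    lock_if_security_at_risk: bool = False
    retain_groups_on_security_risk: bool = False

    def lock_and_groups(self, state: EmployeeState) -> tuple[bool, bool]:
        # Returns (account locked, group memberships retained) for the state.
        s = EmployeeState
        return {
            s.ACTIVE: (False, True),
            s.TEMPORARILY_DISABLED: (self.lock_if_temporarily_disabled,
                                     self.retain_groups_if_temporarily_disabled),
            s.PERMANENTLY_DISABLED: (self.lock_if_permanently_disabled,
                                     self.retain_groups_if_permanently_disabled),
            s.DEFERRED_DELETION: (self.lock_if_deletion_deferred,
                                  self.retain_groups_on_deferred_deletion),
            s.SECURITY_RISK: (self.lock_if_security_at_risk,
                              self.retain_groups_on_security_risk),
        }[state]


@dataclass(frozen=True)
class Outcome:
    account_deleted: bool
    account_locked: bool
    groups_retained: bool


def evaluate(state: EmployeeState, definition: AccountDefinition,
             level: ManageLevel) -> Outcome:
    """Combine both option sets for one employee state."""
    if not definition.assignment_in_effect(state):
        # The account is deleted, so locking and group retention no longer apply.
        return Outcome(True, False, False)
    locked, groups = level.lock_and_groups(state)
    return Outcome(False, locked, groups)


def unlocked_retained_states(definition: AccountDefinition,
                             level: ManageLevel) -> list[EmployeeState]:
    """Review helper: non-active states in which the employee keeps a user
    account that is neither deleted nor locked, i.e. it stays usable."""
    kept = []
    for state in EmployeeState:
        outcome = evaluate(state, definition, level)
        if state is not EmployeeState.ACTIVE and not (
                outcome.account_deleted or outcome.account_locked):
            kept.append(state)
    return kept
```

With every option left at its default, every non-active state deletes the account, so the review helper returns an empty list; it only reports states once a "Retain account definition" option is set without the matching lock.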

Creating mapping rules for IT operating data


An account definition specifies which rules are used to form the IT operating data and
which default values will be used if no IT operating data can be found through the
employee's primary roles.
The following IT operating data is used in the One Identity Manager default configuration
for automatically creating user accounts for an employee in the target system and
modifying them.

• Groups can be inherited
• Administrator roles can be inherited
• Subscriptions can be inherited
• Disabled service plans can be inherited
• Change password at next login
• Identity
• Privileged user account

To create a mapping rule for IT operating data

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Account definitions > Account definitions category.
2. Select an account definition in the result list.
3. Select the Edit IT operating data mapping task.
4. Click Add and enter the following information:
   • Column: User account property for which the value is set. In the menu, you
     can select the columns that use the TSB_ITDataFromOrg script in their template.
     For more information about this, see the One Identity Manager Target System
     Base Module Administration Guide.
   • Source: Specifies which roles to use in order to find the user account
     properties. You have the following options:
     • Primary department
     • Primary location
     • Primary cost center
     • Primary business roles
       NOTE: The business role can only be used if the Business Roles Module
       is available.
     • Empty
     If you select a role, you must specify a default value and set the Always
     use default value option.
   • Default value: Default value of the property for an employee's user account
     if the value is not determined dynamically from the IT operating data.
   • Always use default value: Specifies whether the user account property is
     always set with the default value. IT operating data is not determined
     dynamically from a role.
   • Notify when applying the default: Specifies whether an email is sent to a
     specific mailbox when the default value is used. The Employee - new user
     account with default properties created mail template is used.
     To change the mail template, in the Designer, adjust the TargetSystem
     | AzureAD | Accounts | MailTemplateDefaultValues configuration
     parameter.
     To change the mail template, in the Designer, adjust the TargetSystem |
     AzureAD | ExchangeOnline | Accounts | MailTemplateDefaultValues
     configuration parameter.
5. Save the changes.

Related topics

l Entering IT operating data on page 66

Entering IT operating data


To create user accounts with the Full managed manage level, the required IT operating
data must be determined. The operating data required to automatically supply an
employee with IT resources is shown in the business roles, departments, locations, or cost
centers. An employee is assigned a primary business role, primary location, primary
department, or primary cost center. The necessary IT operating data is ascertained from
these assignments and used in creating the user accounts. Default values are used if valid
IT operating data cannot be found over the primary roles.
You can also specify IT operating data directly for a specific account definition.

Example:

Normally, each employee in department A obtains a default user account in the client
A. In addition, certain employees in department A obtain administrative user
accounts in the client A.
Create an account definition A for the default user account of the tenant A and an
account definition B for the administrative user account of tenant A. In the IT
operating data mapping rule for the account definitions A and B, specify the
Department property in order to determine the valid IT operating data.
Specify the effective IT operating data of department A for the tenant A. This IT
operating data is used for standard user accounts. In addition, for department A,
specify the effective IT operating data of account definition B. This IT operating data
is used for administrative user accounts.

To define IT operating data

1. In the Manager, select the role in the Organizations or Business roles category.
2. Select the Edit IT operating data task.
3. Click Add and enter the following data.
l Effects on: Specify an IT operating data application scope. The IT operating
data can be used for a target system or a defined account definition.

To specify an application scope


a. Click next to the field.
b. Under Table, select the table that maps the target system, or select the
TSBAccountDef table to use an account definition.
c. Select the specific target system or account definition under Effects on.
d. Click OK.
l Column: Select the user account property for which the value is set.
In the menu, you can select the columns that use the TSB_ITDataFromOrg script
in their template. For more information about this, see the One Identity
Manager Target System Base Module Administration Guide.
l Value: Enter a fixed value to assign to the user account's property.
4. Save the changes.

Related topics

l Creating mapping rules for IT operating data on page 65

Modify IT operating data
If IT operating data changes, you must transfer the changes to the existing user accounts.
To do this, templates must be rerun on the affected columns. Before you can run the
templates, you can check what effect a change to the IT operating data has on the existing
user accounts. You can decide whether the change is transferred to the One Identity
Manager database in the case of each affected column in each affected database.

Prerequisites

l The IT operating data of a department, a cost center, a business role, or a location
have been changed.
- OR -
l The default values in the IT operating data template were modified for an account
definition.

NOTE: If the assignment of an employee to a primary department, cost center, to a
primary business role or to a primary location changes, the templates are
automatically run.

To run the template

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Account definitions > Account definitions category.
2. Select an account definition in the result list.
3. Select the Run templates task.
This displays a list of all user accounts that were created with the selected account
definition and whose properties were changed by modifying the IT operating data.
That means:
l Old value: Value of the object property before changing the IT operating data.
l New value: Value of the object property after changing the IT operating data.
l Selection: Specifies whether the new value is copied to the user account.
4. Mark all the object properties in the selection column that will be given the
new value.
5. Click Apply.
The templates are applied to all selected user accounts and properties.
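The resolution order that the three procedures above describe (IT operating data looked up through the employee's primary role, scoped either to the tenant or to a specific account definition, the mapping rule's default value as fallback, and the Run templates preview of what would change) is easier to see in one place. The following Python model is an added illustration with constructed sample data, not code from One Identity Manager; in the product the lookup is done by the TSB_ITDataFromOrg script referenced in the column templates. The precedence of account-definition-scoped data over tenant-scoped data is an assumption, marked as such in the code, and the column names are the display names from the list of IT operating data above.

```python
"""Model of how IT operating data resolves to user-account property values.

Added illustration with constructed data, not One Identity Manager code: in
the product the lookup is done by the TSB_ITDataFromOrg script in the column
templates. Assumptions made here: IT operating data whose 'Effects on' scope
is the account definition takes precedence over data scoped to the tenant,
and the rule's default value is the fallback when neither is found.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MappingRule:
    """One row of 'Edit IT operating data mapping' on an account definition."""
    column: str
    source: str                      # "Primary department", ..., or "Empty"
    default_value: str
    always_use_default: bool = False
    notify_when_default: bool = False


@dataclass(frozen=True)
class OperatingData:
    """One row of 'Edit IT operating data' on a department, location, etc."""
    role: str          # e.g. "Department A"
    effects_on: str    # 'Effects on' scope: a tenant or an account definition
    column: str
    value: str


@dataclass(frozen=True)
class Resolution:
    value: str
    from_default: bool   # True when the rule's default value was applied
    notify: bool         # True when 'Notify when applying the default' fires


@dataclass
class ManagedAccount:
    """A user account created with an account definition (Full managed)."""
    name: str
    primary_roles: dict   # the linked employee's primary roles, by source name
    properties: dict      # property values currently stored on the account


def resolve_property(rule, primary_roles, account_definition, tenant, operating_data):
    """Value for one column, following the resolution order described in the guide."""
    if rule.always_use_default or rule.source == "Empty":
        return Resolution(rule.default_value, True, rule.notify_when_default)
    role = primary_roles.get(rule.source)
    if role is not None:
        # Assumption: account-definition scope is checked before the tenant scope.
        for scope in (account_definition, tenant):
            for row in operating_data:
                if (row.role, row.effects_on, row.column) == (role, scope, rule.column):
                    return Resolution(row.value, False, False)
    return Resolution(rule.default_value, True, rule.notify_when_default)


# Constructed sample after the guide's example: department A in tenant A,
# account definition A (standard accounts) and B (administrative accounts).
TENANT = "Tenant A"
RULES = [
    MappingRule("Privileged user account", "Primary department", "False",
                notify_when_default=True),
    MappingRule("Groups can be inherited", "Primary department", "False"),
    MappingRule("Change password at next login", "Empty", "True"),
]
OPERATING_DATA = [
    OperatingData("Department A", "Tenant A", "Privileged user account", "False"),
    OperatingData("Department A", "Account definition B", "Privileged user account", "True"),
    OperatingData("Department A", "Tenant A", "Groups can be inherited", "True"),
]


def resolve_all(primary_roles, account_definition, operating_data=OPERATING_DATA):
    """Resolve every mapped column for one employee and account definition."""
    return {r.column: resolve_property(r, primary_roles, account_definition, TENANT, operating_data)
            for r in RULES}


def preview_template_run(accounts, account_definition, operating_data):
    """Mimic the 'Run templates' task: report (account, column, old value, new value)
    for every property that would change under the given IT operating data."""
    changes = []
    for acct in accounts:
        resolved = resolve_all(acct.primary_roles, account_definition, operating_data)
        for column, res in resolved.items():
            old = acct.properties.get(column)
            if old != res.value:
                changes.append((acct.name, column, old, res.value))
    return changes


if __name__ == "__main__":
    for definition in ("Account definition A", "Account definition B"):
        print(definition, resolve_all({"Primary department": "Department A"}, definition))
```

With the sample data, an employee in department A gets Privileged user account = False under account definition A (tenant-scoped data) and True under account definition B (account-definition-scoped data); an employee whose department has no data falls back to the default and raises the notification flag. Calling preview_template_run with a modified operating data list yields exactly the old/new pairs the Run templates task lets you approve before anything is written.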

Assigning account definitions to employees


Account definitions are assigned to company employees.
Indirect assignment is the default method for assigning account definitions to employees.
Account definitions are assigned to departments, cost centers, locations, or roles. The
employees are categorized into these departments, cost centers, locations, or roles
depending on their function in the company and thus obtain their account definitions. To
react quickly to special requests, you can assign individual account definitions directly to
employees.
You can automatically assign special account definitions to all company employees. It is
possible to assign account definitions to the IT Shop as requestable products. Department
managers can then request user accounts from the Web Portal for their staff. It is also
possible to add account definitions to system roles. These system roles can be assigned to
employees through hierarchical roles or added directly to the IT Shop as products.
In the One Identity Manager default installation, the processes are checked at the start to
see if the employee already has a user account in the target system that has an account
definition. If no user account exists, a new user account is created with the account
definition’s default manage level.
NOTE: If a user account already exists and is disabled, then it is re-enabled. In this case,
you must change the user account manage level afterward.
NOTE: As long as an account definition for an employee is valid, the employee retains the
user account that was created by it. If the account definition assignment is removed, the
user account that was created from this account definition, is deleted.

Prerequisites for indirect assignment of account definitions to employees

l Assignment of employees and account definitions is permitted for role classes
(departments, cost centers, locations, or business roles).

To configure assignments to roles of a role class

1. In the Manager, select role classes in the Organizations > Basic configuration
data > Role classes category.
- OR -
In the Manager, select role classes in the Business roles > Basic configuration
data > Role classes category.
2. Select the Configure role assignments task and configure the permitted
assignments.
l To generally allow an assignment, enable the Assignments allowed column.
l To allow direct assignment, enable the Direct assignments permitted
column.
3. Save the changes.

For detailed information about preparing role classes to be assigned, see the One Identity
Manager Identity Management Base Module Administration Guide.

Detailed information about this topic

l Assigning account definitions to departments, cost centers, and locations on page 70
l Assigning account definitions to business roles on page 70
l Assigning account definitions to all employees on page 71
l Assigning account definitions directly to employees on page 72
l Assigning account definitions to system roles on page 72
l Adding account definitions in the IT Shop on page 73

Assigning account definitions to departments, cost centers, and locations

To add account definitions to hierarchical roles

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Account definitions > Account definitions category.
2. Select an account definition in the result list.
3. Select the Assign organizations task.
4. In the Add assignments pane, assign the organizations:
l On the Departments tab, assign departments.
l On the Locations tab, assign locations.
l On the Cost centers tab, assign cost centers.
TIP: In the Remove assignments pane, you can remove assigned organizations.

To remove an assignment
l Select the organization and double-click .
5. Save the changes.

Related topics

l Assigning account definitions to business roles on page 70
l Assigning account definitions to all employees on page 71
l Assigning account definitions directly to employees on page 72
l Assigning account definitions to system roles on page 72
l Adding account definitions in the IT Shop on page 73

Assigning account definitions to business roles


NOTE: This function is only available if the Business Roles Module is installed.

To add account definitions to hierarchical roles

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Account definitions > Account definitions category.
2. Select an account definition in the result list.
3. Select the Assign business roles task.
4. In the Add assignments pane, select the role class and assign business roles.
TIP: In the Remove assignments pane, you can remove assigned business roles.

To remove an assignment
l Select the business role and double-click .
5. Save the changes.

Related topics

l Assigning account definitions to departments, cost centers, and locations on page 70
l Assigning account definitions to all employees on page 71
l Assigning account definitions directly to employees on page 72
l Assigning account definitions to system roles on page 72
l Adding account definitions in the IT Shop on page 73

Assigning account definitions to all employees


Use this task to assign the account definition to all internal employees. Employees that are
marked as external do not obtain this account definition. Once a new internal employee is
created, they automatically obtain this account definition. The assignment is calculated by
the DBQueue Processor.
IMPORTANT: Only run this task if you can ensure that all current internal employees in
the database and all pending newly added internal employees obtain a user account in
this target system.

To assign an account definition to all employees

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Account definitions > Account definitions category.
2. Select an account definition in the result list.
3. Select the Change main data task.
4. Select the Disable automatic assignment to employees task.
5. Confirm the security prompt with Yes.
6. Save the changes.

NOTE: To automatically remove the account definition assignment from all
employees, run the DISABLE AUTOMATIC ASSIGNMENT TO EMPLOYEES task. The
account definition cannot be reassigned to employees from this point on. Existing
assignments remain intact.

Related topics

l Assigning account definitions to departments, cost centers, and locations on page 70
l Assigning account definitions to business roles on page 70
l Assigning account definitions directly to employees on page 72
l Assigning account definitions to system roles on page 72
l Adding account definitions in the IT Shop on page 73

Assigning account definitions directly to employees

To assign an account definition directly to employees

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Account definitions > Account definitions category.
2. Select an account definition in the result list.
3. Select the Assign to employees task.
4. In the Add assignments pane, add employees.
TIP: In the Remove assignments pane, you can remove assigned employees.

To remove an assignment
l Select the employee and double-click .
5. Save the changes.

Related topics

l Assigning account definitions to departments, cost centers, and locations on page 70
l Assigning account definitions to business roles on page 70
l Assigning account definitions to all employees on page 71
l Assigning account definitions to system roles on page 72
l Adding account definitions in the IT Shop on page 73

Assigning account definitions to system roles


NOTE: This function is only available if the System Roles Module is installed.

Account definitions with the Only use in IT Shop option can only be assigned to system
roles that also have this option set.

To add account definitions to a system role

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Account definitions > Account definitions category.
2. Select an account definition in the result list.
3. Select the Assign system roles task.
4. In the Add assignments pane, assign system roles.
TIP: In the Remove assignments pane, you can remove assigned system roles.

To remove an assignment
l Select the system role and double-click .
5. Save the changes.

Related topics

l Assigning account definitions to departments, cost centers, and locations on page 70
l Assigning account definitions to business roles on page 70
l Assigning account definitions to all employees on page 71
l Assigning account definitions directly to employees on page 72
l Adding account definitions in the IT Shop on page 73

Adding account definitions in the IT Shop


An account definition can be requested by shop customers when it is assigned to an IT Shop
shelf. To ensure it can be requested, further prerequisites need to be guaranteed.

l The account definition must be labeled with the IT Shop option.
l The account definition must be assigned to a service item.
TIP: In the Web Portal, all products that can be requested are grouped together by
service category. To make the account definition easier to find in the Web Portal,
assign a service category to the service item.
l If the account definition is only assigned to employees using IT Shop assignments,
you must also set the Only for use in IT Shop option. Direct assignment to
hierarchical roles may not be possible.

NOTE: IT Shop administrators can assign account definitions to IT Shop shelves if login is
role-based. Target system administrators are not authorized to add account definitions in
the IT Shop.

To add an account definition to the IT Shop (role-based login)

1. In the Manager, select the Entitlements > Account definitions category.
2. Select an account definition in the result list.
3. Select the Add to IT Shop task.
4. In the Add assignments pane, assign the account definitions to the IT Shop
shelves.
5. Save the changes.

To add an account definition to the IT Shop (non role-based login)

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Account definitions > Account definitions category.
2. Select an account definition in the result list.
3. Select the Add to IT Shop task.
4. In the Add assignments pane, assign the account definitions to the IT Shop
shelves.
5. Save the changes.

To remove an account definition from individual IT Shop shelves (role-based login)

1. In the Manager, select the Entitlements > Account definitions category.
2. Select an account definition in the result list.
3. Select the Add to IT Shop task.
4. In the Remove assignments pane, remove the account definitions from the IT
Shop shelves.
5. Save the changes.

To remove an account definition from individual IT Shop shelves (non role-based login)

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Account definitions > Account definitions category.
2. Select an account definition in the result list.
3. Select the Add to IT Shop task.
4. In the Remove assignments pane, remove the account definitions from the IT
Shop shelves.
5. Save the changes.

To remove an account definition from all IT Shop shelves (role-based login)

1. In the Manager, select the Entitlements > Account definitions category.
2. Select an account definition in the result list.
3. Select the Remove from all shelves (IT Shop) task.
4. Confirm the security prompt with Yes.
5. Click OK.
The account definition is removed from all shelves by the One Identity Manager
Service. At the same time, any requests and assignment requests with this account
definition are canceled.

To remove an account definition from all IT Shop shelves (non role-based login)

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Account definitions > Account definitions category.
2. Select an account definition in the result list.
3. Select the Remove from all shelves (IT Shop) task.
4. Confirm the security prompt with Yes.
5. Click OK.
The account definition is removed from all shelves by the One Identity Manager
Service. At the same time, any requests and assignment requests with this account
definition are canceled.

For detailed information about requesting company resources through the IT Shop, see the
One Identity Manager IT Shop Administration Guide.

Related topics

l Main data for an account definition on page 58
l Assigning account definitions to departments, cost centers, and locations on page 70
l Assigning account definitions to business roles on page 70
l Assigning account definitions to all employees on page 71
l Assigning account definitions directly to employees on page 72
l Assigning account definitions to system roles on page 72

Assigning account definitions to Azure Active Directory tenants
The following prerequisites must be fulfilled if you implement automatic assignment of
user accounts and employees resulting in administered user accounts (Linked
configured state):

l The account definition is assigned to the target system.
l The account definition has the default manage level.

User accounts are only linked to the employee (Linked state) if no account definition is
given. This is the case on initial synchronization, for example.

To assign the account definition to a target system

1. In the Manager, select the Azure Active Directory tenant in the Azure Active
Directory > Tenants category.
2. Select the Change main data task.
3. From the Account definition (initial) menu, select the account definition for
user accounts.
4. Save the changes.

Detailed information about this topic

l Assigning employees automatically to Azure Active Directory user accounts on page 78

Deleting account definitions


You can delete account definitions if they are not assigned to target systems, employees,
hierarchical roles or any other account definitions.

To delete an account definition

1. Remove automatic assignments of the account definition from all employees.
a. In the Manager, select the Azure Active Directory > Basic configuration
data > Account definitions > Account definitions category.
b. Select an account definition in the result list.
c. Select the Change main data task.
d. Select the Disable automatic assignment to employees task.
e. Confirm the security prompt with Yes.
f. Save the changes.
2. Remove direct assignments of the account definition to employees.
a. In the Manager, select the Azure Active Directory > Basic configuration
data > Account definitions > Account definitions category.
b. Select an account definition in the result list.
c. Select the Assign to employees task.
d. In the Remove assignments pane, remove employees.
e. Save the changes.
3. Remove the account definition's assignments to departments, cost centers, and
locations.
a. In the Manager, select the Azure Active Directory > Basic configuration
data > Account definitions > Account definitions category.
b. Select an account definition in the result list.
c. Select the Assign organizations task.
d. In the Remove assignments pane, remove the relevant departments, cost
centers, and locations.
e. Save the changes.
4. Remove the account definition's assignments to business roles.
a. In the Manager, select the Azure Active Directory > Basic configuration
data > Account definitions > Account definitions category.
b. Select an account definition in the result list.
c. Select the Assign business roles task.
d. In the Remove assignments pane, remove the business roles.
e. Save the changes.
5. If the account definition was requested through the IT Shop, it must be canceled and
removed from all IT Shop shelves.
For more detailed information about unsubscribing requests, see the One Identity
Manager Web Designer Web Portal User Guide.

To remove an account definition from all IT Shop shelves (role-based login)
a. In the Manager, select the Entitlements > Account definitions category.
b. Select an account definition in the result list.
c. Select the Remove from all shelves (IT Shop) task.
d. Confirm the security prompt with Yes.
e. Click OK.
The account definition is removed from all shelves by the One Identity Manager
Service. At the same time, any requests and assignment requests with this
account definition are canceled.

To remove an account definition from all IT Shop shelves (non role-based login)
a. In the Manager, select the Azure Active Directory > Basic configuration
data > Account definitions > Account definitions category.
b. Select an account definition in the result list.
c. Select the Remove from all shelves (IT Shop) task.
d. Confirm the security prompt with Yes.
e. Click OK.
The account definition is removed from all shelves by the One Identity Manager
Service. At the same time, any requests and assignment requests with this
account definition are canceled.

6. Remove the required account definition assignment. As long as the account definition
is required for another account definition, it cannot be deleted. Check all the account
definitions.
a. In the Manager, select the Azure Active Directory > Basic configuration
data > Account definitions > Account definitions category.
b. Select an account definition in the result list.
c. Select the Change main data task.
d. From the Required account definition menu, remove the account definition.
e. Save the changes.
7. Remove the account definition's assignments to target systems.
a. In the Manager, select the Azure Active Directory tenant in the Azure Active
Directory > Tenants category.
b. Select the Change main data task.
c. On the General tab, remove the assigned account definitions.
d. Save the changes.
8. Delete the account definition.
a. In the Manager, select the Azure Active Directory > Basic configuration
data > Account definitions > Account definitions category.
b. Select an account definition in the result list.
c. Click to delete an account definition.

Assigning employees automatically to Azure Active Directory user accounts
When you add a user account, an existing employee can automatically be assigned to it. If
necessary, a new employee can be created. The identity's main data is created on the basis
of existing user account main data. This mechanism can be triggered after a new user
account is created either manually or through synchronization. After synchronization,
identities are automatically assigned to all new user accounts. If no matching identity can
be found, a new identity is created using existing user main data.
Define criteria for finding employees to apply to automatic employee assignment. If a user
account is linked to an employee through the current mode, the user account is given,
through an internal process, the default manage level of the account definition entered in
the user account's target system. You can customize user account properties depending on
how the behavior of the manage level is defined.
If you run this procedure during working hours, automatic assignment of employees to
user accounts takes place from that moment onwards. If you disable the procedure again
later, the changes only affect user accounts added or updated after this point in time.
Existing employee assignments to user accounts remain intact.

NOTE: It is not recommended to assign employees using automatic employee assignment
in the case of administrative user accounts. Use Change main data to assign
employees to administrative user accounts for the respective user account.
For more information about assigning employees automatically, see the One Identity
Manager Target System Base Module Administration Guide.
Run the following tasks to assign employees automatically:

l If you want employees to be assigned during the synchronization of user accounts, in
the Designer, set the TargetSystem | AzureAD | PersonAutoFullsync
configuration parameter and select the required mode.
l If you want employees to be assigned outside synchronization in the Designer, set
the TargetSystem | AzureAD | PersonAutoDefault configuration parameter and
select the required mode.
l In the TargetSystem | AzureAD | PersonExcludeList configuration
parameter, define the user accounts for which no automatic assignment to
employees is to take place.
Example:
ADMINISTRATOR|GUEST
TIP: You can edit the value of the configuration parameter in the Exclude list for
automatic employee assignment dialog.

To edit the exclude list for automatic employee assignment

1. In the Designer, edit the PersonExcludeList configuration parameter.
2. Click ... next to the Value field.
This opens the Exclude list for Azure Active Directory user
accounts dialog.
3. To add a new entry, click Add.
To edit an entry, select it and click Edit.
4. Enter the name of the user account that does not allow employees to be
assigned automatically.
Each entry in the list is handled as part of a regular expression. You are
allowed to use the usual special characters for regular expressions.
5. To delete an entry, select it and click Delete.
6. Click OK.
l Use the TargetSystem | AzureAD | PersonAutoDisabledAccounts configuration
parameter to specify whether employees can be automatically assigned to disabled
user accounts. User accounts do not obtain an account definition.
l Assign an account definition to the tenant. Ensure that the manage level to be used is
entered as the default manage level.
l Define the search criteria for employee assignment in the tenant.

NOTE:
The following applies for synchronization:

l Automatic employee assignment takes effect if user accounts are added or updated.

The following applies outside synchronization:

l Automatic employee assignment takes effect if user accounts are added.

NOTE:
In the default installation, after synchronizing, employees are automatically created for
the user accounts. If an account definition for the tenant is not known at the time of
synchronization, user accounts are linked with employees. However, account definitions
are not assigned. The user accounts are therefore in a Linked state.
To manage the user accounts using account definitions, assign an account definition and a
manage level to these user accounts.
For more information, see Managing Azure Active Directory user accounts through
account definitions on page 52.

Related topics

l Creating account definitions on page 57
l Assigning account definitions to Azure Active Directory tenants on page 75
l Changing manage levels for Azure Active Directory user accounts on page 83
l Editing search criteria for automatic employee assignment on page 80
l Finding employees and directly assigning them to user accounts on page 81

Editing search criteria for automatic employee assignment
NOTE: One Identity Manager supplies a default mapping for employee assignment. Only
carry out the following steps when you want to customize the default mapping.
The criteria for employee assignments are defined for the tenant. You specify which user
account properties must match the employee’s properties such that the employee can be
assigned to the user account. You can limit search criteria further by using format
definitions.
The search criterion is written in XML notation to the Search criteria for
automatic employee assignment column (AccountToPersonMatchingRule) in the
AADOrganization table.
Search criteria are evaluated when employees are automatically assigned to user
accounts. Furthermore, you can create a suggestion list for assignments of employees to
user accounts based on the search criteria and make the assignment directly.

NOTE: Object definitions for user accounts that can have search criteria applied to them
are predefined. For example, if you require other object definitions that limit a
preselection of user accounts, set up the respective custom object definitions in the
Designer. For more information, see the One Identity Manager Configuration Guide.

To specify criteria for employee assignment

1. In the Manager, select the Azure Active Directory > Tenants category.
2. Select the tenant in the result list.
3. Select the Define search criteria for employee assignment task.
4. Specify which user account properties must match with which employee so that the
employee is linked to the user account.

Table 11: Default search criteria for user accounts and contacts

Apply to                              Column for employee                     Column for user account
Azure Active Directory user accounts  Central user account (CentralAccount)   Alias (MailNickName)

5. Save the changes.

For more information about defining search criteria, see the One Identity Manager Target
System Base Module Administration Guide.

Related topics

l Assigning employees automatically to Azure Active Directory user accounts on page 78
l Finding employees and directly assigning them to user accounts on page 81

Finding employees and directly assigning them to user accounts

Based on the search criteria, you can create a suggestion list for the assignment of
employees to user accounts and make the assignment directly. User accounts are grouped
in different views for this.

Table 12: Manual assignment view

View                          Description
Suggested assignments         This view lists all user accounts to which One Identity Manager
                              can assign an employee. All employees are shown who were found
                              using the search criteria and can be assigned.
Assigned user accounts        This view lists all user accounts to which an employee is assigned.
Without employee assignment   This view lists all user accounts to which no employee is assigned
                              and for which no employee was found using the search criteria.

To apply search criteria to user accounts

1. In the Manager, select the Azure Active Directory > Tenants category.
2. Select the tenant in the result list.
3. Select the Define search criteria for employee assignment task.
4. At the bottom of the form, click Reload.
All possible assignments based on the search criteria are found in the target system
for all user accounts. The three views are updated.
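The following model shows how the three views are derived from the search criteria. It is an added illustration, not part of this guide and not One Identity Manager's own code: it applies the default criterion from Table 11 (Alias against Central user account) and the rule that an account carrying an identity can only be linked to an employee with the same identity, then sorts constructed user account records into the Suggested assignments, Assigned user accounts, and Without employee assignment views. The case-insensitive comparison, the treatment of accounts that match more than one employee, and all sample names and values are assumptions of this model.

```python
"""Model of the employee-assignment views built from the search criteria.
Constructed illustration, not One Identity Manager code."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Employee:
    uid: str
    central_account: str            # Person column CentralAccount
    identity_type: str = "Primary"  # employee identity (Primary, Admin, ...)


@dataclass
class UserAccount:
    uid: str
    mail_nickname: str              # AADUser column MailNickName (Alias)
    identity_type: str = "Primary"  # AADUser column IdentityType
    uid_person: Optional[str] = None  # set once an employee is assigned


def matches(account: UserAccount, employee: Employee) -> bool:
    """Default search criterion (Table 11): Alias equals Central user account.
    Case-insensitive comparison is an assumption of this model. The identity
    check follows the rule that an account carrying an identity can only be
    linked to an employee with the same identity."""
    if account.mail_nickname.casefold() != employee.central_account.casefold():
        return False
    return account.identity_type == employee.identity_type


def build_views(accounts, employees):
    """Sort accounts into the three views of Table 12 (what Reload shows)."""
    views = {"suggested": [], "assigned": [], "without": []}
    for acct in accounts:
        if acct.uid_person is not None:
            views["assigned"].append(acct.uid)
            continue
        found = [e.uid for e in employees if matches(acct, e)]
        if found:
            views["suggested"].append((acct.uid, found))
        else:
            views["without"].append(acct.uid)
    return views


def assign_suggested(accounts, employees, selected):
    """'Assign selected' on the Suggested assignments view. Accounts without
    exactly one matching employee are left unchanged and returned (how the
    product treats ambiguous matches is not modelled here)."""
    by_uid = {a.uid: a for a in accounts}
    skipped = []
    for uid in selected:
        found = [e for e in employees if matches(by_uid[uid], e)]
        if len(found) != 1:
            skipped.append(uid)
            continue
        by_uid[uid].uid_person = found[0].uid
    return skipped


# Constructed sample data.
EMPLOYEES = [
    Employee("P1", "jdoe"),
    Employee("P2", "asmith"),
    Employee("P3", "bjones", "Admin"),
]
ACCOUNTS = [
    UserAccount("U1", "JDoe"),                      # suggested: P1
    UserAccount("U2", "bjones", "Admin"),           # suggested: P3
    UserAccount("U3", "asmith", uid_person="P2"),   # already assigned
    UserAccount("U4", "bjones"),                    # identity mismatch: no match
    UserAccount("U5", "nobody"),                    # no employee found
]

if __name__ == "__main__":
    for view, entries in build_views(ACCOUNTS, EMPLOYEES).items():
        print(view, entries)
```

Account U4 lands in the third view although its alias matches employee P3, because the account carries the Primary identity and the employee the Admin identity; this is the situation the identity note in the Supported user account types section describes.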

TIP: By double-clicking on an entry in the view, you can view the user account and
employee main data.
The assignment of employees to user accounts creates connected user accounts (Linked
state). To create managed user accounts (Linked configured state), you can assign an
account definition at the same time.

To assign employees directly from a suggestion list

• Click Suggested assignments.
  1. Click the Selection box of all user accounts to which you want to assign the
     suggested employees. Multi-select is possible.
  2. (Optional) Select an account definition in the Assign this account
     definition menu, and select a manage level in the Assign this account
     manage level menu.
  3. Click Assign selected.
  4. Confirm the security prompt with Yes.
     The employees determined using the search criteria are assigned to the
     selected user accounts. If an account definition was selected, this is assigned
     to all selected user accounts.

- OR -

• Click No employee assignment.
  1. Click Select employee for the user account to which you want to assign an
     employee. Select an employee from the menu.
  2. Click the Selection box of all user accounts to which you want to assign the
     selected employees. Multi-select is possible.
  3. (Optional) Select an account definition in the Assign this account
     definition menu, and select a manage level in the Assign this account
     manage level menu.
  4. Click Assign selected.
  5. Confirm the security prompt with Yes.
     The employees displayed in the Employee column are assigned to the
     selected user accounts. If an account definition was selected, this is assigned
     to all selected user accounts.

To remove assignments

• Click Assigned user accounts.
  1. Click the Selection box of all the user accounts you want to delete the
     employee assignment from. Multi-select is possible.
  2. Click Remove selected.
  3. Confirm the security prompt with Yes.
     The assigned employees are removed from the selected user accounts.

Changing manage levels for Azure Active Directory user accounts

The default manage level is applied if you create user accounts using automatic employee
assignment. You can change a user account manage level later.

To change the manage level for a user account

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Select the user account in the result list.
3. Select the Change main data task.
4. Select the manage level in the Manage level list on the General tab.
5. Save the changes.

Related topics

• Creating and editing Azure Active Directory user accounts on page 177

Supported user account types

Different types of user accounts, such as default user accounts, administrative user
accounts, service accounts, or privileged user accounts, can be mapped in One Identity
Manager.
The following properties are used for mapping different user account types.

• Identity
  The Identity property (IdentityType column) is used to describe the type of
  user account.

Table 13: Identities of user accounts

Identity                     Description                                                    Value of the IdentityType column
Primary identity             Employee's default user account.                               Primary
Organizational identity      Secondary user account used for different roles in the         Organizational
                             organization, for example for subcontracts with other
                             functional areas.
Personalized admin identity  User account with administrative permissions, used by one      Admin
                             employee.
Sponsored identity           User account used for a specific purpose, for example for      Sponsored
                             training purposes.
Shared identity              User account with administrative permissions, used by several  Shared
                             employees.
Service identity             Service account.                                               Service

NOTE: To enable working with identities for user accounts, the employees also
need identities. You can only link user accounts to which an identity is assigned
with employees who have this same identity.
The primary identity, the organizational identity, and the personalized admin identity
are used for different user accounts, which can be used by the same actual employee
to perform their different tasks within the company.
To provide user accounts with a personalized admin identity or an organizational
identity for an employee, you create subidentities for the employee. These
subidentities are then linked to user accounts, enabling you to assign the required
permissions to the different user accounts.
User accounts with a sponsored identity, shared identity, or service identity are
linked to pseudo employees that do not refer to a real employee. These pseudo
employees are needed so that permissions can be inherited by the user accounts.
When evaluating reports, attestations, or compliance checks, check whether pseudo
employees need to be considered separately.
For more information about mapping employee identities, see the One Identity
Manager Identity Management Base Module Administration Guide.

• Privileged user account
Privileged user accounts are used to provide employees with additional privileges.
This includes administrative user accounts or service accounts, for example. The
user accounts are labeled with the Privileged user account property
(IsPrivilegedAccount column).

Detailed information about this topic

• Default user accounts on page 85
• Administrative user accounts on page 86
• Providing administrative user accounts for one employee on page 86
• Providing administrative user accounts for several employees on page 87
• Privileged user accounts on page 88

Default user accounts

Normally, each employee obtains a default user account, which has the permissions they
require for their regular work. The user accounts are linked to the employee. The effect of
the link and the scope of the employee’s inherited properties on the user accounts can be
configured through an account definition and its manage levels.

To create default user accounts through account definitions

1. Create an account definition and assign the Unmanaged and Full managed
manage levels.
2. Specify the effect of temporarily or permanently disabling, deleting, or the
security risk of an employee on its user accounts and group memberships for each
manage level.
3. Create a formatting rule for IT operating data.
You use the mapping rule to define which rules are used to map IT operating data for
user accounts and which default values are used if no IT operating data can be
determined through a person's primary roles.
The type of IT operating data required depends on the target system. The following
settings are recommended for default user accounts:
• In the mapping rules for the IsGroupAccount_Group, IsGroupAccount_SubSku,
  IsGroupAccount_DeniedService, and IsGroupAccount_DirectoryRole columns, use
  the default value 1 and set the Always use default value option.
• In the mapping rule for the IdentityType column, use the default value
  Primary and enable Always use default value.
4. Enter the effective IT operating data for the target system. Select the concrete target
system under Effects on.

Specify in the departments, cost centers, locations, or business roles that IT
operating data should apply when you set up a user account.
5. Assign the account definition to employees.
When the account definition is assigned to an employee, a new user account is
created through the inheritance mechanism and subsequent processing.

Related topics

• Account definitions for Azure Active Directory user accounts on page 56

Administrative user accounts

An administrative user account must be used for certain administrative tasks.
Administrative user accounts are usually predefined by the target system and have fixed
names and login names, such as Administrator.
Administrative user accounts are imported into One Identity Manager during
synchronization.
NOTE: Some administrative user accounts can be automatically identified as privileged
user accounts. To do this, in the Designer, enable the Mark selected user accounts as
privileged schedule.

Related topics

• Providing administrative user accounts for one employee on page 86
• Providing administrative user accounts for several employees on page 87

Providing administrative user accounts for one employee

Prerequisites

• The user account must be labeled as a personalized admin identity.
• The employee who will be using the user account must be labeled as a personalized
  admin identity.
• The employee who will be using the user account must be linked to a main identity.

To prepare an administrative user account for a person

1. Label the user account as a personalized admin identity.
a. In the Manager, select the Azure Active Directory > User accounts
category.
b. Select the user account in the result list.
c. Select the Change main data task.
d. On the General tab, in the Identity selection list, select Personalized
administrator identity.
2. Link the user account to the employee who will be using this administrative
user account.
a. In the Manager, select the Azure Active Directory > User accounts
category.
b. Select the user account in the result list.
c. Select the Change main data task.
d. On the General tab, in the Person selection list, select the employee who will
be using this administrative user account.
TIP: If you are the target system manager, you can choose to create a
new person.

Related topics

• Providing administrative user accounts for several employees on page 87
• For more information about mapping employee identities, see the One Identity
  Manager Identity Management Base Module Administration Guide.

Providing administrative user accounts for several employees

Prerequisites

• The user account must be labeled as a shared identity.
• A pseudo employee must exist. The pseudo employee must be labeled as a shared
  identity and must have a manager.
• The employees who are permitted to use the user account must be labeled as a
  primary identity.

To prepare an administrative user account for multiple employees

1. Label the user account as a shared identity.
a. In the Manager, select the Azure Active Directory > User accounts
category.
b. Select the user account in the result list.
c. Select the Change main data task.
d. On the General tab, in the Identity menu, select Shared identity.
2. Link the user account to a pseudo employee.
a. In the Manager, select the Azure Active Directory > User accounts
category.
b. Select the user account in the result list.
c. Select the Change main data task.
d. On the General tab, select the pseudo employee from the Employee menu.
TIP: If you are the target system manager, you can choose to create a
new pseudo employee.
3. Assign the employees who will use this administrative user account to the
user account.
a. In the Manager, select the Azure Active Directory > User accounts
category.
b. Select the user account in the result list.
c. Select the Assign employees authorized to use task.
d. In the Add assignments pane, add employees.
TIP: In the Remove assignments pane, you can remove assigned
employees.

To remove an assignment
• Select the employee and double-click.

Related topics

• Providing administrative user accounts for one employee on page 86
• For detailed information about mapping employee identities, see the One Identity
  Manager Identity Management Base Module Administration Guide.

Privileged user accounts

Privileged user accounts are used to provide employees with additional privileges. This
includes administrative user accounts or service accounts, for example. The user accounts
are labeled with the Privileged user account property (IsPrivilegedAccount column).

NOTE: The criteria according to which user accounts are automatically identified as
privileged are defined as extensions to the view definition (ViewAddOn) in the
TSBVAccountIsPrivDetectRule table (which is a table of the Union type). The evaluation is
done in the TSB_SetIsPrivilegedAccount script.

To create privileged users through account definitions

1. Create an account definition. Create a new manage level for privileged user accounts
and assign this manage level to the account definition.
2. If you want to prevent the properties for privileged user accounts from being
overwritten, set the IT operating data overwrites property for the manage level
to Only initially. In this case, the properties are populated just once when the user
accounts are created.
3. Specify the effect of temporarily or permanently disabling or deleting, or the
security risk of an employee on its user accounts and group memberships for each
manage level.
4. Create a formatting rule for the IT operating data.
You use the mapping rule to define which rules are used to map IT operating data for
user accounts and which default values are used if no IT operating data can be
determined through a person's primary roles.
The type of IT operating data required depends on the target system. The following
settings are recommended for privileged user accounts:
• In the mapping rule for the IsPrivilegedAccount column, use the default value
  1 and set the Always use default value option.
• You can also specify a mapping rule for the IdentityType column. The column
  has different permitted values that represent the user account types.
• To prevent privileged user accounts from inheriting the entitlements of the
  default user, define a mapping rule for the IsGroupAccount_Group,
  IsGroupAccount_SubSku, and IsGroupAccount_DeniedService columns with a
  default value of 0 and set the Always use default value option.
5. Enter the effective IT operating data for the target system.
Specify in the departments, cost centers, locations, or business roles which IT
operating data should apply when you set up a user account.
6. Assign the account definition directly to employees who work with privileged
user accounts.
When the account definition is assigned to an employee, a new user account is
created through the inheritance mechanism and subsequent processing.

TIP: If customization requires that the login names of privileged user accounts follow a
defined naming convention, specify how the login names are formatted in the template.

• To use a prefix for the login name, in the Designer, set the TargetSystem |
  AzureAD | Accounts | PrivilegedAccount | AccountName_Prefix
  configuration parameter.
• To use a postfix for the login name, in the Designer, set the TargetSystem |
  AzureAD | Accounts | PrivilegedAccount | AccountName_Postfix
  configuration parameter.

These configuration parameters are evaluated in the default installation, if a user account
is marked with the Privileged user account property (IsPrivilegedAccount column).
The user account login names are renamed according to the formatting rules. This also
occurs if the user accounts are labeled as privileged using the Mark selected user
accounts as privileged schedule. If necessary, modify the schedule in the Designer.

Related topics

• Account definitions for Azure Active Directory user accounts on page 56

Updating employees when Azure Active Directory user accounts are modified

In One Identity Manager, modifications to employee properties are forwarded to the
associated user accounts and subsequently provisioned in the target system. In certain
circumstances, it may be necessary to forward user account modifications in the target
system to employee properties in One Identity Manager.

Example:

During testing, user accounts from the target system are only read into One Identity
Manager and employees created. User account administration (creating, modifying,
and deleting) should be done later through One Identity Manager. During testing,
user accounts are modified further in the target system, which can lead to drifts in
user account properties and employee properties. Due to this, user account
modifications loaded on resynchronization should be temporarily published to
employees who are already created. This means data is not lost when user account
administration is put into effect through One Identity Manager.

To update employees when user accounts are modified

• In the Designer, set the TargetSystem | AzureAD | PersonUpdate
  configuration parameter.

Modifications to user accounts are loaded into One Identity Manager during
synchronization. These modifications are forwarded to the associated employees through
subsequent scripting and processing.

NOTE:

• When making changes to user accounts, the employees are only updated for user
  accounts with the Unmanaged manage level that are linked to an employee.
• Only the employee created from the modified user account is updated. The data
  source from which the employee was created is shown in the Import data source
  property. If other user accounts are assigned to the employee, changes to these
  user accounts do not cause the employee to be updated.
• For employees who do not yet have the Import data source set, the user
  account's target system is entered as the data source for the import during the first
  update of the connected user account.

User account properties are mapped to employee properties using the AAD_PersonUpdate_
AADUser script. To make the mapping easier to customize, the script is overwritable.
To customize it, create a copy of the script and start the script code as follows:

    Public Overrides Function AAD_PersonUpdate_AADUser (ByVal UID_Account As String,
        oldUserPrincipalName As String, ProcID As String)

This redefines the script and overwrites the original. The process does not have to be
changed in this case.
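The conditions under which a user account change reaches the employee, as an added model that is not part of this guide and not One Identity Manager's AAD_PersonUpdate_AADUser script. It encodes the three points of the NOTE above (Unmanaged manage level, the Import data source check, and setting that source on first update) and runs them over constructed records. The property mapping it performs (given name and surname), the comparison of Import data source with the account's target system, and all sample names and values are assumptions of this model.

```python
"""Model of the rules under which user account changes are forwarded to
employees (TargetSystem | AzureAD | PersonUpdate). Constructed illustration,
not One Identity Manager code."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Employee:
    uid: str
    first_name: str = ""
    last_name: str = ""
    import_source: Optional[str] = None   # "Import data source" property


@dataclass
class UserAccount:
    uid: str
    target_system: str                    # tenant the account belongs to
    manage_level: str                     # "Unmanaged", "Full managed", ...
    uid_person: Optional[str]             # linked employee, if any
    given_name: str = ""
    surname: str = ""


def person_update(account, employees, person_update_enabled=True):
    """Apply the account's properties to its employee. Returns None when the
    employee was updated, otherwise the reason the update was skipped."""
    if not person_update_enabled:
        return "TargetSystem | AzureAD | PersonUpdate is not set"
    if account.uid_person is None:
        return "account is not linked to an employee"
    if account.manage_level != "Unmanaged":
        return "only Unmanaged user accounts forward changes"
    emp = employees[account.uid_person]
    if emp.import_source is None:
        # First update of the connected account: record its target system as
        # the data source for the import.
        emp.import_source = account.target_system
    elif emp.import_source != account.target_system:
        # The employee was created from another data source, so changes to
        # this account do not update it.
        return "employee was created from a different data source"
    # Property mapping assumed for this model.
    emp.first_name = account.given_name
    emp.last_name = account.surname
    return None


# Constructed sample data.
EMPLOYEES = {
    "P1": Employee("P1", "Jane", "Doe"),                           # no import source yet
    "P2": Employee("P2", "Al", "Smith", import_source="HR-Import"),
}
ACCOUNTS = [
    UserAccount("U1", "AAD-contoso", "Unmanaged", "P1", "Jane", "Doe-Roe"),
    UserAccount("U2", "AAD-contoso", "Unmanaged", "P2", "Alan", "Smith"),
    UserAccount("U3", "AAD-contoso", "Full managed", "P1", "Other", "Name"),
    UserAccount("U4", "AAD-contoso", "Unmanaged", None),
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct.uid, person_update(acct, EMPLOYEES) or "employee updated")
```

Only U1 updates its employee: U2's employee came from a different import, U3 is not Unmanaged, and U4 is not linked. Returning the skip reason rather than silently doing nothing is what makes the behaviour auditable when a property drift is investigated.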

Specifying deferred deletion for Azure Active Directory user accounts

You can use deferred deletion to specify how long the user accounts remain in the
database after deletion is triggered before they are finally removed. By default, user
accounts are finally deleted from the database after 30 days. First, the user accounts are
disabled or blocked. You can reenable the user accounts up until deferred deletion runs.
After deferred deletion is run, the user accounts are deleted from the database and cannot
be restored anymore.
You have the following options for configuring deferred deletion.

• Global deferred deletion: Deferred deletion applies to user accounts in all target
  systems. The default value is 30 days.
  In the Designer, enter a different value for deferred deletion in the Deferred
  deletion [days] property of the AADUser table.
• Object-specific deferred deletion: Deferred deletion can be configured depending on
  certain properties of the accounts.
  To use object-specific deferred deletion, in the Designer, create a Script (deferred
  deletion) for the AADUser table.

Example:

Deferred deletion of privileged user accounts is 10 days. The following Script
(deferred deletion) is entered in the table.

    ' Privileged user accounts are finally deleted after 10 days; all other
    ' user accounts keep the deferred deletion configured for the AADUser table.
    If $IsPrivilegedAccount:Bool$ Then
        Value = 10
    End If

For detailed information on editing table definitions and configuring deferred deletion in the
Designer, see the One Identity Manager Configuration Guide.

4 Managing memberships in Azure Active Directory groups

Azure Active Directory user accounts can be grouped into Azure Active Directory groups
that can be used to regulate access to resources.
In One Identity Manager, you can assign Azure Active Directory groups directly to user
accounts or they can be inherited through departments, cost centers, locations, or business
roles. Users can also request the groups through the Web Portal. To do this, groups are
provided in the IT Shop.
NOTE: Assignments to Azure Active Directory groups that are synchronized with the local
Active Directory are not allowed in One Identity Manager. These groups cannot be
requested through the Web Portal. You can only manage these groups in your local
Active Directory. For more information, see the Azure Active Directory documentation
from Microsoft.

Detailed information about this topic

• Assigning Azure Active Directory groups to Azure Active Directory user accounts on page 93
• Effectiveness of group memberships on page 104
• Azure Active Directory group inheritance based on categories on page 107
• Overview of all assignments on page 109

Assigning Azure Active Directory groups to Azure Active Directory user accounts

Azure Active Directory groups can be assigned directly or indirectly to Azure Active
Directory user accounts.
In the case of indirect assignment, employees and Azure Active Directory groups are
assigned to hierarchical roles, such as departments, cost centers, locations, or business
roles. The Azure Active Directory groups assigned to an employee are calculated from the
position in the hierarchy and the direction of inheritance. If you add an employee to roles

and that employee owns an Azure Active Directory user account, the Azure Active Directory
user account is added to the Azure Active Directory group.
Furthermore, Azure Active Directory groups can be requested through the Web Portal. To
do this, add employees to a shop as customers. All Azure Active Directory groups
assigned to this shop can be requested by the customers. Requested Azure Active Directory
groups are assigned to the employees after approval is granted.
Through system roles, Azure Active Directory groups can be grouped together and assigned
to employees and workdesks as a package. You can create system roles that contain only
Azure Active Directory groups. You can also group any number of company resources into a
system role.
To react quickly to special requests, you can assign Azure Active Directory groups directly
to Azure Active Directory user accounts.
For detailed information see the following guides:

Topic                                  Guide
Basic principles for assigning and     One Identity Manager Identity Management Base Module
inheriting company resources           Administration Guide
                                       One Identity Manager Business Roles Administration Guide
Assigning company resources through    One Identity Manager IT Shop Administration Guide
IT Shop requests
System roles                           One Identity Manager System Roles Administration Guide

Detailed information about this topic

• Prerequisites for indirect assignment of Azure Active Directory groups to Azure
  Active Directory user accounts on page 95
• Assigning Azure Active Directory groups to departments, cost centers and
  locations on page 96
• Assigning Azure Active Directory groups to business roles on page 97
• Adding Azure Active Directory groups to system roles on page 98
• Adding Azure Active Directory groups to the IT Shop on page 99
• Adding Azure Active Directory groups automatically to the IT Shop on page 101
• Assigning Azure Active Directory user accounts directly to Azure Active Directory
  groups on page 103
• Assigning Azure Active Directory groups directly to Azure Active Directory user
  accounts on page 104

Prerequisites for indirect assignment of Azure Active Directory groups to Azure
Active Directory user accounts
In the case of indirect assignment, employees and Azure Active Directory groups are
assigned to hierarchical roles, such as departments, cost centers, locations, or business
roles. When assigning Azure Active Directory groups indirectly, check the following settings
and modify them if necessary:

1. Assignment of employees and Azure Active Directory groups is permitted for role
classes (departments, cost centers, locations, or business roles).
For more detailed information, see the One Identity Manager Identity Management
Base Module Administration Guide.

To configure assignments to roles of a role class

a. In the Manager, select role classes in the Organizations > Basic
   configuration data > Role classes category.
   - OR -
   In the Manager, select role classes in the Business roles > Basic
   configuration data > Role classes category.
b. Select the Configure role assignments task and configure the permitted
   assignments.
   • To generally allow an assignment, enable the Assignments
     allowed column.
   • To allow direct assignment, enable the Direct assignments
     permitted column.
c. Save the changes.
2. Settings for assigning Azure Active Directory groups to Azure Active Directory
user accounts.
• The Azure Active Directory user account is linked to an employee.
• The Azure Active Directory user account has the Groups can be inherited
  option set.

NOTE: There are other configuration settings that play a role when company resources
are inherited through departments, cost centers, locations, and business roles. For
example, role inheritance might be blocked or inheritance of employees not allowed. For
more detailed information about the basic principles for assigning company resources,
see the One Identity Manager Identity Management Base Module Administration Guide.
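How the prerequisites above combine when group memberships are calculated, as an added model that is not part of this guide and not One Identity Manager's inheritance engine. It carries groups assigned to hierarchical roles down to the employees who are members of those roles and on to their user accounts, and it yields nothing for a role class whose Assignments allowed flag is off, for a role that blocks inheritance from its parent, for an account that is not linked to an employee, or for an account without the Groups can be inherited option. The single flag per role class, top-down inheritance only, the per-role block flag, and all sample role, group and account names are assumptions of this model.

```python
"""Model of indirect Azure AD group assignment through hierarchical roles.
Constructed illustration, not One Identity Manager code."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class RoleClass:
    assignments_allowed: bool = True   # "Assignments allowed" for the role class


@dataclass
class Role:
    uid: str
    role_class: str                    # "Department", "CostCenter", "Location", ...
    parent: Optional[str] = None
    blocks_inheritance: bool = False   # role does not take over its parent's assignments
    groups: Set[str] = field(default_factory=set)   # groups assigned to the role


@dataclass
class UserAccount:
    uid: str
    uid_person: Optional[str]          # must be linked to an employee
    groups_inheritable: bool = True    # "Groups can be inherited" option


def groups_of_role(role_uid, roles, classes):
    """Groups a role carries itself plus those inherited top-down from its
    parents, stopping where a role blocks inheritance."""
    role = roles[role_uid]
    if not classes[role.role_class].assignments_allowed:
        return set()
    result = set(role.groups)
    current = role
    while current.parent is not None and not current.blocks_inheritance:
        current = roles[current.parent]
        result |= current.groups
    return result


def effective_groups(account, memberships, roles, classes):
    """Groups the account receives indirectly: none unless the account is
    linked to an employee and allows group inheritance."""
    if account.uid_person is None or not account.groups_inheritable:
        return set()
    result = set()
    for role_uid in memberships.get(account.uid_person, ()):
        result |= groups_of_role(role_uid, roles, classes)
    return result


# Constructed sample data.
CLASSES = {
    "Department": RoleClass(),
    "Location": RoleClass(assignments_allowed=False),
}
ROLES = {
    "D-IT": Role("D-IT", "Department", groups={"G-AllStaff", "G-IT"}),
    "D-IT-Ops": Role("D-IT-Ops", "Department", parent="D-IT", groups={"G-Ops"}),
    "D-IT-Sec": Role("D-IT-Sec", "Department", parent="D-IT",
                     blocks_inheritance=True, groups={"G-Sec"}),
    "L-Berlin": Role("L-Berlin", "Location", groups={"G-Berlin"}),
}
MEMBERSHIPS = {"P1": {"D-IT-Ops", "L-Berlin"}, "P2": {"D-IT-Sec"}}   # employee -> roles
ACCOUNTS = [
    UserAccount("U1", "P1"),
    UserAccount("U2", "P2"),
    UserAccount("U3", "P1", groups_inheritable=False),
    UserAccount("U4", None),
]

if __name__ == "__main__":
    for acct in ACCOUNTS:
        print(acct.uid, sorted(effective_groups(acct, MEMBERSHIPS, ROLES, CLASSES)))
```

U1 and U3 belong to the same employee, yet only U1 receives groups, which is the effect of the Groups can be inherited option; U2 gets G-Sec but not the parent department's groups because D-IT-Sec blocks inheritance, and the Location role contributes nothing because its role class does not permit assignments.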

Related topics

• Creating and editing Azure Active Directory user accounts on page 177
• General main data of Azure Active Directory user accounts on page 178

Assigning Azure Active Directory groups to departments, cost centers and locations

Assign groups to departments, cost centers, or locations so that the group can be assigned
to user accounts through these organizations.
This task is not available for dynamic groups.

To assign a group to departments, cost centers, or locations (non role-based login)

1. In the Manager, select the Azure Active Directory > Groups category.
2. Select the group in the result list.
3. Select the Assign organizations task.
4. In the Add assignments pane, assign the organizations:
   • On the Departments tab, assign departments.
   • On the Locations tab, assign locations.
   • On the Cost centers tab, assign cost centers.
   TIP: In the Remove assignments pane, you can remove assigned organizations.

   To remove an assignment
   • Select the organization and double-click.
5. Save the changes.

To assign groups to a department, a cost center, or a location (non role-based
login or role-based login)

1. In the Manager, select the Organizations > Departments category.
   - OR -
   In the Manager, select the Organizations > Cost centers category.
   - OR -
   In the Manager, select the Organizations > Locations category.
2. Select the department, cost center, or location in the result list.
3. Select the Assign Azure Active Directory groups task.
4. In the Add assignments pane, assign groups.

   TIP: In the Remove assignments pane, you can remove the assignment of
   groups.

   To remove an assignment
   • Select the group and double-click.
5. Save the changes.

Related topics

• Prerequisites for indirect assignment of Azure Active Directory groups to Azure
  Active Directory user accounts on page 95
• Assigning Azure Active Directory groups to business roles on page 97
• Adding Azure Active Directory groups to system roles on page 98
• Adding Azure Active Directory groups to the IT Shop on page 99
• Assigning Azure Active Directory user accounts directly to Azure Active Directory
  groups on page 103
• Assigning Azure Active Directory groups directly to Azure Active Directory user
  accounts on page 104
• One Identity Manager users for managing an Azure Active Directory
  environment on page 11

Assigning Azure Active Directory groups to business roles

NOTE: This function is only available if the Business Roles Module is installed.
Assign the group to business roles so that the group is assigned to user accounts through
these business roles.
This task is not available for dynamic groups.

To assign a group to a business role (non role-based login)

1. In the Manager, select the Azure Active Directory > Groups category.
2. Select the group in the result list.
3. Select the Assign business roles task.
4. In the Add assignments pane, select the role class and assign business roles.
   TIP: In the Remove assignments pane, you can remove assigned business roles.

   To remove an assignment
   • Select the business role and double-click.
5. Save the changes.

To assign groups to a business role (non role-based login or role-based login)

1. In the Manager, select the Business roles > <role class> category.
2. Select the business role in the result list.
3. Select the Assign Azure Active Directory groups task.
4. In the Add assignments pane, assign the groups.
TIP: In the Remove assignments pane, you can remove the assignment of
groups.

   To remove an assignment
   • Select the group and double-click.
5. Save the changes.

Related topics

l Prerequisites for indirect assignment of Azure Active Directory groups to Azure Active Directory user accounts on page 95
l Assigning Azure Active Directory groups to departments, cost centers and
locations on page 96
l Adding Azure Active Directory groups to system roles on page 98
l Adding Azure Active Directory groups to the IT Shop on page 99
l Assigning Azure Active Directory user accounts directly to Azure Active Directory
groups on page 103
l Assigning Azure Active Directory groups directly to Azure Active Directory user
accounts on page 104
l One Identity Manager users for managing an Azure Active Directory
environment on page 11

Adding Azure Active Directory groups to system roles
NOTE: This function is only available if the System Roles Module is installed.
Use this task to add a group to system roles.
If you assign a system role to employees, all Azure Active Directory user accounts owned
by this employee inherit the group.
This task is not available for dynamic groups.
NOTE: Groups with Only use in IT Shop set can only be assigned to system roles that
also have this option set. For more information, see the One Identity Manager System
Roles Administration Guide.

To assign a group to system roles

1. In the Manager, select the Azure Active Directory > Groups category.
2. Select the group in the result list.
3. Select the Assign system roles task.
4. In the Add assignments pane, assign system roles.
TIP: In the Remove assignments pane, you can remove assigned system roles.

To remove an assignment
l Select the system role and double-click it.
5. Save the changes.

Related topics

l Prerequisites for indirect assignment of Azure Active Directory groups to Azure Active Directory user accounts on page 95
l Assigning Azure Active Directory groups to departments, cost centers and
locations on page 96
l Assigning Azure Active Directory groups to business roles on page 97
l Adding Azure Active Directory groups to the IT Shop on page 99
l Assigning Azure Active Directory user accounts directly to Azure Active Directory
groups on page 103
l Assigning Azure Active Directory groups directly to Azure Active Directory user
accounts on page 104

Adding Azure Active Directory groups to the IT Shop
When you assign a group to an IT Shop shelf, it can be requested by the shop customers.
To ensure it can be requested, further prerequisites need to be guaranteed:

l The group is not a dynamic group.
l The group must be labeled with the IT Shop option.
l The group must be assigned a service item.
TIP: In the Web Portal, all products that can be requested are grouped together by
service category. To make the group easier to find in the Web Portal, assign a
service category to the service item.
l If you only want the group to be assigned to employees through IT Shop requests,
the group must also be labeled with the Use only in IT Shop option. Direct
assignment to hierarchical roles or user accounts is no longer permitted.

NOTE: With role-based login, the IT Shop administrators can assign groups to IT Shop
shelves. Target system administrators are not authorized to add groups to IT Shop.

To add a group to the IT Shop

1. In the Manager, select the Azure Active Directory > Groups (non role-based
login) category.
- OR -
In the Manager, select the Entitlements > Azure Active Directory groups (role-
based login) category.
2. In the result list, select the group.
3. Select the Add to IT Shop task.
4. Select the IT Shop structures tab.
5. In the Add assignments pane, assign the group to the IT Shop shelves.
6. Save the changes.

To remove a group from individual shelves of the IT Shop

1. In the Manager, select the Azure Active Directory > Groups (non role-based
login) category.
- OR -
In the Manager, select the Entitlements > Azure Active Directory groups (role-
based login) category.
2. In the result list, select the group.
3. Select the Add to IT Shop task.
4. Select the IT Shop structures tab.
5. In the Remove assignments pane, remove the group from the IT Shop shelves.
6. Save the changes.

To remove a group from all shelves of the IT Shop

1. In the Manager, select the Azure Active Directory > Groups (non role-based
login) category.
- OR -
In the Manager, select the Entitlements > Azure Active Directory groups (role-
based login) category.
2. In the result list, select the group.
3. Select the Remove from all shelves (IT Shop) task.
4. Confirm the security prompt with Yes.
5. Click OK.
The group is removed from all shelves by the One Identity Manager Service. All
requests and assignment requests with this group are canceled.

For more information about requesting company resources through the IT Shop, see the
One Identity Manager IT Shop Administration Guide.

Related topics

l General main data of Azure Active Directory groups on page 193
l Prerequisites for indirect assignment of Azure Active Directory groups to Azure
Active Directory user accounts on page 95
l Adding Azure Active Directory groups automatically to the IT Shop on page 101
l Assigning Azure Active Directory groups to departments, cost centers and
locations on page 96
l Assigning Azure Active Directory groups to business roles on page 97
l Adding Azure Active Directory groups to system roles on page 98
l Assigning Azure Active Directory user accounts directly to Azure Active Directory
groups on page 103
l Assigning Azure Active Directory groups directly to Azure Active Directory user
accounts on page 104

Adding Azure Active Directory groups automatically to the IT Shop
The following steps can be used to automatically add Azure Active Directory groups to the
IT Shop. Synchronization ensures that the Azure Active Directory groups are added to the
IT Shop. If necessary, you can manually start synchronization with the Synchronization
Editor. New Azure Active Directory groups created in One Identity Manager also are added
automatically to the IT Shop.

To add Azure Active Directory groups automatically to the IT Shop

1. In the Designer, set the QER | ITShop | AutoPublish | AADGroup configuration parameter.
2. To keep specific Azure Active Directory groups out of the IT Shop, in the Designer, set the QER | ITShop | AutoPublish | AADGroup | ExcludeList configuration parameter.
This configuration parameter contains a listing of all Azure Active Directory groups
that should not be allocated to the IT Shop automatically. You can extend this list if
required. To do this, enter the name of the groups in the configuration parameter.
Names are listed in a pipe (|) delimited list. Regular expressions are supported.
3. Compile the database.

The Azure Active Directory groups are added automatically to the IT Shop from now on.
The following steps are run to add an Azure Active Directory group to the IT Shop.

1. A service item is determined for the Azure Active Directory group.
The service item is tested for each Azure Active Directory group and modified if
necessary. The name of the service item corresponds to the name of the Azure
Active Directory group.
l The service item is modified for Azure Active Directory groups with
service items.
l Azure Active Directory groups without service items are allocated new
service items.
2. The service item is assigned to either the Azure Active Directory groups |
Security groups default service category or the Azure Active Directory groups
| Distribution groups default service category.
3. An application role for product owners is determined and the service item is
assigned.
Product owners can approve requests for membership in these Azure Active
Directory groups. The default product owner is the Azure Active Directory
group's owner.
NOTE: The application role for the product owner must be added under the
Request & Fulfillment | IT Shop | Product owner application role.
l If the owner of the Azure Active Directory group is already a member of an
application role for product owners, this application role is assigned to the
service item. Therefore, all members of this application role become product
owners of the Azure Active Directory group.
l If the owner of the Azure Active Directory group is not yet a member of an application role for product owners, a new application role is created. The name of the application role corresponds to the name of the owner.
l If the owner is a user account, the user account's employee is added to
the application role.
l If it is a group of owners, the employees of all this group's user accounts
are added to the application role.
4. The Azure Active Directory group is labeled with the IT Shop option and assigned to the Azure Active Directory groups shelf in the Identity & Access Lifecycle shop.

Subsequently, the shop's customers can use the Web Portal to request memberships in the Azure Active Directory groups.
NOTE: If an Azure Active Directory group is irrevocably deleted from the One Identity
Manager database, the associated service item is also deleted.
For more information about configuring the IT Shop, see the One Identity Manager IT Shop Administration Guide. For more information about requesting access in the Web Portal, see the One Identity Manager Web Portal User Guide.
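The publication steps listed above, worked through as an added example that is not part of this guide and not One Identity Manager's own code: a plain-Python model that filters groups through the ExcludeList, picks the default service category by group type, determines the product owner application role from the group's owner, and records the IT Shop flag and shelf. The configuration parameter, service category, application role, shop and shelf names are the ones the guide states; every group, owner account and employee below is constructed, and the function names are this example's own. One assumption is made explicit in the code: each exclude-list entry is treated as a regular expression that must match the whole group name.

```python
"""Automatic IT Shop publication of Azure AD groups: a plain-Python model of
the steps listed above.  Added example, not One Identity Manager code.  The
configuration parameter, service category, application role and shop/shelf
names are the ones the guide states; every group, owner and employee below is
constructed.  Assumption: each exclude-list entry must match the whole group
name (anchored regular expression)."""
import re

# Constructed value of QER | ITShop | AutoPublish | AADGroup | ExcludeList
EXCLUDE_LIST = r"All Users|.*-Admins"
PRODUCT_OWNER_PARENT = "Request & Fulfillment | IT Shop | Product owner"
SHOP, SHELF = "Identity & Access Lifecycle", "Azure Active Directory groups"

# Constructed user account -> employee mapping and existing product owner roles.
SAMPLE_ACCOUNT_EMPLOYEE = {"jdoe": "Jane Doe", "asmith": "Al Smith", "bwong": "Bo Wong"}
SAMPLE_OWNER_ROLES = {f"{PRODUCT_OWNER_PARENT} | Jane Doe": {"Jane Doe"}}
SAMPLE_GROUPS = [
    {"name": "Sales Team", "security": True,
     "owner": {"kind": "user", "name": "Jane Doe", "accounts": ["jdoe"]}},
    {"name": "Newsletter", "security": False,
     "owner": {"kind": "group", "name": "Newsletter Owners", "accounts": ["asmith", "bwong"]}},
    {"name": "All Users", "security": True,
     "owner": {"kind": "user", "name": "Jane Doe", "accounts": ["jdoe"]}},
    {"name": "Tenant-Admins", "security": True,
     "owner": {"kind": "user", "name": "Jane Doe", "accounts": ["jdoe"]}},
]


def compile_exclude_list(value):
    """Split the pipe-delimited parameter into regular expressions.
    Because '|' is the list separator, an entry cannot itself use alternation."""
    return [re.compile(entry) for entry in value.split("|") if entry.strip()]


def is_excluded(group_name, patterns):
    """True when any exclude-list entry matches the whole group name (assumption)."""
    return any(p.fullmatch(group_name) for p in patterns)


def service_category(group):
    """Step 2: the default service category depends on the group type."""
    kind = "Security groups" if group["security"] else "Distribution groups"
    return f"Azure Active Directory groups | {kind}"


def product_owner_role(owner, owner_roles, account_employee):
    """Step 3: reuse a product owner application role the owner already belongs to,
    otherwise create one named after the owner and add the owner's employees.
    A group of owners contributes the employees of all its user accounts."""
    employees = {account_employee[account] for account in owner["accounts"]}
    for role, members in owner_roles.items():
        if employees <= members:
            return role
    new_role = f"{PRODUCT_OWNER_PARENT} | {owner['name']}"
    owner_roles[new_role] = set(employees)
    return new_role


def auto_publish(groups, owner_roles, account_employee, exclude_list=EXCLUDE_LIST):
    """Return the IT Shop data decided for each group, or None when excluded.
    owner_roles is updated in place when a new product owner role is created."""
    patterns = compile_exclude_list(exclude_list)
    decisions = {}
    for group in groups:
        if is_excluded(group["name"], patterns):
            decisions[group["name"]] = None
            continue
        decisions[group["name"]] = {
            "service_item": group["name"],          # step 1: named after the group
            "service_category": service_category(group),
            "product_owner": product_owner_role(group["owner"], owner_roles, account_employee),
            "it_shop": True,                        # step 4: IT Shop option set
            "shelf": f"{SHOP} / {SHELF}",
        }
    return decisions


if __name__ == "__main__":
    roles = {name: set(members) for name, members in SAMPLE_OWNER_ROLES.items()}
    for name, decision in auto_publish(SAMPLE_GROUPS, roles, SAMPLE_ACCOUNT_EMPLOYEE).items():
        print(name, "->", decision or "excluded from automatic publication")
```

Two points worth checking in your own tenant before relying on the exclude list: an entry such as `.*-Admins` only blocks names that actually contain the hyphen (a group called `Admins` would still be published), and because the pipe is the list separator an entry cannot use regex alternation itself.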

Related topics

l Adding Azure Active Directory groups to the IT Shop on page 99
l Assigning Azure Active Directory groups to departments, cost centers and
locations on page 96
l Assigning Azure Active Directory groups to business roles on page 97
l Adding Azure Active Directory groups to system roles on page 98
l Assigning Azure Active Directory user accounts directly to Azure Active Directory
groups on page 103
l Adding Azure Active Directory groups to Azure Active Directory groups on page 195

Assigning Azure Active Directory user accounts directly to Azure Active Directory groups
To react quickly to special requests, you can assign groups directly to user accounts. You
cannot directly assign groups that have the Only use in IT Shop option.
NOTE: User accounts cannot be manually added to dynamic groups.

To assign user accounts directly to a group

1. In the Manager, select the Azure Active Directory > Groups category.
2. Select the group in the result list.
3. Select the Assign user accounts task.
4. In the Add assignments pane, assign the user accounts.
TIP: In the Remove assignments pane, you can remove assigned user accounts.

To remove an assignment
l Select the user account and double-click it.
5. Save the changes.

Related topics

l Assigning Azure Active Directory groups directly to Azure Active Directory user
accounts on page 104
l Assigning Azure Active Directory groups to departments, cost centers and
locations on page 96
l Assigning Azure Active Directory groups to business roles on page 97
l Adding Azure Active Directory groups to system roles on page 98
l Adding Azure Active Directory groups to the IT Shop on page 99

Assigning Azure Active Directory groups directly to Azure Active Directory user accounts
To react quickly to special requests, you can assign groups directly to the user account. You
cannot directly assign groups that have the Only use in IT Shop option.
NOTE: User accounts cannot be manually added to dynamic groups.

To assign groups directly to user accounts

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Select the user account in the result list.
3. Select the Assign groups task.
4. In the Add assignments pane, assign the groups.
TIP: In the Remove assignments pane, you can remove the assignment of
groups.

To remove an assignment
l Select the group and double-click it.
5. Save the changes.

Related topics

l Assigning Azure Active Directory groups to departments, cost centers and locations on page 96
l Assigning Azure Active Directory groups to business roles on page 97
l Adding Azure Active Directory groups to system roles on page 98
l Adding Azure Active Directory groups to the IT Shop on page 99
l Assigning Azure Active Directory user accounts directly to Azure Active Directory
groups on page 103

Effectiveness of group memberships


When groups are assigned to user accounts an employee may obtain two or more groups,
which are not permitted in this combination. To prevent this, you can declare mutually
exclusive groups. To do this, you specify which of the two groups should apply to the user
accounts if both are assigned.
It is possible to assign an excluded group at any time either directly, indirectly, or with an
IT Shop request. One Identity Manager determines whether the assignment is effective.

NOTE:

l You cannot define two groups as mutually exclusive in both directions. That means, the definition "Group A excludes group B" AND "Group B excludes group A" is not permitted.
l You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.
l One Identity Manager does not check if membership of an excluded group is permitted in another group ( table).

The effectiveness of the assignments is mapped in the AADUserInGroup and AADBaseTreeHasGroup tables by the XIsInEffect column.

Example: The effect of group memberships

l Group A is defined with permissions for triggering requests in a tenant. A group B is authorized to make payments. A group C is authorized to check invoices.
l Group A is assigned through the "Marketing" department, group B through "Finance", and group C through the "Control group" business role.

Clara Harris has a user account in this tenant. She primarily belongs to the
"Marketing" department. The "Control group" business role and the "Finance"
department are assigned to her secondarily. Without an exclusion definition, the user
account obtains all the permissions of groups A, B, and C.
By using suitable controls, you want to prevent an employee from being able to
trigger a request and to pay invoices. That means, groups A, B, and C are mutually
exclusive. An employee that checks invoices may not be able to make invoice
payments as well. That means, groups B and C are mutually exclusive.

Table 14: Specifying excluded groups (AADGroupExclusion table)

Effective group | Excluded group
Group A         |
Group B         | Group A
Group C         | Group B

Table 15: Effective assignments

Employee     | Member in role                    | Effective group
Ben King     | Marketing                         | Group A
Jan Bloggs   | Marketing, finance                | Group B
Clara Harris | Marketing, finance, control group | Group C
Jenny Basset | Marketing, control group          | Group A, Group C

Only the group C assignment is in effect for Clara Harris. It is published in the target
system. If Clara Harris leaves the "control group" business role at a later date, group
B also takes effect.
The groups A and C are in effect for Jenny Basset because the groups are not defined
as mutually exclusive. That means that the employee is authorized to trigger
requests and to check invoices. If this should not be allowed, define further exclusion
for group C.

Table 16: Excluded groups and effective assignments

Employee     | Member in role | Assigned group | Excluded group   | Effective group
Jenny Basset | Marketing      | Group A        |                  | Group C
             | Control group  | Group C        | Group B, Group A |

Prerequisites

l The QER | Structures | Inherite | GroupExclusion configuration parameter is set.
In the Designer, set the configuration parameter and compile the database.
NOTE: If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.
l Mutually exclusive groups belong to the same tenant.

To exclude a group

1. In the Manager, select the Azure Active Directory > Groups category.
2. Select a group in the result list.
3. Select the Exclude groups task.
4. In the Add assignments pane, assign the groups that are mutually exclusive to the
selected group.
- OR -
In the Remove assignments pane, remove the groups that are no longer mutually exclusive.
5. Save the changes.
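The resolution rule described in this section, worked through as an added example that is not part of this guide and not One Identity Manager's own code: the roles, employees and group assignments are the constructed ones from Tables 14 to 16, encoded as plain Python data, the table name AADGroupExclusion and the column XIsInEffect are taken from the text above, and the function names are this example's own. It reproduces the effective group for each employee, shows what happens when Clara Harris leaves the "Control group" business role, and rejects a reciprocal definition, which the note above says is not permitted.

```python
"""Effective group membership under exclusion definitions.

Added example, not One Identity Manager code: a plain-Python model of the
resolution rule described above.  The table name AADGroupExclusion and the
column XIsInEffect come from the guide; the roles, employees and groups are
the constructed ones from Tables 14 to 16, and the function names are this
example's own.
"""

# Constructed: groups carried by each hierarchical role (department / business role).
ROLE_GROUPS = {
    "Marketing": {"Group A"},        # trigger requests
    "Finance": {"Group B"},          # make payments
    "Control group": {"Group C"},    # check invoices
}

# Constructed: primary and secondary role memberships of each employee.
EMPLOYEE_ROLES = {
    "Ben King": ["Marketing"],
    "Jan Bloggs": ["Marketing", "Finance"],
    "Clara Harris": ["Marketing", "Finance", "Control group"],
    "Jenny Basset": ["Marketing", "Control group"],
}

# Table 14 as (effective group, excluded group) rows of AADGroupExclusion.
EXCLUSIONS_TABLE_14 = [("Group B", "Group A"), ("Group C", "Group B")]


def validate_exclusions(exclusions):
    """Reject what the guide forbids: 'A excludes B' together with 'B excludes A'."""
    rows = set(exclusions)
    for effective, excluded in rows:
        if (excluded, effective) in rows:
            raise ValueError(f"reciprocal exclusion not permitted: {effective} <-> {excluded}")
    return rows


def assigned_groups(employee, roles=EMPLOYEE_ROLES, role_groups=ROLE_GROUPS):
    """Every group that reaches the employee's user account through its roles."""
    groups = set()
    for role in roles[employee]:
        groups |= role_groups[role]
    return groups


def effective_groups(assigned, exclusions):
    """Map each assigned group to its XIsInEffect value.

    A group is knocked out when *any* assigned group has an exclusion row naming
    it, even if that excluding group is itself excluded.  This is why Clara
    Harris keeps only Group C: C excludes B, and B (although ineffective) still
    excludes A.
    """
    rows = validate_exclusions(exclusions)
    knocked_out = {excluded for effective, excluded in rows if effective in assigned}
    return {group: group not in knocked_out for group in sorted(assigned)}


def in_effect(employee, exclusions=EXCLUSIONS_TABLE_14):
    """Groups that are actually published to the tenant for this employee."""
    effect = effective_groups(assigned_groups(employee), exclusions)
    return {group for group, ok in effect.items() if ok}


if __name__ == "__main__":
    for employee in EMPLOYEE_ROLES:            # reproduces Table 15
        print(f"{employee:13} -> {sorted(in_effect(employee))}")
    # Table 16: additionally let Group C exclude Group A.
    extended = EXCLUSIONS_TABLE_14 + [("Group C", "Group A")]
    print("Jenny Basset with C excluding A ->", sorted(in_effect("Jenny Basset", extended)))
```

The detail that matters when you design exclusions is in `effective_groups`: an excluded group still performs its own exclusions, so a chain C excludes B, B excludes A leaves an employee holding all three with only C, not with A and C. If that is not the control you intend, declare the extra pair explicitly, as the Table 16 variant does.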

Azure Active Directory group inheritance based on categories
In One Identity Manager, user accounts can selectively inherit groups, administrator roles,
subscriptions, and disabled service plans. To do this, the groups (administrator roles,
subscriptions, and disabled service plans) and the user accounts are divided into
categories. The categories can be freely selected and are specified using a mapping rule.
Each category is given a specific position within the template. The mapping rule contains different tables. Use the user account table to specify categories for target system dependent user accounts. In the other tables, enter your categories for the groups, administrator roles, subscriptions, and disabled service plans. Each table contains the category positions 1 to 63.
Every user account can be assigned to one or more categories. Each group can also be assigned to one or more categories. The group is inherited by the user account when at least one category item of the user account matches a category item of the assigned group. The group is also inherited by the user account if the group or the user account is not put into any category.
NOTE: Inheritance through categories is only taken into account when groups are
assigned indirectly through hierarchical roles. Categories are not taken into account
when groups are directly assigned to user accounts.

Table 17: Category examples

Category item Categories for user accounts Categories for groups

1 Default user Default permissions

2 System users System user permissions

3 System administrator System administrator permissions

Figure 2: Example of inheriting through categories.

To use inheritance through categories

1. In the Manager, define the categories in the Azure Active Directory tenant.
2. In the Manager, assign categories to user accounts through their main data.
3. In the Manager, assign categories to groups through their main data.
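The matching rule from this section, worked through as an added example that is not part of this guide and not One Identity Manager's own code: category positions 1 to 63 are modelled as bits of an integer mask, the three categories are the ones from Table 17, and the user accounts, groups and function names are constructed for the example. Directly assigned groups are passed through without a category check, matching the note above that categories only apply to assignments through hierarchical roles. The internal representation One Identity Manager uses for the positions is not described on this page; the bit mask is this example's own encoding.

```python
"""Category-based inheritance of Azure AD groups.

Added example, not One Identity Manager code.  Category positions 1..63 are
encoded as bits of an integer (this example's own encoding); the categories
are the ones from Table 17 and all accounts and groups are constructed.
"""

MAX_POSITION = 63  # the guide: each table holds category positions 1 to 63

# Constructed tenant category definition (Table 17): position -> labels
TENANT_CATEGORIES = {
    1: "Default user / Default permissions",
    2: "System users / System user permissions",
    3: "System administrator / System administrator permissions",
}


def category_mask(positions):
    """Encode a set of category positions (1..63) as a bit mask; empty -> 0
    means 'not put into any category'."""
    mask = 0
    for pos in positions:
        if not 1 <= pos <= MAX_POSITION:
            raise ValueError(f"category position out of range: {pos}")
        mask |= 1 << (pos - 1)
    return mask


def inherits(user_mask, group_mask):
    """The guide's rule: inherited when at least one category position matches,
    and also when the user account or the group carries no category at all."""
    return user_mask == 0 or group_mask == 0 or (user_mask & group_mask) != 0


def resolve_groups(user_positions, indirect_groups, direct_groups, group_positions):
    """Groups a user account ends up with.

    indirect_groups: groups reaching the account through hierarchical roles
                     (the category check applies here).
    direct_groups:   groups assigned straight to the account (no category
                     check, as the NOTE above states).
    group_positions: group name -> category positions of that group.
    """
    user_mask = category_mask(user_positions)
    inherited = {
        group for group in indirect_groups
        if inherits(user_mask, category_mask(group_positions[group]))
    }
    return inherited | set(direct_groups)


# Constructed sample groups and their categories.
GROUP_POSITIONS = {
    "Default permissions": {1},
    "System user permissions": {2},
    "System administrator permissions": {3},
    "Everyone": set(),            # uncategorized: inherited by every account
}
ALL_GROUPS = list(GROUP_POSITIONS)

if __name__ == "__main__":
    print("default user      ->", sorted(resolve_groups({1}, ALL_GROUPS, [], GROUP_POSITIONS)))
    print("service account   ->", sorted(resolve_groups({2, 3}, ALL_GROUPS, [], GROUP_POSITIONS)))
    print("uncategorized     ->", sorted(resolve_groups(set(), ALL_GROUPS, [], GROUP_POSITIONS)))
    print("direct assignment ->", sorted(resolve_groups({1}, [], ["System administrator permissions"], GROUP_POSITIONS)))
```

The two cases to keep in mind when you rely on categories as a control are visible in the sample: an uncategorized group (or an uncategorized user account) is inherited everywhere, and a direct assignment bypasses the check entirely, so a category on a privileged group does not by itself stop a direct assignment of that group.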

Related topics

l Defining categories for the inheritance of entitlements on page 171
l General main data of Azure Active Directory user accounts on page 178
l General main data of Azure Active Directory groups on page 193
l Editing Azure Active Directory subscription main data on page 202

Overview of all assignments
The Overview of all assignments report is displayed for some objects, such as
authorizations, compliance rules, or roles. The report finds all the roles, for example,
departments, cost centers, locations, business roles, and IT Shop structures in which there
are employees who own the selected base object. In this case, direct as well as indirect
base object assignments are included.

Examples:

l If the report is created for a resource, all roles are determined in which there
are employees with this resource.
l If the report is created for a group or another system entitlement, all roles are
determined in which there are employees with this group or system
entitlement.
l If the report is created for a compliance rule, all roles are determined in which
there are employees who violate this compliance rule.
l If the report is created for a department, all roles are determined in which
employees of the selected department are also members.
l If the report is created for a business role, all roles are determined in which
employees of the selected business role are also members.

To display detailed information about assignments

l To display the report, select the base object from the navigation or the result list and select the Overview of all assignments report.
l Click the Used by button in the report toolbar to select the role class for which you want to determine whether roles exist that contain employees with the selected base object.
All the roles of the selected role class are shown. The color coding of elements identifies the role in which there are employees with the selected base object. The meaning of the report control elements is explained in a separate legend. To access the legend, click the legend icon in the report's toolbar.

l Double-click a control to show all child roles belonging to the selected role.
l Click the button in a role's control to display all employees in the role with the base object.
l Use the small arrow next to that button to start a wizard that allows you to bookmark this list of employees for tracking. This creates a new business role to which the employees are assigned.

Figure 3: Toolbar of the Overview of all assignments report.

Table 18: Meaning of icons in the report toolbar

The toolbar icons have the following meanings:
l Shows the legend with the meaning of the report control elements.
l Saves the current report view as a graphic.
l Selects the role class used to generate the report (Used by).
l Displays all roles or only the affected roles.

5

Managing Azure Active Directory administrator role assignments

In One Identity Manager, you can assign the Azure Active Directory administrator roles
directly to user accounts or they can be inherited through departments, cost centers,
locations, or business roles. Users can also request the administrator roles through the
Web Portal. To do this, administrator roles are provided in the IT Shop.

Detailed information about this topic

l Assigning Azure Active Directory administrator roles to Azure Active Directory user
accounts on page 111
l Azure Active Directory administrator role inheritance based on categories on
page 120
l Overview of all assignments on page 109

Assigning Azure Active Directory administrator roles to Azure Active Directory user accounts
Azure Active Directory administrator roles can be assigned directly or indirectly to Azure
Active Directory user accounts.
In the case of indirect assignment, employees and Azure Active Directory administrator
roles are assigned to hierarchical roles, such as, departments, cost centers, locations, or
business roles. The Azure Active Directory administrator roles assigned to an employee
are calculated from the position in the hierarchy and the direction of inheritance. If you
add an employee to roles and that employee owns an Azure Active Directory user account,
the Azure Active Directory user account is added to the Azure Active Directory
administrator roles.
You can also request Azure Active Directory administration roles in the Web Portal. To do
this, add employees to a shop as customers. All Azure Active Directory administrator roles

One Identity Manager 8.2.1 Administration Guide for Connecting to


Azure Active Directory 111
Managing Azure Active Directory administrator roles assignments
assigned as products to this shop, can be requested by the customers. Requested Azure
Active Directory administrator roles are assigned to the employees after approval is
granted.
Through system roles, Azure Active Directory administrator roles can be grouped together
and assigned to employees and workdesks as a package. You can create system roles that
contain only Azure Active Directory administrator roles. You can also group any number of
company resources into a system role.
To react quickly to special requests, you can assign Azure Active Directory administrator
roles directly to Azure Active Directory user accounts.
For detailed information see the following guides:

Topic                                                           | Guide
Basic principles for assigning and inheriting company resources | One Identity Manager Identity Management Base Module Administration Guide; One Identity Manager Business Roles Administration Guide
Assigning company resources through IT Shop requests            | One Identity Manager IT Shop Administration Guide
System roles                                                    | One Identity Manager System Roles Administration Guide

Detailed information about this topic

l Prerequisites for indirect assignment of Azure Active Directory administration roles to Azure Active Directory user accounts on page 113
l Assigning Azure Active Directory administrator roles to departments, cost centers,
and locations on page 114
l Assigning Azure Active Directory administrator roles to business roles on page 115
l Adding Azure Active Directory administrator roles to system roles on page 116
l Adding Azure Active Directory administrator roles in the IT Shop on page 117
l Assigning Azure Active Directory user accounts directly to Azure Active Directory
administrator roles on page 119
l Assigning Azure Active Directory administrator roles directly to Azure Active
Directory user accounts on page 120

Prerequisites for indirect assignment of Azure Active Directory administration roles to Azure Active Directory user accounts
In the case of indirect assignment, employees and Azure Active Directory administrator
roles are assigned to hierarchical roles, such as, departments, cost centers, locations, or
business roles. When assigning Azure Active Directory administrator roles indirectly, check
the following settings and modify them if necessary.

1. Assignment of employees and Azure Active Directory administrator roles is permitted for role classes (departments, cost centers, locations, or business roles).
For more detailed information, see the One Identity Manager Identity Management
Base Module Administration Guide.

To configure assignments to roles of a role class

a. In the Manager, select role classes in the Organizations > Basic
configuration data > Role classes category.
- OR -
In the Manager, select role classes in the Business roles > Basic
configuration data > Role classes category.
b. Select the Configure role assignments task and configure the permitted
assignments.
l To generally allow an assignment, enable the Assignments
allowed column.
l To allow direct assignment, enable the Direct assignments
permitted column.
c. Save the changes.
2. Settings for assigning Azure Active Directory administrator roles to Azure Active
Directory user accounts.
l The Azure Active Directory user account is linked to an employee.
l The Azure Active Directory user account has the Administrator roles can be
inherited option set.

NOTE: There are other configuration settings that play a role when company resources
are inherited through departments, cost centers, locations, and business roles. For
example, role inheritance might be blocked or inheritance of employees not allowed. For
more detailed information about the basic principles for assigning company resources,
see the One Identity Manager Identity Management Base Module Administration Guide.

Related topics

l Creating and editing Azure Active Directory user accounts on page 177
l General main data of Azure Active Directory user accounts on page 178

Assigning Azure Active Directory administrator roles to departments, cost centers, and locations
By assigning administrator roles to departments, cost centers, or locations, you enable the administrator role to be assigned to user accounts through these organizations.

To assign an administrator role to departments, cost centers, or locations (non role-based login)

1. In the Manager, select the Azure Active Directory > Administrator roles
category.
2. Select the administrator role in the result list.
3. Select the Assign organizations task.
4. In the Add assignments pane, assign the organizations:
l On the Departments tab, assign departments.
l On the Locations tab, assign locations.
l On the Cost centers tab, assign cost centers.
TIP: In the Remove assignments pane, you can remove assigned organizations.

To remove an assignment
l Select the organization and double-click it.
5. Save the changes.

To assign administrator roles to departments, cost centers or locations (role-based login)

1. In the Manager, select the Organizations > Departments category.
- OR -
In the Manager, select the Organizations > Cost centers category.
- OR -
In the Manager, select the Organizations > Locations category.
2. Select the department, cost center or location in the result list.
3. Select the Assign Azure Active Directory administrator roles task.
4. In the Add assignments pane, assign administrator roles.

TIP: In the Remove assignments pane, you can remove assigned administrator roles.

To remove an assignment
l Select the administrator role and double-click it.
5. Save the changes.

Related topics

l Prerequisites for indirect assignment of Azure Active Directory administration roles to Azure Active Directory user accounts on page 113
l Assigning Azure Active Directory administrator roles to business roles on page 115
l Assigning Azure Active Directory user accounts directly to Azure Active Directory
administrator roles on page 119
l Adding Azure Active Directory administrator roles to system roles on page 116
l Adding Azure Active Directory administrator roles in the IT Shop on page 117
l One Identity Manager users for managing an Azure Active Directory
environment on page 11

Assigning Azure Active Directory administrator roles to business roles
NOTE: This function is only available if the Business Roles Module is installed.
By assigning administrator roles to business roles, the administrator role can be assigned
to user accounts through these business roles.

To assign an administrator role to business roles (non role-based login)

1. In the Manager, select the Azure Active Directory > Administrator roles
category.
2. Select the administrator role in the result list.
3. Select the Assign business roles task.
4. In the Add assignments pane, select the role class and assign business roles.
TIP: In the Remove assignments pane, you can remove assigned business roles.

To remove an assignment
l Select the business role and double-click it.
5. Save the changes.

To assign administrator roles to a business role (non role-based login)

1. In the Manager, select the Business roles > <role class> category.
2. Select the business role in the result list.
3. Select the Assign Azure Active Directory administrator roles task.
4. In the Add assignments pane, assign administrator roles.
TIP: In the Remove assignments pane, you can remove assigned administrator roles.

To remove an assignment
l Select the administrator role and double-click .
5. Save the changes.

Related topics

l Prerequisites for indirect assignment of Azure Active Directory administration roles
to Azure Active Directory user accounts on page 113
l Assigning Azure Active Directory administrator roles to departments, cost centers,
and locations on page 114
l Assigning Azure Active Directory user accounts directly to Azure Active Directory
administrator roles on page 119
l Adding Azure Active Directory administrator roles to system roles on page 116
l Adding Azure Active Directory administrator roles in the IT Shop on page 117
l One Identity Manager users for managing an Azure Active Directory
environment on page 11

Adding Azure Active Directory administrator roles to system roles
NOTE: This function is only available if the System Roles Module is installed.
Use this task to add an administrator role to system roles. When you assign a system role
to an employee, the administrator roles are inherited by all user accounts that these
employees have.
NOTE: Applications in which the Only use in IT Shop option is set can only be assigned
to system roles that also have this option set. For more information, see the One Identity
Manager System Roles Administration Guide.

To assign an administrator role to system roles

1. In the Manager, select the Azure Active Directory > Administrator roles
category.

2. Select the administrator role in the result list.
3. Select the Assign system roles task.
4. In the Add assignments pane, assign system roles.
TIP: In the Remove assignments pane, you can remove assigned system roles.

To remove an assignment
l Select the system role and double-click .
5. Save the changes.

Related topics

l Prerequisites for indirect assignment of Azure Active Directory administration roles
to Azure Active Directory user accounts on page 113
l Assigning Azure Active Directory administrator roles to departments, cost centers,
and locations on page 114
l Assigning Azure Active Directory administrator roles to business roles on page 115
l Assigning Azure Active Directory user accounts directly to Azure Active Directory
administrator roles on page 119
l Adding Azure Active Directory administrator roles in the IT Shop on page 117

Adding Azure Active Directory administrator roles in the IT Shop
Once an administrator role has been assigned to an IT Shop shelf, it can be requested by
the shop customers. To ensure it can be requested, further prerequisites need to be
guaranteed:

l The administrator role must be labeled with the IT Shop option.
l The administrator role must be assigned to a service item.
l If the administrator role can only be assigned to employees using IT Shop requests,
the administrator role must be also labeled with the Only use in IT Shop option.
Direct assignment to hierarchical roles may not be possible.

NOTE: IT Shop administrators can assign administrator roles to IT Shop shelves in the
case of role-based login. Target system administrators are not authorized to add
administrator roles in the IT Shop.

To add an administrator role in the IT Shop

1. In the Manager, select the Azure Active Directory > administrator roles (non
role-based login) category.
- OR -

In the Manager, select the Entitlements > Azure Active Directory
administrator roles (role-based login) category.
2. Select the administrator role in the result list.
3. Select the Add to IT Shop task.
4. In the Add assignments pane, assign the administrator role to the IT Shop shelves.
5. Save the changes.

To remove an administrator role from individual IT Shop shelves

1. In the Manager, select the Azure Active Directory > administrator roles (non
role-based login) category.
- OR -
In the Manager, select the Entitlements > Azure Active Directory
administrator roles (role-based login) category.
2. Select the administrator role in the result list.
3. Select the Add to IT Shop task.
4. In the Remove assignments pane, remove the administrator role from the IT
Shop shelves.
5. Save the changes.

To remove an administrator role from all IT Shop shelves

1. In the Manager, select the Azure Active Directory > administrator roles (non
role-based login) category.
- OR -
In the Manager, select the Entitlements > Azure Active Directory
administrator roles (role-based login) category.
2. Select the administrator role in the result list.
3. Select the Remove from all shelves (IT Shop) task.
4. Confirm the security prompt with Yes.
5. Click OK.
The administrator role is removed from all shelves by the One Identity Manager
Service. All requests and assignment requests with this administrator role are
canceled at the same time.

For detailed information about requesting company resources through the IT Shop, see the
One Identity Manager IT Shop Administration Guide.

Related topics

l Editing main data of Azure Active Directory administrator roles on page 199
l Prerequisites for indirect assignment of Azure Active Directory administration roles
to Azure Active Directory user accounts on page 113

l Assigning Azure Active Directory administrator roles to departments, cost centers,
and locations on page 114
l Assigning Azure Active Directory administrator roles to business roles on page 115
l Assigning Azure Active Directory user accounts directly to Azure Active Directory
administrator roles on page 119
l Adding Azure Active Directory administrator roles to system roles on page 116

Assigning Azure Active Directory user accounts directly to Azure Active Directory
administrator roles
To react quickly to special requests, you can assign administrator roles directly to user
accounts. You cannot directly assign administration roles that have the Only use in IT
Shop option set.

To assign a user account directly to an administrator role.

1. In the Manager, select the Azure Active Directory > Administrator roles
category.
2. Select the administrator role in the result list.
3. Select the Assign user accounts task.
4. In the Add assignments pane, assign the user accounts.
TIP: In the Remove assignments pane, you can remove assigned user accounts.

To remove an assignment
l Select the user account and double-click .
5. Save the changes.

Related topics

l Assigning Azure Active Directory administrator roles directly to Azure Active
Directory user accounts on page 120
l Assigning Azure Active Directory administrator roles to departments, cost centers,
and locations on page 114
l Assigning Azure Active Directory administrator roles to business roles on page 115
l Adding Azure Active Directory administrator roles to system roles on page 116
l Adding Azure Active Directory administrator roles in the IT Shop on page 117

Assigning Azure Active Directory
administrator roles directly to Azure Active
Directory user accounts
To react quickly to special requests, you can assign administrator roles directly to the user
account. You cannot directly assign administration roles that have the Only use in IT
Shop option set.

To assign administrator roles directly to user accounts

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Select the user account in the result list.
3. Select the Assign administrator roles task.
4. In the Add assignments pane, assign administrator roles.
TIP: In the Remove assignments pane, you can remove assigned administrator roles.

To remove an assignment
l Select the administrator role and double-click .
5. Save the changes.

Related topics

l Assigning Azure Active Directory administrator roles to Azure Active Directory user
accounts on page 111

Azure Active Directory administrator role inheritance based on categories
The procedure described under Azure Active Directory group inheritance based on
categories on page 107 can also be applied for administrator roles.

To use inheritance through categories

1. In the Manager, define the categories in the Azure Active Directory tenant.
2. In the Manager, assign categories to user accounts through their main data.
3. In the Manager, assign categories to administrator roles through their main data.

Related topics

l Defining categories for the inheritance of entitlements on page 171
l General main data of Azure Active Directory user accounts on page 178
l Editing main data of Azure Active Directory administrator roles on page 199

6 Managing Azure Active Directory subscription and Azure Active Directory service
plan assignments

The user requires an Azure Active Directory subscription to access the service plans in
Azure Active Directory. An Azure Active Directory subscription defines the scope of
service plans that the user can access. Use of individual service plans by the user can be
permitted or not.

Example:

The Azure Active Directory subscription A contains service plan 1, service plan 2, and
the service plan 3.

l The subscription A is assigned to the user.
l The user is not permitted service plan 2.

Therefore, the user can use service plans 1 and 3.

In Azure Active Directory, Azure Active Directory subscriptions can be assigned to users
and groups. Service plans can be permitted or not depending on the assignment method.
The user obtains all the permitted service plans.

Example:

The Azure Active Directory subscription A contains service plan 1, service plan 2, and
the service plan 3.

l The Azure Active Directory subscription A is assigned directly to the user.
l The user is not permitted service plan 2.

The Azure Active Directory subscription B contains the service plan 4, service plan 5,
and the service plan 6.

l The Azure Active Directory subscription B is assigned to group A.
l The group A is not permitted to use service plan 6.
l The user is in group A.

Therefore, the user can use service plans 1, 3, 4, and 5.

It is possible that a user obtains the same Azure Active Directory subscription directly as
well as through one or more groups. If a service plan is permitted by one assignment
method and not by another, the user is given the service plan.

Example:

The Azure Active Directory subscription A contains service plan 1, service plan 2, and
the service plan 3.

l The Azure Active Directory subscription A is assigned directly to the user.
l The user is not permitted to use service plan 2.
l The Azure Active Directory subscription A is assigned to group A.
l All service plans for the group A are allowed.
l The user is in group A.

Therefore, the user can use service plans 1, 2, and 3.

In One Identity Manager, Azure Active Directory subscriptions and service plans and their
assignments to Azure Active Directory user accounts and Azure Active Directory groups are
mapped as follows.

Table 19: Azure Active Directory subscription and service plans in the One Identity
Manager schema map

AADSubSku: This table contains all Azure Active Directory subscriptions. The information
about Azure Active Directory subscriptions within an Azure Active Directory tenant is
loaded into One Identity Manager by synchronization. You cannot create new Azure Active
Directory subscriptions in One Identity Manager.

AADServicePlan: This table contains the service plans. The information about service
plans within an Azure Active Directory tenant is loaded into One Identity Manager by
synchronization. You cannot create new service plans in One Identity Manager.

AADServicePlanInSubSku: This table contains service plan assignments to Azure Active
Directory subscriptions. The assignments are loaded into One Identity Manager by
synchronization. You cannot edit the assignments in One Identity Manager.

AADDeniedServicePlan: This table contains service plan assignments to Azure Active
Directory subscriptions for mapping service plans that are not permitted. The entries are
created automatically in One Identity Manager after synchronizing Azure Active Directory
subscriptions. Service plans that are not permitted are called "disabled service plans" in
One Identity Manager. By assigning a disabled service plan to an Azure Active Directory
user account in One Identity Manager, you disable the use of this service plan in Azure
Active Directory.

AADUserHasSubSku: This table contains Azure Active Directory subscription assignments to
Azure Active Directory user accounts. It maps direct assignments of Azure Active Directory
subscriptions to Azure Active Directory user accounts and assignments that an Azure Active
Directory user account obtains through its Azure Active Directory groups. The assignments
are loaded by synchronization.
You can assign Azure Active Directory subscriptions to Azure Active Directory user accounts
in One Identity Manager either directly, through IT Shop requests, or through departments,
cost centers, locations, and business roles. You cannot edit assignments by Azure Active
Directory groups in One Identity Manager.
The Azure Active Directory group that an assignment results from is mapped in the Azure
Active Directory source group column (AADUserHasSubSku.UID_AADGroupSource). If the column
is empty, this assignment of the Azure Active Directory subscription to the Azure Active
Directory user account was created either directly, through IT Shop requests, or through
departments, cost centers, locations, and business roles. Assignments through Azure Active
Directory groups are marked in the Origin column with the Assignment by group value
(AADUserHasSubSku.XOrigin=16).
The table also contains a list of disabled service plans from its Azure Active Directory
subscriptions for each Azure Active Directory user account (AADUserHasSubSku.DenyList).

AADUserHasDeniedService: This table contains disabled service plan assignments to Azure
Active Directory user accounts. The entries are taken from the list of disabled service
plans (AADUserHasSubSku.DenyList).
You can assign disabled service plans to Azure Active Directory user accounts in One
Identity Manager either directly, through IT Shop requests, or through departments, cost
centers, locations, and business roles. By assigning a disabled service plan, you disable
the use of this service plan in Azure Active Directory.
NOTE: A disabled service plan that is assigned to a user account can be permitted if the
user account additionally obtains the service plan through a group and the service plan is
allowed for the group. The assignment by group is not mapped in this table.

AADUserHasServicePlan: This table contains the service plan assignments for Azure Active
Directory user accounts that are in effect. The assignments are calculated in One Identity
Manager from the entries in the AADUserHasSubSku, AADUserHasDeniedService,
AADGroupHasSubSku, and AADGroupHasDeniedService tables.

AADGroupHasSubSku: This table contains Azure Active Directory subscription assignments to
Azure Active Directory groups. This table also contains a list of disabled service plans
from its Azure Active Directory subscriptions for each Azure Active Directory group
(AADUserHasSubSku.DenyList). The assignments are loaded into One Identity Manager by
synchronization. You cannot edit the assignments in One Identity Manager.

AADGroupHasDeniedService: This table contains disabled service plan assignments to Azure
Active Directory groups. The entries are taken from the list of disabled service plans
(AADGroupHasSubSku.DenyList). You cannot edit the assignments in One Identity Manager.
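The effective-plan rule illustrated by the three examples above, and the AADUserHasServicePlan calculation the table attributes to the four assignment tables, as an added Python model that is not One Identity Manager code: the table names follow the guide, while the record layout, the field names and the sample subscriptions are constructed for this illustration.

```python
from dataclasses import dataclass

# Value the guide gives for the Origin column of a group-derived row.
XORIGIN_ASSIGNMENT_BY_GROUP = 16


@dataclass(frozen=True)
class SubSkuRow:
    """Simplified row of AADUserHasSubSku or AADGroupHasSubSku.

    holder        user account or group the subscription is assigned to
    subscription  the AADSubSku entry
    deny_list     DenyList: service plans disabled for this assignment
    source_group  UID_AADGroupSource: filled when the row was derived from a
                  group membership, empty for direct, IT Shop or role-based
                  assignments (field names are illustrative, not the schema's)
    """
    holder: str
    subscription: str
    deny_list: frozenset = frozenset()
    source_group: str = ""

    @property
    def xorigin(self):
        return XORIGIN_ASSIGNMENT_BY_GROUP if self.source_group else 0


def effective_service_plans(user, plans_in_subsku, user_has_subsku,
                            group_has_subsku, user_in_group):
    """Derive the AADUserHasServicePlan rows for one user account.

    Each assignment path (direct, or via each group the user is in) contributes
    the subscription's plans minus that path's deny list. The union of all
    contributions is what the user may use, so a plan denied on one path but
    allowed on another is allowed.
    """
    allowed = set()
    # Direct, IT Shop and role-based assignments: the group-derived copies in
    # AADUserHasSubSku (XOrigin=16) are skipped and handled via the groups below.
    for row in user_has_subsku:
        if row.holder == user and row.xorigin != XORIGIN_ASSIGNMENT_BY_GROUP:
            allowed |= plans_in_subsku[row.subscription] - row.deny_list
    # Assignments inherited through the user's groups (AADGroupHasSubSku rows,
    # with the group's disabled plans in its DenyList).
    for group in user_in_group.get(user, ()):
        for row in group_has_subsku:
            if row.holder == group:
                allowed |= plans_in_subsku[row.subscription] - row.deny_list
    return frozenset(allowed)


# Constructed data mirroring the three examples in the text.
PLANS = {                                   # stands in for AADServicePlanInSubSku
    "Subscription A": frozenset({"plan 1", "plan 2", "plan 3"}),
    "Subscription B": frozenset({"plan 4", "plan 5", "plan 6"}),
}
MEMBERS = {"user": ["Group A"]}             # the user is in group A


def example_1():
    """Subscription A direct, plan 2 denied -> plans 1 and 3."""
    rows = [SubSkuRow("user", "Subscription A", frozenset({"plan 2"}))]
    return effective_service_plans("user", PLANS, rows, [], {})


def example_2():
    """Plus subscription B via group A with plan 6 denied -> 1, 3, 4, 5."""
    user_rows = [SubSkuRow("user", "Subscription A", frozenset({"plan 2"}))]
    group_rows = [SubSkuRow("Group A", "Subscription B", frozenset({"plan 6"}))]
    return effective_service_plans("user", PLANS, user_rows, group_rows, MEMBERS)


def example_3():
    """Subscription A direct (plan 2 denied) and via group A (all allowed) -> 1, 2, 3."""
    user_rows = [SubSkuRow("user", "Subscription A", frozenset({"plan 2"}))]
    group_rows = [SubSkuRow("Group A", "Subscription A")]
    return effective_service_plans("user", PLANS, user_rows, group_rows, MEMBERS)


if __name__ == "__main__":
    for fn in (example_1, example_2, example_3):
        print(fn.__name__, sorted(fn()))
```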

Detailed information about this topic

l Displaying enabled and disabled Azure Active Directory service plans for Azure Active
Directory user accounts and Azure Active Directory groups on page 126

l Assigning Azure Active Directory subscriptions to Azure Active Directory user
accounts on page 128
l Inheriting Azure Active Directory subscriptions based on categories on page 151
l Assigning disabled Azure Active Directory service plans to Azure Active Directory
user accounts on page 140
l Inheritance of disabled Azure Active Directory service plans based on
categories on page 152
l Overview of all assignments on page 109

Displaying enabled and disabled Azure Active Directory service plans for Azure Active
Directory user accounts and Azure Active Directory groups
An Azure Active Directory user account can obtain Azure Active Directory subscriptions and
Azure Active Directory service plans directly or through its Azure Active Directory groups.
NOTE: It is possible that an Azure Active Directory user obtains the same Azure Active
Directory subscription directly as well as through one or more Azure Active Directory
groups. If a service plan is permitted by one assignment method and not by another, the
user is given the service plan.
This means:
A disabled service plan that is assigned to a user account can be permitted if the user
account additionally obtains the service plan through a group and the service plan is
allowed for the group.
For more information, see Managing Azure Active Directory subscription and Azure
Active Directory service plan assignments on page 122.

To display information about Azure Active Directory subscriptions and service
plans for a user account

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Select the user account in the result list.
3. Select the Azure Active Directory user account overview task.
The following information about Azure Active Directory subscriptions and service
plans for a user account is displayed on the overview form.
l Azure Active Directory subscriptions (owned): Azure Active Directory
subscriptions assigned to the user account either directly, through IT Shop
requests, or through departments, cost centers, locations, and business roles.

l Azure Active Directory subscriptions (inherited): Azure Active Directory
subscriptions that the user account has obtained through its Azure Active
Directory groups.
l Azure Active Directory service plans: Azure Active Directory service
plans permitted for this user account.
l Disabled Azure Active Directory service plans from owned
subscriptions: Disabled Azure Active Directory service plans assigned to this
user account either directly, through the IT Shop or through departments, cost
centers, locations and business roles.
4. Select the License overview report.
The report contains a summary of assigned and effective subscriptions and service
plans for an Azure Active Directory user account.

To display information about Azure Active Directory subscriptions and service
plans for a group

1. In the Manager, select the Azure Active Directory > Groups category.
2. Select the group in the result list.
3. Select the Azure Active Directory group overview task.
The following information about Azure Active Directory subscriptions and service
plans for a group is displayed on the overview form.
l Azure Active Directory subscriptions: Azure Active Directory
subscriptions assigned to Azure Active Directory groups.
l Enabled Azure Active Directory service plans: Azure Active Directory
service plans permitted for this group.
l Disabled Azure Active Directory service plans: Azure Active Directory
service plans not permitted for this group.
l Azure Active Directory user accounts: Azure Active Directory user
accounts assigned to the group, which therefore obtain its subscriptions and
service plans.

Related topics

l Assigning Azure Active Directory subscriptions to Azure Active Directory user
accounts on page 128
l Assigning disabled Azure Active Directory service plans to Azure Active Directory
user accounts on page 140

Assigning Azure Active Directory
subscriptions to Azure Active Directory
user accounts
Azure Active Directory subscriptions can be assigned directly or indirectly to Azure Active
Directory user accounts.
In the case of indirect assignment, employees and Azure Active Directory subscriptions are
assigned to hierarchical roles, such as departments, cost centers, locations, or business
roles. Azure Active Directory subscriptions assigned to an employee are calculated from
the position in the hierarchy and the direction of inheritance. If the employee has a user
account in Azure Active Directory, the Azure Active Directory subscriptions are inherited
by this Azure Active Directory user account.
Furthermore, Azure Active Directory subscriptions can be assigned to employees through
IT Shop requests. Add employees to a shop as customers so that Azure Active Directory
subscriptions can be assigned through IT Shop requests. All Azure Active Directory
subscriptions assigned to this shop can be requested by the customers. Requested Azure
Active Directory subscriptions are assigned to the employees after approval is granted.
TIP: You can combine the account definition for creating the Azure Active Directory user
account and the Azure Active Directory subscription that will be used into one system
role. In this way, the employee automatically obtains a user account and an Azure Active
Directory subscription.
An employee can obtain this system role directly through departments, cost centers,
locations, or business roles, or an IT Shop request.
To react quickly to special requests, you can assign Azure Active Directory subscriptions
directly to Azure Active Directory user accounts.
NOTE: An Azure Active Directory user account can also obtain Azure Active Directory
subscriptions through its Azure Active Directory groups. You cannot edit assignments by
Azure Active Directory groups in One Identity Manager.
The AADUserHasSubSku table contains the assignments of Azure Active Directory subscriptions
to Azure Active Directory user accounts together with their origin. For more information,
see Managing Azure Active Directory subscription and Azure Active Directory service plan
assignments on page 122.
For detailed information see the following guides:

Topic: Basic principles for assigning and inheriting company resources
Guide: One Identity Manager Identity Management Base Module Administration Guide;
One Identity Manager Business Roles Administration Guide

Topic: Assigning company resources through IT Shop requests
Guide: One Identity Manager IT Shop Administration Guide

Topic: System roles
Guide: One Identity Manager System Roles Administration Guide

Detailed information about this topic

l Prerequisites for indirect assignment of Azure Active Directory subscriptions to Azure
Active Directory user accounts on page 129
l Displaying enabled and disabled Azure Active Directory service plans for Azure Active
Directory user accounts and Azure Active Directory groups on page 126
l Assigning Azure Active Directory subscriptions to departments, cost centers, and
locations on page 130
l Assigning Azure Active Directory subscriptions to business roles on page 132
l Adding Azure Active Directory subscriptions to system roles on page 133
l Adding Azure Active Directory subscriptions to the IT Shop on page 134
l Adding Azure Active Directory subscriptions automatically to the IT Shop on page 136
l Assigning Azure Active Directory user account directly to Azure Active Directory
subscriptions on page 138
l Assigning Azure Active Directory subscriptions directly to Azure Active Directory user
accounts on page 139

Prerequisites for indirect assignment of Azure Active Directory subscriptions to
Azure Active Directory user accounts
In the case of indirect assignment, employees and Azure Active Directory subscriptions are
assigned to hierarchical roles, such as departments, cost centers, locations, or business
roles. When assigning Azure Active Directory subscriptions indirectly, check the following
settings and modify them if necessary:

1. Assignment of employees and Azure Active Directory subscriptions is permitted for
role classes (departments, cost centers, locations, or business roles).
For more information, see the One Identity Manager Identity Management Base
Module Administration Guide.

To configure assignments to roles of a role class
a. In the Manager, select role classes in the Organizations > Basic
configuration data > Role classes category.
- OR -
In the Manager, select role classes in the Business roles > Basic
configuration data > Role classes category.
b. Select the Configure role assignments task and configure the permitted
assignments.
l To generally allow an assignment, enable the Assignments
allowed column.
l To allow direct assignment, enable the Direct assignments
permitted column.
c. Save the changes.
2. Settings for assigning Azure Active Directory subscriptions to Azure Active Directory
user accounts.
l The Azure Active Directory user account is linked to an employee.
l The Azure Active Directory user account has a location.
l The Azure Active Directory user account has the Subscriptions can be
inherited option set.

NOTE: There are other configuration settings that play a role when company resources
are inherited through departments, cost centers, locations, and business roles. For
example, role inheritance might be blocked or inheritance of employees not allowed. For
more detailed information about the basic principles for assigning company resources,
see the One Identity Manager Identity Management Base Module Administration Guide.

Related topics

l Creating and editing Azure Active Directory user accounts on page 177
l General main data of Azure Active Directory user accounts on page 178

Assigning Azure Active Directory subscriptions to departments, cost centers,
and locations
Assign Azure Active Directory subscriptions to departments, cost centers, and locations so
that user accounts are assigned to them through these organizations.

To assign an Azure Active Directory subscription to departments, cost centers,
or locations (non role-based login)

1. In the Manager, select the Azure Active Directory > Subscriptions category.
2. Select an Azure Active Directory subscription in the result list.
3. Select the Assign organizations task.
4. In the Add assignments pane, assign the organizations:
l On the Departments tab, assign departments.
l On the Locations tab, assign locations.
l On the Cost centers tab, assign cost centers.
TIP: In the Remove assignments pane, you can remove assigned organizations.

To remove an assignment
l Select the organization and double-click .
5. Save the changes.

To assign Azure Active Directory subscriptions to a department, cost center, or
location (role-based login)

1. In the Manager, select the Organizations > Departments category.
- OR -
In the Manager, select the Organizations > Cost centers category.
- OR -
In the Manager, select the Organizations > Locations category.
2. Select the department, cost center or location in the result list.
3. Select the Assign Azure Active Directory subscriptions task.
4. In the Add assignments pane, select the Azure Active Directory tenant and assign
the Azure Active Directory subscriptions.
TIP: In the Remove assignments pane, you can remove assigned Azure Active
Directory subscriptions.

To remove an assignment
l Select the subscription and double-click Azure Active Directory.
5. Save the changes.

Related topics

l Prerequisites for indirect assignment of Azure Active Directory subscriptions to Azure
Active Directory user accounts on page 129
l Assigning Azure Active Directory subscriptions to business roles on page 132
l Assigning Azure Active Directory user account directly to Azure Active Directory
subscriptions on page 138

l Adding Azure Active Directory subscriptions to system roles on page 133
l Adding Azure Active Directory subscriptions to the IT Shop on page 134
l One Identity Manager users for managing an Azure Active Directory
environment on page 11

Assigning Azure Active Directory subscriptions to business roles
NOTE: This function is only available if the Business Roles Module is installed.
Assign Azure Active Directory subscriptions to business roles so that they are assigned to
user accounts through these business roles.

To assign an Azure Active Directory subscription to business roles (non role-
based login)

1. In the Manager, select the Azure Active Directory > Subscriptions category.
2. Select an Azure Active Directory subscription in the result list.
3. Select the Assign business roles task.
4. In the Add assignments pane, select the role class and assign business roles.
TIP: In the Remove assignments pane, you can remove assigned business roles.

To remove an assignment
l Select the business role and double-click .
5. Save the changes.

To assign Azure Active Directory subscriptions to a business role (role-
based login)

1. In the Manager, select the Business roles > <role class> category.
2. Select the business role in the result list.
3. Select the Assign Azure Active Directory subscriptions task.
4. In the Add assignments pane, select the Azure Active Directory tenant and assign
the Azure Active Directory subscriptions.
TIP: In the Remove assignments pane, you can remove assigned Azure Active
Directory subscriptions.

To remove an assignment
l Select the subscription and double-click Azure Active Directory.
5. Save the changes.

Related topics

l Prerequisites for indirect assignment of Azure Active Directory subscriptions to Azure
Active Directory user accounts on page 129
l Assigning Azure Active Directory subscriptions to departments, cost centers, and
locations on page 130
l Assigning Azure Active Directory user account directly to Azure Active Directory
subscriptions on page 138
l Adding Azure Active Directory subscriptions to system roles on page 133
l Adding Azure Active Directory subscriptions to the IT Shop on page 134
l One Identity Manager users for managing an Azure Active Directory
environment on page 11

Adding Azure Active Directory subscriptions to system roles
NOTE: This function is only available if the System Roles Module is installed.
Use this task to add an Azure Active Directory subscription to system roles. When you
assign a system role to an employee, the Azure Active Directory subscription is inherited
by all user accounts owned by that employee.
NOTE: Azure Active Directory subscriptions in which the Only use in IT Shop option is
set can only be assigned to system roles that also have this option set. For more
information, see the One Identity Manager System Roles Administration Guide.
TIP: You can combine the account definition for creating the Azure Active Directory user
account and the Azure Active Directory subscription that will be used into one system
role. In this way, the employee automatically obtains a user account and an Azure Active
Directory subscription.
An employee can obtain this system role directly through departments, cost centers,
locations, or business roles, or an IT Shop request.

To assign an Azure Active Directory subscription to a system role

1. In the Manager, select the Azure Active Directory > Subscriptions category.
2. Select an Azure Active Directory subscription in the result list.
3. Select the Assign system roles task.
4. In the Add assignments pane, assign system roles.
TIP: In the Remove assignments pane, you can remove assigned system roles.

To remove an assignment
l Select the system role and double-click .
5. Save the changes.

Related topics

l Prerequisites for indirect assignment of Azure Active Directory subscriptions to Azure
Active Directory user accounts on page 129
l Assigning Azure Active Directory subscriptions to departments, cost centers, and
locations on page 130
l Assigning Azure Active Directory subscriptions to business roles on page 132
l Assigning Azure Active Directory user account directly to Azure Active Directory
subscriptions on page 138
l Adding Azure Active Directory subscriptions to the IT Shop on page 134

Adding Azure Active Directory subscriptions to the IT Shop
Once an Azure Active Directory subscription is assigned to an IT Shop shelf, it can be
requested by customers. For it to be requestable, the following prerequisites must also
be met:

l The Azure Active Directory subscription must be labeled with the IT Shop option.
l The Azure Active Directory subscription must be assigned to a service item.
l If the Azure Active Directory subscription is only supposed to be available to
employees through IT Shop requests, the Azure Active Directory subscription must
also be labeled with the Only for use in IT Shop option. Direct assignment to
hierarchical roles is then not possible.

NOTE: IT Shop administrators can assign Azure Active Directory subscriptions to IT Shop
shelves in the case of role-based login. Target system administrators are not authorized
to add Azure Active Directory subscriptions in the IT Shop.

To add an Azure Active Directory subscription to the IT Shop

1. In the Manager, select the Azure Active Directory > Subscriptions (non role-
based login) category.
- OR -
In the Manager, select the Entitlements > Azure Active Directory
subscriptions (role-based login) category.
2. Select an Azure Active Directory subscription in the result list.
3. Select Add to IT Shop.
4. In the Add assignments pane, assign the Azure Active Directory subscription to the
IT Shop shelves.
5. Save the changes.

To remove an Azure Active Directory subscription from individual IT Shop
shelves

1. In the Manager, select the Azure Active Directory > Subscriptions (non role-
based login) category.
- OR -
In the Manager, select the Entitlements > Azure Active Directory
subscriptions (role-based login) category.
2. Select an Azure Active Directory subscription in the result list.
3. Select Add to IT Shop.
4. In the Remove assignments pane, remove the Azure Active Directory subscription
from the IT Shop shelves.
5. Save the changes.

To remove an Azure Active Directory subscription from all IT Shop shelves

1. In the Manager, select the Azure Active Directory > Subscriptions (non role-
based login) category.
- OR -
In the Manager, select the Entitlements > Azure Active Directory
subscriptions (role-based login) category.
2. Select an Azure Active Directory subscription in the result list.
3. Select the Remove from all shelves (IT Shop) task.
4. Confirm the security prompt with Yes.
5. Click OK.
The Azure Active Directory subscription is removed from all shelves by the One
Identity Manager Service. All requests and assignment requests for this Azure Active
Directory subscription are canceled in the process.

For detailed information about requesting company resources through the IT Shop, see the
One Identity Manager IT Shop Administration Guide.

Related topics

l Editing Azure Active Directory subscription main data on page 202
l Prerequisites for indirect assignment of Azure Active Directory subscriptions to Azure
Active Directory user accounts on page 129
l Adding Azure Active Directory subscriptions automatically to the IT Shop on page 136
l Assigning Azure Active Directory subscriptions to departments, cost centers, and
locations on page 130
l Assigning Azure Active Directory subscriptions to business roles on page 132
l Adding Azure Active Directory subscriptions to system roles on page 133

l Assigning Azure Active Directory user account directly to Azure Active Directory
subscriptions on page 138

Adding Azure Active Directory subscriptions automatically to the IT Shop
The following steps can be used to automatically add Azure Active Directory subscriptions
to the IT Shop. Synchronization ensures that the Azure Active Directory subscriptions are
added to the IT Shop. If necessary, you can manually start synchronization with the
Synchronization Editor. New Azure Active Directory subscriptions created in One Identity
Manager are also added automatically to the IT Shop.

To add Azure Active Directory subscriptions automatically to the IT Shop

1. In the Designer, set the QER | ITShop | AutoPublish | AADSubSku
configuration parameter.
2. To keep particular Azure Active Directory subscriptions from being added to the IT
Shop automatically, in the Designer, set the QER | ITShop | AutoPublish | AADSubSku |
ExcludeList configuration parameter.
This configuration parameter contains a list of all Azure Active Directory
subscriptions that should not be allocated to the IT Shop automatically. You can
extend this list if required. To do this, enter the name of the subscription in the
configuration parameter. Names are listed in a pipe (|) delimited list. Regular
expressions are supported.
3. Compile the database.

The Azure Active Directory subscriptions are added automatically to the IT Shop
from now on.
The following steps are run to add an Azure Active Directory subscription to the IT Shop.

1. A service item is determined for the Azure Active Directory subscription.


The service item is tested for each Azure Active Directory subscription and modified
if necessary. The name of the service item corresponds to the name of the Azure
Active Directory subscription.
l The service item is modified for Azure Active Directory subscriptions with
service items.
l Azure Active Directory subscriptions without service items are allocated new
service items.
2. The service item is assigned to the Azure Active Directory subscriptions default
service category.
3. An application role for product owners is determined and assigned to the
service item.

Product owners can approve requests for these Azure Active Directory subscriptions.
The default product owner is the Azure Active Directory subscription's owner.
NOTE: The application role for the product owner must be added under the
Request & Fulfillment | IT Shop | Product owner application role.
l If the owner of the Azure Active Directory subscription is already a member of
an application role for product owners, this application role is assigned to the
service item. Therefore, all members of this application role become product
owners of the Azure Active Directory subscription.
l If the owner of the Azure Active Directory subscription is not yet a member of
an application role for product owners, a new application role is created. The
name of the application role corresponds to the name of the owner.
l If the owner is a user account, the user account's employee is added to
the application role.
l If it is a group of owners, the employees of all this group's user accounts
are added to the application role.
4. The Azure Active Directory subscription is labeled with the IT Shop option and
assigned to the Azure Active Directory subscriptions IT Shop shelf in the
Identity & Access Lifecycle shop.

Shop customers can then request the Azure Active Directory subscription in the
Web Portal.
NOTE: If an Azure Active Directory subscription is irrevocably deleted from the One
Identity Manager database, the associated service item is also deleted.
For more information about configuring the IT Shop, see the One Identity Manager IT Shop
Administration Guide. For more information about making requests in the Web Portal, see
the One Identity Manager Web Portal User Guide.
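The following added Python model (not One Identity Manager code; the real processing runs inside the One Identity Manager database and the One Identity Manager Service) walks a constructed set of subscriptions through the ExcludeList check and the four steps described above, so you can see which subscriptions end up on the shelf and which product owner role each one receives. The regular-expression dialect, anchoring and case handling of the ExcludeList are not stated here and are assumed (Python re, whole-name match, case-insensitive); the subscription, owner, employee and role names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Names taken from the description above.
SHOP = "Identity & Access Lifecycle"
SHELF = "Azure Active Directory subscriptions"
SERVICE_CATEGORY = "Azure Active Directory subscriptions"
PRODUCT_OWNER_PARENT = "Request & Fulfillment | IT Shop | Product owner"


@dataclass
class Subscription:
    name: str
    owner: Optional[str] = None           # owning user account or owner group
    service_item: Optional[str] = None    # None: no service item yet
    it_shop: bool = False
    shelf: Optional[Tuple[str, str]] = None
    product_owner_role: Optional[str] = None


@dataclass
class Tenant:
    """Constructed stand-in for the One Identity Manager database."""
    # user account -> [its employee]; owner group -> employees of all its user accounts
    employees_of: Dict[str, List[str]]
    product_owner_roles: Dict[str, Set[str]]   # application role -> member employees
    service_items: Dict[str, str]              # service item -> service category


def parse_exclude_list(value: str) -> List[re.Pattern]:
    """ExcludeList is pipe delimited and regex capable. Assumption: each entry is
    a Python regex matched against the whole name, ignoring case; a literal pipe
    therefore cannot appear inside an entry."""
    return [re.compile(entry.strip(), re.IGNORECASE)
            for entry in value.split("|") if entry.strip()]


def is_excluded(name: str, patterns: List[re.Pattern]) -> bool:
    return any(p.fullmatch(name) for p in patterns)


def ensure_product_owner_role(sub: Subscription, tenant: Tenant) -> Optional[str]:
    """Step 3: reuse a product owner role the owner already belongs to, otherwise
    create one named after the owner and add the owner's employee(s)."""
    if sub.owner is None:
        return None   # assumption: the page does not say what happens without an owner
    owner_employees = set(tenant.employees_of.get(sub.owner, []))
    for role, members in tenant.product_owner_roles.items():
        if owner_employees and owner_employees <= members:
            return role
    role = f"{PRODUCT_OWNER_PARENT} | {sub.owner}"
    tenant.product_owner_roles[role] = set(owner_employees)
    return role


def publish(sub: Subscription, tenant: Tenant) -> Subscription:
    # Step 1: the service item carries the subscription's name; an existing item
    # with another name is renamed, a missing one is created.
    if sub.service_item and sub.service_item != sub.name:
        tenant.service_items.pop(sub.service_item, None)
    sub.service_item = sub.name
    # Step 2: default service category.
    tenant.service_items[sub.name] = SERVICE_CATEGORY
    # Step 3: product owner application role.
    sub.product_owner_role = ensure_product_owner_role(sub, tenant)
    # Step 4: IT Shop option and shelf.
    sub.it_shop = True
    sub.shelf = (SHOP, SHELF)
    return sub


def auto_publish(subs: List[Subscription], exclude_list: str, tenant: Tenant) -> List[str]:
    """Apply the procedure to every subscription not matched by the ExcludeList.
    Returns the names that were published, in input order."""
    patterns = parse_exclude_list(exclude_list)
    return [publish(s, tenant).name for s in subs if not is_excluded(s.name, patterns)]


def demo():
    """Constructed sample data (no real tenant): one subscription owned by a user
    account that already sits in a product owner role, one owned by a group, and
    one that the ExcludeList keeps out of the IT Shop."""
    tenant = Tenant(
        employees_of={"alice@example.com": ["Alice"], "LicenseAdmins": ["Bob", "Carol"]},
        product_owner_roles={f"{PRODUCT_OWNER_PARENT} | Licensing": {"Alice", "Dave"}},
        service_items={"Old E3 item": "Misc"},
    )
    subs = [
        Subscription("ENTERPRISEPACK", owner="alice@example.com", service_item="Old E3 item"),
        Subscription("DEVELOPERPACK", owner="LicenseAdmins"),
        Subscription("FLOW_FREE"),
    ]
    published = auto_publish(subs, "FLOW_.*|POWER_BI_STANDARD", tenant)
    return tenant, subs, published
```

Run parse_exclude_list and is_excluded against your own subscription names before compiling the database: a pattern such as FLOW_.* excludes every name that starts with FLOW_, not just one product.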

Related topics

l Adding Azure Active Directory subscriptions to the IT Shop on page 134


l Assigning Azure Active Directory subscriptions to departments, cost centers, and
locations on page 130
l Assigning Azure Active Directory subscriptions to business roles on page 132
l Assigning Azure Active Directory user account directly to Azure Active Directory
subscriptions on page 138
l Adding Azure Active Directory subscriptions to system roles on page 133

Assigning Azure Active Directory user
account directly to Azure Active Directory
subscriptions
To react quickly to special requests, you can assign subscriptions directly to Azure Active
Directory user accounts. You cannot directly assign Azure Active Directory subscriptions
that have the Only use in IT Shop option set.

Special features of the assignment form

On the form, assignments of Azure Active Directory subscriptions to Azure Active Directory
user accounts are shown with their origin. This means:

l Azure Active Directory source group: Azure Active Directory group resulting
from an assignment. If the column is empty, this assignment of the Azure Active
Directory subscription to the Azure Active Directory user account was created either
directly, through IT Shop requests, or through departments, cost centers, locations,
and business roles.
l Origin: Type of assignment. Assignments through Azure Active Directory groups are
marked with the Assigned by group value (AADUserHasSubSku.XOrigin=16).

NOTE: You cannot delete assignments that are not derived from an Azure Active
Directory group.

To assign an Azure Active Directory subscription directly to user accounts

1. In the Manager, select the Azure Active Directory > Subscriptions category.
2. Select an Azure Active Directory subscription in the result list.
3. Select the Assign user accounts task.
4. Click Add and select the user account in the Azure Active Directory user
account menu.
5. Save the changes.

To remove direct assignments of Azure Active Directory subscriptions

1. In the Manager, select the Azure Active Directory > Subscriptions category.
2. Select an Azure Active Directory subscription in the result list.
3. Select the Assign user accounts task.
4. Select the assignment and click Remove.
5. Save the changes.

Related topics

l Displaying enabled and disabled Azure Active Directory service plans for Azure Active
Directory user accounts and Azure Active Directory groups on page 126
l Assigning Azure Active Directory subscriptions directly to Azure Active Directory user
accounts on page 139
l Assigning Azure Active Directory subscriptions to departments, cost centers, and
locations on page 130
l Assigning Azure Active Directory subscriptions to business roles on page 132
l Adding Azure Active Directory subscriptions to system roles on page 133
l Adding Azure Active Directory subscriptions to the IT Shop on page 134

Assigning Azure Active Directory subscriptions directly to Azure Active
Directory user accounts
To react quickly to special requests, you can assign subscriptions directly to Azure Active
Directory user accounts. You cannot directly assign Azure Active Directory subscriptions
that have the Only use in IT Shop option set.

Special features of the assignment form

On the form, assignments of Azure Active Directory subscriptions to Azure Active Directory
user accounts are shown with their origin. This means:

l Azure Active Directory source group: Azure Active Directory group resulting
from an assignment. If the column is empty, this assignment of the Azure Active
Directory subscription to the Azure Active Directory user account was created either
directly, through IT Shop requests, or through departments, cost centers, locations,
and business roles.
l Origin: Type of assignment. Assignments through Azure Active Directory groups are
marked with the Assigned by group value (AADUserHasSubSku.XOrigin=16).

NOTE: You cannot delete assignments that are not derived from an Azure Active
Directory group.

To assign subscriptions directly to Azure Active Directory user accounts

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Select the user account in the result list.
3. Select the Directly assign subscriptions task.
4. Click Add and in the Azure Active Directory subscription menu, select an Azure
Active Directory subscription.
5. Save the changes.

To remove direct assignments of Azure Active Directory subscriptions

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Select the user account in the result list.
3. Select the Directly assign subscriptions task.
4. Select the assignment and click Remove.
5. Save the changes.

Related topics

l Displaying enabled and disabled Azure Active Directory service plans for Azure Active
Directory user accounts and Azure Active Directory groups on page 126
l Assigning Azure Active Directory subscriptions to Azure Active Directory user
accounts on page 128
l Assigning Azure Active Directory subscriptions to departments, cost centers, and
locations on page 130
l Assigning Azure Active Directory subscriptions to business roles on page 132
l Adding Azure Active Directory subscriptions to system roles on page 133
l Adding Azure Active Directory subscriptions to the IT Shop on page 134

Assigning disabled Azure Active Directory service plans to Azure Active
Directory user accounts
Disabled Azure Active Directory service plans can be assigned directly or indirectly to
Azure Active Directory user accounts.
In the case of indirect assignment, employees and disabled service plans are assigned to
hierarchical roles, such as departments, cost centers, locations, or business roles. The
disabled Azure Active Directory service plans assigned to an employee are calculated from
the position in the hierarchy and the direction of inheritance. If the employee has a user
account in Azure Active Directory, disabled service plans belonging to roles are inherited
by this user account.
Furthermore, disabled service plans can be assigned to employees through IT Shop
requests. Add employees to a shop as customers so that disabled service plans can be
assigned through IT Shop requests. All disabled service plans assigned to this shop can
be requested by the customers. Requested disabled service plans are assigned to the
employees after approval is granted.

To react quickly to special requests, you can assign disabled service plans directly to Azure
Active Directory user accounts.
NOTE: It is possible that an Azure Active Directory user obtains the same Azure Active
Directory subscription directly as well as through one or more Azure Active Directory
groups. If a service plan is permitted by one assignment method and not by another, the
user is given the service plan.
This means:
A service plan that is disabled in a user account's direct assignment is still permitted
if the user account also obtains the service plan through a group and the service plan is
allowed for that group.
For more information, see Managing Azure Active Directory subscription and Azure
Active Directory service plan assignments on page 122 and Displaying enabled and
disabled Azure Active Directory service plans for Azure Active Directory user accounts
and Azure Active Directory groups on page 126.
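The rule in the note above, computed over constructed sample data as an added Python model (not One Identity Manager code): it returns the service plans a user actually holds once every direct and group assignment path is taken into account, and lists which plans a direct disable fails to remove because a group still grants them. The subscription, group and service plan names are made up; the only value taken from this guide is AADUserHasSubSku.XOrigin=16 for assignments by group.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

GROUP_ORIGIN = 16  # AADUserHasSubSku.XOrigin value for "Assigned by group"


@dataclass(frozen=True)
class Assignment:
    """One row of a user account's subscription assignments as shown on the form.
    source_group is None for direct, IT Shop and organization/role based paths."""
    subscription: str
    disabled_plans: FrozenSet[str]
    source_group: Optional[str] = None

    @property
    def xorigin(self) -> Optional[int]:
        # Only the group value is named on the page; other origins are left None.
        return GROUP_ORIGIN if self.source_group else None


def effective_plans(subscription_plans: Dict[str, Set[str]],
                    assignments: List[Assignment]) -> Dict[str, Set[str]]:
    """A plan is enabled if at least one assignment path of that subscription
    does not disable it; plans disabled on every path stay disabled."""
    result: Dict[str, Set[str]] = {}
    for a in assignments:
        enabled = subscription_plans[a.subscription] - a.disabled_plans
        result.setdefault(a.subscription, set()).update(enabled)
    return result


def granting_paths(subscription: str, plan: str, assignments: List[Assignment]) -> List[str]:
    """Paths that grant the plan ("direct" or the group name), in assignment order:
    the answer to 'why does this user still have a plan I disabled?'."""
    return [a.source_group or "direct" for a in assignments
            if a.subscription == subscription and plan not in a.disabled_plans]


def overridden_direct_disables(assignments: List[Assignment]) -> Dict[str, Set[str]]:
    """Plans disabled on a direct path but still granted through some group."""
    out: Dict[str, Set[str]] = {}
    for a in assignments:
        if a.source_group is not None:
            continue
        leaked = {p for p in a.disabled_plans
                  if any(g.source_group for g in assignments
                         if g.subscription == a.subscription and p not in g.disabled_plans)}
        if leaked:
            out[a.subscription] = leaked
    return out


def demo():
    """Constructed sample: one user account, one subscription, three assignment paths."""
    plans = {"ENTERPRISEPACK": {"EXCHANGE", "SHAREPOINT", "TEAMS", "YAMMER"}}
    assignments = [
        Assignment("ENTERPRISEPACK", frozenset({"TEAMS", "YAMMER"})),                     # direct
        Assignment("ENTERPRISEPACK", frozenset({"YAMMER"}), source_group="Sales"),
        Assignment("ENTERPRISEPACK", frozenset({"SHAREPOINT", "YAMMER"}), source_group="Engineering"),
    ]
    return plans, assignments
```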
For detailed information see the following guides:

Topic: Basic principles for assigning and inheriting company resources
Guide: One Identity Manager Identity Management Base Module Administration Guide;
One Identity Manager Business Roles Administration Guide

Topic: Assigning company resources through IT Shop requests
Guide: One Identity Manager IT Shop Administration Guide

Topic: System roles
Guide: One Identity Manager System Roles Administration Guide

Detailed information about this topic

l Prerequisites for indirect assignment of disabled Azure Active Directory service plans
to Azure Active Directory user accounts on page 142
l Assigning disabled Azure Active Directory service plans directly to departments, cost
centers, and locations on page 143
l Assigning disabled Azure Active Directory service plans to business roles on page 144
l Adding disabled Azure Active Directory service plans to system roles on page 145
l Adding disabled Azure Active Directory service plans to the IT Shop on page 146
l Adding disabled Azure Active Directory service plans automatically to the IT
Shop on page 148
l Assigning Azure Active Directory user accounts directly to disabled Azure Active
Directory service plans on page 149
l Assigning disabled Azure Active Directory service plans directly to Azure Active
Directory user accounts on page 150

Prerequisites for indirect assignment of
disabled Azure Active Directory service
plans to Azure Active Directory user
accounts
In the case of indirect assignment, employees and disabled service plans are assigned to
hierarchical roles, such as departments, cost centers, locations, or business roles. When
assigning disabled Azure Active Directory service plans indirectly, check the following
settings and modify them if necessary:

1. Assignment of employees and disabled Azure Active Directory service plans is
permitted for role classes (departments, cost centers, locations, or business roles).
For more information, see the One Identity Manager Identity Management Base
Module Administration Guide.

To configure assignments to roles of a role class

a. In the Manager, select role classes in the Organizations > Basic
configuration data > Role classes category.
- OR -
In the Manager, select role classes in the Business roles > Basic
configuration data > Role classes category.
b. Select the Configure role assignments task and configure the permitted
assignments.
l To generally allow an assignment, enable the Assignments
allowed column.
l To allow direct assignment, enable the Direct assignments
permitted column.
c. Save the changes.
2. Settings for assigning disabled Azure Active Directory service plans to Azure Active
Directory user accounts.
l The Azure Active Directory user account is linked to an employee.
l The Azure Active Directory user account has the Disabled service plans can
be inherited option set.

Related topics

l Creating and editing Azure Active Directory user accounts on page 177
l General main data of Azure Active Directory user accounts on page 178

Assigning disabled Azure Active Directory
service plans directly to departments, cost
centers, and locations
Assign disabled Azure Active Directory service plans to departments, cost centers, and
locations in order to assign user accounts to them through these organizations.

To assign a disabled service plan to departments, cost centers, or locations
(non role-based login)

1. In the Manager, select the Azure Active Directory > Disabled service
plans category.
2. Select the service plan in the result list.
3. Select the Assign organizations task.
4. In the Add assignments pane, assign the organizations:
l On the Departments tab, assign departments.
l On the Locations tab, assign locations.
l On the Cost centers tab, assign cost centers.
TIP: In the Remove assignments pane, you can remove assigned organizations.

To remove an assignment
l Select the organization and double-click .
5. Save the changes.

To assign disabled service plans to a department, cost center, or location (role-based login)

1. In the Manager, select the Organizations > Departments category.
- OR -
In the Manager, select the Organizations > Cost centers category.
- OR -
In the Manager, select the Organizations > Locations category.
2. Select the department, cost center or location in the result list.
3. Select the Assigning disabled Azure Active Directory service plans task.
4. In the Add assignments pane, select the Azure Active Directory subscription and
assign the disabled service plans.
TIP: In the Remove assignments pane, you can remove assigned service plans.

To remove an assignment
l Select the service plan and double-click .
5. Save the changes.

Related topics

l Prerequisites for indirect assignment of disabled Azure Active Directory service plans
to Azure Active Directory user accounts on page 142
l Assigning disabled Azure Active Directory service plans to business roles on page 144
l Assigning Azure Active Directory user accounts directly to disabled Azure Active
Directory service plans on page 149
l Adding disabled Azure Active Directory service plans to system roles on page 145
l Adding disabled Azure Active Directory service plans to the IT Shop on page 146
l One Identity Manager users for managing an Azure Active Directory
environment on page 11

Assigning disabled Azure Active Directory service plans to business roles
NOTE: This function is only available if the Business Roles Module is installed.
Assign disabled Azure Active Directory service plans to business roles so that they can be
assigned to user accounts through these business roles.

To assign a disabled service plan to a business role (non role-based login)

1. In the Manager, select the Azure Active Directory > Disabled service
plans category.
2. Select the service plan in the result list.
3. Select the Assign business roles task.
4. In the Add assignments pane, select the role class and assign business roles.
TIP: In the Remove assignments pane, you can remove assigned business roles.

To remove an assignment
l Select the business role and double-click .
5. Save the changes.

To assign disabled service plans to a business role (role-based login)

1. In the Manager, select the Business roles > <role class> category.
2. Select the business role in the result list.
3. Select the Assigning disabled Azure Active Directory service plans task.

4. In the Add assignments pane, select the Azure Active Directory subscription and
assign the disabled service plans.
TIP: In the Remove assignments pane, you can remove assigned service plans.

To remove an assignment
l Select the service plan and double-click .
5. Save the changes.

Related topics

l Prerequisites for indirect assignment of disabled Azure Active Directory service plans
to Azure Active Directory user accounts on page 142
l Assigning disabled Azure Active Directory service plans directly to departments, cost
centers, and locations on page 143
l Assigning Azure Active Directory user accounts directly to disabled Azure Active
Directory service plans on page 149
l Adding disabled Azure Active Directory service plans to system roles on page 145
l Adding disabled Azure Active Directory service plans to the IT Shop on page 146
l One Identity Manager users for managing an Azure Active Directory
environment on page 11

Adding disabled Azure Active Directory service plans to system roles
NOTE: This function is only available if the System Roles Module is installed.
Use this task to add disabled Azure Active Directory service plans to system roles. If you
assign a system role to an employee, the disabled service plan is inherited by all user
accounts owned by that employee.
NOTE: Disabled Azure Active Directory service plans in which the Only use in IT Shop
option is set can only be assigned to system roles that also have this option set. For more
information, see the One Identity Manager System Roles Administration Guide.

To assign a disabled service plan to system roles

1. In the Manager, select the Azure Active Directory > Disabled service
plans category.
2. Select the service plan in the result list.
3. Select the Assign system roles task.
4. In the Add assignments pane, assign system roles.
TIP: In the Remove assignments pane, you can remove assigned system roles.

To remove an assignment
l Select the system role and double-click .
5. Save the changes.

Related topics

l Prerequisites for indirect assignment of disabled Azure Active Directory service plans
to Azure Active Directory user accounts on page 142
l Assigning disabled Azure Active Directory service plans directly to departments, cost
centers, and locations on page 143
l Assigning disabled Azure Active Directory service plans to business roles on page 144
l Assigning Azure Active Directory user accounts directly to disabled Azure Active
Directory service plans on page 149
l Adding disabled Azure Active Directory service plans to the IT Shop on page 146

Adding disabled Azure Active Directory service plans to the IT Shop
A disabled Azure Active Directory service plan can be requested by shop customers when it
is assigned to an IT Shop shelf. For it to be requestable, the following prerequisites must
also be met:

l The disabled service plan must be labeled with the IT Shop option.
l The disabled service plan must be assigned to a service item.
l If the disabled service plan is only supposed to be assigned to employees through IT
Shop requests, you must also set the Only for use in IT Shop option. Direct
assignment to hierarchical roles is then not possible.

NOTE: IT Shop administrators can assign disabled service plans to IT Shop shelves in the
case of role-based login. Target system administrators are not authorized to add disabled
service plans in the IT Shop.

To add a disabled service plan in the IT Shop

1. In the Manager, select the Azure Active Directory > Disabled service plans
(non role-based login) category.
- OR -
In the Manager, select the Entitlements > Disabled Azure Active Directory
service plans (role-based login) category.
2. Select the service plan in the result list.
3. Select the Add to IT Shop task.

4. In the Add assignments pane, assign the disabled service plan to the IT
Shop shelves.
5. Save the changes.

To remove a disabled service plan from individual IT Shop shelves

1. In the Manager, select the Azure Active Directory > Disabled service plans
(non role-based login) category.
- OR -
In the Manager, select the Entitlements > Disabled Azure Active Directory
service plans (role-based login) category.
2. Select the service plan in the result list.
3. Select the Add to IT Shop task.
4. In the Remove assignments pane, remove the disabled service plan from the IT
Shop shelves.
5. Save the changes.

To remove a disabled service plan from all IT Shop shelves

1. In the Manager, select the Azure Active Directory > Disabled service plans
(non role-based login) category.
- OR -
In the Manager, select the Entitlements > Disabled Azure Active Directory
service plans (role-based login) category.
2. Select the service plan in the result list.
3. Select the Remove from all shelves (IT Shop) task.
4. Confirm the security prompt with Yes.
5. Click OK.
The disabled service plan is removed from all shelves by the One Identity Manager
Service. All requests and assignment requests with this disabled service plan are
canceled at the same time.

For detailed information about requesting company resources through the IT Shop, see the
One Identity Manager IT Shop Administration Guide.

Related topics

l Prerequisites for indirect assignment of disabled Azure Active Directory service plans
to Azure Active Directory user accounts on page 142
l Adding disabled Azure Active Directory service plans automatically to the IT
Shop on page 148
l Assigning disabled Azure Active Directory service plans directly to departments, cost
centers, and locations on page 143
l Assigning disabled Azure Active Directory service plans to business roles on page 144

l Assigning Azure Active Directory user accounts directly to disabled Azure Active
Directory service plans on page 149
l Adding disabled Azure Active Directory service plans to system roles on page 145

Adding disabled Azure Active Directory service plans automatically to the IT Shop
The following steps can be used to automatically add disabled Azure Active Directory
service plans to the IT Shop. Synchronization ensures that the disabled service plans are
added to the IT Shop. If necessary, you can manually start synchronization with the
Synchronization Editor. New disabled service plans created in One Identity Manager also
are added automatically to the IT Shop.

To add disabled service plans automatically to the IT Shop

1. In the Designer, set the QER | ITShop | AutoPublish | AADDeniedServicePlan
configuration parameter.
2. In order not to add disabled service plans to the IT Shop automatically, in the
Designer, set the QER | ITShop | AutoPublish | AADDeniedServicePlan |
ExcludeList configuration parameter.
This configuration parameter contains a listing of all disabled service plans that
should not be allocated to the IT Shop automatically. You can extend this list if
required. To do this, enter the name of the subscription in the configuration
parameter. Names are listed in a pipe (|) delimited list. Regular expressions
are supported.
3. Compile the database.

The disabled service plans are added automatically to the IT Shop from now on.
The following steps are run to add a disabled service plan to the IT Shop.

1. A service item is determined for the disabled service plan.
The service item is tested for each disabled service plan and modified if necessary.
The name of the service item corresponds to the name of the disabled service plan.
l The service item is modified for disabled service plans with service items.
l Disabled service plans without service items are allocated new service items.
2. The service item is assigned to the Disabled Azure Active Directory service
plans default service category.
3. An application role for product owners is determined and assigned to the
service item.
Product owners can approve requests for these disabled service plans. The default
product owner is the disabled service plan's owner.

NOTE: The application role for the product owner must be added under the
Request & Fulfillment | IT Shop | Product owner application role.
l If the owner of the disabled service plan is already a member of an application
role for product owners, this application role is assigned to the service item.
Therefore, all members of this application role become product owners of the
disabled service plan.
l If the owner of the disabled service plan is not yet a member of an application
role for product owners, a new application role is created. The name of the
application role corresponds to the name of the owner.
l If the owner is a user account, the user account's employee is added to
the application role.
l If it is a group of owners, the employees of all this group's user accounts
are added to the application role.
4. The disabled service plan is labeled with the IT Shop option and assigned to the
Disabled Azure Active Directory service plans IT Shop shelf in the Identity &
Access Lifecycle shop.

Then the shop customers use the Web Portal to request the disabled service plan.
NOTE: If a disabled service plan is irrevocably deleted from the One Identity Manager
database, the associated service item is also deleted.
For more information about configuring the IT Shop, see the One Identity Manager IT Shop
Administration Guide. For more information about requesting access in the Web Portal, see
the One Identity Manager Web Portal User Guide.

Related topics

l Adding disabled Azure Active Directory service plans to the IT Shop on page 146
l Assigning disabled Azure Active Directory service plans directly to departments, cost
centers, and locations on page 143
l Assigning disabled Azure Active Directory service plans to business roles on page 144
l Assigning Azure Active Directory user accounts directly to disabled Azure Active
Directory service plans on page 149
l Adding disabled Azure Active Directory service plans to system roles on page 145

Assigning Azure Active Directory user accounts directly to disabled Azure Active
Directory service plans
To react quickly to special requests, you can assign disabled service plans directly to a user
account. You cannot directly assign disabled service plans with the Only use in IT Shop
option set.

To assign a disabled service plan directly to a user account

1. In the Manager, select the Azure Active Directory > Disabled service
plans category.
2. Select the service plan in the result list.
3. Select the Assign user accounts task.
4. In the Add assignments pane, assign the user accounts.
TIP: In the Remove assignments pane, you can remove assigned user accounts.

To remove an assignment
l Select the user account and double-click .
5. Save the changes.

Related topics

l Assigning Azure Active Directory subscriptions directly to Azure Active Directory user
accounts on page 139
l Assigning disabled Azure Active Directory service plans directly to departments, cost
centers, and locations on page 143
l Assigning disabled Azure Active Directory service plans to business roles on page 144
l Adding disabled Azure Active Directory service plans to system roles on page 145
l Adding disabled Azure Active Directory service plans to the IT Shop on page 146

Assigning disabled Azure Active Directory service plans directly to Azure Active
Directory user accounts
To react quickly to special requests, you can assign disabled service plans directly to a user
account. You cannot directly assign disabled service plans with the Only use in IT Shop
option set.

To assign disabled service plans directly to a user account

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Select the user account in the result list.
3. Select the Assign disabled service plans task.
4. In the Add assignments pane, assign disabled service plans.
TIP: In the Remove assignments pane, you can remove assigned disabled
service plans.

To remove an assignment
l Select a disabled service plan and click .
5. Save the changes.

Related topics

l Assigning disabled Azure Active Directory service plans to Azure Active Directory
user accounts on page 140
l Assigning disabled Azure Active Directory service plans directly to departments, cost
centers, and locations on page 143
l Assigning disabled Azure Active Directory service plans to business roles on page 144
l Adding disabled Azure Active Directory service plans to system roles on page 145
l Adding disabled Azure Active Directory service plans to the IT Shop on page 146

Inheriting Azure Active Directory subscriptions based on categories
The procedure described under Azure Active Directory group inheritance based on
categories on page 107 can also be used for Azure Active Directory subscriptions.

To use inheritance through categories

1. In the Manager, define the categories in the Azure Active Directory tenant.
2. In the Manager, assign categories to user accounts through their main data.
3. In the Manager, assign categories to Azure Active Directory subscriptions through
their main data.

Related topics

l Defining categories for the inheritance of entitlements on page 171
l General main data of Azure Active Directory user accounts on page 178
l Editing Azure Active Directory subscription main data on page 202

Inheritance of disabled Azure Active Directory service plans based on categories
The procedure described under Azure Active Directory group inheritance based on
categories on page 107 can also be used for disabled service plans.

To use inheritance through categories

1. In the Manager, define the categories in the Azure Active Directory tenant.
2. In the Manager, assign categories to user accounts through their main data.
3. In the Manager, assign categories to disabled service plans through their main data.

Related topics

l Defining categories for the inheritance of entitlements on page 171
l General main data of Azure Active Directory user accounts on page 178
l Editing main data of disabled Azure Active Directory service plans on page 205

7 Login information for Azure Active Directory user accounts

When new user accounts are created in One Identity Manager, the passwords needed to log
in to the target system are created immediately also. Various options are available for
assigning the initial password. Predefined password policies are applied to the passwords,
and you can adjust these policies to suit your individual requirements if necessary. You can
set up email notifications to distribute the login information generated to users.

Detailed information about this topic

l Password policies for Azure Active Directory user accounts on page 153
l Initial password for new Azure Active Directory user accounts on page 165
l Email notifications about login data on page 165

Password policies for Azure Active Directory user accounts
One Identity Manager provides you with support for creating complex password policies,
for example, for system user passwords, the employees' central password as well as
passwords for individual target systems. Password polices apply not only when the user
enters a password but also when random passwords are generated.
Predefined password policies are supplied with the default installation that you can use or
customize if required. You can also define your own password policies.

Detailed information about this topic

l Predefined password policies on page 154
l Using password policies on page 155
l Creating password policies on page 156
l Editing password policies on page 157

l Custom scripts for password requirements on page 161
l Password exclusion list on page 164
l Checking passwords on page 164
l Testing password generation on page 165

Predefined password policies


You can customize predefined password policies to meet your own requirements if
necessary.

Password for logging in to One Identity Manager

The One Identity Manager password policy is applied for logging in to One Identity
Manager. This password policy defines the settings for the system user passwords
(DialogUser.Password and Person.DialogUserPassword) as well as the passcode for a one
time log in on the Web Portal (Person.Passcode).
NOTE: The One Identity Manager password policy is marked as the default policy.
This password policy is applied if no other password policy can be found for employees,
user accounts, or system users.
For detailed information about password policies for employees, see the One Identity
Manager Identity Management Base Module Administration Guide.

Password policy for forming employees' central passwords

An employee's central password is formed from the target system specific user accounts
by respective configuration. The Employee central password policy defines the
settings for the (Person.CentralPassword) central password. Members of the Identity
Management | Employees | Administrators application role can adjust this
password policy.
IMPORTANT: Ensure that the Employee central password policy does not violate the
target system-specific requirements for passwords.
For detailed information about password policies for employees, see the One Identity
Manager Identity Management Base Module Administration Guide.

Password policies for user accounts

Predefined password policies are provided, which you can apply to the user account
password columns of the user accounts.
IMPORTANT: If you do not use password policies that are specific to the target system,
the One Identity Manager password policy default policy applies. In this case,
ensure that the default policy does not violate the target systems requirements.
NOTE: When you update One Identity Manager version 7.x to One Identity Manager
version 8.2.1, the configuration parameter settings for forming passwords are passed on

to the target system-specific password policies.
The Azure Active Directory password policy is predefined for Azure Active Directory.
You can apply this password policy to Azure Active Directory user accounts
(AADUser.Password) of an Azure Active Directory tenant.
If the tenants' password requirements differ, it is recommended that you set up your own
password policies for each tenant.
Furthermore, you can apply password policies based on the account definition of the user
accounts or based on the manage level of the user accounts.

Using password policies


The Azure Active Directory password policy is predefined for Azure Active Directory.
You can apply this password policy to Azure Active Directory user accounts
(AADUser.Password) of an Azure Active Directory tenant.
If the tenants' password requirements differ, it is recommended that you set up your own
password policies for each tenant.
Furthermore, you can apply password policies based on the account definition of the user
accounts or based on the manage level of the user accounts.
The password policy that is to be used for a user account is determined in the
following sequence:

1. Password policy of the user account's account definition.
2. Password policy of the user account's manage level.
3. Password policy of the user account's tenant.
4. The One Identity Manager password policy (default policy).

IMPORTANT: If you do not use password policies that are specific to the target system,
the One Identity Manager password policy default policy applies. In this case,
ensure that the default policy does not violate the target systems requirements.

To reassign a password policy

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Password policies category.
2. Select the password policy in the result list.
3. Select Assign objects.
4. Click Add in the Assignments section and enter the following data.

l Apply to: Application scope of the password policy.

To specify an application scope


1. Click next to the field.
2. Select one of the following references under Table:
l The table that contains the base objects of synchronization.
l To apply the password policy based on the account definition, select
the TSBAccountDef table.
l To apply the password policy based on the manage level, select the
TSBBehavior table.
3. Under Apply to, select the table that contains the base objects.
l If you have selected the table containing the base objects of
synchronization, next select the specific target system.
l If you have selected the TSBAccountDef table, next select the
specific account definition.
l If you have selected the TSBBehavior table, next select the specific
manage level.
4. Click OK.
l Password column: Name of the password column.
l Password policy: Name of the password policy to use.
5. Save the changes.

To change a password policy's assignment

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Password policies category.
2. Select the password policy in the result list.
3. Select the Assign objects task.
4. In the Assignments pane, select the assignment you want to change.
5. From the Password Policies menu, select the new password policy you want
to apply.
6. Save the changes.

Creating password policies


Predefined password policies are supplied with the default installation that you can use or
customize if required. You can also define your own password policies.

To create a password policy

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Password policies category.
2. Click in the result list.
3. On the main data form, enter the main data of the password policy.
4. Save the changes.

Detailed information about this topic

l General main data of password policies on page 158
l Policy settings on page 158
l Character classes for passwords on page 159
l Custom scripts for password requirements on page 161
l Editing password policies on page 157

Editing password policies


Predefined password policies are supplied with the default installation that you can use or
customize if required.

To edit a password policy

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Password policies category.
2. In the result list, select the password policy.
3. Select the Change main data task.
4. Edit the password policy's main data.
5. Save the changes.

Detailed information about this topic

l General main data of password policies on page 158
l Policy settings on page 158
l Character classes for passwords on page 159
l Custom scripts for password requirements on page 161
l Creating password policies on page 156

General main data of password policies
Enter the following main data of a password policy.

Table 20: Main data for a password policy

Display name: Password policy name. Translate the given text using the button.

Description: Text field for additional explanation. Translate the given text using the button.

Error Message: Custom error message generated if the policy is not fulfilled. Translate the
given text using the button.

Owner (Application Role): Application roles whose members can configure the password
policies.

Default policy: Mark as default policy for passwords. This option cannot be changed.
NOTE: The One Identity Manager password policy is marked as the default policy. This
password policy is applied if no other password policy can be found for employees, user
accounts, or system users.

Policy settings
Define the following settings for a password policy on the Password tab.

Table 21: Policy settings

Initial password: Initial password for newly created user accounts. The initial password
is used if a password is not entered when you create a user account or if a random
password is not generated.

Password confirmation: Reconfirm password.

Minimum Length: Minimum length of the password. Specify the number of characters a
password must have. If the value is 0, no password is required.

Max. length: Maximum length of the password. Specify the number of characters a password
can have. The maximum permitted value is 256.

Max. errors: Maximum number of errors. Set the number of invalid password attempts. The
number of failed logins is only taken into account when logging in to One Identity
Manager. If the value is 0, the number of failed logins is not taken into account.
This data is only taken into account if the One Identity Manager login was through a
system user or employee based authentication module. If a user has exceeded the maximum
number of failed logins, the employee or system user will not be able to log in to One
Identity Manager.
You can use the Password Reset Portal to reset the passwords of employees and system
users who have been blocked. For more information, see the One Identity Manager Web
Designer Web Portal User Guide.

Max. days valid: Maximum age of the password. Enter the length of time a password can be
used before it expires. If the value is 0, then the password does not expire.

Password history: Enter the number of passwords to be saved. If, for example, a value of
5 is entered, the user's last five passwords are stored. If the value is 0, then no
passwords are stored in the password history.

Minimum password strength: Specifies how secure the password must be. The higher the
password strength, the more secure it is. The value 0 means that the password strength is
not tested. The values 1, 2, 3 and 4 specify the required complexity of the password. The
value 1 represents the lowest requirements in terms of password strength. The value 4
requires the highest level of complexity.

Name properties denied: Specifies whether name properties are permitted in the password.
If this option is set, name properties are not permitted in passwords. The values of
these columns are taken into account if the Contains name properties for password check
option is set. In the Designer, adjust this option in the column definition. For more
information, see the One Identity Manager Configuration Guide.

Character classes for passwords


Use the Character classes tab to specify which characters are permitted for a password.

Table 22: Character classes for passwords

Required number of character classes: Number of rules for character classes that must be
fulfilled so that a password adheres to the password policy. The following rules are
taken into account: Min. number letters, Min. number lowercase, Min. number uppercase,
Min. number digits, and Min. number special characters.
That means:
l Value 0: All character class rules must be fulfilled.
l Value >0: Minimum number of character class rules that must be fulfilled. At most, the
value can be the number of rules with a value >0.
NOTE: Generated passwords are not tested for this.

Min. number letters: Specifies the minimum number of alphabetical characters the password
must contain.

Min. number lowercase: Specifies the minimum number of lowercase letters the password
must contain.

Min. number uppercase: Specifies the minimum number of uppercase letters the password
must contain.

Min. number digits: Specifies the minimum number of digits the password must contain.

Min. number special characters: Specifies the minimum number of special characters the
password must contain.

Permitted special characters: List of permitted special characters.

Max. identical characters in total: Specifies the maximum number of identical characters
that can be present in the password in total.

Max. identical characters in succession: Specifies the maximum number of identical
characters that can be repeated after each other.

Denied special characters: List of special characters that are not permitted.

Do not generate lowercase letters: Specifies whether a generated password can contain
lowercase letters. This setting only applies when passwords are generated.

Do not generate uppercase letters: Specifies whether a generated password can contain
uppercase letters. This setting only applies when passwords are generated.

Do not generate digits: Specifies whether a generated password can contain digits. This
setting only applies when passwords are generated.

Do not generate special characters: Specifies whether a generated password can contain
special characters. If this option is set, only letters, numbers, and spaces are allowed
in passwords. This setting only applies when passwords are generated.

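The rules in Tables 21 and 22 can be exercised outside the Manager with a small model. The following Python is an added example and not One Identity code: the property names mirror the policy settings, the global restricted terms and the sample policy are constructed, and the evaluation details (for instance case-insensitive substring matching for name properties) are assumptions.

```python
# Added example (not One Identity code): a model of the checks described in
# Tables 21 and 22. Property names mirror the policy settings; the evaluation
# details are assumptions, since the product's internal order is not documented.
from dataclasses import dataclass
import re
import string


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 256
    # 0 = every character class rule with a value > 0 must be fulfilled;
    # > 0 = at least this many of those rules must be fulfilled
    required_number_of_character_classes: int = 0
    min_letters: int = 0
    min_lowercase: int = 0
    min_uppercase: int = 0
    min_digits: int = 0
    min_special: int = 0
    permitted_special: str = string.punctuation
    denied_special: str = ""
    max_identical_total: int = 0          # 0 = not checked
    max_identical_in_succession: int = 0  # 0 = not checked
    name_properties_denied: bool = False


# The exclusion list applies globally to all policies (constructed sample terms).
RESTRICTED_TERMS = ("password", "welcome")


def _is_special(c: str) -> bool:
    return not c.isalnum() and not c.isspace()


def check_password(pwd: str, policy: PasswordPolicy, name_properties=()) -> list:
    """Return the list of violated rules; an empty list means the password is valid."""
    errors = []
    if len(pwd) < policy.min_length:
        errors.append(f"shorter than minimum length {policy.min_length}")
    if len(pwd) > policy.max_length:
        errors.append(f"longer than maximum length {policy.max_length}")

    # Character class rules: only rules with a value > 0 take part in the count.
    counts = {
        "Min. number letters": (policy.min_letters, sum(c.isalpha() for c in pwd)),
        "Min. number lowercase": (policy.min_lowercase, sum(c.islower() for c in pwd)),
        "Min. number uppercase": (policy.min_uppercase, sum(c.isupper() for c in pwd)),
        "Min. number digits": (policy.min_digits, sum(c.isdigit() for c in pwd)),
        "Min. number special characters": (policy.min_special, sum(_is_special(c) for c in pwd)),
    }
    active = {name: nh for name, nh in counts.items() if nh[0] > 0}
    fulfilled = [name for name, (need, have) in active.items() if have >= need]
    if policy.required_number_of_character_classes == 0:
        required = len(active)
    else:
        required = min(policy.required_number_of_character_classes, len(active))
    if len(fulfilled) < required:
        errors.append(f"only {len(fulfilled)} of {required} character class rules fulfilled")

    # Special characters must be in the permitted list and not in the denied list.
    bad = sorted({c for c in pwd if _is_special(c)
                  and (c in policy.denied_special or c not in policy.permitted_special)})
    if bad:
        errors.append(f"special characters not permitted: {''.join(bad)}")

    # Identical characters, in total and in succession.
    if policy.max_identical_total and pwd:
        most = max(pwd.count(c) for c in set(pwd))
        if most > policy.max_identical_total:
            errors.append(f"a character occurs {most} times (max. {policy.max_identical_total})")
    if policy.max_identical_in_succession:
        run = max((len(m.group()) for m in re.finditer(r"(.)\1*", pwd)), default=0)
        if run > policy.max_identical_in_succession:
            errors.append(f"{run} identical characters in succession "
                          f"(max. {policy.max_identical_in_succession})")

    # Global restricted terms and, if the policy denies them, name properties of the
    # base object; both are matched as case-insensitive substrings (assumption).
    lowered = pwd.lower()
    for term in RESTRICTED_TERMS:
        if term in lowered:
            errors.append(f"contains restricted term {term!r}")
    if policy.name_properties_denied:
        for prop in name_properties:
            if prop and prop.lower() in lowered:
                errors.append(f"contains name property {prop!r}")
    return errors


# Constructed sample policy: three of the four active class rules must hold.
SAMPLE_POLICY = PasswordPolicy(min_length=8, min_lowercase=1, min_uppercase=1,
                               min_digits=1, min_special=1,
                               required_number_of_character_classes=3,
                               denied_special="?!", max_identical_total=3,
                               max_identical_in_succession=2,
                               name_properties_denied=True)
```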
Custom scripts for password requirements


You can implement custom scripts for testing and generating passwords if the password
requirements cannot be mapped with the existing settings options. Scripts are applied in
addition to the other settings.

Detailed information about this topic

l Checking passwords with a script on page 161
l Generating passwords with a script on page 163

Checking passwords with a script


You can implement a script if additional policies need to be used for checking a password
that cannot be mapped with the available settings.

Syntax of check scripts

Public Sub CCC_CustomPwdValidate( policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)

With parameters:
policy = password policy object
spwd = password to check
TIP: To use a base object, take the Entity property of the PasswordPolicy class.

Example: Script that checks a password

A password cannot start with ? or ! . The password cannot start with three identical
characters. The script checks a given password for validity.
Public Sub CCC_PwdValidate( policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)
    ' Work on a plain character array copy of the secure string
    Dim pwd = spwd.ToInsecureArray()
    ' Rule 1: the password must not start with '?' or '!'
    If pwd.Length > 0 Then
        If pwd(0) = "?" Or pwd(0) = "!" Then
            Throw New Exception(#LD("Password can't start with '?' or '!'")#)
        End If
    End If
    ' Rule 2: the first three characters must not be identical
    If pwd.Length > 2 Then
        If pwd(0) = pwd(1) AndAlso pwd(1) = pwd(2) Then
            Throw New Exception(#LD("Invalid character sequence in password")#)
        End If
    End If
End Sub

To use a custom script for checking a password

1. In the Designer, create your script in the Script Library category.
2. Edit the password policy.
a. In the Manager, select the Azure Active Directory > Basic configuration
data > Password policies category.
b. In the result list, select the password policy.
c. Select the Change main data task.
d. On the Scripts tab, enter the name of the script to be used to check a
password in the Check script field.
e. Save the changes.

Related topics

l Generating passwords with a script on page 163

Generating passwords with a script


You can implement a generating script if additional policies need to be used for generating
a random password, which cannot be mapped with the available settings.

Syntax for generating script

Public Sub CCC_PwdGenerate( policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)
With parameters:
policy = password policy object
spwd = generated password
TIP: To use a base object, take the Entity property of the PasswordPolicy class.

Example: Script that generates a password

The script replaces invalid ? and ! characters at the beginning of random
passwords with _.
Public Sub CCC_PwdGenerate( policy As VI.DB.Passwords.PasswordPolicy, spwd As System.Security.SecureString)
    ' Inspect a plain character array copy of the generated password
    Dim pwd = spwd.ToInsecureArray()
    ' Replace invalid characters at the first position in the secure string itself
    If pwd.Length > 0 Then
        If pwd(0) = "?" Or pwd(0) = "!" Then
            spwd.SetAt(0, CChar("_"))
        End If
    End If
End Sub

To use a custom script for generating a password

1. In the Designer, create your script in the Script Library category.
2. Edit the password policy.
a. In the Manager, select the Azure Active Directory > Basic configuration
data > Password policies category.

b. In the result list, select the password policy.
c. Select the Change main data task.
d. On the Scripts tab, enter the name of the script to be used to generate a
password in the Generating script field.
e. Save the changes.

Related topics

l Checking passwords with a script on page 161

Password exclusion list


You can add words to a list of restricted terms to prohibit them from being used in
passwords.
NOTE: The restricted list applies globally to all password policies.

To add a term to the restricted list

1. In the Designer, select the Base data > Security settings > Password
policies category.
2. Create a new entry with the Object > New menu item and enter the term you want
to exclude from the list.
3. Save the changes.

Checking passwords
When you verify a password, all the password policy settings, custom scripts, and the
restricted passwords are taken into account.

To verify if a password conforms to the password policy

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Password policies category.
2. In the result list, select the password policy.
3. Select the Change main data task.
4. Select the Test tab.
5. Select the table and object to be tested in Base object for test.
6. Enter a password in Enter password to test.
A display next to the password shows whether it is valid or not.

Testing password generation
When you generate a password, all the password policy settings, custom scripts and the
restricted passwords are taken into account.

To generate a password that conforms to the password policy

1. In the Manager, select the Azure Active Directory > Basic configuration data
> Password policies category.
2. In the result list, select the password policy.
3. Select the Change main data task.
4. Select the Test tab.
5. Click Generate.
This generates and displays a password.

Initial password for new Azure Active Directory user accounts
You can issue an initial password for a new Azure Active Directory user account in the
following ways:

l When you create the user account, enter a password in the main data.
l Assign a randomly generated initial password to enter when you create user
accounts.
l In the Designer, set the TargetSystem | AzureAD | Accounts |
InitialRandomPassword configuration parameter.
l Apply target system specific password policies and define the character sets
that the password must contain.
l Specify which employee will receive the initial password by email.

Related topics

l Password policies for Azure Active Directory user accounts on page 153
l Email notifications about login data on page 165

Email notifications about login data


You can configure the login information for new user accounts to be sent by email to a
specified person. In this case, two messages are sent with the user name and the initial

password. Mail templates are used to generate the messages. The mail text in a mail
template is defined in several languages. This means the recipient’s language can be taken
into account when the email is generated. Mail templates are supplied in the default
installation with which you can configure the notification procedure.
The following prerequisites must be fulfilled in order to use notifications:

1. Ensure that the email notification system is configured in One Identity Manager. For
more information, see the One Identity Manager Installation Guide.
2. In the Designer, set the Common | MailNotification | DefaultSender
configuration parameter and enter the sender address for sending the email
notifications.
3. Ensure that all employees have a default email address. Notifications are sent to this
address. For more information, see the One Identity Manager Identity Management
Base Module Administration Guide.
4. Ensure that a language can be determined for all employees. Only then can they
receive email notifications in their own language. For more information, see the One
Identity Manager Identity Management Base Module Administration Guide.

When a randomly generated password is issued for the new user account, the initial login
data for a user account is sent by email to a previously specified person.

To send initial login data by email

1. In the Designer, set the TargetSystem | AzureAD | Accounts | InitialRandomPassword configuration parameter.
2. In the Designer, set the TargetSystem | AzureAD | Accounts | InitialRandomPassword | SendTo configuration parameter and enter the message recipient as a value.
3. In the Designer, set the TargetSystem | AzureAD | Accounts |
InitialRandomPassword | SendTo | MailTemplateAccountName
configuration parameter.
By default, the message sent uses the mail template Employee - new user
account created. The message contains the name of the user account.
4. In the Designer, set the TargetSystem | AzureAD | Accounts |
InitialRandomPassword | SendTo | MailTemplatePassword configuration
parameter.
By default, the message sent uses the mail template Employee - initial
password for new user account. The message contains the initial password for
the user account.

TIP: To use custom mail templates for emails of this type, change the value of the configuration parameter.

8 Mapping of Azure Active Directory objects in One Identity Manager

In One Identity Manager, you can map user accounts, groups, administrator roles, subscriptions, service plans, applications, service principals, and app roles of an Azure Active Directory tenant. These objects are imported into the One Identity Manager database during synchronization. You can display their properties in the Manager and, depending on the object type, edit them.

Detailed information about this topic

l Azure Active Directory core directories on page 167
l Azure Active Directory tenant on page 168
l Azure Active Directory domains on page 172
l Azure Active Directory user accounts on page 176
l Azure Active Directory groups on page 191
l Azure Active Directory administrator roles on page 198
l Azure Active Directory subscriptions and Azure Active Directory service plans on page 201
l Disabled Azure Active Directory service plans on page 204
l Azure Active Directory applications and Azure Active Directory service principals on page 207
l Reports about Azure Active Directory objects on page 215

Azure Active Directory core directories


For more information about the Azure Active Directory structure, see the Azure Active
Directory documentation from Microsoft.
You must provide details about your organization the first time you register for a Microsoft cloud service. This detailed information is used to make a new Azure Active Directory directory partition. The organization represents one Azure Active Directory tenant. In One Identity Manager, you can edit the main data of each tenant. However, you cannot create new tenants in One Identity Manager.
A base domain is linked to the core directory in the cloud. You can also add other user-defined domains in Azure Active Directory, which you can then allocate to Microsoft cloud services. One Identity Manager only loads verified domain data into the database. It is not possible to edit domain data in One Identity Manager.

Detailed information about this topic

l Azure Active Directory tenant on page 168
l Azure Active Directory domains on page 172
l Azure Active Directory policies for activity-based timeouts on page 173
l Azure Active Directory policies for home realm discovery on page 174
l Azure Active Directory policies for issuing tokens on page 174
l Azure Active Directory policies for token lifetime on page 175

Azure Active Directory tenant


You must provide details about your organization the first time you register for a Microsoft
cloud service. This detailed information is used to make a new Azure Active Directory
directory partition. The organization represents one Azure Active Directory tenant. In One
Identity Manager, you can edit the main data of each Azure Active Directory tenant.
However, you cannot create new Azure Active Directory tenants in One Identity Manager.

To edit Azure Active Directory tenant main data

1. In the Manager, select the Azure Active Directory > Tenants category.
2. In the result list, select the Azure Active Directory tenant.
3. Select the Change main data task.
4. Edit the Azure Active Directory tenant's main data.
5. Save the changes.

Detailed information about this topic

l General main data of Azure Active Directory tenants on page 169
l Information about local Active Directory on page 170
l Defining categories for the inheritance of entitlements on page 171
l Synchronizing single objects on page 49

General main data of Azure Active Directory tenants
Enter the following data on the General tab.

Table 23: Azure Active Directory tenant main data

Display name: The Azure Active Directory tenant's display name.

Account definition (initial): Initial account definition for creating Azure Active Directory user accounts. This account definition is used if automatic assignment of employees to user accounts is used for this Azure Active Directory tenant and user accounts should be created which are already managed (Linked configured state). The account definition's default manage level is applied.
    User accounts are only linked to the employee (Linked) if no account definition is given. This is the case on initial synchronization, for example.

Target system managers: Application role in which target system managers are specified for the Azure Active Directory tenant. Target system managers only edit the objects from Azure Active Directory tenants to which they are assigned. Each Azure Active Directory tenant can have a different target system manager assigned to it.
    Select the One Identity Manager application role whose members are responsible for administration of this Azure Active Directory tenant. Use the button next to the field to add a new application role.

Location: The Azure Active Directory tenant's location.

Street: Street or road.

City: City.

Zip code: Zip code.

Country: Country.

Synchronized by: Type of synchronization through which the data is synchronized between the Azure Active Directory tenant and One Identity Manager. You can no longer change the synchronization type once objects for this Azure Active Directory tenant are present in One Identity Manager.
    If you create an Azure Active Directory tenant with the Synchronization Editor, One Identity Manager is used.

    Table 24: Permitted values

    Value: One Identity Manager; Synchronization by: Azure Active Directory connector; Provisioned by: Azure Active Directory connector
    Value: No synchronization; Synchronization by: none; Provisioned by: none

    NOTE: If you select No synchronization, you can define custom processes to exchange data between One Identity Manager and the target system.

Recipients (marketing notifications): List of recipients of marketing notifications.

Recipients (technical notifications): List of recipients of technical notifications.

Recipients (security notifications): List of recipients of security notifications.

Phone numbers (security notifications): Phone numbers for security notifications.

Related topics

l Assigning employees automatically to Azure Active Directory user accounts on page 78
l Target system managers for Azure Active Directory on page 224

Information about local Active Directory


The Linked tab shows information about the local Active Directory, which is linked to the Azure Active Directory tenant.

Table 25: Local Active Directory user account data

Synchronization with local Active Directory enabled: Specifies whether synchronization with a local Active Directory is enabled.

Last synchronization: Time of the last Azure Active Directory tenant synchronization with the local Active Directory.

Defining categories for the inheritance of entitlements
In One Identity Manager, user accounts can selectively inherit groups, administrator roles,
subscriptions, and disabled service plans. To do this, the groups (administrator roles,
subscriptions, and disabled service plans) and the user accounts are divided into
categories. The categories can be freely selected and are specified using a mapping rule.
Each category is given a specific position within the template. The mapping rule contains
different tables. Use the user account table to specify categories for target system
dependent user accounts. In the other tables, enter your categories for the groups,
administrator roles, subscriptions, and disabled service plans. Each table contains the
category positions position 1 to position 63.

To define a category

1. In the Manager, select the Azure Active Directory tenant in the Azure Active
Directory > Tenants category.
2. Select the Change main data task.
3. Switch to the Mapping rule category tab.
4. Expand the relevant roots of a table.
5. To enable the category, double-click the category's icon.
6. Enter a category name of your choice for user accounts and groups (administrator
roles, subscriptions, disabled service plans) in the login language that you use.
7. Save the changes.
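The mapping rule above gives each category a position from 1 to 63, which is exactly what fits in a signed 64-bit integer used as a bit mask. The following Python is an added example, not One Identity Manager code: it builds such masks from category positions and resolves which entitlements (groups, administrator roles, subscriptions, disabled service plans) each user account would inherit. The match rule it applies, inherit when at least one category is shared or when neither side has a category at all, is an assumption; this section defines the positions but not the rule, so verify it against the inheritance sections listed under Related topics before relying on it. The account and group names and their category positions are constructed sample data.

```python
# Added example (not One Identity Manager code): category positions 1 to 63 modelled
# as a bit mask, and the inheritance decision derived from two masks.

MAX_POSITION = 63  # 63 positions fit in a signed 64-bit integer column


def mask_from_positions(positions):
    """Build a bit mask from category positions (position 1 is the lowest bit)."""
    mask = 0
    for pos in positions:
        if not 1 <= pos <= MAX_POSITION:
            raise ValueError(f"category position {pos} is outside 1..{MAX_POSITION}")
        mask |= 1 << (pos - 1)
    return mask


def positions_from_mask(mask):
    """Inverse of mask_from_positions, for display."""
    return [pos for pos in range(1, MAX_POSITION + 1) if mask >> (pos - 1) & 1]


def inherits(account_mask, entitlement_mask):
    """Assumed match rule (verify against the inheritance section for your module):
    an entitlement is inherited when the account and the entitlement share at least
    one category position, or when neither side has any category assigned."""
    if account_mask == 0 and entitlement_mask == 0:
        return True
    return (account_mask & entitlement_mask) != 0


def resolve_inheritance(accounts, entitlements):
    """accounts / entitlements: name -> list of category positions.
    Returns name -> sorted list of entitlement names the account would inherit."""
    entitlement_masks = {name: mask_from_positions(p) for name, p in entitlements.items()}
    result = {}
    for account, positions in accounts.items():
        account_mask = mask_from_positions(positions)
        result[account] = sorted(
            name for name, mask in entitlement_masks.items() if inherits(account_mask, mask)
        )
    return result


# Constructed sample data: position 1 = "Standard users", 2 = "Developers",
# 3 = "Service accounts" (names are illustrative, not from the guide).
SAMPLE_ACCOUNTS = {"jdoe": [1], "asmith": [1, 2], "svc_backup": [3], "guest_x": []}
SAMPLE_GROUPS = {
    "All staff": [1],
    "Dev tooling": [2],
    "Backup operators": [3],
    "Legacy share (uncategorised)": [],
}

if __name__ == "__main__":
    for account, groups in resolve_inheritance(SAMPLE_ACCOUNTS, SAMPLE_GROUPS).items():
        positions = positions_from_mask(mask_from_positions(SAMPLE_ACCOUNTS[account]))
        print(f"{account:12s} categories={positions} -> {groups}")
```

Under the assumed rule, an entitlement that nobody put into a category flows only to accounts that also have no category; running the resolution over the real tables is a quick way to find groups whose category was never set and check that the resulting fan-out is intended.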

Related topics

l Azure Active Directory group inheritance based on categories on page 107
l Azure Active Directory administrator role inheritance based on categories on page 120
l Inheriting Azure Active Directory subscriptions based on categories on page 151
l Inheritance of disabled Azure Active Directory service plans based on categories on page 152

Editing the synchronization project for an Azure Active Directory tenant
Synchronization projects in which an Azure Active Directory tenant is already used as a
base object can also be opened in the Manager. You can, for example, check the
configuration or view the synchronization log in this mode. The Synchronization Editor is
not started with its full functionality. You cannot run certain functions, such as, running
synchronization or simulation, starting the target system browser and others.
NOTE: The Manager is locked for editing throughout. To edit objects in the Manager, close
the Synchronization Editor.

To open an existing synchronization project in the Synchronization Editor

1. In the Manager, select the Azure Active Directory > Tenants category.
2. In the result list, select the Azure Active Directory tenant.
3. Select the Change main data task.
4. Select the Edit synchronization project task.

Related topics

l Adjusting the synchronization configuration for Azure Active Directory environments on page 30

Azure Active Directory domains


A base domain is linked to the core directory in the cloud. You can also add other user-
defined domains in Azure Active Directory, which you can then allocate to Microsoft cloud
services. One Identity Manager only loads verified domain data into the database. It is not
possible to edit data in One Identity Manager.

To obtain an overview of a domain

1. In the Manager, select the Azure Active Directory > Verified domains category.
2. Select the domain in the result list.
3. Select the Azure Active Directory domain overview task.

Table 26: Domain main data

Domain name: Full domain name.

Tenant: Azure Active Directory tenant entered for this domain.

Type: Type of domain.

Primary domain: Specifies whether this is the primary domain, for example, for creating new Azure Active Directory user accounts.

Initial domain: Specifies whether this is the initial domain. The initial domain is created when a tenant is registered in Azure Active Directory.

Available services: List of the services available in this domain.

Related topics

l Synchronizing single objects on page 49

Azure Active Directory policies for activity-based timeouts
You can use Azure Active Directory activity-based timeout policies to specify the idle time
of web sessions for applications. For more information, see the Azure Active Directory
documentation from Microsoft.
Azure Active Directory activity-based timeout policies are loaded into One Identity
Manager during synchronization and cannot be changed.

To display information about an Azure Active Directory policy

1. In the Manager, select the Azure Active Directory > Tenants > <your tenant>
> Policies > Activity-based timeout policies category.
2. In the result list, select the Azure Active Directory policy.
3. Select one of the following tasks:
    l Activity-based timeout policy overview: This shows you an overview of the Azure Active Directory policy and its dependencies.
    l Change main data: Shows the Azure Active Directory policy's main data. You cannot edit the main data.
        l Display name: The Azure Active Directory policy's display name.
        l Description: Description of the Azure Active Directory policy.
        l Definition: Definition of the Azure Active Directory policy in JSON format.
        l Tenant: Azure Active Directory tenant that owns the policy.
        l Default policy: Specifies whether this is the Azure Active Directory tenant's default policy.

Azure Active Directory policies for home realm discovery
You can use Azure Active Directory home realm discovery policies to accelerate sign-in for users of federated domains. To provide an Azure Active Directory home realm discovery policy for an Azure Active Directory application, you assign the policy to the Azure Active Directory service principal. For more information, see the Azure Active Directory documentation from Microsoft.
Azure Active Directory home realm discovery policies are loaded into One Identity Manager during synchronization and cannot be changed.

To display information about an Azure Active Directory policy

1. In the Manager, select the Azure Active Directory > Tenants > <your tenant>
> Policies > Home realm discovery policies category.
2. In the result list, select the Azure Active Directory policy.
3. Select one of the following tasks:
    l Home realm discovery policy overview: This shows you an overview of the Azure Active Directory policy and its dependencies.
    l Change main data: Shows the Azure Active Directory policy's main data. You cannot edit the main data.
        l Display name: The Azure Active Directory policy's display name.
        l Description: Description of the Azure Active Directory policy.
        l Definition: Definition of the Azure Active Directory policy in JSON format.
        l Tenant: Azure Active Directory tenant that owns the policy.
        l Default policy: Specifies whether this is the Azure Active Directory tenant's default policy.

Related topics

l Displaying Azure Active Directory service principal main data on page 213

Azure Active Directory policies for issuing tokens
You can use Azure Active Directory token issuance policies to specify SAML token
properties for logging in. To provide an Azure Active Directory token issuance policy for
an Azure Active Directory application, you assign the policy to the Azure Active
Directory application. For more information, see the Azure Active Directory
documentation from Microsoft.

Azure Active Directory token issuance policies are loaded into One Identity Manager during
synchronization and cannot be changed.

To display information about an Azure Active Directory policy

1. In the Manager, select the Azure Active Directory > Tenants > <your tenant>
> Policies > Token issuance policies category.
2. In the result list, select the Azure Active Directory policy.
3. Select one of the following tasks:
    l Token issuance policy overview: This shows you an overview of the Azure Active Directory policy and its dependencies.
    l Change main data: Shows the Azure Active Directory policy's main data. You cannot edit the main data.
        l Display name: The Azure Active Directory policy's display name.
        l Description: Description of the Azure Active Directory policy.
        l Definition: Definition of the Azure Active Directory policy in JSON format.
        l Tenant: Azure Active Directory tenant that owns the policy.
        l Default policy: Specifies whether this is the Azure Active Directory tenant's default policy.

Related topics

l Displaying Azure Active Directory applications on page 209

Azure Active Directory policies for token lifetime
You can use Azure Active Directory token lifetime policies to specify the lifetime of the tokens issued for sign-in. To provide an Azure Active Directory token lifetime policy for an Azure Active Directory application, you assign the policy to the Azure Active Directory application. For more information, see the Azure Active Directory documentation from Microsoft.
Azure Active Directory token lifetime policies are loaded into One Identity Manager during
synchronization and cannot be changed.

To display information about an Azure Active Directory policy

1. In the Manager, select the Azure Active Directory > Tenants > <your tenant>
> Policies > Token lifetime policies category.
2. In the result list, select the Azure Active Directory policy.
3. Select one of the following tasks:
    l Token lifetime policy overview: This shows you an overview of the Azure Active Directory policy and its dependencies.
    l Change main data: Shows the Azure Active Directory policy's main data. You cannot edit the main data.
        l Display name: The Azure Active Directory policy's display name.
        l Description: Description of the Azure Active Directory policy.
        l Definition: Definition of the Azure Active Directory policy in JSON format.
        l Tenant: Azure Active Directory tenant that owns the policy.
        l Default policy: Specifies whether this is the Azure Active Directory tenant's default policy.
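All four policy types above are read-only in One Identity Manager, but their Definition field carries the policy as JSON, which makes the synchronized data a convenient place to audit what the tenant actually enforces. The following Python is an added example, not One Identity Manager code and not from this guide: it parses the definition of each policy type and flags the settings a reviewer would want to look at (access token lifetimes and web session idle timeouts above a baseline, home realm discovery policies that allow cloud password validation for federated users, and SAML signing with SHA-1), and notes when a flagged policy is the tenant default. The records are constructed; their property names (displayName, isOrganizationDefault, definition as a list of JSON strings) follow the Microsoft Graph representation as an assumption, and the thresholds are illustrative.

```python
import json
from datetime import timedelta

# Added example (not One Identity Manager code). Constructed policy records in the
# shape Azure AD exposes them: "definition" is a list of JSON strings, each wrapping
# one policy type. Property names follow Microsoft Graph (assumption); values are invented.
SAMPLE_POLICIES = [
    {"displayName": "Long access tokens", "isOrganizationDefault": True,
     "definition": ['{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"23:00:00"}}']},
    {"displayName": "Short access tokens", "isOrganizationDefault": False,
     "definition": ['{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:30:00"}}']},
    {"displayName": "Idle timeout", "isOrganizationDefault": True,
     "definition": ['{"ActivityBasedTimeoutPolicy":{"Version":1,"ApplicationPolicies":'
                    '[{"ApplicationId":"default","WebSessionIdleTimeout":"1.00:00:00"}]}}']},
    {"displayName": "Federated HRD", "isOrganizationDefault": False,
     "definition": ['{"HomeRealmDiscoveryPolicy":{"AccelerateToFederatedDomain":true,'
                    '"PreferredDomain":"federated.example.com","AllowCloudPasswordValidation":true}}']},
    {"displayName": "Legacy SAML signing", "isOrganizationDefault": False,
     "definition": ['{"TokenIssuancePolicy":{"Version":1,"SigningAlgorithm":'
                    '"http://www.w3.org/2000/09/xmldsig#rsa-sha1","SamlTokenVersion":"1.1"}}']},
]

# Review thresholds are assumptions; adjust them to your own baseline.
MAX_ACCESS_TOKEN_LIFETIME = timedelta(hours=1)
MAX_WEB_SESSION_IDLE = timedelta(hours=1)


def parse_timespan(value):
    """Parse the 'hh:mm:ss' or 'd.hh:mm:ss' timespan strings used in policy definitions."""
    days = 0
    head, _, rest = value.partition(".")
    if rest and ":" not in head:  # 'd.hh:mm:ss'
        days, value = int(head), rest
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_definition(definition):
    """Yield (policy_type, settings) for every JSON string in a definition list."""
    for raw in definition:
        for policy_type, settings in json.loads(raw).items():
            yield policy_type, settings


def review_policy(policy):
    """Return a list of findings for one policy record (empty list = nothing flagged)."""
    findings = []
    for policy_type, s in parse_definition(policy["definition"]):
        if policy_type == "TokenLifetimePolicy":
            lifetime = s.get("AccessTokenLifetime")
            if lifetime and parse_timespan(lifetime) > MAX_ACCESS_TOKEN_LIFETIME:
                findings.append(f"access token lifetime {lifetime} exceeds baseline")
        elif policy_type == "ActivityBasedTimeoutPolicy":
            for app in s.get("ApplicationPolicies", []):
                idle = app.get("WebSessionIdleTimeout")
                if idle and parse_timespan(idle) > MAX_WEB_SESSION_IDLE:
                    findings.append(f"web session idle timeout {idle} for application "
                                    f"{app.get('ApplicationId')} exceeds baseline")
        elif policy_type == "HomeRealmDiscoveryPolicy":
            if s.get("AllowCloudPasswordValidation"):
                findings.append("AllowCloudPasswordValidation lets federated users sign in with a "
                                "cloud password, bypassing the federated identity provider")
        elif policy_type == "TokenIssuancePolicy":
            algorithm = s.get("SigningAlgorithm", "")
            if algorithm.endswith("#rsa-sha1"):
                findings.append(f"SAML signing algorithm {algorithm} uses SHA-1")
        else:
            findings.append(f"unrecognised policy type {policy_type}")
    if findings and policy.get("isOrganizationDefault"):
        findings.append("policy is the tenant default, so the findings above apply tenant-wide")
    return findings


def review_all(policies):
    """Map each policy display name to its findings."""
    return {p["displayName"]: review_policy(p) for p in policies}


if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_POLICIES).items():
        print(name, "->", findings or "ok")
```

Feeding the synchronized policy rows into review_all turns the Default policy flag into something actionable: a finding on a tenant default affects every application without its own assignment, whereas a finding on a non-default policy only matters for the service principals or applications it is assigned to.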

Related topics

l Displaying Azure Active Directory applications on page 209

Azure Active Directory user accounts


You use One Identity Manager to manage user accounts in Azure Active Directory. The user
requires a subscription to access the service plans in Azure Active Directory. Azure Active
Directory user accounts obtain the required access permissions to the resources through
membership in groups.

Related topics

l Managing Azure Active Directory user accounts and employees on page 55
l Managing memberships in Azure Active Directory groups on page 93
l Managing Azure Active Directory administrator roles assignments on page 111
l Managing Azure Active Directory subscription and Azure Active Directory service plan assignments on page 122
l Displaying enabled and disabled Azure Active Directory service plans for Azure Active Directory user accounts and Azure Active Directory groups on page 126
l Login information for Azure Active Directory user accounts on page 153
l Creating and editing Azure Active Directory user accounts on page 177
l Assigning extended properties to Azure Active Directory user accounts on page 187
l Disabling Azure Active Directory user accounts on page 188
l Deleting and restoring Azure Active Directory user accounts on page 189
l Displaying the Azure Active Directory user account overview on page 190
l Displaying Active Directory user accounts for Azure Active Directory user accounts on page 190
l Synchronizing single objects on page 49

Creating and editing Azure Active Directory user accounts
A user account can be linked to an employee in One Identity Manager. You can also manage
user accounts separately from employees.
NOTE: It is recommended to use account definitions to set up user accounts for company
employees. In this case, some of the main data described in the following is mapped
through templates from employee main data.
NOTE: If employees are to obtain their user accounts through account definitions, the
employees must own a central user account and obtain their IT operating data through
assignment to a primary department, a primary location, or a primary cost center.
TIP: You can combine the account definition for creating the user account and the
subscription that will be used into one system role. In this way, the employee
automatically obtains a user account and a subscription.
An employee can obtain this system role directly through departments, cost centers,
locations, or business roles, or an IT Shop request.

To create a user account

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Click the Add button in the result list.
3. On the main data form, edit the main data of the user account.
4. Save the changes.

To edit main data of a user account

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Select the user account in the result list.
3. Select the Change main data task.
4. Edit the user account's main data.
5. Save the changes.

To manually assign a user account for an employee

1. In the Manager, select the Employees > Employees category.
2. Select the employee in the result list.
3. Select the Assign Azure Active Directory user accounts task.
4. Assign a user account.
5. Save the changes.

Detailed information about this topic

l General main data of Azure Active Directory user accounts on page 178
l Contact data for Azure Active Directory user accounts on page 184
l Information about the user profile for Azure Active Directory user accounts on
page 185
l Organizational data for Azure Active Directory user accounts on page 185
l Information about the local Active Directory user account on page 186

Related topics

l Account definitions for Azure Active Directory user accounts on page 56
l Supported user account types on page 83
l Login information for Azure Active Directory user accounts on page 153
l Managing Azure Active Directory user accounts and employees on page 55
l Managing memberships in Azure Active Directory groups on page 93
l Managing Azure Active Directory administrator roles assignments on page 111
l Managing Azure Active Directory subscription and Azure Active Directory service plan assignments on page 122

General main data of Azure Active Directory user accounts
Enter the following data on the General tab.

Table 27: Additional main data of a user account

Property Description

Employee Employee that uses this user account. An employee is already entered if
the user account was generated by an account definition. If you create the
user account manually, you can select an employee in the menu. If you
are using automatic employee assignment, an associated employee is
found and added to the user account when you save the user account.
You can create a new employee for a user account with an identity of type
Organizational identity, Personalized administrator identity,
Sponsored identity, Shared identity, or Service identity. To do this,
click next to the input field and enter the required employee main data.
Which login data is required depends on the selected identity type.

No link to an Specifies whether the user account is intentionally not assigned an


employee employee. The option is automatically set if a user account is included in

One Identity Manager 8.2.1 Administration Guide for Connecting to


Azure Active Directory 178
Mapping of Azure Active Directory objects in One Identity Manager
Property Description

required the exclusion list for automatic employee assignment or a corresponding


attestation is carried out. You can set the option manually. Enable the
option if the user account does not need to be linked with an employee
(for example, if several employees use the user account).
If attestation approves these user accounts, these user accounts will not
be submitted for attestation in the future. In the Web Portal, user
accounts that are not linked to an employee can be filtered according to
various criteria.

Not linked to Indicates why the No link to an employee required option is enabled
an employee for this user account. Possible values:

l By administrator: The option was set manually by the admin-


istrator.
l By attestation: The user account was attested.
l By exclusion criterion: The user account is not associated with
an employee due to an exclusion criterion. For example, the user
account is included in the exclude list for automatic employee
assignment (configuration parameter PersonExcludeList).

Account Account definition through which the user account was created.
definition
Use the account definition to automatically fill user account main data and
to specify a manage level for the user account. One Identity Manager
finds the IT operating data of the assigned employee and enters it in the
corresponding fields in the user account.
NOTE: The account definition cannot be changed once the user account
has been saved.
NOTE: Use the user account's Remove account definition task to
reset the user account to Linked status. This removes the account defin-
ition from both the user account and the employee. The user account
remains but is not managed by the account definition anymore. The
task only removes account definitions that are directly assigned
(XOrigin=1).

Manage level Manage level of the user account. Select a manage level from the menu.
You can only specify the manage level can if you have also entered an
account definition. All manage levels of the selected account definition
are available in the menu.
Tenant Azure Active Directory user account's tenant.

User type Type of user account. Depending on the user type, other mandatory input
is required.
Permitted values are:

l Member: Normal Azure Active Directory user account.

One Identity Manager 8.2.1 Administration Guide for Connecting to


Azure Active Directory 179
Mapping of Azure Active Directory objects in One Identity Manager
Property Description

l Guest: User account for guest users. The Azure Active Directory
connector creates a user account for guest users and ensures that
an invitation is sent by email to the given email address.
Further configuration of guest users is required in the synchron-
ization project. For more information, see Customizing synchron-
ization projects to invite guest users on page 32.

Invitation (Only for the Guest user type) Acceptance status of the guest's invitation.
status
Permitted values are:

l Pending acceptance: The user has not accepted the invitation


yet.
l Accepted: The user has accepted the invitation.
l Empty: Guest user without invitation.

Last change (Only for the Guest user type) Time at which the invitation status was
changed.

Domain User account's domain.

Location Location where this user account is in use. In the One Identity Manager, if
you assign Azure Active Directory subscriptions, a location is required.

First name The user’s first name. If you have assigned an account definition, the
input field is automatically filled out with respect to the manage level.
Last name The user’s last name. If you have assigned an account definition, the
input field is automatically filled out with respect to the manage level.
Date of birth The user's date of birth

Age group The user's age group. Permitted values are Minor, Teenager, and
Adult.

Consent for Specifies whether consent must be given for minors. Permitted values are
minors Obtained, Not obtained, and Not required.

User login User account login name. The user's login name is made up of the alias
name and the domain. User login names that are formatted like this correspond
to the User Principal Name (UPN) in Azure Active Directory.

Display name User account display name.

Alias Email alias for the user account.

Email User account's email address.


address

Preferred User's preferred language, for example, en-US.


language

One Identity Manager 8.2.1 Administration Guide for Connecting to


Azure Active Directory 180
Mapping of Azure Active Directory objects in One Identity Manager
Property Description

Password Password for the user account. The employee’s central password can be
mapped to the user account password. For detailed information about an
employee’s central password, see One Identity Manager Identity
Management Base Module Administration Guide.
If you use a random generated initial password for the user accounts, it is
automatically entered when a user account is created.
The password is deleted from the database after publishing to the target
system.
NOTE: One Identity Manager password policies are taken into account
when a user password is being verified. Ensure that the password policy
does not violate the target system's requirements.

Password Reconfirm password.


confirmation

Change Specifies whether the user must change their password the next time
password at they log in.
next login

Password Policies, which only apply to the user account. The available options are:
policy No restrictions, Password never expires, and Allow weak
passwords.

Password last Data of last password change. The date is read in from the Azure Active
changed Directory system and cannot be changed.

Risk index Maximum risk index value of all assigned groups. The property is only
(calculated) visible if the QER | CalculateRiskIndex configuration parameter is set.
For detailed information, see the One Identity Manager Risk Assessment
Administration Guide.

Category Categories for the inheritance of groups by the user account. Groups can
be selectively inherited by user accounts. To do this, groups and user
accounts or contacts are divided into categories. Select one or more
categories from the menu.

Identity User account's identity type. Permitted values are:

l Primary identity: Employee's default user account.
l Organizational identity: Secondary user account used for different roles in the
organization, for example for subcontracts with other functional areas.
l Personalized administrator identity: User account with administrative
permissions, used by one employee.
l Sponsored identity: User account to use for a specific purpose. Training, for
example.
l Shared identity: User account with administrative permissions, used by several
employees. Assign all employees that use this user account.
l Service identity: Service account.

Privileged user account Specifies whether this is a privileged user account.

Disabled service plans can be inherited Specifies whether the user account can inherit
disabled Azure Active Directory service plans through the employee. If this option is
set, the user account inherits disabled service plans through hierarchical roles or
IT Shop requests.

l If you add an employee with a user account to a department, for example, and you
have assigned disabled service plans to this department, the user account inherits
these disabled service plans.
l If an employee has requested a disabled service plan in the IT Shop and the request
is granted approval, the employee's user account only inherits the disabled service
plan if the option is set.

Subscriptions can be inherited Specifies whether the user account can inherit Azure
Active Directory subscriptions through the employee. If this option is set, the user
account inherits Azure Active Directory subscriptions through hierarchical roles or
IT Shop requests.

l If you add an employee with a user account to a department, for example, and you
have assigned Azure Active Directory subscriptions to this department, the user
account inherits these Azure Active Directory subscriptions.
l If an employee has requested an Azure Active Directory subscription in the IT Shop
and the request is granted approval, the employee's user account only inherits the
Azure Active Directory subscription if the option is set.

Administrator roles can be inherited Specifies whether the user account can inherit
Azure Active Directory administrator roles through the employee. If this option is
set, the user account inherits administrator roles through hierarchical roles or IT
Shop requests.

l If you add an employee with a user account to a department, for example, and you
have assigned administrator roles to this department, the user account inherits
these administrator roles.
l If an employee has requested an administrator role in the IT Shop and the request
is granted approval, the employee's user account only inherits the administrator
role if the option is set.

Groups can be inherited Specifies whether the user account can inherit groups through
the linked employee. If the option is set, the user account inherits groups through
hierarchical roles, in which the employee is a member, or through IT Shop requests.

l If you add an employee with a user account to a department, for example, and you
have assigned groups to this department, the user account inherits these groups.
l If an employee has requested group membership in the IT Shop and the request is
granted approval, the employee's user account only inherits the group if the option
is set.

Office 365 groups can be inherited NOTE: This property is only available if the
Exchange Online Module is installed.
Specifies whether the user account can inherit Office 365 groups through the linked
employee. If the option is set, the user account inherits Office 365 groups through
hierarchical roles, in which the employee is a member, or through IT Shop requests.

l If you add an employee with a user account to a department, for example, and you
have assigned Office 365 groups to this department, the Azure Active Directory user
account inherits these Office 365 groups.
l If an employee has requested group membership in the IT Shop and the request is
granted approval, the employee's Azure Active Directory user account only inherits
the Office 365 group if the option is set.

For detailed information about Office 365 groups, see the One Identity
Manager Administration Guide for Connecting to Exchange Online.

User account Specifies whether the user account is disabled. If a user account is not
is disabled required for a period of time, you can temporarily disable the user
account by using the "User account is disabled" option.

Resource account Specifies whether this user account is a resource account.

Related topics

l Account definitions for Azure Active Directory user accounts on page 56
l Password policies for Azure Active Directory user accounts on page 153
l Azure Active Directory group inheritance based on categories on page 107
l Managing Azure Active Directory user accounts and employees on page 55
l Supported user account types on page 83
l Disabling Azure Active Directory user accounts on page 188
l Prerequisites for indirect assignment of Azure Active Directory groups to Azure
Active Directory user accounts on page 95
l Prerequisites for indirect assignment of Azure Active Directory administration roles
to Azure Active Directory user accounts on page 113
l Prerequisites for indirect assignment of Azure Active Directory subscriptions to Azure
Active Directory user accounts on page 129
l Prerequisites for indirect assignment of disabled Azure Active Directory service plans
to Azure Active Directory user accounts on page 142

Contact data for Azure Active Directory user accounts
Enter the following address data for contacting the employee on the Contact tab.

Table 28: Contact data

Property Description

Street Street or road. If you have assigned an account definition, the input field is
automatically filled out with respect to the manage level.

State State. If you have assigned an account definition, the input field is
automatically filled out with respect to the manage level.

City City. If you have assigned an account definition, the input field is
automatically filled out with respect to the manage level. Locations can be
automatically generated and employees assigned based on the city.

Zip code Zip code. If you have assigned an account definition, the input field is
automatically filled out with respect to the manage level.

Country The country ID.

Business phones Business telephone numbers.

Mobile Mobile number. If you have assigned an account definition, the input field is
phone automatically filled out with respect to the manage level.

Fax Fax number. If you have assigned an account definition, the input field is
automatically filled out with respect to the manage level.

Additional email addresses User email addresses.

Proxy addresses Other email addresses for the user. You can also add other mail
connectors (for example, CCMail, MS) in addition to the standard address type (SMTP,
X400).
Use the following syntax to set up other proxy addresses:
Address type: <email address>

Information about the user profile for Azure Active Directory user accounts
The following information is displayed on the User profile tab.

Table 29: User profile

Property Description

Preferred name The user's preferred name.

Legal age group This is used by Enterprise application to determine the legal age
groups of users. The property is calculated based on the Age group and Consent for
minors properties.

VoIP SIP addresses The instant message voice over IP (VoIP) session initiation
protocol (SIP) addresses for the user.

Personal site URL for the user's personal website.

About me Text field for the user to write a description of themselves.

Responsibilities List of the user's responsibilities.

Schools List of schools the user has attended.

Skills and expertise List of the user's qualifications.

Past projects List of the user's past projects.

Interests List of the user's interests.

Organizational data for Azure Active Directory user accounts
The following organizational main data is mapped on the Organizational tab.

Table 30: Organizational main data

Property Description

Employee identifier ID of the user within the organization. If you have assigned an
account definition, the input field is automatically filled out with respect to the
manage level.

Date hired Date on which the user entered the company.

Company Employee's company. If you have assigned an account definition, the input
field is automatically filled out with respect to the manage level.

Department Employee's department. If you have assigned an account definition, the
input field is automatically filled out with respect to the manage level.

Office Office. If you have assigned an account definition, the input field is
automatically filled out with respect to the manage level.

Job description Job description. If you have assigned an account definition, the input
field is automatically filled out with respect to the manage level.

Account manager Manager responsible for the user account.
To specify an account manager

1. Click next to the field.


2. In the Table menu, select the table that maps the account manager.
3. In the Account manager menu, select the manager.
4. Click OK.

Information about the local Active Directory user account
The Linked tab shows information about the local Active Directory user account, which is
linked to the Azure Active Directory user account.

Table 31: Local Active Directory user account data

Property Description

Synchronization with local Active Directory enabled Specifies whether synchronization
with a local Active Directory is enabled.

Last synchronization Time of the last Azure Active Directory user account
synchronization with the local Active Directory.

SID of the local account Security ID of the local Active Directory user account.

Immutable identifier Identifier that is used to maintain the relationship between the
Active Directory user account and the Azure Active Directory user account. The
identifier cannot be changed.

Distinguished name Active Directory user account's distinguished name.

Full domain name Full domain name of the user account's Active Directory domain.

Login name (pre Login name of the Active Directory user account for the previous
Win2000) version of Active Directory.

User login name (of local account) Active Directory user account login name.

Attribute extension 01 - attribute extension 15 Additional company-specific
information about the Active Directory user account.

Related topics

l Displaying Active Directory user accounts for Azure Active Directory user accounts
on page 190
l Recommendations for federations on page 220

Assigning extended properties to Azure Active Directory user accounts
Extended properties are meta objects, such as operating codes, cost codes, or cost
accounting areas that cannot be mapped directly in One Identity Manager.
For detailed information about using extended properties, see the One Identity Manager
Identity Management Base Module Administration Guide.

To specify extended properties for a user account

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Select the user account in the result list.
3. Select Assign extended properties.
4. In the Add assignments pane, assign extended properties.
TIP: In the Remove assignments pane, you can remove assigned extended
properties.

To remove an assignment
l Select the extended property and double-click .
5. Save the changes.

Disabling Azure Active Directory user accounts
The way you disable user accounts depends on how they are managed.

Scenario:

The user account is linked to employees and is managed through account definitions.
User accounts managed through account definitions are disabled when the employee is
temporarily or permanently disabled. The behavior depends on the user account manage
level. Accounts with the Full managed manage level are disabled depending on the
account definition settings. For user accounts with a manage level, configure the required
behavior using the template in the AADUser.AccountDisabled column.

Scenario:

The user accounts are linked to employees. No account definition is applied.
User accounts managed through user account definitions are disabled when the employee
is temporarily or permanently disabled. The behavior depends on the QER | Person |
TemporaryDeactivation configuration parameter.

l If the configuration parameter is set, the employee’s user accounts are disabled
when the employee is permanently or temporarily disabled.
l If the configuration parameter is not set, the employee’s properties do not have any
effect on the associated user accounts.

To disable the user account when the configuration parameter is disabled

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Select the user account in the result list.
3. Select the Change main data task.
4. On the General tab, set the Account is disabled option.
5. Save the changes.

Scenario:

User accounts not linked to employees.

To disable a user account that is no longer linked to an employee

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Select the user account in the result list.
3. Select the Change main data task.
4. On the General tab, set the Account is disabled option.
5. Save the changes.

For more information about deactivating and deleting employees and user accounts, see
the One Identity Manager Target System Base Module Administration Guide.

Related topics

l Account definitions for Azure Active Directory user accounts on page 56
l Creating manage levels on page 63
l Deleting and restoring Azure Active Directory user accounts on page 189

Deleting and restoring Azure Active Directory user accounts
NOTE: As long as an account definition for an employee is valid, the employee retains the
user account that was created by it. If the account definition assignment is removed, the
user account that was created from this account definition, is deleted.
You can delete a user account that was not created using an account definition through the
result list or from the menu bar. After you have confirmed the security alert the user
account is marked for deletion in the One Identity Manager. The user account is locked in
One Identity Manager and permanently deleted from the One Identity Manager database
and the target system depending on the deferred deletion setting.
For more information about deactivating and deleting employees and user accounts, see
the One Identity Manager Target System Base Module Administration Guide.

To delete a user account that is not managed using an account definition

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Select the user account in the result list.
3. Click in the result list.
4. Confirm the security prompt with Yes.

To restore a user account

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Select the user account in the result list.
3. Click in the result list.

Related topics

l Disabling Azure Active Directory user accounts on page 188
l Specifying deferred deletion for Azure Active Directory user accounts on page 91

Displaying the Azure Active Directory user account overview
Use this task to obtain an overview of the most important information about a user
account.

To obtain an overview of a user account

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Select the user account in the result list.
3. Select the Azure Active Directory user account overview task.

Related topics

l Displaying enabled and disabled Azure Active Directory service plans for Azure Active
Directory user accounts and Azure Active Directory groups on page 126

Displaying Active Directory user accounts for Azure Active Directory user accounts
You can see the Active Directory user account for an Azure Active Directory user account
on the overview form.

To display the Active Directory user account for an Azure Active Directory
user account

1. In the Manager, select the Azure Active Directory > User accounts category.
2. Select the user account in the result list.
3. Select the Azure Active Directory user account overview task.
The Active Directory user account form element shows which user account is
linked to it.

For more information about Active Directory, see the One Identity Manager Administration
Guide for Connecting to Active Directory.

Related topics

l Information about the local Active Directory user account on page 186

Azure Active Directory groups

Azure Active Directory recognizes several group types into which you can organize users
and groups to regulate access to resources or email distribution, for example.
Azure Active Directory groups are loaded into One Identity Manager by
synchronization. You can edit individual main data of the group and you can create
new security groups in One Identity Manager. However, you cannot create more group
types in One Identity Manager.
To add users to groups, you assign the groups directly to users. This can be assignments of
groups to departments, cost centers, locations, business roles, or the IT Shop.
NOTE: Assignments to Azure Active Directory groups that are synchronized with the local
Active Directory are not allowed in One Identity Manager. These groups cannot be
requested through the web portal. You can only manage these groups locally. For
more information, see the Azure Active Directory documentation from Microsoft.
The group types supported in One Identity Manager are listed below.

Table 32: Supported group types

Group type Description

Security group Resource permissions are distributed through security groups. User
accounts and other groups are added to security groups, which makes administration
easier.
Security groups are loaded into One Identity Manager by synchronization.
You can edit security groups in One Identity Manager and also create new
ones.

Office 365 group Office 365 groups are loaded into One Identity Manager by
synchronization. You can edit Office 365 groups in One Identity Manager but you can
only create new Office 365 groups in One Identity Manager if the Exchange Online
Module is installed. For more information, see the One Identity Manager
Administration Guide for Connecting to Exchange Online.

Distribution group Distribution groups are used to send emails to group members.
Distribution groups are loaded into One Identity Manager by synchronization. You can
edit distribution groups in One Identity Manager but you cannot create them in One
Identity Manager.

Mail-enabled security groups Mail-enabled security groups are security groups that are
used as distribution groups.
Mail-enabled security groups are loaded into One Identity Manager by synchronization.
You can edit mail-enabled security groups in One Identity Manager but you can only
create new mail-enabled security groups in One Identity Manager if the Exchange Online
Module is installed. For more information, see the One Identity Manager
Administration Guide for Connecting to Exchange Online.

Dynamic group Members of a dynamic group are not strictly assigned, but determined
through defined rules. Dynamic groups are loaded into One Identity Manager by
synchronization. You can change dynamic groups in One Identity Manager. You cannot
create new dynamic groups in One Identity Manager.

Related topics

l Managing memberships in Azure Active Directory groups on page 93
l Editing main data of Azure Active Directory groups on page 192
l Adding Azure Active Directory groups to Azure Active Directory groups on page 195
l Assigning owners to Azure Active Directory groups on page 196
l Assigning extended properties to Azure Active Directory groups on page 196
l Deleting Azure Active Directory groups on page 197
l Displaying the Azure Active Directory group overview on page 197
l Displaying Active Directory groups for Azure Active Directory groups on page 198
l Synchronizing single objects on page 49
l Displaying enabled and disabled Azure Active Directory service plans for Azure Active
Directory user accounts and Azure Active Directory groups on page 126

Editing main data of Azure Active Directory groups
Azure Active Directory groups are loaded into One Identity Manager by synchronization.
You can create security groups in One Identity Manager. You cannot create distribution
groups and dynamic groups in One Identity Manager.
You can only create mail-enabled security groups and Office 365 groups in One Identity
Manager if the Exchange Online Module is installed. For more information, see the One
Identity Manager Administration Guide for Connecting to Exchange Online.
The data you can edit depends on the group type.

To edit group main data

1. In the Manager, select the Azure Active Directory > Groups category.
2. Select the group in the result list.
3. Select the Change main data task.
4. On the main data form, edit the main data of the group.
5. Save the changes.

Detailed information about this topic

l General main data of Azure Active Directory groups on page 193
l Information about local Active Directory groups on page 194

General main data of Azure Active Directory groups
Enter the following data on the General tab.

Table 33: General main data

Property Description

Display name The display name is used to display the group in the One Identity Manager
tools user interface.

Tenant The group's Azure Active Directory tenant.

Alias Email alias for the group.

Email address Group's email address.

Proxy Other email addresses for the group. You can also add other mail
addresses connectors (for example, CCMail, MS) in addition to the standard address
type (SMTP, X400).
Use the following syntax to set up other proxy addresses:
Address type: new email address

Group type The type of group. The value is empty for security and distribution groups,
Unified for Office 365 groups, and DynamicMembership for dynamic groups.

Security group Specifies whether this group is a security group. Resource permissions
are distributed through security groups. User accounts and other groups are added to
security groups, which makes administration easier.

Mail-enabled Specifies whether the email is enabled for the group. If this option is
set for a security group, it is a mail-enabled security group. Otherwise, it is a
distribution group.

IT Shop Specifies whether the group can be requested through the IT Shop. If this
option is set, the group can be requested by the employees through the
Web Portal and distributed with a defined approval process. The group can
still be assigned directly to hierarchical roles.

Only for use Specifies whether the group can only be requested through the IT Shop. If
in IT Shop this option is set, the group can be requested by the employees through
the Web Portal and distributed with a defined approval process. Direct
assignment of the group to hierarchical roles or user accounts is not
permitted.

Service item Service item data for requesting the group through the IT Shop.

Risk index Value for evaluating the risk of assigning the group to user accounts. Set
a value in the range 0 to 1. This input field is only visible if the QER |
CalculateRiskIndex configuration parameter is activated.
For more information about risk assessment, see the One Identity
Manager Risk Assessment Administration Guide.

Category Categories for group inheritance. Groups can be selectively inherited by
user accounts. To do this, groups and user accounts are divided into categories.
Select one or more categories from the menu.

Description Text field for additional explanation.

Read-only Specifies whether the memberships are read-only. The memberships are
memberships regulated by the target system. Manual changes to memberships in One
Identity Manager are not permitted.

Related topics

l Azure Active Directory group inheritance based on categories on page 107
l For more information about preparing groups for requesting through the IT Shop, see
the One Identity Manager IT Shop Administration Guide.

Information about local Active Directory groups
The Federation tab shows information about the local Active Directory user account that is
linked to the Azure Active Directory user account.
Assignments to Azure Active Directory groups that are synchronized with the local Active
Directory are not allowed in One Identity Manager. These groups cannot be requested
through the web portal. You can only manage these groups locally. For more
information, see the Azure Active Directory documentation from Microsoft.

Table 34: Local Active Directory group data

Property Description

Synchronization with local Active Directory enabled Specifies whether synchronization
with a local Active Directory is enabled.

Last synchronization Time of the last Azure Active Directory group synchronization
with the local Active Directory.

SID of local group Security ID of the local Active Directory group.

Related topics

l For more information, see Displaying Active Directory groups for Azure Active
Directory groups on page 198.

Adding Azure Active Directory groups to Azure Active Directory groups
Use this task to add a group to another group. This means that the groups can be
hierarchically structured.

To assign groups directly to a group as members

1. In the Manager, select the Azure Active Directory > Groups category.
2. Select the group in the result list.
3. Select the Assign groups category.
4. Select the Has members tab.
5. Assign child groups in Add assignments.
TIP: In the Remove assignments pane, you can remove the assignment of
groups.

To remove an assignment
l Select the group and double-click .
6. Save the changes.

To add a group as a member of other groups

1. In the Manager, select the Azure Active Directory > Groups category.
2. Select the group in the result list.
3. Select the Assign groups task.

4. Select the Is member of tab.
5. In the Add assignments pane, assign parent groups.
TIP: In the Remove assignments pane, you can remove the assignment of
groups.

To remove an assignment
l Select the group and double-click .
6. Save the changes.

Assigning owners to Azure Active Directory groups
A group owner can edit group properties.

To assign owners to a group

1. In the Manager, select the Azure Active Directory > Groups category.
2. Select the group in the result list.
3. Select the Assign owner task.
4. Select the table containing the owner from the Table menu at the top of the form.
You have the following options:
l Azure Active Directory user accounts
5. In the Add assignments pane, assign owners.
TIP: In the Remove assignments pane, you can remove assigned owners.

To remove an assignment
l Select the owner and double-click .
6. Save the changes.

Assigning extended properties to Azure Active Directory groups
Extended properties are meta objects, such as operating codes, cost codes, or cost
accounting areas that cannot be mapped directly in One Identity Manager.
For more detailed information about setting up extended properties, see the One Identity
Manager Identity Management Base Module Administration Guide.

To specify extended properties for a group

1. In the Manager, select the Azure Active Directory > Groups category.
2. Select the group in the result list.
3. Select Assign extended properties.
4. In the Add assignments pane, assign extended properties.
TIP: In the Remove assignments pane, you can remove assigned extended
properties.

To remove an assignment
l Select the extended property and double-click .
5. Save the changes.

Deleting Azure Active Directory groups

Groups are deleted permanently from the One Identity Manager database and from Azure
Active Directory.

To delete a group

1. In the Manager, select the Azure Active Directory > Groups category.
2. Select the group in the result list.
3. Click in the result list.
4. Confirm the security prompt with Yes.

Displaying the Azure Active Directory group overview
Use this task to obtain an overview of the most important information about a group.

To obtain an overview of a group

1. In the Manager, select the Azure Active Directory > Groups category.
2. Select the group in the result list.
3. Select the Azure Active Directory group overview task.

Related topics

l Displaying enabled and disabled Azure Active Directory service plans for Azure Active
Directory user accounts and Azure Active Directory groups on page 126

Displaying Active Directory groups for Azure
Active Directory groups
The Active Directory group linked to an Azure Active Directory group is displayed on the
overview form.

To display the Active Directory group for an Azure Active Directory group

1. In the Manager, select the Azure Active Directory > Groups category.
2. Select the group in the result list.
3. Select the Azure Active Directory group overview task.
The Active Directory group form element shows which group is linked to it.

For more information about Active Directory, see the One Identity Manager Administration
Guide for Connecting to Active Directory.

Related topics

l Information about local Active Directory groups on page 194

Azure Active Directory administrator roles

By using Azure Active Directory administrator roles, you can assign administrative
permissions to users. Azure Active Directory recognizes several administrator roles that
fulfill different functions. For more information about administrator roles, see the Azure
Active Directory documentation from Microsoft.
Azure Active Directory administrator roles are loaded into One Identity Manager by
synchronization. You can edit individual main data of Azure Active Directory
administrator roles but you cannot create new Azure Active Directory administrator roles
in One Identity Manager.
To add users to Azure Active Directory administrator roles, assign the Azure Active
Directory administrator roles to the user account directly, or indirectly through
administrator role assignments to departments, cost centers, locations, business roles, or
the IT Shop.

Related topics

l Managing Azure Active Directory administrator roles assignments on page 111
l Editing main data of Azure Active Directory administrator roles on page 199

l Assigning extended properties to Azure Active Directory administrator roles on
page 200
l Displaying the Azure Active Directory administration role overview on page 201
l Synchronizing single objects on page 49

Editing main data of Azure Active Directory administrator roles

Azure Active Directory administrator roles are loaded into One Identity Manager by
synchronization. You can edit individual main data of Azure Active Directory
administrator roles but you cannot create new Azure Active Directory administrator roles
in One Identity Manager.

To edit the main data of an Azure Active Directory administrator role

1. In the Manager, select the Azure Active Directory > Administrator roles
category.
2. Select the administrator role in the result list.
3. Select the Change main data task.
4. Edit the administrator role's main data.
5. Save the changes.

Table 35: Azure Active Directory administrator role main data

Property Description

Display name: The display name is used to display the administrator role in the One
Identity Manager tools' user interface.

Tenant: The administrator role's Azure Active Directory tenant.

Template ID: ID of the administrator role template on which this administrator role was
based.

IT Shop: Specifies whether the administrator role can be requested through the IT Shop.
The administrator role can be ordered by its employees over the Web Portal and distributed
using a defined approval process. The administrator role can still be assigned directly to
user accounts and hierarchical roles.

Only for use in IT Shop: Specifies whether the administrator role can only be requested
through the IT Shop. The administrator role can be ordered by its employees over the Web
Portal and distributed using a defined approval process. You cannot assign an
administrator role directly to a hierarchical role.

Service item: Specifies a service item for requesting the administrator role through the
IT Shop.

Risk index: Value for assessing the risk of assigning administrator roles to user
accounts. Set a value in the range 0 to 1. This input field is only visible if the
QER | CalculateRiskIndex configuration parameter is set.
For more information about risk assessment, see the One Identity Manager Risk Assessment
Administration Guide.

Category: Categories for inheriting administrator roles. Administrator roles can be
selectively inherited by user accounts. To do this, administrator roles and user accounts
are divided into categories. Use the menu to allocate one or more categories to the
administrator role.

Description: Text field for additional explanation.

Related topics

l Azure Active Directory administrator role inheritance based on categories on page 120
l For more information about preparing administrator roles for requesting through the
IT Shop, see the One Identity Manager IT Shop Administration Guide.

Assigning extended properties to Azure Active Directory administrator roles

Extended properties are meta objects, such as operating codes, cost codes, or cost
accounting areas that cannot be mapped directly in One Identity Manager.
For more information about using extended properties, see the One Identity Manager
Identity Management Base Module Administration Guide.

To specify extended properties for an administrator role

1. In the Manager, select the Azure Active Directory > Administrator roles
category.
2. Select the administrator role in the result list.
3. Select the Assign extended properties task.
4. In the Add assignments pane, assign extended properties.
TIP: In the Remove assignments pane, you can remove assigned extended
properties.

To remove an assignment
l Select the extended property and double-click .
5. Save the changes.

Displaying the Azure Active Directory administration role overview

Use this task to obtain an overview of the most important information about an
administrator role.

To obtain an overview of an administrator role

1. In the Manager, select the Azure Active Directory > Administrator roles
category.
2. Select the administrator role in the result list.
3. Select the Azure Active Directory administrator role overview task.

Azure Active Directory subscriptions and Azure Active Directory service plans

Information about Azure Active Directory subscriptions and Azure Active Directory service
plans within an Azure Active Directory tenant is loaded into One Identity Manager during
synchronization. In One Identity Manager, you cannot create new Azure Active Directory
subscriptions or Azure Active Directory service plans. However, in One Identity Manager,
you can edit certain main data that controls requesting the Azure Active Directory
subscription through the IT Shop and assigning it to user accounts.
NOTE: An Azure Active Directory user account can also obtain Azure Active Directory
subscriptions through its Azure Active Directory groups. You cannot edit assignments by
Azure Active Directory groups in One Identity Manager.

Related topics

l Managing Azure Active Directory subscription and Azure Active Directory service plan
assignments on page 122
l Displaying enabled and disabled Azure Active Directory service plans for Azure Active
Directory user accounts and Azure Active Directory groups on page 126
l Editing Azure Active Directory subscription main data on page 202
l Assigning additional properties to Azure Active Directory subscriptions on page 203
l Displaying the Azure Active Directory subscriptions and service plan overview
on page 204
l Synchronizing single objects on page 49
l Disabled Azure Active Directory service plans on page 204

Editing Azure Active Directory subscription main data

To edit Azure Active Directory subscription main data

1. In the Manager, select the Azure Active Directory > Subscriptions category.
2. Select an Azure Active Directory subscription in the result list.
3. Select the Change main data task.
4. Edit the Azure Active Directory subscription's main data.
5. Save the changes.

Table 36: Azure Active Directory subscription main data

Property Description

SKU display name: The SKU display name of the Azure Active Directory subscription. For
example, AAD_Premium or RMSBASIC.

Tenant: Tenant given for this Azure Active Directory subscription.

Subscription status: The Azure Active Directory subscription status, such as enabled
(active).

Purchased licenses: The number of licenses purchased.

Assigned licenses: Number of actively used licenses.

Suspended licenses: Number of suspended licenses.

Warning units: Number of licenses with a warn status.

IT Shop: Specifies whether the Azure Active Directory subscription can be requested
through the IT Shop. This Azure Active Directory subscription can be requested by staff
using the Web Portal and granted through a defined approval process. The Azure Active
Directory subscription can still be assigned directly to user accounts and hierarchical
roles.

Only for use in IT Shop: Specifies whether the Azure Active Directory subscription can
only be requested through the IT Shop. This Azure Active Directory subscription can be
requested by staff using the Web Portal and granted through a defined approval process.
The Azure Active Directory subscription may not be assigned directly to hierarchical roles.

Service item: Service item data for requesting the Azure Active Directory subscription
through the IT Shop.

Risk index: Value for evaluating the risk of assigning the Azure Active Directory
subscription to Azure Active Directory user accounts. Set a value in the range 0 to 1.
This field is only visible if the QER | CalculateRiskIndex configuration parameter is set.
For more information about risk assessment, see the One Identity Manager Risk Assessment
Administration Guide.

Category: Category for Azure Active Directory subscription inheritance. Azure Active
Directory subscriptions can be selectively inherited by Azure Active Directory user
accounts. To do this, the Azure Active Directory subscriptions and the Azure Active
Directory user accounts are divided into categories. Use this menu to allocate one or
more categories to the Azure Active Directory subscription.

Related topics

l Azure Active Directory group inheritance based on categories on page 107
l For detailed information about preparing subscriptions for requesting through the IT
Shop, see the One Identity Manager IT Shop Administration Guide.

Assigning additional properties to Azure Active Directory subscriptions

Extended properties are meta objects, such as operating codes, cost codes, or cost
accounting areas that cannot be mapped directly in One Identity Manager.
For more information about using extended properties, see the One Identity Manager
Identity Management Base Module Administration Guide.

To specify extended properties for an Azure Active Directory subscription

1. In the Manager, select the Azure Active Directory > Subscriptions category.
2. Select an Azure Active Directory subscription in the result list.
3. Select Assign extended properties.
4. In the Add assignments pane, assign extended properties.
TIP: In the Remove assignments pane, you can remove assigned extended
properties.

To remove an assignment
l Select the extended property and double-click .
5. Save the changes.

Displaying the Azure Active Directory subscriptions and service plan overview

Use this task to obtain an overview of the most important information about an Azure
Active Directory subscription and a service plan.

To obtain an overview of an Azure Active Directory subscription

1. In the Manager, select the Azure Active Directory > Subscriptions category.
2. Select an Azure Active Directory subscription in the result list.
3. Select the Azure Active Directory subscription overview task.

To obtain an overview of an Azure Active Directory service plan

1. In the Manager, select the Azure Active Directory > Service plans category.
2. Select the Azure Active Directory service plan in the result list.
3. Select the Azure Active Directory service plan overview task.

Related topics

l Displaying enabled and disabled Azure Active Directory service plans for Azure Active
Directory user accounts and Azure Active Directory groups on page 126

Disabled Azure Active Directory service plans

To prevent users from using individual Azure Active Directory service plans, so-called
"disabled service plans" are mapped in One Identity Manager. Disabled service plans are
created automatically in One Identity Manager after synchronizing Azure Active Directory
subscriptions. Disabled service plans are requested through the IT Shop or assigned to
users through departments, cost centers, locations, business roles, or system roles.
NOTE: An Azure Active Directory user account can also obtain disabled service plans
through its Azure Active Directory groups. You cannot edit assignments by Azure Active
Directory groups in One Identity Manager.
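The following added example (it is not part of this guide and not One Identity Manager code) shows what a disabled service plan does to a user account in practice: the account's subscriptions, obtained directly or through groups, are expanded to their service plans, and every disabled service plan that reaches the account, directly or through a group, is removed from the matching subscription. A second helper separates the disabled plans that arrive only through groups, because, as the NOTE above says, those cannot be edited in One Identity Manager. The subscription and service plan names, the group model, and all records are constructed for the example.

```python
"""Effective Azure Active Directory service plans after disabled service plans.

Added example, not One Identity Manager code. All SKU, plan, group and
account data below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed: which service plans each subscription (SKU) contains.
SUBSCRIPTION_PLANS = {
    "ENTERPRISEPACK": frozenset({"EXCHANGE_S_ENTERPRISE", "SHAREPOINTENTERPRISE", "TEAMS1"}),
    "AAD_PREMIUM": frozenset({"AAD_PREMIUM"}),
}


@dataclass(frozen=True)
class Group:
    """An Azure Active Directory group with the subscriptions and disabled
    service plans that its members obtain through it."""
    name: str
    subscriptions: frozenset = frozenset()
    disabled_plans: frozenset = frozenset()   # pairs (subscription, service plan)


@dataclass(frozen=True)
class UserAccount:
    upn: str
    groups: tuple = ()                        # names of Group records
    subscriptions: frozenset = frozenset()    # assigned directly, via roles or the IT Shop
    disabled_plans: frozenset = frozenset()   # pairs (subscription, service plan)


def _member_groups(user, groups):
    return [groups[name] for name in user.groups]


def assigned_subscriptions(user, groups):
    """Subscriptions of the account itself plus those of its groups."""
    subs = set(user.subscriptions)
    for g in _member_groups(user, groups):
        subs |= g.subscriptions
    return frozenset(subs)


def disabled_plans(user, groups):
    """Disabled service plans of the account itself plus those of its groups."""
    off = set(user.disabled_plans)
    for g in _member_groups(user, groups):
        off |= g.disabled_plans
    return frozenset(off)


def effective_service_plans(user, groups):
    """Map each assigned subscription to the service plans that remain after
    the disabled plans are removed. A disabled plan that names a subscription
    the account does not hold has no effect."""
    off = disabled_plans(user, groups)
    result = {}
    for sub in assigned_subscriptions(user, groups):
        if sub not in SUBSCRIPTION_PLANS:
            raise KeyError(f"unknown subscription {sub!r}; synchronize the tenant first")
        blocked = {plan for (s, plan) in off if s == sub}
        result[sub] = SUBSCRIPTION_PLANS[sub] - blocked
    return result


def disabled_only_via_groups(user, groups):
    """Disabled plans that reach the account only through group membership.
    These cannot be edited in One Identity Manager (see the NOTE above); they
    have to be changed on the group itself."""
    via_groups = set()
    for g in _member_groups(user, groups):
        via_groups |= g.disabled_plans
    return frozenset(via_groups - user.disabled_plans)


# Constructed sample data.
GROUPS = {
    "Finance": Group("Finance", frozenset({"ENTERPRISEPACK"}),
                     frozenset({("ENTERPRISEPACK", "TEAMS1")})),
}
ALICE = UserAccount("alice@example.com", ("Finance",),
                    frozenset({"AAD_PREMIUM"}),
                    frozenset({("ENTERPRISEPACK", "SHAREPOINTENTERPRISE"),
                               ("AAD_PREMIUM", "TEAMS1")}))   # second pair has no effect

if __name__ == "__main__":
    for sub, plans in sorted(effective_service_plans(ALICE, GROUPS).items()):
        print(f"{sub}: {sorted(plans)}")
    print("group-only disabled plans:", sorted(disabled_only_via_groups(ALICE, GROUPS)))
```

For the constructed account, ENTERPRISEPACK is reduced to EXCHANGE_S_ENTERPRISE (SHAREPOINTENTERPRISE is disabled directly, TEAMS1 through the Finance group), AAD_PREMIUM is untouched, and the TEAMS1 entry for ENTERPRISEPACK is reported as changeable only on the group.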

Related topics

l Managing Azure Active Directory subscription and Azure Active Directory service plan
assignments on page 122
l Displaying enabled and disabled Azure Active Directory service plans for Azure Active
Directory user accounts and Azure Active Directory groups on page 126
l Editing main data of disabled Azure Active Directory service plans on page 205

l Assigning extended properties to disabled Azure Active Directory service plans
on page 206
l Displaying the disabled Azure Active Directory service plan overview on page 206
l Synchronizing single objects on page 49

Editing main data of disabled Azure Active Directory service plans

To edit disabled Azure Active Directory service plan main data

1. In the Manager, select the Azure Active Directory > Disabled service
plans category.
2. Select the disabled service plan from the result list.
3. Select the Change main data task.
4. Edit the disabled service plan's main data.
5. Save the changes.

Table 37: Disabled service plan main data

Property Description

Subscription: Name of the Azure Active Directory subscription.

Service plan: Name of the Azure Active Directory service plan.

IT Shop: Specifies whether the service plan can be requested through the IT Shop. The
disabled service plan can be requested by your staff through the Web Portal and granted
through a defined approval process. The disabled service plan can still be assigned
directly to hierarchical roles.

Only for use in IT Shop: Specifies whether the disabled service plan can only be requested
through the IT Shop. The disabled service plan can be requested by your staff through the
Web Portal and granted through a defined approval process. The disabled service plan may
not be assigned directly to hierarchical roles.

Service item: Service item data for requesting the disabled service plan through the
IT Shop.

Category: Categories for disabled service plan inheritance. User accounts can selectively
inherit disabled Azure Active Directory service plans. To do this, disabled service plans
and Azure Active Directory user accounts are divided into categories. Use this menu to
allocate one or more categories to the disabled service plan.

Related topics

l Azure Active Directory group inheritance based on categories on page 107
l For detailed information about preparing service plans for requesting through the IT
Shop, see the One Identity Manager IT Shop Administration Guide.
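Category-based inheritance and the risk index appear in the main data of administrator roles (Table 35), subscriptions (Table 36) and disabled service plans (Table 37) above. The following added example, which is not part of this guide and not One Identity Manager code, models the three in one place. It uses a simplified matching rule that is an assumption of the example, not a statement of this guide: an object with no category is inherited by every user account, an object with categories is inherited by a user account that shares at least one of them, and directly assigned objects are always effective. The role, SKU, plan and category names are constructed.

```python
"""Category-based inheritance of administrator roles, subscriptions and disabled
service plans. Added example, not One Identity Manager code.

Assumption of this example (simplified rule): an object with no category is
inherited by every user account; an object with categories is inherited by a
user account that shares at least one category with it; directly assigned
objects are always effective.
"""
from dataclasses import dataclass

KINDS = ("admin_role", "subscription", "disabled_service_plan")


@dataclass(frozen=True)
class Assignable:
    name: str
    kind: str
    categories: frozenset = frozenset()
    risk_index: float = 0.0     # "Risk index": value in the range 0 to 1

    def __post_init__(self):
        if self.kind not in KINDS:
            raise ValueError(f"{self.name}: unknown kind {self.kind!r}")
        if not 0.0 <= self.risk_index <= 1.0:
            raise ValueError(f"{self.name}: risk index must be in the range 0 to 1")


@dataclass(frozen=True)
class UserAccount:
    upn: str
    categories: frozenset = frozenset()
    direct: frozenset = frozenset()   # names of objects assigned directly to the account


def inherits(account, obj):
    """True when the account inherits obj through categories (see assumption)."""
    return not obj.categories or bool(account.categories & obj.categories)


def effective(account, catalog):
    """Effective objects per kind: inherited through categories or assigned directly."""
    out = {kind: set() for kind in KINDS}
    for obj in catalog:
        if obj.name in account.direct or inherits(account, obj):
            out[obj.kind].add(obj.name)
    return out


def highest_risk(account, catalog):
    """Largest risk index among the account's effective objects (0.0 if none)."""
    names = set().union(*effective(account, catalog).values())
    return max((o.risk_index for o in catalog if o.name in names), default=0.0)


# Constructed sample data; categories are plain labels here.
CATALOG = (
    Assignable("Global Reader", "admin_role", frozenset({"IT"}), 0.6),
    Assignable("User Administrator", "admin_role", frozenset({"IT", "Helpdesk"}), 0.8),
    Assignable("AAD_PREMIUM", "subscription", risk_index=0.2),          # no category
    Assignable("ENTERPRISEPACK", "subscription", frozenset({"Finance", "IT"}), 0.1),
    Assignable("TEAMS1 (disabled)", "disabled_service_plan", frozenset({"Finance"})),
)
ALICE = UserAccount("alice@example.com", frozenset({"IT"}))
BOB = UserAccount("bob@example.com", frozenset({"Finance"}), direct=frozenset({"Global Reader"}))
CAROL = UserAccount("carol@example.com")   # no category: only uncategorized objects

if __name__ == "__main__":
    for account in (ALICE, BOB, CAROL):
        print(account.upn, effective(account, CATALOG), "risk", highest_risk(account, CATALOG))
```

With this data the IT account inherits both administrator roles and both subscriptions, the Finance account inherits the disabled TEAMS1 plan and holds Global Reader only because it is assigned directly, and the account without a category receives nothing but the uncategorized AAD_PREMIUM subscription.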

Assigning extended properties to disabled Azure Active Directory service plans

Extended properties are meta objects, such as operating codes, cost codes, or cost
accounting areas that cannot be mapped directly in One Identity Manager.
For more information about using extended properties, see the One Identity Manager
Identity Management Base Module Administration Guide.

To specify extended properties for a disabled Azure Active Directory service plan

1. In the Manager, select the Azure Active Directory > Disabled service
plans category.
2. Select the disabled service plan from the result list.
3. Select Assign extended properties.
4. In the Add assignments pane, assign extended properties.
TIP: In the Remove assignments pane, you can remove assigned extended
properties.

To remove an assignment
l Select the extended property and double-click .
5. Save the changes.

Displaying the disabled Azure Active Directory service plan overview

Use this task to obtain an overview of the most important information about a disabled
Azure Active Directory service plan.

To obtain an overview of a disabled Azure Active Directory service plan

1. In the Manager, select the Azure Active Directory > Disabled service
plans category.
2. Select the disabled service plan from the result list.
3. Select the Disabled Azure Active Directory service plan overview task.

Related topics

l Displaying enabled and disabled Azure Active Directory service plans for Azure Active
Directory user accounts and Azure Active Directory groups on page 126

Azure Active Directory applications and Azure Active Directory service principals

When an application is registered in an Azure Active Directory tenant, it creates an
associated Azure Active Directory service principal. There are so-called app roles defined
for applications. Azure Active Directory users, Azure Active Directory groups, or Azure
Active Directory service principals can use app roles to provide permissions or functions
for the application.
For detailed information about integrating applications into Azure Active Directory, see the
Azure Active Directory documentation from Microsoft.
Information about Azure Active Directory applications, Azure Active Directory service
principals, and app roles within an Azure Active Directory tenant is loaded into One Identity
Manager during synchronization. You cannot create new Azure Active Directory
applications, Azure Active Directory service principals, and app roles in One Identity
Manager but you can specify owners of applications and service principals and create or
delete app roles in One Identity Manager.

Detailed information about this topic

l Displaying information about Azure Active Directory applications on page 207
l Assigning owners to Azure Active Directory applications on page 208
l Displaying Azure Active Directory applications on page 209
l Displaying information about Azure Active Directory service principals on page 210
l Assigning owner to Azure Active Directory service principals on page 211
l Editing authorizations for Azure Active Directory service principals on page 212
l Displaying Azure Active Directory service principal main data on page 213

Displaying information about Azure Active Directory applications

The information about the Azure Active Directory application is loaded into One Identity
Manager during synchronization. For each Azure Active Directory tenant, all the Azure
Active Directory applications registered in that tenant are loaded together with their
Azure Active Directory service principals.
If an Azure Active Directory application is used in an Azure Active Directory tenant but
is registered in another Azure Active Directory tenant, only the Azure Active Directory
service principal, and not the Azure Active Directory application, is loaded into One
Identity Manager.
You cannot create Azure Active Directory applications in One Identity Manager.

To display information about an Azure Active Directory application

1. In the Manager, select the Azure Active Directory > Applications category.
2. In the result list, select the Azure Active Directory application.
3. Select one of the following tasks:
l Azure Active Directory application overview: This shows you an
overview of the Azure Active Directory application and its dependencies.
l Change main data: Shows the Azure Active Directory application's
main data.
l Assign owners: Shows the Azure Active Directory application's owners. You
can assign owners to an application or remove them again.

Related topics

l Assigning owners to Azure Active Directory applications on page 208
l Displaying Azure Active Directory applications on page 209
l Displaying information about Azure Active Directory service principals on page 210

Assigning owners to Azure Active Directory applications

Use this task to assign owners to an Azure Active Directory application or to remove them
from an Azure Active Directory application. Owners of Azure Active Directory application
can show the application registration in Azure Active Directory and edit it.

To assign owners to an Azure Active Directory application

1. In the Manager, select the Azure Active Directory > Applications category.
2. In the result list, select the Azure Active Directory application.
3. Select the Assign owner task.
4. In the Table menu, select the Azure Active Directory user accounts
(AADUser) item.
5. In the Add assignments pane, assign owners.

TIP: In the Remove assignments pane, you can remove assigned owners.

To remove an assignment
l Select the owner and double-click .
6. Save the changes.

Displaying Azure Active Directory applications

The information about the Azure Active Directory application is loaded into One
Identity Manager during synchronization. You cannot edit Azure Active Directory
application main data.

To display an Azure Active Directory application's main data

1. In the Manager, select the Azure Active Directory > Applications category.
2. In the result list, select the Azure Active Directory application.
3. Select Change main data.

Table 38: Azure Active Directory application main data

Property Description

Display name: Display name of the application.

Publisher domain: Name of the application's verified publisher domain.

Registration date: Date and time when the application was registered.

Group membership claim: Group membership claim expected by the application, that is, the
group types that are included in the access, ID, and SAML tokens. Permitted values are:
l None: No group types
l All: All group types
l Security groups: Security groups with the user as a member.

Logo URL: Link to the application's logo.

Marketing URL: Link to the application's marketing page.

Privacy statement URL: Link to the application's privacy statement.

Service URL: Link to the application's support page.

Terms of service URL: Link to the application's terms of service.

Fallback public client: Specifies whether the fallback application type is a public
client, such as an application installed and running on a mobile device. If the option is
disabled (default), the fallback application type is a confidential client, such as a web
application.

Supported user accounts: Specifies which Microsoft user accounts the application supports.
Permitted values are:
l Accounts in this organizational directory only
l Accounts in any organizational directory
l Accounts in any organizational directory and personal Microsoft accounts
l Only personal Microsoft accounts

Token issuance policies: Name of the policy for issuing tokens.

Token lifetime policy: Name of the policy for token lifetimes.

Tags: User-defined string to use for categorizing and identifying the application.

Related topics

l Azure Active Directory policies for issuing tokens on page 174
l Azure Active Directory policies for token lifetime on page 175

Displaying information about Azure Active Directory service principals

When an application is registered in an Azure Active Directory tenant in Microsoft Azure
Management Portal, it creates an associated Azure Active Directory service principal.
The information about the Azure Active Directory service principal is loaded into One
Identity Manager during synchronization. You cannot create new Azure Active Directory
service principals in One Identity Manager.

To display information about an Azure Active Directory service principal

1. In the Manager, select the Azure Active Directory > Service principals
category.
2. In the result list, select the Azure Active Directory service principal.
3. Select one of the following tasks:
l Azure Active Directory service principal overview: This shows you an
overview of the Azure Active Directory service principal and its dependencies.
l Change main data: This displays the Azure Active Directory service
principal's main data.
l Assign owners: This displays the Azure Active Directory service principals
owners. You can assign owners to a service principal or remove them.
l Assign authorizations: This displays user accounts, groups, and service
principals with their assigned app roles. You can create more authorizations or
remove them.

Related topics

l Assigning owner to Azure Active Directory service principals on page 211
l Editing authorizations for Azure Active Directory service principals on page 212
l Displaying Azure Active Directory service principal main data on page 213
l Displaying information about Azure Active Directory applications on page 207

Assigning owner to Azure Active Directory service principals

Use this task to assign owners to an Azure Active Directory service principal or to remove
them from a service principal.

To assign owners to an Azure Active Directory service principal

1. In the Manager, select the Azure Active Directory > Service principals
category.
2. In the result list, select the Azure Active Directory service principal.
3. Select the Assign owner task.
4. In the Table menu, select the Azure Active Directory user accounts
(AADUser) item.
5. In the Add assignments pane, assign owners.
TIP: In the Remove assignments pane, you can remove assigned owners.

To remove an assignment
l Select the owner and double-click .
6. Save the changes.

Editing authorizations for Azure Active Directory service principals

There are so-called app roles defined for applications. Azure Active Directory users, Azure
Active Directory groups, or Azure Active Directory service principals can use app roles to
provide permissions or functions for the application.
App roles and their assignments are loaded into One Identity Manager by synchronization.
However, you cannot create new app roles in One Identity Manager. In One Identity
Manager, you can add or remove authorizations for the service principals and their
applications respectively.

To assign authorizations to an Azure Active Directory service principal

1. In the Manager, select the Azure Active Directory > Service principals
category.
2. In the result list, select the Azure Active Directory service principal.
3. Select the Assign authorizations task.
4. In the Assignments pane, click Add and enter the following data.
l Authorized for: Specify the user account, group, or service principal for the
authorization.
a. Click next to the field.
b. Under Table, select one of the following tables:
l To authorize a user account, select AADUser.
l To authorize a group, select AADGroup.
l To authorize a service principal, select AADServicePrincipal.
c. Under Authorized for, select the user account, group, or service
principal.
d. Click OK.
l App role: Select the app role for the authorization.
NOTE: If there is no app role defined for a service principal, leave this item
empty to authorize the user account, group, or service principal.
5. Save the changes.

To remove authorizations from an Azure Active Directory service principal

1. In the Manager, select the Azure Active Directory > Service principals
category.
2. In the result list, select the Azure Active Directory service principal.
3. Select the Assign authorizations task.
4. In the Assignments pane, select the authorization you want to remove.
5. Click Remove.
6. Save the changes.
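As an added example that is not part of this guide and not One Identity Manager code, the following Python models the authorizations described in this section and the checks a reviewer would run over them before saving: an authorization must name one of the three tables (AADUser, AADGroup, AADServicePrincipal), its app role must be one the application actually defines, and the app role may only be left empty when the service principal defines no app roles (the NOTE above). The review also reports the two properties from the main data tables that widen access regardless of the authorization list: "App role assignment required" (Table 39) switched off, combined with the associated application's "Supported user accounts" (Table 38). The service principals, app roles and principals are constructed; the app role IDs are placeholders.

```python
"""Review of app role authorizations on an Azure Active Directory service principal.

Added example, not One Identity Manager code. The table names AADUser, AADGroup
and AADServicePrincipal and the properties "App role assignment required" and
"Supported user accounts" are taken from this guide; the records are constructed.
"""
from dataclasses import dataclass
from typing import Optional

PRINCIPAL_TABLES = ("AADUser", "AADGroup", "AADServicePrincipal")
THIS_TENANT_ONLY = "Accounts in this organizational directory only"


@dataclass(frozen=True)
class AppRole:
    role_id: str      # placeholder IDs in the sample data below
    value: str


@dataclass(frozen=True)
class ServicePrincipal:
    display_name: str
    app_roles: tuple                      # app roles the application defines; may be empty
    app_role_assignment_required: bool    # "App role assignment required"
    supported_user_accounts: str = THIS_TENANT_ONLY   # from the associated application


@dataclass(frozen=True)
class Authorization:
    table: str                   # AADUser, AADGroup or AADServicePrincipal
    principal: str               # the authorized user account, group or service principal
    app_role_id: Optional[str]   # None = "App role" left empty


def validate_authorization(sp, auth):
    """Problems with one authorization; an empty list means it is consistent."""
    problems = []
    if auth.table not in PRINCIPAL_TABLES:
        problems.append(f"{auth.principal}: unknown table {auth.table!r}")
    defined = {r.role_id for r in sp.app_roles}
    if auth.app_role_id is None:
        # An empty app role is only meaningful when the application defines none.
        if defined:
            problems.append(f"{auth.principal}: no app role chosen although "
                            f"{sp.display_name} defines {len(defined)} app role(s)")
    elif auth.app_role_id not in defined:
        problems.append(f"{auth.principal}: app role {auth.app_role_id!r} is not "
                        f"defined on {sp.display_name}")
    return problems


def review_service_principal(sp, authorizations):
    """Findings a reviewer would want to see for one service principal."""
    findings = []
    for auth in authorizations:
        findings.extend(validate_authorization(sp, auth))
    if not sp.app_role_assignment_required:
        scope = ("any account in this tenant" if sp.supported_user_accounts == THIS_TENANT_ONLY
                 else f"accounts matching '{sp.supported_user_accounts}'")
        findings.append(f"{sp.display_name}: app role assignment not required, "
                        f"{scope} can obtain tokens without an authorization")
    groups = sorted(a.principal for a in authorizations if a.table == "AADGroup")
    if groups:
        findings.append(f"{sp.display_name}: access granted via groups {groups}; "
                        "review the membership of these groups")
    return findings


# Constructed sample data.
PAYROLL = ServicePrincipal(
    "Payroll Export",
    (AppRole("role-read", "Payroll.Read"), AppRole("role-admin", "Payroll.Admin")),
    app_role_assignment_required=True)
PAYROLL_AUTHS = (
    Authorization("AADUser", "alice@example.com", "role-read"),
    Authorization("AADGroup", "Finance", "role-admin"),
    Authorization("AADServicePrincipal", "Reporting Job", "role-export"),  # undefined role
    Authorization("AADUser", "bob@example.com", None),                      # role left empty
)
INTRANET = ServicePrincipal(
    "Legacy Intranet", (), app_role_assignment_required=False,
    supported_user_accounts="Accounts in any organizational directory")
INTRANET_AUTHS = (Authorization("AADUser", "carol@example.com", None),)

if __name__ == "__main__":
    for sp, auths in ((PAYROLL, PAYROLL_AUTHS), (INTRANET, INTRANET_AUTHS)):
        for line in review_service_principal(sp, auths):
            print(line)
```

For the payroll service principal the review flags the undefined app role on the reporting job, the empty app role on bob's authorization, and the group-based grant; for the intranet service principal the single authorization is consistent, but the review reports that the application can be used by accounts from any directory without an authorization at all.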

Displaying Azure Active Directory service principal main data

The information about the Azure Active Directory service principal is loaded into One
Identity Manager during synchronization. You cannot edit Azure Active Directory service
principal main data.

To display an Azure Active Directory service principal's main data

1. In the Manager, select the Azure Active Directory > Service principals
category.
2. In the result list, select the Azure Active Directory service principal.
3. Select the Change main data task.

Table 39: General main data for an Azure Active Directory service principal

Property Description

Display name: Name for displaying the service principal.

Alternative names: Alternative names for the service principal. These are used to
retrieve service principals by subscription and to identify resource groups and full
resource IDs for managed identities.

Web page: Home page of the Azure Active Directory application.

Enabled: Specifies whether the service principal is enabled.

Application display name: Display name of the associated Azure Active Directory
application.

App role assignment required: Specifies whether users or other service principals must be
assigned an app role for this service principal before they can log in or obtain
application tokens.

Logo URL: Link to the application's logo.

Marketing URL: Link to the application's marketing page.

Privacy statement URL: Link to the application's privacy statement.

Service URL: Link to the application's support page.

Terms of service URL: Link to the application's terms of service.

Login URL: URL that the identity provider uses to reroute the user to Azure Active
Directory for authentication.

Logout URL: URL that the Microsoft authorization service uses to log out a user using
OpenID Connect front-channel, OpenID Connect back-channel, or SAML logout protocols.

Notification mail addresses: List of email addresses that Azure Active Directory sends a
notification to if the active certificate is nearing its expiration date.

Preferred single sign-on mode: Single sign-on mode configured for this Azure Active
Directory application.

Reply URLs: URLs that user tokens are sent to for logging in with the associated
application, or the redirect URIs that OAuth 2.0 authorization codes and access tokens are
sent to for the associated application.

Service principal names: Contains the list of URIs that identify the associated Azure
Active Directory application within its Azure Active Directory tenant, or within a
verified custom domain if the Azure Active Directory application is multi-tenant.

Service principal type: Specifies whether the service principal represents an application
or a managed identity. This is set by Azure Active Directory internally. Permitted values
are:
l Application: The service principal represents an application.
l ManagedIdentity: The service principal represents a managed identity.

Encryption key ID: ID of the public key for logging in using certificates.

Home realm discovery policy: Name of the home realm discovery policy.

Delete date: Time at which the service principal was deleted.

Tags: User-defined string to use for categorizing and identifying the application.

Related topics

- Azure Active Directory policies for home realm discovery on page 174

Reports about Azure Active Directory objects

One Identity Manager makes various reports available containing information about the selected base object and its relations to other One Identity Manager database objects. The following reports are available for Azure Active Directory.

NOTE: Other reports may be available depending on which modules are installed.

Table 40: Data quality target system report

Report (Published for): Description

Show overview (User account): This report shows an overview of the user account and the assigned permissions.

Show overview including origin (User account): This report shows an overview of the user account and the origin of the assigned permissions.

Show overview including history (User account): This report shows an overview of the user account including its history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.

License overview (User account): The report contains a summary of assigned and effective subscriptions and service plans for a user account.

License overview (Subscription): The report shows an overview of a subscription license. It shows to which groups and user accounts the subscription is assigned and which service plans effectively apply to the groups and the user accounts.

Overview of all assignments (Group, Subscription, Administrator role): This report finds all roles containing employees who have the selected system entitlement.

Show overview (Group): This report shows an overview of the system entitlement and its assignments.

Show overview including origin (Group): This report shows an overview of the system entitlement and the origin of the assigned user accounts.

Show overview including history (Group): This report shows an overview of the system entitlement including its history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.

Show entitlement drifts (Tenant): This report shows all system entitlements that are the result of manual operations in the target system rather than being provisioned by One Identity Manager.

Show user accounts overview (incl. history) (Tenant): This report returns all the user accounts with their permissions, including a history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.

Show user accounts with an above average number of system entitlements (Tenant): This report contains all user accounts with an above average number of system entitlements.

Show employees with multiple user accounts (Tenant): This report shows all the employees that have multiple user accounts. The report contains a risk assessment.

Show system entitlements overview (incl. history) (Tenant): This report shows the system entitlements with the assigned user accounts, including a history. Select the end date for displaying the history (Min. date). Older changes and assignments that were removed before this date are not shown in the report.

Overview of all assignments (Tenant): This report finds all roles containing employees with at least one user account in the selected target system.

Show unused user accounts (Tenant): This report contains all user accounts that have not been used in the last few months.

Show orphaned user accounts (Tenant): This report shows all user accounts to which no employee is assigned.

Table 41: Additional reports for the target system

Report: Description

Azure Active Directory user account and group administration: This report contains a summary of user account and group distribution in all tenants. You can find this report in the My One Identity Manager category.

Data quality summary for Azure Active Directory user accounts: This report contains different evaluations of user account data quality in all tenants. You can find this report in the My One Identity Manager category.

9 Handling of Azure Active Directory objects in the Web Portal

One Identity Manager enables its users to perform various tasks simply using a Web Portal.

- Managing user accounts and employees

  An account definition can be requested by shop customers in the Web Portal if it is assigned to an IT Shop shelf. The request undergoes a defined approval process. The user account is not created until it has been agreed by an authorized person, such as a manager.

- Managing assignments of groups, administrator roles, subscriptions, and disabled service plans

  In the Web Portal, by assigning groups, administrator roles, subscriptions, and disabled service plans to an IT Shop shelf, you make them available as products that shop customers can request. The request undergoes a defined approval process. The group, administrator role, subscription, or disabled service plan is not assigned until it has been approved by an authorized person.

  In the Web Portal, managers and administrators of organizations can assign groups, administrator roles, subscriptions, and disabled service plans to the departments, cost centers, or locations for which they are responsible. The groups, administrator roles, subscriptions, and disabled service plans are inherited by all employees who are members of these departments, cost centers, or locations.

  If the Business Roles Module is available, in the Web Portal, managers and administrators of business roles can assign groups, administrator roles, subscriptions, and disabled service plans to the business roles for which they are responsible. The groups, administrator roles, subscriptions, and disabled service plans are inherited by all employees who are members of these business roles.

  If the System Roles Module is available, in the Web Portal, supervisors of system roles can assign groups, administrator roles, subscriptions, and disabled service plans to the system roles. The groups, administrator roles, subscriptions, and disabled service plans are inherited by all employees that have these system roles assigned to them.

One Identity Manager 8.2.1 Administration Guide for Connecting to


Azure Active Directory 218
Handling of Azure Active Directory objects in the Web Portal
- Attestation

  If the Attestation Module is available, the correctness of the properties of target system objects and of entitlement assignments can be verified on request. To enable this, attestation policies are configured in the Manager. The attestors use the Web Portal to approve attestation cases.

- Governance administration

  If the Compliance Rules Module is available, you can define rules that identify invalid entitlement assignments and evaluate their risks. The rules are checked regularly and whenever changes are made to the objects in One Identity Manager. Compliance rules are defined in the Manager. Supervisors use the Web Portal to check and resolve rule violations and to grant exception approvals.

  If the Company Policies Module is available, company policies can be defined for the target system objects mapped in One Identity Manager and their risks evaluated. Company policies are defined in the Manager. Supervisors use the Web Portal to check policy violations and to grant exception approvals.

- Risk assessment

  You can use the risk index of groups, administrator roles, subscriptions, and disabled service plans to evaluate the risk of entitlement assignments for the company. One Identity Manager provides default calculation functions for this. The calculation functions can be modified in the Web Portal.

- Reports and statistics

  The Web Portal provides a range of reports and statistics about the employees, user accounts, and their entitlements and risks.

For detailed information about the named topics, see Managing Azure Active Directory user accounts and employees on page 55, Managing memberships in Azure Active Directory groups on page 93, Managing Azure Active Directory administrator roles assignments on page 111, Managing Azure Active Directory subscription and Azure Active Directory service plan assignments on page 122, and refer to the following guides:

- One Identity Manager Web Designer Web Portal User Guide
- One Identity Manager Attestation Administration Guide
- One Identity Manager Compliance Rules Administration Guide
- One Identity Manager Company Policies Administration Guide
- One Identity Manager Risk Assessment Administration Guide

10 Recommendations for federations

NOTE: The following modules must be installed to support federations in One Identity Manager:

- Active Directory Module
- Azure Active Directory Module

In a federation, the local Active Directory user accounts are connected to Azure Active Directory user accounts. The connection is established by using the ms-ds-consistencyGUID property in the Active Directory user account and the immutable ID property in the Azure Active Directory user account. Synchronization of Active Directory and Azure Active Directory user accounts is carried out in the federation by Azure AD Connect. For more information about Azure AD Connect, see the Azure Active Directory documentation from Microsoft.

One Identity Manager maps the connection using the Active Directory user account's Azure AD Connect anchor ID (ADSAccount.MSDsConsistencyGuid) and the Azure Active Directory user account's immutable identifier (AADUser.OnPremImmutableId).

Some of the target system relevant properties of Azure Active Directory user accounts that are linked to a local Active Directory user account cannot be changed in One Identity Manager, because these objects are mastered on-premises and written by Azure AD Connect. However, permissions can still be assigned to these Azure Active Directory user accounts in One Identity Manager.

Assignments to Azure Active Directory groups that are synchronized from the local Active Directory are not allowed in One Identity Manager. These groups cannot be requested through the Web Portal. You can only manage these groups in your local Active Directory. For more information, see the Azure Active Directory documentation from Microsoft.

One Identity Manager supports the following scenarios for federations.

Scenario 1

1. Active Directory user accounts are created in One Identity Manager and provisioned to the local Active Directory environment.
2. Azure AD Connect creates the Azure Active Directory user accounts in the Azure Active Directory tenant.
3. Azure Active Directory synchronization loads the Azure Active Directory user accounts into One Identity Manager.

This is the recommended procedure. Creating Azure Active Directory user accounts through Azure AD Connect and then loading them into One Identity Manager normally takes a while, so Azure Active Directory user accounts are not immediately available in One Identity Manager.

Scenario 2

1. Active Directory user accounts and Azure Active Directory user accounts are created in One Identity Manager.
   In this case, the connection is established by filling the ADSAccount.MSDsConsistencyGuid and AADUser.OnPremImmutableId columns consistently. This can be carried out using custom scripts or custom templates.
2. Active Directory and Azure Active Directory user accounts are provisioned independently to their own target systems.
3. Azure AD Connect detects the connection between the user accounts, establishes the connection in the federation, and updates the required properties.
4. The next Azure Active Directory synchronization updates the Azure Active Directory user accounts in One Identity Manager.

With this scenario, the Azure Active Directory user accounts are immediately available in One Identity Manager and can be issued their permissions.
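The anchor linkage behind both scenarios, and the custom-script step of Scenario 2 in particular, as an added example that is not part of this guide or of One Identity's code base. Azure AD Connect writes the cloud user's ImmutableId as the Base64 encoding of the 16 raw bytes of the on-premises anchor (ms-DS-ConsistencyGuid) in .NET Guid.ToByteArray() byte order; a script that encodes the GUID in RFC 4122 byte order instead produces an ID that Azure AD Connect will never match, leaving the two accounts unlinked. The example is written in Python rather than as a One Identity Manager script so that it runs stand-alone; the helper names, the dictionaries standing in for ADSAccount and AADUser rows, and every GUID and UPN are constructed for this example.

```python
import base64
import uuid

# Constructed sample GUID for the example (not a real account).
JDOE_GUID = "12345678-9abc-def0-1234-56789abcdef0"


def immutable_id_from_guid(guid: str) -> str:
    """Derive the Azure AD ImmutableId from an on-premises anchor GUID.

    Azure AD Connect stores Base64(ms-DS-ConsistencyGuid) as the cloud user's
    ImmutableId (AADUser.OnPremImmutableId in One Identity Manager).
    uuid.UUID(...).bytes_le reproduces the .NET Guid.ToByteArray() order
    (first three fields little-endian); encoding .bytes (RFC 4122 order)
    instead yields an ID that never matches what Azure AD Connect writes.
    """
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Inverse mapping: recover the anchor GUID from an ImmutableId."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"ImmutableId does not decode to a 16-byte GUID: {immutable_id!r}")
    return str(uuid.UUID(bytes_le=raw))


# Base64 of the same GUID in the wrong (RFC 4122) byte order: the typical
# result of a hand-written script that forgets the .NET ordering.
WRONG_ORDER_ID = base64.b64encode(uuid.UUID(JDOE_GUID).bytes).decode("ascii")

# Constructed stand-ins for ADSAccount and AADUser rows (column names from the
# guide; account names, UPNs and GUIDs are made up for this example).
SAMPLE_ADS_ACCOUNTS = [
    {"SAMAccountName": "jdoe", "MSDsConsistencyGuid": JDOE_GUID},
    {"SAMAccountName": "asmith", "MSDsConsistencyGuid": "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"},
]
SAMPLE_AAD_USERS = [
    {"UserPrincipalName": "jdoe@contoso.example", "OnPremImmutableId": immutable_id_from_guid(JDOE_GUID)},
    {"UserPrincipalName": "guest@contoso.example", "OnPremImmutableId": ""},
    {"UserPrincipalName": "broken@contoso.example", "OnPremImmutableId": WRONG_ORDER_ID},
]


def check_federation_links(ads_accounts, aad_users):
    """Classify every account by the state of its federation link.

    Returns {identifier: status}. Azure AD users are keyed by UPN with one of
    'linked:<sAMAccountName>', 'cloud-only', or 'orphaned-anchor' (an
    ImmutableId that no AD account claims, e.g. the wrong byte order above).
    AD accounts whose anchor has not shown up in Azure AD yet are keyed by
    sAMAccountName as 'awaiting-azure-ad-connect' (the delay of Scenario 1).
    """
    by_anchor = {}
    for acct in ads_accounts:
        anchor = acct.get("MSDsConsistencyGuid")
        if anchor:
            by_anchor[immutable_id_from_guid(anchor)] = acct["SAMAccountName"]

    status = {}
    matched = set()
    for user in aad_users:
        upn = user["UserPrincipalName"]
        iid = user.get("OnPremImmutableId") or ""
        if not iid:
            status[upn] = "cloud-only"
        elif iid in by_anchor:
            status[upn] = "linked:" + by_anchor[iid]
            matched.add(iid)
        else:
            status[upn] = "orphaned-anchor"
    for iid, sam in by_anchor.items():
        if iid not in matched:
            status[sam] = "awaiting-azure-ad-connect"
    return status


if __name__ == "__main__":
    for name, state in sorted(check_federation_links(SAMPLE_ADS_ACCOUNTS, SAMPLE_AAD_USERS).items()):
        print(f"{name:24} {state}")
```

Running this check over exported ADSAccount and AADUser rows before Azure AD Connect runs (step 3 of Scenario 2) shows whether the custom script produced anchors that will actually be matched; an 'orphaned-anchor' result on an account that is expected to be linked almost always means the GUID was encoded in the wrong byte order or the wrong attribute was used as the anchor.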
NOTE:

- If you work with account definitions, it is recommended that you enter the account definition for Active Directory as a required account definition in the account definition for Azure Active Directory.
- If you work with account definitions, it is recommended that you select the Only initially value for the IT operating data overwrites property in the manage level. The data is then only determined when the account is first created.
- Do not post-process Azure Active Directory user accounts using templates, because certain target system relevant properties cannot be edited and the following errors may occur:
[Exception]: ServiceException occured
Code: Request_BadRequest
Message: Unable to update the specified properties for on-premises
mastered Directory Sync objects or objects currently undergoing
migration.
[ServiceException]: Code: Request_BadRequest - Message: Unable to update
the specified properties for on-premises mastered Directory Sync objects
or objects currently undergoing migration.

Related topics

- Information about the local Active Directory user account on page 186
- Account definitions for Azure Active Directory user accounts on page 56
- Main data for an account definition on page 58

11 Basic configuration data for managing an Azure Active Directory environment

To manage an Azure Active Directory environment in One Identity Manager, the following basic data is relevant.

- Target system types

  Target system types are required for configuring target system comparisons. Tables with outstanding objects are maintained with the target system types and settings are configured for provisioning memberships and single object synchronization. Target system types also map objects in the Unified Namespace.

  For more information, see Post-processing outstanding objects on page 50.

- Target system managers

  A default application role exists for the target system manager in One Identity Manager. Assign the employees who have permission to edit all tenants in One Identity Manager to this application role.

  Define additional application roles if you want to limit the permissions for target system managers to individual tenants. The application roles must be added under the default application role.

  For more information, see Target system managers for Azure Active Directory on page 224.

- Servers

  Servers must be informed of their server functionality in order to handle Azure Active Directory-specific processes in One Identity Manager, for example, the synchronization server.

  For more information about editing Job servers for Azure Active Directory components, see Job server for Azure Active Directory-specific process handling on page 226.

Target system managers for Azure Active Directory
A default application role exists for the target system manager in One Identity Manager. Assign the employees who have permission to edit all tenants in One Identity Manager to this application role.

Define additional application roles if you want to limit the permissions for target system managers to individual tenants. The application roles must be added under the default application role.

For detailed information about implementing and editing application roles, see the One Identity Manager Authorization and Authentication Guide.

Implementing application roles for target system managers

1. The One Identity Manager administrator allocates employees to be target system administrators.
2. These target system administrators add employees to the default application role for target system managers.
   Target system managers with the default application role are authorized to edit all the tenants in One Identity Manager.
3. Target system managers can authorize other employees within their area of responsibility as target system managers and, if necessary, create additional child application roles and assign these to individual tenants.

Table 42: Default application roles for target system managers

User: Tasks

Target system managers: Target system managers must be assigned to the Target systems | Azure Active Directory application role or a child application role.

Users with this application role:

- Assume administrative tasks for the target system.
- Create, change, or delete target system objects.
- Edit password policies for the target system.
- Prepare groups to add to the IT Shop.
- Can add employees who have another identity than the Primary identity.
- Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.
- Edit the synchronization's target system types and outstanding objects.
- Authorize other employees within their area of responsibility as target system managers and create child application roles if required.

To initially specify employees to be target system administrators

1. Log in to the Manager as a One Identity Manager administrator (Base role | Administrators application role).
2. Select the One Identity Manager Administration > Target systems > Administrators category.
3. Select the Assign employees task.
4. Assign the employees you want and save the changes.

To add the first employees to the default application role as target system managers

1. Log in to the Manager as a target system administrator (Target systems | Administrators application role).
2. Select the One Identity Manager Administration > Target systems > Azure Active Directory category.
3. Select the Assign employees task.
4. Assign the employees you want and save the changes.

To authorize other employees as target system managers when you are a target system manager

1. Log in to the Manager as a target system manager.
2. Select the application role in the Azure Active Directory > Basic configuration data > Target system managers category.
3. Select the Assign employees task.
4. Assign the employees you want and save the changes.

To specify target system managers for individual tenants

1. Log in to the Manager as a target system manager.
2. Select the Azure Active Directory > Tenants category.
3. Select the tenant in the result list.
4. Select the Change main data task.
5. On the General tab, select the application role in the Target system manager menu.
   - OR -
   Next to the Target system manager menu, click the button for creating a new application role.
   a. Enter the application role name and assign the Target systems | Azure Active Directory parent application role.
   b. Click OK to add the new application role.
6. Save the changes.
7. Assign employees to this application role who are permitted to edit the tenant in One Identity Manager.

Related topics

- One Identity Manager users for managing an Azure Active Directory environment on page 11
- Azure Active Directory tenant on page 168

Job server for Azure Active Directory-specific process handling

Servers must be informed of their server functionality in order to handle Azure Active Directory-specific processes in One Identity Manager, for example, the synchronization server.
You have several options for defining a server's functionality:

- In the Designer, create an entry for the Job server in the Base Data > Installation > Job server category. For more information about this, see the One Identity Manager Configuration Guide.
- In the Manager, select an entry for the Job server in the Azure Active Directory > Basic configuration data > Server category and edit the Job server main data. Use this task if the Job server has already been declared in One Identity Manager and you want to configure special functions for the Job server.

NOTE: The One Identity Manager Service must be installed, configured, and started in order for a server to perform its function in the One Identity Manager Service network. Proceed as described in the One Identity Manager Installation Guide.

To edit a Job server and its functions

1. In the Manager, select the Azure Active Directory > Basic configuration data > Server category.
2. Select the Job server entry in the result list.
3. Select the Change main data task.
4. Edit the Job server's main data.
5. Select the Assign server functions task and specify server functionality.
6. Save the changes.

Detailed information about this topic

- General main data of Job servers on page 227
- Specifying server functions on page 229

General main data of Job servers

NOTE: All editing options are also available in the Designer under Base Data > Installation > Job server.

NOTE: More properties may be available depending on which modules are installed.

Table 43: Job server properties

Property: Meaning

Server: Job server name.

Full server name: Full server name in accordance with DNS syntax. Syntax: <Name of server>.<Fully qualified domain name>

Target system: Computer account target system.

Language: Language of the server.

Server is cluster: Specifies whether the server maps a cluster.

Server belongs to cluster: Cluster to which the server belongs.
NOTE: The Server is cluster and Server belongs to cluster properties are mutually exclusive.

IP address (IPv6): Internet protocol version 6 (IPv6) server address.

IP address (IPv4): Internet protocol version 4 (IPv4) server address.

Copy process (source server): Permitted copying methods that can be used when this server is the source of a copy action. At present, only copy methods that support the Robocopy and rsync programs are supported. If no method is given, the One Identity Manager Service determines the operating system of the server during runtime. Replication is then performed with the Robocopy program between servers with a Windows operating system or with the rsync program between servers with a Linux operating system. If the operating systems of the source and destination servers differ, it is important that the right copy method is applied for successful replication. A copy method is chosen that supports both servers.

Copy process (target server): Permitted copying methods that can be used when this server is the destination of a copy action.

Coding: Character set encoding that is used to write files to the server.

Parent Job server: Name of the parent Job server.

Executing server: Name of the executing server, that is, the server that exists physically and where the processes are handled. This input is evaluated when the One Identity Manager Service is automatically updated. If the server is handling several queues, the process steps are not supplied until all the queues that are being processed on the same server have completed their automatic update.

Queue: Name of the queue to handle the process steps. The process steps are requested by the Job queue using this queue identifier. The queue identifier is entered in the One Identity Manager Service configuration file.

Server operating system: Operating system of the server. This input is required to resolve the path name for replicating software profiles. The values Win32, Windows, Linux, and Unix are permitted. If no value is specified, Win32 is used.

Service account data: One Identity Manager Service user account information. In order to replicate between non-trusted systems (non-trusted domains, Linux servers), the One Identity Manager Service user information has to be declared for the servers in the database. This means that the service account, the service account domain, and the service account password have to be entered for the server.

One Identity Manager Service installed: Specifies whether a One Identity Manager Service is installed on this server. This option is enabled by the QBM_PJobQueueLoad procedure the moment the queue is called for the first time. The option is not automatically removed. If necessary, you can reset this option manually for servers whose queue is no longer enabled.

Stop One Identity Manager Service: Specifies whether the One Identity Manager Service has stopped. If this option is set for the Job server, the One Identity Manager Service does not process any more tasks. You can make the service start and stop with the appropriate administrative permissions in the Job Queue Info program. For more information, see the One Identity Manager Process Monitoring and Troubleshooting Guide.

No automatic software update: Specifies whether to exclude the server from automatic software updating.
NOTE: Servers must be manually updated if this option is set.

Software update running: Specifies whether a software update is currently running.

Server function: Server functionality in One Identity Manager. One Identity Manager processes are handled with respect to the server function.

Related topics

- Specifying server functions on page 229

Specifying server functions

NOTE: All editing options are also available in the Designer under Base Data > Installation > Job server.

The server function defines the functionality of a server in One Identity Manager. One Identity Manager processes are handled with respect to the server function.

NOTE: More server functions may be available depending on which modules are installed.

Table 44: Permitted server functions

Server function: Remark

Azure Active Directory connector (via Microsoft Graph): Server on which the Azure Active Directory connector is installed. This server synchronizes the Azure Active Directory target system.

CSV connector: Server on which the CSV connector for synchronization is installed.

Domain controller: The Active Directory domain controller. Servers that are not labeled as domain controllers are considered to be member servers.

Printer server: Server that acts as a print server.

Generic server: Server for generic synchronization with a custom target system.

Home server: Server for adding home directories for user accounts.

Update server: This server automatically updates the software on all the other servers. The server requires a direct connection to the database server on which the One Identity Manager database is installed. It can run SQL tasks. The server with the One Identity Manager database installed on it is labeled with this functionality during initial installation of the schema.

SQL processing server: It can run SQL tasks. The server requires a direct connection to the database server on which the One Identity Manager database is installed. Several SQL processing servers can be set up to spread the load of SQL processes. The system distributes the generated SQL processes throughout all the Job servers with this server function.

CSV script server: This server can process CSV files using the ScriptComponent process component.

Generic database connector: This server can connect to an ADO.NET database.

One Identity Manager database connector: Server on which the One Identity Manager connector is installed. This server synchronizes the One Identity Manager target system.

One Identity Manager Service installed: Server on which a One Identity Manager Service is installed.

Primary domain controller: Primary domain controller.

Profile server: Server for setting up profile directories for user accounts.

SAM synchronization server: Server for running synchronization with an SMB-based target system.

SMTP host: Server from which the One Identity Manager Service sends email notifications. The prerequisite for sending mails using the One Identity Manager Service is SMTP host configuration.

Default report server: Server on which reports are generated.

Windows PowerShell connector: The server can run Windows PowerShell version 3.0 or later.

Related topics

- General main data of Job servers on page 227

Appendix A: Troubleshooting

Possible errors when synchronizing an Azure Active Directory tenant
Issue

An error occurs when loading the Azure Active Directory user accounts:

[Exception]: ServiceException occured
Code: BadRequest
Message: Tenant does not have a SPO license.
[ServiceException]: Code: BadRequest - Message: Tenant does not have a SPO license.

Cause

An Azure Active Directory tenant is being synchronized that does not have a license for the SharePoint Online service.

Possible solutions

- Ensure the Azure Active Directory tenant has a license that includes the SharePoint Online service. (Recommended)
- If you want to synchronize an Azure Active Directory tenant that does not have a license for the SharePoint Online service, change the synchronization project with the Synchronization Editor.
  In the Users mapping, disable the property mapping rules for the following schema properties. To do this, set the mapping direction to Do not map.
  - BirthDay
  - PreferedName
  - Responsibilities
  - Schools
  - Skills
  - PastProjects
  - Interests
  - HireDate
  - EmployeeID
  - AboutMe
  - MySite
  - ImAddresses
  - FaxNumber
  - OtherMails
  For more information about editing property mapping rules in the Synchronization Editor, see the One Identity Manager Target System Synchronization Reference Guide.

Appendix B: Configuration parameters for managing an Azure Active Directory environment

The following configuration parameters are available in One Identity Manager after the
module has been installed.

Table 45: Configuration parameters

TargetSystem | AzureAD
    Preprocessor relevant configuration parameter for controlling database model
    components for Azure Active Directory target system administration. If the
    parameter is set, the target system components are available. Changes to this
    parameter require the database to be recompiled.
    If you disable the configuration parameter at a later date, model components and
    scripts that are no longer required are disabled. SQL procedures and triggers are
    still carried out. For more information about the behavior of preprocessor
    relevant configuration parameters and conditional compiling, see the One Identity
    Manager Configuration Guide.

TargetSystem | AzureAD | Accounts
    Allows configuration of user account data.

TargetSystem | AzureAD | Accounts | InitialRandomPassword
    Specifies whether a random password is generated when a new user account is
    added. The password must contain at least those character sets that are defined
    in the password policy.

TargetSystem | AzureAD | Accounts | InitialRandomPassword | SendTo
    Employee to receive an email with the randomly generated password (manager of
    the cost center/department/location/role, the employee's manager, or
    XUserInserted). If no recipient can be found, the password is sent to the address
    stored in the TargetSystem | AzureAD | DefaultAddress configuration parameter.

TargetSystem | AzureAD | Accounts | InitialRandomPassword | SendTo | MailTemplateAccountName
    Mail template name that is sent to supply users with the login credentials for the
    user account. The Employee - new user account created mail template is used.

TargetSystem | AzureAD | Accounts | InitialRandomPassword | SendTo | MailTemplatePassword
    Mail template name that is sent to supply users with the initial password. The
    Employee - initial password for new user account mail template is used.

TargetSystem | AzureAD | Accounts | MailTemplateDefaultValues
    Mail template used to send notifications about whether default IT operating data
    mapping values are used for automatically creating a user account. The Employee
    - new user account with default properties created mail template is used.

TargetSystem | AzureAD | Accounts | PrivilegedAccount
    Allows configuration of privileged Azure Active Directory user account settings.

TargetSystem | AzureAD | Accounts | PrivilegedAccount | AccountName_Postfix
    Postfix for formatting the login name of privileged user accounts.

TargetSystem | AzureAD | Accounts | PrivilegedAccount | AccountName_Prefix
    Prefix for formatting the login name of privileged user accounts.

TargetSystem | AzureAD | DefaultAddress
    Default email address of the recipient for notifications about actions in the target
    system.

TargetSystem | AzureAD | DeltaTokenDirectory
    Directory where the delta token files for the delta synchronization are stored.

TargetSystem | AzureAD | MaxFullsyncDuration
    Maximum runtime of a synchronization in minutes. No recalculation of group
    memberships by the DBQueue Processor can take place during this time. If the
    maximum runtime is exceeded, group memberships are recalculated.

TargetSystem | AzureAD | PersonAutoDefault
    Mode for automatic employee assignment for user accounts added to the database
    outside synchronization.

TargetSystem | AzureAD | PersonAutoDisabledAccounts
    Specifies whether employees are automatically assigned to disabled user accounts.
    User accounts are not given an account definition.

TargetSystem | AzureAD | PersonAutoFullSync
    Mode for automatic employee assignment for user accounts that are added to or
    updated in the database by synchronization.

TargetSystem | AzureAD | PersonExcludeList
    List of all user accounts that must not be automatically assigned to employees.
    Names are listed in a pipe (|) delimited list that is handled as a regular search
    pattern.
    Example:
    ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.* | $

TargetSystem | AzureAD | PersonUpdate
    Specifies whether employees are updated if their user accounts are changed. This
    configuration parameter is set to allow person objects to be updated continually
    from linked user accounts.

QER | ITShop | AutoPublish | AADGroup
    Preprocessor relevant configuration parameter for automatically adding Azure
    Active Directory groups to the IT Shop. If the parameter is set, all groups are
    automatically assigned as products to the IT Shop. Changes to this parameter
    require the database to be recompiled.
    If you disable the configuration parameter at a later date, model components and
    scripts that are no longer required are disabled. SQL procedures and triggers are
    still carried out. For more information about the behavior of preprocessor
    relevant configuration parameters and conditional compiling, see the One Identity
    Manager Configuration Guide.

QER | ITShop | AutoPublish | AADGroup | ExcludeList
    List of all Azure Active Directory groups that must not be automatically assigned
    to the IT Shop. Each entry is part of a regular search pattern and supports regular
    expression notation.
    Example:
    .*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS

QER | ITShop | AutoPublish | AADSubSku
    Preprocessor relevant configuration parameter for automatically adding Azure
    Active Directory subscriptions to the IT Shop. If the parameter is set, all
    subscriptions are automatically assigned as products to the IT Shop. Changes to
    this parameter require the database to be recompiled.
    If you disable the configuration parameter at a later date, model components and
    scripts that are no longer required are disabled. SQL procedures and triggers are
    still carried out. For more information about the behavior of preprocessor
    relevant configuration parameters and conditional compiling, see the One Identity
    Manager Configuration Guide.

QER | ITShop | AutoPublish | AADSubSku | ExcludeList
    List of all Azure Active Directory subscriptions that must not be automatically
    assigned to the IT Shop. Each entry is part of a regular search pattern and
    supports regular expression notation.

QER | ITShop | AutoPublish | AADDeniedServicePlan
    Preprocessor relevant configuration parameter for automatically adding Azure
    Active Directory service plans to the IT Shop. If the parameter is set, all service
    plans are automatically assigned as products to the IT Shop. Changes to this
    parameter require the database to be recompiled.
    If you disable the configuration parameter at a later date, model components and
    scripts that are no longer required are disabled. SQL procedures and triggers are
    still carried out. For more information about the behavior of preprocessor
    relevant configuration parameters and conditional compiling, see the One Identity
    Manager Configuration Guide.

QER | ITShop | AutoPublish | AADDeniedServicePlan | ExcludeList
    List of all Azure Active Directory service plans that must not be automatically
    assigned to the IT Shop. Each entry is part of a regular search pattern and
    supports regular expression notation.
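The exclude lists above decide which user accounts are never linked to an employee and which groups, subscriptions and service plans never reach the IT Shop, so an entry that is too broad or too narrow leaves objects unmanaged or over-exposed. The following Python script is an added example for reviewing such a list against sample names before enabling automatic assignment or publishing; it is not part of the guide or of One Identity Manager, and the whole-name, case-insensitive matching, the trimmed example lists and the sample names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data: the two example exclude lists quoted in the
# configuration parameter table (PersonExcludeList and AADGroup | ExcludeList),
# without the trailing ".* | $" fragment of the user-account example.
PERSON_EXCLUDE_LIST = "ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*"
GROUP_EXCLUDE_LIST = ".*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS"


def compile_exclude_list(exclude_list: str) -> List[Tuple[str, re.Pattern]]:
    """Split a pipe-delimited exclude list into (entry, compiled regex) pairs.

    Assumption (not stated in the guide): each entry has to match the whole
    name, case-insensitively, so GUEST does not also catch GUESTBOOK."""
    compiled = []
    for entry in exclude_list.split("|"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate empty entries such as a trailing pipe
        compiled.append((entry, re.compile(rf"^(?:{entry})$", re.IGNORECASE)))
    return compiled


def matching_entry(name: str, compiled: List[Tuple[str, re.Pattern]]) -> Optional[str]:
    """Return the first exclude-list entry that matches name, or None."""
    for entry, pattern in compiled:
        if pattern.match(name):
            return entry
    return None


def partition(names: List[str], exclude_list: str) -> Tuple[Dict[str, str], List[str]]:
    """Split names into those the exclude list catches (name -> matching entry)
    and the rest, i.e. the objects that would still be auto-assigned or published."""
    compiled = compile_exclude_list(exclude_list)
    excluded: Dict[str, str] = {}
    included: List[str] = []
    for name in names:
        entry = matching_entry(name, compiled)
        if entry is None:
            included.append(name)
        else:
            excluded[name] = entry
    return excluded, included


def overly_broad_entries(names: List[str], exclude_list: str) -> List[str]:
    """Entries that match every sampled name; such an entry silently switches the
    automatic assignment or publishing off for the whole tenant."""
    compiled = compile_exclude_list(exclude_list)
    return [entry for entry, pattern in compiled
            if names and all(pattern.match(n) for n in names)]


if __name__ == "__main__":
    # Constructed sample user account and group names.
    accounts = ["Administrator", "jdoe", "IUSR_WEB01", "support_desk", "krbtgt"]
    groups = ["Exchange Servers", "Domain Admins", "Sales", "Administrators"]
    print(partition(accounts, PERSON_EXCLUDE_LIST))
    print(partition(groups, GROUP_EXCLUDE_LIST))
    print(overly_broad_entries(groups, GROUP_EXCLUDE_LIST + "|.*"))
```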

Appendix C: Default project template for Azure Active Directory

A default project template ensures that all required information is added in One Identity
Manager. This includes mappings, workflows, and the synchronization base object. If you
do not use a default project template you must declare the synchronization base object in
One Identity Manager yourself.
Use a default project template for initially setting up the synchronization project. For
custom implementations, you can extend the synchronization project with the
Synchronization Editor.
The project template uses mappings for the following schema types.

Table 46: Azure Active Directory schema type mapping

Schema type in Azure Active Directory    Table in the One Identity Manager Schema
DirectoryRole                            AADDirectoryRole
Group                                    AADGroup
LicenseAssignments                       AADUserHasSubSku
GroupLicenseAssignments                  AADGroupHasSubSku
Organization                             AADOrganization
ServicePlanInfo                          AADServicePlan
SubscribedSku                            AADSubSku
User                                     AADUser
VerifiedDomain                           AADVerifiedDomain
Application                              AADApplication
AppRole                                  AADAppRole
AppRoleAssignment                        AADAppRoleAssignment
ServicePrincipal                         AADServicePrincipal
ActivityBasedTimeoutPolicy               AADActivityBasedTimeoutPolicy
HomeRealmDiscoveryPolicy                 AADHomeRealmDiscoveryPolicy
TokenIssuancePolicy                      AADTokenIssuancePolicy
TokenLifetimePolicy                      AADTokenLifetimePolicy

Appendix D: Editing Azure Active Directory system objects

The following table describes permitted editing methods of Azure Active Directory schema
types and names restrictions required by system object processing.

Table 47: Methods available for editing schema types

Type                                                             Read  Add  Delete  Refresh
Subscriptions (SubscribedSku)                                    Yes   No   No      No
Administrator roles (DirectoryRole)                              Yes   No   No      Yes
User accounts (User)                                             Yes   Yes  Yes     Yes
Service plans (ServicePlanInfo)                                  Yes   No   No      No
Domains (VerifiedDomain)                                         Yes   No   No      No
Groups (Group)                                                   Yes   Yes  Yes     Yes
License assignments to user accounts (LicenseAssignments)        Yes   Yes  Yes     Yes
License assignments to groups (GroupLicenseAssignments)          Yes   No   No      No
Tenants (Organization)                                           Yes   No   No      Yes
Applications (Application)                                       Yes   No   No      Yes
Service principals (ServicePrincipal)                            Yes   No   No      Yes
App roles (AppRole)                                              Yes   No   No      No
Assignments to app roles (AppRoleAssignment)                     Yes   Yes  Yes     Yes
Policies on activity-based timeout (ActivityBasedTimeoutPolicy)  Yes   No   No      No
Policies on home realm discovery (HomeRealmDiscoveryPolicy)      Yes   No   No      No
Policies on token issuance (TokenIssuancePolicy)                 Yes   No   No      No
Policies on token lifetime (TokenLifetimePolicy)                 Yes   No   No      No

Appendix E: Azure Active Directory connector settings

The following settings are configured for the system connection with the Azure Active
Directory connector.

Table 48: Azure Active Directory connector settings

Client ID
    Application ID that was generated during integration of One Identity Manager as
    an Azure Active Directory tenant application.
    Variable: CP_ClientID

Login domain
    Base domain or a verified domain of your Azure Active Directory tenant.
    Variable: CP_OrganizationDomain

User name
    User account name for logging in on Azure Active Directory if you have integrated
    One Identity Manager as a native client application for the Azure Active Directory
    tenant.
    Variable: CP_Username

Password
    The user account's password.
    Variable: CP_Password

Key
    Key that was generated during registration of One Identity Manager as an Azure
    Active Directory web application of the tenant.
    Variable: CP_Secret

Organization ID
    The Azure Active Directory tenant ID.
    Variable: OrganizationID

GuestInviteSendMail
    Specifies whether the guest user invitation will be sent.
    Default: True
    Variable: GuestInviteSendMail

GuestInviteLanguage
    Language to use for sending the guest user invitation.
    Default: en-us
    Variable: GuestInviteLanguage

GuestInviteCustomMessage
    Personal welcome greeting for the guest user.
    Variable: GuestInviteCustomMessage

GuestInviteRedirectUrl
    URL to reroute guest users after they have accepted the invitation and registered.
    Default: http://www.office.com
    Variable: GuestInviteRedirectUrl

About us

One Identity solutions eliminate the complexities and time-consuming processes often
required to govern identities, manage privileged accounts and control access. Our solutions
enhance business agility while addressing your IAM challenges with on-premises, cloud and
hybrid environments.

Contacting us
For sales and other inquiries, such as licensing, support, and renewals, visit
https://www.oneidentity.com/company/contact-us.aspx.

Technical support resources


Technical support is available to One Identity customers with a valid maintenance contract
and customers who have trial versions. You can access the Support Portal at
https://support.oneidentity.com/.
The Support Portal provides self-help tools you can use to solve problems quickly and
independently, 24 hours a day, 365 days a year. The Support Portal enables you to:

l Submit and manage a Service Request


l View Knowledge Base articles
l Sign up for product notifications
l Download software and technical documentation
l View how-to videos at www.YouTube.com/OneIdentity
l Engage in community discussions
l Chat with support engineers online
l View services to assist you with your product

Index

A
account definition 56
    add to IT Shop 73
    assign automatically 71
    assign to all employees 71
    assign to Azure Active Directory tenant 75
    assign to business role 70
    assign to cost center 70
    assign to department 70
    assign to employee 68, 72
    assign to location 70
    assign to system roles 72
    create 57
    delete 76
    edit 58
    IT operating data 65-66
    manage level 62-63
Administrator role
    assign user account 111
architecture overview 10
Azure Active Directory
    use case 17
Azure Active Directory administrator role 198
    add to IT Shop 117
    add to system role 116
    assign extended properties 200
    assign to business role 115
    assign to cost center 114
    assign to department 114
    assign to location 114
    assign user account 119-120
    Azure Active Directory tenant 199
    category 120, 199
    display name 199
    edit 199
    risk index 199
    service item 199
    template 199
Azure Active Directory app role 207, 212
Azure Active Directory application 207, 209
    owner 208
Azure Active Directory connector 22
Azure Active Directory delta synchronization 37
    delta token file 37
Azure Active Directory domain 172
Azure Active Directory duty roster 128
    disabled service plan
        add to IT Shop 146, 148
        add to system role 145
        assign to business role 144
        assign to cost center 143
        assign to department 143
        assign to location 143
        assign user account 140, 149-150
        category 152
        edit 205
Azure Active Directory group
    Active Directory group 194, 198
    add to IT Shop 99, 101
    add to system role 98
    alias 193
    assign extended properties 196
    assign group 195
    assign to business role 97
    assign to cost center 96
    assign to department 96
    assign to location 96
    assign user account 93, 103-104
    Azure Active Directory tenant 193
    category 107, 193
    delete 197
    distribution group 191
    edit 192
    effective 104
    email address 193
    exclusion 104
    group type 191, 193
    mail-enabled security policy 191
    Office 365 group 191
    owner 196
    risk index 193
    security group 191, 193
    service item 193
Azure Active Directory policy
    activity-based timeout 173
    home realm discovery 174
    token issuance 174
    token lifetime 175
Azure Active Directory service principal 207, 210, 213
    authorization 212
    owner 211
Azure Active Directory subscription
    add to IT Shop 134, 136
    add to system role 133
    assign extended properties 203, 206
    assign to business role 132
    assign to cost center 130
    assign to department 130
    assign to location 130
    assign user account 128, 138-140
    category 151
    edit 202
Azure Active Directory tenant
    account definition 169
    account definition (initial) 75
    application roles 11
    category 107, 120, 151-152, 171
    edit 168
    employee assignment 80
    local Active Directory 170
    overview of all assignments 109
    report 215
    synchronization 169
    target system manager 11, 169, 224
Azure Active Directory user account
    account definition 75, 178
    account manager 185
    Active Directory user account 186, 190
    alias 178
    assign administrator role 119-120
    assign disabled service plan 149-150
    assign employee 55, 78, 177-178
    assign extended properties 187
    assign group 103-104
    assign subscription 138-139
    Azure Active Directory tenant 178
    can inherit administrator role 178
    can inherit disabled service plan 178
    can inherit Exchange Online group 178
    can inherit subscription 178
    category 107, 120, 151-152, 178
    company 185
    deactivate 178, 188
    deferred deletion 91
    delete 189
    department 184-185
    domain 178
    email address 178, 184
    employee 178
    identity 178
    Immutable identifier 186
    inherit group 178
    job description 185
    local user account 186
    location 178
    lock 189
    login name 178
    manage 176
    manage level 83, 178
    password 178
        initial 165
    password policies 178
    privileged user account 178
    proxy address 184
    restore 189
    risk index 178
    set up 177
    SID 186
    town 184
    update employee 90

B
base object 35, 44

C
calculation schedule 46
    deactivate 47
configuration parameter 233
convert connection parameter 35

D
default user accounts 85
direction of synchronization
    direction target system 25, 31
    in the Manager 25

E
email notification 165
employee assignment
    automatic 78
    manual 81
    remove 81
    search criteria 80
    table column 80
exclusion definition 104

I
identity 83
IT operating data
    change 68
IT Shop shelf
    assign account definition 73

J
Job server 226
    edit 21
    load balancing 45

L
load balancing 45
login data 165

M
membership
    modify provisioning 42

N
notification 165

O
object
    delete immediately 50
    outstanding 50
    publish 50
One Identity Manager
    administrator 11
    register as application 17
    target system administrator 11
    target system manager 11, 224
    user 11
outstanding object 50

P
password
    initial 165
password policy 153
    assign 155
    character sets 159
    check password 164
    conversion script 161, 163
    default policy 155, 158
    display name 158
    edit 156-157
    error message 158
    excluded list 164
    failed logins 158
    generate password 165
    initial password 158
    name components 158
    password age 158
    password cycle 158
    password length 158
    password strength 158
    predefined 154
    test script 161
project template 237
provisioning
    accelerate 45
    members list 42

S
schema
    changes 36
    shrink 36
    update 36
server 226
single object synchronization 44, 49
    accelerate 45
start up configuration 35
synchronization
    accelerate 37
    authorizations 20
    base object
        create 32
    calculation schedule 46
    configure 25, 30
    connection parameter 25, 30, 32
    different domains 32
    extended schema 32
    prevent 47
    scope 30
    set up 15
    start 25, 46
    synchronization project
        create 25
    target system schema 32
    user 20
    variable 30
    variable set 32
    workflow 25, 31
synchronization configuration
    customize 30-32
synchronization log 48
    contents 29
    create 29
synchronization project
    active 36
    create 25
    deactivate 47
    edit 172
    project template 237
synchronization server 226
    configure 21
    install 21
    Job server 21
synchronization workflow
    create 25, 31
synchronize single object 49
system connection
    change 34
    enabled variable set 36

T
target system synchronization 50
template
    IT operating data, modify 68

U
user account
    administrative user account 86-87
    apply template 68
    default user accounts 85
    identity 83
    password
        notification 165
    privileged user account 83, 88
    type 83, 85, 88

V
variable set 35
