One Identity Active Roles


One Identity Active Roles Azure AD, Office 365, and Exchange Online Management

Version 1.0

Version History

Version   Date         Explanation of Change
0.1       8/21/2019    Initial Draft
0.2       9/20/2019    Restructured the white paper content into a template
0.3       10/14/2019   Updated white paper to include back synchronization content
0.4       10/21/2019   Finalized the white paper content
1.0       11/04/2019   Finalized content for 1.0 version

Table of Contents

1. Introduction (page 3)
2. Active Roles and supported Azure environments (page 4)
3. Azure object management supported in various Azure environments (page 5)
4. Azure Object management in a Non-Federated environment (page 6)
5. Azure Object Management in Federated and Synchronized Identity environments (page 7)
6. Azure object management flow charts (page 8)

One Identity Active Roles | Azure AD, Office 365, and Exchange Online Management


1. Introduction

Active Roles (formerly known as ActiveRoles®) is an administrative platform that facilitates administration and provisioning for Active Directory, Exchange, and Azure Active Directory (Azure AD) in a hybrid environment. Active Roles allows an organization to manage these systems through the Web Interface and to develop a flexible administrative structure that suits its needs, while ensuring secure delegation of tasks as well as reduced workloads and lower costs. Active Roles enables synchronization of on-premises Active Directory objects to Azure AD. It also allows you to create Microsoft Office 365 cloud users, groups, and contacts for your on-premises Active Directory users, groups, and contacts, so that their properties can be synchronized from Active Roles to the cloud.

This section provides detailed information on the Azure AD operations.

The Office 365/Azure AD capabilities of Active Roles support the following administrative tasks:

- Create an Office 365 user account associated with a given Active Directory user account.
- Synchronize user properties from Active Directory user accounts to their associated Office 365 user accounts.
- View or change the properties of the Office 365 user account associated with a given Active Directory user account.
- Assign Office 365 licenses to the Office 365 user account associated with a given Active Directory user account.
- Delete the Office 365 user account associated with a given Active Directory user account.
- Create an Office 365 security group or distribution group associated with a given Active Directory group.
- Synchronize group properties, including the member list, from Active Directory groups to their associated Office 365 groups.
- View or change the properties of the Office 365 group associated with a given Active Directory group.
- Delete the Office 365 group associated with a given Active Directory group.
- Create an Office 365 external contact associated with a given Active Directory contact.
- Synchronize contact properties from Active Directory contacts to their associated Office 365 external contacts.
- View or change the properties of the Office 365 external contact associated with a given Active Directory contact.
- Delete the Office 365 external contact associated with a given Active Directory contact.
- View Office 365 domain and license information.
- Create Office 365 users. When you create an Office 365 user, you can choose whether to license that user for Exchange Online.
- Create security groups and distribution groups in Office 365. You can choose the type of Office 365 group that you want to create.
- Assign licenses to Office 365 users. When creating or administering a user, you can choose the Office 365 licenses that you want to assign to that user.
- Restrict the licenses for Office 365 users. You can configure a policy that specifies which Office 365 licenses can be assigned depending on the user's location in Active Directory.
- View or change the Office 365-specific object properties. You can edit Office 365 users, groups, and contacts.
- Examine Office 365 licenses and license usage. For each of your license subscriptions, you can view how many licenses are valid, expired, assigned, and available. This information is displayed on the Azure License Report in Azure Configuration.
- Examine Office 365 domains. Azure domains are listed under Azure Domains in Azure Configuration.
- Associate existing Office 365 users with on-premises Active Directory users. This is achieved with the back-synchronization workflow, by mapping an existing Office 365 user to the appropriate on-premises Active Directory user and updating its Azure ObjectID in Active Roles.

2. Active Roles and supported Azure environments

This section explains the different types of Azure environment configurations supported by Active Roles and examples of each configuration. Active Roles supports the following Azure environment configurations.

2.1 Non-Federated

An environment in which the on-premises domains are not registered in Azure AD, and in which neither Azure AD Connect nor any third-party synchronization tool is configured in the domain for synchronization, is called a Non-Federated environment. Changes made in Active Roles are replicated immediately to Azure or Office 365 using Graph API calls or cmdlet calls. Users are typically created in Azure with the UPN suffix. This type of environment is unlikely to be found in production and is suitable only for testing. Example of a Non-Federated configuration:

On-premises domain: test.local
Azure AD domain: ARSAzure.
Azure AD Connect: Not present in the domain

The domain is not registered in Azure. The user is created in Active Roles with the ID user001@test.prod.quest.corp, and in Azure as user001@ARSAzure.. The user is created in Azure at the same time as it is created in Active Roles, using a Graph API call.

Synchronized Identity

In a Synchronized Identity environment, the on-premises domain may or may not be registered in Azure AD. Here, Azure AD Connect is configured to synchronize the local AD objects to Azure. Users are typically created with a selected on-premises domain or a UPN suffix.

Example of a Synchronized Identity configuration:

On-premises domain: test.local
Azure AD domain: rd4.
Azure AD Connect: Performs the synchronization task.

The on-premises domain may or may not be registered in Azure. The user is created in Active Roles with the ID user001@test.prod.quest.corp and in Azure as user001@rd4..


2.2 Federated

In a Federated environment, the on-premises domain is registered in Azure AD. Azure AD Connect and AD FS are configured to facilitate synchronization. Users are typically created with the UPN suffix of the selected on-premises domain.

Example of a Federated configuration:

On-premises domain: rd4.
Azure AD domain: rd4.
Azure AD Connect and AD FS are configured.

The domain is registered and verified in Azure. The user is created in Active Roles and Azure AD with the same ID: user001@rd4..

3. Azure object management supported in various Azure environments

This section describes the operations supported for Azure objects in the various Azure environments (Federated, Synchronized Identity, and Non-Federated), and the methods for performing them using the Active Roles Web Interface.

In the Active Roles Web Interface, you can select the required Azure environment configuration during the Azure tenant creation. The specified configuration can be modified later if needed by changing the Azure properties of the tenant. Active Roles identifies the environment based on the Azure Tenant type and applies the changes to the Web Interface.

Active Roles uses different technologies, such as the Graph API and Exchange Online cmdlets, to work with Office 365, Azure, and Exchange Online. The Graph API (Unified Graph/Azure AD Graph) does not provide WRITE capability for certain attributes in Federated and Synchronized Identity environments. To be consistent with the behavior of the Microsoft API, Active Roles intentionally disables these property fields in the Web Interface; they cannot be manually enabled. However, Microsoft allows certain Exchange Online attributes to be modified using Exchange Online cmdlets in Federated and Synchronized Identity environments, and these property fields remain editable in the Exchange Online property wizard of the Active Roles Web Interface.

In a Non-Federated environment, there is no restriction on the Graph API or Exchange Online cmdlets performing any of the operations. For this reason, all property fields in the Active Roles Web Interface are editable and can be modified.

Additional capabilities, such as Office 365 license assignment and role assignment, can be performed for Azure users in the Active Roles Web Interface.
